Gaining Control of Security and Privacy to Protect IoT Data

Wednesday, April 24, 2019

Mike Nelson


Internet traffic growth is unrelenting and will continue to expand exponentially, in large part due to the Internet of Things (IoT). The amount of data being generated is staggering, with 5 quintillion bytes of data produced and transmitted over the Internet daily.

Virtually every industry is going to be impacted by IoT. The vast amounts of data that devices, apps and sensors create, collect and consume are a real challenge for individuals and companies, throughout the world. This explosive growth of IoT-driven traffic is expanding the attack surface on our networks, putting business and user data at great risk.

Within our increasingly connected world, IoT gathers insightful data from almost every facet of our lives. These devices offer valuable intel about our social habits, public and personal transportation, healthcare facilities, manufacturing assembly processes, industrial plant operations, and even our personal health, sleep and exercise regimens.  

Can you imagine the consequences IoT device manufacturers and healthcare providers would face if sensitive patient health data was mishandled and exploited by hackers? Or if a design flaw in a modern car’s network access control system couldn’t be remotely patched, and hackers took over the vehicle's gas pedal, brakes and steering? If we don’t get a handle on the security issues for smart products, tomorrow’s news headlines will eliminate your need to imagine.

I remember a children’s song called “Dem Bones.” It went something like, “The toe bone's connected to the foot bone, the foot bone's connected to the ankle bone, the ankle bone's connected to the leg bone, now shake dem skeleton bones!”

Here’s a different take on that song. “The watch app is connected to the voice app, the voice app is connected to the car app, the car app is connected to the geofencing app - and that’s how the data gets around!”

While data access is great for helping us gain useful insights in all manner of life and business, it also poses a great threat, when in the hands of those who use it for ill-gotten gain.

IoT Data Should Be Private and Controlled

Data is being created, collected and consumed by IoT, everywhere. Yet, most consumers and companies don’t know if, or how, their data is being used. Many companies are monetizing our personal data, without our knowledge, and reaping billions of dollars. Yet, we continue to just give it away. Other companies are sharing this data within their ecosystem, to “enhance” the value of their products or services. Depending on the product or service, this information sharing can be of potential benefit for consumers, or a possible detriment.

So, what are we as individuals, and as a society to do? How do we discover who has access to our data, and how it is being used? Are we okay with this? After all, what we don’t know can’t hurt us, right?  Perhaps, we can start by becoming more aware and asking some of these questions:

What can we do to protect our data, and keep it confidential?
How can we be assured that companies are acting responsibly with our data?
Who is responsible for data protection?
If we had a choice, how and what kind of information would we want shared with us?
How can we gain greater transparency over how our data is used?
Are we comfortable living with smart home devices that may listen in on private conversations we have at home?

The other day, my wife and I had a conversation at home about buying new shoes for our daughters. While having this conversation, we were surrounded by smart devices - Alexa, Ring, Nest and a multitude of smart phones and tablets. The next morning, I woke up and the first image in my Instagram feed was for toddler girl shoes. Is this a coincidence or targeted marketing? I haven’t figured out which device it was that captured our conversation, but I’m certain one of the smart devices is monetizing on the data it collects from private conversations going on in our home.  

That story provides a real-life example of how companies may be monetizing data they collect from IoT devices. As devices proliferate into society, it’s important for consumers to be aware that data is being captured, and to know how and when it is being captured. Manufacturers need to be more transparent about these practices so consumers have the right to opt in or out of data collection on such a private and intrusive level.

You Can’t Have Trust Without Transparency

Many of the privacy questions mentioned above are not going to be solved with technology alone. We must gain greater insight into, and control over, the way our data is used. Companies must self-regulate, and if they don’t, regulatory and legislative action should be required.

Many IoT manufacturers have direct control over their ecosystem, while others have more open systems and hub platforms that are more difficult to control, and specifically, to control how data is collected, stored, and ultimately used. Most companies fall short in communicating their data-handling policies to consumers.

We want these amazing devices in our homes, cars, offices, and bodies, but we don’t necessarily want the companies, or worse, hackers, misusing our information. It’s a Catch-22. There are no easy answers or solutions; however, as a society, we must feel the urgency to address this growing problem. Consumers need to be aware, while manufacturers need to be responsible.

I think transparency is key to solving this problem. Companies must adopt a more transparent use of customer data, which will, in turn, build customer trust. Transparency will help us know what data is being tracked, how it is being tracked, and how it is being monetized or shared. In the near future, we will have systems that provide data visibility to consumers. Perhaps a privacy portal with authentication mechanisms, where consumers can have autonomy, and even the ability to monetize their own data, by revenue sharing with companies.

Not only will this give consumers control over their data, it will also help companies build greater loyalty and brand equity, when they show consistent data stewardship.

Protecting IoT Data in Transit

In addition to a higher level of transparency, manufacturers need to protect the sensitive data collected. Data encryption is a best practice for confidentiality, and should be used by all IoT manufacturers when transmitting data.  Making sure all connections to an IoT device are properly authenticated, and that access controls are in place, helps keep bad actors out of the device’s ecosystem. If IoT is going to continue to grow in the future, we must have confidence in the security and privacy of our data. I believe all IoT devices that collect personal data, or sensitive business information, should always use encryption.

Controlling access to encryption keys is accomplished through authentication. User authentication uses username and password combinations, biometrics, tokens and other techniques. Server authentication uses certificates to identify trusted third parties. Authentication allows a company to determine if a user or entity is who they say they are. It then verifies if, and how, they can access a system, including the ability to decipher encrypted data. Without question, multi-factor authentication is always the most secure form of protection for users.

While encryption and authentication protect data, they can’t prevent unauthorized access to a network. As a result, in addition to protecting access through authentication, authorization is used to control who sees sensitive data, and what they can do with it.

Authorization allows IT to restrict activity within their resources, applications and data, by giving specific access rights to individuals and groups. Privileges are defined, and the level of access is granted to individuals or groups.

Updating software on IoT devices isn’t always possible, and many devices don't have a secure method of ensuring the authenticity or integrity of software updates. This is dangerous, as it enables hackers to introduce malware into devices. Code signing is an effective solution that requires proof of the origin and integrity of executable software, by using a private signing key to create a digital signature of a hash of the file. Code signing is an effective way of protecting IoT device manufacturers, the businesses that deploy the devices, and the consumers of the devices, from the dangers posed by unauthorized software.
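
The sign-then-verify flow described above, as an added example that is not part of the original article: the vendor signs a hash of the firmware image, and the device checks that signature before installing. The choice of ECDSA P-256 with SHA-256, the function names, and the sample image are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignFirmware (vendor build system): hash the image, sign the hash with the private key.
func SignFirmware(priv *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyFirmware (device, holds only the public key): recompute the hash, check the signature.
func VerifyFirmware(pub *ecdsa.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo: is a genuine image accepted, one altered after signing, one signed by an untrusted key?
func Demo() (bool, bool, bool, error) {
	vendor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	image := []byte("constructed sample firmware image, build 1") // constructed input
	sig, err := SignFirmware(vendor, image)
	if err != nil {
		return false, false, false, err
	}
	otherSig, err := SignFirmware(other, image)
	if err != nil {
		return false, false, false, err
	}
	modified := append([]byte{}, image...)
	modified[0] ^= 0x01          // a single flipped bit changes the hash
	pub := &vendor.PublicKey     // the key provisioned on the device
	return VerifyFirmware(pub, image, sig), VerifyFirmware(pub, modified, sig),
		VerifyFirmware(pub, image, otherSig), nil
}

func main() { fmt.Println(Demo()) }
```

Only the unmodified image signed by the vendor key passes; the device needs nothing secret, only the vendor's public key stored where an update cannot overwrite it.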

Consistency, security and trust have always been requirements for ensuring lasting customer relationships, and the digital age is no different. It’s a matter of who is in control of our data. Today, IoT device manufacturers and businesses are in control. In the future, we must be in control of our own information.

About the author: Mike Nelson is the VP of IoT Security at DigiCert, a global leader in digital security. He oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.