Views on Internet of Things Security From Weightless SIG CEO William Webb


William Webb

The Internet of things has become a security nightmare, as cybercriminals increasingly target connected devices and unprotected mobile applications.

Bloomberg BNA Privacy & Data Security News Senior Legal Editor Jimmy H. Koo posed a series of questions to William Webb, chief executive officer of Weightless SIG and a senior member of the Institute of Electrical and Electronics Engineers, on protecting privacy on connected devices.

Bloomberg BNA:

What are the typical weak points of connected devices, both consumer and enterprise?

William Webb:

There are many different types of devices, and often the weak spots are only apparent after a successful attack, so it isn't possible to be definitive. However, some general issues include:

  •  devices that don't authenticate the network that they attach to, making it possible to set up a rogue router or base station and attract devices to register to it. This means that the information from the device will no longer be available to the user and the attacker may be able to read it themselves, to gain value from it;
  •  devices that don't have the ability to be updated remotely, so if there is a security issue exposed, it won’t be possible to patch the problem;
  •  when a device goes through a routine software update, the update isn't always checked for authenticity, and hence the ability for an attacker to change the operating system in a manner that then allows them access to the device becomes a problem. Oftentimes, the update isn't given a secure watermark or even verified prior to installation. Some devices simply don't have the capability to update their software at all, which means that if there is a security breach, there's no way to fix it short of a recall of the device;
  •  when devices are connected to a specific network (e.g. the radio in the car being connected to the vehicle management system) there can be a lack of firewalls, allowing an attacker to find a way into a broader network;
  •  devices that aren't designed to prevent disassembly and discovery of secret-key information. Any secret information needs to be securely stored—as it is on a SIM card for a cell phone; and
  •  devices that don't have encryption, or use weak encryption coupled with frequent transmission of the same message (e.g. a meter reading), which makes breaking the encryption relatively easy for a skilled hacker.


The weakest points are often in the network rather than the device. An attacker that can hack into a central database can then access unencrypted data from thousands of devices.
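The last bullet above (weak encryption plus the same meter reading sent over and over) is worth seeing concretely. The following is an added example, not code from the interview, from Weightless SIG or from any product mentioned on the page. It uses only the Python standard library, so the keystream is built from HMAC-SHA256 in counter mode as a stand-in for a real stream cipher; the reuse property it demonstrates holds for any stream cipher, including AES-CTR. The device key and the meter frames are constructed for the demonstration. `weak_encrypt` models a device that derives the same keystream for every transmission; `encrypt` models the fix, a fresh nonce per message. `attacker_recover` shows what an eavesdropper gets from the weak design with no knowledge of the key.

```python
import hashlib
import hmac
import os

# Constructed 16-byte device key for the demonstration (assumption, not a real key).
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
NONCE_LEN = 8


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks.

    Stand-in for a real cipher (assumption: stdlib only). The point of the
    example does not depend on this choice: any stream cipher leaks the same
    way when the (key, nonce) pair is reused.
    """
    out = b""
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def weak_encrypt(key: bytes, msg: bytes) -> bytes:
    """The weak design: a fixed, implicit nonce, so every frame from the device
    is XORed with the same keystream bytes."""
    return xor_bytes(msg, keystream(key, b"\x00" * NONCE_LEN, len(msg)))


def encrypt(key: bytes, msg: bytes) -> bytes:
    """The fix for this particular weakness: a fresh random nonce per frame,
    transmitted in the clear in front of the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor_bytes(msg, keystream(key, nonce, len(msg)))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(): split off the nonce, regenerate the keystream, XOR."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor_bytes(ct, keystream(key, nonce, len(ct)))


def attacker_recover(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Keystream-reuse attack. With the same keystream K under both frames,
    c_known ^ c_target == p_known ^ p_target, so one predictable frame
    (a meter reading whose format the attacker can guess) reveals the other.
    The key is never needed."""
    n = min(len(c_known), len(c_target))
    return xor_bytes(xor_bytes(c_known[:n], c_target[:n]), p_known[:n])


if __name__ == "__main__":
    # Constructed sample frames: two consecutive readings from the same meter.
    reading_day1 = b"METER 00042 kWh=000123"
    reading_day2 = b"METER 00042 kWh=000128"

    c1 = weak_encrypt(DEVICE_KEY, reading_day1)
    c2 = weak_encrypt(DEVICE_KEY, reading_day2)
    # Same plaintext -> same ciphertext: the attacker can tell "no change since
    # yesterday" without decrypting anything at all.
    print("repeat detectable:", weak_encrypt(DEVICE_KEY, reading_day1) == c1)
    print("recovered day 2:", attacker_recover(c1, reading_day1, c2))

    # With per-frame nonces the two encryptions of the same reading differ.
    a, b = encrypt(DEVICE_KEY, reading_day1), encrypt(DEVICE_KEY, reading_day1)
    print("nonce design differs:", a != b, "round trip:", decrypt(DEVICE_KEY, a) == reading_day1)
```

Two caveats a practitioner would add. First, the fix shown only restores confidentiality; neither `weak_encrypt` nor `encrypt` includes an integrity tag, so a real deployment should use an authenticated mode (AES-GCM or ChaCha20-Poly1305) rather than a bare stream, otherwise the attacker can flip bits in a reading undetected. Second, a random nonce from a constrained device needs a trustworthy entropy source; where that is doubtful, a persistent counter that survives resets is the safer nonce.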


Bloomberg BNA:

Is privacy by design an applicable concept for connected devices? If so, how?

William Webb:

It is important to distinguish privacy and security. Security is the most basic concept and aims to ensure that data sent to or from the device can't be overheard, intercepted, replayed or otherwise compromised. Without security there can't be guaranteed privacy. However, even with security, privacy can be compromised if the data is subsequently abused, for example by being sold to a third party or where anonymized data is analyzed sufficiently to discover its owner.

Broadly, the devices can only be designed for security, not privacy. This can be done through authentication, encryption and anti-tampering mechanisms. Privacy has to be designed at the system level, with safeguards on the use and storage of the data in any central database.

Bloomberg BNA:

What are the differences between cyberattacks targeting devices directly and cyberattacks targeting mobile applications?

William Webb:

There is little difference between these. Any device, including Internet of things (IoT) terminals and mobile phones, consists of hardware which runs on software. Attacks are nearly always on the software, as attacking the hardware requires taking the device, disassembling it and undertaking relatively difficult activities such as monitoring signals between chips. The software can comprise the operating system (e.g. Android on a phone) as well as the applications that run on top of this.

Insofar as there is a difference, it seems likely that most connected devices won't download applications in the way that we do with our phones. Broadly, they will have the relevant apps loaded onto the device before leaving the factory, and while those apps will be updated over time, it is unlikely that new ones will be added. For example, the NEST thermostat is unlikely to have a new application enabling it to play some game, but the heating control application will be updated periodically and its functions expanded. Because of this, control of the device is somewhat simpler than securing the phone, but generally the same best practice will apply.

Bloomberg BNA:

Do you think a uniform IoT certification standard is achievable?

William Webb:

Certification typically takes place at a number of levels, or “layers.” For example, mobile phones have the lowest level of certification from bodies such as 3GPP that show they can connect to networks and not cause interference. They may then have certification of some sort that their implementation of the operating system (e.g. Android) is conformant. Other certification might cover payment systems and so on.

The same is likely to occur in IoT. There will be certification at a radio layer from the relevant standards body such as Bluetooth or Weightless. This will cover the authentication and encryption at the radio layer. There may then be certification at a higher network layer from entities such as OneM2M and possibly at an industry layer such as from a health-care standards body.

Uniformity isn't necessarily a good thing though. It can mean that if there is a security flaw, billions of devices are affected simultaneously. We don't have uniformity with computers (Apple versus Microsoft) nor with phones (Apple versus Android). As long as all the standards bodies follow sound principles, this should be sufficient.

Bloomberg BNA:

What role, if any, should the government play in securing connected devices?

William Webb:

Governments generally don't play a role in securing mobile phones, except where they are used by government officials with access to sensitive information. By analogy, governments broadly shouldn't seek to secure IoT devices; this should be left to standards bodies. Where governments procure IoT devices for their own use, they may wish to reassure themselves that adequate security is in place and add more security if needed.

Governments might wish to publish reports on best practice to assist industry and standards bodies in their work and to alert their citizens to any devices that appear to have insufficient security.

For More Information

Further information on the role of certification systems for the Internet of things is available in the Bloomberg BNA special report “Cybersecurity Insurance, Web of Things Standards Linked” (15 PVLR 1142, 6/6/16).