Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
The Internet of things has become a security nightmare, as cybercriminals increasingly target connected devices and unprotected mobile applications.
Bloomberg BNA Privacy & Data Security News Senior Legal Editor Jimmy H. Koo posed a series of questions to William Webb, chief executive officer of Weightless SIG and a senior member of the Institute of Electrical and Electronics Engineers, on protecting privacy on connected devices.
What are the typical weak points of connected devices, both consumer and enterprise?
There are many different types of devices, and often the weak spots are only apparent after a successful attack, so it isn't possible to be definitive. However, some general issues include:
The weakest points are often in the network rather than the device. An attacker that can hack into a central database can then access unencrypted data from thousands of devices.
Is privacy by design an applicable concept for connected devices? If so, how?
It is important to distinguish privacy and security. Security is the most basic concept and aims to ensure that data sent to or from the device can't be overheard, intercepted, replayed or otherwise compromised. Without security there can't be guaranteed privacy. However, even with security, privacy can be compromised if the data is subsequently abused, for example by being sold to a third party or where anonymized data is analyzed sufficiently to discover its owner.
Broadly, the devices can only be designed for security, not privacy. This can be done through authentication, encryption and anti-tampering mechanisms. Privacy has to be designed at the system level, with safeguards on the use and storage of the data in any central database.
What are the differences between cyberattacks targeting devices directly and cyberattacks targeting mobile applications?
There is little difference between these. Any device, including Internet of things (IoT) terminals and mobile phones, consist of hardware which runs on software. Attacks are nearly always on the software as attacking the hardware requires taking the device, disassembling and undertaking relatively difficult activities such as monitoring signals between chips. The software can comprise the operating system (e.g. Android on a phone) as well as the applications that run on top of this.
In so much as there is a difference, it seems likely that most connected devices won't download applications in the way that we do with our phones. Broadly, they will have the relevant apps loaded onto the device before leaving the factory and while those apps will be updated over time, it is unlikely that new ones will be added. For example, the NEST thermostat is unlikely to have a new application enabling it to play some game, for example, but the heating control application will be updated periodically and its functions expanded. Because of this, control of the device is somewhat simpler than securing the phone but generally the same best-practice will apply.
Do you think a uniform IoT certification standard is achievable?
Certification typically takes place at a number of levels, or “layers.” For example, mobile phones have the lowest level of certification from bodies such as 3GPP that show they can connect to networks and not cause interference. They may then have certification of some sort that their implementation of the operating system (e.g. Android) is conformant. Other certification might cover payment systems and so on.
The same is likely to occur in IoT. There will be certification at a radio layer from the relevant standards body such as Bluetooth or Weightless. This will cover the authentication and encryption at the radio layer. There may then be certification at a higher network layer from entities such as OneM2M and possibly at an industry layer such as from a health-care standards body.
Uniformity isn't necessarily a good thing though. It can mean that if there is a security flaw that billions of devices are affected simultaneously. We don't have uniformity with computers (Apple versus Microsoft) nor with phones (Apple versus Android). As long as all the standards body follow sound principles, this should be sufficient.
What role, if any, should the government play in securing connected devices?
Governments generally don't play a role in securing mobile phones, except where they are used by Government officials with access to sensitive information. By analogy, broadly governments shouldn't seek to secure IoT devices—this should be left to standards bodies. Where Governments procure IoT devices for their own use they may wish to reassure themselves that adequate security is in place and add more security if needed.
Governments might wish to publish reports on best practice to assist industry and standards bodies in their work and to alert their citizens to any devices that appear to have insufficient security.
Further information on the role of certification systems for the Internet of things is available in the Bloomberg BNA special report “Cybersecurity Insurance, Web of Things Standards Linked” (15 PVLR 1142, 6/6/16).
Notify me when updates are available (No standing order will be created).
Put me on standing order
Notify me when new releases are available (no standing order will be created)