Security and privacy in a smarter world


By Anastasios A. Economides, professor, University of Macedonia.

The Internet of Things (IoT) is the worldwide Information and Communication Technologies (ICT) infrastructure that will support ubiquitous services among interacting humans, machines, data and applications. The proliferation of connected people, sensors, mobiles and applications is paving the way to IoT. It is expected that about 30 billion devices will be interconnected, creating a market of around $2 trillion by 2020.

Most companies already use, or plan to implement soon, an IoT application in various IoT sectors, such as the following:

    • Smart Healthcare & Wellbeing (e.g. Angel Sensor, Fitbit, Hexoskin, Intraway, Jawbone, Nymi, OnKöl Health Hub, Pebble, Philips Lifeline, Withings, Zebra MotionWorks).
    • Smart Home & Building (e.g. Belkin, Nest, Neurio, Quirky, Sensorflare, SMA, SmartThings, Vivint, WallyHome, Withings, ZEN Thermostat).
    • Smart City & Community (e.g. Bigbelly, Bitlock, FUKUSHIMA Wheel, Kiunsys, Placemeter, Silver Spring Networks, Waspmote).
    • Smart Utilities (e.g. Enevo, Mayflower CMS, MeterNet, Osprey Informatics, Paradox, Trilliant).
    • Smart Environmental Monitoring (e.g. FilesThruTheAir, Fruition Sciences, OnFarm, Semios, Topcon Precision Agriculture).
    • Smart Car & Transportation (e.g. Audi, CarKnow, Connected Rail, Dash drive smart, Delphi Connect, Ericsson, Libelium, Logitrac, PowerFleet).
    • Smart Industry & Services (e.g. Argon Underground Mining Safety, Condeco Sense, DAQRI’s Smart Helmet, Numerex, Perch).

An amazing amount of confidential information will be collected, communicated, stored and processed by third parties. However, the consequences regarding security and privacy are unknown.

«Through IoT services, an amazing amount of confidential information will be collected, communicated, stored and processed by third parties»

Few companies admit to being prepared to tackle the IoT security challenges. A recent survey found that only 30% of IT professionals believe their company has the technology necessary to adequately evaluate the security of IoT devices. Also, 20% of the respondents state that they have “no visibility” into current protection levels.

Security researchers from Hewlett-Packard performed a security audit of 10 popular Internet-connected devices: TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garages. On average, they identified 25 vulnerabilities per device. Six out of the 10 devices did not use encryption when downloading software updates. 70% of the devices used unencrypted network services and transmitted credentials in plain text. Also, 90% of the devices collected at least one piece of personal information via the device, the cloud, or its mobile application.

Last year, Team Cymru’s researchers identified over 300,000 home routers that had been attacked. This large-scale attack altered the Domain Name System (DNS) settings of the compromised routers to redirect the victims’ DNS requests and subsequently replace the intended answers with Internet Protocol (IP) addresses and domains controlled by the attackers.

«Although many security officers believe their security is optimized and effective, in reality, this is not true»

Cisco just announced the results of its Security Capabilities Benchmark Survey among Chief Information Security Officers (CISOs) and Security Operations (SecOps) executives at 1700 companies in nine countries. Only 10% of Internet Explorer users run the latest version. Less than 50% of respondents use standard tools such as patching and configuration to help prevent security breaches and ensure that they are running the latest versions. Although many security officers believe their security is optimized and effective, in reality, this is not true.

It becomes apparent that society is not well prepared to face the security and privacy risks regarding IoT. Further security actions should be taken by ICT companies, businesses, public authorities as well as individuals. Finally, I would like to invite you to a workshop that will discuss these issues in a few months: the IoT/CPS-Security 2015, which will be held in London from 8 to 12 June 2015.