Click to learn more about author Gilad David Maayan.
The Internet of Things (IoT) allows devices, such as cars, lights, video cameras, and personal assistants like Amazon Alexa, to use connectivity to exchange data – often personal and sensitive data. The IoT allows human beings to connect up every aspect of our lives and our work, from cars to home appliances to cyber-physical industrial systems. This hyper-connectivity has created a valuable market used across every sphere of life and which is set to grow to 724.2 billion US dollars by 2023.
However, innovation is never without risk. IoT creates huge volumes of data, much of it is sensitive data belonging to individuals and companies. To ensure that we can continue to use this powerful new technology to its full potential, we need to focus on security and understand the threats created by the massive data footprint of IoT.
In this article we explore how IoT data can be used to prosecute criminal action, to carry out criminal acts, and how regulation can help clean up this complex landscape.
Weaponizing the IoT: IoT as a Prosecutor
The IoT is built upon data, often personal and highly sensitive data. These data, like any valuable commodity, can be used for both good and bad. The data generated by an IoT device can potentially become a weapon against its owner.
In some high-profile cases the IoT, or rather the data collated by an IoT device, has been used as a prosecution tool against the very person who owns the device. Case such as James Bates of Arkansas, USA, who was accused of murder in 2015, when a friend was found dead in Bates hot tub. The prosecutor used the data found on Bates Amazon Alexa data along with his smart meter data to build the case. During the case, Amazon refused to release the data collected using Alexa; however, the defendant gave permission to use the data during the case. The case was dismissed in December 2017, but not before becoming a news item and drawing the defendant’s personal life into the press. In an ongoing case, a Connecticut woman was murdered in 2015; her husband is accused of killing her in the family home. The woman’s Fitbit data has given the prosecution essential GPS-related data that has helped identify her last movements.
Weaponizing the IoT: IoT as a Criminal
Prosecutors may be using the IoT to develop cases, but cybercriminals are using it as a weapon against humanity. Connected devices create the perfect substrate for the use, abuse, and misuse of personal data. This connectivity has created a playground for cybercriminals, giving them with new ways to access data. There are a number of well-documented cybersecurity issues with the IoT across the Open Systems Interconnection layers (OSI) – a multi-layered system that controls the data flow within telecommunications and computing. These security issues include network attacks that deny services, closing them down altogether to accessing protected data.
One of the most famous IoT-based attacks was the Mirai botnet Distributed Denial of Service (DDoS) attack of late 2016 – effectively closing down large sections of the Internet. Some, like security journalist, Brian Krebs, think this was a test of readiness to perform further DDoS attacks against our critical Industry infrastructures.
A recent paper by Canonical, defining the security and privacy issues endemic in IoT devices, concluded that “The ongoing Internet of Things state reveals that there is still significant work to do in order to secure embedded computer devices.”
IoT Security from the Get-Go: SecOps
IoT devices are developed by companies, and in the absence of strong regulation, many of them are not designed with security in mind. According to Gemalto, 57% of IoT vendors say their devices store unencrypted data, making it easily obtainable by attackers.
A new development paradigm known as SecOps, or Security Operations, can make a big difference. SecOps predicates a design and development process in which security is baked in from day one. Even as products are initially planned and designed, security experts are involved to ensure that devices are resistant to exploits and data is soundly protected. As opposed to traditional development workflows in which products were developed and then submitted to security for approval.
Regulating IoT
Respecting privacy and securing IoT is a complicated business. Questions such as who owns the data make policy decisions a quagmire. The smart meter data used in the James Bates case showed water was being used at certain times – perhaps the time of the killing to “clean up”. Definitions need to be tightly defined as to what is, and what isn’t a privacy invasion. Cybersecurity matters may be more straightforward to legislate for, but they still need analysis.
There are moves afoot to regulate the IoT. A good starting point is the U.S. Senate bill “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” (ITCIA). The bill sets out a series of expectations around the purchase and use of IoT devices. Things such as ensuring the device can be patched, the use of standard protocols, and the disclosure of vulnerabilities. However, this bill is aimed at U.S. government purchases of IoT devices.
The ITCIA is certainly a move in the right direction and sets out good practice, but it needs to be expanded to cover all. Instead, there appears to be a mosaic approach to regulation. For example, the “SPY Car Act of 2017” addresses the security of personal data in the use of cars. Similarly, the FDA is working on guidelines for the safe use of connected medical devices. But what about toys? Well, Sen. Warner sent a letter to the FTC last year to ask about what is being done to protect the data of our children when they use smart toys? The IoT is ubiquitous, a ubiquitous security framework does not exist.
Lastly, could SecOps be legislated as a requirement for IoT development projects? Or at the very least, should governments encourage industry standards, like the PCI/DSS standard for businesses who store credit card information, to enforce strict security standards for all IoT technology? After legislation handles the questions of ownership and privacy, the next step should be addressing the root cause of security issues – vendor noncompliance with crucial security practices.
Conclusion
The regulatory environment for the IoT is ironically at odds with the hyper-connectivity of IoT devices. Instead of a fully-connected, global regulatory framework that covers OSI security, protocols standards, and privacy of personal data, we are seeing a mosaic approach, on a jurisdictional basis. Without a holistic approach, this gap of legislation will encourage a malfunctioning and dangerous IoT landscape, for everyone concerned.