Viewpoints: Security, Privacy, & IoT

Guest Contributor, Viewpoints

Viewpoints is a new series we’ve started to highlight the complexities involved in the Internet of Things.  Instead of one take on an issue, we invite two to three experts from different IoT-related backgrounds to give their own views on a subject.

In this edition of Viewpoints, we’ll be discussing the role of Security in Internet of Things.  This week’s contributors are:

David Jacoby – Senior Security Researcher and Security Evangelist, Kaspersky Lab

Jimmy Johansson – Information Security and Privacy Officer, Telenor Connexion

Anders Mellbratt – Internet of Things Expert, Ziggy Creative Colony

They discuss their roles relating to IoT and Security immediately following and then delve deeper into the topic.

David Jacoby, Anders Mellbratt, and Jimmy Johansson

David Jacoby, Anders Mellbratt, and Jimmy Johansson

What is your primary job at your place of employment.  And what influence does IoT have on your role and your company?

David Jacoby (DJ): I have been working at Kaspersky Lab for about five years now.  In my daily job I conduct IT-security research, fight cybercrime, act as one of their technical spokespersons, and simply try to contribute to the IT-security industry in the best way I can.

IoT itself does not have a huge impact in my role, but as a security researcher I have to be on top of the game, which includes researching both trending and traditional technologies.

Anders Mellbratt (AM): I work at Ziggy Creative Colony, a digital agency where I’m involved with strategy and design for connected products.

Ziggy was founded on the basis that connectivity and well-designed products bring new business opportunities.  So we’re all about exploring and employing that in everything we do.

Jimmy Johansson (JJ): I work at Telenor Connexion where we design and operate connected business solutions.  My most important responsibility is to ensure that our assets (both digital and physical) have proper controls in place to protect them from threats.  Also, that the products and services we supply – and the way we work – are compliant with laws, regulations, and standards in terms of security and privacy.

The way I look at IoT and how it affects my work is mainly about privacy. IoT brings the physical and the digital world closer together than ever before and in there lies the real challenge: Protecting the right to privacy while letting people enjoy the benefits of being connected, measured and analysed.

What are the biggest threats to IoT’s evolution from a security standpoint?

AM: I think there are several threats to IoT’s evolution. The first being security policies that are too tight.  Secure systems that are locked down and prevented from communicating with others will slow down the development of new applications within the IoT. The devices aren’t yet at a stage where they are be truly valuable in themselves; it is the data generated and exchanged that potentially can help create something meaningful.

The other threat I see is that if there are further major mishaps where end users’ data is exposed that in turn creates a deeper mistrust in connected products. Such a loss of trust will take a long time to recover from.

JJIoT inherits the same threats as everything else that is connected, while introducing new challenges. For instance, small embedded systems do not have the same resources available as a computer or a server. In many cases there is little room for a built-in firewall, anti-malware, or similar controls, so these countermeasures need to be solved in a different way.

There is also a common misconception that in Internet of Things, ’Things’ must be accessible directly from the Internet.  In my opinion this is not true. With that, there is the prediction that the number of ‘Things’ will count in the billions. Let us hypothesise that a very popular IoT Device platform is compromised and several hundred million IoT devices suddenly are part of a botnet that is tasked with carrying out Denial-of-Service (DoS) attacks or simply spying on traffic to collect credit card information, login credentials, etc..

DJ: From my point of view the biggest problem is that we don’t know what IoT is.  It seems that we consider any network connected device to be an IoT device. As soon as you put a network interface into an device, more attack vectors opens up, and this is more or less what we have experienced so far. We have not really thought the security through, but we must consider:

  • Patch management, eg. How long can we support these devices with security patches?
  • Who is making sure that the code running on the device is secure?
  • What legislations and responsibilities does the vendors have to take/make?

How do you think privacy concerns will change the advancement of IoT?

DJ: This is not only a privacy risk, because it totally depends on the content and data. But when it comes to security some of the most important aspects are Confidentiality, Integrity, and Availability. This includes also Privacy and Support.

AM: So far reports of leaky baby monitors and living room cameras have not acted as too much of a deterrent, and neither has mistakenly published intimate activity information such as the Fitbit sexual activity data.

Together with some friends I have toyed with the idea of creating some sort of security assessment for connected products, but it’s still early days and this would be a large undertaking.  I do think that some sort of independent guidelines and an evaluation of current practice with a user-readable report would be helpful for reviewers and users.

How you mesh the legal requirements of a company with the privacy concerns of a user?

JJ: Consent and transparency is key.  Be very honest and clear about what information is collected, processed, analysed, stored (including for how long), and how it is eventually destroyed. It is also important to detail in what way it might be processed, analysed, stored, shared, or sold to a third party.

How these things are done and why must be clearly communicated to the end user of any service or product and it should be very clear that by accepting the agreement the end user gives their consent. Any future changes to this must trigger a new prompt to ‘accept’ from the end user.

It is common today that the legal text state that terms can change without notice and it is up to the end user to update themselves. This would break the entire model of consent and transparency and everyone would be busy reading legal texts instead of enjoying life.

DJ: It depends on the company, I guess.  I am pretty sure that a bank, governmental institution, and a marketing company have the same privacy concerns. But what all security officers should ask themselves, their staff, and their board is: “What is our Worst Case Scenario?”  And they should base a privacy policy from the answers they get.

Do you think the EU’s privacy laws help or hurt IoT?  What do you think of the concept of a universal privacy policy (as suggested by the European Commission)?

JJ: I think it helps the companies that want to be honest and transparent such that they know their boundaries and what they should be compliant with. It also helps to evaluate an idea for a start-up before money is invested in design and development.

A universal privacy policy sounds fair but hard to agree on. We have the recent invalidation of Safe Harbour which have become a huge problem for many companies, so a universal privacy policy would have its benefits.  But I believe many countries have a very large gap between each other in what they accept in terms of privacy regulations.

Also, Security and privacy are always considered to be at the other end of the scale of importance [from innovation and performance].  Some great ideas may never see the light of day because they would rely on being able to use personal information in an unlawful way.

What personal data are you personally comfortable with a company or app having?

AM: I share most of my communications already. When I use my smartphone I’m pretty sure the telco looks into the data sent back and forth. When I use email (Gmail), calendar (Google Calendar) or some types of instant messaging (Facebook Messenger) I share the information. As far as I know, the only service I use that is encrypted in a way that doesn’t share the contents with the service provider is Apple’s iMessage. I used to be more adamant about encryption and security, setting up my own SSH server to use when on unencrypted wifi etc. I just don’t have the energy to do it anymore. I still try to choose service providers (like Bahnhof) that have a sound view on privacy.

DJ: I am not a privacy advocate, so I don’t really mind sharing personal data with the Internet. Of course, when it comes to things that might hurt my family, kids, etc., but that’s very difficult to define, because some times a photo can tell a lot of information, other cases it might be GPS locations or “likes” from Facebook. So to define some specific information is difficult.

JJ: Today, it depends on the company and the way they share with me what information is collected and why.  Is the value of the benefits I get equal or greater than the value of the information I share? Do they sell my information? If so, how much am I paying for the service?

Who or what I am having conversations with, at what time, and from where is already being collected and that does not bother me, but I respect and understand that many have concerns.

But the old saying “If you have nothing to hide you have nothing to fear” does not apply. Most people care about freedom of speech even though they have nothing to say at the moment. If my life changed considerably, say if I become a billionaire, start working for the military, or if I get sick, I would most likely change in how I am sharing information about myself online and in the physical world.


How can we help users become more aware of, and more well-versed in security issues?

AM: This is a tricky question. A lot of users don’t have a basic understanding of even what is going on when they surf the web, or what separates the browser from a service or server they are accessing. To introduce a complicated model including encryption and other technologies will not reach very far. The efforts trying to aiming to help the less-technical users with a cues such as green padlocks and a healthy dose of skepticism towards too-good-to-be-true offers appearing in their inbox seem to have been fruitful, but as everything else this too can be exploited.

Initiatives such as Pachube’s (then Cosm and now Xively) when it comes to securely allowing access to user data for external services are interesting. This is however a too technical take on the problem.

Where are the challenges in security when dealing with things like smart cities, devices, or even small data hubs that transmit information?

DJ: I guess its availability and integrity. If you starting creating smart cities, where more and more social functions depend on technology we will have a big problem with availability. Even today it’s a problem – and we are far from living in fully smart cities.

AM: We need to find better practices to secure data both when stored and transmitted. There are already practices developing where sensitive data is not transmitted over the network, and the processing of sensitive data is done at the edge of the network.  But it is difficult when tools that are in widespread use, such as OpenSSL, are revealed to be vulnerable.

JJSmart homes have challenges. When I buy a house and I get the keys to the door, how can I be sure that the previous owner does not have any access to, or control of the alarm system, cannot turn off the heat or my fridge, or watch my family and our guests having dinner on a Saturday evening?

Smart cities are even more complex. How will we solve governance in an environment where many products and services interact with each other and share communication paths? How will the many attack surfaces be monitored, and how do we conduct a security assessment or penetration test of a smart city?

Any thoughts or ideas on the topics covered?  Feel free to engage in discussion at our LinkedIn or Facebook Page.