Good day, everyone. In this video, we are going to talk about the future of the Internet of Things and the risks associated with it, in particular the privacy and security issues concerning users and companies and how these risks can undermine “trustworthiness”. We will also examine the potential advantages in such an era and what the future may hold. Moreover, we will review the paper entitled “Inside Risks: The Future of the Internet of Things” by Ulf Lindqvist and Peter Neumann.

The Internet of Things, aka IoT, is the network of physical objects such as devices, buildings and vehicles which, by virtue of being embedded with sensors, software and network connectivity, enable us to monitor, collect and exchange data. The IoT will be everywhere: at hospitals, throughout your home, on your wrist and also in more familiar places. We are currently transitioning to the IoT era; this will transform our lives and daily routines. Nevertheless, as with every new technology,
the IoT has both benefits and risks. The main, critical challenge of applied IoT research is security. The IoT network involves diverse devices; therefore, each system will have different security requirements. If the security dependencies in the network of “Things” are not adequately considered, IoT can risk your safety, data and, therefore, privacy in your daily life.

But if it’s so dangerous, why would we use it?

Well, IoT can entail many more benefits and opportunities through knowledge. It can improve communications and enhance service-delivery mechanisms to improve living standards. However, these questions remain: Do the advantages of IoT outweigh the disadvantages? How prepared are we to manage the risks associated with this new world?

To begin with,
there’s an abundance of regulatory uncertainty. The authors of the paper decided that a whole host of new regulations and standards committees are required (whilst ensuring cooperation between industry, government, and users). The exploitable risks associated with IoT could also be used to attack the state and its citizens by both malicious state and non-state actors (this was alluded to when referencing the Stuxnet attack against Iran, where a ‘computer worm’ targeted Iranian nuclear facilities). Basically, as the IoT expands, it will become increasingly relevant for the state’s own national security apparatus and it will face increasing scrutiny from legislators. Policy makers will have to work fast.

Gartner forecasts that more than 8 billion connected Things will be in use worldwide this year (that is 31 percent more than last) and this will grow further to 20 billion by 2020. Total spending on endpoints and services will reach almost $2 trillion by the end of the year. Consumer applications will represent 63% of total IoT applications in 2017, with 5 billion units of connected things.

The Internet of Things is transforming every part of our lives:
the home, the office, city streets, and beyond. IoT products give us greater control over door locks, lights, and appliances. They offer insights into resource-consumption habits, they streamline business processes, and they connect us to the people, systems, and environments in our lives. Any “entry-level” IoT products fit smoothly into the patterns of daily life by simplifying routine tasks. Finding your keys, unlocking your door, turning lights on and off: these and other habits can be automated with sensors and intelligent software. A truly smart home is full of products that know your preferences, anticipate your needs, and respond dynamically to your behaviour, so you can spend less time micro-managing your house and more time living in it.

We all know we should try to conserve electricity, water and other resources, but modifying our habits can be hard (especially when we cannot see the immediate benefit). Many IoT products target “resource-use” by tracking and displaying real-time data to users and by automating the operation of lights, appliances, and temperature systems to aid conservation. Companies will take full advantage of IoT devices, platforms and tools to build business models that will thrive
in a more interconnected world.

So, what are the risks that can arise from continuous monitoring and increased interconnectedness in our daily lives?

Various risks are outlined in the paper under several categories. The authors hoped that their article would serve as a ‘wake-up call’ to professionals and users alike, which aims to emphasise the importance of ensuring the trustworthiness of the IoT environment. Due to the ubiquity of the IoT, it is imperative that the various aspects of trustworthiness are duly considered and significantly improved.

Human Safety Risks: Successful attacks on the IoT can impact human safety as well as potentially cause death and destruction (whether that be directly or indirectly). Hospitals and healthcare establishments already use devices that are remotely-controlled and accessible “Things”; this includes patient monitors, body scanners, pacemakers, defibrillators, infusion pumps, main and auxiliary power, lighting, and air conditioning. If compromised, people could literally be killed through malicious software and actors remotely. The same goes for self-driving vehicles!

Security & Privacy Risks: The prime example the authors gave is a recent DDoS attack on Dyn (a domain service provider) which demonstrates the ubiquity of vulnerabilities in the IoT since many devices were “hijacked” and became “unwitting botnet zombies” using the malware Mirai that searches for vulnerable victims and exposes what the authors call:
“the top” of “just one of many hazardous icebergs”, as the DDoS attack significantly interfered with users’ access to major services such as Twitter, Amazon, Netflix, Reddit and Spotify. The attack involved tens of millions of devices and it illustrates the risks of having many “Things” connected and being used for malicious purposes.

Management Risks: Many IoT devices are difficult or impossible for users to update and that means security updates are extremely difficult or even impossible in some cases.

Robustness: The authors argue that there needs to be a “total system” trustworthiness that addresses the potential vulnerabilities in the devices as well as firewall security and configurations, network connections, cloud services, the Internet itself, the users and the malicious actors. The IoT also must be resilient to insider misuse. Internet firewalls’ capabilities need to be significantly bolstered in the face of potential misuse by outsiders. Fixed passwords and default encryption keys should be avoided even though they are quite common today (they were exploited by the Mirai malware in the DDoS attack on Dyn, for example). When a device is being updated or recalled, the firewall has to ensure protection for the remaining devices on the IoT.

In terms of Functional interoperability: Standards are needed to facilitate interoperable installations involving many different vendors’ devices. Functional interoperability involves the exchange of information without error and, therefore, this will involve a range of different operating systems depending on the Thing, its purpose and the scale of the operation it is involved in.

The authors essentially argue that these problems remain unsolved but categorically state that they should be solved. However, they do provide some general suggestions and guidance regarding how these problems can be solved.
Different types of Things should be studied and prototypes developed in R&D such that “all reasonable risks have at least been addressed.” Even a few successful cases would be invaluable for paving the way for how things are done in future. It would be extremely useful for everyone competing in the IoT marketplace because a few trustworthy examples would act as vital guidance for IoT developers. They also suggest better education for IoT developers regarding security, privacy, reliability, and trustworthiness more broadly because IoT developers “may have even less security expertise than traditional software developers”.

Could governments have a positive influence on ensuring trustworthiness in the IoT?

Although the authors encourage government involvement in terms of cooperation and regulation, they follow on from the ‘Keys Under Doormats’ report by Abelson, where it’s argued that there are tremendous risks associated with Governments mandating access to data and communications in tech. They do not welcome Government over-reach. The risks of “dumbing down” cyber security and cryptography for Government would be enormous and especially bad for the IoT. But the government can still play an active role when addressing issues in trustworthiness. The Government has the resources to invest in researching security and privacy risks and it can also provide the necessary funds to set standards to enable functional interoperability, model good practices, encourage adequate security management, and punish malicious actors.

There are numerous problems awaiting solution and the authors argue that incremental change is likely to be insufficient (and has been, to present); they suggest that some form of radical change is necessary. Essentially, we need to encourage “total-system trustworthiness” in order for the IoT to be viable.
Current advice regarding safety and security needs to be significantly revised because the risks arising from the IoT are far more pervasive (because of its ubiquity and the variability of the devices). The degree of “caution and common sense” required has not been determined yet and, for the IoT to be viable, it requires serious coordinated efforts from several entities: this includes governments, standards committees, and user communities. We need to develop trustworthy hardware and software components alongside deployment and development practices. Worryingly, individual IoT devices could be pulled into a new botnet any time (whereas, previously, botnet attacks can often be stopped by blocking the command and control servers that orchestrate the attacks).

The authors also wonder who should take responsibility for fixing these devices. Upon whom (users, vendors, manufacturer, organisation, person etc.) does each of the burdens of responsibility fall and, since each of the alternatives has its own set of risks, how would that be dealt with? A specific example the authors gave is: “if your home burns down because of a hacking attack on your IoT installation, or your negligence in failing to protect your technological devices, could your insurance companies deny coverage for known but unaddressed vulnerabilities, or even pre-existing conditions?”

What about the ethics involved in monitoring all this information from users?

It’s not only about monitoring the information but also collecting and processing it. Safety, trust and privacy issues will arise from this proliferation of interconnected devices because their security when connected to other systems is not totally addressed or even completely known. Hence, security requirements of one device can be different from when that device is connected to others and thus susceptible to be deeply affected by security threats (such as DDoS attacks, which the authors cite as well).
Moreover, the desire and need for more data is ever-growing since there is a clear financial and social incentive for the IoT.

Absolutely. This information is of interest to companies who want to know the behaviour of consumers and/or clients. Furthermore, the information retrieved from the IoT will occur at a much larger scale. So, Data Mining algorithms are a way of analysing this huge amount of data and to make autonomous decisions, which ultimately results in improving the efficiency of firms and saving time for customers. Such algorithms include:
– Clustering algorithms for unsupervised learning;
– Predictive, classification algorithms for objects with unknown labels;
– Association rule mining algorithms which are used to detect events that frequently occur together (in no particular order);
– Sequential patterns to identify events that occur frequently together (in some particular order);
– Outlier-detection algorithms that analyse trends, how these evolve over time, and detect the objects responsible for such behaviour;
– Time-series analysis (which can be used to estimate statistical properties of data and for prediction).

On this note, the authors could have emphasized that the risks associated with the IoT could actually be a danger to the integrity of the data monitored by, collected from, and transmitted through the IoT. For example, if attackers exploit vulnerabilities to interfere, manipulate and illegitimately modify data stored in other databases that otherwise may not have been so easily accessible if it weren’t for the IoT. However, significant work and research has been done on the potential for Blockchain technology to be used for securing the IoT.

What do you mean by Blockchain technology?

A Blockchain is a database that maintains a continuously growing set of data records. It is distributed in nature, meaning that there is no master computer holding the entire chain. Rather, the participating nodes have a copy of the chain.
It’s also ever-growing — data records are only added to the chain. It consists of two types of elements: Transactions, which are the actions created by the participants in the system, and Blocks, which record these transactions and make sure they are in the correct sequence and have not been tampered with. They also record a time stamp when the transactions were added. Blockchain technology can be used in tracking billions of connected devices. They can enable the processing of transactions and coordination between devices. The cryptographic algorithms used by blockchain would make consumer data more private.

So can Blockchain technology be the answer to IoT privacy and security concerns?

Although Blockchain has the desirable qualities of being both cryptographically secure as well as transactions and activity upon it being verifiable, it has its problems. Dr. Sarah Meiklejohn at University College London wrote a paper on how transactions on the Blockchain are actually traceable and not necessarily entirely anonymous.

In conclusion, existing legislation, policy frameworks, and current best practices are insufficient for the upcoming challenges as IoT devices become increasingly ubiquitous in our daily lives. There is a need to protect the users from being hacked by making a hacker’s job more difficult. IoT devices require deep research to handle security issues. The interconnection between devices will require different security configurations and developing these configurations requires extended research capable of addressing security threats derived from exploiting the vulnerabilities associated with a new, interconnected world.