The Internet of Things (IoT) not only offers new opportunities for marketing communication but confronts companies at the same time with new challenges – especially in the areas of data protection and data security.
Perceived as an infrastructure between physical and virtual objects that can communicate with people and other connected devices, it supposedly has the potential to make our lives easier. We should be aware, however, that each of these new smart devices collects data about us. Some data recorded can be highly sensitive, be it health data from customers in B2C or data on business-relevant processes in B2B, therefore demanding comprehensive data protection and security. Keep in mind that every data-producing device adds another source and transmission path on which data must be protected from misuse.
Since every IoT vertical and use case has its own architectural patterns, there is so far no single standard: device heterogeneity, vertical-specific standards, and emerging architectural concepts all stand in the way.
However, despite the myriad of devices and their wide array of use cases, industry verticals have started to collaborate on use-case-specific IoT security and connectivity standards, because both hardware manufacturers and software vendors are challenged by the increasing risk of vulnerabilities in IoT devices.
The convergence of technologies, including big data, cloud, analytics, and mobility, along with lower sensor prices and exponential social media adoption, is instrumental in driving IoT adoption worldwide.
Asia, and Southeast Asia in particular, is no exception when it comes to growing traction towards IoT adoption. Already back in 2014, FireEye reported that Asia Pacific was 35% more likely to be targeted by advanced cyber-attacks than the rest of the world. In any case, vulnerabilities in IoT devices are constantly exploited by attackers to access confidential corporate data, steal user information, or spread malware.
So avoid the following forms of negligence, as listed by the OWASP Internet of Things Project:
- Weak, guessable, or hardcoded passwords
- Unsafe network services
- Unsafe ecosystem interfaces
- Lack of secure update mechanisms
- Use of unsecured or outdated components
- Insufficient privacy protection
- Unsecured data transfer and storage
- Lack of device management
- Insecure default settings
- Lack of physical hardening
Erroneously, manufacturers often tend to focus only on the security of the application software they write themselves, and completely ignore the most widely exploited classes of vulnerabilities, namely third-party software/firmware vulnerabilities, configuration vulnerabilities, and authentication vulnerabilities.
IoT data protection concerns can be addressed by working through the following points:
- Determination of the person responsible for data protection: The manufacturer, equipment rental company or third-party service provider could be responsible for data protection. As soon as a third party comes into play, the user's consent to the disclosure of his/her data or another legal basis is essential.
- IT security certification of IoT devices: The main problem here is that updates have to be continuously installed on IoT devices and the level of IT security can change with each update, which is why it is difficult to make a permanent statement about the security of a device.
- Non-transparent data flow and insufficient education of users: So far, users have not been adequately informed about which data is being recorded, who has access to it and where or for how long it is stored.
- No possibility of objection: It is also not yet possible to object to data processing. Technically, the devices cannot function without data acquisition at all. So far, however, IoT devices have not offered any options that could at least restrict data collection.
- Inadequate encryption: In a survey by Gemalto, only 59% of IoT companies said they encrypt all data that is collected by their devices and used for analysis. If it gets into unauthorized hands, unencrypted data can be read out very easily.
- Security risks for companies: An Infoblox study showed that, in addition to private end devices, the drastic increase in IoT devices in company networks is causing enormous security risks. Companies should therefore keep an overview of the technical devices they are using and critically analyze the use of the Internet of Things.
The Internet of Things could also meet the requirements for a data protection impact assessment (DPIA) under Article 35 GDPR, which says that if the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals due to the type, scope, circumstances and purposes of the processing, the person responsible (the controller) must carry out a DPIA. However, it is quite difficult for an outsider to judge to what extent this is already being implemented. Therefore, it is best to follow general security standards for IoT devices, such as:
- Do not use default (factory-set) passwords
- Encrypt communication
- Keep software up to date
- Define an individual identity for each device (e.g., by numbering) for authentication
- Implement guidelines for what to do in the event of a data breach
- Segment the network so that compromised devices can be isolated from the rest of the network when needed
- Monitor system telemetry data, which provides information on how the software is used and how well it works
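As an added illustration (not code from the original article), the following Python audit checks a constructed device inventory against several of the baseline controls just listed: default passwords, a unique identity per device, encrypted transport, current firmware and network segmentation. The model names, firmware thresholds, credentials, URLs and VLAN name are all constructed sample values.

```python
from collections import Counter, namedtuple
from urllib.parse import urlparse

# Constructed sample values: factory defaults an auditor treats as unacceptable.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root")}
# Minimum acceptable firmware per model (hypothetical model names).
MIN_FIRMWARE = {"cam-200": (2, 4, 0), "gw-10": (1, 9, 3)}
# URL schemes that encrypt the device-to-backend channel.
ENCRYPTED_SCHEMES = {"https", "mqtts", "wss"}
IOT_VLAN = "iot-segment"  # isolated segment every device is expected to sit on

# One inventory record: firmware as "major.minor.patch", backend_url is where telemetry goes.
Device = namedtuple("Device", "device_id model firmware username password backend_url vlan")

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def audit_device(dev, id_counts):
    """Return the list of baseline controls this device violates (empty if compliant)."""
    findings = []
    if (dev.username, dev.password) in DEFAULT_CREDENTIALS:
        findings.append("default-password")
    if id_counts[dev.device_id] > 1:          # identity must be unique per device
        findings.append("non-unique-identity")
    if urlparse(dev.backend_url).scheme not in ENCRYPTED_SCHEMES:
        findings.append("unencrypted-transport")
    minimum = MIN_FIRMWARE.get(dev.model)
    if minimum is None or parse_version(dev.firmware) < minimum:
        findings.append("outdated-or-unknown-firmware")
    if dev.vlan != IOT_VLAN:
        findings.append("not-segmented")
    return findings

def audit_fleet(devices):
    """Audit every record; a shared identity is reported on each device holding it."""
    id_counts = Counter(d.device_id for d in devices)
    return [audit_device(d, id_counts) for d in devices]

# Constructed inventory: a compliant gateway, and two cameras that share an identity,
# one of which also keeps factory credentials, plaintext MQTT and old firmware.
FLEET = [
    Device("gw-0007", "gw-10", "1.9.3", "svc", "Tq7#vR1z", "https://api.example", IOT_VLAN),
    Device("cam-0001", "cam-200", "2.4.1", "svc", "Xk8!q2Lp", "mqtts://broker.example:8883", IOT_VLAN),
    Device("cam-0001", "cam-200", "2.3.0", "admin", "admin", "mqtt://broker.example:1883", "office-lan"),
]

if __name__ == "__main__":
    for dev, findings in zip(FLEET, audit_fleet(FLEET)):
        print(dev.device_id, findings or "compliant")
```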
A good option is to make firmware public: by following General Public License (GPL) practices, manufacturers can benefit from a worldwide network of security talent finding bugs and steadily improving the code. Without this transparency, they exclude responsible researchers from helping to protect their firmware. Right now, I see IoT as too diverse to have a single standard, since it is still emerging and continues to grow, but ultimately it will lead to something more homogeneous. The fact is that compliance is the single most important factor driving the growth of IoT security, as cyberattacks on the Internet of Things (IoT) are already a reality.
By Daniela La Marca