Misusing and Abusing the IoT - Now and in the Future
The Internet of Things is the network of physical objects—devices, vehicles, buildings and other items which are embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data [1]. As the number of devices connected to the Internet of Things is constantly on the rise, making it inherently more secure and protecting those devices from abuse, in the sense of unwanted access, manipulation by third parties and other scenarios, is rapidly turning into a pressing issue. According to some sources there were about 13.4 billion connected devices back in 2015, and projections show there might be up to 38.5 billion such devices in 2020 [2]. As the number of devices increases, proper security mechanisms for those devices become a priority in order to safely adopt the ever-growing Internet of Things into every aspect of a person’s daily life.
Privacy
One of the most discussed issues concerning the security of the Internet of Things is privacy. According to a study done by HP, 70 percent of the most frequently used IoT devices contain vulnerabilities. One of the most common security issues was privacy related. It appears that 90% of the tested devices collected at least one piece of personal information [3]. Due to the variety of tasks that devices connected to the IoT monitor and administer, the amount of information that can be extracted from those devices is fairly large. A British IT consultant discovered that an LG-made smart TV had been sending information back to the company about what shows the viewer had been watching and even what files were stored on the USB disk connected to the TV, without the user’s proper consent [4].
By collecting data from just a smart TV, long-term surveillance could reveal a pattern showing on which days and at what times a person watches television. From those times, one could deduce when a person is at work, when he is at home, on which days he doesn’t work, at what time he goes to sleep, which shows and topics interest him the most and so forth. The raw data could then be sold to the highest bidder or it could be organized. By collecting data from multiple sources, one could probably write a description of a person running to multiple pages just by monitoring his devices which are connected to the IoT. This organized data would be of great importance to, for example, companies involved in the advertising business, police and other law enforcement structures, criminals and other third parties, for different reasons.
Sensitive data could also very well be used to extort people or force them to do things which are useful to the extortionist. The biggest harm from such activity could come in a political form, where dictators or other corrupt officials could control their political opponents by threatening to reveal some kind of personal information. Although extortion is hopefully not that realistic a scenario in first-world countries, the selling of data collected by IoT devices to advertisers is more than likely. According to Chris Rouland, founder and CEO of Bastille, a company dealing with IoT security, "Many of the reasons that these products are very inexpensive is because part of the business model is the ability to collect and resell your data" [5].
Security
According to a survey conducted by Business Insider, the largest barrier to widespread business adoption of the IoT was security. In this survey, company executives were asked to answer questions regarding the IoT. The option "Privacy and security are the most significant barriers to IoT investment" was chosen by 39% of the respondents [6].
In 2015, a journalist, with the help of a couple of hackers, played through a hacking scenario on a Jeep [7]. While the journalist drove, the hackers manipulated the car to switch radio stations, turn on the cold air flow and eventually cut the transmission, leaving the car unable to accelerate. As this was just a demonstration, no people were endangered during the process. Yet it still shows how vulnerable the Internet of Things is, even at large corporations such as the one which produces Jeep. The vulnerability presents itself largely in the physical damage a virus or a malevolent hacker could cause. This does not only involve Jeeps, since similar attack scenarios were also performed successfully on cars such as the Tesla Model S and a 2013 Corvette. Nor does it concern only cars: a TrackingPoint self-aiming "smart" rifle was also hacked by reverse-engineering it for a journalistic experiment [8].
Cases like these suggest that elements of security are lacking in areas concerning the Internet of Things. The IoT also comprises items which can directly affect a person’s well-being and health. For instance, many medical devices, such as pacemakers, which maintain an adequate heart rate for a patient, or insulin pumps, which administer doses of insulin to a patient being treated for diabetes, could possibly be abused by a third party in order to kill or seriously compromise the health of the individual using those devices. According to researchers Billy Rios and Terry McCorkle in 2013, there are roughly 300 such medical devices which are exploitable [9]. In 2007, the doctors of Dick Cheney, the vice president of the USA at that time, ordered the defibrillator manufacturers to disable the wireless feature in the vice president’s defibrillator, fearing that somebody could hack it [10]. This suggests that in the future, as well as in the present, cyberattacks will not only be virtual threats but will turn directly into a physical threat to human life.
Reasons behind security related shortages
This raises the question of why the Internet of Things is left quite insecure and open to manipulation which can cause not only virtual threats but also real, physical damage which could be deadly in the worst-case scenario. The largest inhibitor to proper security measures comes from the fact that IoT devices are not as capable as, for instance, computers, due to their lack of processing power, which leaves fewer opportunities to properly secure them. Moreover, there is most likely an issue of consumer knowledge as well, which makes companies produce a cheaper, less secure device rather than a more costly, better secured device, because the consumer prefers the cheaper version. As the IoT is a fairly new phenomenon, legislation which forces companies to enforce strict security measures hasn’t been passed. That might possibly even be beneficial, since hindering the progress and new solutions of IoT-related innovations with strict laws might not be the best way to proceed.
How to fix issues regarding the IoT
Since "security is the main concern for the IoT" [11], the first step to improve the security of IoT devices should come from the vendors themselves. Having the device perform updates which renew the security software should be a must, although the updates shouldn’t take so much processing power as to compromise the functionality of the device. Having secure devices means that they are built from the start to be secure and protected from simpler attacks. Product managers working alongside security specialists to plan the product roadmap will ensure security is a key consideration when designing core features and functionality. An integrated team will allow for greater collaboration, ensure the business and security concerns are well balanced and any vulnerabilities can be identified early in the product lifecycle [12]. Examples include encrypting data and having strong passwords, which are not as easy to brute-force as, for instance, a PIN code.
"Some researchers have proposed attribute based encryption method and access controls in cloud computing environments. However, a huge number of devices as a characteristic of IoT was not considered in the existing schemes. Through context extraction based on detection, data owner performs encryption and decryption. In decryption process, each user can decrypt only desired data. Therefore user can receive data in low overhead environment even though there are a large amount of device exists. In the end, access control using context has shown some benefit, but also needs more study about it." [13]
The issue of privacy should be tackled alongside security, so that devices do not collect and forward too much information and companies do not sell it to any third parties. The length of time for which collected data is kept in storage should be reduced in order to make any privacy leaks less harmful. One idea to prevent the need for excessive data collection was proposed by Chris Rouland. He sees that privacy in the IoT could be retained by paying a premium, meaning that a user would pay a small sum so that the company wouldn’t forward the data anywhere or at least would guarantee that the data is de-attributed from the customer [14].
Educating customers is a necessity as well, since having strong integrated security features is not enough when the product is used improperly. Companies have to offer advice on updates and patches to the customer, as well as educate customers about best practice, such as changing passwords regularly, since unchanged passwords are to date one of the most common causes of a security breach. Employees who work in customer service must also be properly trained in order to help the clientele manage these issues [15].
Conclusion
In conclusion, because the IoT is still in its early stages despite the quite massive number of connected devices, security features have been somewhat overlooked. As the new industry hasn’t been forced to introduce more sophisticated security measures either by law or by consumer knowledge, producers, in hopes of maximizing the usage of IoT devices and spending less on security, have not been prioritizing those issues. Most notable are the privacy-related issues, where devices collect too much information and in some cases forward the collected personal data to the company which created the device. Besides issues of privacy, there are concerns about general security. In the worst cases, poor security measures and a planned hacker attack can lead to death or other severe health risks. Security risks are to blame partly on the small processing power of IoT devices, but also on companies not making the devices inherently secure from the start of production. Since the IoT industry is developing quickly, so are the ideas for protecting those devices, for instance encrypting the data in a novel way, creating stronger default passwords and so on. And if producers should fail to implement proper security measures by themselves, the legislative bodies have to step in and enact laws which set a standard for security.
References
[1] "Internet of Things", Wikipedia, 2016. [Online]. Available: https://en.wikipedia.org/wiki/Internet_of_Things. [Accessed: 11-Mar-2016].
[2] "Internet of Things Connected Devices to Almost Triple to Over 38 Billion Units by 2020 - Juniper Research", Juniperresearch.com, 2016. [Online]. Available: http://www.juniperresearch.com/press/press-releases/iot-connected-devices-to-triple-to-38-bn-by-2020. [Accessed: 11-Mar-2016].
[3] "HP News - HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack", Www8.hp.com, 2016. [Online]. Available: http://www8.hp.com/us/en/hp-news/press-release.html?id=1744676#.VvGt9OJ9670. [Accessed: 11-Mar-2016].
[4] C. Arthur, "Information commissioner investigates LG snooping smart TV data collection", the Guardian, 2013. [Online]. Available: http://www.theguardian.com/technology/2013/nov/21/information-commissioner-investigates-lg-snooping-smart-tv-data-collection. [Accessed: 11-Mar-2016].
[5] D. Bradbury, "How can privacy survive in the era of the internet of things?", the Guardian, 2015. [Online]. Available: http://www.theguardian.com/technology/2015/apr/07/how-can-privacy-survive-the-internet-of-things. [Accessed: 11-Mar-2016].
[6] C. Weissman, "We Asked Executives About The Internet Of Things And Their Answers Reveal That Security Remains A Huge Concern", Business Insider, 2016. [Online]. Available: http://www.businessinsider.com/internet-of-things-survey-and-statistics-2015-1. [Accessed: 19-Mar-2016].
[7] A. Greenberg, "Hackers Remotely Kill a Jeep on the Highway—With Me in It", WIRED, 2016. [Online]. Available: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway. [Accessed: 19-Mar-2016].
[8] A. Greenberg, "Hackers Can Disable a Sniper Rifle—Or Change Its Target", WIRED, 2016. [Online]. Available: http://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-target/. [Accessed: 19-Mar-2016].
[9] "Medical Devices Hard-Coded Passwords | ICS-CERT", Ics-cert.us-cert.gov, 2016. [Online]. Available: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01. [Accessed: 19-Mar-2016].
[10] D. Ford, "Docs shielded Cheney defibrillator from hacks", CNN, 2016. [Online]. Available: http://edition.cnn.com/2013/10/20/us/dick-cheney-gupta-interview/. [Accessed: 19-Mar-2016].
[11] C. Bekara, "Security Issues and Challenges for the IoT-based Smart Grid", Procedia Computer Science, vol. 34, pp. 532-537, 2014.
[12] "How to secure the internet of things", ComputerWeekly, 2016. [Online]. Available: http://www.computerweekly.com/opinion/How-to-secure-the-internet-of-things. [Accessed: 25-Mar-2016].
[13] J. Lee, S. Oh and J. Jang, "A Work in Progress: Context based Encryption Scheme for Internet of Things", Procedia Computer Science, vol. 56, pp. 271-275, 2015.
[14] D. Bradbury, "How can privacy survive in the era of the internet of things?", the Guardian, 2015. [Online]. Available: http://www.theguardian.com/technology/2015/apr/07/how-can-privacy-survive-the-internet-of-things. [Accessed: 25-Mar-2016].
[15] "How to secure the internet of things", ComputerWeekly, 2016. [Online]. Available: http://www.computerweekly.com/opinion/How-to-secure-the-internet-of-things. [Accessed: 25-Mar-2016].