Last November I was invited to give a keynote speech at the 2015 IEEE International Conference on Research in Computational Intelligence and Computer Networks (ICRCICN 2015) held in Kolkata, India. I chose the topic “The Internet of Everything: How secure should it be?”* The more I thought about the security of the IoT, the more I realised how IoT could make individuals insecure and vulnerable and that the coming of IoT could seriously impact on our privacy!
The Internet was conceived in the early seventies mainly for the exchange of messages and data among academics and researchers in the USA (Leiner et al., no date). It took more than three decades to add the first billion users on to the Internet. This happened in 2005. After just 10 years, Cisco (2014) predicts 8 billion connected “things” (smart phones and M2M devices) in 2016. Gartner predicts that the Internet will have 20 billion connected things by 2020 (Gartner, 2015). Although a precise estimate of how many devices are connected to the Internet at any given time is impossible, Walport (2014) gives a collection of predictions made by a number of agencies according to which IoT is expected to reach 50-100 billion devices by 2026.
These “things” would include – in addition to your laptop, tablet and smart phone – your Internet connected toaster, fridge, toothbrush, bathroom scale, baby monitor, smart watch or smart TV (which can spy on you – well, that is a topic for another post) at one end of the spectrum, to connected cars, smart houses, smart cities, industrial robots, energy and transport systems, etc., at the other end. According to International Data Corporation (in Schulz, no date) the total revenue from IoT is expected to be $8.9 trillion by 2020. Scroxton (2016) reports that UK enterprises expect to spend 42% more on IoT projects in 2016 but 80% of the business leaders were aware that “security was a barrier to successful IoT innovation and adoption”.
These “things” are embedded with sensors giving them the ability to sense physical parameters. For example, a modern smart phone has, on average, 14 embedded sensors constantly taking measurements such as light intensity, temperature, location, etc. The devices are designed to be smart with the ability to talk to you, and communicate with each other via Bluetooth, Infra-Red, Wireless or Cellular Phone technology. For example, your refrigerator will sense that you need milk and will message you when you are on your way home from work. Your car will send a signal to your home thermostat when it is 30 minutes away from home. Of course, it will check the GPS route map to find out the traffic conditions en route and compute an estimated time of arrival (ETA) before doing this. These are all good things, aimed at making your life easy and comfortable. So then what is there to worry about?
The worry comes from the fact that we have little control over what these things do behind our backs. Your bathroom scale can gossip with the toothbrush and with your personal health monitoring system. Imagine the plight of a celebrity whose weight gain becomes public knowledge because the Internet connected bathroom scale had leaked it to the paparazzi. If your fridge does not “like” you, it can hack the toaster and burn your toast. The huge computational capability – high powered processor and large memory – of some of these devices makes them very attractive to criminals. BBC (2014) reported that a fridge was among 100,000 compromised gadgets which were used in a spam campaign sending 750,000 spam messages.
The nature of IoT is that these devices are allowed to join networks without much user intervention. They use their default security settings, which are not very strong in most cases, allowing hackers to have easy access to your devices. Once exploited, they can be used not only to attack you but also to launch Internet-wide attacks (BBC, 2014). Moreover, they can be made to share your vital statistics with data aggregators and harvesters who can then customise their services to you, try to sell something new, or simply sell the data to others. A criminal who intercepts this data might use it to blackmail you. Grau (2015), who gives many examples of possible attacks due to exploitation of IoT security vulnerabilities and reports on a Cincinnati hacker who compromised a baby monitor and used it to scream at a sleeping infant, goes on to say that “The Internet of Things has been touted as many things. But what you haven’t heard is that it could be your worst enemy”.
More recently, with the emergence of wearables, the story has become even more complex for more than one good reason. Firstly, the wearable IoT devices will become ubiquitous very soon and will number in the billions. Based on recent studies, Statista (2016) predicts that the wearables market will reach US $12.6 billion by 2018. Secondly, people pay little attention when they use a wearable IoT device which may be collecting a range of health related metrics covering blood pressure, heart rate, steps taken, sleep patterns, etc. Thirdly, and most importantly, these wearables sync users’ personal data with their smart phones and personal computers, thereby heightening the risk of compromising PII (Personally Identifiable Information). These issues are compounded by the fact that the data that comes from a wearable device that is not hospital-assigned does not have to be HIPAA (US Health Insurance Portability and Accountability Act of 1996) compliant.
So what does it all mean? As illustrated by Grau (2015), security vulnerabilities in personal wearable devices such as smart wristbands, body implants (such as pacemakers, insulin pumps), etc., can become central to the attack vector. Although the pressure on industry to secure communications of wearables has become ever more intense, the industry, in a bid to get its products into the market before the others, has rolled out many billions of these devices that lack proper security measures. Jack Narcotta, industry analyst at Technology Business Research Inc., New Hampshire, USA, has recently emphasised (in Edmond, 2016) the need to take care of security of wearables, stating that “these things will go off road to places that smartphones and tablets never really went”.
Recognising the importance of studying [the lack of] IoT security, the Department of Computing, Digital Forensics and Cybersecurity has been engaging in various studies. Last year, under my supervision, a Computing student looked into the use of Node-RED (an IDE developed by IBM) and the inherent security features of the MQTT (Message Queueing Telemetry Transport) protocol for D2D (device-to-device) communication. This year I will be supervising several project students who will be looking into the security flaws in home automation devices, and will develop apps for providing assistive care and wellbeing using personal wearable devices and evaluate their security requirements.
* full presentation material is available on CReaTE
If you are interested in working with Abhaya on IoT related projects, please contact him at: firstname.lastname@example.org
BBC, 2014. Fridge sends spam emails as attack hits smart gadgets [Online] Available at: http://www.bbc.co.uk/news/technology-25780908 [Accessed 19 February 2016]
Cisco, 2014. Cisco Visual Networking Index and VNI Service Adoption- Global Forecast Update 2013–2018 [Online] Available at: http://www.ciscoknowledgenetwork.com/files/448_06-24-14 VNI_Traffic_and_Service_Adoption_Forecast_Presentation__CKN_MOBILITY_.pdf?utm [Accessed 19 February 2016]
Edmond, R., 2016. Enterprise wearables suffer from a lack of apps [Online] Available at: http://searchmobilecomputing.techtarget.com/news/4500272576/Enterprise-wearables-suffer-from-a-lack-of-apps [Accessed 19 February 2016]
Gartner, 2015. Gartner Says 6.4 Billion Connected “Things” Will Be in Use in 2016, Up 30 Percent From 2015. [Online] Available at: https://www.gartner.com/newsroom/id/3165317 [Accessed 16 February 2016].
Grau, A., 2015. How to Build a Safer Internet of Things: Today’s IoT is full of security flaws. We must do better [Online] Available at: http://spectrum.ieee.org/telecom/security/how-to-build-a-safer-internet-of-things [Accessed 19 February 2016].
Leiner, B. et al., no date. Brief History of the Internet. [Online] Available at: http://www.internetsociety.org/internet/what-internet/history-internet/brief-history-internet#Origins [Accessed 16 February 2016].
Schulz, M., no date. How connected cars, IoT devices will drive enterprises [Online] Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/389315/14-1230-internet-of-things-review.pdf
Scroxton, A., 2016. Half of UK businesses looking for internet of things lead roles [Online] Available at: http://www.computerweekly.com/news/4500273264/Half-of-UK-businesses-looking-for-internet-of-things-lead-roles?utm_medium=EM&asrc=EM_EDA_53512099&utm_campaign=20160217_Half%20of%20UK%20businesses%20looking%20for%20internet%20of%20things%20lead%20roles_&utm_source=EDA [Accessed 19 February 2016].
Statista, 2016. Forecasted value of the global wearable devices market from 2012 to 2018 [Online] Available at: http://www.statista.com/statistics/302482/wearable-device-market-value/ [Accessed 19 February 2016].
Walport, M., 2014. The Internet of Things: making the most of the Second Digital Revolution — A report by the UK Government Chief Scientific Adviser, Sir Mark Walport [Online] Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/389315/14-1230-internet-of-things-review.pdf [Accessed 19 February 2016].