The Internet of Things – the Safety of Your New Smart Home

by Maria Ilie, Maria Ficiu, Andrei Nicolae, Matei Butucescu

What is the Internet of Things (IoT)?

The internet of things is “the internetworking of physical devices, vehicles, buildings and other items—embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data” [1].

The concept goes beyond the typical machine-to-machine interaction that traditional connected devices have- IoT is expected to usher in advanced interconnectivity that ultimately leads to automation and better data processing.

IoT has been included in Gartner’s Hype Cycle for Emerging Technologies for a number of years now, with numerous applications being foreseen, especially in terms of smart homes.

iot-smart-home-540x334

However, the consumers’ concerns are also growing, as they fear that increased connectivity will also mean that they will just have more devices that can be hacked, or that their data will be visible to third parties. To better understand this debate, let’s see what the main applications for IoT are and what they bring in terms of security and privacy concerns.

The main applications for IoT

Any object that can be equipped with a sensor has the potential to become a connected device, so there is no surprise that we’ve started seeing them all over the news. Although many classifications are possible, IoT Analytics [2] have produced a study  to show what the most popular searches were, reflecting where the future consumer demand will be. Let’s have a closer look at the main categories.

IoT-application-ranking-v3.png

Smart Home

The hot topic in IoT right now is the smart home, from Mark Zuckerberg trying to re-create his own home AI Jarvis and Google’s investment in the smart thermostat Nest, all the way to the hundreds of start-ups being funded with similar projects.

This category is probably the most popular because of its relevance to the everyday consumer- you don’t have to be a tech expert to want a refrigerator that tells you when you run out of milk- but that’s also where the problems start. The average consumer isn’t savvy enough to know how to protect themselves and their data against all types of cyber crimes, and with the rise of IoT the stakes are rapidly increasing. In a couple of years, being hacked could no longer mean just someone finding out your password, but potentially causing disruption in your home and monitoring your location.

As this is the most discussed category to date, we will discuss its privacy and security dimensions later on in the article.

Wearables

After smart home, the most discussed  topic was that of wearables, which have already penetrated the market with products such as the Apple Watch, Microsoft Band, FitBit, etc. One of these devices, Jawbone, holds the record for the largest funding for an IoT product to date [2].

Beyond the fitness trackers, companies are also exploring virtual reality wearables such as Google Glass or the Oculus Rift, which are forecasted to become the newest type of consumer media.

Smart City

The third category is smart cities, with applications such as traffic and waste management, noise pollution reduction and environmental monitoring. The appeal of smart cities is easy to see, as the potential for cost reduction is immense, and the IoT solutions promise to solve everyday problems such as traffic jams or polluted air.

Smart Grid

As global warming comes more and more into the focus of policymakers, it’s crucial that the fourth category, smart grid, is taken into consideration. Smart grids promise to improve the efficiency and reliability of energy grids by analyzing the behavior of electricity suppliers and consumers.

 

Security in IoT- will you be safe in your smart home?

People like to feel secure in their homes, so the reluctance to embrace IoT devices that might make their homes prone to outside attacks is understandable. New technologies will always be more vulnerable than mature ones, and to add to that, the more devices you add, the more points of entry you grant to potential attackers, as illustrated below.

IoT-security-attacks.png

However, IoT producers are aware of the potential threats and are taking active measures to prevent security breaches from happening. For instance, sandboxing is a common method of protecting against vulnerabilities, and consists of isolating the environment from external intervention as much as possible. That’s why, for example, you can’t install new software on an iPhone that didn’t come from the App Store.

Finally, most hacks of ordinary consumers come from social engineering (e.g. finding out your interests in order to have a better shot at guessing your password, making you log into fake accounts hoping you’ll use the same password), not from a fault of the manufacturer. Thus, digital security education for consumers is going to be far more important than any manufacturing protocol in the future.

Read more about Big Data and online security here.

Privacy in IoT- who can see what you’re doing?

5310c94b49b2e946c88ff4c6ca51cc0f

Besides concerns about third parties accessing our data, consumers are worried about the manufacturing companies themselves using it against us.

We should take note of the distinction between individual data and aggregated data processing. Individual data processing is when, for instance, an insurance company would use what they know about your daily step count to modify the price you need to pay for insurance. Aggregated data processing is when that same company would use all the available data to modify the average insurance price. This distinction is important, as most of the data that is currently collected is used in the latter manner, which means one can’t be uniquely identified based solely on the collected data, although that’s not to say that there won’t be a shift at some point.

To conclude, privacy laws and practices will have to evolve at the same pace as technology does, otherwise there will be some clear winners and losers from the people whose data is collected.

Your turn

Did we make you reconsider how safe you are on the internet? Take the quiz here to find out how to get safe online (give it a try, it’s harder than you think!). Comment your scores down below and let us know what you think about the topic.

quiz

 

 

References

Featured image. Retrieved 23/10/2016 from: http://cdn.mos.cms.futurecdn.net/V2mhmEFpAPzBhrKQTJbnKA.jpg

Sensors image. Retrieved 23/10/2016 from: http://lh3.googleusercontent.com/3ilN8pLYRkHhzWgA3QVtVjHOa2Sv9MwYocWB_jXbyRvjXzN53Hb9AV9p4gGBcEM50AyUfYtD1wFtFA1fI_iwpY23EMJ2=s1200

IoT Devices. Retrieved 25/10/2016 from: http://www.theinquirer.net/IMG/976/314976/iot-smart-home-540×334.jpg?1447305839

Nest cartoon. Retrieved 24/10/2016 from: https://ro.pinterest.com/pin/298574650267724826/

Security attacks. Retrieved 23/10/2016 from: https://imgtec.com/wp-content/uploads/2015/07/IoT-security-attacks.png

Quiz. Retrieved 23/10/2016 from: https://www.getsafeonline.org/quiz/

[1] Internet of things. Retrieved 24/10/2016 from: https://en.wikipedia.org/wiki/Internet_of_things

[2] IoT popular searches. Retrieved 24/10/2016 from: https://iot-analytics.com/10-internet-of-things-applications/

Advertisements

11 thoughts on “The Internet of Things – the Safety of Your New Smart Home

  1. Thank you for the nice summary 🙂
    Why do you think so many people care about their privacy? If they buy smart home devices they would want more technological assistance right and therefore the devices have to collect more data.

    Like

    1. Collecting more date is something, and finding a way to make it accessible to others is something else. Sometimes for some data “existing” somewhere in the internet, means it can be accessible to different people. That is one of the biggest issues that “Big Data” is facing in my opinion.
      I would care about my privacy, even though it is not the first thing that comes to my mind when I buy a smart home device.

      Like

    2. I think the concern is that security is perceived as evolving slower than the IoT space in general, so people fear that third parties will access and exploit their data. This is not to say that it’s actually true, but few people keep up to date with all the developments in the field.

      Like

  2. Very interesting and relevant topic! As already mentioned in the article, increasing the connectivity increases points of entry granted to potential attackers. That’s why security plays a very important role. The article lists sandboxing as one of the most common methods of protecting against vulnerabilities by isolating the environment from external intervention. If you want to know more about sandboxes in general, I recommend the article listed below. It’s about problems of common sandboxes. Furthermore, it compares common sandboxes to smart sandboxes, which are capable of analyzing the behavior of multiple aspects of a threa.

    http://blog.trendmicro.com/trendlabs-security-intelligence/deploying-a-smart-sandbox-for-unknown-threats-and-zero-day-attacks/

    Like

    1. really interesting article, thanks for adding it! I think when it comes to the smart sandboxes, Big Data could really help, namely with refining their analytical power.

      Like

      1. I disagree. There is only one think you really have to keep in mind.
        “Keep different things separate. ”
        And this means really separate (i.e. if possible using “baremetall” i.e. hardware isolation) and not some soft stuff in userspace (for instance almost all visualization or “sandboxing” software you ever heart about).
        The idea is to thing about what you have to trust in order to stay secure (the so called trusted computing base).
        Then you should thing about what you can reasonably trust (these things are called trustworthy). This especially implies that they should be secure (i.e. resistant against attacks), but also that they are doing what they are supposed to.
        Now your goal is to make sure that everything which is on the first list is also on the second.

        The big problem is of cause that modern systems are so incredibly complicated that you can never reasonably trust them (for instance this applies to all monolitic operating systems for anything including but not limited to windows, mac, ios, linux, bsd, solaris…). So the only way to get back into controll is to try to assume breakage and to make sure it won’t cause any problems. For instance using a very insecure operating system (any system, it really doesn’t matter) it doesn’t make any problems as long as you don’t connect it to the internet (well, and never connect it with a USB stick or a SD card, … and potentially even the power supply or microphone might be dangerous). On the other hand you don’t care about somebody breaking into your browser as long as all the interesting information are stored somewhere else. So combining all these ideas one might want to build a computer (or car I don’t mind, the main idea is the same) which provides strong hardware based (baremetall) visualization, sufficiently thin and small that you can hopefully trust it, and then build different virtual machines using the visualization. Especially the virtual machine responsible for the management and for instance displaying everything on your computer screen would be too big to be put under the hypervisor, so it should run in an airgapped virtual machine and never ever receive any information from the other “domains”. Then you can have different virtual machines for different purposes, one for emails, one for writing in this blog, one to access campusnet, …
        And the surprise is, this system does already exist (and I am currently using it). I is calles Qubes OS (see qubes-os.org), the only reasonable usable operating system I ever heart about and known and used by nobody except some very few computer nerds, who care about privacy and security so much that they would probably never use these products described above anyway.
        So I doubt that this approach will be applied en large. I guess we just have to get used to being completely depended on non transparent propriatary system we don’t understand, we can’t reasonably trust and that are very likely to by extremely vulnerable to cracking (which might very well be life threatening).

        Liked by 1 person

      2. Colin, really interesting point about sandboxing, thanks for adding it! Is it feasible to use the baremetall isolation (in terms of costs and usability) for start-ups or for individuals? I’m thinking about the return of investment of time for small companies, as it just seems that they would sacrifice so much of their time, money and compatibility with other systems versus the cost of being hacked (which wouldn’t be so high for them). I’m really curious to hear your opinion about the payoff for individuals as well- is it worth spending one’s time to be protected against low-risk events?

        Like

  3. “Did we make you reconsider how safe you are on the internet? Take the quiz here to find out how to get safe online (give it a try, it’s harder than you think!). Comment your scores down below and let us know what you think about the topic.”

    -One interesting point is for instance, that you would not be able to run it without using Flash player (a security nightmare). i haven’t tested further, but I am sure it has even more interesting requirements (say JS enabled).

    Like

    1. Haha that is ironic indeed. Didn’t iPhones use to not support Flash player? Was this the reason why? Again, I think it would be interesting if you could expand on the point of individual payoff of investing time in cyber-defense. Thanks for all the interesting comments!

      Like

    2. “I’m really curious to hear your opinion about the payoff for individuals as well- is it worth spending one’s time to be protected against low-risk events?”

      -This really depends. If you are used to linux and having to fix problems on your own you might consider the costs of getting started to be relatively low. However, when it comes to maintenance it does add a significantly bigger amount of work to keep it running (perhaps halt an hour a day).
      In this regard I suspect that companies might have an advantage as they could make their systems highly automatic minimizing the maintenance costs an approach obviously not feasible for most individuals. Here of course remains quite some costs of switching to these systems (and being said, that you should look for baremetall compartmentalization there is visualization on virtually all levels (from baremetall to micro-kernels (for instance Gnu Hurd), kernels operating system or userland), so you have an trade off between security and usability).

      Finally, there are the costs that come with the performance issues caused by the necessary overhead of visualization. While this does require an overhead of resources, this overhead is relatively small on modern hardware compared to the overhead (especially memory) of higher level visualization (which might already be used anyway, for instance on servers) and in case of hardware based isolation the increased runtime (CPU) is very small. But I think that these overheads shouldn’t play a big role considering the very low costs of the required components right now.

      But I wouldn’t really talk about low level risks here. Even these somewhat extreme measures can not protect you against i.e. some of your own hardware (low-risk threads). However, breaking in monolithic systems (that don’t use these measures) is usually very easy, you simply need an exploit on application level and one in the kernel and you can do anything. So while it can’t help you against (all) low-risks threads, it can (if you use it correctly) protect you against high-risk, thus threads making your system “reasonable” secure.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s