Question

Note: These discussion threads are an independent line of thinking from the course. We are exploring the world of loT and these ideas are here to stimulate that thinking Given the nature of loT devices what security and privacy concerns can you identify? How would you protect loT devices? Do all loT devices need protection? Explain.

Answer 1

SECURITY AND PRIVACY CONCERNS IN IOTS

Security Concerns in IoTs Internet of Things virtually is a network of real world systems with real-time interactions. The development of the initial stage of IoT, is M2M (Machine to Machine), having unique characteristics, deployment contexts and subscription. Unattended operation without human intervention is possible for long periods of time by the wireless area network (WAN) or WLAN. Though providing improvements in social efficiency it creates an array of new problems concerning breach of privacy and that information security.

1. Front-end Sensors and Equipment Front-end sensors and equipment receives data via the built-in sensors. They then transmit the data using modules or M2M device, thus achieving networking services of multiple sensors. This methodology involves the security of machines with business implementation and node connectivity. Machine or perception nodes are mostly distributed in the absence of monitoring scenarios. An intruder can easily access these devices which imply damage or illegal actions on these nodes can be done. Possible threats are analyzed and are categorized to unauthorized access to data, threats to the Internet and denial of service attack.

2. Network Network plays an important role providing a more comprehensive interconnection capability, effectualness and thriftiness of connection, as well as authentic quality of service in IoTs. Since a large number of machines sending data to network congestion, large number of nodes and groups exist in lOTs may be resulted in denial of service attacks.

3. Back-end of it systems Back-end IT systems form the gateway, middleware, which has high security requirements, and gathering, examining sensor data in real time or pseudo real-time to increase business intelligence. The security of IoT system has seven major standards viz; privacy protection, access control, user authentication, communication layer security, data integrity, data confidentiality and availability at any time.

Privacy Concerns

In IOTs The Internet security glossary defines privacy as "the right of an entity (normally a person), acting in its own behalf, to determine the degree to which it will interact with its environment, including the degree to which the entity is willing to share information about itself with others". International Journal of Computer Applications (0975 – 8887) Volume 90 – No 11, March 2014 25 Typically in IoTs, the environment is sensed by connected devices. They then broadcast the gathered information and particular events to the server which carries out the application logic. This is performed by Mobile or/and fixed communication which takes the responsibility. Privacy should be protected in the device, in storage during communication and at processing which helps to disclose the sensitive information .The privacy of users and their data protection have been identified as one of the important challenges which need to be addressed in the IoTs.

1. Privacy in Device The sensitive information may be leaked out in case of unauthorized manipulation or handling of hardware and software in these devices. For example, an intruder can “reprogramme” a surveillance camera could such that it sends data not only to the legitimate server, but also to the intruder. Thus, for devices that gather sensitive data robustness and tamperresistance are especially important. To ensure IoTs security trusted computing technologies including device integrity validations, tamper-resistant modules and trusted execution environments are useful. In order to provide the privacy in the devices, there exists so many problems one need to address such as it could be the location privacy of the device holder , non-identifiability means protecting the identification of the exact nature of the device, protecting the personal information in case of the device theft or loss and resilience to side channel attacks. Location Privacy in WSN is achieved by using the algorithm Multi-Routing Random walk in the wireless sensors, in the case of the Protecting of display privacy and Protection of personal Identifiable Information(PII) in case of device loss, theft could be achieved by having QR codes(Quick Response Code) technique were selected. In the case of Non-Identifiability and side channel attacks adding randomness or noise, having synchronous CPUs, Blind values used in calculations could be used.

2. Privacy during Communication To assure data confidentiality during the transmission of the data, the most common approach is encryption. Encryption on certain occasions adds data to packets which provides a way for tracing, e.g. sequence number, IPsec- SecurityParameterIndex, etc. These data may be victimized for linking packets to the analysis of same flow traffic. Secure Communication Protocol could be the suitable approach . During the communication Pseudonyms can be replaced for encryption in case it is not feasible to the device’s identity or user’s in order to decrease the vulnerability. One of the longfamiliar examples is Temporary Mobile Subscriber Identity (TMSI). Devices should communicate if and only if when there is a need, to derogate privacy disclosure induced by communication. In 3GPP machine type communications, in order to avoid unnecessary collection of location information by the network after a certain period of inactivity the devices will detach from the network.

3. Privacy in Storage For protecting privacy of information storage, following principals should be considered. • Only the least possible amount of information should be stored that is needed. • In case of mandatory then only personal information retained. • Information is brought out on the basis of “need-to-know”. To conceal the real identity tied with the stored data Pseudonymization and Anonymization could be used. Without disclosing any specific record, a database could allow access only to statistical data (sum, average, count, etc.). To ensure the output (typically aggregate queries) is independent of the absence or presence of a particular record adds noise called as differential privacy could be the appropriate technique.

4. Privacy at Processing It is mainly of two folds. Firstly, personal data must be treated in a way that it should be simpatico with the intended purpose. Secondly, without explicit acceptance and the knowledge of the data owner, their personal data should not be disclosed or retained to third parties. By considering the above two points, Digital Rights Management (DRM) systems is most suitable which controls the consumption of commercial media and defends against re-distribution illegally. One can define privacy policies for personal data in a rights object or license instead of excersing principles for commercial media which must be obeyed during the data processing. DRM requires trusted devices, secure devices to work efficiently and effectively. User’s permission and their awareness are requirements for distribution of personal data. User notification aids to avoids abuse.

reference: International Journal of Computer Applications (0975 – 8887) Volume 90 – No 11, March 2014