Smart devices Use Cases and cybersecurity

Introduction

The number of all ways on and internet connected number of smart devices is growing year on year. Though while we have slowly begun to tackle the issue of cybersecurity around smart devices the potential problems and concerns regarding smart devices continue to emerge. Some of these problems  have come about due to increasing number of devices that are on the market along with the need to comply with ew regulation such as GDPR and the upcoming EU ePrivacy Regulation. This post will aim to highlight some of the use cases of smart devices and how these led to cybersecurity, data protection and privacy concerns. 

 Use Cases

  • Home based Smart Appliances: The new wave of connected appliances has made it possible, to provide a cost effective path to meaningful functionality for end customers, along with remote diagnostics, management and analytics for manufacturers. Connectivity will enable better user experience, proactive alerts and even safety notifications. Manufacturers will learn more about how their products are being used, and be able to more rapidly innovate and deliver enhancements and even new services.

  • Home Water Treatment: There is growing demand for consumer water and air treatment systems and most of these devices have consumable components such as salt or filters. Adding internet connectivity to these water treatment devices can provide performance data, customised alerts on device performance, automated consumable ordering and even automatically adjusts to the users' water usage patterns.

  • Fire and Safety in the Home: Fires are still a common killer and have ability to in numerous ways in the modern house with fires from failed electrical devices now the most common. Adding connectivity to fire safety devices can provide homeowners with the ability to monitor their property remotely and even send alerts to friends and neighbours in the event of an emergency.

  • IoT in Agriculture: Data collected by smart agriculture sensors, e.g., weather conditions, soil quality, crop’s growth progress or cattle’s health. The most common smart agriculture gadgets are weather stations, combining various smart farming sensors. Located across the field, they collect various data from the environment and send it to the cloud. The provided measurements can be used to map the climate conditions, choose the appropriate crops, and take the required measures to improve their capacity (i.e., precision farming). One more type of IoT product in agriculture and another element of precision farming are crop management devices. Just like weather stations, they are placed in the field to collect data specific to crop farming; from temperature and precipitation to leaf water potential and overall crop health. Thus, farmers can monitor their crop growth and any anomalies to effectively prevent any diseases or infestations that can harm their yield.






 Cybersecurity Concerns

 There are numerous security risks with smart devices and systems can that if not mitigated or protected against can leave owners vulnerable to serious threats, such as arson, blackmail, theft and extortion. Researchers have found two major categories of vulnerability: excessive privileges and insecure messaging. Excessive privileges means that that a smart app or device can carry out functions that it is not meant for.  Insecure messaging means as long as a smart app has even the most basic level of access to a device it can receive all the messages the physical device generates, not just those messages about functions it has privileges to.

 There a number of basic steps that user can take to protect their systems and devices:

  • Network Segmentation
    • Configure VLANs and firewalls
    • Monitor networks for anomalous activity
  • Firmware Updates
    • Know who is responsible for managing the smart devices or apps
    • Make sure you have the latest updates
  • Proactive Assessment (more for business users than home)
    • Find vulnerabilities and address before they are exploited
    • Perform penetration testing against your environment
  • Device auditing
    • Before deploying devices check the for encryption and check for their proper authentication features. 


 Data Protection Concerns

 With the advent of GDPR coming into force it has led to many companies to change how they collect and handle data though with number of data protection investigations and complaints on the rise along with the first fines being handed to companies due to breaches of GDPR they still have a long way to go. 

 There are key rights under GDPR that user should be aware of since they important when exercising control over their data:
Breach Notification – Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “Without undue delay” after first becoming aware of a data breach.  
Right to Access – Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
Right to be Forgotten – Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.
Data Portability – GDPR introduces data portability — the right for a data subject (the user) to receive the personal data concerning them, which have previously been provided in a 'commonly use and machine-readable format' and for which the right to transmit that data to another controller has been given.This has yet to be fully implemented with only limited testing by different companies. An example is the Data transfer Project which is an open-source initiative which features data portability between multiple online platform. Some of the expected use cases for users porting data directly between digital services and platforms include the means to transfer contacts, messages and media between platforms without losing access to them or having to recreate them or a user doesn’t agree with the privacy policy of their music service. Users want to stop using it immediately but don’t want to lose the playlists that have been created by users. Using this open-source software, users could use the export functionality of the original Provider to save a copy of personal playlists to the cloud. This enables users to import the lists to a new Provider, or multiple Providers, once on a new service that have been decided.
These are good universal practises for data protection which all users and business should aim to follow. 


  • Protecting data in transit: When using internet sites that require sensitive data (bank details/payment cards) to be entered check that it is using secure which often is indicated by a https prefix. This means that a secure connection means a user’s information is private when sent to a site. Over open and public networks Virtual Private Networks (VPNs) are one of the most common and effective cryptographic methods used to assure the confidentiality and integrity of data when transmitted. These are designed to protect Data in transit that may be at risk of attacks such as interception, traffic replay, manipulation or jamming.
  • Protecting data at rest: Wherever data is stored, even temporarily, it may be vulnerable to unauthorised access, tampering or deletion. The most common methods of cybersecurity will ensure these risks are minimised. These include enabling firewalls, having anti-virus software, encryption of storage drive and enabling regular backups of data and systems. 
  • Protecting data on mobile devices: The methods are similar to protecting data at rest. This means not installing unknown or untrusted applications. Recent smartphones and mobile operating systems also support data encryption which should be enabled. Also, if the device supports back-ups these should also be done at regularly intervals. 
  • Secure Disposal: Any data which is sensitive to the user should be removed from the media which stored it; just hitting 'Delete' isn't enough. It is the process of treating data held on storage media to reduce the likelihood of retrieval and reconstruction to an acceptable level. Some forms of disposal will allow the user to re-use the media, while others are destructive in nature and render the media unusable. This can be achieved by either rewriting or formatting the storage media until the old data cannot be recovered in a meaningful way. Also, a destructive method is shredding the storage media so data recovery becomes impossible. 
Privacy Concerns 

 With introduction of smart devices that are always on and always listening there is justifiable fear among consumers about that kind of information and data technology companies are collecting about them and the potential for a malicious actor to use those devices carry out harm. But there is a problem that often these devices in order to work effectively are designed to collect as much data as possible in order to work effectively for the user. But users are uncomfortable with their data being harvested leads to the privacy paradox. 
The Privacy Paradox is a consequence of the competing demand to use information technologies (including social technology and social software) and have an online persona, while simultaneously having to guard against potential threats to personal safety and privacy resulting from the misuse of available information either by companies or individuals. 
There are key privacy elements and principles that users should be aware of when choosing a service in order to be confident that the provider is following the best privacy by design practices.
  • The service provider provides the identity and contact information of those responsible for data protection both within their organisation and to individuals.
  • The service provider adopts a ‘plain language’ policy for any public documents so that individuals easily understand what they are doing with end-user personal data.
  • The service providers provider’s individuals (user or customer) with tools, so they can determine how they are using their personal data, and whether their policies are being properly enforced.
  • The service provider offers strong privacy defaults, user-friendly options and controls, and respect user preference.
Most technology companies are moving in this direction though often not of their own choice but pushed by regulations and consumer backlash. 


Conclusion

When users and businesses are considering use cases for smart devices and applications they need to be able to know and understand if the processes and functions of them are protected by cybersecurity measures. They have to consider is the data that is collected is it protected, stored and processed in manner with best practises and regulations such as the EU GDPR. Also, what considerations have been given to privacy policy for example is the data and information being kept safe, secure with no unauthorised sharing. 

While it might seem like there are countless measures being piled on when considering how best to protect smart devices and the data they generate in general most of the measures concerning cybersecurity, data protection and privacy to tend to overlap. This means a smart device and its associated systems if designed from the ground up to take into account these measures instead of being bolted on after the system is out in the wild should lead to secure smart devices that have few ways of being exploited by attackers. 
References

 https://www.aylanetworks.com/iot-use-cases/connected-home 
https://easternpeak.com/blog/iot-in-agriculture-5-technology-use-cases-for-smart-farming-and-4-challenges-to-consider/
http://theconversation.com/security-risks-in-the-age-of-smart-homes-58756
https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/protecting-physical-security-systems-against-network-attacks 
https://www.kingsleynapley.co.uk/insights/blogs/corporate-and-commercial-law-blog/data-protection-in-mobile-apps-boring-but-ignore-it-at-your-peril
https://blogs.dlapiper.com/privacymatters/data-protection-in-the-world-of-smart-devices/
https://iotjuice.com/article/smart-devices-privacy-skepticism/
https://internetofbusiness.com/alexa-beware-many-smart-home-devices-vulnerable-says-report/

Comments

Post a Comment

Popular posts

Balancing functionality, usability and security in design

Image
Introduction When designing new devices or applications there is a requirement nowadays to consider there functionality, usability and security. While there has been a push through secure-by-design guidelines for security to be built-in from the beginning there are still gaps in implementation and part of these gaps are design considerations of functionality and usability. Part of this that doing security well is hard work, but it should never block useful functionality for the user. Ideally, when security interferes with key software capabilities, the security must be tweaked. The answer should never be to abandon the functionality and certainly not to abandon the security. Though achieving this balance is admittedly not straightforward. This blog post will aim to look at this triad and how they can be balanced and not compromise each other. Defining the Triad in design A triangle can be used to help explain the relationship between the concepts of security, functionality and ea
Read more

Personal Interest - Unbuilt fleets of the Royal Navy

Image
Introduction Throughout the 20th Century the Royal Navy designed and examined different types of fleets that were never realised either due to budget constraints, arms treaties or the changing nature of war. These are only a few examples of the different types of unbuilt fleets. Some of these had prototypes built and tasted for the Royal Navy which would serve as technological testbeds. Images and info from secret projects forum, shipbucket, popular mechanics/science and naval-matters. Washington Naval Treaty (WNT) The  Washington Naval Treaty  was a treaty signed during 1922 among the major nations that had won  World War I , which agreed to prevent an  arms race  by limiting naval construction. It was negotiated at the  Washington Naval Conference , held in  Washington, D.C. , from November 1921 to February 1922, and it was signed by the governments of the United Kingdom, the United States, France, Italy, and Japan. It limited the construction of  battleships ,  battlecruisers
Read more

Personal Interest - RAF Unbuilt Projects

Image
  Introduction This blog post looks at the different groups of cancelled RAF projects. It will focus on the 50s, 60s, 90s/00s and a brief look at hypersonic research projects. While these projects were often cut or cancelled for budget or austerity reasons, they were also pushed by the changing nature of warfare firstly from conventional style WW2 warfare to the predicated quick, short scale nuclear war which was expected from 1947 to 1989. Later from the 90s and into the 21st Century a change from state on state conflict to facing insurgencies, counter-terrorism and peacekeeping missions again led to a change in how wars are fought. Though the work and research done on these projects would rarely go to waste with it being used and applied in other projects and works even if sometimes it could take another ten or twenty years before anything operational came of that work. There won't be large amounts of text explaining or exploring the designs there are far better sources for th
Read more