Article

Security and Privacy in the Internet of Things: How to Increase User Trust

Posted July 26, 2016 | Technology | Amplify
In this issue:

 
CUTTER IT JOURNAL VOL. 29, NO. 7


Expanding Data, Growing Threats

As the number of interconnected smart things increases from billions to trillions by the end of 2020, and as their special capabilities for cooperation, communication, identification, and exchange of information produce a huge amount of data, the idea of an Internet of Things (IoT) is becoming a reality.1 In an IoT solution, an interconnection between the physical and virtual world is realized, with humans, devices (or smart things), dissemination of data (or information), and communication as its core characteristics.2

From this promising interconnection, the many different sectors of human life where IoT applications and advanced services are employed are proliferating rapidly. Nowadays, IoT systems can be found in: pervasive healthcare applications, building management systems, public surveillance systems, smart city services (e.g., in critical infrastructures such as a smart grid forelectricity generation and distribution), and data acquisition and sensing applications covering almost all the aspects of human life, both publicly (e.g., public ­surveillance) and privately (e.g., healthcare monitoring applications). All these systems consist of sensors, actuators, radio frequency identification (RFID) tags, mobile phones, and/or wearables that generate data and communicate intermittently to share with each other or disseminate the information at specific base stations where it can be further processed and redistributed.

The demanding pervasiveness of this IoT data collection results in an increase in the risks to which everyone is exposed, along with the necessity for better and more efficient security of the systems where this data is produced and transmitted. The massive number of devices that belong to an IoT system, their heterogeneous nature (in terms of memory availability, process capabilities, energy consumption, and protocol application), and their need for ubiquitous Internet communication call for innovative and successful system design in order to provide resilience, robustness, privacy, and security to the users.3

Even as our reliance on the digital world increases, so does the variety and importance of the data that is transmitted. Therefore, apart from the classical security threats that a system has to protect against, a new tide of digital hazards and potential threats is rising that must be addressed carefully and effectively, because they can prove extremely harmful for both companies and individuals. In particular, security4, 5 and privacy6, 7 issues are of great concern, mainly because of their delicate nature and specifically because of the network’s increased size and the wealth of (personal) information that is shared in it.

The notion of security is extremely important for any system and — especially in the IoT environment — is closely related to the crucial notion of privacy, in particular with the identification of sensitive or private data. The relation is such that it is often difficult to distinguish between these two concepts. In an effort to better describe their roles, consider that security covers the whole system, including network security and identity management, while privacy is closely related to the user’s trust in the system to protect their data and actions from internal or external intruders.8, 9 Therefore, any security measures can not only reinforce the system’s resilience, but also strengthen privacy, leading to adesired increase in the user’s trust in the system and the network (i.e., the Internet).

How harmful can it be when IoT data ends up in the wrong hands? Imagine an IoT system in which a home refrigerator can upload data regarding a person’s eating habits and store them in the cloud. While this alone might not be important information, when it is combined with data from the house’s smart TV and the alarm at the door, the result might be more than someone is eager to share with others. For example, if data on the individual’s eating habits is combined with their preferred TV shows, a user profile can be created that advertisers could exploit by directing unwanted targeted advertisements, either digital or physical ones, toward that individual. Exposure of more sensitive information, such as the status of the alarm (or how to control it) or the status of the doors and windows in the person’s house, could bring about more severe, even criminal, scenarios.

In the rest of the article, I will focus on the security and privacy challenges inherent in IoT implementations and propose solutions to help build a feeling of trust between all parties. In doing so, I will try to answer such questions as “How do we assess the security risks in IoT?” and “How can the distinct interests of the sources and the collectors of personal data be expressed in a way that satisfies both parties and increases privacy and access control?”

Security Challenges

For the IoT especially, security needs to be considered at more than one level. From technological issues to more philosophical ones that aim to enhance the privacy of the user’s data, paying attention to these concerns will confer a feeling of trust in the system.10, 11

The security challenges that an IoT solution might face can be divided into threats of a physical nature and threats of a cyber-physical origin. The former concern the extremely large number of devices that work in uncontrolled environments, where access might not be easy or frequent, making them vulnerable to physical dangers (e.g., extreme weather conditions) or human attacks (e.g., surveillance cameras, sensors in a smart grid infrastructure). There is also the case in which the device’s lifecycle surpasses the embedded technology, demanding a repair or upgrade in order to keep up with what it is expected from it. Considering that such devices may be deployed in a hostile environment or not be programmed to receive an upgrade, this can result in a rather cumbersome task.

Cyber-physical threats must also be taken into account when evaluating the overall system’s resilience and security. For example, the large-scale production of ­several almost identical devices (e.g., RFID tags, temperature sensors) greatly increases the possibility of successful external attacks to the system, since if a malicious party gains remote access to one of these devices by exploiting any protocol’s vulnerabilities, other intruders might follow the same process to gain control over the rest of the devices, multiplying the inflicted system damage. The fact that IoT environments often include devices that were not initially designed to provide Internet access (e.g., RFID tags, watches, refrigerators, alarms) creates a rather heterogeneous network with different storage, memory, processing capabilities, and communication protocols. This demands a closer examination for the implementation of security solutions, since the traditional ones will not be applicable without proper modification.

Apart from the above challenges, security breaches in the IoT will very likely be the product of organized cyberattacks,12 initiated by individuals with significant resources that will apply sophisticated methods to try to gain access to the inside of the IoT network. The targets of these attacks are the network’s communications, and the goal is to steal the propagated data. In addition, the attackers have the knowledge and the ability to launch large-scale attacks that will cripple the network and mess with its functionality by controlling a number of software systems and using them for their malicious purposes. “Bots” (i.e., computers that are under the control of the attacker and not their physical owner) are frequently used to send spam emails, launch distributed denial of service (DDoS) attacks, or host false websites in order to attract users, steal their credentials, and thereby gain access to the system “legitimately.”

One more popular cyber-physical attack is the insider threat, where outsiders manage to gain access to, mainly, corporate networks by exploiting the mistakes of legitimate users (e.g., their lack of compliance with corporate regulations) or by stealing their credentials through well-orchestrated attacks. The man-in-the-middle attack is another well-known cyber-physical threat, in which a malicious user impersonates a legitimate one during a communication session, gaining access to the network and learning information or eavesdropping undetected on conversations between two legitimate users. Cyber-physical attacks are very difficult to protect against, since they combine the ­application of highly complex techniques and aim at the most vulnerable elements of the IoT ecosystem.

All the security threats presented here are part of the spectrum of security challenges that should be carefully addressed in order to design a robust and trustworthy IoT environment. Unfortunately, the cost of intrusions cannot be measured in advance; therefore, there is a need to increase security measures and design in order to counter the possible threats and prevent any breaches that might damage the feeling of trust in the IoT ­environment.

Privacy Challenges

With the involvement of citizens and the characteristic of ubiquitous communication via the Internet, privacy13 has attracted a lot of attention from IoT researchers and professionals. Since it is crucial to continuously reinforce privacy, the system must be able to protect the identity of the users from being exposed, providing anonymity of the generated data and, ideally, automatic detection of the sensitive content.

In addition, a system has to prevent the continuous tracking of a user’s position and actions, which can be easily done through the mobile devices everyone is using. Mobile phones can not only be used to track the location of the user (via triangulation), but also to collect information shared willingly — even in real time — by the user on social networks. This information can later be processed by malicious third parties in order to take advantage of somebody’s absence from home to force a criminal action against the victim (e.g., a robbery attempt). Actions that lead to the identification and tracking of the user are regarded as a very important privacy threat that must be carefully addressed with close cooperation between law enforcement agencies and end users. One example of a working project that deals with ways this cooperation can be developed is the EU’s TRILLION project.14

User profiling, the collection of information on a user’s habits (either online or in real life) by companies to enable targeted advertisement during Web browsing, is considered an important privacy threat to everyone. Facebook recently admitted to using “lookalike” techniques to track the habits of not only its registered users, but even people who do not have a Facebook account.15 This can be accomplished by following a Web user’s online “fingertip,” which is created based on all the devices that the user owns, certified by an online account. If the user registers with service A, giving personal information, then provides different information to service B, then A can identify the individual with the help of B by comparing and combining the fingertip information that both services have. Profiling is a very popular technique among all major companies that demand a piece of the modern digital pie.16 Legislation has begun to be enacted against this kind of action both in the US and the European Union.17

Perhaps the most serious privacy-related problem in an IoT environment stems from the lack of control over the vast amount of personal data generated. Even if the original data collector is committed to protecting the user’s data, there might be a moment where possession of data is passed (legitimately or not) to a third party who doesn’t share the same views regarding the proc­essing of the user data. Thus, despite their initial intentions, the original data collector ends up creating a situation that compromises the user’s trust and creates a security threat to the system.

PETs and Security Solutions

As we’ve seen, the security and privacy threats in the IoT environment are many. Privacy-enhancing technol­ogies (PETs) can be used to achieve compliance with existing data legislation to protect the user’s privacy and enforce the feeling of trust in the efficiency and performance of the system. For optimal performance, PETs should address the problems concerning all the basic attributes of an IoT environment (e.g., ­myriad heterogeneous devices, transfer and processing of sensitive data, malicious actors seeking exploitation opportunities). Unfortunately, existing security tools often do not apply well to the special characteristics of an IoT environment because of energy consumption issues or intense proc­essing requirements that are difficult for many smart devices to achieve. Therefore, I will confine the discussion to solutions that closely adapt to the peculiarities of the IoT system.

Cryptography

Cryptography, the most prominent PET technique, aims to hide the identity of the data’s owner and secure the transfer of the data in the IoT system, allowing access only to authorized users and protection against profiling techniques. U-Prove18 is a PET that uses a special token containing attributes that are cryptographically related to the user, and Idemix19 uses similar encrypted tokens that are based on a “group” signature, allowing an individual to anonymously sign a packet on behalf of a specific group of people. Both technologies have been successfully implemented on smart cards and manage to process authentication requests in less than 1.5 seconds, enhancing the system’s resilience and security.

For RFIDs, especially, two PET approaches are to rename the tags and minimize the distance between the tag and the reader. Furthermore, researchers have proposed a “minimalist cryptography”20 for RFID tags in which the cryptographic computations take place at the end point and are then inserted on the tags. To thwart possible eavesdroppers, the reader can even re-encrypt the tag at a later point using a different key, such that a would-be snoop will receive two different signals at two different times. That way, the prevention of unauthorized access is achieved, and secure communication between the RFID tag and the reader is completed successfully.

Privacy Coaches and Brokers

Another promising PET solution is the use of a third-party mobile app that plays the role of “privacy coach,” suggesting the actions to be taken when reading an RFID tag. This mobile application scans the ID of an RFID tag and accesses a back-office database to search for the privacy policy related to the tag. It then compares it with the user’s privacy preferences (found in their profile on the application) and presents the results in an effort to warn the user about the potential dangers of the RFID tags in their vicinity.

Extending this solution, a proxy can be used as a privacy broker, responsible for allowing communication between the information/service providers (e.g., RFID tags) and the users when the credentials of both have been certified by the broker, thus ensuring privacy in the communication. This solution, while promising, could face scalability issues due to the large number of devices that might be interconnected through the proxies, and these issues would need to be carefully addressed before further deploying the solution in an IoT environment. Use of lightweight communication protocols and carefully designed network infrastructures to deal with the traffic are possible solutions to this problem.

Data-Centric Approaches

Data-centric solutions have also been applied to enhance the privacy of an IoT system. These solutions, which utilize privacy-preserving approaches to protect the sensitive data that are the heart of the system,21 include:

  • Data swapping, a technique that suggests the exchange of sensitive data between individual records in a database, thereby increasing the uncertainty and making it harder for malicious users to exploit it
  • Data randomization, an approach that can be used in programs written in unsafe languages (e.g., C or C++) to provide probabilistic protection by issuing XOR instructions on data with random masks
  • Data suppression, a technique that is used to conceal private information on public documents by withholding information that can easily identify a person or a group
  • Synthetic data generation, a technique that uses anonymized data to prevent compromising the identity and confidentiality of particular sets of data (e.g., names or addresses)
     

Network Approaches

One more popular solution is the use of virtual private networks (VPNs), which can be described as special networks (i.e., extranets) that are created, usually, for business purposes between registered users. Since access to the network is permitted only to a small, registered group of people, VPNs are considered very resilient. Nevertheless, they are not a solution that applies well to a broader information exchange on the scale of an IoT system. Another PET is “onion routing,” a technique that encrypts the Internet traffic from multiple sources and mixes it, making it difficult to achieve a match of an IP packet to a particular source. Since it uses multiple encryption layers and the public key from the router, however, the waiting time is greatly increased, hindering the overall performance of the network.

For the described PETs to be successful, the overall security of the IoT ecosystem must be addressed. Solutions that deal with the majority of the physical and cyber-physical threats described earlier include techniques to enforce the confidentiality of the com­munication between the smart entities, like IPSec and Transport Layer Security (TLS), which have been applied successfully.22 To increase their efficiency, they are also combined with secure network stacks in order to deal with the resource constraints that are inherent to many IoT smart devices.

Architecture

Furthermore, the network’s availability must be ensured by the IoT architecture23 in order to provide the desired link handover to allow for seamless communication in the network, while mechanisms like TLS and TCP can be used to test for data integrity (i.e., insurance that the data has not been modified or lost during the communication phase). Authenticity of a connection (which also includes the notion of integrity) deals with providing all the necessary mechanisms to confirm the establishment of a connection with an authenticated, legitimate user or device. There are techniques for device authorization to communicate when they belong to the same domain (e.g., Kerberos24), but solutions are needed that permit the authentication of devices even if they belong to different domains, as this scenario better fits the inherent characteristics of the IoT environment.

Proposed IoT architectures such as IoT-A, BeTaas, OpenIoT, and IoT@Work25 deal with many of the ­security- and privacy-related issues presented in this article (achieving varied levels of performance on the many security attributes, as shown in Vasilomanolakis et al.26), but they still present several holes in their security. For example, data transmission is partially covered, with the focus concentrated on transmission between the gate and the cloud infrastructure, but not so much on communication between the smart devices or inside the cloud. As noted above, one feature that still must be addressed is inter-domain identity management, which is strongly needed in an IoT environment. Given all this, the fact is that there is still no universal architecture solution that can be applied to the various IoT scenarios and perform equally well in all of them.

Standards

Finally, the IoT system suffers from the lack of widely available, open, and well-adopted standards. Manu­facturers require technical guidelines so as to ensure the seamless performance of the system’s functionality between the heterogeneous devices and the provided services it provides. To achieve this, special working groups, both regulatory and technical, should join forces to provide the guidance needed to enable the many different IoT manufacturers to be part of a working and evolving IoT ecosystem. To neglect this task would hinder the IoT system from achieving its great potential.

Endnotes

1The Internet of Things (IoT): An Overview.” Internet Society, 15 October 2015.

Bertino, Elisa. “Security Threats: Protecting the New Cyberfrontier.” IEEE Computer, Vol. 49, No. 6, June 2016.

3 Ziegeldorf, Jan Henrik, Oscar Garcia Morchon, and Klaus Wehrle. “Privacy in the Internet of Things: Threats and Challenges.” Security and Communications Networks, Vol. 7, No. 12, November 2014.

European Research Cluster on the Internet of Things. “Internet of Things: IoT Governance, Privacy and Security Issues.” European Commission, January 2015.

5 Cirani, Simone, Gianluigi Ferrari, and Luca Veltri. “Enforcing Security Mechanisms in the IP-Based Internet of Things: An Algorithmic Overview.” Algorithms, Vol. 6, No. 2, April 2013.

6 Vasilomanolakis, Emmanouil, et al. “On the Security and Privacy of Internet of Things Architectures and Systems.” Paper presented to the International Workshop on Secure Internet of Things (SIoT 2015), Vienna, Austria, September 2015.

Porambage, Powani, et al. “The Quest for Privacy in the Internet of Things.” IEEE Cloud Computing, Vol. 3, No. 2, March-April 2016.

8 Cirani et al. (see 5).

Vasilomanolakis et al. (see 6).

10 Porambage et al. (see 7).

11 Tian, Cuihua, et al. “Analysis and Design of Security in Internet of Things.” Proceedings of the 8th International Conference on BioMedical Engineering and Informatics (BMEI 2015). IEEE, 2015.

12 Bertino et al. (see 2).

13 Porambage et al. (see 7).

14 TRILLION Project.

15 Toor, Amar. “Facebook Begins Tracking Non-Users Around the Internet.” The Verge, 27 May 2016.

16 Brandom, Russell. “Google and Facebook Still Dominate Tracking on the Web.” The Verge, 18 May 2016.

17 Digital Security.” European Commission, updated 30 June 2016.

18 Paquin, C., and G. Zaverucha. “U-Prove Cryptographic Specification V1.1 (Revision 3).” Microsoft Corporation, December 2013; see also: http://iiw.idcommons.net/images/8/88/U-Prove_technology_overview-Nov2010.pdf.

19 Camenisch, Jan, and Els Van Herreweghen. “Design and Implementation of the Idemix Anonymous Credential System.” IBM Research, 2002.

20 Juels, Ari. “Minimalist Cryptography for Low-Cost RFID Tags.” Paper presented to the Security in Communication Networks: 4th International Conference (SCN 2004), Amalfi, Italy, September 2004.

21 Porambage et al. (see 7).

22 Dierks, Tim, and Eric Rescorla. “The Transport Layer Security (TLS) Protocol, Version 1.2,” RFC 5246 (Proposed Standard). IETF, August 2008.

23 Vasilomanolakis et al. (see 6).

24 Steiner, Jennifer G., Clifford Neuman, and Jeffrey I. Schiller. “Kerberos: An Authentication Service for Open Network Systems.” Proceedings of the USENIX Winter Conference, USENIX Association, 1988.

25 Vasilomanolakis et al. (see 6).

26 Vasilomanolakis et al. (see 6).

About The Author
Dimitrios G Kogias
Dimitrios G. Kogias received his diploma in physics in 2001; in December 2004 he received his MSc in electronics and radioelectrology, and in May 2010 his PhD in designing algorithms for dissemination of information in unstructured networking environments from the National and Kapodistrian University of Athens. Dr. Kogias is an Adjunct Lecturer and a Senior Researcher at the Department of Electronics Engineering of Piraeus University of Applied… Read More