Page 107 - Trends in Telecommunication Reform 2016
3.5.5 Privacy and security

Privacy and security are two significant (and closely related) issues in large-scale IoT deployments. Technologies already are available to address some of the underlying technical issues (particularly in sensors), such as key diversification and reader authentication. But these can have a significant impact on device size, cost, functionality and interoperability.[100]

Without adequate security, intruders can break into IoT systems and networks, accessing potentially sensitive personal information about users and using vulnerable devices to attack local networks and other devices. This is a particular issue when devices are used in private spaces, such as individuals’ homes (e.g., baby monitors). IoT system operators and others with authorized access are also in a position to “collect, analyse, and act upon copious amounts of data from within traditionally private spaces.”[101]

Electronic attacks could also lead to physical threats, for example if carried out against medical devices like pacemakers and insulin pumps, or car engines and brakes. Information about building occupancy could be used by burglars to target unoccupied premises, while location-tracking data hacks might enable physical attacks against specific individuals.[102]

If compromised IoT devices can connect to systems elsewhere on the Internet, it becomes a potential route for further attacks. One security company announced in 2014 that it had discovered hundreds of home devices – including smart refrigerators – sending unsolicited e-mail. While a further analysis found this to be inaccurate, it also warned of recently discovered malicious software targeting Linux-based IoT devices.[103] Another common security and privacy issue is the use of default passwords on devices, which users are not required to change when setting up a device. One website has claimed to find 73,000 webcams accessible over the Internet using a known default password.[104]

IoT devices can be harder to secure than personal computers. Many companies building IoT devices do not have previous experience in dealing with Internet security issues in their products. IoT devices are often inexpensive and resource-constrained (notably on power and battery life), which puts strong pressure on security costs and requires additional hardware or software to deal with threats. Combined with the limited Internet connectivity of some devices, this may make it more difficult to develop and apply regular security patches when vulnerabilities are discovered. Instead, vendors or owners of the devices have to provide ongoing support.[105] But most IoT devices contain multipurpose computers and can be reprogrammed beyond their intended purpose – with limited mechanisms for users to monitor the devices. And devices frequently share operating systems, embedded chips and drivers, meaning that a single vulnerability can often be used to attack multiple devices.[106]

In large IoT systems such as smart cities, IoT insecurity can create significant vulnerabilities. It can be extremely complex to address all of the interdependencies and links among public and private-sector systems. One 2014 threat assessment found some 200,000 vulnerable traffic control sensors in cities such as Washington DC, New York, Seattle, San Francisco, London, Lyon (France), and Melbourne. The assessment also found such technologies being developed and used in critical infrastructure without security testing. Plus, third-party security researchers often cannot gain access to devices to carry out their own tests, due to their expense and limits on sales to governments and specific companies.[107]

Companies developing and operating IoT systems will need to conduct security testing and then consider how security vulnerabilities can be fixed during the systems’ likely lifetimes. Where security flaws cause consumer harm, consumer protection agencies may be able to take action to require remedies and implementation of better security processes to reduce the risk of recurrence.[108] EU rules require organizations that process personal data from IoT systems to carry out security assessments and make use of relevant security certifications and standards.[109] And companies need to ensure that where they use external service providers to manage IoT devices and data, those providers also take reasonable security precautions.

To meet these security and privacy challenges, regulators have suggested that companies developing IoT devices should follow a security and “privacy by design” approach, building security and privacy functionality into the device