3.5.5 Privacy and security

Privacy and security are two significant (and closely related) issues in large-scale IoT deployments. Technologies are already available to address some of the underlying technical issues (particularly in sensors), such as key diversification and reader authentication. But these can have a significant impact on device size, cost, functionality and interoperability [100].

Without adequate security, intruders can break into IoT systems and networks, accessing potentially sensitive personal information about users and using vulnerable devices to attack local networks and other devices. This is a particular issue when devices are used in private spaces, such as individuals’ homes (e.g., baby monitors). IoT system operators and others with authorized access are also in a position to “collect, analyse, and act upon copious amounts of data from within traditionally private spaces.” [101]

Electronic attacks could also lead to physical threats, for example if carried out against medical devices like pacemakers and insulin pumps, or car engines and brakes. Information about building occupancy could be used by burglars to target unoccupied premises, while location-tracking data hacks might enable physical attacks against specific individuals [102].

If compromised IoT devices can connect to systems elsewhere on the Internet, they become a potential route for further attacks. One security company announced in 2014 that it had discovered hundreds of home devices – including smart refrigerators – sending unsolicited e-mail. While a further analysis found this to be inaccurate, it also warned of recently discovered malicious software targeting Linux-based IoT devices [103].

Another common security and privacy issue is the use of default passwords on devices, which users are not required to change when setting up a device.
One website has claimed to find 73,000 webcams accessible over the Internet using a known default password [104].

IoT devices can be harder to secure than personal computers. Many companies building IoT devices do not have previous experience in dealing with Internet security issues in their products. IoT devices are often inexpensive and resource-constrained (notably on power and battery life), which puts strong pressure on security costs and requires additional hardware or software to deal with threats. Combined with the limited Internet connectivity of some devices, this may make it more difficult to develop and apply regular security patches when vulnerabilities are discovered. Instead, vendors or owners of the devices have to provide ongoing support [105]. But most IoT devices contain multipurpose computers and can be reprogrammed beyond their intended purpose – with limited mechanisms for users to monitor the devices. And devices frequently share operating systems, embedded chips and drivers, meaning that a single vulnerability can often be used to attack multiple devices [106].

In large IoT systems such as smart cities, IoT insecurity can create significant vulnerabilities. It can be extremely complex to address all of the interdependencies and links among public and private-sector systems. One 2014 threat assessment found some 200,000 vulnerable traffic control sensors in cities such as Washington DC, New York, Seattle, San Francisco, London, Lyon (France), and Melbourne. The assessment also found such technologies being developed and used in critical infrastructure without security testing. Plus, third-party security researchers often cannot gain access to devices to carry out their own tests, due to their expense and limits on sales to governments and specific companies [107].

Companies developing and operating IoT systems will need to conduct security testing and then consider how security vulnerabilities can be fixed during the systems’ likely lifetimes.
Where security flaws cause consumer harm, consumer protection agencies may be able to take action to require remedies and implementation of better security processes to reduce the risk of recurrence [108]. EU rules require organizations that process personal data from IoT systems to carry out security assessments and make use of relevant security certifications and standards [109]. And companies need to ensure that where they use external service providers to manage IoT devices and data, those providers also take reasonable security precautions.

To meet these security and privacy challenges, regulators have suggested that companies developing IoT devices should follow a security and “privacy by design” approach, building security and privacy functionality into the device

Trends in Telecommunication Reform 2016, p. 89, Chapter 3