Internet of Things security? Start with who owns the data
Cambridge Wireless event chews the fat over key questions
“Defence is only as strong as the weakest link,” said Tim Phipps of Solarflare at today’s Cambridge Wireless event on security within the Internet of Things.
Today's Cambridge Wireless event was part of its Special Interest Group focusing on security and defence. In particular, on securing and defending the Internet of Things.
Speaking to an audience of about 50 network industry executives in London this afternoon, Phipps highlighted three security challenges for IoT: data loss, particularly with last week’s Yahoo! hack of half a billion user accounts; hijacking, such as the controversial Jeep hack published a little while ago; and consumer products, particularly, with the latter, medical device hacks of items including pacemakers and insulin pumps.
Phipps also highlighted how Ken Munro of PenTest Partners had “made children’s toys swear” by hacking them, which drew general laughs.
Building on that point of how a trivial hack can lead to bigger things - in the case of Munro and an IoT kettle, the host Wi-Fi network's authentication keys - Phipps warned: “The attacker needs to overwhelm you in just one place to be successful. If it delivers on the promises of the hype, IoT looks like something that will be integrated into our home life, transportation, cities, and … even improving our health."
“I think this is a Wild West industry,” thundered Paul Tindall of Sepura, following on from Phipps, opening a talk that focused on IoT security beyond the simple headlines. “It is fragmented and that makes security harder to apply."
"If you consider the fragmentation of the standards as well," he continued, "you cannot trust security due to the fact that you’re using an unusual standard. We’ve got to apply proper governance around this.”
Take the example of a body-worn sensor such as a Fitbit health monitor which generates data about you, he said. "I think I own that data. At some point that data is aggregated and [the aggregating party] is going to fuse that data with data from other sources. If you wrap context around those sources you turn that into valuable information. I don’t know who owns that information. Actually, I think that gets really complicated from a legal point of view.”
The legal side of things was a point that was returned to later on.
So what could possibly go wrong? Adrian Winkles an information security lecturer at Anglia Ruskin University, said: “IoT security is not device security. IoT is end-to-end. It has many different facets, many different faces. There’s a whole raft of things we have to think about.”
The DDoSing of Things
Referring to the recent DDoS of Brian Krebs, which was powered by an IoT botnet – “cameras, lightbulbs and thermostats” all generating 990Gbps of traffic, “which would take most government websites down” - he contrasted what people think they have, in terms of networked devices, with what they actually have in terms of traffic types. In brief, your devices generate far more information about you than the ordinary punter ever realises.
Winkles summed it up neatly: “Security is like a stack of Swiss cheese. Each slices covers up holes in the slices below it.”
“You could make a financial difference by building security in,” added Winkles, who quoted NIST: “The cost of fixing a bug in the field is $30k vs $5k during coding.”
As for baking proper infosec practices into the Internet of Things, Winkles was forthright about taking a top-down approach:
There’s an argument that says you start from the boardroom. The pressure to be first to market doesn’t feature security. The pressure to reduce costs? If you ignore security, you do so at your peril; it's going to cost you more in the long run. Educate boardroom and senior management to build security in from the start. Appoint a Chief Information Security Officer. What I’m touting is bottom up and top down. The end message is to build security in.
Finally, in the first half of the afternoon, Laurence Kalman, a lawyer from international law firm Olswang, spoke about the legal problems the Internet of Things throws up.
“Privacy and security are what’s got everyone talking,” he said. Much of the data generated by IoT devices “is also personal data”, including a vast range of data about “an individual." This includes things such as “driving habits” in the case of smart satnavs and other sensitive data.
As his slide deck put it, “the success of the IoT both from an individual device and application perspective, and more broadly as something we accept into our lives, will come down to users' confidence.”
There is no law of the IoT as such, said Kalman. “Having said that, IoT has attracted significant focus from regulators,” he continued, highlighting how the EU has issued consultations and solicited other expressions of interest from the industry. “Europe could be a very productive place to do business on the IOT,” he concluded.
What about the detail-slurpage?
What about data ownership? “Who owns data in the IoT? The answer is, it’s complicated. From a legal perspective, the question of ownership isn’t a simple one to answer. There’s no property rights in it, as such. There might be intellectual property in data if you do certain things to do it to take it beyond a certain piece of information. Complications of data, databases, might attract copyright protection … you could see these IP rights arising at some point in the IoT value chain but its not the case that each part of IoT data will have ownership attached to it in the first place.”
The Data Protection Act “has very broad application” to the IoT, he said. “In the IoT world, where there's thousands of devices and infrastructure at various stages of the chain, its very easy for infrastructure owners to fall within that domain.”
In particular, it could be the "device manufacturer [or] the social network that disseminates that data” or even “the health insurer who takes that data and offers a product from it”.
“There’s no cyber security regulation as such that applies to IOT stakeholders as such,” concluded Kalman. He said the EU’s new GDPR would apply from 25 May 2018, noting that the E-Privacy Directive is currently under review and that the Network and Information Security Directive will also come into play for IoT manufacturers.
One questioner from the floor touched on an area that drew great interest from the assembled audience. “Quite often I can see a conflict between business processes that need audit trails and the desire to delete data.”
Kalman, answering, said: “The tendency up until now is that there’s been little focus on” what data do I need. That sort of good housekeeping “have had less focus and that will have to change with the regulatory direction we’re receiving. Businesses are going to have to work out where the balance lies.” ®
Sponsored: Becoming a Pragmatic Security Leader