Security and Privacy in the IoT age
By Lokesh Yamasani, Director – IT Security (Security Officer), Satellite Healthcare
We are living in a digital age, let alone the so-called “Age of IoT”. What makes it an “Age of IoT”? The answer is simple. It is the ability to be able to connect and manage everything from fish tanks, baby monitors to industrial devices, home monitoring devices via the internet to accomplish our objectives. Such convenience has led to increased attack vector through which these devices/things could be easily compromised. The scary part is that someone with barely any technical skillset could easily compromise these devices/things. (i.e., someone could easily learn on the internet on how to compromise these things and simulate the same a.k.an “Annoying Script Kiddies”), let alone nation-state actors, hacking groups, and another known/unknown threat actors/groups.
With that being said, privacy has become a major concern in the IoT age along with security. (Funny Story: Most recently, I attended a work meeting where someone I was talking to had their smartwatch turned on. Towards the end of our conversation, that person’s smartwatch started responding to what we were talking about). Now that we got security and privacy icebreakers out of our way. Come on in, feel comfortable. Let’s dissect the security and privacy aspects of the Internet of Things. Shall we?
Chapter 1: Security
Before talking about the “security” of IoT architecture. Let’s get to the basics of IoT architecture. IoT architecture consists of 1. Things (Things that are equipped with sensors) 2. Gateways (Data from things goes to the cloud/infrastructure through these gateways) 3. Data gathering and processing Infrastructure (Data is gathered, processed here and a decision is made based on the data received and Artificial Intelligence techniques) 4. Control Apps (The apps that send the actual commands to perform an operation on that smart device). To put in the real-world context:
Me: Hey Google, I am bored!
Google Assistant: Yes, here are the options. Do you want Mickey Mouse adventures? Car adventures? Do you want to listen to music?
Me: I want to listen to music.
Google Assistant: Music playing….
There is quite an amount of technology or rather amalgamation of multiple technologies and related architectures involved behind that simple transaction. Wherever there is an amalgamation of multiple technologies and related architectures, there are IoT protocols that run the IoT universe. (Did I say I wanted to be a Geologist?). As a sample, let’s look at two IoT network protocols:
Bluetooth protocol is mostly used in smart wearables, smartphones, and other mobile devices, where small fragments of data can be exchanged without high power and memory. Bluetooth protocol is effective for short-range communication. However, as we all know the threats related to Bluetooth are becoming more prevalent these days: Blueborne, Bluebugging, Bluejacking, and Bluesnarfing. With consumers keeping these smart devices that operate on Bluetooth protocol powered on all the time, the likelihood of such Bluetooth attacks is “High”.
ZigBee is an IoT protocol that allows things that are retrofitted with “sensors” to work together. ZigBee is used with apps that support low-rate data transfer between short distances. ZigBee was created by the ZigBee alliance. When it was designed, security-related tradeoffs were made to keep the devices low-cost, low-energy and highly compatible. Some parts of ZigBee’s security controls are poorly implemented (what are those poorly implemented controls?). As an example, Killerbee is a Python-based framework used to exploit the security of the devices implemented with the Zigbee standard. Killerbee provides facilities for sniffing the keys, injecting network traffic, decoding the packets captured, and packet manipulation that takes advantage of “Trust Center Link Key”. If a cyber-attacker has to take advantage of that “Trust Center Link Key” within the Zigbee protocol. Cyber-attacker must capture Zigbee network traffic at the same time the device joins the IoT network.
As noted above, these security risks are just the tip of the iceberg. On top of these security risks, since the backend IoT infrastructure is virtualized and in the cloud, it is prone to the same security risks as any cloud and virtualized infrastructure. Hence, it is highly vulnerable and exploitable.
Bottom-Line: As I’m writing this as a security officer for a healthcare company, what does it all mean to me? What’s the answer to reducing the likelihood of threat and exploitation of vulnerability? One simple solution from securing the backend IoT infrastructure perspective is to implement a zero-trust access model. On the consumer side, deprecate all the less secure protocols. Design and regulate the mandatory use of relatively more secure protocols (IEEE – Help us please!). In the future, patient care is delivered at Home and we can already imagine a situation where sensors that capture patient data are compromised and used as bots to join a network of bots to perform malicious activity thereby compromising patient care. That could be a widespread reality and we are almost seeing that widespread reality these days.
Chapter 2: Privacy
Next on, Privacy! I’m going to take on it from a healthcare perspective. Imagine, a home care dialysis patient using one of these IoT sensors that capture the needed data such as blood pressure level, fluid levels, heartbeat rate, Total body water percentage, etc. Instead, it has also captured patients’ other information such as DNA information, Patient’s private conversations, etc. that was never needed within the context of that particular diagnosis.
By default, most sensors do not give patients the ability to influence where they want their data to be stored, seen by whom, etc. within the context of their diagnostics. This leads to patient data gathering misuse, patient data storage, and processing misuse. Privacy issues like this are some of the privacy risks at the tip of the privacy iceberg (Yeah, let’s create stringent privacy regulations). Creating privacy regulations is not the challenge, enforcing them is.
One of the solutions could be to give the control/ability back to patients, consumers as to what these sensors can or cannot collect, or by design make these sensors in terms of what they can collect and transmit. In short, giving more power back to consumers! (Consumer power)
Bottom-Line: If you are looking to manage security and privacy risks in the IoT age, use frameworks like NISTIR 8228 – Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks and customize the framework based on your needs. You gotta start somewhere!
About the Author
Lokesh Yamasani works as Director – IT Security (Security Officer) at Satellite Healthcare/WellBound. He is an experienced and diligent security expert with about 15 years of overall IT experience and over 14 years of experience in all information security domains with a record of accomplishment of successful security leadership with an emphasis on metrics-based performance. Lokesh Yamasani can be reached online at (firstname.lastname@example.org, @LYamasani)