The consulting company Gartner Inc. predicted that in 2020 there will be more than 20 billion connected devices worldwide. These are 20 billion devices that are supposed to make our lives easier via voice control, Bluetooth or WiFi connection. These are tooth brushes helping to improve brushing behavior or forks helping to lose weight by measuring the eating speed.
Granted, the imagination of a world of Internet of Things makes many people feel uneasy. Do we really need a reminder for drinking a sip of water or for the amount of eggs still left in the fridge? Can Alexa, controlled via a smart salt shaker, really flavor our food better than we can do ourselves? Or do students’ flat-sharing communities really manage without a cleaning rota from now on due to a smart dust bin?
The uneasy feeling is actually justified, as Stefan Mangard from Graz University of Technology reveals during his talk at the i-KNOW 2017. He deals with the challenges around security of the IoT: “Ordinary things are connected with new technologies”, Mangard explains. “Broadly speaking, every device gets equipped with a sensor and a trigger without anyone considering authentification, storage or the collected data before.” Companies, which never before had to deal with cloud storage or security design – because their expertise focused on wholly different areas –fail terribly.
One of many examples is the hack of Cloudpets in the beginning of 2017. Cloudpets are cuddly toys enabling parents to send voice messages to their kids via mobile phone and vice versa. In February it became apparent that the customer data encompassing more than 800.000 accounts was stored in the web unprotected and that hackers could easily gain access to about 2 million voice messages.
Apart from sensors and triggers as well as the code, user data are the most vulnerable assets in the area of IoT. Due to a multitude of possibilities the collected assets can be of interest for third parties, producers or customers. This is getting to the point where they don’t even stop short of privacy invasions.
In order to minimize the security risks, Stefan Mangard suggests some points for discussion, which should be incorporated when even concepting a new IoT device : How will people deal with the authentification of the devices in the future? How will updates be made possible without the user’s doing and how will the availability and security of the device remain granted at the same time? Which programming languages and analysis tools does it take to provide devices with secure code in the first place? And how will a possible information leak caused by meta-data be dealt with?
The Internet of Things surprised us with many useful and useless devices in 2017 without answering the big questions around data security and privacy. What it takes now, according to Christian Derler from Joanneum Research, is profound knowledge about the problem, applicable tools and new methods for developing individually tailored security systems in the area of smart technologies. Maybe we will hear more about this at the i-KNOW 2018.