Internet of Things (IoT)

Policy Drafting

The Internet of Things (IoT) refers to the networking of physical devices using a variety of software, electronics, and networking connectivity to collect and share data. The IoT has grown to encompass almost everything from vehicles to refrigerators in an effort to create smart devices that provide convenience and efficiency for human activities. There can be no doubt that this trend in technology has provided tremendous economic benefit as well as changing the manner in which Americans live their lives. The growth of IoT continues at an accelerated rate as more and more devices become connected to one another in order to provide these benefits. However, while IoT provides tremendous benefits it is also a growing risk which threatens individual privacy. This problem has resulted from a lack of security in most of the IoT devices that are created and the storage and sharing of information that is collected from these devices. In the following report, a new security policy implementation is identified to create minimum standards for IoT information collection and usage. While this report is focused on information collection and use policy, it should be noted that these policies will be impotent without implementation of policies to govern the minimum standards for manufacturing security.

The Future Home

The current evolution of IoT presents a picture of the future that is both desirable and fearful. One can imagine a future where the home is a marvel of interconnected technologies that are poised to serve the owners' every need. Imagine entering the home without a key because the door recognizes your face through a camera with facial recognition and voice recognition. As you enter your home, the lights adjust to your liking and your voice greets you with a friendly “hello”. You are prompted through voice recognition software if you would like to watch TV or order dinner. (It knows this because the smart devices such as your phone and internet history shows that these are your normal habits.) You tell your home “no” and that you will be making dinner. The refrigerator has already sent a note to your smartphone reminding you to pick up certain groceries that you are low on. While you make dinner, you tell your home to begin playing music. You then eat dinner with your smart TV allowing you to access your mail, providing reminders to your phone for essentials for the home, all the while the TV is showing you previews of shows and movies that you might want to watch. As the night progresses, your home places an alert on your phone and TV to remind you it's time to take your medication and should be thinking about going to bed soon.

In contrast to this vision of comfort and convenience is a more frightening scenario that is equally possible. When you get to your home the door allows you to enter and you follow all of the same routines but unbeknownst to you, a hacker is using your video devices and within your home to watch everything you are doing. Your entire life is being posted to the internet on a website or worse, your identity is slowly being stolen. The hacker watches you stealing information from your devices and begins opening accounts in your name and in several months you learn of this problem when bill collectors begin calling you incessantly.

At the same time, that your information is being stolen by a hacker, the companies that produce these devices is also collecting all of your personal data. Your smart TV is reporting all of your viewing habits to the manufacturer and what applications you use on your TV (FTC, 2013). Your refrigerator is reporting all your eating times and the types of food you store. Even your home security is reporting how often you are home and how many occupants are in your home at any given time.

In a worst-case scenario, all of the devices in one’s home and possession are being used to mount a bot attack on some critical infrastructure such as a hospital network or a banking system. Only after the FBI have come to the home to investigate, do you realize the inherent risk that your IoT home possesses.

These visions of the future are not science fiction but are real possibilities based on the current growth of technology and lack of security infrastructure. The direction of smart devices is currently moving towards integration between smart homes (thermostat regulation, smartphone, smart refrigerators, smart TVs, stereos, control devices such as Alexa and Siri which can regulate all of these devices. There are no limits on the number of smart devices that can be achieved as smart technology is being embedded into watches and appliances to ensure that these devices operate in a personalized manner.

The problem with this integration of devices is that there is no standard on security from intrusion that is present in other technologies such as networking and cloud computing. The devices themselves, are inherently insecure due to the process of manufacturing and the need to be competitive. This problem is easily seen in the devices and needs that form the backbone of the IoT.

Smartphones

A strong example of IoT insecurity can be found in one of the most ubiquitous form of this technology- the smartphone. Most, 87% of smartphones are considered insecure when compared with networked devices such as computers and other servers (Greene, 2016). The reason for this insecurity is that the programming for smartphones is not tested in the same manner as network computers. For example, an android phone has a limited life of 3–5 years which means that this phone is unlikely to experience large data breaches during its lifespan and large issues can be patched after it has been sold (FTC, 2013). The reason that companies release these phones with inherent security flaws is that it is not competitive or cost effective to make them secure prior to selling. The cost of a secured phone would increase cost of the phone substantially and reduce competitive advantage because these phones would never make it to the market in time to compete with similar phones.

Smart Appliances

The advent of smart appliances such as refrigerators and stoves which have sensors and video capability have brought a host of security issues into the home. The newest refrigerators are capable of identifying food in the refrigerator and transmitting messages to the owner such as grocery lists and pictures of food. This same information is being shared with manufacturers for the purpose of collecting business data (FTC, 2013). These items operate on a cloud and supposed to be secure from intrusion but they are often less secure than smartphones because building hack-proof refrigerator microcomputers would not be cost effective (FTC, 2013).

Data

The largest security problem with IoT is the collection, storage, and usage of data (NIST, 2015). These same insecure devices that open one’s home to intrusion, magnifies this risk with the fact that they make personal data accessible to unknown companies and possible hackers. To understand this problem, one must understand that because these devices have software insecurity issues they require updates from the manufacturer or development company (NIST, 2015). As such, the device must have an internet connection. What many manufacturers have created is a means of allocating consumer data. That refrigerator that tracks the food, also tracks what kind of food you are eating and how often. Imagine all the things a person is doing being recorded and stored on the devices they interact with and then being transmitted to a company. This is exactly what is happening on many of these devices and this begs the question of who sees this data?

Risk Assessment

Privacy

Not only are IoT devices mostly insecure, they are storing and transmitting data. There is a significant risk that these devices can be hacked and in within this circumstance, the storage of this data is also at risk. This is a significant threat but the threat to privacy is much greater. One of the reasons that manufacturers release insecure software is because they know that the risk of a refrigerator being the target of an attack is relatively low and that the insecurities can be patched over time with low risk (FTC, 2013). The larger issue may be the use of data. There are currently no laws governing this collection of data and worse yet some laws such as the Computer Fraud and Abuse Act (CFAA) give unlimited rights to manufacturers selling online (Sandvig & Karahalios, 2016). Manufacturers or retailers selling online can build the free use of personal data into their website’s terms of use. Within the CFAA, the terms of use for a website are essentially legally binding allowing the company almost limitless authority of the terms of sale to include data usage making this agreement enforceable by law (Sandvig & Karahalios, 2016).

Intrusion

Because devices are connected with the internet and they have a low security assurance, these devices bring the threat of intrusion which can be used to bring harm to the owner or user of the devices or to be used to mount bot attacks on critical infrastructure targets. The threat of physical harm to individuals is low in probability but significant in impact:

…unauthorized persons might exploit security vulnerabilities to create risks to physical safety in some cases. One participant described how he was able to hack remotely into two different connected insulin pumps and change their settings so that they no longer delivered medicine. Another participant discussed a set of experiments where an attacker could gain “access to the car’s internal computer network without ever physically touching the car.” He described how he was able to hack into a car’s built-in telematics unit and control the vehicle’s engine and braking, although he noted that “the risk to car owners today is incredibly small,” in part because “all the automotive manufacturers that I know of are proactively trying to address these things” (FTC, 2013).

This type of intrusion is coupled with the threat of devices being used to escalate cyber warfare on critical infrastructure. This problem has already occurred when an influential security blogger for Akamai (a security service) was attacked by:

A giant botnet made up of hijacked internet-connected things like cameras, lightbulbs, and thermostats has launched the largest DDoS attack ever against a top security blogger, an attack so big Akamai had to cancel his account because defending it ate up too many resources (Greene, 2016).

These large volume attacks need to be considered as potential threats to critical infrastructure. If hackers attack a hospital network they can shut down an entire system and put hundreds of lives at risk. While these threats are relatively low in probability, their threat represents a serious problem for users who have large amounts of data stored on these devices because once a hacker gains entry to a device, the data is automatically placed at risk. The reality of these threats calls for a policy framework that provides minimum standards for information security.

Policy Framework

Securing IoT is a twofold endeavor. The first part of this security measure is to ensure the security of devices. Without device security, any policy for data collection and regarding IoT becomes less effective due to the inherent vulnerabilities of the devices. The second part of this policy measure is to design a framework for collection and use of data. Consumers need to understand the collection process and how data will be used.

Device Security

As a recommendation, the FTC would encourage companies to implement reasonable security for devices prior to release. This means that device testing should be increased in order to reduce the risk of intrusion and tampering. This problem can be dealt with utilizing other security frameworks such as Federal Risk and Authorization Management Program (FedRAMP) which provides a risk assessment for hardware and software modules that is used on government networks to meet minimum safety standards. This framework is available for implementation on the NIST Special Publication 800–37 (NIST, 2015).

Collection and Use of Data

This area on policy is based on the NIST framework to determine the risk for privacy and confidentiality of information. The Federal Chief Information Officers’ Council (CIO) refers to these control implementations as “privacy by design” in which the NIST recommended controls are addressed with regard to application to the specific agency (NIST, 2015). This same application can be used for manufacturing devices and making determination for securing based on the level of privacy that is needed through risk assessment. This framework seeks to protect information based on the primary concept of “linkable data” (NIST, 2015). As such the following protocols should be followed in order to create information assurance:

1. Does the user know that this device is collecting data?
a. Have permissions been made clear for this allocation of data? b. Is the user aware of how this data will be used?
2. Determine type of data
a. Is this data linkable to a user in an identifiable manner?
b. Does this data reveal personal information such as age, name, social security number?
3. Why is this data being collected?
a. Is this data for competitive intelligence?
b. Is it for resale?
4. How will this data be used?
a. If it is shared who will have access?
b. Is this considered protected data?
5. Some data such as healthcare data falls under HIPPA law and this protects the use of personal data being transmitted electronically.

Using this assessment, companies can determine the level of risk that the data collection process carries and then determine the security necessary to protect this data. Because most of these devices are using WIFI and cloud based programming the type of security can be determined using Implementation Guidance for the FIPS 140–2. This is already suggested by the leading manufacturer, Microsoft:

Validation against the FIPS 140–2 standard is required for all US federal government agencies that use cryptography-based security systems — hardware, firmware, software, or a combination — to protect sensitive but unclassified information stored digitally. (Note, however, that any business can take advantage of the FIPS 140–2 mode of operation if they desire.) Some agencies also require that the modules procured for secret systems meet the FIPS 140–2 requirements (Microsoft, 2017).

FIPS 140–2 provides standards for 11 areas of encryption that form a rating system for the security of a device. This rating system is a security level rating (1–4, from lowest to highest), with most devices needing only Level 1 qualification for sale. Level 1 is basic security such as integrated circuits, microprocessors, and other components that are readily found in smart devices (NIST, 2015). Using FIPS 140–2 would eliminate the problem of devices being manufactured and released with no security protocols.

Summary

The unprotected manufacturing and distribution of technology that collects and transfers data without regard to privacy is a negligent action on the parts of companies. Since the 1960s network infrastructures have been attempting to protect vital information and it is unreasonable to believe that this oversight was caused by anything other than cost drivers. The rapid rate of advancement in technology needs to be guided with privacy controls and measure to ensure public safety. This policy provides for a minimal protection for data collection devices that currently already exist in home computers and other integrated networking devices such as routers. Asking companies to meet these standards allows for the most effective means to protect the public.

References

FTC. (2013, November). Internet of Things . Retrieved from FTC: https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

(2016, September 23). Largest DDoS attack ever delivered by botnet of hijacked IoT devices. Retrieved from NetworkWorld: http://www.networkworld.com/article/3123672/security/largest-ddos-attack-ever-delivered-by-botnet-of-hijacked-iot-devices.html

Microsoft. (2017). Federal Information Processing Standard Publication (FIPS) 140–2 Federal Information Processing Standard Publication (FIPS) 140–2. Retrieved from Microsoft Trust Center: https://www.microsoft.com/en-us/TrustCenter/Compliance/FIPS

NIST. (2015, August 14). Archived NIST Technical Series Publication. Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/publications/fips/fips140-1/fips1401.pdf

NIST. (2015). FedRAMP Security Assessment Framework FedRAMP. NIST, NIST. NIST.

Sandvig, C., & Karahalios, K. (2016, June 30). Most of what you do online is illegal. Let’s end the absurdity. Retrieved from Guardian: https://www.theguardian.com/commentisfree/2016/jun/30/cfaa-online-law-illegal-discrimination

Photo by Andres Urena on Unsplash