As companies monetize the Internet of Things, there will be some fallout for privacy and security advocates. Danny Bradbury examines an emerging problem.
Devices ranging from smartphones to home automation systems, smart lights, fitness wearables and embedded vehicle sensors have created an incredible platform that we know as the Internet of Things (IoT), but this vast constellation of connected devices is only the first step in a longer journey. The next step involves creating services that run on top of it. This new layer – which we can call the Internet of Services (IoS) – brings its own security challenges.
“Why would you have an internet-connected bed?” quips Vince Warrington, director of UK cybersecurity consulting firm Protective Intelligence, adding that the IoS can provide use cases for connecting many things. “It’s about how you can tie things together and put value-added services on top of that.”
The internet-connected bed might monitor movement, while smart lights might report when they have been turned on and off. An online service could analyze that data and alert relatives of the elderly when their sleeping and other patterns change, he said. Or connected cars could talk to parking meters and automatically book the closest parking spot as they near their destination. Smartphones, which are also part of the IoT, already use embedded location data to book cars via Uber, for example, making it another example of such a service.
Rethinking Our Computing Model
Andy Mulholland, vice-president at technology advisory firm Constellation Research and former CTO at Capgemini Group, says that the IoS can use data from various IoT devices to fulfil our needs in often opaque ways. “Instead of having things based on fixed process with transacted outcomes, we have things based on interacted intentions or possibilities, and from that we get the insightful outcome,” he says.
What does that look like in practice? It moves us away from the world of simple two-way transactions (say a simple e-commerce purchase), in which a computer and operator collaborate to achieve a predictable result. Instead, these transactions are more holistic and complex.
Take that IoS unicorn Uber, which is threatening traditional taxi firms all over the western world. Taxis represent the pre-IoS model, where customers request a car via a phone or website, and the dispatcher just sends them the closest one. It is a simplistic transaction following a well-defined process with perhaps two fixed data points – the customer and the taxi driver.
Uber works the other way around, using an array of data points – including location and other data from that ultimate IoT-connected device, the smartphone, along with reputation or performance data from rider and driver – that are filtered through a complex algorithm to achieve a hazy result. “It’s where are you, what do you want, where’s the taxi that matches best for that, and then around it other circumstances, like what’s the weather, and what’s the demand for taxis?” says Mulholland. “Is there some kind of event on? It all calculates an outcome that wasn’t predicted or foreseen.”
This mystical mechanism may quietly solve the user’s problems, or end up charging them hundreds of dollars for a cab ride. It’s difficult to tell, because contrary to a straightforward e-commerce transaction with a predictable result, the murky, proprietary algorithm is the master, and the complex array of IoT data feeds is its servant.
One effect of all these additional data points and algorithmic gymnastics is that the entire process becomes far more complex, making it more difficult to manage. “The way the data models work – which is fundamentally what people hack – is also very different,” says Mulholland.
The data models themselves in this new IoS world are entirely different to the old one, eschewing traditional relational databases with their long-established tables and indexes for graph databases and other NoSQL data storage structures designed to store vast amounts of data from different sources and document the relationships between them.
“The data is created by the context of the event,” Mulholland said. To feed these data structures, IoT devices – including phones – are constantly triggered with contextual information relating to them. This ranges from your location to your movements in the home. All of this creates a footprint of a person’s movements, which he calls a “digital exhaust”.
A Poison Exhaust
This exhaust could poison user privacy. Sudha Jamthe is the author of the book IoT Disruptions and also teaches IoT business models for Stanford’s continuing studies program. She warns that the data generated about individuals from their daily interactions with the IoS can be damaging to privacy because no-one is focusing on how it is used. When her smart thermostat vendor wanted to work with her smart lock vendor to determine when individual people entered and left the house, it crossed a line for her.
“They’re saying they won’t use that data for anything else, and just want to know when I go in and out of the house so that they can change the temperature setting, but that isn’t information that I want to share with anybody.”
The IoT networks and the services atop them are still highly fragmented, says Rob van Kranenburg, chair of the IoT Hyper-connected Society at The European Research Cluster on the Internet of Things. This can create security issues in itself because different IoS vendors will have different levels of privacy and security.
“All of their products are already gateways from one network into another. The power will be with anyone who is able to seamlessly link up all these networks and their data,” he says. “It’s about having access to vast data sets that you can aggregate into new services.”
We can already see some scary privacy violations as IoS companies collect enough data of their own. Uber (which did not return our interview requests) has sparked concerns over its plans to track its users’ locations even when they are not using the app, and to pester people in their phones’ contact lists with special offers. It tracked users’ one-night stands by collecting their ride data, and then documented them in a blog post. Executives also tracked reporters’ movements in real-time and then bragged about it. If one company blatantly infringes privacy in this way, then what could hackers do with that data?
Some Solutions
There are some possible solutions to the privacy and security problems threatening the IoS that span the political and the technical. Regional politicians can impose their own data usage laws, as we’re seeing with the General Data Protection Regulation (GDPR) in Europe, which comes into force in May 2018. More specifically to the connected devices underpinning the IoS, the European Commission’s Communication on ICT Standards requires member states to develop standards that support trustworthy authentication across objects, devices and people.
“The EU seems to have a better policy in place about telling us how they’ll use the data,” says Jamthe. “It’s nowhere near as transparent in the US, and vendors here don’t even want to have that conversation and freak out consumers.”
Acknowledging that most individuals will be using IoT-based services owned largely by US firms, Rob van Kranenburg suggests instigating personal policies about data usage in the IoT and associated services. He is working on a product, the Dowse Privacy Hub, which will be an open sourced hardware project enabling people to control what data they’re sending from their personal and private networks to other parties. Think of it as a privacy router.
“We want to do this because we think that things are getting out of hand,” he added.
Another Stack of Problems
The security problems for the IoS don’t just rest at that layer of the IoT stack, however. Insecurities in the rest of the stack can render the services themselves vulnerable. These layers include the hardware devices that collect the data and the networks that enable them to transfer that information, explains Sanjay Khatri, director of product marketing for IoT services at Jasper, which Cisco purchased in March 2016. Jasper is an IoT ecosystem platform that helps IoS companies to manage their devices and monetize them with value-added services.
Device vendors can make basic mistakes such as not requiring code signing, or making the devices low-powered enough that they can’t support encryption, for example. Badly-configured user interfaces can lead to loss of control in the cloud.
“You want to have ways to mitigate the large-scale dangers of connected devices,” he says, adding that Jasper provides services including device authentication and detection of anomalous behavior in large groups of connected devices. Partners in the Jasper ecosystem also handle tasks such as data encryption, and the security of the transport layer.
Khatri argues that partners who use SIM-based cellular connections for their devices rather than public Wi-Fi networks to communicate with Jasper naturally harden the transport layer of the IoT stack on which their services rest.
Cultural Issues
Services may exist to help shore up security and privacy in the IoS, but ultimately, what’s needed is a cultural shift, warn experts. Traditional IT security people are used to dealing with well-understood, linear processes relying on clearly-bounded inputs. Constellation’s Mulholland believes that the diverse, loosely-coupled IoS, with the non-deterministic algorithms and complex data sets that run atop it, is beyond the kinds of problems that these professionals are used to solving.
“If you say that it starts with the event, and then serendipitously arrives at the output, you can imagine the look on their face,” Mulholland says.
The same is true for those forced to deal with the IoS in the enterprise space, who may have been used to programming embedded SCADA equipment that only ever spoke to particular devices in a closed network.
“All of a sudden now they have a mandate to open it up,” Khatri says. Not just to internal staff but to third parties. “It’s overtaken a lot of these guys, and I don’t think that even the standard IT practices have really pervaded some of these areas.”
The security and privacy challenges facing IoS companies and their users are broad and intricate. Companies are only just beginning to understand how the business models will work, and are shaping the technology to support it. If they want to bake privacy and security into those models, there’s an awful lot of talking – and learning – to do.