Cybersecurity and IoT Privacy Risks and Challenges

Posted date 26/12/2017
Author
Miriam Puente García (INCIBE)

The Internet of Things (IoT) has started to become part of daily life in society: intelligent homes, intelligent education, intelligent healthcare, wearable devices, the Internet of Vehicles (IoV) and other industries make great use of this technology, with it playing a key role in the digital transformation and the hyper-connection of their elements.

The IoT ecosystem includes devices, networks, platforms and applications that require multiple security protection measures at each layer, as well as intelligence and security analysis capacities on all of their data in order to make the most of the synergy between the devices and the cloud.

The Challenges of IoT Cybersecurity

Due to the constant evolution of these technologies, it is very difficult to know what the scope of the advance of IoT will be on services in the future. What we can anticipate, however, is the large number of cybersecurity problems that may arise and the amount of user information that may be affected.

The relevance of IoT technology as a target for possible threats that compromise cybersecurity and privacy comes mainly from the fact that this technology uses and depends on everyday items (intelligent watches and bracelets, localisation applications, intelligent medical care systems, etc.) which are able to transmit and process information over the internet.

The gathering of users' personal details is intrinsic to the working of these devices, regardless of how aware the user is of how much personal information is revealed when using these services. This is also a source of security problems.

Moreover, the most widely used IoT devices have technical vulnerabilities in their authentication mechanisms or in the encryption of the information they transmit. For example, a large amount of insufficiently encrypted data is transmitted via wireless networks, many of which are public and lacking in security.

Considering its impact on security and citizens' privacy (the collecting and processing of data may be unclear for users), the range of threats regarding IoT is extremely wide.

Summary of Risks and Weaknesses

Currently, IoT technology presents a series of risks and vulnerabilities that can be summarised as follows:

  • Limited resources: the majority of IoT devices have limited capacities in terms of processing, memory and power, thus advanced security measures cannot be efficiently applied.
  • Complex ecosystem: security concerns have worsened now that the IoT cannot be seen as a collection of independent devices, but rather as a rich, diverse and wide ecosystem that includes aspects such as devices, communications, interfaces and people.
  • Low cost: in some cases, manufacturers may be inclined to limit security elements so as to guarantee a low cost. As a result, the product's security is not able to protect it against certain types of IoT attacks.
  • Lack of experience: this is a fairly new field, so there is a lack of IoT cybersecurity experts with a background in its threats or problems who could put previously learned lessons into practice for this technology. They simply have some general rules that must be applied to this field in an appropriate way.
  • Security failures in the device's design and its exploitation: the most common practice is that manufacturers concentrate on reducing the launch time of the products, sometimes neglecting the phase where they design essential cybersecurity elements (encryption of transmitted information, access controls, etc.). In many cases this is due to the need to launch before competitors do.
  • Lack of control and asymmetry of the information: the user is often not aware of the processing of data carried out by devices with sensor technology. The conventional mechanisms used to obtain the users' consent are considered "low quality" consent because, on many occasions, they rest on the lack of information that the user receives about the subsequent processing of the personal details they are providing. Moreover, this information can get into the hands of third parties without the user being aware of this.
    Furthermore, whilst it is not a specific IoT issue, the lack of control that exists in technologies such as cloud and Big Data services, and even the problem that arises from the combination of both, can make the lack of control and the asymmetry of information very evident in the realm of IoT.
  • Limitations in the possibility of maintaining anonymity when using services: the advance in IoT technology will cause the loss of anonymity in the use of multiple services in which, as it currently stands, this is taken as a given. In order to protect said anonymity, it will be necessary to improve the access control and encryption techniques, to develop techniques which support the concept of Privacy by Design, avoid the inference of information and maintain the privacy of the users' location.
  • Security against efficiency: balancing the optimisation of the device's hardware resources with the security requirements of these devices poses various challenges for manufacturers. Because time pressures when commercialising IoT products are greater than in other fields, efforts to develop secure devices are sometimes limited. Because of this, and sometimes also due to budgetary issues, companies that develop IoT products put more emphasis on their functionality and usability than on their security.
  • Unclear responsibilities: the lack of clearly assigned responsibilities (manufacturer/service provider/user) could give rise to ambiguities and conflicts should anything occur that affects security. This is especially true when considering the large and complex IoT supply chain. Furthermore, the issue regarding how to handle security if a single component is shared by various parties remains unresolved.

The following table references the threat taxonomy of the Baseline Security Recommendations for IoT study developed by ENISA.

[Figures: threat taxonomy 1 and threat taxonomy 2]
