LACBA Privacy and Cybersecurity Section Newsletter

Summer 2021

The Internet of Things—Privacy and Security Risks and Solutions

By Zachary Lochner and Nicolas Batara

During the last decade, Internet of Things (IoT) [1] devices have become integral in a variety of markets and are poised to grow rapidly. Worldwide spending on IoT, by at least one estimate, may surpass $1 trillion in 2022, with 41.6 billion connected IoT devices generating 79.4 zettabytes of data by 2025. [2] IoT devices range from consumer products to critical infrastructure (energy and transportation) to industrial applications (Industrial Internet of Things [IIoT]) to medical technology (Internet of Medical Things [IoMT]).

The proliferation of IoT devices introduces a kinetic problem (i.e., they enable physical action in the real world). The challenges with all IoT devices, whether in consumer products, industrial controls, health care, agriculture, transportation, or other infrastructure, can have substantial, direct consequences for privacy, safety, and security. IoT devices create a powerful platform for cyberattacks and increase privacy, safety, and security risks in each of the areas that use them. Software engineering best practices are core defensive tools for securing the threat vectors associated with IoT. [3]

The Open Web Application Security Project® (OWASP) [4] identified the top critical security risks for IoT: insufficient privacy protection; weak or hardcoded passwords; insecure or outdated components; insecure network services; insecure data transfer and storage; lack of a secure update mechanism; lack of device management; lack of physical hardening; and insecure default settings. [5] Such weaknesses may allow unauthorized access to IoT devices, leading to nuisance or nefarious actions or to high-impact security incidents, including malware exploiting wormable vulnerabilities, with catastrophic impacts across an entire organization.

Personal data security has been a concern for decades. Since IoT devices store personal user data, consumer IoT devices are vulnerable targets for malware, viruses, and botnet attacks. [6] For example, the Mirai botnet was responsible for distributed denial of service (DDoS) attacks: it infected webcams, digital video recorders, and routers before deducing the administrative credentials of other IoT devices, and together the compromised devices could generate terabits of data per second for the hackers. [7]

[1] IoT can be defined simply as "[a] network of items—each embedded with sensors—which are connected to the Internet." Recommendation ITU-T Y.4000/Y.2060, International Telecommunication Union, 2012.
[2] Dignan L. "IoT devices to generate 79.4ZB of data in 2025, says IDC," ZDNet, June 18, 2019. https://www.zdnet.com/article/iot-devices-to-generate-79-4zb-of-data-in-2025-says-idc/
[3] D'Andrade B. ed. (2021). Software Engineering: Artificial Intelligence, Compliance, and Security. Nova Science Publishers.
[4] The Open Web Application Security Project® is a non-profit organization with the goal of improving the security of software. https://owasp.org/
[5] "OWASP Internet of Things Top 10." https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10
[6] The National Vulnerability Database, the United States government's repository of standards-based vulnerability data, has reported vulnerabilities in drones, toys, cameras, and intimate devices, among other devices. Valente J, Wynn A, Cardenas AA. "Stealing, Spying, and Abusing: Consequences of Attacks on Internet of Things Devices." IEEE Security & Privacy 17(5):10-21, 2019. doi: 10.1109/msec.2019.2924167; "OWASP Internet of Things Top 10," 2018. https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10

In particular, home area network (HAN) IoT devices are frequently networked wirelessly through the home's internet access point, most commonly a wireless local area network (WLAN) router. This WLAN connection is an attack vector for malicious actors, since compromising it gives them access to all the networked IoT devices within the HAN. Thus, one layer of protection to minimize security risk is to ensure that the HAN is password protected and that the WLAN is updated to the latest Wi-Fi encryption as per the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard. [8]
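As an added example, not code from the article, from OWASP, or from any vendor, the following Go program audits a constructed device configuration against the OWASP risk categories listed above and the HAN guidance in this section. The configuration fields, the small table of vendor-default credentials, and the two sample configurations are assumptions made for the illustration; a real audit would load the vendor's documented settings and published defaults instead.

```go
package main

import (
	"fmt"
	"strings"
)

// DeviceConfig is a constructed, simplified model of the settings a consumer
// IoT device or home WLAN router exposes. The field names are assumptions
// made for this example and do not correspond to any vendor's real schema.
type DeviceConfig struct {
	AdminUser      string
	AdminPassword  string
	TelnetEnabled  bool   // legacy remote shell, cleartext
	AdminOverHTTP  bool   // management page reachable without TLS
	DebugPortOpen  bool   // diagnostic service left listening
	UpdateURL      string // where the device fetches firmware
	UpdateSigned   bool   // device verifies a vendor signature on updates
	WifiSecurity   string // "OPEN", "WEP", "WPA", "WPA2", "WPA3"
	WifiPassphrase string
}

// knownDefaults holds a few constructed vendor-default credential pairs; a
// real audit would load the vendor's published defaults instead.
var knownDefaults = map[string]string{
	"admin": "admin",
	"root":  "root",
	"user":  "1234",
}

// Finding ties a configuration problem to the OWASP IoT Top 10 category
// the article lists for it.
type Finding struct {
	Category string
	Detail   string
}

// AuditConfig returns one Finding per insecure setting it recognises and an
// empty slice for a configuration that passes every check.
func AuditConfig(c DeviceConfig) []Finding {
	var out []Finding
	add := func(cat, detail string) { out = append(out, Finding{cat, detail}) }

	if pw, ok := knownDefaults[c.AdminUser]; ok && pw == c.AdminPassword {
		add("Weak or hardcoded passwords", "administrative account still uses the vendor default credential")
	} else if len(c.AdminPassword) < 12 {
		add("Weak or hardcoded passwords", "administrative password is shorter than 12 characters")
	}
	if c.TelnetEnabled {
		add("Insecure network services", "Telnet is enabled; remote shells should require SSH or be disabled")
	}
	if c.DebugPortOpen {
		add("Insecure network services", "debug/diagnostic port is listening and reachable from the network")
	}
	if c.AdminOverHTTP {
		add("Insecure data transfer and storage", "management interface is served over cleartext HTTP")
	}
	if !strings.HasPrefix(strings.ToLower(c.UpdateURL), "https://") {
		add("Lack of secure update mechanism", "update channel is not TLS-protected")
	}
	if !c.UpdateSigned {
		add("Lack of secure update mechanism", "device does not verify a vendor signature before installing an update")
	}
	switch strings.ToUpper(c.WifiSecurity) {
	case "WPA2", "WPA3":
		// current IEEE 802.11 protections; nothing to report
	default:
		add("Insecure default settings", "WLAN is not using WPA2 or WPA3 encryption")
	}
	if c.WifiPassphrase == "" {
		add("Insecure default settings", "home network is not password protected")
	}
	return out
}

// FactoryDefaultConfig is a constructed example of how a device often ships.
var FactoryDefaultConfig = DeviceConfig{
	AdminUser: "admin", AdminPassword: "admin",
	TelnetEnabled: true, AdminOverHTTP: true, DebugPortOpen: true,
	UpdateURL: "http://updates.example.invalid/fw.bin", UpdateSigned: false,
	WifiSecurity: "WEP", WifiPassphrase: "password",
}

// HardenedConfig is the same device after the mitigations the article names.
var HardenedConfig = DeviceConfig{
	AdminUser: "admin", AdminPassword: "constructed-long-unique-passphrase",
	TelnetEnabled: false, AdminOverHTTP: false, DebugPortOpen: false,
	UpdateURL: "https://updates.example.invalid/fw.bin", UpdateSigned: true,
	WifiSecurity: "WPA3", WifiPassphrase: "constructed-wlan-passphrase",
}

func main() {
	for name, cfg := range map[string]DeviceConfig{"factory default": FactoryDefaultConfig, "hardened": HardenedConfig} {
		findings := AuditConfig(cfg)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  [%s] %s\n", f.Category, f.Detail)
		}
	}
}
```

Run as written, the factory-default configuration produces seven findings (the default credential, Telnet, the debug port, cleartext management, the plain-HTTP update URL, the unsigned update, and WEP), while the hardened configuration produces none. The checks are deliberately boolean and local to one device; they illustrate the categories rather than replace a full assessment.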

Furthermore, cybersecurity threats to IIoT pose a significant safety risk. IIoT devices comprise automated machine-to-machine technology that senses, collects, processes, and communicates real-time events in industrial systems. [9] In December 2015, a cyberattack on the power grid in Ukraine started with phishing emails containing malicious Microsoft Office files with embedded malware (BlackEnergy) that allowed network reconnaissance and the theft of privileged credentials. The attackers remotely seized control of a supervisory control and data acquisition (SCADA) system and shut off electric power to 230,000 residents. [10]

In the United States, the widespread and continuing deployment of smart-grid electric infrastructure [11] creates security risks, since the advanced metering infrastructure is IoT-based and ultimately will consist of millions of devices, creating a vast attack surface. The effects on the reliability of widespread infrastructure are potentially devastating, given the potential for a cascading shutdown of the electricity grid. [12]

The recent ransomware attack by DarkSide on the Colonial Pipeline, which controls the flow of approximately half the supply of [...] and diesel [...] between [...] and [...], revealed that while the company believed the pipeline's operations were isolated from its data systems, this was not the case. Colonial Pipeline had to shut down the pipeline to prevent the malware from spreading to the systems that operate the pipeline. The attack also revealed the weakness inherent in critical infrastructure held by private companies that employ insufficient safeguards to protect their systems from cyberattacks. [13]

The Transportation Security Administration (TSA) in the Department of Homeland Security previously addressed cyberattacks in this industry only with voluntary guidelines, first issued in 2010 and last updated in 2018, but in response to this attack it will issue mandatory regulations. [14] As a first step, it will require pipeline companies to have an officer in charge and to report any cyber breaches to TSA and the Cybersecurity and Infrastructure Security Agency (CISA). In addition, the TSA, in coordination with CISA, will develop mandatory rules for pipeline companies to follow to protect their systems from cyberattacks. These rules will include an assessment of the gaps between existing security practices and cybersecurity guidelines and the remediation of those gaps, as well as mandatory steps to follow if attacks do occur. [15]

[7] Kolias C, Kambourakis G, Stavrou A, Voas J. "DDoS in the IoT: Mirai and Other Botnets." Computer 50(7):80-84, 2017.
[8] He C, Mitchell JC. "Security Analysis and Improvements for IEEE 802.11i." Proceedings of the Network and Distributed System Security Symposium, NDSS 2005, San Diego, California, USA. https://theory.stanford.edu/~jcm/papers/NDSS05.pdf
[9] Khan WZ, Rehman MH, Zangoti HM, Afzal MK, Armi N, Salah K. "Industrial internet of things: Recent advances, enabling technologies and open challenges." Computers & Electrical Engineering 81:106522, 2020. doi: 10.1016/j.compeleceng.2019.106522; UL Computer Technology. "An Introduction to the Internet of Things." https://ctech.ul.com/en/knowledge-center/an-introduction-to-the-internet-of-things/
[10] https://us-cert.cisa.gov/ics/alerts/IR-ALERT-H-16-056-01
[11] Saleem Y, Crespi N, Rehmani MH, Copeland R. "Internet of Things-Aided Smart Grid: Technologies, Architectures, Applications, Prototypes, and Future Research Directions." IEEE Access 7:62962-63003, 2019. doi: 10.1109/access.2019.2913984; Kimani K, Oduol V, Langat K. "Cyber security challenges for IoT-based smart grid networks." International Journal of Critical Infrastructure Protection 25:36-49, 2019. doi: 10.1016/j.ijcip.2019.01.001
[12] Kimani K, Oduol V, Langat K. "Cyber security challenges for IoT-based smart grid networks." International Journal of Critical Infrastructure Protection 25:36-49, 2019. doi: 10.1016/j.ijcip.2019.01.001
[13] "Pipeline attack yields urgent lessons about US cybersecurity," New York Times, May 14, 2021. https://www.nytimes.com/2021/05/14/us/politics/pipeline-hack.html
[14] The Department of Transportation was responsible for pipeline security until 2002, when the TSA took over; until 2010, its main focus was on the physical security of the pipelines from terrorist attacks rather than from direct access to (note continues below)

In addition to government actions such as the new TSA/CISA regulations, risks may be mitigated by compliance with standards, laws, frameworks, and guidelines put forth by standards organizations, professional groups, and government bodies, such as ASTM International, the IEEE, Underwriters Laboratories, and the National Institute of Standards and Technology (NIST). [16] NIST recommends that IoT device manufacturers undertake pre-market and post-market activities: 1) identify expected customers, users, and use cases; 2) research and address customer cybersecurity needs and goals; and 3) plan for adequate customer support and communication. NIST further identifies core cybersecurity capabilities for IoT products: device identification and configuration; data protection; logical access to interfaces; software updates; and cybersecurity awareness. [17] Additionally, generally accepted software engineering practices provide mitigation tools for IoT risks.
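The "software updates" capability in the NIST baseline is only protective when the device can tell a genuine update from a forged or replayed one, which is also the gap behind the OWASP "lack of secure update mechanism" risk discussed earlier. The Go program below is an added example, not code from NIST, the article, or any vendor: it models a vendor-signed firmware manifest that the device verifies with Ed25519 from the Go standard library, refusing a tampered image, a rolled-back version, and a manifest signed with an untrusted key. The manifest layout, the field names, the device state model, and the sample images are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The two-field layout is an
// assumption made for this example, not a vendor- or NIST-defined format.
type Manifest struct {
	Version     uint32   // monotonically increasing; used for anti-rollback
	ImageSHA256 [32]byte // digest of the image the manifest vouches for
}

// Bytes is the canonical encoding that the vendor signs and the device verifies.
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(b[:4], m.Version)
	copy(b[4:], m.ImageSHA256[:])
	return b
}

// DeviceState is the minimum a device must keep in protected storage:
// the vendor's public key (never the private key) and the installed version.
type DeviceState struct {
	VendorKey      ed25519.PublicKey
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the vendor key")
	ErrRollback     = errors.New("manifest version is not newer than the installed firmware")
	ErrImageHash    = errors.New("image digest does not match the signed manifest")
)

// NewManifest is the vendor-side step that binds a version number to an image.
func NewManifest(version uint32, image []byte) Manifest {
	return Manifest{Version: version, ImageSHA256: sha256.Sum256(image)}
}

// SignManifest runs at the vendor; the private key stays off the device.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}

// VerifyUpdate is the device-side check, run before anything is written to
// flash. Order matters: authenticate the manifest first, then refuse
// downgrades, then confirm the image really is the one the manifest signs.
func VerifyUpdate(st *DeviceState, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(st.VendorKey, m.Bytes(), sig) {
		return ErrBadSignature
	}
	if m.Version <= st.CurrentVersion {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageSHA256 {
		return ErrImageHash
	}
	st.CurrentVersion = m.Version // commit only after every check passes
	return nil
}

// Outcome records what a device did with four constructed update attempts.
type Outcome struct {
	Genuine, Tampered, Rollback, Forged error
	FinalVersion                        uint32
}

// RunScenario exercises VerifyUpdate with a constructed vendor key, a
// constructed image, and an attacker who holds a different key.
func RunScenario() (Outcome, error) {
	var o Outcome
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	image := []byte("constructed firmware image, version 2")
	dev := &DeviceState{VendorKey: vendorPub, CurrentVersion: 1}

	// 1. Genuine update: signed by the vendor, newer version, intact image.
	m2 := NewManifest(2, image)
	o.Genuine = VerifyUpdate(dev, m2, SignManifest(vendorPriv, m2), image)

	// 2. Same signed manifest, but the image was modified in transit.
	fresh := &DeviceState{VendorKey: vendorPub, CurrentVersion: 1}
	o.Tampered = VerifyUpdate(fresh, m2, SignManifest(vendorPriv, m2), append(append([]byte{}, image...), '!'))

	// 3. A genuinely signed, older manifest replayed against the updated device.
	old := []byte("constructed firmware image, version 1")
	m1 := NewManifest(1, old)
	o.Rollback = VerifyUpdate(dev, m1, SignManifest(vendorPriv, m1), old)

	// 4. A newer manifest signed with a key the device does not trust.
	m3 := NewManifest(3, image)
	o.Forged = VerifyUpdate(dev, m3, SignManifest(attackerPriv, m3), image)

	o.FinalVersion = dev.CurrentVersion
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine update:", o.Genuine)
	fmt.Println("tampered image:", o.Tampered)
	fmt.Println("rollback attempt:", o.Rollback)
	fmt.Println("forged manifest:", o.Forged)
	fmt.Println("installed version:", o.FinalVersion)
}
```

Only the first attempt is accepted and advances the installed version to 2; the other three are rejected before any image is committed. The version counter is what gives the device its "device identification and configuration" footing for updates: without it, an attacker who captures one legitimately signed old manifest can replay it to reintroduce a patched vulnerability.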

This article is a broad overview, as IoT applications are varied, ranging from consumer gadgets and toys to industrial control systems. Adherence to IoT standards and guideline documents and to good engineering practices should mitigate many of the risks associated with emerging trends in IoT. Security-conscious design that considers the full lifecycle of an IoT device, including threats that may not be evident at design time, is fundamental for both device and network security.

[14, continued] cyberattacks. Nakashima E and Aratani L. "DHS to issue first cybersecurity regulations for pipelines after Colonial hack," The Washington Post, May 25, 2021. https://www.washingtonpost.com/business/2021/05/25/colonial-hack-pipeline-dhs-cybersecurity/
[15] Nakashima E and Aratani L. "DHS to issue first cybersecurity regulations for pipelines after Colonial hack," The Washington Post, May 25, 2021. https://www.washingtonpost.com/business/2021/05/25/colonial-hack-pipeline-dhs-cybersecurity/
[16] Additional organizations involved with cybersecurity, privacy, and security issues include: the Internet Engineering Task Force; the European Agency for Network and Information Security; the United States Cybersecurity and Infrastructure Security Agency; the Organization for the Advancement of Structured Information Standards; and the Cloud Security Alliance.
[17] NIST. IoT Device Cybersecurity Capability Core Baseline. NISTIR 8259A, 2020.