How The Explosion of IoT Devices Impact Network Security & Data Ownership

October 24, 2016

Forecasts on the number of Internet of Things (IoT) devices deployed by 2020 vary widely. In 2010, IBM predicted 1 trillion devices by 2015. Needless to say, this was mildly over enthusiastic. In 2013, a Morgan Stanley report predicted 75 billion IOT devices would be deployed by 2020. While this may yet turn out to be accurate, we still have a way to go. In November 2015, Gartner reported that nearly 6.4 ‘Things’ would be in use this year – a 30 percent increase over 2015. If the growth rate keeps up, then we should live in a world inhabited by 18.7 billion ‘Things’ by 2020.

No matter the number of devices, one thing is clear. The vast number of IoT-enabled devices in the field today are already beginning to impact networks. It is not just a bunch of IP addresses. These devices are gathering and sharing tremendous amounts of information. Then there are the security concerns and questions about data ownership.

As you can see we are entering uncharted territory. Prior to the introduction of the commercial internet in the 1990s, security and network ownership were rather straightforward. Most computer networks were closed systems. If you needed to connect a remote location, you would rent a line from the phone company. Today’s network architecture is much more complex. We have fixed line options, wireless, Wi-Fi, and then there is the coming rollout of commercial 5G service which is a potential game changer.

But let’s roll it back to one simple precept. IoT cannot exist without the network. Sounds simple enough, but many people have gotten so excited about the plethora of devices and applications that they have forgotten about the backbone which makes it all possible.

Network Security

As we have seen, the pace and Scale of cyber-attacks are increasing. The deployment of billions of devices has created the potential for massive security breaches. In 2015, Kaspersky ran an article entitled the ‘Internet of Crappy Things.’ In the article, the security firm outlined what they believe are the risks from the deployment of IoT devices. This included the example of how a car wash was hacked by Billy Rios. The conclusion was not a surprise. Continued deployment of IoT devices without proper security protocols could be ‘detrimental’.

Kaspersky is correct. Whilst many IoT devices have some basic level security measures baked into their firmware. The real challenge is when they are connected to broader networks which could be easily accessed by a growing community of black hats seeking to use IoT devices to forward their agenda. If you think getting locked out of your computer by ransomware is bad, imagine being locked out of your home or your car?

The threats don’t end there. Yes, IoT devices can help to improve management of power grids, but they could also make them less secure. What can be done? For starters, developers and network operators must establish security standards for IoT devices. Another step is for device makers to ensure their devices are certified. In fact, OTA’s Trust Framework is another option.

However, these steps will only go so far. In the end, the voice of the customer needs to win out. This starts with network administrators looking at their IoT purchasing decisions to ensure the choices they make are not creating future vulnerabilities.

Data Ownership

Whilst security is a BIG deal, another bugaboo for IoT advocates is data ownership. It should be a real concern. We are on the precipice of an explosion of IoT-enabled devices – as if 6 billion was not a lot already.

What is at stake is the very understanding of how ‘privacy contracts’ work. These are covenants between the user, the device, and by extension the network providers and the app or device developer. To a certain extent, we have come to take these ‘contracts’ with a grain of salt. How many people have actually ready the iTunes’ User Agreement or Facebook’s Terms of Service? But IoT is ultimately about personal data – especially when it is tied to your business, your home, or your health.

At this point, there are very few answers on the limits of using such data. Not only that, but ownership issues abound. Such as, who actually owns the data? One best practice may be for network administrators and developers to outline responsibilities, especially in an ecosystem which includes multiple data controllers and processors. In this way, users can be made aware of how data collected on their movements is being collected and analyzed.

Conclusion

The explosion of IoT-enabled devices presents numerous challenges, and opportunities, for network administrators and network operators. As we have seen, the awareness of security vulnerabilities needs to be addressed before the issue become nearly impossible to fix. Failure to do so risks submarining all of the momentum towards the mass-adoption of IoT technologies.

Meanwhile, issues remain about the ownership and use of data collected by these devices. Whilst it is highly probably that continued adoption will unearth additional issues, it would appear the onus lies with network owners to put in place gateways to keep potentially unsecure devices off their network while simultaneously working with data controllers, processors, and users to raise the awareness of data ownership and privacy questions.