Privacy and Security in the Internet of Things
Download as PPTX, PDF1 like633 views
The document discusses privacy and security issues in the Internet of Things (IoT), emphasizing the importance of minimizing data collection and protecting user information. It highlights various examples of potential data leaks from smart technologies and the risks associated with government intrusion and corporate data sales. The speaker, Jeff Katz, advocates for strong encryption and proactive security measures to mitigate these challenges.
Privacy and Security in the Internet of Things
- 1. Jeff Katz | KIWI Privacy and Security in the Internet of Things
- 2. Agenda • A bit about me • Privacy and Data Collection • Security and Data Protection • Guidelines • Example • Questions
- 3. A small bio • Embedded Engineer, hardware and software (but also backend, mobile, frontend, web...) • Developed hardware to break Nintendo DS copy protection • 7+ Years in Physical Access Control Industry • VP Engineering, KIWI (more at kraln.com)
- 4. Image Credit: Twitter @internetofshit
- 5. Privacy • Ability to preclude information from being shared or communicated • What is sensitive changes over time • What is private changes over time • Remember: Anonymized data isn’t 1 1 Ohm, Paul, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization (August 13, 2009). UCLA Law Review, Vol. 57, p. 1701, 2010; U of Colorado Law Legal Studies Research Paper No. 9-12. Available at SSRN: http://ssrn.com/abstract=1450006
- 6. Data Collection • Don’t collect data you don’t need • Don’t use services that collect data in order to provide your product or service • Avoid unintentional information leakage • Data is a double-edged sword • Pretend everything will become public!
- 7. Example: Smart Thermostat • What you want – House temperature auto-adjusts – House is warm when you come home – Less energy usage • What you get leak – Knowledge about where other people are – When you are on vacation – Location information collected by background service on your phone
- 8. A designer knows he has achieved perfection not when there is nothing left to add, but when there is nothing left to take away. Antoine de Saint-Exupery
- 9. Example: Smart Power Meter • What you want – Power usage over time – Optimize grid – Easy metering • What you get leak – When people are home – What is being watched on TV – Ability to remotely kill power1 1 http://www.sciencedirect.com/science/article/pii/S1877050915008492
- 10. But we’re the good guys! • Security breaches • Government intrusion • Corporate sale Information you collect, even with the best of intentions, can be used against you and your customers.
- 11. Security breaches • Any data you have can & will be used against you • The more data you have, the more valuable you are as a target • Large or small scale possible • Matter of when, not if! http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
- 12. Example: Smart Lock • What you want – Lock works with cellphone over Bluetooth – List of people who come and go, and when – No need for metal keys anymore • What you everyone gets – List of people who come and go, and when – Ability to drain battery, lock people out of their houses
- 13. Government intrusion • 2013 Facebook: 38,000 requests • 6mo 2014 Twitter: 2,871 requests • 3mo 2014 Snapchat: 400 requests • Google: https://www.eff.org/who-has-your-back-government-data-requests-2015
- 14. Corporate sale • Barclays bank tells 13 million customers it is to start selling information on their spending habits to other companies http://www.theguardian.com/business/2013/jun/24/barclays-bank-sell-customer-data • Bell faces $750M lawsuit over allegedly selling customer data http://www.cbc.ca/news/canada/windsor/bell-faces-750m-lawsuit-over-allegedly- selling-customer-data-1.3037545 • “RadioShack Corp. won court approval to sell data on about 67 million customers in a $26.2 million deal for assets that also includes the bankrupt electronics retailer’s name.” http://www.bloomberg.com/news/articles/2015-05-20/radioshack-receives-approval- to-sell-name-to-standard-general
- 15. Security • The internet is radioactive ☢ • Wireless communications are radioactive ☢ • Users are very radioactive ☢ • Minimize your exposure! • Strong encryption is your radiation shielding! • Keep your business-critical data, and your user’s data, as far away from the danger as possible
- 16. Example: LIFX • What you want – App to control lightbulb – Easy set up, wireless control • What you get – Mesh-network “encrypted” with keys sent in plain-text – WIFI password broadcast unencrypted http://www.contextis.com/resources/blog/hacking-internet-connected-light-bulbs/
- 17. Medical Devices: Myth • High standards mean high quality • Enable doctors to work remotely • Security vulnerabilities do not exist, or even if they did, they would not cause problems • Medical devices are always airgapped
- 18. Medical Devices: Reality • High standards mean lots of shortcuts • Enable anyone to access remotely • Security vulnerabilities do exist, and create critical problems • Medical devices are almost never airgapped. Many devices can be crashed just by running simple security scans (port scans)
- 19. Why should I care? • Immunizations provide herd immunity! • Designing for privacy and security is much easier and more effective than retrofitting • Defense in depth • Think of your mom!
- 20. Example: Smart “Toy” http://motherboard.vice.com/read/yes-your-smart-dildo-can-be-hacked • Remote control • Video • Sound Do I really need to explain why this is a bad idea?
- 21. What can I do? • Collect as little information as possible • What you collect, always secure/encrypt • Secure command & control channel • Have a disaster recovery plan • Have a privacy policy • Don’t re-invent the wheel • Work with security researchers More ideas: https://msdn.microsoft.com/en-us/library/ms976532.aspx
- 22. • Physical Access Control as a Service • Private apartments, service providers, and house management companies • Mix of hardware, software, wireless sensor network and web applications • High focus on privacy and security of our users