Internet of Things

Security and Privacy Concerns

nternet of Things (IoT) envisions

I everything in the physical world will be

connected seamlessly and integrated
securely through Internet infrastructure. Component of IoT
When things react to environment or
stimuli, data will be captured and transformed into
Characterising IoT by referencing the number of
valuable insights, which can be utilised in various
connected devices or connection is oversimplifying
application domains, ranging from automated home
the phenomenon. IoT is a complex eco-system
appliances, smart grids and high-resolution assets,
encompassing all aspects of the Internet, including
to product management. This newsletter portrays
analytics, the cloud, application, security and much
the need and strategy of enhancing the present
more. Technologically, connecting things to the
stance of IoT by incorporating security and privacy
Internet can be accomplished with the existence of
into its design and implementation.
three main technology components (Figure 1),
namely physical devices and sensors (connected
things), connection and infrastructure, and analytics
Introduction of IoT and applications.

“Internet of Things” was first coined by the co-  Physical devices and sensors
founder and Executive Director of MIT’s Auto-ID lab,
Physical devices and sensors are able to gather and
Kevin Ashton in the mid-1990s1. Major vendors and
sense first-hand and multidimensional information,
technology leaders are announcing initiatives to
and evidence of the objective condition of an event
leverage the Internet of Things’ opportunities, and
autonomously without human intervention. In
define IoT differently, according to each of their area
addition, when devices function to capture
of specialty. Nevertheless, there are salient
information with embedded intelligence, devices
attributes across array of definitions, such as
can act and react. Environment context will then be
sensors, things, people, process, automation, data,
modified and the devices will respond differently. As
network, connectivity, convergence, and
such, this circular process will be repeated
intelligence. Hence, Internet of Things can be
continuously.
defined as “Intelligent interactivity between human
and things to exchange information & knowledge for  Connection and infrastructure
new value creation”.

Page 1
Connection and infrastructure, such as cloud,
security, storage, security, privacy and processing,
facilitate continuous, real-time data and information
flow and feedback loops.
 Analytics and applications
Analytics and applications transform sensor-
generated information to a new and key source of
knowledge for action-taking. They enable users to
leverage the large amount of data gather, converge
information for further analysis provides actionable
insight for the enterprise for productivity
enhancement, offer unique solutions, and enhance
life experience.
Figure 1: Components of the Internet of Things18
Technology Trend
The Internet has evolved (Figure 2) to become an
ever more pervasive and critical infrastructure
underpinning society and commerce around the
globe. In 1990, with the creation of worldwide web
(a method of publishing information on the
Internet) by Tim Berners-Lee, Internet became the
richest source of information, and since then the
number of websites has exploded.
Yesterday’s Internet was a universe of interlinked
human and creates new generations of interactive
experiences. Internet usage had exploded since
1995 to reach the first billion users in 2005. The
second billion was in 2010, and the third billion is
expected to be reached by the end of 20142.
The next phase of the Internet will be IoT: a world of
networked smart devices equipped with sensors,
connected to the Internet, all sharing information
Figure 2: Internet evolution2
with each other without human intervention.
Gartner 26 billion connected devices3
Frost & Connected devices amounting to
Sullivan 40 billion connected ‘things’4
IDC 28.11 billion of IoT units
installed5
CISCO6 & 50 billion devices
Ericson7
GSMA 25.7billion connected devices;
10.8 billion mobile connected
devices8
GSMA 880 million unique subscribers9
UTMS Forum Global mobile subscription reach
9.7 billion10
Table 1 : Usage prediction of IoT
Page 2

Value Propositions
With the rise of connected devices and connected
individuals, technology experts forecast four
interwoven and interaction technology pillars which
will fuel and shape the IoT, namely big data, cloud,
social media, and mobile devices and things.
 Big Data
With the variety and enormity of data and
information collected by the sensors, Big Data
technologies will be the cornerstone in extracting
meanings and insights of this exponentially
increased data, which will enrich the user
experiences and enable new business processes and
models.
 Cloud
Cloud serves as delivery platform of information and
functionality to users. Cloud allows information and
knowledge to be accessed and delivered to anyone,
anytime and anywhere.
 Social media
Social media is transforming interaction and
communication modes between individuals in new
and unexpected ways. Information will be sourced
from physical movement and interactions
happening in the Web 2.0. Interconnected societal
promote engagements, share information,
collaborate and innovate.
 Mobile devices/things
Mobile devices/things are the platforms of social
communication and network in both personal and
work spheres. With the diminishing cost of device
that drives the revolution of sensors and connected
things, data capturing is no longer restricted by
locations and a single dimension. Data collection
process escalated both in speed and scale and multi-
dimensional variables can be captured
simultaneously within the same environment.
Challenges
Several challenges need to be addressed in order to
encourage higher growth rate of IoT and
subsequently provide opportunities for Universities
and the industry to capture new competencies and
capacities Several thematic challenges have been
identified from various stakeholders of the IoT
ecosystem.
 Infrastructure
Infrastructure is the catalyst to reach an
interoperable, trustable, mobile, distributed,
valuable, and powerful enabler for emerging
applications such as Smarter Cities, Smart Grid,
Smart Building, Smart Home, Intelligent Transport
Systems, and ubiquitous healthcare, to name a few.
The massiveness of sensors and smart things to be
connected to the Internet will pressure the adoption
of IPv6, which is a technology considered most
suitable for IoT, as it offers scalability, flexibility,
tested, extended, ubiquitous, open, and end-to-end
connectivity11.
 Data & Information
The tremendous volume of data that pours in from
devices presents a huge challenge for service
providers in the IoT ecosystem. Big Data solutions
will be instrumental in overcoming this challenge by
giving IoT service providers the capacity to analyse
data, and discover relevant trends and patterns.
Page 3
Issues including privacy related to personal data,
and data sharing12 will emerge, denoting the
importance of trust in establishing the ecosystem
that supports consumers in donating their data for
public good.

Page 4
  Security & Privacy
Connected devices can communicate with
consumers, transmit data back to service providers,
and compile data for third parties such as
researchers, health care providers, or even other
consumers. The supply chain of information in the
era of IoT brings new challenges for regulators,
enterprises and consumers. Findings from TRUSTe
Internet of Things Privacy Index reveal that UK
consumers’ comfort level varies widely depending
on responsibility, ownership and usage of collected
personal data13.
 Ecosystem
The IoT revolution is already under way. ‘Things’
(for example, everyday objects, environments,
vehicles and clothing) will have more and more
information associated with them, and are
beginning to sense, communicate, and produce new
information, to become an integral part of the
Internet. Added value services using the IoT could
reach £200bn a year worldwide14, with new
business models, applications and services
developing across different sectors of the economy.
These will also stimulate innovation and growth in
areas such as components, devices, wireless
connectivity, system integration and decision-
support tools.
Potential Threat to IoT Ecosystem
As more connected devices join the IoT ecosystem,
researchers has run a range of security tests to
expose IoT vulnerabilities, and make the world
aware of the potential security concerns of
connecting devices without proper security
measures. The key threat vectors are described as
below:
 Threat Posed by Compromised
Devices
Since many devices contain inherent values by their
design and nature of functions, a connected device
presents a potential target to be exploited by an
attacker. A connected security camera could expose
personal information, such as user’s location when
compromised. As devices will be trusted with the
ability to control and manage things, they are also
capable of impacting things. This could be
something as simple as controlling the lights in
house or business premises, or something as
malicious as controlling an automobile or medical
device in a way that could cause physical harm.
 Threat over Communication Link
Threat over communication link involves
monitoring and intercepting messages during a
communication session. Due to the volume and
sensitivity of data traversing the IoT eco-systems,
attacks of targeting communication link are
especially dangerous, as messages and data might be
intercepted, captured, or manipulated while in
transit. For example, an attacker could track the
energy usage to learn of the downtime or uptime of
a system (for example business premises) to plan an
attack on the entire core smart cities command &
control systems; the other attacker could
manipulate the data transmitted to the utility
company and alter the information. Successful
breaches, such as these examples, may compromise
the trust in the information and data transmitted
across IoT infrastructure.
Page 5
Manipulation of
Connected Cars
Security researcher Chris
Valasek and Charlie
Miller in their research
15
discovered the
vulnerability of connected
cars. The duo
experimented a Toyota
Prius and a Ford Escape
and plugged the exploits
tools into the vehicle’s
diagnostic port. This
allowed the team to
manipulate the cars
headlights, steering, and
breaking systems.
Threats to
Medical Devices
Security researchers Scott
Erven16 and his research
team released the results
of a two-year studies on
the vulnerability of
medical devices. The
results demonstrated the
possibility of remote
manipulation of medical
devices, including those
that controlled the dosage
levels for drug infusion
pumps and connected
defibrillators. The results
exposed the severity of
threats posed to the
security of patients and
medical system.
 Threat on the Master  The Trusted IoT Master
Threats against IoT device manufacturer A trusted master must have secure
and cloud service providers have the communication with dependent sensor
potential to compromise the entire IoT devices, and issue firmware/software
ecosystem, as manufacturer and IoT updates to those devices in a way that
cloud are entrusted with hosting trillions provides assurances that the code is
amount of data, some of which is highly authentic, unmodified and non-malicious.
sensitive by nature. This data is
 Data Integrity
important because it represents an
analytics, which is a core, strategic asset, As sensitive data in-transit travels
it is a significant amount of competitive through the IoT cloud hosting, it should
information in the eyes of underground be encrypted in network layer to prevent
APT group if exposed. If the Master is interception. Likewise, stored data
compromised, this would give the should be in active-active mode and
attacker opportunity to manipulate many seamlessly encrypted to avoid data theft.
devices at once, some of which may have
already been deployed in the field. For
example, if a provider who issues Establishing Trusted
frequent firmware / software have the Identity IoT
mechanism compromised, malicious
code could be introduced to the devices. Given that the IoT is built on a network of
uniquely identifiable devices, public key
Securing IoT ecosystem cryptography plays a huge role in
establishing trusted identities in the IoT.
IoT will be a game changer in many
Public key cryptography19 is based on the
aspects. At the fundamental level, IoT
The Dangers of
security depends on the ability to identify
concept of a special and unique
relationship between two distinct keys
the Smart Grid
devices, protect IoT hosting platform, and
that are used to encrypt data. One of the
protect the data that the devices capture
Security researchers Scott keys is made public (the public key) and
and share:
Erven16 his research team the other is kept private (the private key).
 released
The Trusted IoTthe results of a
Device Only when the two are put together is the
two-year studies on the relationship seen to be true. It is also
A trusted device is vulnerability
required to be reliably
of medical known as asymmetric encryption
identifiable and devices.
associated Thewith results
a
because it uses one key to encrypt and a
manufacturer or provider. The devices
demonstrated the ability to related key to decrypt. This is effectively
should be able to communicate
remotely with the
manipulate done by a Certification Authority (CA)
devices, including those
intended hosting services.
that controlled dosage
levels for drug infusion Page 6
pumps and connected
defibrillators. The results of
their work exposed serious
issuing a digital certificate to confirm the
authenticity of the device.
Similarly, a digital certificate contains
several fields that help to establish and
validate the identity of a device or system
as it relates to a corresponding public key.
These certificates will be used to identify
devices, sign firmware / software
updates, and facilitate encrypted
communications.
Public Key Infrastructure in
Best Practice for IoT
The entire identity infrastructure
described above is built upon the
foundation of public and private keys. It is
necessary to make the public keys freely
available, but the private keys, however,
must be kept secret and secure, or else
the credibility of the key in securing an
identity is compromised.
Figure 3: Security Model for IoT18
The secure generation and storage of
these keys is therefore paramount
(Figure 3). PKI should be secure by design
and ideally implemented in or protected
by tamper-resistant hardware. A root of
trust effectively creates a barrier
between software on the server and
cryptographic key material. This
approach greatly mitigates the attack
vector which seeks to access sensitive
cryptographic keys.
Protecting Aggregated Big
Data with Encryption
The sensitivity of data collected,
transmitted, and stored as a result of IoT
necessitates the use of encryption to
secure that data. Encryption plays a vital
role in securing data when being passed
between devices over the cloud.
Page 7
 • Data-at-Rest Protection
Encrypting data is all about providing scalable, cost-
effective storage, and fast processing of large data
sets that facilitates the availability and usage of the
said data. Typically, this data will be stored in
clusters spread across hundreds to thousands of
data nodes. This data is largely unprotected, making
each data node a potential entry point for a rogue
insider or malicious threat, and leaves sensitive data
in clear view should an unauthorised user or service
gain access. This presents a tremendous, and
potentially costly, risk for organizations.
To overcome this challenge, organizations need to
be able to lock down sensitive data at rest in big data
clusters without impacting performance. Doing so
requires transparent and automated file-system-
level encryption that is capable of protecting
sensitive data at rest on these distributed nodes.
 Data-in-Motion Protection
Encrypting communication as data moves through
the IoT ecosystem presents a unique challenge. As
data moves from one location to another, it is highly
vulnerable to attacks such as fibre tapping. An
attacker can attach an evanescent fibre coupling
device to the cable without detection. This allows
the attacker to record all activity that runs across the
network, and data is captured and stolen without
the owner’s knowledge. Worst, this type of attack
can also be used to change data, and has the
potential to override the controls on the entire
system.
IoT communication over public networks will need
to be secured in much the same way we protect
other communications via the Internet. Transport
layer security (TLS)20 is a good example of
encryption protocols that could be used for this
purpose. Encryption is also needed at the back-end
infrastructure level of manufacturers, cloud service
providers, and IoT solution providers.
Conclusion
Security at the device level, protecting the master,
and encrypting communication links are critical to
the secure operations of IoT. In addition, leveraging
PKI for the IoT ecosystem will allow devices to
implement uniquely authentication in order to
counteract counterfeits. Securing IoT ecosystem
does not require a revolutionary approach. The
techniques that have proven success in modern IT
environment can be adapted to address the
challenges brought by IoT. Instead of searching for a
new method, or proposing a revolutionary approach
to security, universities and the industry should
focus on delivering the current state-of-the-art
security controls, and optimise the new and complex
embedded applications to drive the further
adoption of IoT.
Page 8
References

1. TELEFÓNICA I+D: Internet of Things + Internet of Services (2008)

2. http://www.internetlivestats.com/internet-users (visit 2015)
3. Gartner Says “the Internet of Things Will Transform the Data Center” (2014)
4. Pranabesh Nath, “Internet of Things & Connected Industries: Driving New Applications”, Frost & Sullivan, 6th
Annual Customer Interaction Malaysia (2014)
5. Charles Reed Anderson, “The internet of Things: The possibilities are endless, but how will we get there?”; IDC
APeJ Internet of Things Web Conference (2014)
6. Bradley, J., Barbier, J., & Handler, D. Embracing the Internet of Everything to capture your share of $14.4 trillion.
Cisco.(2013)
7. Ericson, “More than 50 billion connected devices”(2011)
8. GSMA, “Mobile Economy 2014”
9. TNW News, “Report: Asia-Pacific is home to 1.7 billion mobile subscribers, half of the world’s total” (2014)
10. UMTS Forum (Jan 2011), “Mobile traffic forecasts 2010-2020”; (retrieved on 14 July 2014)
11. Jara, A.J., Ladid, L. and Skarmeta. A. “The Internet of Everything through IPv6:An Analysis of Challenges, Solutions
and Opportunities”. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications,
volume: 4, number: 3, pp. 97-118. (2013)
12. Robert Wood Johnson Foundation, “Personal Data for the Public Good” (2014)
13. Davies, J. “Internet of Things crisis? Privacy issues could be barrier to smart-device take-up, says Ipsos Mori
report”(2014)
14. Technology Strategy Board. “Internet of Things convergence: Competition for funding of preparatory studies”
(2011).
15. Forbes, “Hackers Reveal Nasty New Car Attacks--With Me Behind The Wheel (Video)” (2013)
16. WIRED, “It’s Insanely Easy To Hack Hospital Equipment” (2014)
17. ICS-CERT, “Internet Accessible Control Systems At Risk” (2014)
18. MIMOS, “National IoT Strategic Initiative Blueprint” (2015)
19. Wikipedia, “Public Key Cryptography” (Visit 2015)
20. http://postscapes.com/internet-of-things-protocols (visit 2015)
21. Tim Sisson, “What is SSL and why is it important? ”
http://www.inmotionhosting.com/support/website/ssl/what-is-ssl-and-why-is-it-important (2013)
22. Wikipedia, “Elliptic Curve Cryptography” https://en.wikipedia.org/wiki/Elliptic_curve_cryptography (visit 2015)

Copyright Statement

All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright
and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in
any manner, without the prior written consent of the copyright holder, is a violation of copyright law.

A single copy of the materials available through this document may be made, solely for personal, non-commercial use. Individuals must
preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether
or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of
the materials. Contact information for requests for permission to reproduce or distribute materials available through this document
are listed below:

copyright@jucc.edu.hkf
Joint Universities Computer Centre Limited (JUCC) Page 9
c/o Information Technology Services
The University of Hong Kong
Pokfulam Road, Hong Kong