Reading the McKinsey Global Institute's 2013 report [1], we can see that a number of technologies, some already well known, some less noticed, were expected to be disruptive in the following years and to deeply change not only individual lifestyles but also global markets and the economy.
Among the listed technologies we find mobile technologies, AI, Big Data, advanced robotics, the Internet of Things and many others which, used alone or combined, would enable new business models and innovative services in many production sectors. Nevertheless, each of these novelties has a dark side: new types of risk which immediately oblige us to think about security and privacy.
In the analysis proposed here we follow those topics and look in depth at the IoT as a convergence between the virtual world based on the web and the world of physical "intelligent" objects which, interacting with the outside world, transmit and receive data. Once analysed, these data generate added value and support decision processes.
Following Goldman Sachs' vision [2], IoT devices are characterised by a set of attributes summarised in the acronym S-E-N-S-E: Sensing, Efficient, Networked, Specialized and Everywhere:

  • "Sensing" refers to the application of sensors (for instance air pressure, temperature, etc.) to every single "thing", hence the capacity to generate large quantities of data;
  • "Efficient" refers to the possibility of adding "intelligence" and "efficiency" to processes, using the collected data;
  • "Networked" defines objects that are connected to the network continuously, in any circumstances;
  • "Specialized" considers the specificity of IoT devices and, moreover, the fact that solutions are built in a totally "vertical" way compared with traditional IT systems. As a matter of fact, the logic of "reusability" can hardly be applied to an IoT project or solution created for a healthcare need that one wishes to adapt to an industrial use;
  • "Everywhere", finally, alludes to the pervasive, and exponentially growing, presence of such objects in our daily life and in business processes.

According to the Osservatorio Internet of Things of the Politecnico di Milano [3], the number of intelligent web-connected devices will reach 25 billion units by 2020: a convergence that dramatically transforms the global communication pattern, in which data and information are produced not only by individuals but also by "things". In the banking sector, "wearable" devices such as watches will be used more and more for payments; the insurance sector will also make broad use of these technologies to verify the driving habits of its clients and propose personalised contracts, and could gain further benefits from the IoT, such as sensors able to protect an environment and the people within it (Smart Home & Smart Building).

If we take the urban landscape, the IoT can help with optimal traffic management, for instance by adjusting traffic lights on the basis of data from street cameras, or by suggesting to drivers alternatives to the most congested streets they are heading for (Smart City). The automotive sector itself is in full ferment, with applications dedicated to comfort, safety and infotainment (Smart Car). Starting from these examples, similar parallels could be drawn in many more business fields where the IoT is by now, and increasingly, becoming a reality (eHealth, Smart Factory, Smart Agriculture, Smart Asset Management, Smart Logistics, Smart Metering & Smart Grid, etc.).
These considerations made, it remains evident that the sustainability of innovative business models and services using the IoT is tied to solving important challenges, chief among them security and privacy.

IoT Security
The scale of the IoT phenomenon offers an immense attack surface to anyone wishing to use it for illegal activities in cyberspace, whatever their intentions. Trend Micro's forecast for 2017 [4] is certainly not comforting: it expects malware similar to Mirai which, by compromising IoT devices, will enable DDoS attacks of hundreds of Gbit/s, close to those seen in the last quarter of 2016. Check Point's research [5] comes to the same conclusions, underlining that many attacks will exploit IoT devices and will increasingly target the industrial world. The McAfee Labs threats report [6] offers a very interesting analysis, in which the authors point out that new techniques for compromising IoT devices will target the firmware, inserting the malware code directly into it and making its detection much harder. The same report underlines that these techniques will give malware extraordinary privileges, since it acts inside the kernel, where security controls are minimal. Often, IoT devices are compromised in order to be used as proxies, able in a second phase to deliver a full-scale attack against the system the criminals are actually interested in.
These security problems depend, in general, on the articulated system of the various operators making up the IoT industry, and on multiple factors related to organisation, processes, technologies and the culture of the people involved. Among the operators we find first of all the producers of intelligent devices, then the service providers who almost always involve installers and hardware and software companies called in to build the service itself; last but not least, we have to take into account all the different types of users benefiting from these new tools. Device producers are typically focused on delivering objects with new functions at an affordable, or low, cost; they often use embedded operating systems on hardware with limited computational capacity, which hampers updating and patching them.
They also adopt inadequate authentication and authorisation mechanisms and deliver limited configuration options.
Then comes the problem of interoperability between devices that are extremely heterogeneous and often use different communication protocols. Not a few of the problems above should concern not only the producers but also the large service providers, which should create healthy pressure on the makers of IoT devices, pushing them to take security and privacy into account.
For instance, producers, installers and system integrators could be chosen among the best qualified on the market, against precise requirements guaranteeing privacy and security; tenders and their contractual terms could exclude those who do not meet these obligations.
Service providers should also approach IoT projects with a risk-based method, so as to be aware from the beginning of which changes they must make, at the organisational, process and technological levels, to deliver a secure service. For the same reason, even the ordinary IT infrastructure (the back-end component) deserves maximum attention, to guarantee both the security and the sustainability of the service.

For all these reasons the IoT provider should act systematically, from the beginning, to control delivery of the system during its build and in the subsequent phases, also offering a periodic security programme that includes monitoring of the systems, vulnerability assessments and penetration tests. The latter should also cover the interfaces used to interact with the intelligent objects, which often rely on mobile technologies, specifically smartphones and tablets.
If we ask how the IoT and its related services can succeed, we must underline that much will depend on other factors, in particular the adaptation of the operational model through an IT transformation which may require dedicated hardware, advanced software to analyse and correlate huge quantities of data, and storage and network technologies, all without barriers or limits to scalability.
IoT security also involves end users, who will be able to play an active role in the development of this technology if made more conscious of its issues, for instance through awareness campaigns or specific training programmes for those in charge of the new devices.
As a matter of fact, very often users of IoT devices do not perform, even when available, the minimal configuration steps such as changing the default password, or do not install the protection tools (antivirus, local firewall, etc.) intended for the mobile devices used to interact and exchange data with the intelligent things; there are even users who, for various reasons, root or jailbreak their own smartphones and tablets, totally unaware that by doing so they defeat the security scheme designed by the producer, expose the data handled to serious risks and can, without knowing it, make the intelligent object itself vulnerable to being remotely hacked and controlled by a third party.
Mirroring this, we can observe how mobile devices and, in general, the mobile internet paradigm constitute a technological driver for the IoT, since they allow anyone, people and objects alike, to be always connected and to exchange information through purpose-built applications.
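The two points just made, botnets such as Mirai and devices left on their factory password, meet in the logs: Mirai spread by scanning for telnet services and trying a short list of well-known factory credentials, so the monitoring a provider runs should at least recognise that pattern. The following is an added example, not code from the article or from any device vendor: a small Python detector run over constructed log lines. The log format (a syslog-style login daemon on a camera called cam01), the host name and the addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from any real device). The line format is an
# assumption: a syslog-style login daemon on an embedded Linux camera, with no
# year in the timestamp as is usual for BusyBox syslog.
SAMPLE_LOG = """\
Dec 20 03:14:01 cam01 login[412]: FAILED login for root from 203.0.113.5
Dec 20 03:14:02 cam01 login[412]: FAILED login for admin from 203.0.113.5
Dec 20 03:14:02 cam01 login[412]: FAILED login for support from 203.0.113.5
Dec 20 03:14:03 cam01 login[412]: FAILED login for root from 203.0.113.5
Dec 20 03:14:03 cam01 login[412]: FAILED login for user from 203.0.113.5
Dec 20 03:14:04 cam01 login[412]: FAILED login for root from 203.0.113.5
Dec 20 03:14:05 cam01 login[412]: login for root from 203.0.113.5 succeeded
Dec 20 03:20:11 cam01 login[415]: FAILED login for admin from 198.51.100.7
Dec 20 04:01:44 cam01 login[418]: login for admin from 192.0.2.10 succeeded
"""

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(TS + r" \S+ login\[\d+\]: FAILED login for (?P<user>\S+) from (?P<src>\S+)$")
OK_RE = re.compile(TS + r" \S+ login\[\d+\]: login for (?P<user>\S+) from (?P<src>\S+) succeeded$")


def parse_ts(ts):
    # Syslog timestamps carry no year; all lines are assumed to come from one run.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def detect_credential_scan(log_text, window_s=60, max_failures=5):
    """Return {source_ip: verdict} for sources showing a Mirai-like pattern:
    a burst of failed logins across several usernames, and whether a login
    succeeded after the burst (the device has then probably been taken over)."""
    failures = defaultdict(list)   # src -> [(time, username)]
    successes = defaultdict(list)  # src -> [time]
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            failures[m["src"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = OK_RE.match(line)
        if m:
            successes[m["src"]].append(parse_ts(m["ts"]))

    verdicts = {}
    for src, attempts in failures.items():
        attempts.sort()
        # Sliding window: does any span of window_s seconds hold >= max_failures?
        burst = any(
            sum(1 for t, _ in attempts[i:] if (t - t0).total_seconds() <= window_s) >= max_failures
            for i, (t0, _) in enumerate(attempts)
        )
        if not burst:
            continue
        last_failure = attempts[-1][0]
        verdicts[src] = {
            "failures": len(attempts),
            "usernames": sorted({u for _, u in attempts}),
            "success_after_burst": any(t >= last_failure for t in successes.get(src, [])),
        }
    return verdicts


if __name__ == "__main__":
    for src, verdict in detect_credential_scan(SAMPLE_LOG).items():
        print(src, verdict)
```

On the sample, 203.0.113.5 is flagged (six failures in four seconds over four usernames, then a successful root login), while the single failure from 198.51.100.7 and the clean login from 192.0.2.10 are not. The success-after-burst flag is the one worth paging on: a device on which it fires is the proxy described above, and its outbound traffic should be checked next.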

IoT Privacy
The IoT raises huge privacy issues, many more than those that emerged from traditional IT systems. We underline some of them, in a non-exhaustive way:

  • Users do not always realise they are dealing with devices able to interact with the network and, through it, exchange data that can enter their personal intimacy zone.

  • Often there is a total lack of transparency between the raw data collected by the device and sent to third parties, and the data eventually shown to the user.
  • Devices designed to maximise battery life avoid using any cryptography to transmit data.
  • The information collected by a device, even if anonymised, can be combined with information produced by other devices, enabling the user to be identified.

All of the above results in a major risk of personal, or even sensitive, data being made public in a way completely unknown to the user. A huge problem is that, if it all started with wearable devices, this trend will boom with the daily growth of IoT use in a broad number of sectors.
As an example, in a Smart City the enormous amount of information collected by video cameras could be analysed with techniques able to define the habits and lifestyle of individuals. The results of such analysis could indicate a high probability of incidents for people passing through a given area; adding vehicle registration numbers and the routes driven over time, profiles could be created and used to the benefit of insurance companies when signing or renewing a vehicle insurance policy.
Other examples concern all those devices collecting information on our health or our sports performance, information which one way or another could end up with insurance companies and the pharmaceutical industry.
Without going further with examples, we can assert once more that privacy is without any doubt a major challenge for the IoT. In this sense we have already pointed out how companies providing IoT-based services should act to reduce this specific risk, adding that they will be helped in doing so by the new EU Regulation 2016/679 (GDPR) on personal data protection. Through this regulation the European Union intends to strengthen and unify the protection of personal data within the EU, simplifying and unifying the pre-existing European and national laws framed by the previous Directive 95/46/EC, which is repealed as of 25 May 2018.
Thanks to this new rule, IoT device producers too will have to comply with the new requirements for the protection of personal data, in order to avoid the administrative sanctions it provides for. Among the most important provisions we can mention:

  • The obligation to analyse the processing of personal data over its entire life cycle, from collection to erasure, starting from the design phase and adopting technical and organisational measures such as minimisation and pseudonymisation, according to the Privacy by Design principle.
  • The obligation to ship IT systems with default settings that already guarantee the protection of personal data, so that any less protective configuration requires a manual change by the user after the product is launched, according to the Privacy by Default principle.
  • The privacy impact assessment, to establish the necessity and proportionality of the processing of personal data and the risks to the rights and freedoms of individuals: a process which allows, from the design phase, the best security measures to be evaluated and adopted in order to reduce the risks to acceptable levels.
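Two of the points above deserve a concrete illustration: the re-identification of "anonymised" device data by combining it with another source (the last of the privacy issues listed earlier), and the minimisation and pseudonymisation measures that Privacy by Design asks for. The following is an added example, not code from the article or from any vendor: it is written in Python on constructed data (fictitious people, a fictitious wearable export and a fictitious parking-payment feed; device ids of the form W-nnnn, an HMAC-based pseudonym and a per-purpose field allow-list are all assumptions of the example).

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# --- Constructed sample data (fictitious people, devices and services) ------
# Export of a fitness-wearable service, "anonymised" by stripping the owner's
# name but keeping the device id, the exact minute and the GPS fix.
WEARABLE = [  # (device_id, timestamp, lat, lon, heart_rate)
    ("W-1001", "2017-03-02 07:31", 41.9028, 12.4964, 132),
    ("W-2002", "2017-03-02 07:33", 41.9031, 12.4960, 88),
    ("W-1001", "2017-03-02 18:04", 41.8902, 12.4922, 95),
    ("W-3003", "2017-03-02 12:15", 41.9109, 12.4818, 70),
]
# A second service (say, smart-parking payments) that legitimately holds
# identities. Whoever obtains both feeds can join them on time and place.
PARKING = [  # (customer, timestamp, lat, lon)
    ("Mario Rossi", "2017-03-02 07:31", 41.9028, 12.4964),
    ("Anna Bianchi", "2017-03-02 12:15", 41.9109, 12.4818),
]


def exact_key(ts, lat, lon):
    """Quasi-identifier as exported today: minute and ~10 m position."""
    return (ts, round(lat, 4), round(lon, 4))


def coarse_key(ts, lat, lon):
    """Quasi-identifier after minimisation: hour and ~1 km cell."""
    return (ts[:13], round(lat, 2), round(lon, 2))


def link(wearable, parking, keyfn):
    """For each identified parking customer, the wearable ids seen at the same
    key. A singleton set re-identifies that device and all its heart-rate data."""
    index = defaultdict(set)
    for dev, ts, lat, lon, _ in wearable:
        index[keyfn(ts, lat, lon)].add(dev)
    return {cust: index.get(keyfn(ts, lat, lon), set()) for cust, ts, lat, lon in parking}


# --- Pseudonymisation --------------------------------------------------------
ID_SPACE = [f"W-{n:04d}" for n in range(10_000)]  # assumed device-id format


def naive_pseudonym(device_id):
    """Unkeyed hash: looks opaque, but the id space is tiny, so it is reversible."""
    return hashlib.sha256(device_id.encode()).hexdigest()[:16]


def keyed_pseudonym(key, purpose, device_id):
    """HMAC under a secret key plus a purpose label: not invertible without the
    key, and the same device gets unlinkable tokens in exports for different purposes."""
    msg = purpose.encode() + b"\x00" + device_id.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def invert_by_enumeration(token, id_space):
    """What a third party does with an unkeyed hash: hash every plausible id."""
    for cand in id_space:
        if naive_pseudonym(cand) == token:
            return cand
    return None


# --- Minimisation: per-purpose allow-list of fields --------------------------
PURPOSE_FIELDS = {"analytics": ("pseudonym", "hour", "cell", "heart_rate")}


def minimise(records, key, purpose):
    """Emit only the fields the declared purpose needs, coarsened and pseudonymised."""
    out = []
    for dev, ts, lat, lon, hr in records:
        available = {
            "pseudonym": keyed_pseudonym(key, purpose, dev),
            "hour": ts[:13],
            "cell": (round(lat, 2), round(lon, 2)),
            "heart_rate": hr,
            # raw fields are listed only to show that the allow-list drops them
            "device_id": dev, "timestamp": ts, "lat": lat, "lon": lon,
        }
        out.append({f: available[f] for f in PURPOSE_FIELDS[purpose]})
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: kept in a KMS/HSM, rotated, never exported
    print("exact join :", link(WEARABLE, PARKING, exact_key))
    print("coarse join:", link(WEARABLE, PARKING, coarse_key))
    print("naive token inverted:", invert_by_enumeration(naive_pseudonym("W-1001"), ID_SPACE))
    print("minimised export:", minimise(WEARABLE, key, "analytics")[0])
```

On this data the exact join attributes device W-1001 to Mario Rossi and W-3003 to Anna Bianchi, name removal notwithstanding; after coarsening, Mario's parking record matches two devices and no longer singles one out, but Anna's still does, because nobody else was in that cell in that hour. That is the practical lesson behind the impact assessment: pseudonymising the identifier (with a key, never a bare hash) protects the id column, minimisation shrinks the quasi-identifiers, and only measuring the remaining linkability on the real data tells you whether the residual risk is acceptable.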

We can conclude by recalling that the joint action of the new European Regulation and the pressure that could come, in various forms, from large organisations wishing to develop their business with IoT technologies will favour the regulation of this very specific sector, which is considered strategic for the whole global economy.

Gianluca Bocci

Gianluca Bocci, graduated in Engineering from Sapienza University (Rome), holds a Master's from the Campus Bio-Medico University of Rome in "Homeland Security – Systems, methods and tools for security and crisis management". He is now Security Professional Master within the Information Protection unit of Corporate Protection, in the Corporate Affairs department of Poste Italiane. He holds CISM, CISA, ISO/IEC 27001:2013 Lead Auditor, ISO/IEC 22301:2012 Lead Auditor, CSA STAR Auditor and ITIL Foundation v3 certifications; he supports the activities of the CERT and of the Cyber Security District of Poste Italiane. In this context he has long experience in mobile application security, also leading R&D activities with academia. Before joining Poste Italiane he was Security Solution Architect for various ICT multinationals, supporting the sales units by engineering the technical and economic offer delivered to Enterprise customers. He has always paid particular attention to Security Information and Event Management, Security Governance, Compliance and Risk Management.
