Handling Privacy and Security Concerns in the IoT: The Importance of Identity

July 08, 2015

Today, we are in the infancy of widespread mobile Internet connectivity, which we typically obtain through Wi-Fi hotspots and 3G/4G network coverage. When we are not connected, we are invisible to others, unable to get the information we need and unable to interact with personal and professional networks. Further, this concept of ad-hoc connection to the network is evolving. The Internet is no longer a separate object that we have to seek and connect with explicitly.

Very soon, being “connected” will be so intrinsically tied to us that without it basic human interactions and decision making will become stunted. Switching an object on, purchasing it, enabling it, and checking in to it will make that device become “smart,” but it will also become tied to us. It will have network access and be able to communicate, send messages, register, interact, and contain specific contextual information, all on our behalf. The “Identity of things” is thus rapidly becoming a critical component of the modern Web.

A simple example is a popular running shoe company that now provides GPS tracking and training support information for a new shoe. That information is specific to an individual, centrally correlated and controlled, and then shared socially to allow better route planning and training techniques to be created and exchanged. The flow of information requires an “always on” Internet connection, though, which creates many questions surrounding device management, security, and privacy.

The IoT phenomenon will create a device-, people-, and services-based connected infrastructure of over 50 billion objects by 2020. From a consumer perspective, home automation systems such as context-based lighting and heating or fridge restock systems help reduce energy consumption and billing, while also providing manufacturers and suppliers with powerful usage insights that can help improve products or provide better marketing opportunities. From a manufacturing or logistics standpoint, smart grid energy and electricity systems and improved SCADA (supervisory control and data acquisition) connectivity aid automation and improve data flow.

Future things-based infrastructures will include the marrying of insured devices such as cars and human bodies to the underwriting of insurance policies. Allowing insurance companies to interact with intelligent devices such as cars and human-wearable monitors provides them with a unique metadata opportunity that could allow insurance companies to create more accurate policies and reduce consumer insurance costs. By allowing cars to capture servicing, distance, and maintenance data, insurance companies can help to identify lower-risk (or higher-risk) drivers and car owners. In turn, consumers can have much more customized policies at a lower cost. This cost reduction, however, comes at a price: the loss of data privacy.

The evolution of IoT entails a slew of concerns regarding data privacy, security and control. As such, the concept of identity, and how it relates to devices and their owners, will become increasingly important to understand as IoT generates more Big Data that draws relationships between users and their personal devices. Understanding that concept, in turn, will ultimately allow us to address the potential future threats that will inevitably arise, and effectively address data privacy issues as they emerge.

So, what is an identity? The Oxford English Dictionary definition describes an identity as “the characteristics determining who or what a person or thing is.” Those characteristics in a digital sense normally refer to attributes, with the values of those attributes being things such as name, email address, or an alphanumeric unique identifier (UID).

While the identity component alone does not make a device smart, without it a device could be considered “dumb.” Without a unique identifier or an association with a real physical identity, the object is inanimate, unable to communicate or provide context to the information that it is exposed to or able to generate.

Why identity is important

The concept of identity in a smart device is not new. Smart phones, for example, shipped over 1 billion units for the first time in 2013, and these devices are intrinsically linked to identity. The identity of the phone owner—generally tied to a mobile network operator (MNO) via a long-term contract—is the first link, but there are other identity components such as a mobile number, the IMEI number, the subscriber identity module (SIM) and associated cryptographic infrastructure, as well as the unique identity attributes associated with the many apps that are available.

The physical unique identifier in a smart device does not always need to be globally unique as it is with a smart phone, however. For example, take house addresses. A house number is obviously not unique across the world; it only needs to be unique within a certain context: the street (see Figure 1).

The same is true of devices and their association with a context and indeed a physical person. They need an identity that is unique within their context.

An important underlying theme with identity, though, is that it is permanent. The UID should not be reused, even if the object referenced by the UID is not active. The concept of permanent identity is a contentious one. Yahoo announced in 2013 that it planned to reuse previously disabled email addresses. While this would give the service provider the ability to sign up new users, it also poses significant privacy and security issues. A previously used email address could, for example, have been used to register for other services such as social networking sites or personal banking. If the host email address is disabled and reissued, what happens to the emails being sent out by those services? They potentially get into the hands of the wrong individuals.
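The permanence rule above, combined with the context-scoped uniqueness of the house-number example, can be enforced by a registry that tombstones retired identifiers instead of deleting them. The following is an added example, not code from the original article; the class, method, and context names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    ACTIVE = "active"
    RETIRED = "retired"  # tombstone: the UID stays reserved in its context


class UidReuseError(Exception):
    """A UID was requested that has already been issued in that context."""


@dataclass
class IdentityRegistry:
    # (context, uid) -> (State, owner). Entries are never deleted, so a
    # retired UID can never be handed to a different owner.
    _records: dict = field(default_factory=dict)

    def register(self, context: str, uid: str, owner: str) -> None:
        key = (context, uid)
        if key in self._records:
            state = self._records[key][0]
            raise UidReuseError(f"{uid!r} in {context!r} already issued ({state.value})")
        self._records[key] = (State.ACTIVE, owner)

    def retire(self, context: str, uid: str) -> None:
        _, owner = self._records[(context, uid)]
        self._records[(context, uid)] = (State.RETIRED, owner)

    def resolve(self, context: str, uid: str):
        """Return the owner of an active identity; None if retired or unknown."""
        record = self._records.get((context, uid))
        if record is None or record[0] is not State.ACTIVE:
            return None
        return record[1]


def demo():
    # Constructed sample data: two streets, each with a house number 12.
    reg = IdentityRegistry()
    reg.register("elm-street", "12", "alice")
    reg.register("oak-street", "12", "bob")    # same UID, different context: allowed
    reg.retire("elm-street", "12")             # alice moves out
    try:
        reg.register("elm-street", "12", "new-tenant")
        reissued = True
    except UidReuseError:
        reissued = False                       # retired UID is not reissued
    return reg.resolve("elm-street", "12"), reg.resolve("oak-street", "12"), reissued
```

Messages addressed to the retired identity resolve to no one rather than to a new owner, which is the failure mode the reissued email address example describes.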

So what can be used as a unique reference within the IoT? There are several examples in the different digital layers we use every day. Figure 2 gives an example of how the joining of locally unique identifiers such as IP and MAC addresses to other identifiers such as email addresses can create chains of device and data identities.

The Extensible Resource Identifier (XRI) is an OASIS-driven initiative for the use of abstract identifiers that are domain, location, application, and transport independent. The XRI format is compatible with the likes of uniform resource identifiers (URIs) that often make up web addresses. This compatibility, coupled with more REST-based web technologies, paves the way for URIs that can focus on the potential relationships between people and the objects and devices associated with them, replicating the approach used for more common physical concepts such as postal addresses.

In our second installment, we’ll discuss how Big Data generated by devices changes the relationship users have to their devices, but also creates new privacy violations and security challenges by creating a wider attack surface and making personal data more accessible to a greater audience.

Simon Moffatt has over 13 years of information security experience with a specialization in identity and access management. He is currently Principal Engineer at Open Source ISV ForgeRock. He may be reached at simon@infosecprofessional.com.
