Security, Privacy, and the Internet of Things

18 04 2012


The Director of the CIA, General David Petraeus, recently discussed the “emergence” of the ‘Internet of Things’ (IoT) and the capabilities that it can provide to spy agencies in terms of collecting data on targeted individuals (Ackerman, 2012).  His frank discussion highlights the potential impact of the IoT on society.  The IoT offers many advantages for improving quality of life, but associated privacy and security risks must also be considered.

What is the Internet of Things?

In the RFID Journal, Kevin Ashton (2009) claims to have coined the term ‘Internet of Things’ in 1999 as a means of linking RFID technology to the Internet in order to automate industrial supply chains.  Whatever its origins, the term has evolved to describe the increasing deployment of embedded, networked devices into everyday items (Grau, 2012; Samani, 2012).  Well beyond “PCs, phones, and tablets”, the IoT includes items such as “televisions, cars, medical devices, and ATMs” (Samani, 2012), whose functionality can be controlled by inputs from other devices, humans, and sensors.

For example, grocery products could be fitted with the ability to signal the “internet-connected refrigerator” to automatically place an order for replacement items once they are sufficiently depleted (Burton, 2012).  Other scenarios could include a burglar alarm automatically arming itself when the homeowner’s smartphone GPS indicates that he or she has departed, or the development of “self driving vehicles” (Samani, 2012).  Given the possibilities, and enabled by Internet advances such as IPv6, “Ericsson predicts that by 2020, there will be 50 billion Internet-connected devices” in the world (Samani, 2012).

Privacy and Security Issues

From a privacy perspective, the IoT could enable the collection of a trove of information by governments or corporations.  As noted from Gen Petraeus’ discussion (Ackerman, 2012), embedded systems can provide intelligence operators with the means to remotely tag, track, locate, and monitor targets without the need to install a physical bug; the target’s interaction with the network through his or her devices would likely provide all of the information required.

Further, MacManus (2009) argues that marketing agencies will have increased access to “personal preferences” and user behaviours through the IoT.  For example, a very accurate consumer profile can be built by merging television viewing information with “web browsing history”, payment card information, “email data”, and “recorded movements” from “facial recognition cameras”, RFID tags, and “mobile device signals”.

The proliferation of embedded devices also implies more access paths to the internet, and hence, a larger attack surface to be exploited (Fulton, 2012).  Coupled with inadequate controls, this could lead to a wider level of insecurity across the Internet. Grau (2012), citing a study by the Intrusion Detection Systems Lab at Columbia University, notes that “embedded devices were over 15 times more vulnerable to Internet-based threats than enterprise networks”.

A large portion of security issues arise from the “constrained memory and processor speed” (Polk and Turner, 2011) of embedded devices.  Resource-constrained environments make it difficult to use common security tools such as HIPS/HIDS, firewalls, and anti-virus (Fulton, 2012).  Further, while cryptography could play a significant role in providing security, current cryptographic suites have been designed under the assumption that sufficient resources would be available (Polk and Turner, 2011).  If current algorithms are found to require more resources than would be available in such environments, it could potentially lead to the use of ‘weaker’ cryptography.  This would provide a significant advantage to the attacker, who is not subject to the same limitations, potentially making brute-force attacks trivial (Polk and Turner, 2011).

Samani (2012) provides two examples where IoT devices have been exploited for malicious use. In an incident in Texas, 100 vehicles with remote disable functionality installed by a car dealership were subverted by a “former disgruntled employee” who “remotely disabled the cars and wreaked havoc by setting off car horns”.  In a demonstration by academic researchers in 2008, medical information was “intercepted from implantable cardiac devices and pacemakers”, allowing them to be disabled or be issued “life-threatening electrical shocks”.

Thoughts for the Future

Given the power that this technology could have over our information and everyday lives, significant countermeasures will be required to mitigate the overall risk.  The European Commission is taking a step in the right direction; presently, they are discussing legislation to ensure that the IoT does not compromise “security, privacy, and the respect of ethical values” (Burton, 2012).

Notwithstanding potential governmental action, enterprise and individual users will need to remain cognizant of privacy and security risks.  Enterprise users can continue to invest in additional security countermeasures to protect their networks, but standards and regulating bodies will also need to consider the average user when designing protocols, standards, and regulations.  Novel solutions could include the use of “pairing protocols” similar to those used with Bluetooth, “automated [device] re-key after deployment”, and “mandatory security features” that “stretch the capability of” IoT devices (Polk and Turner, 2011); however, past experience does not provide much cause for optimism.

As Polk and Turner (2011) point out:

“The experience with home and small-business WEP wireless deployments is informative; weak cryptography was rapidly discovered and exploited.  Deploying the IoT without security will surely have the same result”.

Maintaining an acceptable level of security and privacy in an increasingly connected world will remain challenging if it is even attainable at all.  Continued education will be required to promote awareness of the issues, prompt the government for proper legal protections, and otherwise provide individuals with the means to protect themselves.


Ackerman, Spencer. (15 March 2012). “CIA Chief: We’ll Spy on You through Your Dishwasher,” in Wired Magazine Website. Available from  Last accessed 15 April 12.

Ashton, Kevin. (22 June 2009). “That ‘Internet of Things’ Thing,” in RFID Journal Website. Available from  Last accessed 15 April 12.

Burton, Graeme. (13 April 2012). “Europe to Legislate on the ‘Internet of Things’,” in  Available from  Last accessed 15 April 12.

Fulton, Scott M. (27 February 2012). “Would an Internet of Things Threaten the Internet of People?” in Read Write Web Website. Available from  Last accessed 15 April 12.

Grau, Alan. (29 March 2012). “Embedded Device Security and the Internet of Things,” in Hearst Electronic Products Website. Available from  Last accessed 15 April 12.

MacManus, Richard. (14 August 2009). “Should Consumers Fear the Internet of Things?” in Read Write Web Website. Available from  Last accessed 15 April 12.

Polk, Tim & Turner, Sean. (14 February 2011). “Security Challenges for the Internet of Things,” in Internet Architecture Board Website. Available from  Last accessed 15 April 12.

Samani, Raj. (4 April 2012). “The Internet of Things: Surfing Securely,” in the Huffington Post Website. Available from  Last accessed 15 April 12.
