1. Title: The Weakest Point of Security in IoT
Date: September, 11, 2015
Author: Dr. Nagula Sangary, CEO, BitCircle Inc.
The risks to security and privacy of personal information is becoming a major issue in the Internet of
Things (IoT) market as the hacking of databases is occurring with increasing frequency. As more people
and organizations start to use or offer IoT-enabled services, the number of agents with malicious intent
will also increase, given that the information found in the databases is a tempting target for those who
would seek profit through identity theft or other criminal means. Although there are methods of
addressing information security vulnerabilities, many players in the industry are not taking appropriate
action to mitigate risks as they may be unaware of the specific flaws and attack points, or the solution to
the problem may be at odds with their business model.
If one were to investigate recent cybersecurity breaches you would readily determine that they occurred at
the storage space of the data and not in the communication links or at the data’s point of origin. In general,
most of the internet protocols, the wireless communication systems and the sensors used in the IoT have
sufficient security features enabled to deter hackers. However, at the data storage point there are very few
security safeguards implemented. The primary reason for this is that the authorized service providers need
to view users’ personal data in order to provide the required services; having extraneous security measures
in place would adversely impact their access to that data.
In addition to the data being exposed at the point of storage, the number of authorized staff in a service
provider company who have access to the data can be quite large and difficult to monitor, which is another
risk. It would take only one employee with nefarious intentions to release clients’ personal data, or to give
access to unauthorized staff, or convey knowledge of the weakest links in security protection to outside
hackers. Neither corporate ethics policies nor laws are sufficient protection against acts of this nature. The
security of IoT systems will continue to be an issue until gaps such as this are addressed.
A solution to combat these threats lies in the following process: every piece of data that enters the specific
IoT solution-space should be encrypted at the source and subsequently stored at a separate location rather
than at a single repository, and for tight controls to be in place for authorized access to this data.
One could draw an analogy between the early days of the computer age and the modern cloud-based
services. Initially, computing services and applications provided to the users were based on a centralized
client-server model, which was necessary due to the high cost of the main-frame computers. However, this
changed over time with innovation in the Personal Computer (PC) industry. The lower cost of processors,
memory, and associated components made it affordable for consumers to acquire their own computing
power. A similar trend is taking shape in the world of IoT with sensors, devices and mobile computing
getting cheaper every month.
In addition to affordability, the exponential growth of PCs could also be attributed to the privacy and
security it offered to the user. PC users wanted to regain control over the programs they used and the content
they created, without the vulnerability of using computing resources over a shared system. Having their
own personal computers afforded the users with a sense of comfort and this type of distributed system in
essence created a new, better level of security.
In the modern era of reliance on cloud services people are facing somewhat of an asymmetric problem. Due
to the centralized model of the current cloud services, most cloud applications are offered to the users
essentially at no cost. Cloud service providers offer “free” applications and service in exchange for the
2. users’ personal information. However, the risk that users face is in the potential theft of their personal
information. As a result of this, the central cloud-based solutions should implement information storage
methods in a similar fashion as the PC-era method, where the users’ personal data is distributed rather than
centralized. Unlike the current system where hackers can break into one system and steal the personal data
of thousands of users, in a distributed system the hackers would need to break into thousands of individual
systems to achieve the same level of success. In addition, these individual (distributed) systems can be
further protected by encrypting every piece of data stored in them.
The encryption of users’ personal data with individual keys would provide an added level of protection and
peace of mind. However, the presence of this encryption would be in conflict with the business models used
by many corporations today. In the current models, in exchange for an individual’s personal information
many service providers give free applications for promoting fitness, asset tracking, games and more. This
data is then used for profiling people and the information is shared for big data analytics. Even though most
corporations obtain this information with permission, the idea of “uninformed consent” is being raised by
legal scholars and governments alike and this could become a major issue for these corporations in the
future.
All of the stated concerns can be addressed with a system that combines distributed storage and
individualized encryption schemes. The method for generating individualized encryption keys, managing
and protecting them may be complex, however, it can be done with existing technologies. Undoubtedly,
development and deployment of such systems would require some expertise. Visionary companies such as
BitCircle have recognized this need and are developing solutions to address the issue of privacy and security
in the IoT space, and at the same time enabling the current business models of the service providers to exist
as the users can authorize access for the service providers.
The successful adoption of IoT technologies and resulting business growth will depend on the number of
individuals making productive use of IoT-enabled services. In order for people to feel comfortable with
the system, the key players in the IoT space must continue to address the privacy issue and provide the most
secure environment for the users.
Contact information of the author:
Nagula T. Sangary PhD, MBA
Chief Executive Officer,
BitCircle Inc.,
22 King St. South, Waterloo,
Ontario, N2J 1N8
www.bitcircle.com
Office #: (5190 725-2247
Email: nagula@bitcircle.com
Adjunct Professor
Department of Electrical & Computer Engineering
University of Waterloo, Waterloo, Ontario, Canada
McMaster University, Hamilton, Ontario, Canada
Central South University, Changsha, China
Email: nsangary@uwaterloo.ca