IoT Security and Privacy

Questions and Answers

According to a Hewlett Packard study, what percentage of IoT deployments experienced a security breach?

• 84% (correct)
• 52%
• 95%
• 68%

Security, in the context of IoT, primarily protects user identity and personal information.

False (B)

What is a common security issue among IoT devices related to traffic communications?

Lack of encryption

Compromised IoT devices can be used to launch __________ attacks, disrupting network services.

DDoS

Match the following concepts with their descriptions:

Security = Protecting data from unauthorized access. Privacy = Protecting user identity and personal information. Authentication = Verifying the identity of a user, device, or system. Encryption = Converting data into a form unreadable by unauthorized users.

Which of the following is a primary concern regarding privacy in the age of IoT?

The potential for detailed personal profiles to be created by combining data streams. (C)

IoT vendors always prioritize user privacy, even if they consider the data collected as non-personal.

False (B)

What type of attack involves exploiting smart devices,like televisions, to obtain personal information?

Identity theft

__________ is a type of malware that has been used to launch DDoS attacks using compromised IoT devices.

Mirai

What can be the consequence of unauthorized access to smart meters?

Revealing occupancy status, leading to potential burglary. (D)

Excessive privacy protections always facilitate law enforcement efforts and accountability in cases of criminal behavior.

False (B)

What design requirement ensures that a system can maintain functionality during failures by avoiding single points of failure?

Resilience to attacks

__________ is a W3C-developed platform that helps individuals manage their data privacy by categorizing data as public or private.

P3P

In IoT systems, smartphones can be exploited for what types of attacks?

Man in the Middle (MiM) attacks and Denial of Service (DoS) attacks. (C)

Symmetric authentication is highly scalable for IoT deployments due to the ease of managing a single shared key across all devices.

False (B)

What security measure might be compromised in resource-constrained IoT devices to reduce computational overhead?

Data secrecy. (B)

What type of infrastructure manages the creation, distribution, and revocation of digital certificates and keys in IoT security?

Public Key Infrastructure

In asymmetric authentication, the __________ key is used for signing data, while the __________ key is used for verification.

private, public

A network intrusion involves an attacker gaining access to an IoT device connected to a home network. The attacker installs a keylogger on the device to capture keystrokes, including banking passwords. What type of security threat does this represent?

Unauthorized Access (D)

In an IoT ecosystem, where devices transmit sensitive user data to the cloud, prioritizing data integrity over secrecy implies exclusively relying on cryptographic hashing algorithms without any form of encryption.

False (B)

Flashcards

Security (in IoT)

Protecting data from unauthorized access through control methods.

Privacy (in IoT)

Protecting user identity and personal information; complex to manage.

IoT Data Unawareness

Individuals may be unaware of how IoT devices collect and use their data.

IoT Device Vulnerabilities

Small, ubiquitous devices in unprotected areas vulnerable to manipulation.

Unauthorized Access (IoT)

Intruders misuse personal info; televisions exploited for identity theft.

IoT Network Attacks

Compromised devices launch DDoS attacks (e.g., Mirai malware).

Physical Safety Risks (IoT)

Remotely controlling cars or smart meters, leading to potential harm.

IoT Vandalism

Hackers damage databases or RFID systems, causing disruption.

Data Authentication (IoT)

Ensuring retrieved data is authentic and reliable in IoT systems.

Access Control (IoT)

IoT owners control access to their data via defined mechanisms.

User Privacy (IoT)

Safeguards to prevent unauthorized parties from inferring user identities.

Platform for Privacy Preference (P3P)

Individuals categorize data and control sharing with websites/third parties.

Smartphone IoT Attacks

Smartphones exploited for MiM or DoS attacks, risking data integrity.

Symmetric Authentication

Sender and receiver use a single, shared key; scalability issues arise.

Asymmetric Authentication

Private key signs data; public key verifies, ensuring integrity and authenticity.

Public Key Infrastructure (PKI)

Framework managing digital certificates and keys for secure communication.

IoT Security Overhead

Resource-intensive; requires balancing security, privacy, and energy efficiency.

Study Notes

• IoT introduces novel applications but raises cybersecurity risks due to extensive data acquisition.
• 84% of IoT deployments have experienced a breach
• An average of 25 vulnerabilities are found per IoT device.
• Common IoT device issues: 80% lack complex passwords, 70% don't encrypt traffic, and 60% have vulnerable interfaces/firmware.
• Embedded devices have been attacked, with more expected in IoT.

Security vs. Privacy

• Security protects data from unauthorized access via control methods.
• Privacy protects user identity and personal information
• Privacy is more complex to define and manage than security.
• Understanding the distinction between security and privacy is crucial because they involve different risks and protection methods.

IoT Privacy Concerns

• IoT connects billions of devices, leading to a data explosion that presents privacy challenges.
• Individual IoT devices collect detailed data that, when combined, can create a comprehensive personal profile, especially with metadata.
• Smart TVs and gaming devices may continuously listen and record conversations, sending data to cloud services and third parties.
• High value of personal information leads companies to seek and capitalize on IoT data, challenging privacy protection.
• Users often lack knowledge or control over data collection
• IoT vendors may not prioritize user privacy if they consider data non-personal, even though combining non-personal data can reveal personal information.

IoT Security Concerns

• IoT devices are often small, ubiquitous, deployed in unprotected areas, and vulnerable to manipulation.
• Limited resources (memory, power) may prevent implementation of robust security measures like data encryption.
• Many IoT devices are autonomous with minimal human intervention.

Cybersecurity Threats include:

• Unauthorized Access: Weak security allows misuse of personal information; smart devices can be exploited for identity theft/fraud.
• Network Attacks: Vulnerabilities can facilitate attacks on connected networks; compromised IoT devices can launch DDoS attacks (e.g., Mirai malware).
• Physical Safety Risks: Attackers can remotely control physical devices like cars or smart meters, leading to potential burglary.
• Vandalism: Hackers may vandalize databases or RFID systems to cause financial damage.

Relation between Security and Privacy

• Robust security mechanisms are essential for maintaining privacy, but may limit the beneficial use of IoT data.
• Excessive privacy protections can complicate law enforcement efforts as governments may need access to data for surveillance and public safety.

Design Requirements for IoT Applications:

• Systems must avoid single points of failure and proactively adjust to maintain functionality during failures.
• Ensuring retrieved data (addresses, object information) is authentic and reliable.
• IoT device owners should have mechanisms to control access to their data.
• Safeguards must make it difficult for unauthorized parties to infer user identities from data.

Privacy and Security Enhancing Technologies

• Platform for Privacy Preference (P3P) was developed by W3C to help individuals manage their data privacy by categorizing data as public or private.
• Avoiding data sharing can reduce the usefulness of the information (e.g., location data for recommendations).
• Smartphones used in IoT systems can be exploited for Man in the Middle (MiM) attacks or Denial of Service (DoS) attacks.
• Ensuring authenticity and integrity of data between IoT devices and cloud services is crucial.

Authentication Methods

• Symmetric Authentication: uses a single shared key for both sender and receiver but has scalability issues.
• Asymmetric Authentication: involves a pair of keys, a private key for signing and a public key for verification, using digital certificates.
• Process: data is hashed and signed with the private key; the cloud service verifies by comparing hashes and checking the digital signature.
• Public Key Infrastructure (PKI) manages digital certificates and keys.
• It is widely used for securing electronic communications and is suitable for IoT applications

Considerations for IoT Devices:

• Security measures like encryption and digital signatures can be resource-intensive for IoT devices.
• Smart compromises balance security, privacy, and energy efficiency; data integrity might be prioritized over data secrecy.