Connected objects are a fast-growing phenomenon. Today there are 15 billion connected objects, and there will be 80 billion in 2020. The current technological environment offers all the ingredients for their growth: high-speed internet networks, smartphones that serve as monitors, and big data technologies to process the collected data.
How do connected objects work? What are the risks? How can they be secured? These questions are essential to consumers who wonder about the use of their personal data.
What is a connected object?
It is an object with a connection that provides additional usable value. But unlike a computer peripheral or an interface for accessing the web (like a smartphone), its main purpose is not to provide internet access. For example, the main purpose of a connected fridge is to preserve food, but adding a connection extends its functionality.
Connected objects allow data transmission. Collecting, processing and displaying this data (food available in the fridge, electricity consumption within the house, heart rate of an individual…) constitutes their key added value.
On a technical level, many connected objects send data through the internet to cloud servers. It is the easiest solution for moving data and then displaying it on a user-friendly interface. However, some connected objects that collect ultra-sensitive data use other networks: for instance, some connected door locks use only Bluetooth, through a smartphone, without any data exchange through the web.
The main technical challenges of connected objects are security and big data technologies.
What are the risks?
Views on the risks differ. Some people would rather not use connected objects, while others put the risks into perspective and point out that a great deal of sensitive data already transits through the web (credit card data, invoices, health outcomes, social activities, etc.).
Actually, connected objects only increase existing risks, but this means that these risks must be taken seriously. More specifically, there are several types of risks.
The black market in stolen data is a very important part of the hidden economy. Personal data can be traded, and its value fluctuates with market rates.
Information about your household water consumption can be useful to a burglar who wants to know when you are away from home. Your health data can be of interest to an employer or an insurer. Your address and your digital habits can be useful to a marketer. There are many more examples.
It is an important risk. By entering through an insecure interface, someone can then access other databases and steal information that is more sensitive than it first seemed.
Accessing your digital footprints and your intimate details can allow someone to steal your identity. This is a growing phenomenon.
Imagine if someone could take control of the opening of your windows, or of a medical device, or of an object interacting with your children… This risk does not only concern objects collecting personal data.
Use for an unintended purpose
Just as software can be used for an unintended purpose, so can a connected object. A recent attack on a connected fridge network resulted in a service interruption and showed that the possibilities of harm have risen.
The internet of things environment is insecure by nature (because objects can be anywhere and connected to various networks) and cybercrime is growing, so we can consider the probability of attacks on connected objects to be very high.
What are the solutions?
It is necessary to strengthen consumers’ trust with security guarantees in order to develop the IoT market. Even if “zero risk” can never be achieved, working on technical, legal and pedagogical levels is highly recommended.
Securing web services
Of course, this is the first solution to consider for improving the security of connected objects. A legal framework is necessary, but it is also necessary to make sure that the applications handling data exchanges between connected objects and servers are robust.
From a technical point of view, there are three aspects to consider:
- Data collection
- Data transmission
- Data analysis
The more leakproof applications are, the more trustworthy connected objects will be. This is simply a matter of technical improvement, exactly as in any industry. For instance, the first cars were much more dangerous than the cars that we drive today.
Not storing all data in the cloud
This might be one way of securing connected objects: storing data on internal systems, as intranets do, in order to limit data movements and exposure. At the moment, the cloud is preferred for accessibility reasons, but could objects collecting sensitive data need a different approach?
Not connecting everything to the internet
Some connected objects only send data through Bluetooth. Furthermore, avoiding connecting objects to the web en masse is a precautionary principle that should not be ignored. It could lead to regulations. Also, a connection makes sense for some objects but not for all of them.
It is a huge topic because many objects can be configured with security settings ranging from low to high. The maximum security level is not necessarily the default setting.
Many connected objects allow remote querying or send information by themselves. It is therefore important to define clearly who can access what data.
It will be equally crucial to secure access to connected objects and make sure that they are used only by people who are allowed to use them and who are able to.
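One way to state "who can access what data" for the kinds of objects mentioned in this article, as a deny-by-default check on each query (an added example, not part of the original article; the roles, device names, data fields and sample queries are assumptions constructed for illustration):

```python
from dataclasses import dataclass

# Constructed policy: which roles may read which data field of which object.
# Any (device, field) pair not listed here is denied by default.
POLICY = {
    ("fridge", "food_inventory"): {"owner", "household"},
    ("water_meter", "consumption"): {"owner"},
    ("heart_monitor", "heart_rate"): {"owner", "physician"},
    ("door_lock", "state"): {"owner"},
}

# Data that must never be served over the internet, mirroring the
# Bluetooth-only door lock described in the article.
LOCAL_ONLY = {("door_lock", "state")}

@dataclass(frozen=True)
class Query:
    role: str      # role of the requester (hypothetical role names)
    device: str
    field: str
    remote: bool   # True when the query arrives over the internet

def authorize(q):
    """Return (allowed, reason) for one query against POLICY."""
    key = (q.device, q.field)
    roles = POLICY.get(key)
    if roles is None:
        return False, "no rule for this data: denied by default"
    if q.role not in roles:
        return False, f"role '{q.role}' may not read {q.device}.{q.field}"
    if q.remote and key in LOCAL_ONLY:
        return False, "local-only data requested remotely"
    return True, "ok"

def audit(queries):
    """Return every denied query with its reason, for logging and review."""
    denied = []
    for q in queries:
        allowed, reason = authorize(q)
        if not allowed:
            denied.append((q, reason))
    return denied

# Constructed sample queries.
SAMPLE = [
    Query("owner", "door_lock", "state", remote=False),           # allowed
    Query("owner", "door_lock", "state", remote=True),            # local-only
    Query("insurer", "heart_monitor", "heart_rate", remote=True), # wrong role
    Query("owner", "fridge", "temperature", remote=False),        # no rule
]
```

The denied entries returned by `audit(SAMPLE)` are the ones worth logging: they show where a requester asked for data the policy never granted.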