This document discusses privacy and security considerations for the Internet of Things (IoT). It outlines several dangers posed by IoT devices, including lack of physical and virtual security, potential for tampering, and privacy issues if personal data is not properly protected or consent is not obtained. The document then provides options for improving IoT security, such as preventing physical/virtual access, detecting tampering, tracking device identities, analyzing behavior for anomalies, and blocking compromised devices. It also discusses challenges of encryption for low-power devices and the importance of data privacy laws and user consent. Overall, the document examines both security and privacy risks posed by IoT and potential strategies to address them.

1. Yves Goeleven
#IoT: Privacy and security considerations
Thanks to

2. Yves Goeleven
• Founder of MessageHandler.net
– Shipping software since 2001
– Windows Azure MVP
– Developer on NServiceBus
2

3. Exhibition theater @ kinepolis

4. Agenda
• Why this talk?
• What are the dangers?
• Security options
• Privacy options
4

5. Agenda
Why this talk?
5

6. 6

7. 7

10. You might just leave this session
with more questions than answers

11. Talk!
Let’s start a conversation!
11

12. Challenge!
I challenge anyone to do a follow up session
with your own questions and ideas.
12

13. Agenda
What are the dangers?
13

14. 14
Internet of Things

15. 15

17. What are the dangers?
Personal
17

18. & invisible

20. White lies are the
common decency
holding us together
20

22. Agenda
What can we do?
22

24. Security options
• Prevent physical access
– Behind locked doors
– Secure casing
– Do not expose physical ports (usb, ethernet, ...)
24

25. Security options
• Prevent virtual access
– Do not open inbound ports
– Design without ’listeners’ or ‘servers’ on the devices
– Instead use ‘workers’ or ‘agents’ and remote queues
with outbound connections only
25

26. 26

27. Security options
• Prevent physical tampering
– Seals, markers
– Alarms
– Camera’s
27

28. Security options
• Prevent virtual tampering
– Bootloader in chip or ROM, checks firmware origin
before loading into RAM
– Note: Updating (incl. security fixes) now just got a lot
harder though
28

30. Security options
• Keep track of device identity
– Let devices register themselves/call home
– Do this on boot & periodically
30

31. Security options
• Analyze device behavior
– Include device specific & variable information
– Analyze it server side to detect hacked or spoofed
devices
31

32. Security options
• Block compromised devices
– Access control lists
– Protocol/package filtering
– Signal Jamming
– Unplug the power
– On the device, or a specialized device
32

34. Security options
• Many low-power devices cannot encrypt data
using standard encryption techniques
– Not enough memory
– Drains battery too fast
34

35. Security options
• Do not store unencrypted data
– On publicly accessible devices
– Better send it elsewhere, unencrypted if needed, to
store it safely
35

36. Security options
• Do not send unencrypted data over long
distances
– Use a local ‘gateway’, a powerfull local device to
encrypt it on behalf of dumb devices
36

37. Security options
• Use alternative encryption & data mangling
strategies
– Signed at the foundry, if you can live with lock-in
– Ciphers, hashes & arithmetic algorithms
37

39. Security options
• Audit your physical environment
– Know which devices are ‘smart’
– And how they communicate
– Include all technologies (IR, RF, Bluetooth)
39

40. Security options
• Spy on your things
– Intercept communication between your ‘things’
– Analyze the communication & detect anomalies
40

41. Security options
• Physical canary
– Apply ‘social control’ amongst devices
– Let devices report that other devices are talking to
them inappropriately
41

42. Internet of things, reference architecture
42

44. Privacy options
• There are privacy laws
– Make sure not to break these!
– Do not store, send or process information that you’re
not allowed to
– http://en.wikipedia.org/wiki/Data_Protection_Directiv
e
44

45. Privacy options
• Is it clear what laws apply when?
– Multinationals spread across different countries
– Difference in laws where data is collected vs data is
processed or stored
– US vs EU: direct conflict
45

48. Privacy options
• Trust is paramount for adoption of IoT
– Make it your policy not to break it
– People may choose not to buy products from
violators
48

49. Privacy options
• Question is: is this really true?
– Facebook is huge, yet no one trusts them (I hope)
– Will convenience win over privacy concerns for
majority of people?
49

50. Privacy options
• Build trust by asking for user consent
– On data collection devices
– Oauth great for this!?
– But how about devices without a screen?
50

52. Privacy options
• And how about exchanging and correlating
information with 3rd parties in backend?
– Need for federated authorization?
– With context?
– F.e. I allow you to analyse my energy consumption,
send the results to government, but not to utility?
52

55. 55
Loyalty plan
Give me your address and
you'll get 10% off on your
next pair of jeans…

56. Other things we can do?
There’s a lot we can do
56

57. Other things we can do?
Also a lot of open questions
57

58. Other things we can do?
But maybe consumers just don’t care
(aren’t prepared to pay for it?)
58

59. Other things we can do?
What do you think?
59

60. 60
A big thank you to our sponsors
Gold Partners
Silver & Track Partners
Platinum Partners