HP IoT security study and RERUM’s view

In today’s interconnected world, new services and products are being developed to provide “smart” applications that improve people’s lives. Although the benefits of the Internet of Things (IoT) have been acknowledged for many years, only lately has attention turned to the security and privacy of the interconnected devices. In a world where the number of devices collecting data from the environment is increasing exponentially, the corresponding security concerns have not been addressed adequately.

Interestingly, the number of reports raising security and privacy concerns about the IoT is also increasing. For example, HP recently published a research study on the security and privacy of the IoT. Among its findings:

  1.  90% of the devices collected at least one piece of personal information
  2.  70% of the devices used unencrypted network services
  3.  80% of the devices used (or allowed) poor authentication, with weak passwords and poorly protected credentials

RERUM aims to address (among others) these three concerns with significant progress beyond the state of the art. Until now, most IoT-related projects have not focused on the devices themselves, giving more importance to the virtualization of the devices and their interconnection in the virtual world. On the contrary, RERUM, acknowledging that most security and privacy issues of the IoT originate from the devices, aims to embed such security mechanisms on the hardware-constrained sensor devices.

To address issue (1) above, RERUM aims to enhance IoT frameworks with a “privacy-by-design” approach: the devices gather only the information necessary for each service, without any personal information about the users. Even where personal information must be gathered, it will not be sent to unauthorized people or devices. Furthermore, when information travels outside the RERUM domain, it can be cleaned of personal identifiers so that it cannot be linked with other information and mapped to individuals. This does not mean that information will never leave the RERUM domain; the idea is not to design a very restricted intranet from which nothing can be extracted. Rather, RERUM will design the system so that information travels only to authorized users, and those users get exactly the information they need according to the service they request and their access/privacy policies, and nothing more that could be used for some other purpose later on. RERUM will not magically remove all linkable private information, but it will ensure that users and applications receive only what they are authorised to receive, and nothing that could be linked with other data to extract private user information.
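The two mechanisms this paragraph describes, a per-service policy that releases only the fields a service is entitled to and the removal of personal identifiers at the domain boundary, can be shown in a few lines. The following is an added illustration and not code from the RERUM project: the readings, the `SERVICE_POLICIES` table and the keyed-pseudonym scheme (an HMAC under a key that is specific to the receiving consumer) are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample readings, not data from the RERUM project: each device
# report mixes service data with personal identifiers.
READINGS = [
    {"device_id": "dev-17", "user_id": "alice", "temperature": 21.5,
     "gps": (37.98, 23.73), "timestamp": 1700000000},
    {"device_id": "dev-42", "user_id": "bob", "temperature": 19.0,
     "gps": (37.99, 23.74), "timestamp": 1700000060},
]

# Assumed per-service policy: the set of fields a service is entitled to.
# A service that is not listed gets nothing (deny by default).
SERVICE_POLICIES = {
    "building-climate": {"device_id", "temperature", "timestamp"},
    "traffic-monitoring": {"gps", "timestamp"},
}


def minimise(reading, service):
    """Keep only the fields the requesting service is entitled to."""
    allowed = SERVICE_POLICIES.get(service)
    if allowed is None:
        raise PermissionError(f"no policy for service {service!r}")
    return {k: v for k, v in reading.items() if k in allowed}


def pseudonymise(reading, consumer_key, fields=("device_id", "user_id")):
    """Replace identifiers with a keyed pseudonym before data leaves the domain.

    The key is specific to the receiving consumer, so two consumers cannot
    join their records on the same identifier, and without the key the
    pseudonym cannot be reversed to the original id.
    """
    out = dict(reading)
    for field in fields:
        if field in out:
            tag = hmac.new(consumer_key, str(out[field]).encode(), hashlib.sha256)
            out[field] = tag.hexdigest()[:16]
    return out


def export_for(service, readings, consumer_key):
    """Minimise first, then pseudonymise whatever identifiers are left."""
    return [pseudonymise(minimise(r, service), consumer_key) for r in readings]


if __name__ == "__main__":
    for rec in export_for("building-climate", READINGS, b"climate-consumer-key"):
        print(rec)
```

The order matters: minimisation runs before pseudonymisation, so a field the policy does not grant is never exported in any form. The pseudonym is stable for one consumer (it can still follow one device over time within its own stream), but differs between consumers, which is the linkage the text wants to prevent.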

As an example, consider the traffic monitoring use case, which will use information from users’ mobile phones (among other sources). This can be implemented in various ways, e.g. the phones can send their exact GPS coordinates together with their id at any given moment (clearly not privacy preserving); the coordinates can be sent anonymised (but, linked with other data, they can reveal the identity of the users); the phones can report speed information in some areas (still not privacy preserving); aggregation of data can also be used (but what happens if only one user is moving on the street?); etc. RERUM has a clear view on how to make a privacy-preserving-by-design traffic monitoring system. Stay tuned in the next period to see the updates.
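The last option in the list, aggregation, fails exactly in the single-user case the paragraph asks about: an average over one phone is that person’s speed. A standard defence is to publish a road segment only when enough distinct contributors are present. This is an added example, not the RERUM project’s design; the sample records, the segment names and the threshold `MIN_CONTRIBUTORS` are constructed for the illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed samples, not project data: (pseudonymous phone id, road segment,
# speed in km/h, one-minute time bucket). Segment B has a single contributor.
SAMPLES = [
    ("p1", "segment-A", 50.0, 0), ("p1", "segment-A", 54.0, 0),
    ("p2", "segment-A", 48.0, 0), ("p3", "segment-A", 56.0, 0),
    ("p4", "segment-B", 30.0, 0),
    ("p2", "segment-A", 62.0, 1), ("p3", "segment-A", 58.0, 1),
]

# Assumed threshold: publish a segment only when at least this many distinct
# phones contributed; otherwise the "aggregate" would be one person's speed.
MIN_CONTRIBUTORS = 3


def aggregate_speeds(samples, min_contributors=MIN_CONTRIBUTORS):
    """Return {(segment, bucket): mean speed, or None when suppressed}."""
    groups = defaultdict(lambda: defaultdict(list))
    for phone, segment, speed, bucket in samples:
        groups[(segment, bucket)][phone].append(speed)

    report = {}
    for key, per_phone in groups.items():
        # Count distinct phones, not samples: one phone reporting five
        # times is still a single person on the street.
        if len(per_phone) < min_contributors:
            report[key] = None
            continue
        # Average each phone first so no single contributor dominates.
        report[key] = round(mean(mean(v) for v in per_phone.values()), 1)
    return report


if __name__ == "__main__":
    for key, value in sorted(aggregate_speeds(SAMPLES).items()):
        print(key, "suppressed" if value is None else f"{value} km/h")
```

The threshold is counted over distinct phones rather than over samples, otherwise a single phone reporting often would defeat it. It addresses the one-user case in the text but is only a minimum: releasing many time buckets for the same segment can still narrow down a regular commuter, which is why the paragraph treats aggregation as one building block rather than the whole answer.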

To address issues (2) and (3), RERUM aims to develop extremely lightweight protocols for encrypting the devices’ transmissions; these protocols will adapt to the various devices according to their technical capabilities and the services they provide. For example, in sensor applications Compressive Sensing (CS) can be used as a simple approach that both compresses and encrypts data with very good reconstruction accuracy (and security). However, on very resource-limited devices the technique is difficult to implement, because it normally requires a large encryption/compression key that has to be stored in flash and cannot be held in RAM or changed at run-time (which makes it susceptible to attacks). RERUM has a clear approach for developing lightweight encryption techniques: an adaptive and extremely lightweight CS-based encryption mechanism tailored to the needs of the devices and to the service requirements for reconstruction error. Since it also compresses, it saves transmission energy. Please read our published papers and stay tuned for the next updates. Furthermore, secure bootstrapping of credentials will ensure that whenever the credentials on the devices need to be changed, this is done securely, without allowing third parties to acquire the new keys.
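The problem the paragraph names, that the CS key is a whole sensing matrix too large for RAM and therefore pinned in flash where it cannot be rotated, can be avoided by never storing the matrix at all: the sensor keeps a short key and regenerates the matrix row by row from it, and rotating the key is then a 16-byte update. The following round trip is an added example and not RERUM’s mechanism or code; the +/-1 matrix expanded with HMAC-SHA256, the frame sizes `N_SAMPLES`/`M_MEASUREMENTS`, and the use of orthogonal matching pursuit (OMP) for reconstruction are all assumptions made for the illustration. Recovery of a 1-sparse frame is exact with this construction; for the 3-sparse frame in `demo` it succeeds with high probability for a matrix of this size but is not guaranteed, which is what the text’s “service requirements for reconstruction error” refers to.

```python
import hashlib
import hmac

# Assumed parameters, not the project's: n samples per frame are compressed to
# m measurements with a +/-1 sensing matrix derived from a 16-byte key.
N_SAMPLES = 32
M_MEASUREMENTS = 24


def sensing_matrix(key, nonce, m=M_MEASUREMENTS, n=N_SAMPLES):
    """Expand (key, nonce) into an m x n matrix of +/-1 entries with HMAC-SHA256.

    Only the short key and a per-frame nonce are stored; the matrix is
    regenerated on demand, so rotating the key does not rewrite flash.
    """
    bits = []
    counter = 0
    while len(bits) < m * n:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for byte in block:
            bits.extend(1 if (byte >> i) & 1 else -1 for i in range(8))
        counter += 1
    return [bits[r * n:(r + 1) * n] for r in range(m)]


def measure(phi, x):
    """Sensor side: y = phi * x is the only thing transmitted (m values, not n)."""
    return [sum(p * xi for p, xi in zip(row, x)) for row in phi]


def _least_squares(phi, cols, y):
    """Solve min ||phi[:, cols] c - y|| via the normal equations (Gaussian elimination)."""
    k = len(cols)
    at = [[row[c] for row in phi] for c in cols]                       # k x m
    g = [[sum(a * b for a, b in zip(at[i], at[j])) for j in range(k)] for i in range(k)]
    rhs = [sum(a * yi for a, yi in zip(at[i], y)) for i in range(k)]
    for i in range(k):
        p = max(range(i, k), key=lambda r: abs(g[r][i]))              # partial pivoting
        g[i], g[p], rhs[i], rhs[p] = g[p], g[i], rhs[p], rhs[i]
        for r in range(i + 1, k):
            f = g[r][i] / g[i][i]
            g[r] = [gr - f * gi for gr, gi in zip(g[r], g[i])]
            rhs[r] -= f * rhs[i]
    c = [0.0] * k
    for i in range(k - 1, -1, -1):
        c[i] = (rhs[i] - sum(g[i][j] * c[j] for j in range(i + 1, k))) / g[i][i]
    return c


def omp_reconstruct(phi, y, sparsity, tol=1e-9):
    """Gateway side: orthogonal matching pursuit using the regenerated phi."""
    m, n = len(phi), len(phi[0])
    residual, support, coef = list(y), [], []
    for _ in range(sparsity):
        if max(abs(r) for r in residual) < tol:
            break                                   # residual exhausted: done
        corr = [abs(sum(phi[i][j] * residual[i] for i in range(m))) for j in range(n)]
        j = max((j for j in range(n) if j not in support), key=corr.__getitem__)
        support.append(j)
        coef = _least_squares(phi, support, y)
        approx = [sum(phi[i][s] * c for s, c in zip(support, coef)) for i in range(m)]
        residual = [yi - ai for yi, ai in zip(y, approx)]
    x_hat = [0.0] * n
    for j, c in zip(support, coef):
        x_hat[j] = c
    return x_hat


def demo(key=b"\x01" * 16, nonce=b"frame-0007"):
    """Round trip of a constructed 3-sparse frame; a wrong key gives a wrong phi."""
    x = [0] * N_SAMPLES
    x[3], x[11], x[27] = 5, -2, 7
    y = measure(sensing_matrix(key, nonce), x)
    with_key = omp_reconstruct(sensing_matrix(key, nonce), y, 3)
    wrong_key = omp_reconstruct(sensing_matrix(b"\x02" * 16, nonce), y, 3)
    return y, with_key, wrong_key


if __name__ == "__main__":
    y, ok, bad = demo()
    print("transmitted", len(y), "measurements for", N_SAMPLES, "samples")
    print("recovered with key :", [round(v, 3) for v in ok])
    print("recovered wrong key:", [round(v, 3) for v in bad])
```

Two practical points follow from the example. The nonce must change per frame, otherwise every frame is measured with the same matrix and repeated frames become recognisable. And a CS measurement vector leaks the energy (norm) of the frame, so this is a lightweight confidentiality layer bound to the reconstruction quality the service needs, not a replacement for an authenticated cipher where one is affordable.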

RERUM is an ambitious project aiming to enhance the reliability of the IoT so that it can be widely adopted by the citizens – stay in touch for more updates in the future and be sure to monitor the public deliverables.
