IoT Security and Privacy

Concept of information security and its importance.

There are two approaches to the determination of the concept of “information security”:

1. Information security – the status of the safety of information resources and the protection of the legitimate rights of the personality and society in the information sphere.
2. Information security – is a process of support for confidentiality, integrity and accessibility of information.

Confidentiality – ensuring access to information only to authorised users.

Integrity – support of reliability and completeness of information and processing methods.

Accessibility – ensuring access to information and related assets of authorised users as required.

The properties given above are fundamental bases in the sphere of protection and safety of information.

Safety of information – a status of the security of data in the case of which their confidentiality, accessibility and integrity are provided.

Safety of information is defined by the absence of the unacceptable risk connected to information leakage on technical channels, unauthorised and inadvertent impacts on data and (or) on other resources of an automated information system used in the automated system ^[1].

To understand what activities for the support of information security consist of, it is necessary to understand the value of three major concepts clearly: risk, threat and vulnerability.

The risk of information security – a possibility that this threat will be able to use the vulnerability of an asset or group of assets and by that will cause damage to the organisation.

The threat – a potential or real-life danger of making of any act (actions or inactivities) directed against the subject to protection (information resources) causing damage to the owner or user, which is shown it is in danger of distortion and losses of information.

Vulnerability – a shortcoming, the error in implementation which does possibly the unforeseen impact on system attracting failures in system operation is more often. Vulnerabilities are classified by a set of signs. One of the most important signs – harm which can be caused by the system, using vulnerability. Most often understand the specific mistake made in case of design or coding of the system as a vulnerability.

In case of the appearance of new information technologies and furthermore the whole information branches, there is a vast number of potential threats and vulnerabilities which shall be probed correctly. Indeed, the Internet of Things did not become an exception ^[2].

The recent report of Gartner predicts that by 2020, 20.4 billion devices will be connected to IoT, and at the same time will be joined every day by 5,5 million new devices. Besides, by 2020, more than half of sizeable new business processes and systems will include the IoT component.

These digits are surprising and assume that standard protection the PC and anti-virus solutions will not be able to resist future threats of cybersecurity on the attached devices IoT.

For the last few years, many widespread cyber attacks showed risks of the inadequate safety of IoT. Perhaps, the attack of “Stuxnet” aimed at the industrial programmable logic controllers (PLC) at the Iranian uranium enrichment plant became the most known. Experts read that Stuxnet destroyed up to 1000 centrifuges connected through broadband networks to the PLCs devices working under control of the Windows operating system at the PCs standard platforms.

In 2016 was many serious attacks directed to IoT devices. Mirai botnet became one of such attacks. This specific a bot network infected numerous IoT devices (first of all old routers and IP cameras) and then used them for superimposing of Dyn DNS provider utilising the DDoS-attack. The botnet of Mirai destroyed Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter and some other the large websites. This piece of the malicious code used the devices using outdated versions of a kernel of Linux and relied on the fact that most users do not change names users/passwords by default on the devices.

Many companies reduce the costs of production, not including sufficient space for storage on the devices to provide updating of a kernel Linux. Because of it, kernels which include vulnerabilities work on many IoT devices. Vendors need to learn this lesson and to allow each device to update regularly kernels. Until this problem is solved, IoT devices will still suffer from the weight of exploits.

In November 2016 ^[3] cybercriminals closed heating of two buildings in the city of Lappeenranta, Finland. It was the DDoS-attack; in this case, the attack allowed heating controllers to reboot the system permanently, so heating was not made. As the temperature in Finland fell below zero at this time, this attack caused very unpleasant consequences.

Even if you take reasonable measures of the safety of IoT, your connected gadgets can be compromised by criminals. Last fall the DSN Dyn-Internet service provider got under the attack which broke access to favourite websites. Attackers could take under control a large number of devices connected to the Internet, such as video recorders and cameras. These devices that were used for carrying out the attack ^[4].

IoT gives the almost infinite opportunities for connection of our devices and the equipment. From the point of view of creativity, this field is widely opened, with the endless set of methods “to connect devices”. It can become an ample platform for people with innovative ideas, but also it concerns also malefactors. Therefore, IoT offers new opportunities for development and potential security concerns.