The Internet of Things is a concept that has been heard quite a
lot in recent years, a concept that slowly emerged, but over time it
has experienced a booming growth that was then adopted not only
by giant IT companies, offering according to the directions of each
company that adopts the corresponding services and applications
to the end user. Undoubtedly this technology has come to stay for
a long time, it has come to improve our living conditions and to
simplify habits and functions that required time and many times
difficulties. The Internet of Things is almost everywhere around
us from the super market to the cars we drive, our everyday life
is going easy and we are happy to live with, but there are two
important points that we should consider:
a) Uncontrolled product design based on the Internet of
Things.
b) Access to data managed by Internet of Things are
inaccessible by the users.
According to the above, important questions arise, such as:
a) How and where these devices store and manage the data
now?
b) How and where these devices store and manage data in
the future?
c) What personal data are collected and for whom?
d) How protected they are from hacking attacks?
e) How capable is an Internet of Thing to take full control of
an information system?
Surely for all of us who are involved in the security of information
systems, we have a lot of work to do. The biggest challenges we
have to face are:
a) No one knows an Internet of Thing how it collects, how
it uses, and where stores personal data. One could construct
an Internet of Thing that behaved properly according to the
purpose it was created, but it could also act as intelligence
espionage product to transmit personal sensitive data and
information related to the online traffic and services of an
organization, and the worst scenario is that this device can
work for years without being noticed.
b) Depending on the complexity of the smart device, the
amount of data it sends is increasing, for example a complex
smart device can send up to 5 times the volume of unidentified
data.
c) The Internet of Things, as I mentioned above, was
designed to make our lives easier because technology evolves
and these devices evolve, so many unknowingly use them in a
computer room or in critical security infrastructures for which
the devices have not been made for this purpose, and of course
with unknown security implications for the company’s network
since these devices do not have an management interface for
the user, so it is impossible to access them.
d) Depending on the type of the device, third-party
information is internally embeded, for example GPS maps,
geostrategic data, human habits information, transaction
information, which will then have to work all together for the
Internet of Thing.
e) We do not know exactly what kind of data and metadata
are collected, it is enough to ponder that an IoT card containing
basic medical data of a patient sends about 200MB of unknown
data per year.
f) The Internet of Things are not safe enough in external
attacks, a denial of service attack on an Internet of thing could
be the entry for violating an information system and collect
sensitive information from it.
g) The construction of these devices varies, there are not
enough standards to build and protect personal data, no one
can guarantee that an Internet of Thing will protect its owner
against an external threat, which for example could get the
control of a car with unpleasant consequences for the driver.
Considering the above, we should consider whether we really
need an Internet of Thing and if this is necessary, how much we can
parameterize and access to it [1,2].