Trust and Internet Identity Meeting Europe
11-14 Feb 2019: Workshops and Unconference

TIIME 2017: Session 3 IoT Security and Privacy

(Steve Olshansky)

Homes will increasingly have a number of devices to talk to their own discrete cloud. How do you as the "owner" know what sort of information is being transmitted, where it is transmitted, how it is being used…

Home automation platforms are serving as gateways and control systems as devices.

In terms of identity there are issues related to secrecy, privacy, trust and what are the consequences?

What kind of control/influence do we have over it?

Firstly, it has to be secure (flawed by design?). You can do all kinds of identities/TF. First thing to tackle is to make sure to get a minimal secure standard for these devices.

What is the impact of a hack? Many developers of IoT-devices don´t care about identity. We don´t have much voice.

If it is just a device that waters the flowers there is not a great impact in case of a hack. But there are also more sensitive use-cases.

It is paramount to have good security and even some amount of identity, so there are areas where security is important.

Is there a framework for this kind of task?

All devices are insecure for a lot of reasons.

There are many companies who want your data so that data gets stored in their clouds.

We deal with insecure devices since computers exist. We are still facing the issue of insecure devices. We have laws in place but they do not change the way companies are respecting the data.

Today privacy and anonymity are easily mixed. Ability to process this information just throws us back in the past.

Computers are very bad at forgetting. So it is not quite like the past.

One IoT-device does not nail your identity to the ground, but many can.

In the age of surveillance, this kind of data might be very interesting if people buy these devices.

How can you protect yourself?

In schools we don´t teach basic security.

Laptops have less problems than mobile phones, because the latter get much fewer updates.

We have managed to teach physical security (locking the door) but not how to secure your digital data.

People often just want to use and take it for granted or don´t realize that they might expose data.

Similarity between IoT and mobile-apps:

They reduce their user-interface. You often can´t tell if programs communicate over the internet.

We need to ensure that the infrastructure we are building is well-behaved.

Voice-commands to control IoTs are built in and conceited for function, not for privacy. Most IoT-devices are insecure by design so they can be used easily.

How to get security working for everybody, also even for non-IT-people?

In Denmark we trust that companies who build these devices do that for the better good. You have no control of the data others put online (Facebook …)

You should have the right so say "no" if someone puts data about you online without your consent.

Conclusion

We should teach basic security rules and awareness about how apps/devices can affect our privacy.