Security and privacy of smart-home devices and services Trust by Design: The Internet of Things Kevin G. Chege ISOC African Chapters Workshop Addis Ababa, 2018
Security and privacy of smart-homedevices and services
Trust by Design: The Internet of Things
Kevin G. Chege
ISOC
African Chapters WorkshopAddis Ababa, 2018
The number of IoT devices and systemsconnected to the Internet will be more than2.5x the global populationby 2020 (Gartner).
As more and more devices are connected, privacy and security risks increase.
And most consumers don’t even know it.
New devices, new vulnerabilities
4
• Device Cost/Size/Functionality
• Volume of identical devices (homogeneity)
• Long service life (often extending far beyond supported lifetime)
• No or limited upgradability or patching• Physical security vulnerabilities
• Access
• Limited user interfaces (UI)
• Limited visibility into, or control over, internal workings
• Embedded devices
• Unintended uses• BYOIoT
The attributes of many IoT devices present new and unique security challenges compared to traditional computing systems.
What type of risks?
Unlocking doors, turning on cameras, shutting down critical systems and theft of personal property.
People’s safety or the safety of their family might even be at risk.
Large IoT-based attacks, such as the Mirai botnet in 2016, have crippled global access to high-profile Internet services for several hours.
2
A connected world offers the promise of convenience, efficiency and insight, but creates a
platform for shared risk.
Many of today’s IoT devices are rushed to market with little consideration for basic security and
privacy protections.
The challenges we face
Who is responsible?
Developers and users of IoT devices and systems have a collective obligation to ensure they do not expose others and the Internet itself to potential harm.
We need a collective approach, addressing security challenges on all fronts.
7
• We want manufacturers and suppliers of consumer IoT devices and services to adopt security and privacy guidelinesto protect the Internet and consumers from cyber threats.
• We want to educate users on the importance of secure IoTdevices and work with stakeholders involved in technology and security to better inform their communities on IoT.
The Internet Society is working for a better Internet.
IoT Trust by Design
Work with manufacturers and suppliers to adopt and implement
the OTA IoT Trust Framework
Mobilize consumers to drive demand for security and privacy
capabilities as a market differentiator
Encourage policy and regulations to push for better security and
privacy features in IoT
9
Online Trust Alliance (OTA) IoT Trust Framework
• Provides a set of actions and principles to raise the level of security for IoT devices and related services to protect consumers and the privacy of their data
• More than 100+ stakeholders from industry, government and consumer advocates contributed to the Framework
• Stands apart from other IoT-related Frameworks with its comprehensive focus on security, privacy and lifecycle issues, as well as a holistic view of the entire system
10
https://otalliance.org/iot/
Actionable principles in the Guidelines in eight categories for manufacturers, developers and
service providers
Authentication
11
CommunicationsControlDisclosuresPrivacy
UpdatesSecurityEncryption
IoT Framework Principles: It is a collective responsibility
IoT vendors and their supply chain
12
Distribution channels
Policymakers and governments
Consumer testing and product
review organizations
Consumers and enterprises
IoT Security and Policy Makers
13
Work with Policymakers
We want policymakers to create a policy environment that favors strong security and privacy features in IoTproducts and services.We need smart regulation that strengthens trust and enables innovation.
ISOC can help in this process
2
Actions for Policymakers
Governments have the opportunity to guide the IoT marketplace:• Stimulate security and privacy best practice adoption• Strengthen accountability through well-defined responsibilities and clear
consequences• Support industry adoption of the best practice principles from the IoT Trust
framework
15
Data Gathering: IoT in the African Region
- We are working via ISOC Chapters and other partners in the region to gather information on IoT development, IoT related policies and use in the region
- This info will help us coordinate efforts in IoT and know what types of IoT devices are being developed in the region and Policies that are working in our environment.
- This will allow us to better advise policy makers, users and ISPs on IoTsecurity
- If you are aware of any IoT research/development IoT Policy development in the region, please let us know through our chapters or ISOC staff 16
V is it u s a twww .in te rnetsoc ie ty .o rgF o llo w u s@ in te rn e tso c ie ty
G a le rie Je a n -M a lb u isso n 15 , C H -120 4 G e n e v a , S w itze rla n d .+ 4 1 22 8 0 7 14 4 4
1775 W ie h le A v e n u e , S u ite 20 1 , R e sto n , V A 20 19 0 -5 10 8 U S A . + 1 70 3 4 39 2 120
Thank you.