Terraforming Blog

Protection of personal data in the network of IoT devices

Society today often encounters the concept of the Internet of Things (IoT). This acronym can be seen almost everywhere these days: in the news, on social media, in product descriptions, etc. It denotes a data transmission network between physical objects ("things") equipped with built-in tools and technologies for interacting with each other or with the external environment. [1] The concept assumes a way to exchange information between two or more devices connected to a single network. The following examples help to clarify the term:
  • Smart electricity or water meters transmitting data on the consumption of resources of an apartment or house to the company
  • Smart home technology, which allows you to remotely control electrical appliances (turning on the kettle, turning off the heater, transmitting data about the temperature in the room or from CCTV cameras, etc.)
  • Medical bracelets that allow doctors in hospitals to monitor the patient's pulse around the clock, etc. [2]
  • Smart speakers. Such devices are controlled using a human voice and are activated in response to a keyword. Some smart speakers can control other smart devices: smart refrigerators, smart air conditioners, smart lighting, and other smart home appliances.
  • Smart TVs. This is a technology for integrating the Internet into modern TVs and set-top boxes. Thanks to this function, the TV becomes a kind of computer and allows the user to watch any content on it.
In modern life, IoT technologies and devices are used in industry, medicine, transport, agriculture, energy, and everyday life. In general, the IoT is a useful and necessary resource that we already encounter quite often in many areas of our lives. The technology makes it possible to collect information, analyze it, process it, and transmit it to the right place. Most importantly, all this happens with minimal or no human participation, which significantly reduces the risk of human error leading to inaccuracy. This is the undoubted advantage of the IoT. Other advantages are convenience and time savings: a person only needs to monitor the devices' actions remotely.
However, this system has a significant drawback: the weak security of personal data. Information security is one of the pressing problems in information technology today. While IoT devices appear reliable at first glance, they are not without security and privacy concerns, as there are many threats and vulnerabilities in the modern IoT fabric. Cybercriminals regularly try to hack devices, introduce computer viruses into them, and gain access to user databases. This leads to a significant increase in cyberattacks, which can result in the leakage of especially important, confidential information with negative consequences. This endangers national security and can cause both physical and financial losses. At best, such a cyberattack by an ill-wisher will harm a person's property. The victim themselves may also be harmed. After all, an attacker who has hacked the system can, at any time and at will, turn off or turn on a specific electrical appliance that is part of a person's life support system, or create an emergency.
Manufacturers themselves will also be able to use our personal data. Experts are already starting to sound the alarm, especially with regard to smart speakers. These devices can not only respond to voice commands and search for specific music at the user's request, but also eavesdrop. After all, any smart speaker works like a microphone: it listens and records information. Even if the user forcibly turns off the microphone, no one guarantees that the device will not continue to record nearby sounds and conversations. Above all, users' information can readily be used by advertising specialists. Knowing the thoughts and desires of consumers, they will be able to promote the desired product and profit greatly from it. Unknowingly, we link our profile to the smart speaker. One phenomenon has been noticed more and more often lately. For example, people talk about buying an apartment, and immediately real estate advertisements begin to appear, although the matter was only discussed aloud. Hence, someone overheard the conversation. This was also noticed by scientists from Imperial College London and the University of East London. They conducted a study in which several smart speakers (Google Home Mini, Apple HomePod, Harman Kardon Invoke, Amazon Echo Dot) were made to listen, several times over six months (to confirm the purity of the experiment and to analyze all the words and phrases spoken), to the same sample of one hundred and twenty-five hours of various TV series and other entertainment content from the Netflix service. [3] Many speakers turned on by themselves without the user saying the code word. During the experiment, each smart speaker was on average accidentally activated at least a hundred times in five days and began to record what was happening around it while waiting for further commands. The Apple HomePod and Harman Kardon Invoke speakers did so much more often than the others. This casts doubt on the safety of storing the user's personal data.
The same can be said for smart TVs. These devices can record screen content and send it to a server. In an interview, Vizio CTO Bill Baxter explained that the servers are powered by automatic content recognition (ACR) systems. [4] The TV takes a screenshot at regular intervals. This snapshot is transmitted to the server along with an identifier for the user's TV. Vizio then compares it against a database of known content and as a result gets a second-by-second log of the content you viewed, which the company sells to several other companies. Thus, the user's screenshots and other data end up in the hands of several companies at once. However, there are manufacturers who do not sell user information but still use it for their own purposes, to promote their products.
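A defender's view of the ACR behaviour described above, as an added example that is not part of the original article: uploads sent at regular intervals from one device to one server stand out in home-router flow records because the gaps between them are nearly constant. The record format, host names, and thresholds are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (seconds since start, source, destination, bytes sent).
# Host names use the reserved .example/.lan style and are hypothetical.
TV = [(t, "tv.lan", "acr.example", 48_000 + (t % 7) * 100)
      for t in (0, 60, 121, 180, 241, 300, 359, 420)]
METER = [(t, "meter.lan", "util.example", 200) for t in range(0, 480, 60)]
LAPTOP = [(t, "laptop.lan", "cdn.example", b) for t, b in (
    (5, 1_200), (9, 90_000), (40, 52_000), (210, 45_000),
    (215, 30_000), (415, 800), (702, 60_000), (1500, 20_000))]
FLOWS = TV + METER + LAPTOP


def periodic_uploaders(flows, min_events=6, max_cv=0.1, min_bytes=10_000):
    """Return {(src, dst): mean gap in seconds} for near-constant-interval uploads.

    max_cv is the allowed coefficient of variation (stdev / mean) of the gaps;
    min_bytes drops small keepalives so only snapshot-sized uploads are scored.
    Both thresholds are assumptions to tune per network.
    """
    times = defaultdict(list)
    for ts, src, dst, sent in flows:
        if sent >= min_bytes:
            times[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few uploads to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits[pair] = round(avg, 1)
    return hits


if __name__ == "__main__":
    for (src, dst), gap in periodic_uploaders(FLOWS).items():
        print(f"{src} uploads to {dst} about every {gap} s")
```

A device flagged this way is a candidate for the manufacturer's data-sharing opt-out or for an outbound firewall rule on the home router.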
Based on the above, we can conclude that the security and protection of personal data in the network of IoT devices is an extremely urgent problem today. After all, the degree of protection of the IoT sphere affects not only the financial condition of people or enterprises but also, most importantly, the health of users.
Solving this problem clearly requires an integrated approach. While ensuring the required level of information protection, it is extremely important to pay close attention to the end information systems and the security of their interaction. [5]
Therefore, the solution to the problem of ensuring data security in IoT networks can be divided into two main tasks:
  1. Securing end devices
  2. Ensuring the security of their interaction on the home network.
An approach based on the concept of "security profiles" can also be used to solve this problem. This concept implies that each layer of the IoT must be provided with information security that corresponds to a certain set of metrics, the "security profile". All levels of the IoT have a hierarchical structure, and each higher level can be considered as a set of lower levels. Consequently, the security profiles will have inherited characteristics. [6] The problem of protecting personal data on IoT devices can also be solved by simply giving users the opportunity to decide for themselves what information they are ready to share, how often, and to what extent. Moreover, if the user decides to make the information completely confidential, the device should not limit its functionality.
The problem of personal data security was also raised by the President of the Russian Federation Vladimir Vladimirovich Putin at a meeting with members of the Council for the Development of Civil Society and Human Rights. The President said that there is a threat to the data of Russians and "there are too many leaks." The government was instructed to take measures and organize work in this area. [7] To solve this problem, of course, changes in legislation are needed. It is necessary to restrict the access of manufacturers of IoT devices to the personal data of their users and to introduce a system of fines as sanctions against unscrupulous manufacturers.
The approaches to solving the problem of security in the IoT field can differ, but they all have a common goal: to create working security systems with a sufficient level of protection that can withstand both cyberattacks at any level and unscrupulous manufacturers of smart devices. From a networking perspective, attention should be paid to protecting against eavesdropping on network data and interference with network resources. Solving this problem is a rather lengthy process. Therefore, IoT users should themselves prevent the possibility of a cyberattack and provide comprehensive protection for their devices, taking into account the following recommendations:
  1. Systematic change of passwords: the more varied, longer, and more complex the new password is, the less likely it is that a hacker will be able to hack your device or gain access to secret data;
  2. Timely update of device software;
  3. Installation of exclusively licensed antivirus programs that can provide full protection of personal data and the devices themselves;
  4. Installation of a firewall through which all information coming in to the devices will be checked.
To protect personal data from manufacturers of IoT devices, you can disable the transfer of information. The user has the ability to forcibly disable the sending of information and to erase it. For smart speakers, you can turn off the microphone, but in this case the device becomes an ordinary speaker.
As mentioned earlier, the IoT today has a significant impact on many areas of modern society. Therefore, we can safely say that the IoT is a whole infrastructure for society, and it must be built in compliance with all the requirements of modern information security. The use of effective information security systems can fully ensure the high-quality, full-fledged functioning of most spheres of human life. Therefore, it is precisely such systems that need to be developed.

List of sources used
  1. "Internet of Things (IoT)". - [Electronic resource] URL: https://www.gartner.com/en/information-technology/glossary/internet-of-things (Date of access 12/05/2021)
  2. "An enhanced security framework for home appliances in smart home". - [Electronic resource] URL: https://link.springer.com/article/10.1186/s13673-017-0087-4 (Date of access 12/05/2021)
  3. "Smart Speakers Study (PETS20)". - [Electronic resource] URL: https://moniotrlab.ccis.neu.edu/smart-speakers-study-pets20/ (Date of access 12/05/2021)
  4. "Taking the smarts out of smart TVs would make them more expensive". - [Electronic resource] URL: https://www.theverge.com/2019/1/7/18172397/airplay-2-homekit-vizio-tv-bill-baxter-interview-vergecast-ces-2019 (Date of access 12/08/2021)
  5. Ozerova E.A., Sokolova M.A. Problems of information security when using the Internet of Things technology for the urban environment // Postulate. - 2016.
  6. Maslova M.A. Analysis and identification of information security risks // Scientific result. Information Technology. - 2019.
  7. "Putin: it is necessary to put things in order in the protection of personal data". - [Electronic resource] URL: https://www.vesti.ru/hitech/article/2650299 (Date of access 12/10/2021)

The material was prepared within the framework of the conference "Implementation of technologies for sustainable development of the urban environment"
Research and recommendations