Every connected device creates opportunities for attackers. These vulnerabilities are broad, even for a single small device. The risks posed include data transfer, device access, malfunctioning devices, and always-on/always-connected devices.
The main challenges in security remain the security limitations associated with producing low-cost devices, and the growing number of devices, which creates more opportunities for attacks.
Security Spectrum
The definition of a secured device spans from the most simple measures to sophisticated designs. Security should be thought of as a spectrum of vulnerability which changes over time as threats evolve.
Security must be assessed based on user needs and implementation. Users must recognize the impact of security measures because poorly designed security creates more problems than it solves.
Example − A German report revealed hackers compromised the security system of a steel mill. They disrupted the control systems, which prevented a blast furnace from being shut down properly, resulting in massive damage. Therefore, users must understand the impact of an attack before deciding on appropriate protection.
Challenges
Beyond costs and the ubiquity of devices, other security issues plague IoT −
- Unpredictable Behavior − The sheer volume of deployed devices and their long list of enabling technologies mean their behavior in the field can be unpredictable. A specific system may be well designed and within administrative control, but there are no guarantees about how it will interact with others.
- Device Similarity − IoT devices are fairly uniform. They utilize the same connection technology and components. If one system or device suffers from a vulnerability, many more have the same issue.
- Problematic Deployment − One of the main goals of IoT remains to place advanced networks and analytics where they previously could not go. Unfortunately, this creates the problem of physically securing the devices in these strange or easily accessed places.
- Long Device Life and Expired Support − One of the benefits of IoT devices is longevity; however, that long life also means they may outlive their device support. Compare this to traditional systems, which typically have support and upgrades long after many have stopped using them. Orphaned devices and abandonware lack the security hardening of other systems due to the evolution of technology over time.
- No Upgrade Support − Many IoT devices, like many mobile and small devices, are not designed to allow upgrades or any modifications. Others offer inconvenient upgrades, which many owners ignore or fail to notice.
- Poor or No Transparency − Many IoT devices fail to provide transparency with regard to their functionality. Users cannot observe or access their processes, and are left to assume how devices behave. They have no control over unwanted functions or data collection; furthermore, when a manufacturer updates the device, it may bring more unwanted functions.
- No Alerts − Another goal of IoT remains to provide its incredible functionality without being obtrusive. This introduces the problem of user awareness. Users do not monitor the devices or know when something goes wrong. Security breaches can persist over long periods without detection.
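Several of the challenges above can be checked against a device inventory. The following is an added example, not part of the original page: it flags devices with expired support, no upgrade path, or a long silence, and lists firmware builds shared by more than one device. The inventory, its field names, and the 30-day silence threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory; every device, model and date is hypothetical.
INVENTORY = [
    {"id": "cam-01", "model": "cam-a", "firmware": "1.2", "support_ends": date(2023, 6, 30),
     "upgradable": True, "last_seen": date(2025, 1, 10)},
    {"id": "cam-02", "model": "cam-a", "firmware": "1.2", "support_ends": date(2023, 6, 30),
     "upgradable": True, "last_seen": date(2024, 10, 2)},
    {"id": "lock-01", "model": "lock-b", "firmware": "0.9", "support_ends": date(2027, 1, 1),
     "upgradable": False, "last_seen": date(2025, 1, 14)},
    {"id": "therm-01", "model": "therm-c", "firmware": "3.0", "support_ends": date(2026, 5, 1),
     "upgradable": True, "last_seen": date(2025, 1, 15)},
]

def audit(inventory, today, silent_days=30):
    """Return (findings per device, firmware builds shared by more than one device)."""
    findings = defaultdict(list)
    builds = defaultdict(list)
    for dev in inventory:
        builds[(dev["model"], dev["firmware"])].append(dev["id"])
        if dev["support_ends"] < today:
            findings[dev["id"]].append("expired-support")   # long life, expired support
        if not dev["upgradable"]:
            findings[dev["id"]].append("no-upgrade-path")   # no upgrade support
        if (today - dev["last_seen"]).days > silent_days:
            findings[dev["id"]].append("silent")            # no alerts: nobody notices
    # Device similarity: one flaw in a shared build affects every device listed.
    shared = {build: ids for build, ids in builds.items() if len(ids) > 1}
    return dict(findings), shared

if __name__ == "__main__":
    findings, shared = audit(INVENTORY, today=date(2025, 1, 15))
    for dev_id, issues in sorted(findings.items()):
        print(dev_id, ", ".join(issues))
    for (model, fw), ids in shared.items():
        print(f"{model} {fw}: one flaw would affect {len(ids)} devices ({', '.join(ids)})")
```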
IoT Identity Protection
IoT devices collect data about their environment, which includes people. These benefits introduce heavy risk. The data itself does not present the danger; however, its depth does. The highly detailed data collection paints a very clear picture of an individual, giving criminals all the information they need to take advantage of someone.
People may also not be aware of the level of privacy; for example, entertainment devices may gather A/V data, or “watch” a consumer, and share intimate information. The demand and price for this data exacerbates the issue considering the number and diversity of parties interested in sensitive data.
Problems specific to IoT technology lead to many of its privacy issues, which primarily stem from the user’s inability to establish and control privacy −
Consent
The traditional model for “notice and consent” within connected systems generally enforces existing privacy protections. It allows users to interact with privacy mechanisms, and set preferences typically through accepting an agreement or limiting actions. Many IoT devices have no such accommodations. Users not only have no control, but they are also not afforded any transparency regarding device activities.
The Right to be Left Alone
Users have normal expectations for privacy in certain situations. This comes from the commonly accepted idea of public and private spaces; for example, individuals are not surprised by surveillance cameras in commercial spaces, but they do not expect them in their personal vehicle. IoT devices challenge these norms, which people recognize as the “right to be left alone.” Even in public spaces, IoT creeps beyond the limits of expected privacy due to its power.
Indistinguishable Data
IoT deploys in a wide variety of ways. Much of IoT implementation remains group targeted rather than personal. Even if users give IoT devices consent for each action, not every system can reasonably process every set of preferences; for example, small devices in a complex assembly cannot honor the requests of tens of thousands of users they encounter for mere seconds.
Granularity
Modern big data poses a substantial threat to privacy, but IoT compounds the issue with its scale and intimacy. It not only goes where passive systems cannot, but also collects data everywhere. This supports the creation of highly detailed profiles, which facilitate discrimination and expose individuals to physical, financial, and reputational harm.
Comfort
The growth of IoT normalizes it. Users become comfortable with what they perceive as safe technology. IoT also lacks the transparency that warns users in traditional connected systems; consequently, many act without any consideration for the potential consequences.