12/20/2018

Technology Trend “Security for the IoT era”

This introduction to information society and technology trends covers the technology trend "Security for the IoT era".


IoT and Security Challenges

Every device on the Internet is vulnerable, making security a critical IoT issue. Because IoT devices can collect volumes of data in short periods, data aggregation is a major IoT strength. But without regulation or governance on data collection, the potential to misuse information is high, stymying consumer adoption from fear of exploitation. IoT security is a complex problem, but one that must be addressed to prevent it from inhibiting innovation and progress.

Escalation of cyber-attacks

The damage caused by various cyber-attacks has continued to expand and grow more serious. Recently, it was discovered that billions of individual user accounts, including account data of online services, email addresses, associated passwords, and sometimes secret questions and answers, had been leaked.

This was confirmed from the fact that the information assumed to have been stolen was traded on the dark web several years ago.

It is virtually impossible to detect and completely prevent data leakage attacks like this, so early detection is the key to minimising damage. Efforts are underway to use technology to disconnect the affected sections from the network as soon as possible, as well as to implement AI-assisted automatic protection.

In addition, the damage from ransomware, also called "ransom-demanding malware", continues to spread. Ransomware encrypts the data on infected PCs to make it unusable, and then demands a ransom for decryption. It emerged around 2013 and has been continuing for 4 years up to now.

Attackers can purchase ransomware tools cheaply on the Internet, distribute them, wait to obtain ransoms, and then repeat this “business” process. It is difficult to control this crime. There is no way to do so other than improving the computer literacy of general users, but it is assumed that the damage will continue.

Increase in cyber-attacks due to IoT

IoT has come to the fore as a factor that makes such cyber-attacks more serious. IoT devices such as security cameras, network devices, and video recorders are always connected to the Internet and are exposed to the risk of information leakage or takeover. This kind of equipment tends to be neglected after installation. Attackers look for such "stray IoT devices" every day, and as soon as they discover one, they exploit its vulnerabilities and take it over.

Attackers compromised hundreds of thousands of stray IoT devices scattered around the world, organised them into a "botnet", and used them for the largest DDoS attack in history. It was a typical attack that sent a huge number of packets to specific websites to make them inaccessible, and it caused serious damage in which multiple online services were suspended (※1). Botnets are used not only for DDoS but also for information leakage attacks.

To curb these circumstances, demand has grown stronger for a more secure IoT, but realising it is not easy. Users are not willing to implement measures, such as applying distributed software, that eliminate the vulnerabilities of IoT devices. Imposing liability on IoT device manufacturers, and authenticating and labeling these devices to prevent the emergence of “stray IoT devices”, are currently under discussion. In Japan, an IoT security guideline has been released and countermeasures are being considered.

Personal data change due to IoT

IoT, on the other hand, will increase and transform the data that security measures protect. IoT is also a starting point for collecting behavioural and biometric information about individuals.

Data generated by IoT devices, such as heart rate, blood pressure, running distance, and speed, can contribute greatly to the personalisation of data. Likewise, position information obtained by wearable devices; travelling position, speed, and vehicle condition collected by navigation systems; and images of passenger faces captured by security cameras are automatically identified and analysed. Even data recorded when you travel by train, such as boarding and alighting stations, seat-load time, and transfer time, will be attached to personal data and can lead to more robust personalisation, as long as the user agrees.

In addition, the increase in personal data collected from individuals by IoT devices can be used for personalisation. The information generated by systems is characteristic of each individual, and it can be estimated by analysing vast amounts of data collected using the software. Estimated data can also be negative.

For example, if data on personal details such as health condition, healthy life expectancy, or the possibility of future illness can be generated, then all kinds of personalisation can be done. The data can be used to advertise a specific medicine to that individual, and can also be used to make judgements and create advertisements for insurance policies or loans. This kind of negative data can be created without any involvement of the information provider. It therefore cannot be controlled, even if it is false, and it can disadvantage information owners. This creates problems, since they have no way to act in self-defense.

The ideal way of security and information

As we face problems with the handling of widely collected personal data and estimated data, we can no longer avoid the key question of “who owns the data?”. The fact that individuals’ personal information now belongs to the companies that collect and analyse it is being questioned. As a result, many countries are working to require consent for collecting such personal information and to legislate the provision of information to third parties. A trial of a data trading market that promotes the fee-based distribution of valuable information has been carried out.

There are also some companies that use anonymisation technology to process the collected personal data and convert it into unidentifiable forms so that the data can be used in marketing without the owner’s consent. To curb this, the GDPR (EU General Data Protection Rules) aims for critical personal data protection and is going into effect from May 2018, and all companies are expected to start taking specific steps to adhere to this framework.

"NTT DATA Technology Foresight" special site: https://www.nttdata.com/global/en/foresight

※1  US-CERT Heightened DDoS Threat Posed by Mirai and Other Botnets
https://www.us-cert.gov/ncas/alerts/TA16-288A
