Page 34 - AeM_October_2021
LEGISLATION
• Weak, guessable, or hardcoded passwords
• Unsafe network services
• Unsafe ecosystem interfaces
• Lack of secure update mechanisms
• Use of unsecured or outdated components
• Insufficient privacy protection
• Unsecured data transfer and storage
• Lack of device management
• Insecure default settings
• Lack of physical hardening

Erroneously, manufacturers often tend to focus only on the security of the application software they are writing themselves, and completely ignore the most widely exploited classes of vulnerabilities, namely third-party software/firmware vulnerabilities, configuration vulnerabilities, and authentication vulnerabilities.

IoT data protection concerns can be addressed by answering the following questions:

• Determination of the person responsible for data protection: The manufacturer, equipment rental company or third-party service provider could be responsible for data protection. As soon as a third party comes into play, the user's consent to the disclosure of his/her data or another legal basis is essential.

• IT security certification of IoT devices: The main problem here is that updates have to be continuously installed on IoT devices and the level of IT security can change with each update, which is why it is difficult to make a permanent statement about the security of a device.

• Non-transparent data flow and insufficient education of users: So far, users have not been adequately informed about which data is being recorded, who has access to it and where or for how long it is stored.

• No possibility of objection: It is also not yet possible to object to data processing. The devices will not be able to function technically without data acquisition at all. So far, however, IoT devices have not offered any options that could at least restrict data collection.

• Inadequate encryption: In a survey by Gemalto, only 59% of IoT companies said they encrypt all data that is collected by their devices and used for analysis. If it gets into unauthorized hands, data stored in the clear can be read out very easily.

• Security risks for companies: An Infoblox study showed that, in addition to private end devices, the drastic increase in IoT devices in company networks is causing enormous security risks. Companies should therefore keep an overview of the technical devices they are using and critically analyze the use of the Internet of Things.

The Internet of Things could also meet the requirements for the data protection impact assessment (DPIA) of Article 35 GDPR, which says that if the processing of personal data is likely to result in a high risk for the rights and freedoms of individuals due to the type, scope, circumstances and purposes of the processing, the person responsible must carry out a DPIA. However, it is quite difficult for an outsider to judge to what extent this is already being implemented. Therefore, it is best to follow general security standards for IoT devices, such as:

• Do not use standard passwords
• Encrypted communication
• Keep software up to date
• Define an individual identity for each device (e.g., by using numbering) for authentication
• Implement guidelines for what to do in the event of a data breach
• Network segmentation must be able to isolate compromised devices from the rest of the network when needed
• Monitor system telemetry data that provide information on how software is used and how well it works, etc.

A good option is to make firmware public: by following General Public License (GPL) practices, manufacturers can benefit from a worldwide network of security talent finding bugs and steadily improving it. Without this transparency, they exclude responsible researchers from protecting their firmware. Right now, I see IoT not only as too diverse to have a single standard, since it is still emerging and continues to grow, but ultimately it will lead to something more homogeneous. The fact is that compliance is the single most important factor driving the growth of IoT security, as cyberattacks on the Internet of Things (IoT) are already a reality. ◊

By Daniela La Marca
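The general security standards listed in the article (no standard passwords, encrypted communication, current software, one identity per device, segmentation, telemetry) can be turned into an inventory check that a company can run over the "overview of the technical devices they are using". The script below is an added example and is not code from the article or from any vendor; the device records, the default-password list, the protocol names, the VLAN names and the 180-day firmware-age threshold are all constructed assumptions for illustration.

```python
"""Audit a constructed IoT device inventory against the baseline controls
named in the article. Added example; not the article's own material."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed list of factory-default credentials (illustrative, not vendor data).
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345", "default", ""}
# Protocols that carry device traffic without encryption (assumed set).
CLEARTEXT_PROTOCOLS = {"http", "telnet", "ftp", "mqtt"}
# VLANs where end-user workstations live; IoT devices should not share them (assumed names).
USER_VLANS = {"users"}
# Assumed patch-cadence threshold: firmware older than this counts as outdated.
MAX_FIRMWARE_AGE_DAYS = 180
# Fixed "today" so the sample audit is reproducible.
AUDIT_DATE = date(2021, 10, 1)


@dataclass
class Device:
    device_id: str          # the individual identity the article asks for
    password: str           # management credential currently set on the device
    protocols: list[str]    # protocols the device uses to talk to its backend
    firmware_date: date     # build date of the installed firmware
    vlan: str               # network segment the device is attached to
    telemetry_enabled: bool # whether the device reports health/usage telemetry


def audit_device(dev: Device, id_counts: Counter, today: date) -> list[str]:
    """Return the list of baseline controls this device fails."""
    findings = []
    if dev.password.lower() in DEFAULT_PASSWORDS:
        findings.append("default-password")
    for proto in dev.protocols:
        if proto.lower() in CLEARTEXT_PROTOCOLS:
            findings.append(f"cleartext-protocol:{proto}")
    if (today - dev.firmware_date).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("outdated-firmware")
    # An identity shared by two devices cannot be used to authenticate either one.
    if id_counts[dev.device_id] > 1:
        findings.append("duplicate-identity")
    if dev.vlan in USER_VLANS:
        findings.append("not-segmented")
    if not dev.telemetry_enabled:
        findings.append("no-telemetry")
    return findings


def audit_inventory(devices: list[Device], today: date) -> list[dict]:
    """Audit every device; duplicate identities are detected across the whole inventory."""
    id_counts = Counter(d.device_id for d in devices)
    return [{"device_id": d.device_id, "findings": audit_device(d, id_counts, today)}
            for d in devices]


def finding_counts(report: list[dict]) -> dict[str, int]:
    """Aggregate how often each finding occurs, for a management overview."""
    return dict(Counter(f for entry in report for f in entry["findings"]))


# Constructed sample inventory: one badly configured camera, a second device that
# reuses the camera's identity, and one sensor that meets every control.
SAMPLE_INVENTORY = [
    Device("cam-0001", "admin", ["http"], date(2021, 1, 15), "users", False),
    Device("cam-0001", "Zq8!v-unique", ["https"], date(2021, 9, 20), "iot-cameras", True),
    Device("sensor-0042", "s3cure-unique", ["mqtts"], date(2021, 8, 30), "iot-sensors", True),
]


def run_sample_audit() -> list[dict]:
    return audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    report = run_sample_audit()
    for entry in report:
        print(entry["device_id"], entry["findings"] or "OK")
    print(finding_counts(report))
```

The per-device checks map one-to-one onto the article's list; the duplicate-identity check is the one that needs the whole inventory, which is why the audit is run over the device overview rather than device by device. Thresholds and name lists would be replaced with the company's own policy values.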
34 October 2021: IoT in Marketing