After the Gold Rush: The Boom of the Internet of Things, and the Busts of Data-Security and Privacy

This Article addresses the impact that the lack of oversight of the Internet of Things has on digital privacy. While the Internet of Things is but one vehicle for technological innovation, it has created a broad glimpse into domestic life, thus triggering several privacy issues that the law is attempting to keep pace with. What the Internet of Things can reveal is beyond the control of the individual, as it collects information about every practical aspect of an individual’s life, and provides essentially unfettered access into the mind of its users. This Article proposes that the federal government and the state governments bend toward consumer protection while creating a cogent and predictable body of law surrounding the Internet of Things. Through privacy-by-design or self-help, it is imperative that the Internet of Things—and any of its unforeseen progeny—develop with an eye toward safeguarding individual privacy while allowing technological development

Assessing Cybersecurity Risks When Adopting Internet of Things (IOT) Devices

The Internet of Things (IoT) is a term covering a broad array of Internet-connected devices adopted by both business entities and consumers. Unfortunately, this connection to the Internet also exposes these devices to connections from other devices on the Internet. In the current cybersecurity environment, this means that IoT devices are susceptible to all manner of cybersecurity threats. Thus, the adoption of IoT devices brings with it exposure to an array of cybersecurity risks. This paper attempts to develop a framework to analyze the nature of cybersecurity threats and the resulting risks faced by entities adopting IoT devices

Measuring Performances of a White-Box Approach in the IoT Context

The internet of things (IoT) refers to all the smart objects that are connected to other objects, devices or servers and that are able to collect and share data, in order to "learn" and improve their functionalities. Smart objects suffer from lack of memory and computational power, since they are usually lightweight. Moreover, their security is weakened by the fact that smart objects can be placed in unprotected environments, where adversaries are able to play with the symmetric-key algorithm used and the device on which the cryptographic operations are executed. In this paper, we focus on a family of white-box symmetric ciphers substitution-permutation network (SPN)box, extending and improving our previous paper on the topic presented at WIDECOM2019. We highlight the importance of white-box cryptography in the IoT context, but also the need to have a fast black-box implementation (server-side) of the cipher. We show that, modifying an internal layer of SPNbox, we are able to increase the key length and to improve the performance of the implementation. We measure these improvements (a) on 32/64-bit architectures and (b) in the IoT context by encrypting/decrypting 10,000 payloads of lightweight messaging protocol Message Queuing Telemetry Transport (MQTT)

IoT Expunge: Implementing Verifiable Retention of IoT Data

The growing deployment of Internet of Things (IoT) systems aims to ease the daily life of end-users by providing several value-added services. However, IoT systems may capture and store sensitive, personal data about individuals in the cloud, thereby jeopardizing user-privacy. Emerging legislation, such as California's CalOPPA and GDPR in Europe, support strong privacy laws to protect an individual's data in the cloud. One such law relates to strict enforcement of data retention policies. This paper proposes a framework, entitled IoT Expunge that allows sensor data providers to store the data in cloud platforms that will ensure enforcement of retention policies. Additionally, the cloud provider produces verifiable proofs of its adherence to the retention policies. Experimental results on a real-world smart building testbed show that IoT Expunge imposes minimal overheads to the user to verify the data against data retention policies.Comment: This paper has been accepted in 10th ACM Conference on Data and Application Security and Privacy (CODASPY), 202

Tracing where IoT data are collected and aggregated

The Internet of Things (IoT) offers the infrastructure of the information society. It hosts smart objects that automatically collect and exchange data of various kinds, directly gathered from sensors or generated by aggregations. Suitable coordination primitives and analysis mechanisms are in order to design and reason about IoT systems, and to intercept the implied technological shifts. We address these issues from a foundational point of view. To study them, we define IoT-LySa, a process calculus endowed with a static analysis that tracks the provenance and the manipulation of IoT data, and how they flow in the system. The results of the analysis can be used by a designer to check the behaviour of smart objects, in particular to verify non-functional properties, among which security

Privacy-by-design for Internet of Things (IoT): Implementing user autonomous options in a smart home scenario

Capstone Project submitted to the Department of Engineering, Ashesi University in partial fulfillment of the requirements for the award of Bachelor of Science degree in Electrical and Electronic Engineering, May 2020In traditional Internet of Things (IoT) systems, users are unable to authorize and/or deauthorize the collection of user data. Hence, the problem of the absence of user autonomy in IoT systems. The project aims to tackle this problem by suggesting a human-centered privacy-by-design option in the design and implementation of IoT systems. It aims to prioritize the need for the privacy of the user in designing IoT systems. It proposes to do this through the provision of user autonomous commands that enable the user to opt out of the collection of a particular data type and restore the collection of that data type at will. A Smart Home was built and designed, as the IoT system, for the proof of concept. Various data types were collected at the edge level and three of them (audio, image and temperature) were selected to be transmitted to a remote NoSQL database. Through the user web application, the user was able to authorize and/or deauthorize the transmission of data types by choice. In addition, the user was given access to view a user-friendly presentation of the cloud database, to validate the execution of their autonomous actions taken. This was demonstrated in several use case scenarios. The results shown from this research illustrate that user autonomous actions for privacy can successfully be implemented in the design of IoT systems.Ashesi Universit