PRESENTED BY SEAVUS

Will the Internet of Things rewrite the rules on cyber security?

There’s been lots of hype about the benefits of the Internet of Things (IoT), but ignoring the risks that come with it could have disastrous consequences.

Not too long ago, the idea of communicating with your kitchen appliances or hopping in a self-driving car may have seemed like science fiction.

But the promise and potential that comes with connecting more gadgets online means that just about anything with an on/off switch can be connected to the internet and a remote controlling device over the same network.

By 2020, more than 50 billion devices are expected to be connected to the internet, meaning our world will become increasingly ‘smart’ as the Internet of Things (IoT) permeates into more parts of more people's lives.

We can already adjust the temperature and lighting in our homes from anywhere in the world; remote diagnostics can be performed on aircraft engines in real time; our cars can warn us of traffic problems and provide alternate routes.

And while all these connected devices may simplify our lives and streamline companies’ production and distribution, they also give rise to a myriad of new security threats that have the potential to disrupt people’s online lives in new and frightening ways.

“There are no devices that can’t be hacked, it’s just a matter of time and dedication,” warns Blagoj Kupev, an embedded systems designer with Scandinavian IT services and software development consultancy Seavus.

Data breaches

And as more systems and devices get connected, more sensitive corporate and personal information gets stored online, meaning an increased potential for hackers to cause serious harm.

Earlier this month, for example, it emerged that a data breach at US credit rating company Equifax may have left the sensitive financial data of up to 143 million Americans exposed.

And in Sweden, revelations that the country’s Transport Administration (Transportstyrelsen) ignored rules about data security resulted in the departure of the agency’s head and two ministers.

High-profile data breaches often involve capable hackers who are able to penetrate complicated security measures at major companies or public bodies.

But as the number of devices connected to the internet continues to multiply, so does the number of pathways open to nefarious individuals or groups looking to cause harm.

“If you make a cheap, unsecure device that requires users to set up their own security measures, you may sell more devices to more people. But the problem is these people may lack the knowledge to set things up correctly,” Kupev explains.

Even purchasing a high-end smart appliance with lots of security features doesn’t mean things can’t go wrong if users do not know how to use it properly.

“If your router is easily hackable, someone could then easily get access and hack into your smart oven, turn it on, and potentially start a fire in your house,” he continues.

The weakest link

Last year more than 900,000 routers in Germany were knocked offline by a cyber-attack that experts believe was an attempt to infect the routers with malware. While the attack didn’t result in any smart ovens getting hacked, the incident demonstrated an important principle that Kupev says everyone must remember in today’s connected world:

“The Internet of Things is only as strong as its weakest link – and it’s those weak links that are often subject to attacks.”

Part of the problem, says Kupev, is that current cybersecurity approaches and strategies were designed for a time when anyone involved in computing device security likely had a certain level of technical knowledge.

“Now we have to make things usable for ordinary people,” he says. “The Internet of Things requires making it possible for consumers, rather than IT professionals, to be the first line of cybersecurity defence.”

At Seavus, Kupev and his colleagues specialize in designing systems and interfaces that are both secure and easy to use.

“We focus on embedded devices – anything that you can imagine being a part of the Internet of Things – to ensure secure communication between the devices and the network – and that devices always have predictable behavior,” he explains.

Despite having capable teams of programmers and rigorous testing procedures, many companies – be they retailers, manufacturers, or service providers – still have a hard time seeing the potential vulnerabilities in their own systems.

“There are a lot of companies who think ‘this will never happen’ and then they come back to us six months later saying ‘it happened’,” says Kupev.

The challenge, he explains, is being able to look at things from a different point of view.

“Often a client’s view of things can be quite narrow because they’re used to looking at things from the same perspective,” he adds. “Our job is to help them look at matters from a different angle and uncover vulnerabilities they would have otherwise missed.”

To illustrate his point, Kupev tells the story of an engine maker that invested heavily in ensuring a device’s “regular” communications systems are secure.

“They did magnificent work in securing Ethernet and other standard interfaces, but no one thought about the GPS system that was part of the engine control system as a possible target for hackers.”

No instructions required

Another example that illustrates Kupev’s “weakest link” and “user-friendly” principles involves payment terminals with a system that required service personnel to have special cards to activate the terminals’ service mode.

Since staff kept losing the cards, the company simply turned off the card function and allowed service access without card authentication, exposing the system to serious security threats.

“There are a lot of ‘side entrances’ into systems and devices that people assume are secure but which may not be that secure,” he says.

“We help identify holes in clients’ systems so they can see where the design needs to be improved and then we propose how they can fix it.”

Kupev believes both companies and consumers need to take greater responsibility for ensuring devices are secure and that sensitive data remains safe from hackers and other cyber-threats.

“The arrival of the Internet of Things means that more people need to be aware of what sort of data can be exposed,” Kupev explains. “There are simply lots more devices connected in new ways that are producing more data that can provide a lot of insight into our daily routines.”

First and foremost, companies need to do more to make setting up security features foolproof for the most technically illiterate consumers.

“The key is creating systems and instructions that are easy to follow so that people can set up devices and have control over what data those devices create and how that data is used,” he says.

“You have to make devices user-friendly so everyone can get the setting right even without an instruction manual.”

This article was produced by The Local Client Studio and sponsored by Seavus.

TECH

Cookie fight: Austrian activist in tough online privacy fight

Five years after Europe enacted sweeping data protection legislation, prominent online privacy activist Max Schrems says he still has a lot of work to do as tech giants keep dodging the rules.

The 35-year-old Austrian lawyer and his Vienna-based privacy campaign group NOYB (None Of Your Business) are currently handling no fewer than 800 complaints in various jurisdictions on behalf of internet users.

“For an average citizen, it’s almost impossible right now to enforce your rights”, Schrems told AFP. “For us as an organisation, it’s already a lot of work to do that” given the system’s complexity due to the regulators’ varying requirements, he added.

The 2018 General Data Protection Regulation (GDPR) imposes strict rules on how companies can use and store personal data, with the threat of huge fines for firms breaching them.

While hundreds of millions of euros in fines have been imposed following complaints filed by NOYB, Schrems said the GDPR is hardly ever enforced. And that’s a “big problem”, he added.

He said the disregard for fundamental rights such as data privacy is almost comparable to “a dictatorship”. “The difference between reality and the law is just momentous,” Schrems added.

‘Annoying’ cookies

Instead of tackling the problems raised by the GDPR, companies resort to “window dressing” while framing the rules as an “annoying law” full of “crazy cookie banners”, according to Schrems.

Under the regulation, companies have been obliged to seek user consent to install “cookies” enabling browsers to save information about a user’s online habits to serve up highly targeted ads.

Industry data suggests only three percent of internet users actually approve of cookies, but more than 90 percent are pressured to consent due to a “deceptive design” which mostly features “accept” buttons.

Stymied by the absence of a simple “yes or no” option and overwhelmed by a deluge of pop-ups, users get so fed up that they simply give up, Schrems said. Contrary to the law’s intent, the burden is being “shifted to the individual consumer, who should figure it out”.

Even though society now realises the importance of the right to have private information be forgotten or removed from the internet, real control over personal data is still far-off, the activist said. But NOYB has been helping those who want to take back control by launching privacy rights campaigns that led companies to adopt “reject” buttons.

Shift of business model

Regulators have imposed big penalties on companies that violated GDPR rules: Facebook owner Meta, whose European headquarters are in Dublin, was hit with fines totalling 390 million euros ($424 million) in January.

One reason why tech giants like Google or Meta, as well as smaller companies, choose not to play by the GDPR rules is that circumventing them pays off, Schrems said.

Thriving on the use of private data, tech behemoths make “10 to 20 times more money by violating the law, even if they get slapped with the maximum fine”, he added.

Contacted by AFP, both companies said they were working hard to make sure their practices complied with the regulations.

Schrems also accuses national regulators of either being indifferent or lacking the resources to seriously investigate complaints. “It’s a race to the bottom,” Schrems said. “Each country has its own way of not getting anything done”.

Buoyed by his past legal victories, Schrems looks to what he calls the “bold” EU Court of Justice to bring about change as it “usually is a beacon of hope in all of this”.

Meanwhile, the European Commission is considering a procedures regulation to underpin and clarify the GDPR.

In the long run, however, the situation will only improve once large companies “fundamentally shift their business models”. But that would require companies to stop being “as crazy profitable as they are right now,” Schrems said.
