IoT Security & Privacy: Threats and Challenges
Yong Ho Hwang
Software R&D Center, Samsung Electronics Co., LTD,
yongh.hwang@samsung.com
ABSTRACT
The era of the Internet of Things (IoT) has already started
and it will profoundly change our way of life. While IoT
provides us many valuable benefits, IoT also exposes us to
many different types of security threats in our daily life.
Before the advent of IoT, most security threats were just
related to information leakage and the loss of service. With
IoT, security threats have become closely related to our non-
virtual lives and they can directly influence physical security
risk.
The Internet of Things consists of various platforms and
devices with different capabilities, and each system will need
security solutions depending on its characteristics. There
is a demand for security solutions that are able to support
multi-profile platforms and provide equivalent security levels
for various device interactions. In addition, user privacy
will become more important in the IoT environment because
a lot of personal information will be delivered and shared
among connected things. Therefore, we need mechanisms to
protect personal data and monitor their flow from things to
the cloud. In this talk, we describe threats and concerns for
security and privacy arising from IoT services, and introduce
approaches to solve these security and privacy issues in the
industrial field.
1. SECURITY THREATS IN IOT
For the Internet of Things (IoT) services, there are numer-
ous types of things from light to rich devices; the commu-
nication between things occurs through various networks .
It means that there are security risks in each device/network
layer and the user privacy can be exposed from diverse routes.
Therefore, all kinds of attack scenarios in the previous IT
environment should be re-considered more seriously.
2. SECURITY THREATS IN IOT
We introduce the concerns and the high-level approaches
to provide secure IoT environment.
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are not
made or distributed for profit or commercial advantage and that copies bear
this notice and the full citation on the first page. Copyrights for components
of this work owned by others than ACM must be honored. Abstracting with
credit is permitted. To copy otherwise, or republish, to post on servers or to
redistribute to lists, requires prior specific permission and/or a fee. Request
permissions from permissions@acm.org.
IOTPTS’15 April 14, 2015, Singapore
Copyright 2015 ACM 978-1-4503-3449-5/15/04 ...$15.00.
http://dx.doi.org/10.1145/2732209.2732216
E2E Data Life-cycle Protection To guarantee data se-
curity in IoT environment, end-to-end (E2E) data protec-
tion over entire IoT service should be provided. Various
data is generated from many things and is spontaneously
shared with other things including cloud under public net-
work. Therefore, it requires the data protection framework
to control and manage privacy information and confidential
data in full data life-cycle.
Secure Things Orchestration Things in IoT are organi-
cally operated by connecting with other things, and the con-
nected things are dynamically changed. In such a situation,
the connected things should be able to keep the required
security level. For instance, local devices and sensors used
in home should communicate securely with each other, and
should be securely managed to support multi-things orches-
tration. In addition, when they communicate with external
thing, all things should be operated under the same security
policy.
Security Platform for Multi-Level Things There are
many different types of platforms and devices from tiny sen-
sor to smart device in IoT environments. As we mentioned
above, if one thing is any security hole, it can be easily prop-
agated to other things and it is difficult to guarantee the
security with multi-things. Thus, for each thing, the secure
SW execution environment should be provided. However,
since all things have different capabilities such as computing
power and memory size, etc., the same security architecture
cannot be applied. So, security solutions to provide proper
security level according to capabilities and roles of things
should be developed.
Visible/Usable Security & Privacy Many security and
privacy issues are mostly caused by misconfiguration of users.
However, it is very difficult and unrealistic for users to en-
force the understanding of complex security/privacy policies
or rules. Thus, providing the usable solutions to easily set-
up or automatically apply security/privacy policy is very
important.
Bio: Yong Ho Hwang is the head of Security Lab at SW
R&D Center of Samsung Electronics. He received PhD de-
gree in Electronic and Electrical Engineering from POSTECH,
and worked in SPAR Lab/Computer Science at the Johns
Hopkins University as a post-doctoral researcher. His in-
terests are in applied cryptography, mobile security, system
security, network security, etc.