IGF 2020 WS #325 Internet of Things: Trust, Trick or Threats?
The session, moderated by Mr Mark Datysgeld (Consultant, Governance Primer), addressed the security and privacy risks raised by domestic Internet of Things (IoT) networks. Currently, the most common use of IoT is home automation. In this context, users’ daily routines can be captured by devices in their homes, which challenges their security and privacy.
The first part of the session addressed the nature and determinants of the risks linked to IoT devices. Mr Sávyo Vinícius de Morais (Researcher, Federal University of Rio de Janeiro) argued that the root of IoT security issues lies in device design. Such issues can be leveraged by botnets to take down online services with distributed denial-of-service (DDoS) attacks. Ms Martha Teye (Developer, Zlitch Technologies) explained that because many IoT devices are designed for mass use, the magnitude of any vulnerability is vastly amplified. Authentication remains one of the main security challenges for most IoT devices. Although there are protocols to secure data in the context of IoT devices, most individuals are still either unaware of these protocols or do not follow common guidelines such as changing default passwords.
In the second part of the session, solutions to these IoT risks were addressed. Vinícius de Morais pointed at the privacy risks raised by flawed IoT systems, showing the need for stronger regulation and certification of devices. IoT security has been a theme of growing importance within Internet governance institutions. For instance, the Internet Research Task Force (IRTF) has recently released the document RFC 8576, which explains the state-of-the-art challenges of IoT security, discussing the problems related to technological limitations faced by the industry and how they impact end-users. Mr Edgar Ramos (Distributed AI Project Leader, Ericsson) addressed the tension faced by users in terms of the centralisation, sharing, and ownership of their data. Given the heterogeneity of IoT hardware and platforms, users are faced with intertwined, yet different, regulations and rules, which are challenging to navigate in order to enforce their rights and secure their data. Teye argued that users and companies need to follow risk-driven strategies and place priority on critical assessments of the IoT infrastructure. Ramos also explained that end-to-end encryption is not necessarily sufficient to address IoT vulnerabilities. Encryption requires trust between at least two end-points, but users may not trust all end-points of IoT networks. Trust can only be enhanced via standards and decentralised systems.