Internet Society (ISOC) aims are: make security an integrated function of connected objects and encourages IoT device and service providers for consumers to adopt the Online Trust Alliance (OTA) security and privacy principles ; increase the consumer demand for security and privacy in the IoT devices they purchase; create government policies and regulations that promote better security and privacy features in IoT devices.

1. IoT securityand privacy:
main challenges and
how ISOC-OTA address them
Radouane Mrabet
Emeritus Professor - Mohammed V University - Rabat
President of the Internet Society Morocco Chapter
The 6th International Conference on Multimedia Computing and
Systems Rabat, 10-12 May 2018

2. 2
4 priorities of
the Internet
Society
(ISOC)
2018 action
plan
A. Securing the Internet of Things
B. Strengthening the Global Routing
System (MANRS: Mutually Agreed
Norms for Routing Security)
C. Innovate to connect the world
(community networks)
D. Promoting concerted governance
(multiparty consultation model)

3. 3
Securing the
Internet of
Things
Internet Society (ISOC) aims are:
 make security an integrated function of
connected objects and encourages IoT device
and service providers for consumers to
adopt the Online Trust Alliance (OTA)
security and privacy principles ;
 increase the consumer demand for security
and privacy in the IoT devices they
purchase;
 create government policies and regulations
that promote better security and privacy
features in IoT devices.

4. 4
Online Trust Alliance is an initiative of
the Internet Society;
Online Trust Alliance's mission is to:
 improve online trust, user empowerment
and innovation by organizing multi-
stakeholder initiatives,
 develop and advance best practices and
tools to enhance security protection,
confidentiality and the identity of the
users.

5. 5

6. 6
IoT Security & Privacy Trust
Framework v2.5
Updated October 14, 2017

7. 7
Smart Alarm Clock
Wi-Fi VideoCamera
Smart plug that
tracks air quality
Wireless blood
pressure monitor
Toys for kids
Fitness tracker
Connected coffee machine
Sensing cooker
Source : http://iotlist.co/

8. 8
Internet of
Things

9. 9
The term "Internet of Things" refers
to scenarios in which network
connectivity and computing capacity
extend to objects, sensors, and
everyday objects that are not normally
considered computers, allowing these
devices to generate, exchange, and
consume data with minimal human
intervention.

10. 10
IoT: Many
opportunities
and some
challenges
The open nature of the Internet
creates the opportunity to connect
devices on a scale that is transforming
the way we interact with our
environment and transforming our
society.
The Internet of Things (IoT) has
enormous potential to change our
world in a positive way.
But ...

11. 11
Insufficient IoT security whose impact
is already being felt:
Attacks on devices, applications and
services, as well as the compromise of
sensitive data, not only threaten the
security of users of connected devices, but
also all other users.
IoT: Many
opportunities
and some
challenges

12. 12
Compromised IoT devices can be used
to form botnets and attack other
networks, other users, and the
Internet infrastructure.
In 2016, a compromised IoT device
network performed a distributed
denial of service attack against Dyn, a
DNS service provider, causing many
websites and online services to be
unavailable in some parts of the
world.
Example:
DDoSAttack
on Dyn

13. 13
Source :
https://www.internetsociety.org/blog/2016/10/trust-isnt-easy-drawing-an-agenda-from-fridays-ddos-attack-and-the-internet-of-things/7/

14. 14
Source:
2017 GlobalThreat
Intelligence Report

15. 15
What are the
challenges?
1. The economy promotes weak security;
2. Security is difficult, especially for new
businesses;
3. IoT systems are complex and each part must
be secure;
4. The security support is not always
maintained;
5. The consumer's knowledge of IoT security is
weak;
6. Security incidents can be difficult to detect or
resolve for users;
7. Existing legal liability mechanisms may not
be clear.

16. 16
1.
The economy
promotes
weak security
Competitive pressures for shorter time
to market and cheaper products are
driving many IoT system designers
and manufacturers to spend less time
and resources on security;
Strong security is expensive and
lengthens the time to bring a product
to market.

17. 17
1.
The economy
promotes
weak security
 There is no credible way for
suppliers to report their level of
security to consumers, for example:
trusted labels, certifications, ...
 Difficult for consumers to easily compare the
security of different IoT systems;
 Reduction of consumer pressure on suppliers
 Security can not be a competitive
differentiator.

18. 18

19. 19

20. 20
2.
Security is
difficult,
especially for
new
businesses
 Implementing enhanced security in IoT
systems requires expertise;
 New players in the IoT ecosystem may
have little or no experience with
Internet security.
 Example: A manufacturer may know how to
make a refrigerator safe for its initial use
(electrical wiring, chemicals), but may not
understand Internet security.

21. 21
3.
The IoT
systems are
complex and
each part
must be
secure
 The security of a system depends on
the weakest link;
 In IoT systems, different parts may
be under the control of different
actors, which makes cooperation
difficult to solve IoT security
problems:
 Complex supply chains make security
assessments difficult;
 Often, IoT systems are managed and / or
controlled by cloud services.

22. 22
4.
The security
support is not
always
maintained
 IoT devices, applications, and services
require security patches and updates
to protect against known
vulnerabilities;
 Support for IoT systems is an
expensive task for IoT service
providers.

23. 23
5.
Consumer
awareness of
IoT security is
low
Typically, consumers have limited
knowledge of IoT security, which
impacts their ability to effectively
integrate security into their
purchasing habits or to configure and
maintain the security of their IoT
systems.

24. 24
6.
Security
incidents can
be difficult to
detect or
resolve for
users
 In many cases, the effects of a poorly
secured product or service will not be
obvious to the user.
 Example : a refrigerator can continue to do a
good job, even if it has been compromised and
is part of a botnet performing DDoS attacks).
 Consumers generally do not have the
technical ability or user interfaces to
implement patches.
 Users are contractually prevented from
updating or repairing the systems
themselves or having them repaired by
independent specialists.

25. 25
7.
Existing legal
liability
mechanisms
may not be
clear
 Liability for damage caused by
inadequate safety of IoT can be
difficult to determine.
 Uncertainty among victims when seeking
to assign liability or to obtain
compensation for harm.
 Clear accountability encourages
suppliers to enhance security, but in
the absence of strict liability regimes, it
is ultimately users who pay the price
for security breaches.

26. 26
With the development of connected
objects, users entrust de facto part of their
privacy to improve their environment and
make their living environment more
efficient or safer.
Personal data?

27. 27
Risks to the
person and his
personal data
-
Examples
Hacked surveillance camera lets you
know if owners are away or not from
their home;
Smart electricity meter: the meter can
quickly become a "spy" if you are not
careful.
 A load curve (consumption hour by hour) allows to
know if someone is in the house?

28. 28

29. 29

30. 30
Founded in 2007 as a trade and
industry organization
More than 65 members (DigiCert,
Symantec, Verisign, Microsoft,
Twitter, Coles, …)
Internet Society and OTA merged in
April 2017 and OTA members became
members of ISOC

31. 31
What to do knowing that there are
more than 40 different organizations
working in the IoT industry?
OTA has decided to adopt a broad
multi-stakeholder approach to assess
IoT risks and address the security,
privacy and sustainability of the IoT
products and services lifecycle.

32. 32
Creation in January 2015 of a working
group called "IoT Trustworthy
Working Group (ITWG)" whose
mission was to develop "IoT Security
& Privacy Trust Framework"
First version: March 2016

33. 33
IoT Security & Privacy Trust
Framework v2.5
Updated October 14, 2017

34. 34
IoTSecurity &
PrivacyTrust
Framework
v2.5
It includes a set of strategic principles
necessary to secure IoT devices and their
data throughout their life cycle.
Through a multi-stakeholder process
driven by consensus, criteria have been
identified for the connected home, office
and wearables.
The trust framework emphasizes the
need to provide product information
prior to purchase.

35. 35
IoTSecurity &
PrivacyTrust
Framework
v2.5
It articulates policies regarding the
collection, use and sharing of data, as
well as the terms and conditions of the
security patches - including and
especially after the end of warranty
support.
Finally, the framework provides guidance
to manufacturers to improve the
transparency and communication of the
ability of devices to be updated as well as
issues related to data privacy.

36. 36
IoTSecurity &
PrivacyTrust
Framework
v2.5
40 principles in 4 key areas to secure
IoT devices and their data:
1. Security Principles (1-12)
2. User Access and Credentials (13-17)
3. Confidentiality, Disclosure and
Transparency (18-33)
4. Notices and Recommended Practices
(34-40)

37. 37
IoTSecurity &
PrivacyTrust
Framework
v2.5
Security Principles (1-12) -
Applicable to any device or sensor and
all cloud applications and services.
This ensures that devices use default
cryptographic protocols, and only open
physical and virtual ports and services
are required.
This includes penetration testing and
vulnerability reporting programs.
Other principles emphasize the need
for security patches throughout the life
cycle.

38. 38
IoTSecurity &
PrivacyTrust
Framework
v2.5
User Access and Credentials (13-
17) –
Requires encryption of all passwords
and usernames, password reset process
implementation, strong authentication,
integration of mechanisms to prevent
login attempts.

39. 39
IoTSecurity &
PrivacyTrust
Framework
v2.5
Confidentiality, Disclosure and
Transparency (18-33) –
Requirements in accordance with generally
accepted principles of confidentiality,
including significant disclosures about
packaging, point of sale and / or uploads,
ability for users to reset devices to factory
settings and compliance with applicable
regulatory requirements, including EU
GDPR and child privacy regulations.
Also deals with disclosures about the impact
on product functionality if connectivity is
disabled.

40. 40
IoTSecurity &
PrivacyTrust
Framework
v2.5
Notifications and Recommended
Practices (34-40) –
It includes mechanisms and processes
to quickly inform a user of the threats
and actions required in the event of
security concerns.
The principles include email
authentication for security notifications
and that messages must be clearly
communicated to users regardless of
their grade level.

41. 41

42. 42

43. 43

44. 44

45. 45
Released
April 17, 2018

46. 46

47. 47
Moroccan
Law 09-08 on
the protection
of individuals
with regard to
the processing
of personal
data
Article 3: Data quality:
Personal data must be:
a) treated fairly and lawfully;
b) collected for specified and legitimate
purposes, and not to be further processed in a
manner incompatible with the purposes;
c) adequate, relevant and not excessive in
relation to the purposes for which they are
collected and for which they are further
processed;

48. 48
Moroccan
Law 09-08 on
the protection
of individuals
with regard to
the processing
of personal
data
Article 3: Data quality:
Personal data must be:
d) exact and, if necessary, updated. All reasonable
measures must be taken to ensure that
inaccurate or incomplete data, with regard to
the purposes for which they are collected and
for which they are subsequently processed, are
erased or rectified;
e) preserved in, a form permitting the
identification of the persons concerned for a
period not exceeding that necessary to achieve
the purposes for which they are collected and
for which they are subsequently processed.

49. 49
Moroccan
Law 09-08 on
the protection
of individuals
with regard to
the processing
of personal
data
Person’s rights:
 Expressing consent (Article 4)
 Be informed when collecting data (Article 5)
 Exercise your right of access (Article 7)
 Exercise the right of rectification (Article 8)
 Exercising the right of opposition (Article 9)

50. 50
Moroccan
Law 09-08 on
the protection
of individuals
with regard to
the processing
of personal
data
Obligation of the treatment
responsible:
 Respect the purpose of the treatment
 Respect the principle of proportionality
 Ensuring the quality of the data
 Ensure that the data retention period is
maintained
 Ensure the exercise of the rights of the data
subject
 Ensuring the safety and confidentiality of
treatments (Articles 23 to 26)

51. 51
Conclusion
IoT security is a global challenge
requiring global collaboration. The
Governments, industry and civil society
need to work collectively and take
actions to secure consumer IoT products
and associated services at every stage of
their lifecycle.

52. Radouane Mrabet
Emeritus Professor at Mohammed V University of Rabat
President of the Internet Society Morocco Chapter - MISOC
The 6th International Conference on Multimedia Computing and
Systems Rabat, 10-12 May 2018
Thank you
ⵜⴰⵏⵎⵎⵉⵜ