Jeff Katz from KIWI discusses topics relating to Privacy and Security in the Internet of Things. What you should do, what you should never do, and what to avoid becoming. From the IoT Conference September 2015 in Berlin

1. Jeff Katz | KIWI
Privacy and Security in the Internet
of Things

2. Agenda
• A bit about me
• Privacy and Data Collection
• Security and Data Protection
• Guidelines
• Example
• Questions

3. A small bio
• Embedded Engineer, hardware and
software (but also backend, mobile,
frontend, web...)
• Developed hardware to break Nintendo
DS copy protection
• 7+ Years in Physical Access Control
Industry
• VP Engineering, KIWI (more at
kraln.com)

4. Image Credit: Twitter @internetofshit

5. Privacy
• Ability to preclude information from
being shared or communicated
• What is sensitive changes over time
• What is private changes over time
• Remember: Anonymized data isn’t 1
1 Ohm, Paul, Broken Promises of Privacy: Responding to the Surprising Failure of
Anonymization (August 13, 2009). UCLA Law Review, Vol. 57, p. 1701, 2010; U of
Colorado Law Legal Studies Research Paper No. 9-12. Available at
SSRN: http://ssrn.com/abstract=1450006

6. Data Collection
• Don’t collect data you don’t need
• Don’t use services that collect data in
order to provide your product or service
• Avoid unintentional information leakage
• Data is a double-edged sword
• Pretend everything will become public!

7. Example: Smart Thermostat
• What you want
– House temperature auto-adjusts
– House is warm when you come home
– Less energy usage
• What you get leak
– Knowledge about where other people are
– When you are on vacation
– Location information collected by
background service on your phone

8. A designer knows he has
achieved perfection not when
there is nothing left to add, but
when there is nothing left to
take away.
Antoine de Saint-Exupery

9. Example: Smart Power Meter
• What you want
– Power usage over time
– Optimize grid
– Easy metering
• What you get leak
– When people are home
– What is being watched on TV
– Ability to remotely kill power1
1 http://www.sciencedirect.com/science/article/pii/S1877050915008492

10. But we’re the good guys!
• Security breaches
• Government intrusion
• Corporate sale
Information you collect, even with the best
of intentions, can be used against you
and your customers.

11. Security breaches
• Any data you have can &
will be used against you
• The more data you have,
the more valuable you
are as a target
• Large or small scale
possible
• Matter of when, not if!
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

12. Example: Smart Lock
• What you want
– Lock works with cellphone over Bluetooth
– List of people who come and go, and when
– No need for metal keys anymore
• What you everyone gets
– List of people who come and go, and when
– Ability to drain battery, lock people out of
their houses

13. Government intrusion
• 2013 Facebook: 38,000 requests
• 6mo 2014 Twitter: 2,871 requests
• 3mo 2014 Snapchat: 400 requests
• Google:
https://www.eff.org/who-has-your-back-government-data-requests-2015

14. Corporate sale
• Barclays bank tells 13 million customers it is to start selling information
on their spending habits to other companies
http://www.theguardian.com/business/2013/jun/24/barclays-bank-sell-customer-data
• Bell faces $750M lawsuit over allegedly selling customer data
http://www.cbc.ca/news/canada/windsor/bell-faces-750m-lawsuit-over-allegedly-
selling-customer-data-1.3037545
• “RadioShack Corp. won court approval to sell data on about 67 million
customers in a $26.2 million deal for assets that also includes the
bankrupt electronics retailer’s name.”
http://www.bloomberg.com/news/articles/2015-05-20/radioshack-receives-approval-
to-sell-name-to-standard-general

15. Security
• The internet is radioactive ☢
• Wireless communications are radioactive ☢
• Users are very radioactive ☢
• Minimize your exposure!
• Strong encryption is your radiation shielding!
• Keep your business-critical data, and your
user’s data, as far away from the danger as
possible

16. Example: LIFX
• What you want
– App to control lightbulb
– Easy set up, wireless control
• What you get
– Mesh-network “encrypted” with keys sent
in plain-text
– WIFI password broadcast unencrypted
http://www.contextis.com/resources/blog/hacking-internet-connected-light-bulbs/

17. Medical Devices: Myth
• High standards mean high quality
• Enable doctors to work remotely
• Security vulnerabilities do not exist, or
even if they did, they would not cause
problems
• Medical devices are always airgapped

18. Medical Devices: Reality
• High standards mean lots of shortcuts
• Enable anyone to access remotely
• Security vulnerabilities do exist, and
create critical problems
• Medical devices are almost never
airgapped. Many devices can be
crashed just by running simple security
scans (port scans)

19. Why should I care?
• Immunizations provide herd immunity!
• Designing for privacy and security is
much easier and more effective than
retrofitting
• Defense in depth
• Think of your mom!

20. Example: Smart “Toy”
http://motherboard.vice.com/read/yes-your-smart-dildo-can-be-hacked
• Remote control
• Video
• Sound
Do I really need to explain why this is a
bad idea?

21. What can I do?
• Collect as little information as possible
• What you collect, always secure/encrypt
• Secure command & control channel
• Have a disaster recovery plan
• Have a privacy policy
• Don’t re-invent the wheel
• Work with security researchers
More ideas: https://msdn.microsoft.com/en-us/library/ms976532.aspx

22. • Physical Access Control as a Service
• Private apartments, service providers,
and house management companies
• Mix of hardware, software, wireless
sensor network and web applications
• High focus on privacy and security of
our users

24. Questions?
Jeff Katz
jeff.katz@kiwi.ki
kraln.com / @kraln