GDPR and the ‘chain of trust’ in IoT security

Author : Andrew Hogan, Embedded Software Engineer at ByteSnap Design

11 September 2017

With General Data Protection Regulation (GDPR) coming into full enforceable effect in May 2018, two years after it was approved and adopted by the EU, regulators will have the power to fine companies up to €10m, or 2% of annual global revenue (whichever is greater), for failure to handle customers’ personal data in adherence with the regulations. This article explores why this legislation’s scope overshadows almost every aspect of IoT security. Whether it is health tracking,

This article originally appeared in the September 2017 issue of Electronic Product Design & Test; to view the digital edition, click here – and to register to receive your own printed copy, click here.

The GPDR specifies the responsibilities of companies who monitor, record or handle people’s personal data. In addition to typical information, such as names, addresses and health details, it also applies to digital components of personal data which have not necessarily been covered by previous legislation. Data such as web tracking cookies, IP addresses, mobile phone IMEI and location data all apply here, since these could all be used to identify an individual. It applies not only to the ‘controller’ of the information (the organisation that provides a service to the end user), but also ‘processors’ (organisations who handle the data on behalf of a controller). It mandates a ‘chain of trust’ for users’ data, starting from where it is recorded, through how it is transmitted, who processes it, and how it is aggregated or archived.

These regulations require adherence not only for companies operating or selling devices within the EU, but also for any global organisations that conduct business in the EU, or that handle the personal data of EU citizens. Even if a product or service is not marketed or officially sold in the EU, if a citizen of any EU nation decides to become a customer anyway (and starts uploading their fitness stats or GPS location to a company’s server, even outside of Europe), these protections still apply.

Impact on IoT development

Historically, there have been three primary factors to consider when securing a product:

Device security

The IoT device must be independently secure. Can a malicious party hack into it to tamper with recorded data? Can it be reprogrammed? Encrypting stored data and robust firmware/software validation mechanisms are both vital to prevent device exploitation. For example, botnets (such as Mirai) gain access to new devices by testing out default passwords and admin credentials, which are commonly left unchanged by end users.

Transport

Whenever data is transmitted, security is essential. Whether it’s ensuring that the user’s wireless network has appropriate encryption mechanisms enabled to avoid unauthorised access (such as WPA2), or encrypting transmitted data separately, transport cryptography and properly implemented server certification are key technologies.

Accumulated data

Arguably the most critical issue is that of accumulated data. In the age of identity theft, a single server that stores detailed user information is a tempting target for a cost-effective attack. How secure is the end server that holds this treasure trove of historical data? Are account details, addresses and financial information stored in an encrypted form that conforms to relevant standards? Does the company maintain audit policies to ensure only required staff have access to this data – and that they use appropriate security hygiene? And, perhaps most importantly, is the network monitored in order to identify suspicious network traffic and activity?

The GDPR also mandates another element for controllers to manage, which historically has not received much consideration:

Scope

Controllers must carefully manage both the scope of the data they collect and who is granted access to it. Simply collecting masses of irrelevant data may put you in breach of legislation. Recording relevant data, but then supplying it to a third party who doesn’t need access to it, would also be in breach.

For a list of more key security points, see the entry, 'How to protect your organisation and customers' from the digital version of this article.

Conclusion

As the IoT gathers pace, consumer electronics such as laptops, mobile phones, wearables and even televisions, are increasingly transitioning from being distinct devices to becoming components of – or interfaces to – cloud services. Files don’t necessarily exist on the distinct physical device in front of you. When producing a component that will interact with other devices and services, it is important to identify where the overall responsibility lies for each aspect of system security. You will be individually – and, with your partners, collectively – responsible for system security.


Contact Details and Archive...

Print this page | E-mail this page