Known security issues of IoT systems
Tamas Szadeczky
Dept. of Measurement and Automation
Obuda University
Budapest, Hungary
szadeczky.tamas@kvk.uni-obuda.hu
Gergely Kovacs
Dept. of E-Government
National University of Public Service
Budapest, Hungary
gergelyk00@gmail.com
Abstract— The aim of our research was to elaborate the
current concept of the IoT based on the scientific papers
published up to now and to outline the potential legal and
security risks that may affect users or the state. We
categorized the challenges of IoT usage. The main problems from
the data protection perspective are traceability and
confidentiality issues.
Keywords—Internet of Things, embedded systems, privacy,
data security
I. INTRODUCTION
The current Gartner Hype Cycle 2018 shows that the
Internet of Things (IoT) has just passed the peak of
inflated expectations and will be a commonly used
technology (will reach the plateau of productivity) in 5 to 10
years' time. IoT might be only a fashionable topic without a
high level of implementation in manufacturing or our daily
life, but it seems that many companies, developers and
scientists think it will surely be a usable product.
“76% of the international enterprises claim that the
application of the Internet of Things (IoT) is key to success,”
says the Vodafone IoT report. However, why is this
technology so popular? We would like to quote the words of
the American billionaire entrepreneur Kevin Trudeau: “if
you can see John Jones through John Jones eyes, you can sell
John Jones, what John Jones buys.” This is exactly why the
Internet of Things is so important for them. Let’s imagine
that we are the owners of a huge company with many
employees. Thanks to the Internet of Things, enterprises
can always know how much of a certain product they have
sold and exactly how the behavior of the customers is
changing. They can see the number of goods in stock
and also which type of product is likely to be faulty.
Of course, not only enterprises are taking advantage of
the Internet of Things. We can also utilize this technology, for
instance, in our car, our home (“Smart Home”) and many other
areas. Moreover, even in the National Zoo of Hungary IoT
devices take care of the endangered species.
It is obvious that the concept of the Internet of Things is a
very practical and timely topic. In reality, however, there is
not even an exact definition of IoT that is accepted by
every expert. “The IoT is surely not science fiction, but not a
tangible concept, as well,” says Mark Bartolomeo, president
of the IoT sector of Verizon. [1] There is a huge variety in
how we can build and utilize an IoT system, and the concept is
constantly evolving. Furthermore, the operators of such
systems have to face many possible legal and security risks,
which makes the concept of IoT even more timely. Based on
the research of James Scott and Drew Spaniel, we cannot even
grasp all the possible risks of an IoT system. [2] There
are many unanswered questions regarding this topic. Also,
the related literature treats the various aspects of IoT very
differently. That is exactly why we decided to research this
very interesting technology – the Internet of Things.
II. CONCEPTUAL ISSUES
A. The concept of the Internet of Things
Nowadays the increased availability of internet access,
cloud computing, and the miniaturization of
sensors and communication chips cause the concept of the
internet to fade into the background, while connected smart
devices, which use an internet-based network, get more and
more attention. What this actually means is that information
technology is gradually appearing in a variety of devices such as
cars, household devices, industrial machines, etc. These
devices are considered smart because they can sense their
environment, collect data and optionally make decisions.
They are connected because they communicate with their
backend system, the user, sometimes the provider, and
probably with other similar devices at the same time. The
system pieced together from these devices is called the Internet
of Things (IoT).
In the 80s a concept similar to the Internet of Things had
already appeared. This concept was used mostly by factories
and was called Machine to Machine (M2M) communication.
[3] The difference between the two technologies is the
internet. Both concepts are based on the connection between
machines, but M2M communication takes place solely in
a closed system, while IoT utilizes the internet, expanding its
potential tremendously. The expression “Internet of Things”
was first used by Kevin Ashton in 1999. The essence of his
idea was to securely and independently connect tangible
smart devices through an internet-based network.
Smart devices in the system of IoT use certain protocols
and technologies to transmit data through a wireless network
to the receiver. This issue will be detailed later in this paper.
Usually, there is also a central server, from where anyone
can track and manage the activity of the other devices in the
system. After the system is set up, smart devices in IoT
networks can work fully automatically. Thanks to this
technology, we can automate our environment (e.g.,
automatic climate systems, lights, etc.) and make
machines do the monotonous physical work for us; IoT is
also used in healthcare, transport, disaster prediction and many
other areas. [4] Nowadays there are more than 15 billion IoT
devices (phones, computers, household devices, industrial
machines, security devices, etc.) in use, and this number
might even increase up to 28 billion by 2021. [5]
B. Functioning of the Internet of Things
1) Three pillars of IoT
Based on our research we identified three key pillars of
an IoT system. These are built-in intelligence, internet-based
connection and sensors. These three elements lead to the
establishment of IoT systems, which are capable of
independent and intelligent functioning.
IEEE CANDO-EPE 2018 • IEEE International Conference and Workshop in Óbuda on Electrical and Power Engineering • Nov. 20-21, 2018 • Budapest, Hungary
978-1-7281-1154-4/18/$31.00 ©2018 IEEE
1. Built-in intelligence: processing functions, and
sometimes artificial intelligence, can “smart up” the
devices, as communicated in the mainstream media.
Thanks to the built-in systems, we can use practical
features. From the simplest things like household
devices to the most complicated industrial systems,
the use of artificial intelligence is getting more and
more popular in developed countries.
2. Internet-based connection: Devices in IoT systems
are connected through an internet-based network.
Moreover, with virtual private networks (VPN) IoT
administrators can establish secure connections
between IoT network elements.
3. Sensors: The most important element of an IoT
system might be its sensors. Using sensors is the
biggest difference between traditional passive
networks and IoT. [3] Thanks to sensors, IoT systems
can become active networks that adapt to
events in their surroundings.
2) Hardware in IoT
Internet of Things systems might consist of many
tangible devices. In other words, hardware heterogeneity is
very typical in IoT networks. It means that we can find many
different devices on many different levels, which together build up an
IoT network.
In all IoT networks, we can find central servers, which
manage data processing and from where server settings can
be set up. We can also find routers in the system, which
connect sensors and servers by transmitting data and signals.
Lastly, there are tangible devices with sensors inside them.
To sum up, the vertical levels of IoT hardware are Devices,
Routers, Servers and Server Settings. We can find a variety
of devices on each level. [6] “Server settings” are, of course,
not hardware themselves, but in our opinion it is useful to
include them in such a list, because the entire functioning of an
IoT system is based on how it is configured in the server
settings.
The most important hardware in IoT systems is the
sensor. [7] Sensors are key to the entire functioning of IoT
networks, which means that they are able to sense and
transmit data without human interference. The structure of
sensors is the following: there is a power source, which is
responsible for managing energy consumption and
distribution; a radio frequency (RF) module; and a sensor or
sensing module, which is able to perceive certain
environmental impacts. Most of the time there is an Analog-
Digital Converter (ADC) attached to sensors, which can
convert analog signals into digital data (e.g., text or
numbers). The transmission and reception of data and the
control of other functions are managed by a microcontroller
module.
The RF module is necessary to be able to communicate
with servers and other devices. This module is able to put out
and receive signals.
The sensor is simply a measuring element which,
depending on its kind, can identify many environmental factors.
These are, for example, temperature, pressure, sound, light and
speed, but there are also many more specific sensors, which
can measure the composition of air, humidity or the intensity
of a magnetic field, etc. In one device there can be many
sensors functioning at the same time. The most typical
example of this is the smartphone.
3) Software in IoT
IoT systems use a variety of software solutions to
manage certain tasks. [8] To accomplish their numerous
networking and other objectives, IoT systems use platforms,
embedded systems, partner systems, and middleware.
1. Platform means a certain environment, which
determines which other software can be run on the
computer.
2. An embedded system means special software
created to manage specific
tasks. Its corresponding hardware is the
microcontroller.
3. Partner systems, in this case, mean the software
of the other IoT devices in the same
network.
4. Middleware provides the connection between the
embedded system and applications that are
accessible to users. It is also called “glue
software” because it “glues” applications
together. Thanks to middleware in IoT systems, for
instance, all the data accumulated by many programs
can be transmitted at the same time. A more
common use of middleware is in dynamic websites,
where the “offer” of the website (most of the time
advertisements) varies based on the user’s profile.
Software that fits in the framework of the systems
mentioned above mainly performs 3 key tasks: data
collection, device connection and real-time analysis.
1. Data collecting software manages sensors,
measurements, data-filtering, and basic security
tasks. This software also plays an important role in
connecting the IoT devices; it distributes the
gathered information based on the programmed
settings, for example. Lastly, this software also
executes the transmission of all the collected data to
the central server.
2. Software responsible for device connection
provides the linkage with all the partner systems. It
provides consistency and stabilizes the network
among devices. This software is key to the system
because there is no Internet of Things without it.
It manages a variety of applications and protocols
and regulates inter-device communication. It is
also responsible for the extension of applications,
which allows other devices to connect to the system
(e.g., with Bluetooth).
3. Real-time analysis software breaks down the data
coming in from all the devices into a clear pattern,
which is suitable for human analysis. It can
carry out the analysis in many different ways,
depending on the demands of the given industry.
4) IoT networking technologies and protocols
IoT systems use basic networking technologies and
protocols. The most important ones are RFID (Radio
Frequency IDentification), NFC (Near-Field
Communication), low energy wireless networks, radio
protocols, LTE-A (Long Term Evolution Advanced) and
Wi-Fi-Direct. These technologies are also called unique identification
technologies because, thanks to them, the connected devices are
separable, trackable and accurately identifiable.
1. NFC and RFID provide an astounding opportunity
to manage the several tasks performed by an IoT
device. RFID is a 2-way transmitter-receiver
technology, which not only establishes
communication but also makes the devices
trackable and accurately identifiable. NFC works in
a similar way, but it typically consists of protocols
necessary for the communication between mobile
and traditional (e.g., servers) devices.
2. The main advantage of low energy wireless
networks is that they reduce consumption in
systems, which otherwise require a lot of energy to
function. This way sensors can operate quite a bit
longer, and the lifespan of such systems is also
increased in general. For such networks to
function, a constant connection between devices is
required. A typical example is Bluetooth.
3. Radio protocols like ZigBee, Z-wave, etc. establish
low-frequency private networks. Creating a local
network in this way is the most cost-efficient and
effective at the same time.
4. Using LTE-A in IoT systems improves the range
and intensity of signals, increases the
maximum amount of transmitted data and reduces
latency. This technology is used, for example, in in-car
applications, drones, and 4G networks.
5. Wi-Fi-Direct is a technology, which makes it
possible for devices to connect without the
necessity of a wireless access point (WAP). In this
case, devices are able to transmit data with the
speed of Wi-Fi, but due to the lack of an
intermediate wireless access point latency is greatly
reduced. The connection of Wi-Fi-Direct devices
usually happens with the help of NFC or Bluetooth.
III. LEGAL AND SECURITY CHALLENGES OF IOT
A. The need for regulation
Obviously, IoT solutions have many advantages, but
using these systems can be dangerous as well. The Internet of
Things raises many legal and security-related questions.
According to James Scott and Drew Spaniel, we cannot even
grasp all the possible risks of IoT. Many lawyers
agree that institutions and enterprises need a
separate legal framework solely related to IoT. The main
focus of such regulations would be protecting privacy and
personal data. All data that is related to an identified or
identifiable natural person (even if encrypted or recorded under
feigned names) counts as personal data. The only exception is
anonymized information, where the identification of the
affected person is no longer possible. [9]
In the research of the Global Privacy Enforcement Network,
which was published in their report in 2016, a violation of
privacy and the related law was identified in 2/3 of IoT
systems. [10] Most of the time clients were not even
informed that their personal data was gathered.
Self-evidently, these clients didn’t know what their personal data
was used for, where and how long it was stored or what
the conditions of making it public were. In 3/4 of the cases, the
clients did not have any possibility to ask about their
personal data and its usage or to make a complaint. [11]
Furthermore, the increasing popularity of wearable devices
that track mood, habits, health status, etc., also presents a
variety of new privacy challenges.
Of course, the issues are not only related to personal data;
IoT is also vulnerable to hacking. There are
millions of unsecured, attackable devices and systems.
Unauthorized access might paralyze infrastructure and other
important networks (e.g., Smart Home environments) and, as
IoT devices surround us in our everyday lives, it could
also put human lives in danger. And even if hackers do not
directly threaten lives, they can obtain sensitive
personal and corporate information and exploit it by revealing it.
B. Protection of personal data
The two most important areas of the protection of
personal data are data protection and data security. Data
protection means written regulation related to the collection,
usage, storing and sharing of personal data. In other words,
data protection specifies who can do what with what
kind of personal data, so here we are talking about the legal
aspects of data protection. In contrast to data protection, data
security includes those technical solutions which are
supposed to prevent illegal acquisition, changing or deletion
of personal data. Data security is an IT-security related
approach. To sum up, both data protection and data
security deal with the protection of personal data, but data
protection handles legal aspects, while data security deals
with technical issues. Based on this we distinguish legal and
security challenges. [12]
First of all, we have to mention the lack of control over
personal data. In IoT systems, a lot of data gets accumulated,
stored and transmitted. In most cases, users have no insight
or any kind of influence on the actions mentioned before.
Because of this, we can say that users cannot control the
usage of their personal data.
Secondly, it is important to underline the quality of
consent. Most IoT devices do not specify how
the personal data is going to be used; they only ask for
permission. In this case, users are not aware of how
their personal data is actually going to be utilized.
Thirdly, there is the re-use of personal data, which is closely
related to the quality of consent. Many times users give
their permission to use their data in a certain case, but after
that their data is often reused for other purposes like
research. The problem here is that most of the time users
did not give authorization for these other actions.
The next one is the so-called data aggregation, which
means that by collecting the personal data of all applications
and devices people use, there is a possibility to create a very
accurate picture of a person and his habits. Obviously
gathering data this way and potentially exploiting it is a
heavily infringing act. In some cases, enterprises (e.g.,
Facebook and Google) use this method openly and make
users consent to it when accepting the terms of use. Of
course, this way it is not an infringement, but it can still be
very disturbing for some people.
Fifthly, using applications and services in an incognito
mode is almost impossible, even when we do not provide
any data directly. While we use our devices, it is accurately
trackable from which device, what kind of information,
when, from where and to whom was transmitted. One of the
biggest concerns is that IoT devices enable geo-localization,
which means, for example, that if we have any kind of IoT device
with us, anyone with the appropriate tools can track us
anytime.
Lastly, it is important to talk about the IT-security risks.
In many cases, IoT devices do not have appropriate
software-based protection. A good example is when manufacturers lower
the security level in order to increase the lifetime of batteries,
so they can reduce their expenses because a weaker battery
can also satisfy the expectations. This way, however, it is a
lot easier to hack these devices and acquire important
personal data, credit card information, etc. [11] Even objects
(e.g., critical infrastructure) with an appropriate security level
can become targets of cyber-criminals.
C. Hacking the Internet of Things
As the saying goes, a chain is only as strong as its weakest
link. This applies exactly to the Internet of Things. When a
hacker gains control over one IoT device, he will
immediately have access to all the other networked devices
and stored personal data. This may endanger the reputation
and even the life of a person, for instance when attackers take
control of a hospital’s IoT system. Because of this, routers,
for example, are becoming one of the most targeted devices.
It is obvious that protecting IoT systems would be very
important. Still, IoT devices and sensors are many times
open to attacks due to their low computing and battery
capabilities. Given this, traditional solutions (e.g., firewalls
and anti-malware) are also not applicable to IoT systems.
Another issue is that most IoT devices use outdated software,
which is difficult to update. Based on the research of Daniel
Miessler, the most important weakness of such systems is that
they have a simple login field, where the users only have to
enter their username and password. This problem
wouldn’t be serious if these systems were configured
properly, but most of them are vulnerable to account
harvesting, which results from the possibility of user
enumeration, a weak password policy and the lack of account
lockout. [13] Harvesting means collecting account names or
related information and potentially scamming people by
exploiting the collected information, e.g., through spam email
advertising. User enumeration means the ability to determine
account names and related information. A weak password
policy usually includes the allowance of weak passwords like
easy numbers or simple words, and most of the systems also
allow an infinite number of log-in attempts.
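The three login weaknesses named above (user enumeration, weak password policy, missing account lockout) and their counterparts, as an added Python example that is not part of the original paper; the class name, thresholds and messages are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5           # assumed lockout threshold
LOCKOUT_SECONDS = 300      # assumed lockout duration
MIN_PASSWORD_LENGTH = 12   # assumed minimum length
GENERIC_ERROR = "invalid username or password"
LOCKED_ERROR = "too many failed attempts, try again later"


def check_password_policy(username, password):
    """Return None if the password is acceptable, else the reason it is not."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return "too short"
    if password.isdigit() or password.isalpha():
        return "only digits or only letters"   # "easy numbers or simple words"
    if username and username.lower() in password.lower():
        return "contains the username"
    return None


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceLogin:
    """Login check for a hypothetical device web interface."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}       # username -> (salt, password hash)
        self._failures = {}    # submitted name -> (failure count, locked until)
        # Stand-in record so unknown names cost the same work as known ones.
        self._dummy = (os.urandom(16), os.urandom(32))

    def set_password(self, username, password):
        problem = check_password_policy(username, password)
        if problem:
            raise ValueError(problem)
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def login(self, username, password):
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return False, LOCKED_ERROR
        if locked_until:
            count = 0  # an earlier lockout has expired
        salt, stored = self._users.get(username, self._dummy)
        matches = hmac.compare_digest(_hash(password, salt), stored)
        if matches and username in self._users:
            self._failures.pop(username, None)
            return True, "ok"
        # Failures are counted per submitted name, existing or not, so neither
        # the error text nor the lockout tells real accounts from made-up ones.
        # A real device would also bound the size of this table.
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[username] = (count, locked_until)
        return False, GENERIC_ERROR
```

An interface with the weaknesses the paragraph lists would instead answer "unknown user" and "wrong password" differently, accept any password at enrolment and keep no failure counter.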
A 2014 HP study reveals that about 70% of the Internet
of Things devices, including sensors and connected
infrastructure, have vulnerabilities that could be exploited.
These devices included TVs, webcams, smartphones, Smart
Home devices (even locks and alarms), health-care and
security systems, etc. Among the key findings: 80% of
devices, including cloud and mobile apps, failed to require
strong passwords and to block devices after a certain number
of failed attempts. 70% of devices did not encrypt
communications, 60% lacked encryption for software
updates, and another 60% had insecure web interfaces. [14]
An attacker could use vulnerabilities such as weak
passwords, insecure password recovery mechanisms and
poorly protected admin platforms to gain access to a system.
These issues can all lead to account harvesting, where, in the
worst case, an attacker could determine the login details of all
users or even gain access to the whole system. A good
example is when a hacker can access video cameras due to
weak passwords, and this provides the hacker an opportunity
to access the rest of the system through inspection of the
recordings of security or other cameras. It is obvious that
because of the issues mentioned above IoT networks are
most likely to require a completely new security model with
suitable security solutions. [15]
IV. SUMMARY
The Internet of Things consists of 2 or more identifiable
networked devices, which can sense certain things (like
temperature, pressure, movement, etc.) and forward the
sensed information to a receiver device with the help of the
internet. In other words, IoT means smart devices, which are
connected to an Internet-based network.
The usage of IoT poses a risk to the users. This
includes both technical and legal risks, mainly from the aspect of
the collected personal data.
REFERENCES
[1] Harvard Business Review: Internet of Things: Science Fiction or
Fact?, Harvard Business School Publishing, 2014.
[2] J. Scott, D. Spaniel, Rise of the Machines: The Dyn Attack Was Just a
Practice Run, CreateSpace Independent Publishing Platform, 2016.
ISBN 9781540894571
[3] Coordinated development and spreading of the application of the
Internet of Things in Hungary (Az Internet of Things koordinált
fejlesztése és alkalmazásának elterjesztése Magyarországon)
Feasibility Study of IVSZ, 2014-2015, 12. p.
http://ivsz.hu/iot/iot-tanulmany/ [Accessed: 2018.09.13.]
[4] R. Mehtaa, J. Sahnib, K. Khannac, “Internet of Things: Vision,
Applications and Challenges,” Procedia Computer Science 132
(2018) 1263–1269, doi: 10.1016/j.procs.2018.05.042
[5] Ericsson Mobility Report 2015-2021
https://www.ericsson.com/en/mobility-report [Accessed: 2018.09.11.]
[6] V. Aleksandrovičs, E. Filičevs, J. Kampars, “Internet of Things:
Structure, Features and Management,” Information Technology and
Management Science, December 2016, vol. 19, pp. 78–84 doi:
10.1515/itms-2016-0015
[7] P. Waher, Learning the Internet of Things, Packt Publishing, 2015,
pp. 15-19., ISBN 9781783553532
[8] Tutorials Point – Internet of Things Tutorial, 2016, 6. p.,
https://www.tutorialspoint.com/internet_of_things/internet_of_things_tutorial.pdf
[Accessed: 2018.09.01.]
[9] Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) OJ L 119, 4.5.2016, p. 1–88 Articles 2, 4(1) and (5)
[10] Privacy regulators study finds Internet of Things shortfalls,
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/09/privacy-regulators-study-finds-internet-of-things-shortfalls/
[Accessed: 2018.09.01.]
[11] Richard Kemp: Legal Aspects of the Internet of Things, London:
Kemp IT law, 2017.
[12] D. Ábrahám, Z. Ujfaludi, A. Kiss, Internal Data Protection (Belső
Adatévédelem), Budapest: National University of Public Service,
2015, p. 39.
[13] D. Miessler, The real Internet of Things, 2017.
[14] The Internet Of Things - Priv.gc.ca. (n.d.).
https://www.priv.gc.ca/media/1808/iot_201602_e.pdf [Accessed:
2018.09.01.]
[15] Office of the Privacy Commissioner of Canada: The Internet of
Things: An introduction to privacy issues with a focus on the retail
and home environments, 2016