
GDPR Privacy Implications for the Internet of Things

Daniel Bastos, Fabio Giubilo, Mark Shackleton, Fadi El-Moussa
BT Research & Innovation,
British Telecommunications plc, Ipswich, UK
{daniel.bastos, fabio.giubilo, mark.shackleton, fadiali.el-moussa}@bt.com
Abstract. Starting on May 25th of 2018 all EU countries began to apply the General Data Protection Regulation (GDPR). This piece of legislation aims to protect and regulate data privacy and applies to any organization that holds or processes data on EU citizens, regardless of where it is headquartered. The penalties for non-compliance can be as high as 4% of global revenue for companies. As a result, compliance with GDPR is a must for companies who deal with users’ data. The hallmark for data collection nowadays is Internet of Things devices. With sensors capturing every piece of information from the surrounding environment, concerns about privacy and data breaches have never been so vital. This paper introduces GDPR concepts and principles, analyses the challenges of data protection in IoT systems, discusses the privacy implications and potential issues, presents some mitigation approaches and draws conclusions and future steps.

Keywords: Internet of Things, IoT, GDPR, General, Data, Protection, Regulation, Europe, Privacy, Anonymization.
1 Introduction
Who we are, where we are, what we do and how we do it is now, more than ever, being recorded digitally. The Internet is also bigger than ever. The number of people connected to the web in 2017 was 3.58 billion, up from 2.42 billion 5 years ago and 1.36 billion 10 years ago [1], which represents a significant increase in global connectivity. Enter the Internet of Things (IoT), a new paradigm of Machine to Machine (M2M) communication based on IP connections. In 2018 the number of IoT connected devices alone is expected to exceed the world’s population [2]. The Internet of Things promises complex systems that sense the external environment and take decisions without the need for human intervention. What this means is that a lot more information about human life is going to be collected and processed by these systems, with some environments such as Smart Homes being capable of sensing and managing very sensitive and personal data. This makes data protection a must-have feature in IoT systems.

When a data breach happens it could have a significant impact on people’s lives depending on the sensitivity of the data. The entity that suffered the breach also faces immediate financial costs. In order to recover from the incident an investigation is needed, potentially involving a lot of people and resources. The loss of trust from its users and stakeholders also damages the brand image as a whole. A Ponemon Institute study from June 2017 [3] estimated the global average cost of a data breach at $3.6 million, or $141 per data record.

The General Data Protection Regulation 2016/679 (GDPR) came into force on 24th May 2016 and effectively started on 25th May 2018. It replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. GDPR applies to any organization that holds or processes data on EU citizens, regardless of where it is headquartered, and the penalties for non-compliance can be as high as 4% of global revenue or €20 million, whichever is greater.

The rest of this paper is organized as follows: Section 2 introduces GDPR concepts and principles and Section 3 presents data protection challenges in IoT. In Section 4 the major privacy implications for IoT are discussed and mitigation approaches are introduced. Finally, Section 5 draws some conclusions and future steps.
2 GDPR’s Concepts, Principles and Compliance
The EU General Data Protection Regulation (GDPR) is “the most important change in data privacy regulation in 20 years” and to understand it there are a number of concepts and principles that need to be introduced. The key concepts to learn are: Personal Data, Sensitive Personal Data, Anonymous and Pseudonymous Data, Data Subject, Data Controller, Data Processor, Processing, Consent and Data Breach, which are defined in Article 4 of GDPR [4]. The principles of GDPR are: accountability; the purpose limitation principle; data minimisation; fair, lawful and transparent processing; accuracy; data retention periods; and data security [5]. The key rights and obligations of Data Subjects, Controllers and Processors are: breach notification, right to access, right to be forgotten and privacy by design.

It’s important to highlight that GDPR compliance is not just a generic sequence of steps that every business needs to follow. Companies are obliged to perform Data Protection Impact Assessments (DPIAs) and appoint a Data Protection Officer (DPO); however, compliance methods and tools are specific to each business because of the nature of the data that it holds and generates.
3 GDPR Challenges in IoT
The Internet of Things (IoT) is largely based on the combination of real world sensors with the power of the Internet. The sensors collect information from the external environment and the data is then combined with cloud-hosted information and analysed as a whole in order to produce contextual actions or give contextual advice. As a result, the more data available the more the system is capable of producing the right/best outcome. Unlike human-based systems, the IoT is capable of working 24h a day, 365 days a year and storing everything it collects for easy access, so it doesn’t forget a thing.

Nowadays there are sensors for capturing almost every single piece of information from the environment. Some examples of sensors are: image, video, sound, location, proximity, temperature, humidity, acceleration, pressure, gas and heartbeat. In a world where data has become a profitable asset, the sensor-ridden IoT world poses a potential threat. Uncontrolled collection of information in sensitive environments like Smart Homes requires strong data protection and privacy controls.
3.1 Consent
GDPR compliance in IoT environments comes with a lot of challenges. The first is consent. Can we control which data are collected about whom, or which data are collected at all? Can a guest forbid collection of his/her data while in the house? Current IoT systems struggle to provide this kind of control, and M2M communications are based on the very fact that human input isn’t necessary for the system to work. Online services usually have a Privacy Policy where they state which kinds of data they collect and for what purposes. Accepting this document before using the service is mandatory and is considered consent, but this is a static document that doesn’t fit the dynamic nature of IoT. Often written in a way that is difficult for the average person to understand, it is also a one-time decision that strips away the power for the user to be able to modify/customise what will be collected. Another issue is that in IoT environments a person is not always an active user of whatever service is collecting his/her data, so that person didn’t provide any kind of consent and might be completely unaware that their data is being collected. Often the only solution right now is to turn off the sensor(s), which effectively disrupts or completely breaks the system. The GDPR states that consent must be given by a statement or a clear affirmative action, and for public IoT environments where privacy can be an issue there’s still a long way to go to accomplish a comprehensive and verifiable way to fully handle consent.
3.2 Data Minimisation
The second challenge is data minimisation and the purpose limitation principle. In a Smart Home environment the sensors deployed can collect highly personal information. Limiting data collection to what is necessary in relation to the purposes for which those data are processed is perhaps unfeasible in this environment. For example, audio and video are captured in raw form, so the only way to limit data collection is to censor it right after it’s captured, which leads us to the next challenge.
3.3 Transparent Processing and the Right to be Forgotten
The third challenge is transparent processing and the right to be forgotten. Consider the user having accepted a Privacy Policy and knowing exactly what is being collected. Does the current service allow the user to see how that data is being handled? For example, how many times was specific information collected in a day, where was it being sent and what path did it take to get there? Was it shared with third parties, and if so which? This is very relevant to GDPR given that data about European citizens should be stored inside the European Union and adhere to EU laws. The Data Subject Access Request (DSAR) is a GDPR tool that allows individuals to request access to data that a company holds about them. The right to be forgotten is an exclusive European right, where a company must erase all data that it holds about an individual when requested to do so. In IoT, both transparent processing and the right to be forgotten become more complex to deal with, starting from the fact that data will possibly jump from device to device many more times than usual before arriving at the final destination where it will be permanently stored. Hence, for companies it will be harder to track where every piece of data is located, not only for visualisation and transparency but also for the purposes of erasure [6].
3.4 Data Breach Reporting
The fourth challenge is breach reporting. Data breaches in 2017 caused chaos, with big companies such as Equifax failing to secure customer data [7]. While there’s no lack of tools to protect data, breaches tend to occur because of bad security practices or accidental mistakes. The GDPR defines a 72-hour deadline for companies to report data breaches to Data Protection Authorities (DPAs) after having become aware of them. This is likely to prove extremely challenging for everyone given that assessing the extent and consequences of a data breach is difficult. In IoT environments, finding and assessing a data breach among hundreds or thousands of devices deployed will definitely prove to be no mean feat.
3.5 Privacy by Design and Data Security
The fifth challenge is privacy by design (or by default) and data security. GDPR explicitly requires data controllers to implement effective and provable measures to guarantee a user’s privacy and confidentiality. Considering the IoT context, this represents an even tougher point to take into account, due to the nature of these devices, which tend to have limited hardware and simple system configurations, making the deployment of advanced and effective security mechanisms difficult. In-depth authentication measures and advanced techniques, such as fully homomorphic encryption (FHE), are likely to be ruled out. A recent survey on IoT protocols and security risks also shows that there’s still a long way to go to protect IoT systems [8].
4 Privacy Implications
4.1 Background
GDPR Article 32 [9] clearly states that controllers and processors must implement appropriate and effective privacy preserving mechanisms, such as anonymization and pseudo-anonymization. Although these both aim at de-linking certain personal information within the data, the process to accomplish this is quite different. Anonymization focuses on suppressing personal attributes, usually referred to as PII (personally identifiable information) [10], to prevent reconstruction, therefore the attributes are destroyed. A hash function is an example of anonymization. On the other hand, pseudo-anonymization is a procedure where personal attributes are replaced with others that are linked to the original ones. Tokenization is an example of pseudo-anonymization.

Privacy and data protection are GDPR topics that are particularly relevant and challenging for IoT devices.

Some commentators say that we are moving towards a surveillance economy, where governments and organizations try to profile individuals as best they can, in order to provide more useful and desirable services. Therefore privacy has never been more important than it is nowadays, considering we are living in the era of connected devices, with huge amounts of data collected and exchanged by them.
4.2 Standards & Compliance
Standard ISO 27001 is a certification scheme for cyber security management within organizations. It is a best practice guide for comprehensive information security, mainly including people, processes and technology. By implementing it, organizations will have an Information Security Management System (ISMS) which should provide compliance with GDPR [11].

Regarding the GDPR subjects of data protection and privacy, as pointed out in Article 32, having an ISMS aligned with ISO 27001 provides certain guarantees in regard to encryption of data (recommended) as well as confidentiality, integrity and availability (CIA), risk assessments and testing.
4.3 Concerns
In this sub-section we propose some use cases, intended as potential scenarios to raise privacy concerns that might actually arise in our current society but which could be mitigated thanks to GDPR. Note that our interpretation of a smart device is intended as any device constantly connected to the internet.

The first use case is oriented to a smart home context. In this environment we might find devices such as: TV, bed, home pod, vacuum cleaner, lights, fridge and toothbrush. These devices, by nature, constantly collect and share data with the manufacturer and/or other 3rd parties, in order to work and properly provide their services. For example, a smart TV can collect information about programmes watched, or the times when the TV is used, in order to provide a tailored guide. A bed can collect the time that users go to sleep and wake up, for a sleep analysis and monitoring routine. Lights can collect data for improved energy consumption. This scenario raises the following privacy concerns:

1. What if these devices actually collect more data than they are supposed to and allowed to? Is there actually a way to find out?
2. What if the data collected can be accessed by (or sold to) third parties, or available for free on the internet? Are users clearly aware about how this information is collected, stored and shared?

Surya Mattu [12] was able to demonstrate a scenario where the smart home was silently spying on everything and everyone in the house. Moreover, in the U.S. a TV manufacturer has been found guilty and admitted spying on its customers to sell this information to 3rd parties [13]. Another potential situation entails home pod devices such as Google Home or Amazon Echo. Amazon Echo contacts the service every 3 minutes, regardless of its usage, therefore what if it could be turned into an “always passive recording” mode? Would users be happy if Amazon (and/or someone else) were listening to all their personal conversations? Would they, at least, be aware of it?

Data ownership is an important aspect to take into account for privacy. Often users assume when buying and installing IoT devices that they own and control the devices and the data shared and collected, which is not necessarily correct. Many manufacturers implicitly state, in their tedious “Terms and Conditions Agreement”, that the data collected by those devices belong to them and they are free to share or sell to third parties. Data accessed by astute burglars, such as data collected by smart lights, could indicate when victims are not at home, to break in [14].

A second use case concerns devices that profile users for specific marketing and track the behaviour of individuals. Let us consider a scenario with a smart fridge and wearable devices aiming at tracking a user’s health activity, such as fitness bracelets for heart rate monitoring purposes. What if the data collected by the smart fridge, such as the food usually bought and stored in it, and the fitness bracelet, such as the usual heart rate frequencies and beat, were available on the internet? Would that be a privacy concern for the user? Would the user be sufficiently aware of it?

To answer these questions, let us hypothesize the following example. A life & health insurance company has developed an advanced proprietary algorithm to spot and guess heart diseases when heartbeat frequency input is provided. The estimate might be even more accurate if extra information is provided, such as the user’s average diet. Therefore if this fictitious company is able to, somehow, get data regarding fitness bracelets and smart fridges, it can easily and accurately profile specific individuals, studying their habits, in order to charge higher rates. Another example could be where employers wish to monitor their employees’ productivity and behaviour. Let us suppose that employers were able to access data coming from smart beds and lights of their employees. They could assume that if an employee did not sleep enough or had stayed with lights on for a long time, that employee would not be productive the following day, therefore the employee will be monitored and possibly fined.
4.4 Mitigation approaches
One approach to mitigate the previous privacy issues and also comply with GDPR consists of adopting a more efficient and lightweight encryption scheme, such as one based on elliptic curves, where due to its natural mathematical complexity, keys are smaller and the encryption process is also simpler and lighter (from a computational point of view), therefore more suitable for those IoT devices with limited hardware capabilities [15, 16].

Another potential solution, when encryption cannot take place, is proposed as a model with three different approaches in a smart home context, shown in Figure 1 below, based on a user’s trust level with regards to IoT vendors:

1. Users trust the manufacturer to handle the anonymization of their data. In this approach the anonymization is applied by the vendor, before storing the collected data and sharing it with potential 3rd party services. The data is sent in clear from the user’s home.
2. Users do not trust the vendor to handle the anonymization of their data but they do trust a 3rd party service. In this approach, the data is sent in clear from the user’s home to a remote trusted 3rd party, acting as a proxy/middleware, who applies the anonymization itself and then forwards the anonymized data to the vendor. It might be thought of as an ‘anonymization as a service’ solution.
3. Users do not trust the vendor, nor a 3rd party service. In this last approach, the anonymization is performed locally, according to the user requirements. In our configuration the anonymization process takes place in the edge router, just before the data is sent directly to the vendor.

Fig. 1: Three different approaches, based on a user’s trust level with regards to IoT vendors in a smart home context.
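
The third approach above (anonymization in the edge router), together with the anonymization versus pseudo-anonymization distinction from Section 4.1, sketched as an added example that is not code from the paper. The class, field names, policy and sample records are hypothetical; the hash is keyed with a router-held secret, an assumption made here because an unkeyed hash over a small identifier space can be re-linked by anyone who hashes candidate values.

```python
import hashlib
import hmac
import secrets
from datetime import datetime


class EdgeAnonymizer:
    """Hypothetical filter run on the home edge router before telemetry leaves."""

    def __init__(self, suppress, tokenize, hash_fields, blocked_sensors=()):
        self.suppress = set(suppress)            # fields dropped entirely
        self.tokenize = set(tokenize)            # pseudo-anonymized, reversible locally
        self.hash_fields = set(hash_fields)      # anonymized with a one-way keyed digest
        self.blocked_sensors = set(blocked_sensors)  # sensors the user opted out of
        self._hash_key = secrets.token_bytes(32)     # never leaves the router
        self._token_for = {}                     # original value -> token
        self._vault = {}                         # token -> original value

    def _tokenize(self, value):
        # Tokenization: a random stand-in linked to the original via the vault.
        if value not in self._token_for:
            token = "tok_" + secrets.token_hex(8)
            self._token_for[value] = token
            self._vault[token] = value
        return self._token_for[value]

    def detokenize(self, token):
        # Only the vault holder (the user's router) can map a token back.
        return self._vault[token]

    def forget(self, value):
        # Erasing the vault entry makes tokens already sent unlinkable locally.
        token = self._token_for.pop(value, None)
        if token is not None:
            del self._vault[token]
        return token

    def _digest(self, value):
        mac = hmac.new(self._hash_key, value.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:16]

    def rotate_hash_key(self):
        # After rotation, old digests can no longer be recomputed or matched.
        self._hash_key = secrets.token_bytes(32)

    @staticmethod
    def _coarsen(timestamp):
        # Data minimisation: keep the hour, drop minutes and seconds.
        ts = datetime.fromisoformat(timestamp)
        return ts.replace(minute=0, second=0, microsecond=0).isoformat()

    def process(self, record):
        """Return the record as it may leave the home, or None if blocked."""
        if record.get("sensor") in self.blocked_sensors:
            return None
        out = {}
        for field, value in record.items():
            if field in self.suppress:
                continue
            if field in self.tokenize:
                out[field] = self._tokenize(str(value))
            elif field in self.hash_fields:
                out[field] = self._digest(str(value))
            elif field == "timestamp":
                out[field] = self._coarsen(value)
            else:
                out[field] = value
        return out


# Constructed sample telemetry (not real device output).
SAMPLE_RECORDS = [
    {"sensor": "bed", "device_mac": "02:00:00:00:00:01", "owner_name": "A. Example",
     "room": "bedroom-1", "timestamp": "2018-05-25T22:47:13", "event": "occupied"},
    {"sensor": "bed", "device_mac": "02:00:00:00:00:01", "owner_name": "A. Example",
     "room": "bedroom-1", "timestamp": "2018-05-26T06:58:40", "event": "vacated"},
    {"sensor": "microphone", "device_mac": "02:00:00:00:00:02", "owner_name": "A. Example",
     "room": "kitchen", "timestamp": "2018-05-26T07:05:02", "event": "audio_frame"},
]


def run_demo():
    """Apply a hypothetical user policy to the constructed records."""
    anonymizer = EdgeAnonymizer(
        suppress={"owner_name"}, tokenize={"device_mac"},
        hash_fields={"room"}, blocked_sensors={"microphone"},
    )
    outbound = [anonymizer.process(r) for r in SAMPLE_RECORDS]
    return anonymizer, outbound


if __name__ == "__main__":
    _, sent = run_demo()
    for item in sent:
        print(item)
```

The vendor still sees a stable pseudonym per device, so its service keeps working, while the mapping back to the real identifier stays inside the home.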
5 Conclusions and Future Steps
GDPR represents a major challenge for IoT developers, manufacturers and service providers given the lack of an established strategy for securing, managing and updating IoT devices. For users, it represents the most comprehensive legal instrument to help protect their rights in the digital age, in a period where their privacy is increasingly under threat.

In this paper we have described privacy concerns and requirements arising from the GDPR for Internet of Things (IoT) services, illustrating these in the context of some concrete scenarios. We have also described some promising directions to begin to address these concerns going forward. It’s clear that privacy techniques will play an important role in the future of IoT, driving its adoption, hence research in this field is needed to develop the best tools to protect users.
Acknowledgement
We acknowledge financial support for this work provided by the European Commission’s Horizon 2020 research and innovation programme under the grant agreement No. 675320 (NeCS).
References
1. Number of Internet Users Worldwide, https://www.statista.com/statistics/273018/number-of-internet-users-worldwide/, last accessed 1/05/2018.
2. IoT Outnumbers World’s Population, https://www.zdnet.com/article/iot-devices-will-outnumber-the-worlds-population-this-year-for-the-first-time/, last accessed 3/05/2018.
3. Data Breaches cost per second, https://www.csoonline.com/article/3251606/data-breach/what-does-stolen-data-cost-per-second.html, last accessed 5/05/2018.
4. GDPR Key Definitions, https://www.whitecase.com/publications/article/chapter-5-key-definitions-unlocking-eu-general-data-protection-regulation, last accessed 7/05/2018.
5. GDPR Principles, https://www.whitecase.com/publications/article/chapter-6-data-protection-principles-unlocking-eu-general-data-protection, last accessed 7/05/2018.
6. GDPR right to erasure, https://www.computerweekly.com/news/450419459/Finding-customer-data-is-big-hurdle-to-meeting-GDPR-right-to-erasure, last accessed 9/05/2018.
7. Biggest Leaks and Data Breaches of 2017, https://www.zdnet.com/pictures/biggest-hacks-leaks-and-data-breaches-2017/11/, last accessed 11/05/2018.
8. Bastos, D., Shackleton, M., El-Moussa, F.: Internet of Things: A Survey of Technologies and Security Risks in Smart Home and City Environments. In PETRAS Living in the Internet of Things 2018 IET Conference, London (2018).
9. GDPR Article 32, https://gdpr-info.eu/art-32-gdpr/, last accessed 20/05/2018.
10. McCallister, E., Grance, T., Scarfone, K.A.: Guide to protecting the confidentiality of personally identifiable information (PII). NIST SP-800-122 (2010).
11. GDPR and ISO 27001, https://www.itgovernance.co.uk/gdpr-and-iso-27001, last accessed 22/05/2018.
12. The house that spied on me, https://gizmodo.com/the-house-that-spied-on-me-1822429852, last accessed 25/05/2018.
13. Vizio settles in spying case, https://www.washingtonpost.com/business/economy/vizio-agrees-to-pay-22-million-to-settles-ftcs-television-spying-case/, last accessed 27/06/2018.
14. Giaconi, G., Gunduz, D., Vincent Poor, H.: Privacy-Aware Smart Metering: Progress and Challenges, https://arxiv.org/abs/1802.01166 (2018).
15. Batina, L. et al.: Low-cost elliptic curve cryptography for wireless sensor networks. In European Workshop on Security in Ad-hoc and Sensor Networks (pp. 6-17). Berlin (2006).
16. Malhotra, K., Gardner, S., Patz, R.: Implementation of elliptic-curve cryptography on mobile healthcare devices. In Networking, Sensing and Control, IEEE Conference (pp. 239-244) (2007).