By Richard Eyo, Department of Mathematics and Information Security, Royal Holloway, University of London
The Internet of Things (IoT) is here to stay. Therefore, the major focus of this article is to bridge the gap between IoT and the developing world. One of the motivating factors is that most IoT devices have become vulnerable to a series of attacks, thereby threatening safety, security, privacy and even the lives of the end users. We suggest that if governments from the developing world are considering developing IoT frameworks, there is a need for more participatory groups, such as regulatory bodies, professional groups, academia, and civil societies, in order to achieve a safe and smooth implementation. These frameworks, when developed and implemented, will help to “check-mate” inferior products that have been or would be poorly manufactured by the IoT vendors, thereby ensuring no compromise of safety, security, privacy, and interoperability.
Introduction
The Internet of Things (IoT) has been defined in Recommendation ITU-T Y.2060 (06/2012) as a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies. It is a global network that connects physical devices such as household equipment (e.g. refrigerators, kettles, washing machines etc.), buildings, electronic devices, vehicles, medical equipment and manufacturing machines, which are embedded with sensors, network connectivity, software and actuators, which aid in communication and exchanging information to and from devices either through Radio Frequency Identification (RFID) or in more advanced ways (e.g. WiFi). The unique thing about the IoT is that each device will be identified and recognized in the network and could be controlled remotely.
It is expected that 50 billion devices will be connected together by 2020, although individual persons and organizations see IoT from different perspectives, for example as services or as technologies. Irrespective of their viewpoints, the primary objective is to make sure that either they provide services or buy services from others by connecting physical objects, sensors, actuators and the Internet together. According to IBM, “every company, every city, every country – every individual – is increasingly interconnected with millions of others; the cost of a bad call can be devastating. But analytics is increasingly helping business and government leaders look beyond their own biases to discern real patterns and anticipate events”.
Supporting ITU – Connect 2020 Agenda in the context of the IoT
ITU – Connect 2020 Agenda has been created to work towards the shared vision of “an information society, empowered by the interconnected world, where telecommunication/ICT enables and accelerates socially, economically and environmentally sustainable growth and development for everyone” and invited all stakeholders to contribute with their initiatives and their experience, qualifications and expertise to the successful implementation of the Connect 2020 Agenda. In order to support ITU Member States in the context of IoT achieving these goals, we will point out some of the challenges that need to be addressed, so as not to hamper the adoption and deployment of IoT in the developing world.
This is achievable if there is trust between the manufacturers of the devices, the users and the IoT devices. By that, I mean the architectural designs, network infrastructures, interfaces for communication, security and safety of the users, standards, policies, and guidelines to regulate the manufacturers and the service providers of IoT should all be in place, otherwise IoT will affect lives negatively.
Challenges of IoT deployment in developing nations
Consider the issue of existing technologies (e.g. electricity, Internet), where many developing countries are still struggling without constant power supply in terms of generation and distribution. Unlike developed countries, where the power sector is fully managed, privatized and regulated through standards and policies, in developing countries, this is more difficult and leads to serious weaknesses. Also, the process of capacity building and establishing adequate regulatory institutions has been a slow and complex one, lagging behind the entry of private operators in the electricity sector, and of course we all know the importance of electricity, as it plays a major role in the smooth operations of IoT.
Again, in most developing countries there is poor and limited internet connectivity, as, for example, in Nigeria. In my own experience, I have seen people subscribe to more than three ISPs. Not that they have so much money to do so, but because they are exposed to the trend of new technologies and are very eager to explore it. It is rather unfortunate and particularly frustrating seeing someone with sophisticated and expensive mobile devices where, due to poor services from the Mobile Network Operators (MNOs), the devices are useless in their hands. This is also because there are no strong standards and policies to keep the service providers on their toes and upgrade their services to a standard comparable with developed countries.
Another important aspect is that some IoT manufacturers are in it for making a profit, but not ready to significantly invest in research. In my own opinion, such manufacturers may not have the necessary guidelines – starting from the design, testing, to the implementation phases. There could be a tendency that those devices, which were not initially designed to connect, may be poorly reprogrammed with embedded hardware along the way in order to do so.
Therefore, there should be standardisation and regulatory bodies that regulate and certify the products, to ensure that they meet the relevant standards at all stages, before they are rolled out for use.
Safety, security and privacy of the users
Do IoT manufacturers have the safety, security, and the privacy of the users in mind during the design phase, and to what extent? Governments and utility companies are rolling out smart metering in order to improve energy consciousness and efficiency in supply and consumption. Hospitals are introducing wearable devices to monitor the health of their patients, automobile industries are producing vehicles with IoT-enabled sensors and so on.
These devices must connect to one another in order to share services. Therefore, there is a possibility that the devices could be hacked by criminals, where vital information regarding safety, security, and privacy of both the devices and the users is revealed. This could become a matter of life and death, if, for example, an IoT-enabled vehicle is hacked and the location of both the vehicle itself and the driver/owner is revealed to the hackers. Criminals could use the information to track the owner’s movements or even manipulate some important components of the vehicle either for fun or for more sinister motives.
What if, in the case of hospitals, IoT drugs dispensary equipment, which is linked to every patient’s record and connected to their wearable IoT devices for effective monitoring, is being hacked? This could be devastating to both the patients and the hospital. The life of the patient is at considerable risk, since the hacker has the patient’s medical record and therefore knows the timing and dosage of the patient’s next treatment. This gives the hacker enough information about the patient and the type of sickness, to enable him to change the type and dosage of the medication, save the record afterwards, and leave the wrong prescription for the next medical practitioner who takes over.
The hacker’s intention could be to frustrate the hospital by damaging their reputation, to intentionally kill a patient, or to get the patient’s information for the financial benefit of a third party. Of course, seeing the type of drugs dispensed to a patient will inform the hacker of the nature of the patient’s sickness, and therefore violates the patient’s safety, security and privacy.
Dumping of rejected or banned IoT devices on the developing nations
In recent times, there have been a series of complaints from developing nations concerning incessant dumping of banned and sub-standard products from manufacturers. In the medical/health sectors, for example, Nigeria and Uganda have raised concern over poorly calibrated, old machines being given to their hospitals as “donations”. India has blamed China for exporting sub-standard, low-priced equipment to their country. China has complained to Western and Japanese medical device makers about them selling dialysis kits at exorbitant prices in comparison to indigenous versions. A 2012 report in The Lancet showed that about 40% of healthcare equipment in poor countries is out of service, mainly because of ill-conceived donations. As an example, an oxygen concentrator, donated to a Gambian hospital, worked on a voltage incompatible with the country’s power supply.
If proper measures are not taken, it is obvious that more of these incidents will occur in the very near future as far as IoT is concerned, as the developed nations with strong and standardised bodies will ban or reject sub-standard goods and services from entering their countries. Of course, there are many reasons that could lead to the banning of IoT devices, such as safety, security, privacy, environmental, technological, compatibility concerns etc. The options for the IoT vendors would then be to either ship the sub-standard devices as they are, or to refurbish them and send them to developing countries, where there is very little or no regulation, in order to not lose out completely. These device shipments could be in the form of a donation, just to create a relationship with a country for subsequent business.
The danger here is that when such goods and services are banned from the developed world, the manufacturers will rush to try and cover up the mess by updating the devices. So, if the updates are not sufficient, they will stop production, since the cost of an update could be more than the cost of producing new devices. And what happens to the hundreds of thousands of devices already in circulation? There will be no updates, as the products would be unsupported or end-of-range. Again, the sub-standard devices could become a back door for hackers to get access and steal the end user’s personal information.
On the other hand, the IoT vendors stand a greater chance of losing trust, reputation and integrity if such flaws are detected. Take, for example, the Samsung Galaxy Note 7 phones, whose batteries had a high propensity to fail, leading to personal and property damage. Although Samsung officially stopped Galaxy Note 7 sales globally and urged owners to power down their phones, the banning of the phone first came from a developed nation (USA); even the airlines that banned it were from the developed world. Does that mean that the Samsung Galaxy Note 7 was not sold in the developing nations? Or that phone owners from developing nations don’t travel by air? They do! Kudos to the developed nations that they act together, regulate, and notify their citizens promptly and regularly.
Upgrade of IoT goods and services
The upgradeability of goods and services is very important for the smooth running of IoT; for the manufacturers, service providers, and of course the users. It is clear that millions of IoT users are not IT experts, and there is a tendency for them to choose or purchase as many devices as they can afford, without considering any safety, security and privacy policies. How do IoT users know when new security updates are available in order for them to update to the latest version? Are they allowed to carry out the updates themselves or are the updates set to automatic? What are the assurances that the user will even update the devices? How do they know if the updates are genuine and not malware from cybercriminals?
Updates are very achievable if the products in their original design were intended to be updated; otherwise, the reverse is the case. Therefore, whenever an update is available, there should be a secure channel of communication between the manufacturers, the service providers and the end users, in order to prevent users from installing malicious updates from cybercriminals, which would allow their personal information to be accessed by these criminals.
Managing complexity
Imagine over 50 billion devices and sensors communicating with one another in segmented networks, connected to the Internet in order to execute designated tasks. This is a very large system, which is more complex to manage if things are not well designed and implemented. Of course, the systems offer convenience to the users on the one hand, but on the other, the devices have access and connect to the user’s personal information, whether they are home or away.
According to Eduard Kovacs, as far as web interfaces are concerned, six out of the ten products listed below are plagued by persistent cross-site scripting (XSS) vulnerabilities, easy-to-guess default credentials, and poor session management. Through flaws in the cloud and mobile apps, 70% of devices can be exploited to determine valid user accounts through the password reset feature or account enumeration. Again, following HP’s report, “Internet of Things Security: State of the Union”, a total of 250 security holes have been found in the tested IoT devices – on average, 25 per device. The issues are related to privacy, insufficient authorization, lack of transport encryption, inadequate software protection, and insecure web interfaces. The 10 most common IoT devices include TVs, power outlets, webcams, smart hubs, home thermostats, sprinkler controllers, home alarms, scales, garage door openers and door locks.
Should Governments have a say in the design of the IoT?
Governments of the developing world, just as the developed world, have a significant role to play in ensuring that IoT products and services are compliant with their national policies and international standards. This can be achieved through the setting up of committees in line with the usage of devices, since IoT will cut across all facets of life. For example, medical and IT experts should be in charge of regulating medical-related IoT goods and services. The same goes for automotive, smart home etc. The major reason is that if governments do not have a say or clear idea of what IoT products and services are being purchased, in terms of safety, security, privacy, and interoperability, it could be disastrous along the way for both the governments and the individual home users, and it may be too late or very difficult to correct the anomalies, especially in the case of losing human lives.
Espionage
In my own opinion, if governments of the developed and developing nations do not have a say on the designs and specifications of the IoT or have a clear idea of what products are coming into their countries, it may lead to cyber espionage. It means that other countries, certain groups and individuals, for selfish, personal, military, political, economic interests etc., may produce devices that are more susceptible to attacks and use them as back-doors to gain access to classified, personal or very sensitive information without formal permission. As it is the government’s responsibility to protect the life and property of its citizens, it follows that the government should protect the personal information of its citizens, by knowing how the citizens’ data are being managed, and who manages them, in order not to be traded or abused.
Recommendations
Considering the above IoT challenges, such as security, safety, privacy, data management, interoperability etc., governments alone will not be able to tackle the envisaged challenges, hence the following recommendations.
- Governments of the developing world should develop their own IoT framework, or adopt one from the developed world if they do not have the necessary resources, just as Australia did when it embraced the British Hypercat framework, developed initially for IoT deployments in smart cities, in part to address perceived security issues. The framework should be interoperable with their environments, their social and economic settings, and their existing or intended technologies.
- There is a need for the governments of the developing world to participate more in groups (e.g. regulatory bodies, professionals, academia, and civil societies) to help review IoT products and services for the benefit of all. In the developed world, there are good examples of such groups, which include the US Federal Communications Commission Technological Advisory Council (FCC TAC) Internet of Things Working Group and the European Commission Expert Group on the Internet of Things (IoT-EG).
- As the IoT is here to stay, there should be some routine meetings with academia, researchers, IoT vendors, service providers etc. in order to get feedback from different areas in which IoT is deployed and to plan for the future.
Conclusion
The advantages of IoT for developing nations are enormous when smoothly adopted and deployed, as it will positively affect lives in areas such as drought/environmental monitoring, agriculture, health care, home/office automation, transportation, education, research etc. With users and machines exchanging data easily over the Internet, IoT has the capability of boosting the economy positively by saving money and time.