Issue 52

Security aspects of the "connected world"

Bogdan Hruban
Project Manager IoT @ NTT DATA Romania


We live in a world that is used to thinking about household products, accessories, cars and all the items we rely on daily purely in terms of the purpose they were created for. A coffee machine, for example, will help you start the day better, while the wrist bracelet, a shiny / colourful item, is meant to fit in with your look and mood.

Each new generation of such products comes with surprising new features. Out of these products, the connected devices give you an endless set of options, ways to know yourself better and make your life easy and fun.

You can start the coffee machine remotely by pressing a button or with a phone call, so it will be ready just the way you like it when you go into the kitchen. The wristband will help you keep better track of that part of your daily routine you do not normally pay much attention to: walking, standing, sleeping.

While all these products seem to surpass their forefathers, we still do not jump into using them right away. Why would this happen? To be honest, the adoption rate of such devices is more rapid than the switch that happened a few years back in the mobile world: from the usual phone (call and text messages) to the smart phone.

This is a great sign, as the new generation of devices comes with tons of benefits. They also raise some concerns about data privacy and data security, concerns that only a few people are aware of and even fewer do something about.

These devices get connected to more and more of the world we live in and record information about us all the time. Unlike your best friend, they never get tired of counting the steps that you made in the last hour or day.

What happens to all this data? Where does it go and who has access to it?

One of the major benefits of smart devices is that they can provide more and more accurate information about you as time passes. They get to know you a lot better, by recording and processing your data patterns: the time you wake up, the time you go out for a walk / run, how long you run, how fast, how often, your heart rate during such actions and many more. These minute "friends" record all our actions to help us. They can warn you if you sleep too much / too little, if you should go for a walk now, if you sat at the desk for 4 hours straight, if you have a suspiciously high pulse for your age and so on.

To provide this information, most of the devices transmit it to a central database for storage and more accurate insights. Now we come to the tricky part: How is the information transmitted? How is it stored? Who can tap into the connection and see my data? To be honest, a lot of the manufacturers of the first generation devices have almost overlooked the security aspect. This makes me wonder if data security is a real threat to me as a user of the coffee machine. In the beginning it was not, because there was little knowledge on how to use it, no real standard existed yet, the adoption rate was low and it made little sense for one to spend a lot of time learning how to hack data that will no longer be valid with the next generation of coffee machines.

As products evolve and the adoption rate increases, the concern becomes ever more justified, as, from a coffee machine, one could determine the time when a person gets up in the morning, the person's mood (based on the strength of the coffee), if they are alone in the house and many more. Do you understand why data security is important for connected devices?

Security was always a big thing and I was under the impression that, most of the time, it was considered important only after something bad happened.

In the connected world (IoT), where the volumes of data amount to millions of times what we had until now, security should be among the first features added to the gadgets.

We already have constructive showcases of white-hat hackers taking control of a running car from miles away. This example was among the most marketed, as people can easily relate to it.

I wrote about this topic mainly for the engineers who design and implement the next generation of smart devices, as they should be aware that security is an issue of the same importance as the main features of the device.

The most common threat that involves the small devices connected to the internet (IoT) is the DDoS attack.

On September 20th, 2016, the largest attack of this type was launched against the French hosting company OVH and several others. It directed over 1 Tb/s (terabit per second) of traffic at the hosting company.

Below is a snapshot provided on Twitter by the founder of OVH.

Behind it all was the "Mirai" botnet, which targeted the BusyBox systems (SSH vulnerabilities) mostly found on home-based routers and IP cameras.

In this attack, 145607 cameras/DVRs (1-30 Mbps per IP) were used, which could send a DDoS of over 1.5 Tbps (types tcp/ack, tcp/ack+psh, tcp/syn). Control over the devices was taken by using the manufacturer's default username and password. To make matters even more "fun", a part of the Mirai source code was leaked over the internet.
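One way a device maker can close the default-credential path described above, as an added example that is not part of the original article: a first-boot gate that refuses every network login until the owner replaces the factory password. The class name, the policy threshold and the sample credentials are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of factory credentials (assumption, not from the article).
FACTORY_DEFAULTS = {("admin", "admin"), ("root", "12345"), ("user", "user")}
MIN_LENGTH = 12  # assumed policy threshold

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class DeviceAuth:
    """Hypothetical first-boot credential gate for a connected device."""
    def __init__(self, factory_user, factory_password):
        self.user = factory_user
        self.salt = os.urandom(16)
        self.digest = _digest(factory_password, self.salt)
        self.provisioned = False  # network logins stay disabled until True

    def _matches(self, password):
        return hmac.compare_digest(_digest(password, self.salt), self.digest)

    def violations(self, new_password):
        """Return the policy rules a candidate password breaks."""
        found = []
        if len(new_password) < MIN_LENGTH:
            found.append("too short")
        if new_password.lower() == self.user.lower():
            found.append("same as username")
        if any(new_password == pw for _, pw in FACTORY_DEFAULTS):
            found.append("known factory default")
        return found

    def set_password(self, current, new_password):
        """Owner replaces the factory password during local setup."""
        if not self._matches(current):
            return ["current password incorrect"]
        found = self.violations(new_password)
        if not found:
            self.salt = os.urandom(16)
            self.digest = _digest(new_password, self.salt)
            self.provisioned = True
        return found

    def remote_login(self, user, password):
        """Refuse every network login while factory credentials remain."""
        if not self.provisioned:
            return False
        return user == self.user and self._matches(password)
```

Because `remote_login` checks `provisioned` before anything else, a device that ships with a factory password is unreachable with it over the network, even if the owner never completes setup.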

To end on a positive note, there are committees already established to address the security concern for such devices. These committees are supposed to establish (and enforce) some guidelines that the manufacturers can follow to be able to enjoy their morning coffee.



