Assuring privacy and data security on connected devices.

A dive into Qbit’s GDPR Device Testing Service.

Posted on August 22, 2019 in Blog.

Executive summary

In the rapidly changing world of the Internet of Things (IoT), connected devices are providing consumers with ever greater functionality and delivering more innovative interactions. These developments, seen as positive for consumers, can also introduce risks to the security of personal data and other stored information. Should such data be compromised, it can have serious consequences for both the consumer and the businesses that developed (or supplied) the devices. Action is therefore needed now, anticipating the risks and the threat of a device being hacked, by improving the implementation of your device software and connected services in terms of privacy and data security.

Qbit tests the effectiveness of the security of IoT devices and GDPR compliance for different industries involving internet-connected devices. The GDPR Device Testing Service helps to ensure the secure and GDPR conformant handling of personal data by your device.

Introduction

The EU General Data Protection Regulation, the GDPR, has alerted many organisations and individuals to the need for safeguarding information and personal data against the dangers of cybercrime. Though threats from cybercrime existed before this legislation came into force, the proliferation of connected ‘Internet of Things’ devices has increased the opportunities for attack and the potential impact.

Awareness of cybersecurity issues has become increasingly more important for businesses as a result of evolving cybercrime, public opinion and legislation. A key driver is the previously mentioned GDPR. Safeguarding information and personal data is paramount to protect against threats, as is the need to address risks and minimize the negative impact for individuals and businesses.

According to the annual Ericsson Mobility Report, there will be around 29 billion connected devices worldwide by 2022. Nearly two-thirds of these will be Internet of Things (IoT) devices, ranging from connected cars, meters, wearables and home appliances to all types of consumer electronics. This offers the consumer more flexibility and allows, for example, simple control of their devices from a smartphone. Furthermore, the increasing trend of embedding artificial intelligence in devices adds to their capabilities, but can also broaden the opportunities for cybercrime.

Problem definition

As device capabilities and flexibility increase, the risk to users increases with them. Imagine roughly 20 billion smart devices operating and collecting many different types of information from users: for example, names and locations, financial information, sleep patterns, behavioural patterns and healthcare information. If these devices are not properly secured, there are enormous risks to user privacy, but potentially also to user health, safety and general wellbeing. Furthermore, beyond the impact on the user, there is also the business impact on the organisations selling the devices and providing the connected services, should those devices be compromised.

Below, we will outline some of the risks and threats users are exposed to and how these need to be addressed in IoT devices in order to comply with GDPR and other (regulatory) frameworks. Safeguards must be implemented to prevent personal information from falling into the wrong, or malicious, hands, or from being used for purposes other than those for which it was collected (which is unlawful under the legislation).

Inadequately incorporating user privacy and security in the technical design leads to compliance risks for businesses. Examples include tracking functionality enabled by default, unnecessary data collection, and the combining of different types of information without the user ever being made aware of it.

When this information is exposed to hackers, the impact on users can be severe. For manufacturers, non-compliance can lead to fines and penalties in the short term, but exposing users to privacy and security risks also has longer-term effects: it damages the public image of the company and can lead to liability when personal information is exposed.

What effort does the manufacturer put into securing an IoT device and the information it collects and processes? Partly because GDPR is now in effect, this question is becoming increasingly pressing. Manufacturers are now obliged to put appropriate effort into securing and safeguarding users and their personal data.

High-Level Solution

As said, organizations offer products that pose enormous threats to user privacy and security, without the user being aware. The question is not whether you will be hacked but when and how often. The Qbit GDPR Device Testing Service checks a required set of control objectives to monitor GDPR-compliance from the technical perspective. These technical controls are derived from the principles for data protection detailed in the GDPR. Test results are reviewed by our privacy and legal experts.

The core elements of the GDPR Device Testing Service from Qbit include:

  • Testing the communication to and from devices.
  • Conformance to security requirements.
  • Analysis of the firmware of products to see whether it is possible to extract sensitive data.

Solution details

With the GDPR Device Testing Service, Qbit tests the effectiveness of the security of IoT devices and GDPR compliance from different manufacturers. GDPR device testing focuses on providing answers to GDPR-conformance regarding the following:

  • Is it possible to gain (elevated) access to the device from the network?
  • Is it possible to gain access to sensitive (user) information stored on the device from the network?
  • Is the attack surface of the device kept minimal, to prevent exploitation of (future) vulnerabilities?

The testing controls are based on the principles for data protection, and specifically address data minimisation, privacy by design and default, transparency - among others - from a technical point of view. The testing approach is layered:

  • Testing the attack surface of the device, i.e. checking which network services the device exposes. These services are then tested for publicly known vulnerabilities and hardening issues using a variety of testing tools, and additionally for not yet publicly known (zero-day) vulnerabilities.
  • Testing the communication to and from the device, such as the interaction an end user has when installing the device, configuring features or setting passwords. This includes the update mechanism and the interaction with the APIs used by apps running on the device. The use of encryption is specifically addressed in this topic.
  • (Basic) analysis of the device firmware, to try to extract sensitive data (such as default passwords or encryption keys) from the image and to check whether the image is protected against manipulation.
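As an illustration of the third layer, the script below (an added example written for this post, not Qbit's own tooling) searches an unpacked firmware image for the kind of data an attacker would extract from it: PEM-armoured private keys, password hashes in /etc/shadow records, credential-looking configuration entries, and URLs that carry a username and password inline. It works on raw bytes, so it should be run over the extracted root filesystem (for example after carving the image with binwalk); the image at the bottom is constructed for the demo and the patterns are heuristics, not an exhaustive list. Byte offsets are recorded so that each finding can be reproduced, and secret values are masked in the report.

```python
"""Scan an unpacked firmware image for embedded secrets.

Added example for this post, not Qbit's own tooling. It runs over a raw
byte blob (an extracted root filesystem, or a whole image after the
filesystem has been carved out of it). SAMPLE_IMAGE at the bottom is a
constructed sample, not data from any real device.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    kind: str     # private_key | password_hash | credential | url_credential
    offset: int   # byte offset in the image, so a reviewer can reproduce it
    detail: str   # what was found; secret values are masked


# Files inside an image are often NUL-padded rather than newline-separated,
# so "start of record" means: start of data, or right after a NUL or newline.
_BOL = rb"(?<![^\x00\n])"

# PEM-armoured private keys: RSA, EC, OPENSSH, PKCS#8 "PRIVATE KEY", ...
PEM_RE = re.compile(rb"-----BEGIN ((?:[A-Z]+ )?PRIVATE KEY)-----.*?-----END \1-----", re.S)

# /etc/shadow records: user:hash:lastchg:min:max:warn:inactive:expire:reserved
SHADOW_RE = re.compile(_BOL + rb"([a-z_][a-z0-9_-]*):([^:\n]*):\d*:\d*:\d*:\d*:\d*:\d*:?")

# key=value / key: value configuration lines whose key names a credential.
CRED_RE = re.compile(
    _BOL + rb"[ \t]*([A-Za-z0-9_.-]*(?:password|passwd|pwd|secret|api[_-]?key|token)"
    rb"[A-Za-z0-9_.-]*)[ \t]*[=:][ \t]*[\"']?([^\s\"'\x00]+)", re.I)

# URLs carrying credentials inline, e.g. mqtt://user:pass@broker
URL_CRED_RE = re.compile(rb"([a-z][a-z0-9+.-]*)://([^:/@\s]+):([^@\s]+)@([^\s/\"'\x00]+)", re.I)


def classify_hash(h: bytes) -> Optional[str]:
    """Return a verdict for a shadow password field, or None if nothing is exposed."""
    if h == b"":
        return "empty password field, account logs in without a password"
    if h[:1] in (b"*", b"!"):
        return None                                   # locked account
    if h.startswith(b"$1$"):
        return "MD5-crypt hash, cheap to brute-force offline"
    if re.fullmatch(rb"[./0-9A-Za-z]{13}", h):
        return "traditional DES-crypt hash, trivially brute-forced offline"
    if h[:3] in (b"$5$", b"$6$", b"$7$", b"$y$") or h.startswith(b"$2"):
        return "modern crypt hash, still an offline target if it is a factory default"
    return "unrecognised hash format"


def _mask(value: bytes) -> str:
    """Keep a short prefix as proof, hide the rest of the secret."""
    text = value.decode("latin-1")
    return text[:3] + "*" * (len(text) - 3) if len(text) > 3 else "*" * len(text)


def scan_image(image: bytes) -> List[Finding]:
    """Return all secret-like artefacts in the image, ordered by offset."""
    out: List[Finding] = []
    for m in PEM_RE.finditer(image):
        out.append(Finding("private_key", m.start(), m.group(1).decode()))
    for m in SHADOW_RE.finditer(image):
        verdict = classify_hash(m.group(2))
        if verdict:
            out.append(Finding("password_hash", m.start(), f"{m.group(1).decode()}: {verdict}"))
    for m in CRED_RE.finditer(image):
        out.append(Finding("credential", m.start(), f"{m.group(1).decode()}={_mask(m.group(2))}"))
    for m in URL_CRED_RE.finditer(image):
        out.append(Finding("url_credential", m.start(),
                           f"{m.group(1).decode()}://{m.group(2).decode()}:"
                           f"{_mask(m.group(3))}@{m.group(4).decode()}"))
    return sorted(out, key=lambda f: f.offset)


# Constructed sample image: ELF header fragment, a shadow file, an app config
# with an MQTT URL and keys, and an RSA key, separated by binary padding.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 16
    + b"root:$1$Qx2Yv1mJ$4kL9sN0qR7tU2vW3xY5zA1:17000:0:99999:7:::\n"
    + b"admin::17000:0:99999:7:::\n"
    + b"daemon:*:17000:0:99999:7:::\n"
    + b"sshd:$6$saltsalt$" + b"k" * 86 + b":17000:0:99999:7:::\n"
    + b"\xff\xfe" * 8
    + b"\n[cloud]\nbroker = mqtt://device01:Factory123@mqtt.example.invalid:8883\n"
    + b'api_key = "AKIA0000EXAMPLE0000"\n'
    + b"wifi_password=changeme\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu\n"
    + b"-----END RSA PRIVATE KEY-----\n"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for f in scan_image(SAMPLE_IMAGE):
        print(f"0x{f.offset:06x}  {f.kind:15} {f.detail}")
```

Run against a real extraction, the interesting output is not the hashes themselves but what they imply: a shared factory hash in /etc/shadow means every unit ships with the same password, and a private key in the image means every unit shares the same identity towards the cloud service. Locked accounts (`*` or `!`) are deliberately skipped, so the report only lists fields an attacker could actually use.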

On a more abstract level, the GDPR Device Testing Service provides:

  • Insight into the quality and level of the infrastructural and/or applicative security measures taken by a manufacturer.
  • Insight in shortcomings in security measures.
  • A risk and impact classification.
  • An overview of technical and organisational (non-)conformance to GDPR.
  • Specific recommendations that enable a manufacturer to achieve conformance and increase the (quality of the) security wherever necessary.

From a technical perspective, every reported finding consists of an explanation and proof, so the results can be reproduced. Risk and impact are quantified, to give easy insight into the most notable findings. They are complemented by specific recommendations to remediate the vulnerability or risk, which makes prioritisation of controls straightforward.

Specifically, GDPR related testing results expose threats to data confidentiality, integrity and availability, that can be addressed to better safeguard the data affected. Notable findings include:

  • Inadequate encryption of communication, resulting in:
    • Interception of (sensitive) user data.
    • Manipulation of (sensitive) user data.
  • Standard settings and functionality that track a user by default, without providing notice and without consent.
  • A misalignment between privacy policies and (technical) reality, resulting in:
    • Nonconformance to purpose-, use, and sharing limitations.
    • Lacking transparency.
  • Circumvention of controls to alter device functionality.

Business benefits

Through device testing, Qbit has built up a knowledge base consisting of a substantial number of issues that expose users to threats (from both a security and a privacy standpoint). Qbit is convinced that the findings accumulated are representative of the wider industry, and that many IoT devices pose equivalent or even worse risks and threats to users. When these risks and threats materialise through hacks or data breaches, this will negatively affect the manufacturers and directly impact their reputation and operations.

Preventing threats and risks to users also prevents negative impact on an organisation. Qbit's GDPR Device Testing Service addresses user risks and translates them into organisational risks.

Our GDPR Device Testing Service helps to ensure secure and GDPR-conformant handling of personal data. This leads to a secure service on the connected devices and minimises the risk of personal data being exposed to hackers. The service also helps to safeguard the reputation and revenue streams related to the devices and their connected services, and to avoid penalties and liabilities. Depending on the complexity of a device, a more compact or a more extensive approach can be provided.

Call to action

Qbit appeals to the social responsibility of manufacturers and internet-connected service providers to take device security and user privacy more seriously.

Contact Qbit Cyber Security for a free quote for the GDPR Device Testing Service for your connected smart device.

Check out our Device Assessment IoT.


By Mathijs Hummel

Advisory & Assurance

Any questions about this post or our services? Just email me or call me on +31 6 12 985 740.
