19-12-2020 | | By Robin Mitchell
With the rising use of IoT and the increasing pressure from governments, privacy in IoT is a significant factor for designers to consider. One solution is data pre-processing, but what is this, and how does it improve privacy?
The Internet of Things, or IoT, allows for simple devices to connect to the internet, and from there have full access to all that cloud computing can offer. Whether it is to process temperature readings to create better models for weather prediction or may to link the state of a window to the environmental control system located in another building, the ability to connect to the global network provides untold capabilities.
However, a door that is opened can be walked through in both directions, and any other device can access a device connected to the internet on the network. A device without security can be easily hacked, its data were stolen, and potentially personal information obtained. Personal data can include anything from Wi-Fi credentials to bank details, all of which is highly advantageous to a cybercriminal.
How is the world reacting to IoT security?
Stealing bank details and Wi-Fi credentials is one thing, but having access to cameras and microphones is another, and it is this type of data that has both customers and governments worried. Devices such as Amazon Echo and Google Assist record conversations, have this data streamed to a remote server, and then process the data to determine what individuals are saying. From there, appropriate responses can be generated and provide the users with a highly convenient interactive system.
However, sending such data over the internet to a remote location can be very dangerous as an attacker who can access that device has direct access to raw data from any attached hardware including the camera and microphone. If these devices are mounted in a bedroom, for example, then it would leave the occupants exposed to spying, and from there potential ransom.
While IoT devices continue to be developed and sold, users rarely have such devices in private spaces, and governments around the world are now bringing in legislation to regulate the development and sale of IoT devices. For instance, the UK government has brought in industry recommendations. In contrast, the US government has recently brought in its first federal law regulating which devices branches of government can use.
Clearly, privacy is an important factor in IoT design and ensuring that a device keeps private data private can be tricky. Strong encryption methods can help to make data unreadable without a key. In contrast, the use of active anti-malware systems which continuously look for suspicious activity can help to lock out systems automatically.
However, one concept that is gaining traction is data pre-processing. The idea behind data pre-processing is very simple; process data such that when seen by an attacker, it no longer represents the original raw data that contains private information.
While this can be achieved in several ways, two methods, in particular, stand out; direct edge-computing and data manipulation. To understand how these methods can work, let’s take a simple example of a face recognition system that uses an IoT camera in the bedroom.
Edge-computing is the method whereby an IoT device performs data processing itself. The IoT device, which is directly connected to the camera, takes raw data, detects the face, isolates the face, and then uses an onboard AI to determine who face it is. The result is a name produced by the camera, and that name can be sent to a remote server. While the name is transmitted, the picture of the face is not, and neither is the raw data from the camera.
Data manipulation would be a system whereby the camera sends its raw feed to the IoT device. The IoT device then passes the image through a specialised one-way mathematical system that results in a dataset that represents the image. Still, it can’t be used to recreate the image exactly. This data is then streamed to a remote server for further processing, and the processed data can then be used to determine the owner of the face. Such a concept has been seen by researchers from UC Riverside who utilised optical pre-processors to recreate images from obscure data, but the recreated images are only basic recreations (as opposed to an identical image).
Another method for improving privacy in a system is to separate sensors from the processor that communicates from the outside world. For example, an IoT device can utilise a camera. Still, the camera first connects to a microcontroller, and the data from the microcontroller is streamed as read-only to the main controller.
If the microcontroller provides pre-processing of the image, the main controller can only ever receive pre-processed data. From there, should the main controller ever become compromised, it cannot directly receive raw image data from the camera, and thus helps to retain privacy. This is a near-identical system that Apple has recently patented with the use of read-only busses, pre-processors, and data separation.