What is Peekaboo’s new privacy framework for the Internet of Things (IoT)?

Many Internet-connected devices — let’s use Amazon’s Echo or an LG Smart TV as examples — share data in the cloud when you interact with them. How do you know your speaker isn’t always listening? How do you know that you are not sharing more information than is necessary to fulfill your request?

At this time, there is no way to confirm this. However, the researchers at Carnegie Mellon Institute for Security and Privacy (CyLab) have come up with a newly designed privacy-sensitive architecture that “leverages an in-house hub to pre-process and minify outgoing data in a structured and executable way before sending it to external servers in the cloud.”

They’ve nicknamed this framework ‘Peekaboo’. At its core, it is a software design that aims to enable developers to create smart home apps for particular devices in a way that addresses concerns about data sharing and gives users control over the personal information that is shared in the Internet of Things.

What is the Internet of Things? The Internet of Things, or IoT, is a system of interrelated computing devices, mechanical and digital machines, objects, animals, or people that have unique identifiers (UIDs) and the ability to transfer data over a network without the need for human-to-human or human-to-computer interaction.

Why this matters: Various devices, such as air conditioners, washing machines, televisions, and other household appliances in a smart home environment, record user behavior through the sensors embedded in these devices and use this data to facilitate their lifestyles (for example, Amazon Echo “user favorite” automated playlists). Sensor data contains a lot of sensitive information about the user and the devices. An attacker in or near a smart home environment can potentially exploit the innate wireless environment these devices use to leak sensitive information about users and their activities, invading user privacy. Alternatively, the attacker can even deliver an encrypted payload of malware that can potentially take over the user’s entire home, holding them hostage. With this in mind, Peekaboo tries to create a safer environment in smart homes with this new framework.

How is Peekaboo supposed to work? Peekaboo operates on the data minimization principle, which refers to the practice of limiting data collection to only what is required to fulfill a specific purpose.

  • To achieve this, the system needs developers to explicitly declare the relevant data collection behaviors in the form of a manifest file, which is then fed into a trusted internal network to transmit sensitive data from smart home devices like Amazon Echo or LG Smart TV on a need-to-know basis.
  • The network acts as the path between the raw data of the IoT devices and the respective cloud services. It also allows third-party auditors to cross-check an app developer’s data collection claims.
  • The manifest file details the permissions an application needs to access protected parts of the system or other applications. It is generally analogous to the root data format of a phone’s operating system.
  • Peekaboo makes it possible to define data collection practices in a more adjustable way, such as the type of data to be collected, when it should be collected, and how often.

“This approach offers more flexibility than permissions, as well as an enforcement mechanism. It also gives users (and auditors) more transparency into a device’s behavior, in terms of what data will flow, at what granularity, where it will go, and under what conditions.” — CyLab blog on Peekaboo
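
A sketch of the manifest-plus-hub enforcement described above, as an added example that is not Peekaboo’s own code: the manifest keys, the `Hub` class and the sample reading are all hypothetical. It shows the hub forwarding only declared fields, at the declared granularity, frequency and hours, to the declared destination, and logging every decision for an auditor.

```python
# Hypothetical manifest: keys and structure are assumptions for this
# example, not Peekaboo's actual manifest format.
MANIFEST = {
    "destination": "https://cloud.example.invalid/ingest",
    "allow": {
        "temperature_c": {"round_to": 0.5},  # coarsened granularity
        "occupied": {},                      # forwarded unchanged
    },
    "min_interval_s": 300,     # how often: at most one upload per 5 minutes
    "active_hours": (6, 23),   # when: 06:00 up to, not including, 23:00
}

# Constructed sample reading; raw_audio and device_mac are never declared.
SAMPLE = {"temperature_c": 21.37, "occupied": True,
          "raw_audio": b"\x00\x01", "device_mac": "02:00:00:00:00:01"}

class Hub:
    """In-home hub: the only path from device data to the cloud."""

    def __init__(self, manifest):
        self.m = manifest
        self.last_sent = None
        self.audit_log = []  # what an auditor would compare to the manifest

    def _deny_reason(self, dest, now, hour):
        start, end = self.m["active_hours"]
        if dest != self.m["destination"]:
            return "undeclared destination"
        if not start <= hour < end:
            return "outside declared hours"
        if self.last_sent is not None and now - self.last_sent < self.m["min_interval_s"]:
            return "rate limit"
        return None

    def filter(self, reading, dest, now, hour):
        """Return the minimized payload, or None if the upload is dropped."""
        reason = self._deny_reason(dest, now, hour)
        if reason:
            self.audit_log.append((now, "drop", reason))
            return None
        out = {}
        for field, rule in self.m["allow"].items():
            if field in reading:
                step = rule.get("round_to")
                value = reading[field]
                out[field] = round(value / step) * step if step else value
        self.last_sent = now
        self.audit_log.append((now, "send", sorted(out)))
        return out
```
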

Does India have any protection measures for IoT devices? No, India does not have any protection measures for data from IoT devices because the country does not have any kind of data protection laws. The Code of Practice for Securing the Internet of Things (IoT) for the Consumer, published by the Telecommunications Engineering Center (TEC), requires unique default passwords for all IoT devices, asks users to choose a strong password, and requires implementing a system to manage vulnerability reports, providing regular updates, and verifying software. However, the code is voluntary and is therefore not enforceable.

Non-personal data, such as that collected by these devices, falls under the jurisdiction of the National Data Governance Framework, which is still under public consultation.

Do other countries have laws that regulate the IoT? The United States is the first country to draft legislation on the Internet of Things. The legislation, named the IoT Cybersecurity Improvement Act of 2020, requires government agencies to ensure the security of their IoT devices. At the state level, several states, including California and Oregon, have already passed IoT cybersecurity laws.

In the European Union, the NIS2 directive, which was approved by all 27 member states at the end of May 2022, covers the security of the Internet of Things. These new rules mean that manufacturers of IoT devices will have to report all their cybersecurity incidents and analyze the vulnerabilities to prepare a report for the Union’s cybersecurity agency. Failure to comply will result in heavy fines or penalties.
