Edge Computing and IoT Data Breaches: Security, Privacy, Trust, and Regulation

May 26th, 2024

David Kolevski and Katina Michael

Edge computing is an emerging computing paradigm representing decentralized and distributed information technology architecture [1]. The demand for edge computing is primarily driven by the increased number of smart devices and the Internet of Things (IoT) that generate and transmit a substantial amount of data that would otherwise be stored on cloud computing services. The edge architecture enables data and computation to be performed in close proximity to users and data sources and acts as the pathway toward upstream data centers [2]. Rather than sending data to the cloud for processing, the analysis and work are done closer to where the data is generated (Figure 1). Edge services leverage local infrastructure resources, allowing for reduced network latency, improved bandwidth utilization, and better energy efficiency compared to cloud computing.

The emergence of the IoT and of connected devices and services has changed the way consumers live, businesses work, and governments interact with their stakeholders. No matter where you look today, you will find a smart object affixed to something or someone, somewhere. According to Ni et al. [3], IoT will enable an evolution from the cloud to the edge and reduce computational constraints on cloud services. Smart devices come in many form factors and are increasingly mobile, lightweight and unobtrusive. Who has ownership of the device? Is the device actively generating and transmitting the data back to the edge node? And are citizens aware that they are actively monitored by these objects and devices?

Edge computing enables computation to be performed at the edge of the network, at the point where users require access to services [2]. Currently, many IoT devices are generating continuous data streams. To quantify the size of the edge computing challenge, there will be an estimated 29.42 billion IoT-connected devices by 2030 [4]. A city, for example, with 1 million people in 2019, was producing about 180 petabytes of data per day [5] with enormous potential benefits in data-driven innovation serving the public interest. With this constant streaming of various kinds of data emanating from IoT devices, it is important that data processing and storage is concentrated toward the edge of the network to negate the need for longer transmission times and continuous processing improvements. Increasingly, manufacturers of edge devices are building multifunctionality into their products and users simply take advantage of all available features without considering the network and storage implications and constraints. Smart cities will rely on edge devices to fuel the data-driven economy, providing new insights into local challenges and potential futures.

Socio-Technical Challenges

In a 2017 study by Lin et al. [6], it was found that edge services provide improved data processing, storage and quality of service (QoS), suitable for future IoT infrastructure solutions. Abbas et al. [7] also concluded that mobile cloud computing (MCC) faced challenges with high latency and inefficient energy device utilization which could be addressed by edge computing solutions. Thus, MCC was less suitable for real-time applications and scenarios requiring a high QoS. These are just some of the design challenges that many businesses face, with major implications for addressing systems objectives. Buyya et al. [8] present the outlook of edge computing, including the technology design, security architecture, and integration with cloud services; however, they neglect to centrally address the regulatory workings of distributed services. Similarly, Shi et al. [9] reviewed the social and technical challenges of edge computing, providing recommendations for service utilization and consumption, but neglected the environmental issues prevalent in edge computing devices. With the predicted growth of the edge device sector, the energy requirements cannot be underestimated. This commentary will discuss the emergent security, privacy, trust, and regulatory issues linked to edge computing in the context of IoT and corresponding data breaches.

From the Cloud to the Network Edge

The concept of edge computing stems back to the 1990s when content delivery networks (CDNs) were introduced to enhance web performance [10], and load balancers were used in the data center to distribute incoming traffic across the available servers, managing peak times of usage. AWS describes three generations of CDNs: 1) built on data center replication, with a focus on intelligent network traffic management; 2) a concentration on multimedia content and especially on services like video-on-demand delivered right to the mobile/tablet/edge device; and 3) a shift in emphasis to the edge, away from web services that are centralized in the cloud toward the management of bandwidth consumption through intelligent communications using smart devices [11]. Akamai, founded in 1998, was one of a number of CDN providers enabling caching of web content to be stored and processed on CDN nodes.

While early use cases of edge computing share similar attributes to that of CDNs, the edge extends the boundary of data generation and processing. Abbas et al. [7] write that edge services will play a pivotal role in web optimization, such as enabling HTML content to be more available locally, rather than on the central server. This has major implications for how artificial intelligence (AI) and ultra-low power machine-learning (ML) applications will be incorporated into the network edge, and how breakthrough technologies, such as neuromorphic computing and TinyML, will allow for enhanced user experiences that were previously impossible [12]. IoT services, such as smart traffic lights, healthcare tracking, shopping cart management, and big data analytics will enjoy the advantages of edge computing [3].

Security

Edge computing presents a unique set of security challenges, such as the potential for the unauthorized access and capture of sensor information from connected devices by hackers. It is well-known that given the size and computing power available on some edge devices, there are inherent limitations in available security methods [5]. Shi and Dustdar [5] state that supporting edge security will continue to be a challenge due to the complexity and pervasive nature of the network topology. Similarly, Ni et al. [3] state that IoT devices are vulnerable to hacking due to their limited computing resources and low resilience to persistent attacks.

Lack of Security Impacts Trust in Relationships

Edge computing security challenges the existing trust that end-users have when using device-level services [13]. Better securing IoT devices increases the trust relationship between the user, the manufacturer, and the service provider. However, many IoT-based surveillance cameras and alarm systems, for instance, carry default passwords like “0000” and, in other cases, do not have any security mechanism whatsoever, leaving them open for anyone who wishes to gain access to them [14]. When users of these devices find out about the lack of security onboard, particularly while the whole aim was to secure physical premises that contained expensive tools and assets, there is an instant loss of trust in technology and the designers and developers of the technology [15]. Sharan et al. [13] identify that the main weakness in such established relationships is a failure to understand that both security and privacy impact trust between the user and the service provider.

Characteristics of Edge Computing Overcoming or Posing New Security Challenges

The hierarchical network topology of edge computing is considered to be a “double-edged sword” [16]. On the one hand, it provides security protection by the distribution of data between the nodes, and, on the other hand, it also presents security vulnerabilities at the different layers of communication between the end device, the edge, and the cloud infrastructure. Consider, for example, a critical health application on an edge device that monitors a heart pacemaker in a patient, and then each night, the data is uploaded from the edge device to the cloud from the patient’s home [17], with varying topologies and configurations given breakthroughs in wireless technologies. Other security challenges in edge computing relate to attacks performed between different interconnected devices, such as man-in-the-middle (MITM) attacks, eavesdropping, and tampering attacks [18]. Sendhil and Amuthan [18] describe how hackers are applying known types of attacks to edge services. Similarly, denial of service (DoS), tampering, eavesdropping, and waterhole attacks targeting lightweight IoT devices pose challenges that traditional cloud security methods could not entirely deter [19].

Additional studies demonstrate that security challenges in edge computing include authentication constraints, due to the distributed network design and multiple stakeholders engaged in flows of communication [7]. For example, in cloud services, the centralized entity is responsible for authenticating users and devices. Distributed edge services are different in that they operate under a multidomain environment, and it is difficult to authenticate with centralized upstream services. According to Bangare and Patil [20], IoT is one of the most complex technology ecosystems, operating with diverse stakeholders. This complexity brings challenges with addressing the protocols associated with service delivery, service level agreements (SLAs), and cybersecurity frameworks. Similarly, [21] states that reduced performance metrics could breach the SLA between stakeholders while providing minimum service portability options to the user. Hassija et al. [22] discuss the issues related to device-to-device connectivity and the requirement for dynamic SLA security features. Special attention needs to be provided to SLAs which enforce agreements across multiple platforms as they allow IoT users the features required to safeguard them against attacks.

Addressing Security At The Network Edge

Encryption

Threats and attacks on cloud computing have been extensively researched, but the resulting solutions do not scale at the network edge, due to the lightweight specifications of edge devices. Ren et al. [16] promote the concept of trust and authenticating IoT devices within each layer: end device, edge, and cloud infrastructure. Similarly, Mosenia and Jha [23] state that strong encryption methods provide further resilience for IoT and edge computing services; however, IoT remains vulnerable to persistent attacks. IoT device limitations such as processing and memory capacities continue to cause a significant challenge for encryption methods.

Blockchain

Hassija et al. [24] propose blockchain technology and smart contracts to increase security in edge computing environments where governments tender services. The researchers identify that a decentralized tendering system could be applied to Ethereum allowing for the control of data because it is accessed based on identity authentication. Similarly, Li et al. [25] also investigated the blockchain ledger to address security and access control using Ethereum. The authors in the study applied Ethereum smart contract functionality to execute the required business logic sets to validate device identity and then validated the requested data via the ledger. In both [24] and [25], Ethereum was applied to validate the authentication and integrity of edge devices; and in [25] it was applied to a hospital-patient use case.

Blockchain Microservices and Virtualized Applications

While cloud computing services have seen the advantages of rapid service deployment, bandwidth, connectivity, and latency are issues that continue to put strain on device and application usage [2]. Ren et al. [16] state that edge computing will increasingly use virtualization techniques, though with a more lightweight approach to cloud services. Emerging technologies, such as Linux server configuration (LXC, isolating one operating system to one container) and Docker containers (isolating one application to one container), are applied on lightweight devices, enabling virtualization without compromising requirements. The rapid growth of cloud-based services led to an explosion of data being sent over the Internet requiring ever-increasing bandwidth capacity, which was plainly not optimal [26]. Therefore, the authors state microservice applications coupled with container virtualization could be deployed for simplified edge processing and storage services. Both [16] and [26] propose containers providing virtualization services, promoting fast boot time and lightweight energy inputs.

Privacy

“Privacy” can be interpreted in many different ways. There may be privacy 1) of the “person”; 2) of “behavior”; 3) of “communications”; and 4) of “personal data” [27]. We will be focusing on the latter two types in this section. Personal data, which also goes by the name of “data privacy” or “information privacy,” can be defined as an individual’s right to have control over the data that is personally linked to them, whether available to other individuals, organizations they interact with, or even a third party that might store that data [28]. Privacy in communications is directly related to the network edge, given flows of transactions between components in a network setting that are vulnerable to attack.

Data Privacy at the Edge

Data privacy is a topic of major concern due to the pervasive nature of IoT devices. Satyanarayanan [10] refers to the established concept of Cloudlets in their paper, which extends cloud fundamentals at a more granular level, toward edge nodes and the reduction of overcentralization. Edge computing extends privacy concerns with increasing functionality like location awareness and lightweight IoT devices which possess limited data protection methods [16]. Hagan et al. [29] note that cloud privacy and security breaches have become important challenges in centralized data processing and storage services, and while edge services are bringing these closer to the network boundary, breaches can still happen. All stakeholders need to be aware that the privacy of the end-user can be jeopardized without their immediate knowledge [30]. End-users are often one of the last stakeholders to learn that their data has been stolen, quite often only when a significant privacy breach has occurred and the breach is publicly announced due to mandatory data breach notification (MDBN) legislative requirements [19]. A distributed information technology architecture at the edge should generally have the advantage of minimizing privacy breaches “at scale.” However, if an edge node is targeted by hackers, many edge devices can be affected all at once (refer to Figure 1). Whereas a cloud computing data breach might have compromised hundreds of millions of individual records in a single attack (e.g., due to an unsecured S3 bucket), in the future edge devices will be vulnerable to peer-to-peer network architectures, given the potential for malware to penetrate and spread in systems.

Access Control and Data Protection

The primary use case for IoT integration is to share data between the huge number of devices that transmit sensor data. Thus, researchers are preoccupied with privacy implications relating to edge device access control. When edge devices are compromised and an individual’s privacy has been breached, the device is said to have been the “target,” although personal data is what the hacker can claim as an outcome. While we have yet to observe breaches of this kind “at scale” when compared to some of the major cloud computing hacks of the last decade, this is the next frontier as we move from 5G to 6G networks. These privacy breaches may fall into one or more of the following categories: 1) access offenses; 2) the impairment of data; 3) the misuse of devices; and 4) the interception of data [31, ch. 2–6].

IoT by its very nature makes the end-user vulnerable to “tech abuse” in particular contexts (e.g., the use of technology in the context of domestic violence [32]). Consider how a malicious actor may aim to penetrate the personal privacy of an end-user via an IoT device. Victims have reported many examples of “smart abuse,” and these will continue to increase [33], having asymmetric effects on individuals and their wellbeing. Imagine the possibility of an attack on edge devices on the home network that allowed the hacker to access the front door lock, smart TV, doorbell, home lighting, security cameras, speakers, and so on, remotely. The invasion of privacy would be so great that it would cause significant mental anguish in the victim of the attack.

According to Aleisa et al. [34], access control is integrated between the usability of the edge service and the flow of data between the devices and the user authentication process. Likewise, Shimahara and Nishi [35] investigated access control between integrated edge services and concluded that services should be determined by the level of access required by the users. The study also stated that access control needs to fulfill the requirements of data protection regulations [e.g., General Data Protection Regulation (GDPR)]. Li et al. [25] discuss IoT devices that share sensitive information such as healthcare and medical information that must adhere to health-related privacy regulations. The authors noted that service providers need to abide by encryption- and decryption-based rules during access control.

Disclosed PII

IoT devices continue to generate, store, and process enormous amounts of personally identifiable information (PII), usernames and passwords, financial information, location data, and health-related information [23]. Disclosed PII, financial, and location data are extensively surveyed in the literature with respect to cloud computing data breaches (e.g., [19]). We [19] investigated the 2011 Sony PlayStation Network (PSN), 2014 eBay, and 2014 Yahoo! cloud data breaches. The outcome of the study was that data breaches would continue to increase, requiring the security industry to further enhance data security methods. In an edge computing scenario, the threat landscape is further exacerbated by the IoT device generating additional data that would have otherwise been limited in a cloud computing scenario [23].

Biometrics

A recent study by Cheng et al. [36] focuses on privacy protection in biometric systems, specifically facial recognition. The authors state that biometric authentication has been applied to e-commerce, banking, government, and military systems. Major concerns now reside with deepfakes and other morphing attacks [37]. While facial and fingerprint biometrics are now integrated into portable hard drives, smartphones, and other edge devices, duping attacks will become commonplace [38]. The introduction of AI into the hacker’s toolkit will mean that proving one’s own identity at the edge will become harder, likely necessitating two-factor authentication [59].

Location-Based Services

Location-based services (LBSs) have enjoyed popularity from online consumer purchases to business tracking inventory [39]. Edge computing brings LBS closer to the consumer using smartphones, smartwatches, and, in ever-increasing cases, implantable devices. Sendhil and Amuthan [18] state that IoT devices are susceptible to location privacy leakage with the attacker knowing the user’s geographical location. There are also covert ways in which proximal geolocation can be determined, possibly placing users at risk, if they are unaware someone/something knows their whereabouts. This is especially troublesome in cases of stalking or the context of restraining orders. An edge device’s location can also be spoofed, rendering a device somewhere other than where it actually is physically [40]. This latter scenario can create all sorts of problems for service providers, despite maintaining an individual’s location privacy.

Trust

Users can gain trust in a service if they can observe stakeholders within that technology ecosystem taking responsibility for their actions [41]. Singh et al. emphasize that unless trust is embedded as a value in the systems design process to begin with, the potential for IoT will not be realized. In a study by Sendhil and Amuthan [18] that investigated trust, privacy, and security issues in edge computing, it was found that user trust, in particular, needed to be addressed. One way to ensure trust is through the use of new edge computing protocols and user interfaces, so that people can interact with their devices to learn more about a given context. Along with new user interfaces, transparency around security patches and protecting IoT device integrity is a key measure in increasing user trust. This position is supported by Cheryl et al. [42], who stated that users who have more control of their IoT device, including better user interfaces and ownership of data, have an increased trust in their service provider. The three studies highlight the importance of trust within an edge and IoT ecosystem. The latter study is unique in that it uses a case study method to evaluate end-user trust and data protection in the Malaysian context, offering findings relevant to that market. Another trust-enhancing feature is the implementation of blockchain technology in IoT services. Boudguiga et al. [43] examined the availability and accountability of IoT services and one of the outcomes was to implement blockchain solutions for access control, contracts and agreements, and storage facilities.

Regulation

Previous research we conducted with Abbas and Freeman in 2021, on regulating emerging technologies [19], [44], investigated the environmental implications of data flow in cloud computing. We identified the importance of regulating data flow between stakeholders that allowed continued innovation providing optimum outcomes for all stakeholders in the cloud value chain. While the utilization of cloud services is more mature than edge services, it is important that stakeholders within the edge collaborate up and down the network (with end devices and cloud computing stakeholders) to enhance data flow services to incorporate security-related functions (Table 1). With an increased focus on data protection, regulating edge computing and IoT has gained attention from policymakers and legislators. The following sections focus on data protection by promoting stakeholder accountability, self-regulation, and revisiting existing regulations.

Table 1 Comparing the value chains of cloud computing and edge computing


Increased Data Protection Through Stakeholder Accountability

Studies identify that stakeholder accountability can be achieved through data protection regulation when implementing edge and IoT services. For instance, Urquhart et al. [47] state that the lack of user interfaces inhibits accountability and direct feedback for users to understand the information that is collected, stored, and processed at the device level. Furthermore, the researchers state that sensor and lightweight devices function with minimum user interfaces and often rely on lights or sounds alone. They further outlined the data flow between services which underpin accountability from the GDPR perspective [47]. Complementarily, Li et al. [25] promote stakeholder accountability through better security and existing data protection regulations. From a systems design perspective, they applied Ethereum and the U.S. Health Insurance Portability and Accountability Act (HIPAA) to analyze software-defined infrastructure (ChainSDI) services.

Another form of stakeholder accountability comes in the form of software system maintenance and firmware patches [48]. There is a fine balance that must be achieved between better data protection and usability of a given device [47]. At a more granular level, Singh et al. [41, p. 57] note that “technology producers are not currently legally obliged to explain how the technology works.” This immediately prevents users from having full transparency and provides manufacturers and service providers the right to offer limited visibility in what might be called black-box technology, regarding the inner workings of a product or service. Thus, any firmware patch updates are always at the discretion of the service provider. While all stakeholders want to be viewed as doing the right thing by users, accountability is not always practiced in tangible ways.

Promoting Self-Regulation Between Edge Computing Stakeholders

Pokrovskaia et al. [49] introduced self-regulation as a form of data protection to allow users of the system to auto-organize their relationships. They also presented blockchain as a technology platform to organize working relationships between edge stakeholders. Bhadauria and Chennamaneni [50] examined self-regulation and concluded that service providers offering better security incentives were perceived to value data protection. Duarte and de Lima Prestes [51] investigated self-regulation through a certification framework. The authors applied a collaborative research design across technical and nontechnical stakeholders with key components. The stakeholders and components established a security baseline of technical and nontechnical requirements and the solution demonstrated a collaborative multistakeholder environment where cooperation was key.

Abiding by Existing Data Protection Regulations

The sharing of data between heterogeneous IoT systems is a common function of data interoperability [52]. Varadi et al. [52] envisage an architecture enabling users, services, and devices to share common protocols and standards. Furthermore, the goal of the EU GDPR is to ensure that data protection is achieved by privacy by design. Garg et al. [53] review the GDPR and the U.S. Federal Trade Commission (FTC) regulation as related to cloud and edge services and conclude that the U.S. does have some sector regulations. However, the FTC definition of personal data varies across states and the balance of privacy protection falls on the stakeholders providing the services. Overall, these two studies point to the need for a unified approach to data protection regulation, such as the GDPR.

Data Breaches in Edge Computing Services

According to Sullivan [54], a data breach is defined as the unauthorized access to personal data leading to accidental or unlawful data disclosure. Similarly, Kolevski et al. [19] have previously defined a data breach as when end-user information is accessed and disclosed to unauthorized entities, exploiting their PII, financial, and geolocation information. Likewise, edge computing faces similar challenges to cloud due to the number of IoT devices connected to online services. While edge computing data breaches have yet to gain attention on front-page news and associated media coverage, the rapid uptake of edge services and IoT devices will be attractive to attackers. Pan and Yang [55] believe that edge computing faces cybersecurity challenges at scales never before seen due to the hyperconnectedness of IoT devices along with resource-poor attributes. Pan and Yang [55] highlight that large amounts of generated data, high-speed access availability, connectivity with cloud services, and decentralized network topology are ideal environments for attackers to penetrate at the edge.

It is essential to recognize the rise of the end-user’s privacy and security needs from cloud to edge service provisions. However, the centralized concept of cloud services and its auditability functions could not easily be replicated in a distributed edge service [56]. Multiple points of interconnections, lightweight processing, and limited storage onboard devices allow for less auditability. While overhead data reduces service performance, it should not be reduced to the degree that it impacts on audit tracking capabilities.
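One way to keep audit tracking cheap on a storage-limited device, shown here as an added example that is not from the article or the works it cites: each record is chained to the previous one with an HMAC, the device uploads only a small checkpoint, and an upstream verifier can tell intact, altered, missing, and cut-off logs apart. The names `EdgeAuditLog` and `verify_segment`, the shared key, and the sample events are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from collections import deque

# Checkpoint that precedes the first record: (sequence number, chain tag).
GENESIS = (0, b"\x00" * 32)


def chain_tag(key, prev_tag, seq, event):
    """HMAC over the previous tag plus this record, binding records in order."""
    body = json.dumps({"seq": seq, "event": event}, sort_keys=True).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()


class EdgeAuditLog:
    """Audit log for a device that can retain only `capacity` records."""

    def __init__(self, key, capacity):
        self._key = key  # assumption: per-device key shared with the upstream verifier
        self._seq, self._head = GENESIS
        self._records = deque(maxlen=capacity)  # oldest record is evicted when full

    def append(self, event):
        self._seq += 1
        self._head = chain_tag(self._key, self._head, self._seq, event)
        self._records.append((self._seq, event, self._head))

    def checkpoint(self):
        """Value to upload upstream: a counter plus a 32-byte tag."""
        return (self._seq, self._head)

    def records(self):
        return list(self._records)


def verify_segment(key, start_cp, records, end_cp=None):
    """Upstream check of retained records against checkpoints stored earlier.

    Returns "ok", "gap" (records after start_cp are missing), "tampered"
    (a record does not match its tag) or "truncated" (the records stop
    before end_cp).
    """
    seq, tag = start_cp
    for rec_seq, event, rec_tag in records:
        if rec_seq <= seq:
            continue  # already covered by the stored checkpoint
        if rec_seq != seq + 1:
            return "gap"
        if not hmac.compare_digest(chain_tag(key, tag, rec_seq, event), rec_tag):
            return "tampered"
        seq, tag = rec_seq, rec_tag
    if end_cp is not None:
        if seq != end_cp[0] or not hmac.compare_digest(tag, end_cp[1]):
            return "truncated"
    return "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key-32-bytes!!!"  # constructed sample key
    log = EdgeAuditLog(key, capacity=4)
    for n in range(3):
        log.append({"device": "cam-01", "action": "login", "n": n})  # constructed events
    stored = log.checkpoint()  # what the upstream service keeps
    for n in range(3, 6):
        log.append({"device": "cam-01", "action": "config_change", "n": n})
    print(verify_segment(key, stored, log.records(), end_cp=log.checkpoint()))
```

Because the key lives on the device, a compromised device can still rewrite records newer than the last uploaded checkpoint; records covered by a checkpoint the upstream service already holds cannot be altered without detection.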

The promise of edge computing and its approach to decentralization of devices, storage, and processing requirements is gaining momentum. The lightweight devices from sensors and RFID tags, to more powerful devices such as smartphones and vehicles, lead to a variety of devices functioning within the edge-to-cloud ecosystem. As a result of these heterogeneous devices rapidly continuing to increase in number, the attack landscape that was once concentrated in the cloud is now incorporating the edge. End-users are generating more data than ever, and dispersing data between multiple edge and cloud services, further increasing the threat scope. The question remains: how will attacking the network edge benefit hackers? What do they have to gain from data breaches of this kind in the future? Will targeted attacks be aimed at individuals, groups of people, or specific manufacturers of devices with known vulnerabilities?

As we become reliant on edge devices and end-user devices, the discussion of what is possible begins to become a serious one. The sensitivity of the data being collected today could be “mission-critical” not just for a business but for ensuring the well-being of a human. The stakes are increasing as we get closer to the end user, and the repercussions of data breaches have a real human impact, beyond the concept of personal information being stolen. Rather, we may be looking at data breaches at the edge causing significant local outages in smart cities, the potential for vehicular accidents (especially semi/autonomous vehicles), and even human casualties. In this context, safeguarding the edge and IoT services against hackers will likely become just as important as securing the cloud, if not more.

We speculate that the value chains for cloud computing [45] and the network edge [46] will begin to harmonize over the longer term and that the two very distinct models will co-exist—centralized versus decentralized—demanding data interoperability for the delivery of services (refer to Table 1). Decisions of where to store an application will come with an assessment of the type of data being gathered, its criticality, and whether data is being collected discretely, continuously, or on demand in real-time, among many other criteria. We advocate for privacy and security by design [57] approaches from the outset of the development of an IoT-based solution that, at the very least, abides by industry standards and recognized regulations [58].

Author Information

David Kolevski is an enterprise network communications specialist. Kolevski has a Bachelor of Information Technology, a Master of Information Communication Technology, and a PhD in cloud computing from the School of Computing and Information Technology, University of Wollongong, Wollongong, NSW, Australia. Email: dkolevski@protonmail.com.

Katina Michael is a tenured professor at the School for the Future of Innovation in Society, Arizona State University, Tempe, AZ 85287 USA, and the School of Computing and Augmented Intelligence, Arizona State University, Tempe, AZ 85281 USA. She is also a senior global futures scientist at the Julie Ann Wrigley Global Futures Laboratory, Arizona State University.

 
