Smart cities: a cyber criminal’s dream?

Back to Criminal Law publications
Back to Business Crime publications

Dan Hyde
Penningtons Manches Cooper, London


The description of cities of the future as ‘smart cities’ has become a term of art synonymous with improved functionality and interconnectivity which could bring quality of life improvements and a raft of benefits to civilisation. What is often overlooked is the potential downside of smart cities, for example how they will be regulated and the risks such interconnectivity might bring.

There are many forecasts as to what the future holds. It is not unreasonable to estimate that by 2020 there could be over 200 billion connected sensors contained within 30 billion internet of things (IoT) devices and that by that stage the market value for the internet of things will be running into the trillions of pounds. One does not even need to look to the future to see that we already live in a world where physical devices and the IoT are capable of being interconnected and exchanging data. It is increasingly the case that household devices and everyday goods contain sensors that can detect data input such as physical movement, biometric information or other atmospheric circumstance. The price of sensors has fallen so dramatically that they can now be widely used at little cost. Meters, installed in homes for gas and electricity, called ‘smart’ meters are well-known and an entire range of usual everyday devices are now fitted with sensors. These sensors can be linked to a variety of devices such as a mobile phone app or computer to measure heart rate, body mass index, body fat percentage or worn on wrists or ankles to measure steps from distances walked and provide a plethora of metrics and feedback. Over the next few years there will be increased connectivity between every area of human habitation from home to car to hotel to each and every point of existence so that we create a vast interconnected web. The IoT will be a whole new frontier where the advantages intrinsic to the interconnectivity of the IoT devices can be exploited. The benefits are much talked about. They include improvements in healthcare with medical apps used to arrange everything from an initial hospital appointment through to a more effective delivery of medical and other health services in a swift remote way that is presently not possible with our reliance on staff and the separation of systems. There are undoubtedly huge benefits that can be brought by the IoT, yet this focus on the positives often overlooks or minimises the dangers of smart cities.

One key problem area with the IoT will be its security and how it can be properly regulated. It is the very interconnectivity of the devices that creates an enlarged attack surface which will enable hackers to find potential access points, points of weakness across the chain. If one considers the very nature of IoT devices one realises they are designed to be convenient in use and often capable of being transported around wirelessly and easily. This then means that the device will have physical restrictions and, in general, must be relatively small and light. This creates potential for security weaknesses; the processing power necessary for effective security is not generally optimal where microprocessors are used in small form IoT devices. Put simply, there is not yet enough computer power to undertake both the desired IoT task and to provide cybersecurity for the device through encryption. Portable devices in smart cities of the future may well sacrifice security to enhance their desirability and portability. Indeed there may be little incentive for those manufacturing devices to consider cybersecurity as a priority, not least since the incorporation of adequate security measures would represent a likely additional cost. There is also the problem of properly vetting third parties who would install or maintain the devices as third-party installation or maintenance will represent a further risk to cybersecurity. In short, the huge attack surface created by the IoT presents an opportunity to the hacker not only to find points of access across the chain but also, through access, to exert control over a myriad of interconnected devices so that a cyberattack might result in the attacker taking control of the home’s interconnected contents, car and so on.

This leads us to another serious question - who does the data collected through the IoT belong to? In our scenario, would the hacker be able to sell data onto a third party with or without the consent of the owner/user? The ownership of data has other sinister connotations too, for example where the nation state either claims ownership or is otherwise given access to its citizens’ IoT devices such that everyone would be under constant surveillance through the use of each and every IoT device in their lives. This would doubtless result in a state’s ability to successfully prosecute anyone it wished or to micro-monitor a person’s every action. We are aware that Big Data can have significant consequences. Look for example, at the debate around Cambridge Analytica, yet in a smart city of the future access by a nation state to IoT devices would undoubtedly result in Big Data being available to analyse the lives of every citizen. So can we regulate in such a way as to protect ourselves? Furthermore, can criminal law keep pace with the evolving threat and aggregated injuries that smart city crime might bring?

Regulation is not just a problem of the future but of the present. One only has to look at the General Data Protection Regulations (GDPR), which was hailed as the great unifying act for data protection regulation to understand that the cultural and philosophical differences between nations is such that one size of regulation or approach rarely fits all. In the case of the GDPR, while Europe saw fit to put the protection of an individual’s data protection rights at the heart of its regulation, other countries, notably China and Russia, decreed that the state, not the individual was the ultimate owner of data; whereas those countries do pay some lip service to the rights of the individual, the individuals rights' are trumped by the powers of the state in relation to data. The regulation of the IoT would be similarly diverse across the world.

In the UK the current regulatory strategy is set out in Secure by Design: Improving the Cybersecurity of the Consumer Internet of Things Report which was published by the UK government on 7 March 2018. That report sought to introduce a draft Code of Practice for Industry on Consumer Internet of Things ('the Code'). The Code is designed to be applied throughout the IoT sector and, in summary, sets out steps that should be taken by any company supplying devices. The Code recommends that all device passwords should be unique and resettable and that suppliers must avoid universal default values. It also asks that all companies provide internet connected devices and services with a public point of contact as part of a vulnerability disclosure policy so that security researchers and others are able to report issues. It further stipulates that all software components in internet connected devices should be securely updatable and the updates must be timely and not impact on the functioning of the device. The Code also seeks to minimise the exposed attack surfaces by restricting user or program access to only the information necessary for a legitimate purpose and code or hardware, which might expose the device, is to be minimised. The great flaw in the Code is that it is currently voluntary and consequently impossible to enforce in the event of non-compliance. In essence, the current regulation for the IoT is an unenforceable, voluntary code of practice. This is remarkable, if one, by analogy compares the regulation of the IoT to the regulation of food. One can scarcely imagine manufacturers and suppliers of food being politely asked to abide by a voluntary code of practice to ensure that their products are fit for human consumption and not likely to result in disaster. The IoT carries equal if not more potential for humanitarian disaster and its regulation needs to be scaled-up and, so far as possible, uniformly enforced across all regions.

It should be noted, however, that organisations supplying IoT products and services that collect and process personal information may be subject to the Data Protection Act 2018 and/or the GDPR such that in relation to personal data at least there is some effective regulation where it applies. An example would be that device manufacturers and IoT service providers must provide consumers with clear information about how their personal data is being used and by whom, and for what purpose. But the fact remains that such data protection regulation has not been adopted throughout the world and, in an interconnected world, regulation of smart cities that is homogenised and consistent will be difficult if not impossible to achieve. Indeed there are warnings that we face a dystopian future if governments do not seek to regulate devices properly and implement mandatory codes of practice and enforceable regulations. Without this, manufacturers will cut cybersecurity corners in favour of profits and there will be innumerable weak access points for criminals to exploit across a huge surface of interconnectivity that offers significant benefits.

Other risks will doubtless arise from privacy considerations. In the UK e-privacy regulations are to be brought into force which should hopefully provide another layer of useful compliance. But again that is merely the UK not the worldwide perspective and smart cities around the world will doubtless generate all manner of privacy concerns through inter-connection and the inherent insecurity of IoT devices and the aggregated risk that a breach could generate. Smart cities will require smarter regulation, smarter security and a new way of thinking that we have yet to successfully apply to the IoT.