Smart home appliances are about to enter the dividend period | Yunyun Internet Information Security Standards

On October 30, the 2018 China Household Electrical Appliances Technology Conference was held in Ningbo. At the meeting, Wang Hao, vice president of Haier Home Appliances Industry Group, pointed out that safety is a central line that runs through the development of intelligent technology. Other speakers likewise repeatedly emphasized the importance of information security. The data organization IHS predicts that, with the development of Internet of Things technology, the number of global IoT devices will reach 23.14 billion in 2018 and may reach 75.44 billion by 2025. Smart home Internet of Things technology is still in its infancy, but within the foreseeable 5-10 years smart terminals will enter the dividend period. As a result, data will be more widely connected, and the hidden dangers of information security will expand with it.

To cope with the security risks of the smart home appliance Internet of Things era, the 'Yunyun Internet Information Security Team', initiated by the China Household Electrical Appliances Association, was formally established in April 2018. 'Graffiti Intelligence' is the lead unit, and Bosi Home Appliances, Changhong, Skyworth, Galanz, Haier, Hisense, Whirlpool, Konka, Lenovo, Midea, Samsung, TCL and Yunzhiyi are actively involved.

At this technical conference, Liu Longwei, a senior security expert from the 'Yunyun Internet Information Security Group', reported on the work done after the group was established.


Liu Longwei pointed out that with the advent of the smart appliance dividend period, widely generated data and connections have amplified the information security problem. At present, the Internet of Things development model still focuses on the collection of user information by smart terminals. As smart terminals gain more application scenarios, cloud data security problems and design flaws will be exposed and instability will increase. Once there is a problem in the cloud, a large number of users on the platform will face serious security risks.

At present, there are many Internet of Things communication protocols at home and abroad, but no unified technical standards and security measures have been formed, and the communication protocols also lack standardization. 'At present, many security companies are using their own security protocols, but these protocols have not been verified. If the protocol is not encrypted or authorized, the user's data is easily monitored, tampered with, or even maliciously controlled. In the Internet era, only mobile phones, computers, etc. would be affected; but in the Internet of Things era, smart terminals have penetrated into households and into the public domain. Once a security breach occurs, the impact will be very bad, affecting, for example, the safety of electricity use, and even creating hidden dangers to the user's personal safety.'

In addition, current intelligent Internet of Things applications are built in different ways: some run on their own systems, others on embedded platforms and systems supplied by third parties, and they use many transmission channels. This makes terminals more vulnerable to physical attacks, means vulnerabilities cannot be patched effectively, and increases the cost of upgrades. Uniform technical standards and privacy standards are therefore imperative.

Liu Longwei reviewed the Internet of Things security incidents of 2017. For example, in March, Spiral Toys exposed 2 million parent and child voice messages. In April, more than 40 serious security vulnerabilities were disclosed in Samsung's Tizen operating system, involving Samsung smart TVs, smart watches and other equipment, and more than 40 million devices were affected. In the same month, drones repeatedly intruded on Chengdu Shuangliu Airport, and more than 100 flights were forced to land or return. In July, Avanti Markets vending machines leaked user data, and the personal information of 1.6 million users was leaked. In August, 175,000 security cameras manufactured by a company in Shenzhen were exposed; also in August, a list of Telnet passwords for over 1700 IoT devices was leaked. In September, a serious security vulnerability was disclosed in the Bluetooth protocol, affecting 53 billion devices worldwide...

Large-scale data privacy leaks and the exposure of security vulnerabilities mean that, in recent years, the problem of smart devices being maliciously attacked and controlled has become more and more serious. 'In the future, the security reports we see will no longer be millions of dollars, but thousands, ten thousand, billion scale.'

Liu Longwei believes that, because of the large number of devices and the variety of technical means, the development of IoT security technology is fragmented and disordered, and it must be put on the right track. This became the basis for establishing the Yunyun Internet Information Security Group. 'Cloud-to-cloud interconnection is essentially the opening of one enterprise cloud to another. For example, in the previous closed-loop system, Haier's platform can only control Haier's products, and Midea's platform can only control Midea's products. But after the interconnection, Haier's software can also control Midea's products, which is extremely friendly and convenient for users. But as the cloud boundary expands, the risk entry points are also increasing, the risk to information system management is increasing, and the threat to data and privacy security is also increasing. When one cloud platform is affected, it will pass this impact on to other platforms. This raises the following interconnection security requirements: improved information security entry barriers, unified security technology standards and solutions, standardized information security management, and data and privacy safety protection.'

According to Liu Longwei, there are no unified information security standards and regulations at home and abroad, but all countries are actively developing similar standards. Examples include the domestic 'China Network Security Level Protection', 'Trusted Cloud Service Certification' and 'Information technology security assessment standards', and internationally the ISO information security standards, the ISO2017 cloud service security standards, and so on. 'The current information security standards lack attention to the unique scenarios of the Internet of Things, but privacy and security gradually have clear legal requirements. The General Data Protection Regulation (GDPR) issued by the European Union is the world's first legal definition of data security. Currently, countries such as the United States are actively formulating similar laws. We believe that with the development of the Internet of Things, there will be more and more laws to regulate the implementation of information security.'

In this context, the Yunyun Internet Information Security Team was born at the right time. 'Since the formation of the group in April, the member units have held a conference call every 1-2 weeks. In April and May, the standard outline was finalized. After that, standard drafting and continuous revision began. In August, a discussion version of the standard, "Smart Appliances Cloud and Cloud Interconnection Standard Part 2: Information Security (Draft for Comment)", was formed. Currently, we are in the process of seeking comments.'

Liu Longwei said, 'The purpose of this information security standard is to help interconnected enterprises reach a consistent information security specification, protect the rights and interests of both parties, and contain the security risks arising from sharing. The first part of the standard mainly focuses on the interconnection security specification. The interface technology security of different enterprise clouds is standardized, including the right to use interfaces, security protocols, authentication and authorization, follow-up services, etc. The second part deals with security event management requirements, standardizes the collaborative management of security events, and regulates which are individual responsibilities, which are shared responsibilities, and the terms of service in the governance process. The third part deals with data and privacy protection recommendations for smart terminal products: data privacy across the entire life cycle, from research and development, manufacturing, logistics, services and use to destruction, is standardized, and the unified technical means and corresponding guarantees are standardized.'

At the meeting, Liu Longwei also publicized the standard outline. The interface security part includes communication security, authentication and authorization, data filtering, error information processing, service stability and log auditing. The security event management part includes security event management and grading, responsibility model, terms of service, emergency response, time notification, continuous improvement, etc. The privacy security part mainly includes data generation and collection, data transmission, use, preservation and destruction.

At present, you can visit www.cheaa.org to provide feedback on the draft standard, in order to better promote the safe development of smart home appliances.