Will the IoT Ring the Death Knell for Privacy?
Forget space travel to Mars, human beings are building their own brave new world in cyberspace in the form of the ultimate in connectivity, the Internet of Things (IoT). Internet-connected devices are touching pretty much every aspect of our lives. As consumers, we are embracing health wearables like Fitbit, who, as the wearables leader, have over 23 million active users. Other IoT devices, like Amazon Echo and Google Home, are taking off, becoming our little cyber-home-helper, and making our daily lives smarter. For humans as consumers, the IoT is a smart revolution.
But it isn’t just consumers feeling the force of the IoT. Industry has taken up the Internet of Things call and the ‘Industrial Internet of Things’ is blossoming, with all sectors finding innovative uses for IoT devices. From the healthcare industry to energy to car manufacturers, the IoT is being used to enhance efficiency, build better communications, and drive profitability.
So, what is not to like about the Internet of Things? In the rush to get devices out into the world and make sales, certain aspects of the design of IoT devices have been less than perfect. One of the areas that have started to show some cracks, is privacy. In this article, I’ll look at how privacy and the IoT can sometimes be mutually exclusive.
The Mad Chatter of the Internet of Things
IoT devices make a lot of noise, they generate enormous amounts of data. By enormous, I mean zettabytes of data – IDC predicting that around 180 ZB will be generated, per annum, by 2025. This continuous ‘chatter’ needs to be communicated, often in a web-like manner, via devices, to other devices, or the Cloud – often mobile apps sitting in between and managing the device. The device itself is based on sensors. It is these sensors that are at the heart of the IoT, and which collect and create the data underpinning the operations of an IoT device.
The types of data created by IoT devices really depends on the device and what it needs to collect, but suffice to say, it will often be directly or indirectly linked to our Personally Identifiable Information (PII). PII includes anything that can be used to map back to an individual. Typically PII includes attributes such as name, address, email address, social security number, phone number, and so on. But it can also include your location and the websites you’ve visited. In the case of health wearables like Fitbit, this also includes, for example, walks you may have been on, showing the time of the walk, and your geo-location. Ultimately, as more of us has our genome sequenced, DNA will form part of our PII; DNA already being included as part of our Protected Health Information(PHI). In addition, IoT devices are also being used to track and potentially modify our own behavior. This is seen most clearly in marketing related apps, which are utilizing consumer behavior based auditing, to understand and predict shopping habits.
Some Privacy Shockers
With such a large mass of PII/PHI based data being generated by IoT devices, there has, as you’d imagine, been some serious concerns over the privacy of these data. The Federal Trade Commission (FTC) is even running a competition to find tools to address the security issues of home-based IoT devices.
Some of the more worrying aspects of IoT privacy breaches is the idea of being spied upon. Wikileaks, has made claims recently about the CIA using IOT devices to spy on citizens. The CIA hacks being based on zero-day vulnerabilities in smart phones and other Internet-connected devices such as cameras. You can read more about this in an earlier blog we posted here.
Another sinister privacy issue with IoT devices was exemplified the case of the Internet-connected teddy bear spy. A hack of toymaker VTech, resulted in the exposure of over 2 million voice messages between parents and children, along with passwords and email addresses. In an earlier hack of the same company, millions of pictures of children, as well as other PII, was stolen. When the privacy of our children starts to be exposed, then we really do need to sit up and take notice.
When Good IoT Practices Go Bad
The IoT is opening up multiple cans of worms that we never expected. IoT privacy issues can hit in the most unexpected manner, often the original use case being developed for good purposes. It is those cases that need to be risk assessed for privacy issues. Just because you can do something, doesn’t mean you should. This is the case in the Clark County traffic operations use of the IoT. Clark County is using a system to discover Bluetooth devices that have been switched to discover mode. They use this to work out the exit and entry points of cars across the city to improve traffic signaling. In the case of Clark County, they are using Internet connectivity for a positive purpose. However, this is not an opt-in situation for drivers and has the potential to be highly invasive.
In a recent murder case in Benton County, Arkansas, a search warrant was requested to obtain digital records created by an Amazon Echo owned by the defendant. If our IoT devices can record criminal activity happening in our homes and offices, shouldn’t those records be available to police investigating those crimes? Or, do all of us have the right to a degree of personal privacy, no matter what the circumstance? Privacy related questions around the use of IoT for surveillance is one area that will play out across the world as we bring IoT devices into our lives.
To ensure that IoT privacy is upheld wherever possible, and not taken advantage of just because it is digital data, certain organizations are working to keep an eye on IoT privacy related events. These organizations are building standards and best practices in applying privacy to IoT devices, some of the better-known institutions include:
- The electronic Privacy Information Center (EPIC) has recently sent a letter to the U.S. House Committee on Energy and Commerce warning them that U.S. citizens are facing alarming privacy threats from Internet-connected devices.
- IoT Security Foundation who work to ensure security and standards are used across the IoT.
- OWASP who promote knowledge and build advisories around the Internet of Things.
- Industrial Internet Consortium who are a multi-industry team working on an Industrial Internet Security Framework (IISF).
How to Embrace Privacy in the IoT
A while back, maybe 10 years ago, I remember a discourse amongst security professionals about how the enterprise perimeter was expanding outwards from the traditional network walls. At the time, the Internet of Things was a research project. Since then, the Internet of Things has emerged and exploded into our daily lives. As security professionals, we have to take a positive stance on the use of the IoT. It has massive potential to bring efficiencies into the modern workplace, and therefore should not be excluded for privacy or security reasons. Instead, taking a proactive approach to securing our now extinct perimeter, is the way forward. A number of initiatives are working towards having a more intrinsic security layer and standardized interoperability. This goes some way towards making the environment that contains the IoT more secure and privacy-enhanced. However, building IoT awareness into your security planning and strategy is key. The IoT is attracting cybercriminals, like bees to a honeypot, as exemplified by the Dyn attack on the Internet, perpetrated by IoT security cameras. Penetration testing of the IoT layer is vital to allow us to have a brave, but safe, new world.
Susan Morrow has spent the last 20 years of her life working in various areas of security, and more recently online identity. She is most interested in the interplay between the cybercriminal and the victim – the games that are being played out in the world of cybercrime.
Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.
Be Informed. Stay One Step Ahead.
Sign up for our newsletter and stay up to date with the latest industry news, trends, and technologies