I gave an Internet of Things (IoT) security and privacy keynote half a dozen times throughout the world last year, along with as many executive presentations. These presentations described the lack of security and privacy engineering within the devices themselves and related contributing factors. Throughout the recent holiday season, news broadcasts and publications warned about new IoT breaches, often resulting from insufficient data security controls being engineered into the devices, hacking into the data transmitted through the smart devices and misusing access to associated data in IoT devices. Several news reports throughout the past year also warned of vulnerabilities of IoT devices by nation-state hacking, along with many activities from cyber criminals.
As we mark Data Privacy Day today, it is worth taking a long, hard look at some common information security and privacy risks that exist within and related to IoT devices that have allowed privacy breaches and data security incidents to occur. Here are five common problem areas for IoT security and privacy:
1. Most smart devices do not have security or privacy controls built in to protect sensitive data transmissions. Those comparatively few that do have controls typically do not have them set to be secured by default, and as a result those using them do not set security controls, mistakenly believing that since they were advertised as having security built in that security was turned on by default. The users then unwittingly leave themselves wide open to unauthorized access.
For the hundreds of IoT device and app developers I’ve spoken with and done assessments for in the past several years, I have not found any smart device creator that had all of the following security and privacy features built into their device, and enabled by default:
- Strong encryption for data in storage and in transit
- Multi-factor authentication
- Activity logging
- Device management user interfaces
2. Device vendors and manufacturers are using and sharing your data collected through their devices and apps. Data is widely shared not only throughout the vendor business units, but also with downstream third parties, many of which the device users would be surprised to know about. A few examples include cloud sites for other smart devices, government agencies, insurance companies, law enforcement, data aggregators, data banks, social media sites and others. Once data leaves the device, the device user has basically lost all control over how that data will be used and shared.
3. Most smart devices have listening turned on by default. They have to listen to be able to “hear” the trigger words to get them to interact. Some devices, such as smart speakers, have been found to not only be listening all the time but also keeping the recordings of all that is said and can be heard. This despite vendor claims that the devices listen and have the associated conversations in the vicinity recorded and stored in the vendor’s clouds, only after the trigger word is spoken. We also know that vendors have large teams of humans who have the job of listening to the types of conversations taking place.
4. Devices are accessible through online connections. A large number of popular IoT devices, including many that are purchased to improve physical security, actually have no authentication or encryption, and can be easily found through tools such as Shodan, allowing potential attackers to establish a direct connection to these devices while bypassing any firewall restrictions. Many devices also have vulnerabilities that allow for unauthorized peeking by cyberstalkers.
5. Smart device builders/sellers have horrible privacy notices that are vague and usually tell you how you do not have rights to control your own data. I’ve reviewed dozens of privacy notices on smart device sites. Some are getting better now that GDPR and CCPA are in effect. However, in those instances, the site often indicates the protections only apply to California and EU residents. A couple of examples:
a. As the privacy notice reads, only California residents have the right to access their personal data if they use a Philips Hue smart lightbulb.
b. The Ecobee Smart Thermostat also gives such personal data access only to California residents.
If you are from some other US state, like Iowa, where I live, then based on how their privacy notice is written, it looks like you’re out of luck if you want to see the personal data they have about you, and if you want all the other rights they are giving to California residents. The same goes for those outside of the US. Well then, I won’t be buying any of Philips smart lightbulbs or Ecobee smart thermostats under their current privacy notices. But how many others will? As long as smart devices, and the providers of apps used with smart devices, are not penalized for having substandard privacy notices, they will continue this privacy-poor practice.
It is time to take action to get these risks mitigated to acceptably low levels, and also to meet the many existing and emerging legal requirements for privacy and data security controls.
Speaking of privacy practices …
As I was writing this article, I received an email from Fitbit (I’ve never subscribed to their messages, and I have never owned a Fitbit). It contained the following images:
As I looked at these stats, I wondered many things, including:
- Can all those steps be broken down and attributed to specific individuals?
- Can all the locations for the Fitbit users’ activities be tracked for each individual?
- Can the specific times of activities be associated with each individual?
- Can all this information be shared, without the knowledge of the individuals, with others, such as law enforcement, insurance companies, employers, and others?
I already knew the answer to all these questions was yes. Of course.
I would love to see a research company, or maybe even a university or an association such as ISACA, track and document, within some type of directory, the smart devices that have:
- Independent validation that they have privacy and security design and data handling practices in place, and
- Privacy policies that not only are easy to understand, but also reflect the organization’s actual practices, and meet all legal compliance requirements.
Is it too much to ask smart device businesses to build security and privacy controls into their devices, and to give consumers accurate information about their privacy practices within posted privacy notices? It seems like it must currently be too much to ask because I couldn’t find examples during my admittedly brief (approximately four hours) search online of any smart device privacy notice that fit these reasonable privacy ideals.
My hope for 2020: to find at least 10 smart devices, from 10 different device building businesses, that address all the previously outlined privacy protections and practices. The time is long overdue for these billions of IoT devices with privacy and security vulnerabilities to be fixed.