Sophos Cloud Optix
The head of the US Federal Trade Commission (FTC) took to the floor of the mammoth Consumer Electronics Show on Tuesday to warn that the Internet of Things (IoT) – that front-door opening, smart plant-watering, mood-light-setting, recipe-suggesting world whirring away in Las Vegas this week – is a threat to our privacy.
Edith Ramirez, FTC chairwoman, wrote in her remarks for a speech at the show that the amount of information about us now being collected is heading toward shockingly intimate portraits of us all:
In the not-too-distant future, many, if not most, aspects of our everyday lives will be digitally observed and stored. That data trove will contain a wealth of revealing information that, when patched together, will present a deeply personal and startlingly complete picture of each of us - one that includes details about our financial circumstances, our health, our religious preferences, and our family and friends.
That’s certainly not news.
One of the more recent alarm bells was rung by HP Security Research, which in August came out with a report that found that smart TVs, webcams, thermostats, remote power outlets, sprinkler controllers, door locks, home alarms, scales and garage door openers were all flunking Security 101, with issues as bad as “Sure, go ahead, we consider ‘1234’ to be a perfectly acceptable password.”
Regardless of these issues not being breaking news, CES is certainly a good place to raise questions about privacy and security, as the makers of internet-enabled things gather to hawk their wares.
As it now stands, Ramirez said, the IoT could do a world of good:
The IoT could improve global health, modernize city infrastructures, and spur global economic growth.
But the potential risks to privacy are as immense as the potential benefits, she said, given that devices are collecting data from “currently intimate spaces” such as homes, cars, and even our bodies:
Connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing, and often sharing vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks.
Beyond the privacy implications of IoT vendors potentially selling or sharing personal data with data brokers/prospective employers/universities et al. (who could pigeonhole us socioeconomically for marketing purposes), inadequate security on smart devices present even more entry points for intruders to exploit (as if data breaches aren’t bad enough already), Ramirez said.
She suggested three solutions for the industry:
- Security by design
Companies should bake in security by conducting a privacy or security risk assessment during the design process; testing security measures pre-launch; using smart defaults such as requiring consumers to change default passwords during set-up; considering encryption, particularly when handling sensitive information like health data; monitoring products throughout their life cycle; and patching known vulnerabilities when possible. - Data minimization
Much of the data collection is being done without clear reason, just in case it’s needed down the road. But all that data increases the potential impact of a data breach. If it hasn’t been collected in the first place, it can’t fall into the wrong hands. - Notice and choice for unexpected uses
We know that the smart thermostat is collecting data on our home-heating habits, and we know our our fitness bands are collecting data about our activity and health levels. But we probably wouldn’t be too happy with the notion that that data was being shared with data brokers or marketing firms. In cases such as these, consumers should be given clear, simple notices of what will happen with their data, along with a way to consent. By “simple and clear,” we’re talking not within a lengthy privacy policy or terms of use.
Those are good goals, and let’s hope that the IoT vendors were listening to Ramirez’s speech.
As it is, one friend who’s at the show reports back that security and protection of customer assets certainly doesn’t appear to be priority number one with IoT vendors he’s spoken to, many of whom just shrug when he asks how their stuff’s protected.
The IoT: it will bake our tortillas, control the household plant watering, release chemicals into our hot tubs, control locks and suggest recipes based on what’s in our refrigerators.
But is it poised to protect our security and privacy?
Let’s hope it can do a better job at it than we’ve seen so far.
As Ramirez said, there are billions of dollars in this growing industry.
The stakes are too high, she said, to gamble with consumer security and privacy.
100% and completely agree with your article. One of the main reasons that I have not adopted IoT completely is the fact that I can’t be sure that my data is secure enough when sitting with some of the vendors. I’m very aware of where my data is sitting and how it can be accessed from the outside world. Example – XYZ company provided a cable modem with WiFi built in. I asked how it is setup (passwords, wireless security, etc.) from the installer and he had no clue and that he “just puts the box in and turns it on”. I immediately went out and purchased a personal router to put in between the cable modem and my internal devices. I’ve since logged into the cable modem wifi router (default logons that I found on Google) and turned off the SSID broadcast. I also change the default logins to something more secure. If I found the information on Google, so can anyone who sits near my home.
I’ve got an interesting anecdote along these lines:
When I got my most recent DSL modem, it had that same built-in WiFi etc. The first thing I did was look up the default root password, which was handily available online. I reset the admin passwords to something a bit more difficult to crack than the defaults, locked down the modem, and was on my way.
Then, months later, when I went to tweak a setting on my modem, I discovered my password no longer worked — turns out the ISP had re-set all passwords to their defaults.
Since I had changed what I thought was the root password, this ability of them to revert the passwords is somewhat interesting, and doesn’t speak well as to the unit’s security nor privacy.
It’s looking like buying your own firewall and installing Tomato or some other open source firmware on it may be the best route these days.
Hiding the SSID is a waste of time.
Sure is.
(More precisely, SSID hiding stops people connecting by mistake, which could be said to provide “safety.” But it provides *no security at all*. In fact, it gives a false sense of security, which makes it arguably worse than no security at all.)
Here is why:
https://nakedsecurity.sophos.com/2013/05/22/busting-wireless-security-myths-video/
Unless business takes security more seriously then at some point all trust in the internet will be lost. I’ve worked in the IT industry for 28 years and know enough not to do financial transactions on line – it’s like playing Russian Roulette
Ironically, in the past year or two, the really big breach stories (e.g. Target, Home Depot, Neiman Marcus) have seen online customers escaping untouched, but those who went into physical stores and paid in person getting hit…
Actually, part of the reason for that is that even “in-person” transactions are online – it’s just that you’re online (to the payment processing system) via the merchant’s PCs on the merchant’s network, not via your own 🙂
Then we’re going back to using coins and dollars. Checks aren’t safe (were never safe?). The convenience everyone wanted so badly has been taken for granted.
A decade or so ago, I was interested in getting a wireless video camera to install in my child’s bedroom (to monitor his sleep patterns). At the time, there was only one vendor providing wireless video cameras. I contacted them, and ask them what kind of security they used to encrypt or obfuscate the data stream.
They asked what I meant. Red flag.
So, I clarified, “what kind of encryption do you use for the video signal you’re sending to the PC”?
Again, they didn’t know what I was talking about. Bigger red flag.
I closed the call with “call me when you know what encryption is”. They never did.
On a whim, I just checked their web site. The only use of the term “security” is for the suite of tools they use to protect your home/business/etc. But, at least they use WPA/WPA2 encryption for at least some of their devices.
However, the word “privacy” does not appear on their web site. Not even a Privacy Policy. Somehow I’m thinking they still don’t get it.
As it now stands, Ramirez said, the IoT could do a world of good:
The IoT could improve global health, modernize city infrastructures, and
spur global economic growth.
In your dreams!
One word:
LEGACY