Sophos Cloud Optix
Detectives are being trained to process data gathered from Internet of Things (IoT) “smart” devices for use in criminal investigations, Scotland Yard’s forensic head Mark Stokes has told The Times.
Internet-enabled fridges, toasters, washing machines and coffee makers have endured a mixed press – security flaws that render them potentially hackable have been a recurring theme recently – but to police the forensic opportunity is the real deal.
Consumers are slowly filling their homes with data-gathering IoT devices, which means that tomorrow’s crime scene will start with such items, claimed Stokes: “Wireless cameras within a device such as the fridge may record the movement of suspects and owners. Doorbells that connect directly to apps on a user’s phone can show who has rung the door. All these leave a log and a trace of activity.”
The story is timely, coming only days after police in the US reportedly asked Amazon to give them access to audio data from a suspect’s Echo home hub in case that yields information important to a murder investigation.
In that case, police also noted that the suspect’s smart water meter recorded 140 gallons of water as having been used between 1am and 3am in the morning, hours before victim Victor Collins was found dead in a hot tub.
It sounds like an open and shut case. In principle, police can already gather digital evidence from internet security cameras, so why not other devices too?
In the UK, requesting admissible data from IoT devices shouldn’t even require a change to the law, and should be covered under legislation going as far back as the Police and Criminal Evidence Act 1984 (PACE).
Unfortunately, things won’t be that simple for reasons The Times omits to mention
A fundamental issue is the accuracy and tamper-proofing of the data these devices gather. For example, using IoT data will almost certainly depend on accurate time-stamping and it’s not clear that how many devices can guarantee that to admissible standards of evidence.
In other cases, even accessing the data could prove difficult if that requires a suspect to grant access to a password they can’t legally be compelled to reveal.
As the Amazon Echo cases warns, going to big platform vendors to get around this could cause other problems. As Amazon responded when asked about the police Echo request: “Amazon will not release customer information without a valid and binding legal demand properly served on us. Amazon objects to overbroad or otherwise inappropriate demands as a matter of course.”
Battling wider government demands to loosen encryption, the last thing big tech companies want is to find themselves fending off another attempt to turn them (as they see it) into convenient proxies for official snooping.
Digital data, it turns out, doesn’t work like conventional forensics data such as fingerprints or DNA. Data can be in different places at once and its veracity is open to immediate challenge. Who “owns” it in terms of privacy is unclear.
The day when suspects are convicted of crimes on the basis of data recorded by the fridge or toaster may be some way off yet.
Amazon is rite, the moment they turn over that data they will see a steep drop off of sales. No one wants to think they are being snooped on by the law at all times.
Assuming the IoT device is using TLS then it will require accurate time in order that the encryption will work. However, I would be more concerned if the IoT device has unique keys per device. Odds are it will have the same key as every other device with the result being it can be easily hacked, and if it can be easily hacked then it can have fake data placed on it. I doubt any court of law would trust the data if it could be shown that the IoT device was insecure.
If it for good no problem
Tech companies are in a bad spot with all of this.
On one hand, it’s perfectly reasonable for law enforcement to want to use everything at their disposal to catch a criminal.
On the other hand, if the tech companies give in they will most certainly scare consumers away from some really great new technology.
I hope we can find a happy medium somehow.