Richard Kemp comments in Tech Radar Pro: Could privacy protection be the next commodity?
Hackers and creepy gadgets make the Internet of Things ripe for security products
What have Nest, Amazon Echo, Project Tango and a smart TV got in common? As well as being just some of the thousands of Internet of Things (IoT) devices, they also happen to be collecting, storing and sharing a lot of data on what happens in homes.
“The IoT is a marketing scheme to get more of your data,” says Rafael Laguna, CEO of Open-Xchange. “Amazon and Google have built whole business models around selling you connected devices that monitor your home, listen to your private conversations, and map your home and interior movements, all while collecting huge quantities of personal data,” he says.
Some won’t care, but mostly it’s a case of ignorance. “Privacy protection is already a commodity,” says Christophe Birkeland, CTO Malware, Blue Coat Systems, “but the demand for privacy protection is tightly linked to awareness of privacy issues.”
Technology that invades privacy rights and autonomously shares and distributes personal data is already widespread, but knowledge and awareness of such is limited. For instance, camera surveillance systems routinely have face recognition, while automated license plate readers automatically connect a vehicle with its owner, but who thinks of these as personal data silos?
Open season for hackers
From Samsung TVs and spying GoPro cameras to FitBit bathroom scales, dolls and even dildos, Ken Munro and his team of ethical hackers at Pen Test Partners have hacked into myriad IoT devices. He made the infamous discovery that the Wi-Fi kettle, together with data from social media sites, can be used to track, attack and take over a home network.
The conclusion? IoT security is in the dark ages, exhibiting the sort of security flaws the internet had 15 years ago. “It’s not just IoT devices that have security problems, it’s the cloud services that they consume, and send your data to, that are often the source of data leakage,” says Munro, who discovered that a sports connect wristband and bathroom scales were sending personal data to the cloud without SSL, so it was possible to intercept anyone’s activity details and personal data.
“Everything from access to your contacts, to your emails, your location, your texts and even your voice commands is up for grabs,” says Munro, who blames app developers trying to safeguard future app revenue by ensuring software will have as wide an access as possible to the personal information of the user. “With Joe Public often reluctant to trawl through these permissions, and with little choice but to accept them if they want the app, the type of personal data now floating around in the ‘app-mosphere’ is frankly frightening.”
It’s also a question of how easy it is to hack. “Hacking IP cameras has previously been relatively easy, and as a consequence more people attempt to hack them,” says Gordon Fletcher from Salford Business School’s Centre for Digital Business, who thinks that it’s the pervasiveness of the OS that’s crucial.
“The variety of devices that use Android as their OS means that solving any identified security flaws is a much more complex problem, which is part of the explanation for the more controlled ecosystem approach of iOS,” he says. “The more widespread a technology, and the more variable the types of the devices it is used on, simply multiplies the potential for security headaches.”
Why is the IoT a security risk?
The security risk that the IoT represents is a result of the complexity of the network its devices create. “Different devices connecting to different types of networks in different ways makes it very difficult to consciously design security flaws out of IoT devices,” says Fletcher. He outlines three reasons why the IoT is a security risk; the strength of a network is judged by the weakest link, all devices are potentially a target no matter how trivial, and anything connected to the internet is potentially vulnerable.
A password-protection option will always remain just that. “Where a device is supplied with a default password it is a dangerous design assumption that it will be changed by a user,” says Fletcher. “Creating consumer devices that do not require user intervention to be secure is a good start.” That way, privacy becomes a commodity by default.
The ‘third platform’
Okay, so we’re producing lots of personal data on what we do, what we use, and perhaps even what we say, but surely the data protection laws in place will always apply? “The IoT is an aspect of the ‘third platform’, the convergence of mobile, social and data, with cloud data centres as the engine room,” says Richard Kemp, founder of Kemp IT Law, who adds that it comes with an explosion in growth of unstructured, internet-generated digital data. Much of it is personally identifiable, and so governed by the 100 or so national laws around the world protecting data privacy.
“So much growth in so much personal data threatens to overwhelm data protection law around the world,” says Kemp. In the face of such a massive increase in the amounts of personal data, a new EU draft Data Protection Regulation is on the cards. “It’s likely to lead to other structured approaches and solutions based around more systematised personal control for the individual about how their personal data is used – like value exchanges, tiered permissioning, central storage and audited use.”
In short, you’ll be allowed to choose what you share. Privacy will become a commodity to be controlled by each of us on every device that connects to a network that IoT data-harvesting gadgets also connect to.
Is the smart home safe?
Not yet, as proved by some hacks recently seen on NAS drives that installed ‘ransomware’, encrypting the contents and demanding a ransom fee to regain access. “Imagine if someone could do the same with your internet-connected TV or IoT smoke alarm?” says Gary Newe, Technical Director, F5 Networks. “We need to do more to secure the operating systems these devices run, keep them up to date, and disable services that are not needed.”
Newe advises against mass panic, but insists that the smart home is only as safe as the devices that are used in it. “So far these devices, and their manufacturers, have not demonstrated an ability to create safe devices,” he says.
No silver bullet
“There is no silver bullet in security,” says Josh Bressers, Security Product Manager at Red Hat, who thinks that all parts of IoT architecture need to be secured, from the devices to the gateway tier and the data centre. “We are currently at a very early stage in this new industry, we don’t yet fully understand the challenges we will face around privacy – we all know privacy is important, but how everything will come together is still a mystery.”
One thing’s for sure; the arbiters of the IoT are not going to protect privacy or anonymise personal data unprompted. “If these companies really cared about an IoT, we would see open APIs become the norm in new product development cycles as opposed to the decline that is now occurring,” says Laguna, who recently wrote about Facebook’s updated API. “If 22% of users have stopped using an online service over concerns about data privacy, then it is clear that there is a market for services and commodities that have greater respect for privacy, transparency and trust.”
Privacy has become a commodity like any other, but only for the tech-savvy minority – it’s not yet widely recognised enough to become a mainstream product. Regulators will have a role to play in changing that, but the demand for privacy of often highly personal data will have to come from the general population itself. The stage is set for IoT devices and platforms with far more flexible terms and conditions that put privacy front and centre.