


by C. A. Burnett

Welcome to the Internet of Things. Please check your privacy at the door.

Apr 07, 2015 | 9 mins
Internet of Things, Mobile Security, Privacy

Several things can happen to your IoT data, and most of them are bad. Here are the biggest things you need to worry about.

It knows when you are sleeping and when you are awake. It knows when you’re home and when you’re away. It knows how fast you drive, how many steps you took yesterday, and how hard your heart is working right now.

It’s the Internet of Things (IoT), and it is terrible at keeping secrets.

If the Web resembles the wild west when it comes to personal privacy, then the IoT is a jungle where only the fearless survive. While the privacy threats are similar, the stakes are much higher. Connected devices are collecting vast amounts of deeply personal information from our homes, our cars, and our bodies — far more than any Web site possibly could. The kind of data that’s being collected and what happens to it is governed almost entirely by privacy policies that virtually no one reads and few truly understand. Many IoT devices and apps have no privacy policy at all. And IoT security at this point in time is tissue thin, leaving your personal data at risk from external attack.


The good, the bad, and the ugly of IoT

Several things can happen to your IoT data, and most of them are bad. The first is your information will be used only as intended — allowing you to pump up your workouts, crank down the HVAC, or drive more safely. That’s the good one. The second is that the people collecting this data will use it in ways you don’t expect — like, say, sharing your exercise habits with a maker of dietary supplements. The third is that this data will become an irresistible target for third parties like the police, insurance companies, or a divorce attorney who may be keenly interested in where and when you used that sex tracking device. That data trove could also leak onto the Web, putting you at risk of identity theft as well as embarrassment. The final threat is that external attackers could steal your personal information or use your IoT devices to gain access to more valuable data, like your banking logons.

Here are the three biggest things you need to worry about.

1. Unscrupulous marketers will sell your IoT data

Making money from your data is an essential part of the business model for many IoT companies. For example, in December 2013 Nest CEO Tony Fadell told Forbes Magazine he expects to make more money by sharing data with public utilities — who can use Nest thermostats to more efficiently manage their customers’ power usage — than by selling the units directly to the public.

This kind of data sharing can also benefit consumers. Some Nest users who opted into the data sharing program will see a drop in their energy bills. Fitbit and Jawbone sell thousands of fitness tracking devices directly to private corporations, who offer employees discounts on their health insurance for using the devices. Progressive Insurance offers cheaper premiums to customers who plug its Snapshot telematics device into their car’s OBDII port. (If they prove to be poor drivers, their insurance will presumably go up.) ABI Research predicts that by 2017, the number of drivers whose insurance premiums are tied to an IoT gadget will hit 89 million.

The problem comes when companies decide to sell this data without either informing or benefitting the people who are generating it. Many of these companies have no written policies at all. Symantec’s July 2014 survey of the 100 most popular self-tracking apps in the iTunes Store found that more than half lacked a privacy policy describing the kind of information they collect and whom they share it with.

While there have yet to be any widely publicized examples of companies selling personal IoT data to marketers, it’s only a matter of time, says Philippe Kahn, CEO of FullPower, which makes the Motion X software platform that powers devices such as the Jawbone Up and the Alpina Smartwatch.

“Once IoT is widely adopted and control over the data rests in the hands of current incumbents with the current rules, we have a perfect storm brewing,” he says. “Most of the tech industry is focused on monetizing, with complete disregard of the more subtle issues of privacy. They say ‘it’s all free, so consumers will live with it’. Privacy is a huge price to pay for ‘free’.”

2. Your IoT data could be used against you in a court of law

Last November, Fitbit data was used in a personal injury lawsuit in Calgary, Canada. Lawyers for the plaintiff, a personal fitness trainer injured in a car accident, hope the data will prove she is less physically active as a result of her injuries. Neda Shakoori, an attorney with the McManis Faulkner law firm in San Jose, California, calls wearable fitness trackers a “perfect fit” for litigation.


Of course, such data could also be used against a plaintiff to prove that her physical activity was not impaired, writes Shakoori. It could be obtained by the police and used to determine your location or other information. Dropcam, makers of popular Web-connected home security cameras, told Fusion Net’s Kashmir Hill it has already received a handful of requests from law enforcement agencies demanding footage captured inside people’s homes.

The connected car that lowers your insurance rates when you drive well might some day clock when you’re speeding and issue you a ticket. In a 2012 survey, more than 90 percent of divorce attorneys acknowledged a spike in the use of smartphone data as evidence in divorce cases; IoT could be the new frontier in marital discord.

Bottom line: As long as the IoT data is accessible and can be traced back to an identity, third parties will find ways to use it.

3. Hackers could use the IoT to pwn you

The insecurity of IoT devices is now firmly established. According to a June 2014 report by Hewlett Packard, 7 out of 10 IoT devices have some kind of security flaw — with an average of 25 vulnerabilities per device. Symantec reports that all fitness wearables it looked at were vulnerable to location tracking, and one in five transmitted user credentials in the clear. In recent years, connected security cameras, baby monitors, Nest Thermostats, smart locks, and cars have all been the victims of successful hacks, though mostly by security researchers probing for weaknesses.

The fact is, hackers probably aren’t all that interested in how many steps you took today or how hard you’re cranking the air conditioning. The bigger threat is when they exploit vulnerabilities in IoT devices to gain access to information they do care about, like the traffic flowing across your home network, which may include banking passwords and other valuable information.


To an attacker, a vulnerable IoT device is no different than a misconfigured server, laptop, or desktop computer, says Richard Henderson, a security strategist for Fortinet’s FortiGuard Threat Research and Response Labs.

“I am aware of security issues in some popular devices that create ‘smart outlets’, as well as devices like webcams,” says Henderson. “We know that advanced attackers will use any vector available to them to gain an initial foothold into their target’s environment. Using a smart outlet as a springboard is no different than using a laptop.”

Right now, smart home devices are at low risk of being targeted by attackers, says Mika Stahlberg, director of strategic threat research at F-Secure. That’s partly because there just aren’t enough smart home devices, and because there are far richer targets available — like corporate servers containing millions of records. Eventually, though, they could become a target.

“If you are extremely worried about your privacy and security, the only way to really stay safe is to not buy and use these gadgets,” writes Stahlberg. “However, for most people, the time-saving convenience benefits of IoT and the Smart Home will outweigh most privacy and security implications.”

Figure: A handy guide to home security threats (F-Secure).

50 billion devices can be wrong

The risks of the IoT are not lost on government or industry officials, either. But what they can do about it is fairly limited.

In January, the FTC issued a series of guidelines for private companies to follow to minimize some of the threats posed by the IoT. The feds recommended beefing up the pitiful security found in most of these inexpensive devices, minimizing the amount of data they collect, urging companies to retain that data for as short a period as practical, and giving users notice and choice about how their data is being used.

The agency has also taken action against companies that advertised their IoT products as “secure” when they were in fact not. In addition, several independent organizations are working on security standards for IoT devices, though they are still likely years away.

Members of the US House of Representatives have formed a new Congressional caucus to educate legislators on the security risks inherent in the IoT. (Whether that’s a cause for celebration or concern is a matter of debate.)

Meanwhile, the Internet of Things continues to grow at a phenomenal pace. By the end of this year, some 25 billion devices will be connected to the Internet – a figure that’s expected to double by the year 2020, according to Cisco’s Internet Business Solutions Group.

What will happen to the petabytes of data the IoT will generate is a question no one today can really answer. But we’re forging blindly ahead anyway, hoping solutions appear before anything truly awful happens.

C. A. Burnett writes about privacy and security issues from an undisclosed location.