Could privacy protection be the next commodity?

Hackers and creepy gadgets make the Internet of Things ripe for security products

Hacker

What have Nest, Amazon Echo, Project Tango and a smart TV got in common? As well as being just some of the thousands of Internet of Things (IoT) devices, they also happen to be collecting, storing and sharing a lot of data on what happens in homes.

"The IoT is a marketing scheme to get more of your data," says Rafael Laguna, CEO of Open-Xchange. "Amazon and Google have built whole business models around selling you connected devices that monitor your home, listen to your private conversations, and map your home and interior movements, all while collecting huge quantities of personal data," he says.

Some won't care, but mostly it's a case of ignorance. "Privacy protection is already a commodity," says Christophe Birkeland, CTO Malware, Blue Coat Systems, "but the demand for privacy protection is tightly linked to awareness of privacy issues."

Technology that invades privacy rights and autonomously shares and distributes personal data is already widespread, but knowledge and awareness of such is limited. For instance, camera surveillance systems routinely have face recognition, while automated license plate readers automatically connect a vehicle with its owner, but who thinks of these as personal data silos?

Open season for hackers

From Samsung TVs and spying GoPro cameras to FitBit bathroom scales, dolls and even dildos, Ken Munro and his team of ethical hackers at Pen Test Partners have hacked into myriad IoT devices. He made the infamous discovery that the Wi-Fi kettle, together with data from social media sites, can be used to track, attack and take over a home network.

A Wi Fi kettle was used to take over a home network
A Wi-Fi kettle was used to take over a home network

The conclusion? IoT security is in the dark ages, exhibiting the sort of security flaws the internet had 15 years ago. "It's not just IoT devices that have security problems, it's the cloud services that they consume, and send your data to, that are often the source of data leakage," says Munro, who discovered that a sports connect wristband and bathroom scales were sending personal data to the cloud without SSL, so it was possible to intercept anyone's activity details and personal data.

"Everything from access to your contacts, to your emails, your location, your texts and even your voice commands is up for grabs," says Munro, who blames app developers trying to safeguard future app revenue by ensuring software will have as wide an access as possible to the personal information of the user. "With Joe Public often reluctant to trawl through these permissions, and with little choice but to accept them if they want the app, the type of personal data now floating around in the 'app-mosphere' is frankly frightening."

It's also a question of how easy it is to hack. "Hacking IP cameras has previously been relatively easy, and as a consequence more people attempt to hack them," says Gordon Fletcher from Salford Business School's Centre for Digital Business, who thinks that it's the pervasiveness of the OS that's crucial.

"The variety of devices that use Android as their OS means that solving any identified security flaws is a much more complex problem, which is part of the explanation for the more controlled ecosystem approach of iOS," he says. "The more widespread a technology, and the more variable the types of the devices it is used on, simply multiplies the potential for security headaches."

Why is the IoT a security risk?

The security risk that the IoT represents is a result of the complexity of the network its devices create. "Different devices connecting to different types of networks in different ways makes it very difficult to consciously design security flaws out of IoT devices," says Fletcher. He outlines three reasons why the IoT is a security risk; the strength of a network is judged by the weakest link, all devices are potentially a target no matter how trivial, and anything connected to the internet is potentially vulnerable.

A password-protection option will always remain just that. "Where a device is supplied with a default password it is a dangerous design assumption that it will be changed by a user," says Fletcher. "Creating consumer devices that do not require user intervention to be secure is a good start." That way, privacy becomes a commodity by default.