The concept of a big black box monitoring our conversations and actions in our own homes is unsettling. But the benefits of having an Internet-connected TV are wonderful. From the couch we can summon up the latest on-demand movies from the Internet using only our voices, streamed from any number of our favorite services (whether Amazon, Netflix, or something else entirely). We also have access to specialized content beyond movies and television (e.g., Twitch).

How can we move IoT innovation forward while providing more control over and transparency into how these devices work and what they’re doing with our personal information?

First, I will provide a quick roundup of some of the concerns and issues with IoT devices. Then, I will provide high-level recommendations to manufacturers and consumers to improve their IoT security.

Listen to the podcast series: Five Indisputable Facts about IoT Security

Internet of Things ‘Spying’

IoT monitoring is real, and that means hacking these devices can put consumers at risk of being spied on. Businesses need to be aware of these risks because IoT adoption is on the rise in corporate settings and is already a mobile reality, given the convergence of personal and business use on BYODs. Likewise, manufacturers need to be aware that failing to manage the security of their devices and the data collected by them will lead to exposure of their customers’ private information, in turn leading to reduced consumer confidence and (potentially) fewer sales down the road.

Some of the more interesting IoT issues to date include:

TVs: Recently the media lit up with news that Samsung Smart TVs could listen in on your private conversations. Interestingly, the media storm was set off, in part, by Samsung’s own privacy policy which read: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

Samsung responded quickly by clarifying their policy to make clear that the intent is not to “spy” on people’s private conversations. However, users of these TVs, including businesses that have them set up in conference rooms, should be aware that voice commands are sent to a 3rd party.

Even if owners of the TVs are comfortable trusting Samsung and their 3rd party (Nuance) with their voice commands, it’s notable that earlier versions of the Smart TV were found to be hackable, allowing attackers to turn on cameras and access apps.

Baby Monitors: In August of 2013 a couple in Houston heard a stranger talking to their 2-year-old daughter through the baby monitor. The monitor in question, a Foscam, allows for remote monitoring from around the world. Remote access is a handy feature for parents away on a trip who want to check in on things at home, but quite distressing if that remote connection has been hacked into by a malicious stranger.

Foscam was in the news again recently when another camera was hacked and the stranger addressed the nanny. In both cases, steps like firmware updates and camera password protection could have prevented the hacks, but most baby monitor users are not IT security experts who know how to (or even that they should) do these things.

Cars: Hacked cars that seize steering and brake controls from drivers make for good television, but are extremely difficult to pull off outside of a proof-of-concept right now. What isn’t all that hard? Hacking the remote locks. In February BMW issued a fix for their ConnectedDrive software, which had allowed attackers to unlock cars and start car engines from their phones.

GPS: As creepy as someone virtually getting into your house by hacking a camera may be, it’s also unsettling to think of attackers tracking your every move when you’re out of the house. Recently IBM researchers reported that 73% of mobile dating apps tested had access to GPS data and that 60% of the tested apps had some kind of vulnerability that could lead to attackers accessing private data.

Preventing Misuse of the Internet of Things

Digging a bit into the examples above, there are a few things manufacturers can do to get a handle on the situation.

The first is to build security in. Most of the time, if a device is vulnerable to a remote attack, it’s because the software that’s running on it or controlling it is flawed. This is the case in the dating apps and BMW software mentioned above. My quick take on how to build in security is available here, but the following are some excellent deep resources available on the topic:

Manufacturers should also communicate best practices. Even though Samsung’s policy caused some alarm, the company was on the right track in being explicit with users about data risks. Those who manufacture IoT devices should write short, clear notices about which sensitive data is being collected, how it will be used and who besides them may have access to it.

Manufacturers can also help consumers use their systems more securely by requiring a password or default password reset during installation — which would have sidestepped the Foscam password issue — and creating a way to reach all users when software updates are issued. This could include consumer outreach or remote auto-updates.

Business and consumer users of these devices can do the following:

  • Review privacy and use policies published by the manufacturer. If you don’t like what the policy says, don’t use the device or app.
  • Change default passwords, and don’t forget to make the new password strong and unique.
  • Monitor the manufacturer’s site for announcements about patches and software updates to ensure you have the most recent versions.

If manufacturers build security into their IoT software and devices and users take precautions, we can hopefully all enjoy the benefits of IoT without being spied on by cybercriminal Big Brothers.
