The concept of a big black box monitoring our conversations and actions in our own homes is unsettling. But the benefits of having an Internet-connected TV are wonderful. From the couch we can summon up the latest on-demand movies from the Internet using only our voices, streamed from our any number of our favorite services (whether Amazon, Netflix, or something else entirely). We also have access to specialized content beyond movies and television (e.g. Twitch.)
How can we move IoT innovation forward while providing more control over and transparency into how these devices work and what they’re doing with our personal information?
First, I will provide a quick roundup of some of the concerns and issues with IoT devices. Then, I will provide high-level recommendations to manufacturers and consumers to improve their IoT security.
Internet of Things ‘Spying’
IoT monitoring is real and that means hacking these devices can put consumers at risk of being spied on. Businesses need to be aware of these risks because IoT adoption is on the rise in corporate settings and already a mobile reality when looking at the convergence of personal and business use on BYODs. Likewise, manufacturers need to be aware that failing to manage the security of their devices and the data collected by them will lead to exposure of their customers’ private information, in turn leading to reduced consumer confidence and (potentially) fewer sales down the road.
Some of the more interesting IoT issues to date include:
Samsung responded quickly by clarifying their policy to make clear that the intent is not to “spy” on people’s private conversations. However users of these TVs, including businesses that have them set up in conference rooms, should be aware that voice commands are sent to a 3rd party
Even if owners of the TVs are comfortable trusting Samsung and their 3rd party (Nuance) with their voice commands, it’s notable that earlier versions of the Smart TV were found to be hackable allowing attackers to turn on cameras and access apps.
Baby Monitors: In August of 2013 a couple in Houston heard a stranger talking to their 2-year-old daughter through the baby monitor. The monitor in question, a Foscam, allows for remote monitoring from around the world. Remote access is a handy feature for parents away on a trip that want to check in on things at home, but quite distressing if that remote connection has been hacked into by a malicious stranger.
Foscam was in the news again recently when another camera was hacked and the stranger addressed the nanny. In both cases, steps like firmware updates and camera password protection could have prevented the hacks, but most baby monitor users are not IT security experts who know how to (or even that they should) do these things.
Cars: Hacked cars that seize steering and brake controls from drivers make for good television, but are extremely difficult to pull off outside of a proof-of-concept right now. What isn’t all that hard? Hacking the remote locks. In February BMW issued a fix to their ConnectedDrive software that allowed attackers to unlock cars and start car engines from their phones.
GPS: As creepy as someone virtually getting into your house by hacking a camera may be, it’s also unsettling to think of attackers tracking your every move when you’re out of the house. Recently IBM researchers reported that 73% of mobile dating apps tested had access to GPS data and that 60% of the tested apps had some kind of vulnerability that could lead to attackers accessing private data.
Preventing Misuse of the Internet of Things
Digging a bit into the examples above, there are a few things manufacturers can do to get a handle on the situation.
The first is to build security in. Most of the time, if a device is vulnerable to a remote attack, it’s because the software that’s running on it or controlling it is flawed. This is the case in the dating apps and BMW software mentioned above. My quick take on how to build in security is available here, but the following are some excellent deep resources available on the topic:
- Gary McGraw’s “Software Security“
- Michael Howard’s “Security Development Lifecycle“
- Community Emergency Response Team Coding Standards
- The Open Web Application Security Project Secure Coding Principles
- The U.S. Department of Homeland Security’s Build Security In website
Manufacturers should also communicate best practices. Even though Samsung’s policy caused some alarm, the company was on the right track in being explicit with users about data risks. Those who manuf
acture IoT devices should write short, clear notices about which sensitive data is being collected, how it will be used and who besides them may have access to it.
Manufacturers can also help consumers use their systems more securely by requiring a password or default password reset during installation — which would have sidestepped the Foscam password issue — and creating a way to reach all users when software updates are issued. This could include consumer outreach or remote auto-updates.
Business and consumer users of these devices can do the following:
- Review privacy and use policies published by the manufacturer. If you don’t like what the policy says, don’t use the device or app.
- Change default passwords, and don’t forget to make the new password strong and unique.
- Monitor the manufacturer’s site for announcements about patches and software updates to ensure you have the most recent versions.
If manufacturers build security into their IoT software and devices and users take precautions, we can hopefully all enjoy the benefits of IoT without being spied on by cybercriminal Big Brothers.