The concept of a big black box monitoring our conversations and actions in our own homes is unsettling. But the benefits of having an Internet-connected TV are wonderful. From the couch we can summon up the latest on-demand movies from the Internet using only our voices, streamed from any number of our favorite services (whether Amazon, Netflix, or something else entirely). We also have access to specialized content beyond movies and television (e.g., Twitch).

How can we move IoT innovation forward while providing more control over and transparency into how these devices work and what they’re doing with our personal information?

First, I will provide a quick roundup of some of the concerns and issues with IoT devices. Then, I will provide high-level recommendations to manufacturers and consumers to improve their IoT security.

Listen to the podcast series: Five Indisputable Facts about IoT Security

Internet of Things ‘Spying’

IoT monitoring is real and that means hacking these devices can put consumers at risk of being spied on. Businesses need to be aware of these risks because IoT adoption is on the rise in corporate settings and already a mobile reality when looking at the convergence of personal and business use on BYODs. Likewise, manufacturers need to be aware that failing to manage the security of their devices and the data collected by them will lead to exposure of their customers’ private information, in turn leading to reduced consumer confidence and (potentially) fewer sales down the road.

Some of the more interesting IoT issues to date include:

TVs: Recently the media lit up with news that Samsung Smart TVs could listen in on your private conversations. Interestingly, the media storm was set off, in part, by Samsung’s own privacy policy which read: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

Samsung responded quickly by clarifying their policy to make clear that the intent is not to “spy” on people’s private conversations. However, users of these TVs, including businesses that have them set up in conference rooms, should be aware that voice commands are sent to a third party.

Even if owners of the TVs are comfortable trusting Samsung and their third party (Nuance) with their voice commands, it’s notable that earlier versions of the Smart TV were found to be hackable, allowing attackers to turn on cameras and access apps.

Baby Monitors: In August of 2013 a couple in Houston heard a stranger talking to their 2-year-old daughter through the baby monitor. The monitor in question, a Foscam, allows for remote monitoring from around the world. Remote access is a handy feature for parents away on a trip that want to check in on things at home, but quite distressing if that remote connection has been hacked into by a malicious stranger.

Foscam was in the news again recently when another camera was hacked and the stranger addressed the nanny. In both cases, steps like firmware updates and camera password protection could have prevented the hacks, but most baby monitor users are not IT security experts who know how to (or even that they should) do these things.

Cars: Hacked cars that seize steering and brake controls from drivers make for good television, but are extremely difficult to pull off outside of a proof-of-concept right now. What isn’t all that hard? Hacking the remote locks. In February BMW issued a fix to their ConnectedDrive software that allowed attackers to unlock cars and start car engines from their phones.

GPS: As creepy as someone virtually getting into your house by hacking a camera may be, it’s also unsettling to think of attackers tracking your every move when you’re out of the house. Recently IBM researchers reported that 73% of mobile dating apps tested had access to GPS data and that 60% of the tested apps had some kind of vulnerability that could lead to attackers accessing private data.

Preventing Misuse of the Internet of Things

Digging a bit into the examples above, there are a few things manufacturers can do to get a handle on the situation.

The first is to build security in. Most of the time, if a device is vulnerable to a remote attack, it’s because the software that’s running on it or controlling it is flawed. This is the case in the dating apps and BMW software mentioned above. My quick take on how to build in security is available here, but the following are some excellent deep resources available on the topic:

Manufacturers should also communicate best practices. Even though Samsung’s policy caused some alarm, the company was on the right track in being explicit with users about data risks. Those who manufacture IoT devices should write short, clear notices about which sensitive data is being collected, how it will be used and who besides them may have access to it.

Manufacturers can also help consumers use their systems more securely by requiring a password or default password reset during installation — which would have sidestepped the Foscam password issue — and creating a way to reach all users when software updates are issued. This could include consumer outreach or remote auto-updates.

Business and consumer users of these devices can do the following:

  • Review privacy and use policies published by the manufacturer. If you don’t like what the policy says, don’t use the device or app.
  • Change default passwords, and don’t forget to make the new password strong and unique.
  • Monitor the manufacturer’s site for announcements about patches and software updates to ensure you have the most recent versions.
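The two password recommendations above (manufacturers forcing a default-password reset during installation, and users choosing a strong, unique replacement) can be combined into one first-run provisioning gate. The following is an added illustration written for this article, not code from any manufacturer; the default credential list, the 12-character minimum and the function names are assumptions.

```python
# Added example (not from the original post): a device setup gate that keeps
# remote access disabled until the factory default credential is replaced by
# a strong, non-default password. Names and thresholds are hypothetical.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample of factory (username, password) pairs a device might ship with.
KNOWN_DEFAULTS = {("admin", ""), ("admin", "admin"), ("admin", "1234"), ("root", "root")}


@dataclass
class DeviceState:
    username: str = "admin"
    salt: bytes = b""
    pw_hash: bytes = b""        # empty until the owner has set a password
    remote_access: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked config does not hand over the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def password_problems(username: str, password: str) -> list[str]:
    """Return the reasons a candidate password is unacceptable (empty list = OK)."""
    problems = []
    if (username, password) in KNOWN_DEFAULTS:
        problems.append("matches a known factory default")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() == username.lower():
        problems.append("equal to the username")
    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    return problems


def set_owner_password(state: DeviceState, password: str) -> list[str]:
    """Store a new password only if it passes the policy; return any problems found."""
    problems = password_problems(state.username, password)
    if problems:
        return problems
    state.salt = secrets.token_bytes(16)
    state.pw_hash = _hash(password, state.salt)
    return []


def enable_remote_access(state: DeviceState) -> bool:
    """Refuse to expose the device to the Internet while no owner password is set."""
    if not state.pw_hash:
        return False
    state.remote_access = True
    return True


def verify_login(state: DeviceState, password: str) -> bool:
    """Constant-time check of a login attempt; always fails before setup completes."""
    if not state.pw_hash:
        return False
    return hmac.compare_digest(_hash(password, state.salt), state.pw_hash)
```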

If manufacturers build security into their IoT software and devices and users take precautions, we can hopefully all enjoy the benefits of IoT without being spied on by cybercriminal Big Brothers.

