Why a safer future depends on protecting IoT devices [Q&A]

There's been a huge proliferation of Internet of Things devices in recent years, but along with this has come a whole range of new security and privacy concerns.

How are IoT devices secured -- if they are at all -- and what are they doing with our data? We spoke to Rob Shavell, co-founder and CEO of Aine/DeleteMe to talk about security gaps, privacy concerns and more.

BN: When we talk about IoT privacy risks, what kind of devices are we talking about specifically?

RS: The Internet of Things refers to a vast range of network-enabled, 'smart' devices; often normal, everyday items, now embedded with sensors and software allowing them to exchange information over the internet, and offer value-added features and controls.

The most popular current categories of IoT include:

• A diverse range of 'Smart Home' items, from Amazon Echo / Google Home, to the Wi-Fi enabled thermostats, light switches, power sockets, home appliances, and doorbell cameras they control.
• Wearable devices like Fitbit or Apple Watches
• New cars: increasingly, automobiles are now sold with a diverse range of network-enabled features

…but the ecosystem of these devices is ever-expanding. Estimates suggest the number of internet-enabled devices is already in the tens of billions, and is doubling every three to four years. The cost of adding network-enabling sensors and chips to extant consumer devices has become so low that they are now becoming standard features in items many people will never even bother utilizing.

In some cases, it's hard to find standard devices that don't contain this technology -- in my home, I have an internet-enabled alarm clock, picture frame, bathroom scale, exercise bike, refrigerator, and stove, but I've chosen to never employ their networking capabilities for the reasons we're discussing.

BN: What are the current risks and privacy concerns associated with the use of these IoT devices?

RS: The specific concerns vary by device, so it helps to break the concerns into categories of problems with internet-enabling consumer devices:

• These devices create new ways to break things. They create a vulnerable point of failure that can quickly render an otherwise 'dumb', simple piece of hardware useless.
• They're insecure. Many have no real security features at all, and those that do can often never be updated and quickly become obsolete, creating network vulnerabilities. This isn’t just theory: in 2016, the Mirai Botnet exploited millions of IoT devices simultaneously and launched Denial of Service attacks on internet-backbone servers, resulting in temporary global internet shutdowns. And while newer devices tend to be better-designed than in the past, new flaws are being routinely discovered and there are often no simple ways to deliver updates.
• They Benefit vendors more than users. Most devices collect data on how they're being used and report back to vendors or third parties for marketing or monetization purposes. Consumers often have no informed consent or control over what information is being collected, how it’s used, and who it is being shared with.
• They shred basic assumptions about consumer privacy. Ultimately, IoT devices create networks of passive information collection that amount to 24/7 surveillance of surroundings, and that should be of serious concern to consumers.

Many consumers may have no problem with Amazon, Google, or Microsoft having access to data sources, but opinion can quickly change when it's clearer that tech companies routinely share collected information with law enforcement. And while the risk of hackers surveilling individuals is low, some internet-enabled cameras have been so insecure that they've enabled exactly that.

Recent revelations about the behavior of voice-activated assistants like Alexa/Echo and Google Home have led to class-action lawsuits alleging failures to disclose device behaviors. While users are led to believe devices only 'wake up' when given trigger words, the reality is that they record perpetually, and recordings can be retained to help refine accent-sensitivity, vocabulary response, or to identify specific users, or even their moods. These recordings can also sometimes be manually reviewed by vendors' third parties, and have in some cases been inadvertently lost.

BN: Is there any legislation regulating data collection and use from IoT devices?

RS: In December 2020 the US Federal government passed the IoT Cybersecurity Improvement Act, which focuses primarily on ensuring devices used by the Federal government itself met some basic guidelines and security standards. While the law has no real oversight over the consumer marketplace there is an assumption that any Federally agreed-upon security standards will eventually spill over into mass-market devices as manufacturers will seek to minimize complexity, and private-sector businesses using devices will want to ensure compliance with govt systems.

On the consumer level, California enacted similar, security-focused legislation in 2018 (SB-327), which became effective in January 2020, but which observers note suffers from crippling vagueness: requiring that devices sold have 'reasonable security feature(s)', without creating any standard.

Neither law addresses anything about device data collection, whether users will have any right to opt-out, or how that data can be used or shared by vendors. Recently-passed consumer data privacy legislation like California's CCPA/CPRA may eventually have some impact on how devices inform consumers about data collection, but the complexity of the topic will likely make it low-priority for the new oversight agency.

BN: Many users understand these privacy concerns exist, but think it either won't affect them or isn't really that big a deal. Why should people care?

RS: You're right, many people turn a blind eye to the invasiveness of personal data collection -- whether it's IoT devices, social media monitoring, surveillance using facial recognition, or a number of emerging privacy concerns that we’ve been addressing for years.

And, on a granular level, they may be right -- Who cares if Amazon/Microsoft/Google know when I'm home (or not), how brown I like my toast, or whether I sometimes violate the speed limit. We assume that the specific data point is meaningless, or that it’s all being analyzed in aggregate anyway.

The problem is ultimately twofold:

• First -- the sophistication and scale of collection has exploded along with the proliferation of these surveillance devices, to the point where these devices are hoovering up information en masse about minute details of our lives, as well as biometric info (such as our facial features and voice patterns).
• Second -- This data is being collected, repackaged, and in many cases even sold to create incredibly robust user profiles that are used for nefarious purposes. Data brokers like Spokeo, Whitepages, and other people search sites now have data on 99 percent of US adults and are selling this data to everyone from political campaigns to law enforcement agencies to overseas spammers and scammers -- with no oversight and for as little as $.99 per record.

So, I'd say the problem isn't really that a device manufacturer knows how you like your toast -- it's that very soon anyone with a credit card will be able to know increasingly specific details about your personal life, as more data is collected and feeds into these data broker sites. At DeleteMe, we see that as the larger privacy concern, and where citizens need to wake up quickly to the growing threat.

Image credit: Jirsak / Shutterstock