Call Security! — IoT Will Take Privacy Risk to the Next Level
The Internet has done so many great things to create excitement and efficiencies in our lives. We shop, we bank, we socialize, we learn, we do so many things on the web. With our increased reliance on the web, more information about our personal lives and private information such as credit card and social security numbers are being transmitted via the internet, and can potentially be obtained by hackers. As we have become more reliant on the Internet, concern has always been voiced about the security of this information. Engineers, business folks, politicians…just about everybody is concerned that one breach could turn their livelihoods upside down. We have heard about high profile security issues such as Hillary Clinton sending and receiving highly confidential government emails on her unsecure network, or Sony Films being hacked after releasing the controversial movie, “The Interview”. We also are aware of personal risk when we provide our credit card while shopping online, with the hope that each transaction doesn’t put our credit card information in the wrong hands.
Luckily for us, there have been standards set in place to secure our information on the web. The Electronic Frontier Foundation launched HTTPS Everywhere to ensure every website and person can reap the benefits of HTTPS encryption by using a browser extension. Sift Science has come up with a complex machine-learning algorithm to detect and notify businesses of fraudulent activity on their websites. We all know websites and transactions can be hacked, and there are numerous measures in place to fight this fraudulent activity on the web. However, our Internet lives do not only live on the web. Cell phone carriers such as Verizon and AT&T have poured in large amounts of cash to ensure mobile activity using the 3G and 4G LTE networks are protected. Wifi activity is typically protected by your router. Up until now, it has been fairly simple, web activity is sent through your router using http and https protocol, and your cell phone activity is sent through your router or your cell phone service provider. Each person only has a handful of machines and networks that store their information, so the data is not too complex to protect. This is not to take way from the hard work put into implementing this security, but the scope of potential breaches that we have today is nowhere near what it is about to be. Though we certainly should be concerned that our credit cards may be stolen or our MacBook camera could be hacked, but the number of devices that can be compromised today is minimal.
With the rise of the Internet of Things, that will change. The number of devices taking in information about us will be exponentially higher, and the number of ways this information can be compromised will in turn increase as well. Earlier this month a Fisher Price smart stuffed animal exposed vulnerabilities to being hacked. The toy was not properly verifying the sender of messages, which would have allowed a would be hacker to send messages due to this vulnerability. This is just one of numerous cases of a new smart hardware devices exposing vulnerabilities to being hacked. Connected cars can potentially be compromised by hackers who can unlock doors or even shut down the car in motion. Wearables such as fitness trackers and smart watches can compromise one’s health data, and smart watches can give up any information that is being typed. Hackers will be looking to expose all these devices, so we must be ready to defend them. We can certainly take some notes from the Military, who have protected connected machines for decades. Lieutenant General Edward Cardon, Head of Army Cyber Command, has stressed that we must invest in defense against IoT hacks and exploits.
Putting some of the doom and gloom aside, some great news came out yesterday showing our carriers are taking IoT security very seriously. The GSM Association released a set of requirements to address the current insecurity of IoT devices. This is a positive sign that shows data carriers understand how insecure networks are at this point, and how far we need to go to be able to support IoT devices going mainstream. Many mainstream carriers such as AT&T, China Telecom, Orange, and Verizon have agreed to support this initiative. It is important that all device makers and networks develop the proper protocols to ensure security, but that is just half the battle.
Smart devices will no doubt create enormous efficiencies in our lives, but even if one hundred percent secure, we must address the issue of the government accessing our devices if we want to maintain personal privacy. Director of National Intelligence James Clapper made clear that the Internet of Things provides intelligence agencies opportunities to spy on targets, and potentially the masses. According to Clapper “In the future, intelligence services might use it for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials”. CIA director David Patreus seemed excited that the Internet of Things provides the government the ability to spy on people in so many ways. We currently have cameras and microphones on our laptops, our phones, our televisions, and our video game systems. Samsung has even warned people in the fine print of their new television sets not to talk about sensitive information in front of the television. With Nest, our thermostats collect information about us, as do our Fitbit wristbands or Apple smart watches. Soon we will have refrigerators, cars, dishwashers and even jeans that transfer private information about us. IoT can create a fun and exciting connected world, or it can create 1984 forty years later. As the former Director of CIA and NSA General Michal Hayden argues, we must have end to end unbreakable encryption, where law enforcement does NOT have the keys to encrypted devices and communications. I could not agree more with General Hayden.
With the rise of the Internet of Things comes so many possibilities. So many exciting and efficient solutions to our every day problems are being created every day with machine-to-machine Internet communication. However, if we do not ensure maximum security for all our devices and networks before these products hit the market, they may do us more harm then good. The solution is two-fold: one in the technology space, the other in the political space. Firstly, smart hardware and software companies MUST take personal responsibility to ensure there are vulnerabilities in their product before they hit the market. This type of caution is not taking place now, and must happen going forward. Secondly, the government should not use these PERSONAL devices as tools to spy on people. There is a certain privacy that needs to be embraced with our personal items. Open encryption will allow so many paths for government corruption that I do not want to go into at this point. Because we do not expect our devices to be accessed by the government, we cannot expect them to be regulated or governed as well. This puts the onus on technologists to ensure end to end encryption and flawless security. Anyone who has read my blog knows how excited I am about smart devices and a world of connected things, but lets make sure we have the infrastructure in place before we start building houses. And since we cannot expect our government to regulate the Internet, the businesses creating these wildly creative risky devices must hold personal accountability in protecting their customers, and the same technologists who have protected us from the maliciousness of the web will now need to focus their attention on all the things around us, and the networks that allow them to converse.
Written by: Karl Lashkari on February 26, 2016.
Originally published at bizofthings.com.