Not too many years ago, somebody cloned my credit card using the information imprinted on the carbon copy receipt of one of my transactions. Back then, protecting my privacy was as simple as destroying those pieces of paper. Fast forward to now, and I have a piece of tape covering the camera of my computer; I need a VPN client when accessing public WiFi spots; and last night I pulled the plug on my Amazon Echo by my nightstand as I realized that Alexa – and who knows who else – listens to everything. The convenience of our connected devices is fantastic, whether it is related to helping us manage a health condition, our energy consumption, or providing a better quality of life. Having Alexa in the room feels like I’m sleeping with the enemy.
Privacy is an ever-changing concept. What my generation considered to be private, our kids consider public, as we can see in the regular broadcasting of our own Truman Show through social media. This behavior is not exclusive to Millennials, as a new Nielsen Report reveals that their older cohorts, Gen X, spend seven hours per week on social media, 15 percent more time than Millennials do. Gen X and baby boomers' use of social media grew 29 and 64 percent year over year, versus 21 percent for Millennials; we are all part of the tectonic shift in privacy.
It is evident that access to our private information makes us vulnerable, but what’s less obvious than the risk of our social media exposure is the exposure of our private information through our myriad of connected devices. Each device and every sensor is a point of vulnerability, and considering IoT still lacks security standardization, we open ourselves up to significant risk with our personal data. We need to realize that while connected devices tailored to our specific needs at work or home bring many benefits, our personal information is shared to some degree and is potentially open to unwanted eyes. Privacy as a concept is changing as fast as IoT technology evolves.
A large proportion of IoT devices share common chips that are not built to a particular standard of cyber-security. We tend to ignore them as they are just doing their job and forget that each one is a potential window into our privacy.
According to the Thales Data Threat Report, one-third of the people using IoT technologies expose sensitive data through those devices. Despite the personal or critical nature of many IoT tools (medical and fitness devices, video cameras and security systems, power meters, etc.), only three out of ten people report being ‘very concerned’ about their data.
Consumers and enterprises are concerned about exposure through IoT devices, but we all seem to think that somebody else will have the problem, not us.
There is an ever-present tension between consumers demanding that everything internet-related be free or very cheap, and the need for companies to be sustainable ventures. Selling users’ data is a valid business model, and many of the technologies we enjoy today, whether it is social networking or the ability to access the world’s information with a simple search, are sustained with a monetization model based on selling our data to advertisers.
Last week, the U.S. Senate and House voted to repeal regulations approved by the Federal Communications Commission in October of 2016 requiring internet providers to obtain consumer consent before selling or using their precise geolocation, financial information, health information, children’s information and web browsing history for advertising and marketing. Regulations aside, most of that information is already available, as we give our consent to access our data every time we use an online service or activate a new IoT device.
Regulations are merely a baseline and cannot cover the entire gamut of protecting our privacy. Besides, entities that are committing illegal practices anyway do not have high regard for pledging to any regulations.
The joint effort from industry players and security experts on defining a set of standards that can make our connected devices more secure is a meaningful step in the right direction and something that will likely deliver more value than any regulation in place. There is ample support for this approach, and we should see some concrete outcomes by early next year as discussed last February at the CompTIA gathering in DC.
There is a fundamental asymmetry when attackers only need to win once, and defenders can never fail. As the industry lacks a comprehensive set of standards related to security and privacy, an attacker breaking through a particular chip or sensor common to many devices gets access to millions of endpoints. (IoT 360 speaking series: IoT and Cyber attacks – Optio3, Inc March 2017)
Every day we interact with connected devices. The thermostat, the fitness band, our smartphone, the security cameras at the workplace, our smart TV or Alexa on our nightstand. Each connected device brings value to our lives, but if we are not watchful, it can also be an invisible enemy right by our side.
- Seals, Tara. “63% of Orgs Use Cloud, IoT without Proper Security.” Infosecurity Magazine. Infosecurity Group, 17 Mar. 2017. Web. 24 Mar. 2017.
- “U.S. Senate Votes to Overturn Obama Broadband Privacy Rules.” Reuters. Thomson Reuters, 23 Mar. 2017. Web. 24 Mar. 2017.
- 2016 Nielsen Social Media Report
- IoT 360 Cyber Security and IoT (Event) – Optio3 – Seattle, March 2017