Today, our household appliances are more convenient than ever!
Your fridge can keep track of the food in it, along with expiry dates. Every lightbulb in your house can be turned on and off through your smartphone. And the thermostat can intelligently track your activities, setting the temperature based on who is in the house or the time of day. It’s projected that there will be over 20 billion “Internet of Things” devices in our homes by the end of 2020.
The aim of IoT devices is to be so smart that we don’t even need to think about them. They just “work.” However, there is a cost to these items that goes far beyond sticker shock ($50 for a lightbulb?!). When you use these IoT devices, you’re often forfeiting your privacy without even realizing it.
Always Read the Fine Print
Yes, we know that it’s a punchline at this point that nobody reads the Terms of Service. But in the age of IoT devices, you absolutely should! These devices can record audio and video and often send them to their parent company to be analyzed. Your data is on the line, and the lack of transparency is terrifying.
A recent study performed an in-depth analysis of 81 common IoT devices located in labs across the United States and the United Kingdom. The results were staggering. After 34,586 controlled experiments, the study found that the majority of the devices were sharing massive amounts of information without the owners’ “permission,” including names, locations, email addresses, and more. This data allows the recipients to create detailed profiles of their “customers,” letting them learn shopping habits, the types of IoT devices in a household, and how/why the devices themselves are used.
Information Sharing Across Borders
It’s bad enough when your devices are sharing your information with companies within your own country, but what about across borders? Believe it or not, 56% of U.S. devices were contacting destinations outside of that region. But that’s nothing compared to the 83.8% of U.K. devices that were showing similar behavior.
While you might expect your IoT devices to share information with the company that made them (a first party) or a company that provides outsourced computer resources for the manufacturer (a support party), the reality is quite different. You could be horrified to discover that 72 of the 81 devices were sending information to at least one third-party destination that had nothing to do with the manufacturer, like advertising or analytics companies.
What Kind of Data is Being Shared?
Well, that all depends on the device.
While the study did find that all of the devices exposed information to eavesdroppers via at least one plaintext flow, it also found that passive eavesdroppers could infer user and device behavior from the traffic of 30 out of the 81 devices. And that’s ALL traffic, including encrypted data.
It might not even be data that you expect. Many IoT devices contain cameras, such as network-connected doorbells. These doorbells are sold as security devices, protecting your place of residence from home invasions. Someone rings the IoT doorbell and the movement sensor is activated, causing the camera to start recording them. You can check the video from your smartphone and even communicate with the person standing on your stoop. While this might scare away people who are planning on stealing your belongings, it compromises security in a less obvious way. Those recordings are often sent to the service provider without any notification to or consent from the recorded parties.
This means that, by the simple act of ringing someone’s doorbell, there is a chance that a full-motion video of you could be sent to its manufacturer. Keep in mind: YOU didn’t buy the doorbell. You simply rang it. And yet, a high-quality image of you might be sent to a company that will use it for who knows what. And this kind of behavior is often the norm when it comes to IoT devices that contain cameras. That’s frankly terrifying.
Smart Homes Can Be Unsafe for Data
And here is one of the scariest things: Many of these IoT devices are very, very expensive. Not everyone can afford a smart fridge. That means that the wealthier a person, the “smarter” their home is likely to be. The logical result is that higher-net-worth individuals are going to have much more of their data shared with manufacturers and third parties, simply because they can afford more modern conveniences.
What can you do? The first step is ALWAYS to read the fine print and understand the vulnerabilities and the privacy you’re giving away when you buy an IoT device. Knowledge is power, so understanding the device-dependent policy will mean you know exactly what is going to be shared and what isn’t.
Next, you need to be assured that your home (and office, as there are TONS of smart devices there) is secure from intrusions. We highly suggest the Assurance Option, one of our all-inclusive TSCM/Cyber TSCM services.
With the Assurance Option, we perform threat assessments prior to inspections to identify new corporate espionage threats, along with periodic TSCM/Cyber TSCM inspections. Following the service, you will receive an electronic report that includes inspection results and recommendations to improve your security posture. Also, you’ll get a copy of our “ComSec Threat Book,” a useful tool to educate your team on new bugging devices and corporate espionage tactics.
In the case of IoT devices, one of the most effective protection tools is education. So long as you know what kind of data is being shared, you can protect yourself by keeping potential “weak link” IoT devices out of secure areas in your office and home.
If you’d like to learn more about the Assurance Option, we invite you to read more about it here. If you’re concerned about the ways that the Internet of Things could compromise your privacy and security, please feel free to contact us today!
About the Author:
J.D. LeaSure, CCISM, is the President / CEO of ComSec LLC, a global provider of world class counterespionage and TSCM / Cyber TSCM™ services. www.ComSecLLc.com