A quick survey: how many IoT devices do you think you currently own? Chances are you are way off on the actual number. A main reason is that no one actually knows how many devices are connected to the Internet of Things, and that number is even harder to predict going forward as more manufacturers put Internet-capable chips into more things for a variety of reasons. The current estimate is that more than 50 billion IoT devices will be connected by 2020. Now, you might personally think it is fantastic that your refrigerator uploads a shopping list to your smartphone based on "knowing", through a bevy of sensors and connectivity, what you have and what you are almost out of. But guess who else thinks that is awesome? Cybercriminals. To them, it is akin to leaving the front door of your house open with a sign saying the expensive stuff is in a shoe box under the bed.
IoT in theory makes life easier and more convenient, but in order to do that we willingly give up privacy. The recent Facebook debacle put this front and center, as Cambridge Analytica showed how easy it is to get information on you and your personal habits through apps and devices you eagerly set up and authorized to collect it. Cybercriminals leaving ransomware on computers or spreading viruses through email have made most people more security conscious, for good reason, and we have seen a dramatic rise in the use of VPNs, password managers and other encryption technology on both corporate and personal computers. But the gaping hole is still your IoT devices. They are not secure by default and often are not capable of the kinds of protection afforded to your PC (or Mac): many cannot run endpoint protection, receive patches irregularly or never, and ship with default credentials. For example, that smart fridge of yours may be hacked, and at best its internal temperature gets raised and your milk spoils; at worst it becomes a back door into your network that allows the installation of a key logger or other malware on your real computers without you ever realizing it.
The march towards smart homes and businesses is ongoing, and we pay for it with a loss of privacy. Additionally, this does not stop at the front door. Mobile IoT devices such as fitness trackers, smart watches and even your vehicle all collect data and then sync to your network when within range, bringing outside threats right into your environment. Some of these devices do have privacy settings, but they are not immune to hacking. Recently a particular self-driving vehicle was hacked while in operation, though fortunately the attack only disabled the vehicle by stopping it at a relatively slow speed.
For some perspective, there are three main privacy concerns involving IoT:
- The number of potential data points is staggering. The recent Federal Trade Commission report, Internet of Things: Privacy & Security in a Connected World, noted that fewer than 10,000 households can generate 150 million discrete data points in a single day, and each of those data points is a potential leak or entry point for cybercriminals.
- Private (corporate or personal) information becoming your unwanted public profile. This information can be bought and sold (Cambridge Analytica) and used without your knowledge or meaningful consent to sway your opinion or others' opinions of you or your company, to affect decisions by companies you do business with such as insurers or suppliers, or even to move stock prices or credit ratings.
- Privacy no longer means what you think it means. Devices can be always listening for human speech (Amazon Alexa) or collecting electronic signals such as occupancy (security systems).
This is especially true of smart energy management devices such as water and gas meters, lighting controls, audiovisual systems and HVAC controls that are always on the network and ready to go. All is not hopeless, though. There are strategies to combat unwanted intrusion, but they require active participation. Many smart devices offer opt-out settings during setup, which must be actively selected, that prevent unwanted advertising and marketing material from being sent directly by the manufacturer or from the manufacturer selling your information to third parties. That helps with the more benign problems; for the rest, a stronger approach is required and needs to be followed through on. For example:
- Put IoT devices on their own network segment (a guest SSID or a VLAN), separate from the core home or business network where personal or business-sensitive material lives. Use WPA2 with a long passphrase on the wireless side, and enforce the separation with firewall rules on your router or switch so the IoT segment can reach the Internet but cannot initiate connections into your core network.
- Use a password manager's generator to give each device (and its companion cloud account) its own random password, so that no two devices share a credential and a compromise of one cannot be replayed against the rest. Use a mix of upper- and lower-case letters, numbers and symbols where the device allows it, at the maximum length the device accepts.
- Change your network password every 30 days, and always immediately when a device is lost, sold, decommissioned or suspected of compromise. Note that current NIST guidance (SP 800-63B) no longer recommends forced rotation on a fixed schedule by itself; a long random passphrase that is rotated on those events matters more than the calendar. Also leverage robust firewalls that block unsolicited inbound connections, virus detection, and ad-blocking/tracking-protection software.
- Use a dumber version of a device (non-IoT) if you are still concerned. A device that has no network interface cannot be reached over the network.
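The per-device password step above is easy to state and easy to get subtly wrong (a generator that pads to a fixed length, or one that uses a non-cryptographic random source). The following is an added example, not code from the original article, showing one way to provision unique, maximum-length passwords for a small IoT inventory with Python's `secrets` module. The device names and their length and symbol limits are constructed assumptions for illustration; real limits come from each device's documentation.

```python
"""Per-device password provisioning for an IoT inventory (added example).

Each device gets a password at the maximum length its firmware accepts,
drawn from a cryptographically secure random source, with at least one
character from every character class the device allows, and the whole
batch is checked for accidental reuse before any password is handed out.
"""
import math
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"


@dataclass(frozen=True)
class DevicePolicy:
    """What a given device's firmware accepts (hypothetical limits)."""
    name: str
    max_length: int
    allow_symbols: bool = True


def _classes(policy: DevicePolicy) -> List[str]:
    classes = [UPPER, LOWER, DIGITS]
    if policy.allow_symbols:
        classes.append(SYMBOLS)
    return classes


def generate_password(policy: DevicePolicy) -> str:
    """Return a random password exactly policy.max_length characters long."""
    classes = _classes(policy)
    if policy.max_length < len(classes):
        raise ValueError(f"{policy.name}: limit too short for required classes")
    alphabet = "".join(classes)
    # One guaranteed character from each class, the rest from the full alphabet.
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(alphabet)
              for _ in range(policy.max_length - len(classes))]
    # Fisher-Yates shuffle driven by the CSPRNG so the guaranteed
    # characters do not always sit in the first positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(policy: DevicePolicy) -> float:
    """Approximate upper bound on entropy: length * log2(alphabet size)."""
    alphabet_size = sum(len(c) for c in _classes(policy))
    return policy.max_length * math.log2(alphabet_size)


def meets_policy(password: str, policy: DevicePolicy) -> bool:
    """Check length, allowed alphabet and coverage of every required class."""
    classes = _classes(policy)
    alphabet = set("".join(classes))
    if len(password) != policy.max_length:
        return False
    if any(ch not in alphabet for ch in password):
        return False
    return all(any(ch in c for ch in password) for c in classes)


def provision(inventory: List[DevicePolicy]) -> Dict[str, str]:
    """Generate one password per device and fail closed on any duplicate."""
    creds = {p.name: generate_password(p) for p in inventory}
    if len(set(creds.values())) != len(creds):
        raise RuntimeError("duplicate password generated; refusing to provision")
    return creds


# Constructed sample inventory; the limits are assumptions, not real specs.
SAMPLE_INVENTORY = [
    DevicePolicy("smart-fridge", max_length=32),
    DevicePolicy("thermostat", max_length=16, allow_symbols=False),
    DevicePolicy("ip-camera", max_length=64),
]

if __name__ == "__main__":
    for name, pw in provision(SAMPLE_INVENTORY).items():
        policy = next(p for p in SAMPLE_INVENTORY if p.name == name)
        print(f"{name:14s} {pw}  (~{entropy_bits(policy):.0f} bits)")
```

The generated passwords are meant to live in a password manager, not in a spreadsheet; the script only demonstrates the generation and the uniqueness check. The entropy figure is an upper bound because requiring one character from each class slightly constrains the output space.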
As I wrote about in my last article, Blockchain technology may be the saving grace and is showing quite a bit of promise here. And, since IoT is a $300 Billion a year business and growing, the government, manufacturers and consumers are immersed and involved. The Facebook/Cambridge Analytica incident just brought the security side of it front and center.