IoT devices: Security and privacy before you hit ‘okay’


Like most people who live in São Paulo, Brazil, I have a busy daily routine where time management is increasingly important. Unfortunately, one of the things I often neglect is my health, so I visited my doctor. After a battery of tests and a stern lecture, the doctor said: “You either start exercising regularly again or you are lost.”

I got the message and went to work. Since I like technology, I sought out smart devices with sensors and applications that could track dieting and exercise results. It didn’t take long to find devices for diet, running and heart monitoring.

Up and at ’em!

I was now fitted with the most modern health support technology. I configured the initial settings for the applications and started my exercises without paying much attention to the instructions. The applications asked me to create a user account (not another application account? Oh well, I’ll just use my Facebook). I was finally ready to start training.

The Nike+ Running app was fantastic! It monitored all the statistics of my exercises, my vital signs and even my location – and it was all accessible from anywhere, as my information was synchronized in the cloud. It even measured the mileage of my shoes (which are Mizuno, but Nike does not need to know this). After a month or so, my health was improving. I could see the results — everything was perfect! I could see the value in this Internet of Things and all these smart devices.

Uh-oh . . .

One day at a family event, a friend of my mother – a person I had never met – approached me and said, “Wow! I see that you run five kilometers every day! Your heart rate looks great! I also saw that you kept exercising even when you went to Paris! By the way, you need to exchange your running shoes – they’re about worn out.”

Inside, I was taken aback, but politely asked: “I appreciate your comments, but how do you know all this about me? Do I know you?” To my surprise, she answered: “Oh you do not know me at all (laughs). I saw your mom ‘like’ all your races on Facebook so I started to follow your profile. Oh, by the way, the Diet and Health app said you have been drinking too much Coca-Cola Zero. That’s not good, it has too much sodium.”

While driving back home to São Paulo, I kept thinking about how a complete stranger knew so much about me. I did not post anything on Facebook. I had no idea who she was! She is not part of my circle of friends. And she knows my heart rate! How is this possible?!

Aha!

As I pulled into the driveway, it hit me: “Remember that application account setup using your Facebook account? Remember that gigantic privacy statement in tiny print you thought was too boring to read? Remember all those ‘okay’ buttons you pressed without even reading the messages?”

This true story is an example of how privacy and personal information are being compromised by technology, mobility and the sharing of information in real time through social networks. Most people – millions of them – don’t realize what they did that exposed their personal information to the world.

IoT accelerates this compromise of privacy, but it is also part of the New Style of Business for companies, bringing innovation applied to the needs of people. Sensors are everywhere, relevant information is exchanged in real time and data is stored in the cloud. This generates cost savings for companies and benefits consumers. This is exciting, but also troubling, especially when it comes to issues of privacy and security.

Privacy

Massive collection of personal information. Financial, health and physical information can be used to map a behavior profile. For example, an insurance broker can use behavioral mapping to identify a possible pre-existing disease and decide not to offer a person health insurance.

Exposure. Most privacy terms of use say the company is responsible for maintaining the safety of the data it collects, but the data can also be used for business purposes (including being shared with business partners). For example, what recourse do you have when someone arbitrarily takes pictures of you with a mobile phone and posts them on social networks?

Lack of privacy protection laws. There are several efforts to create standards and laws to protect people’s privacy in terms of technology data exchange. Many of these efforts are in the nascent stage. In Brazil, we have seen progress, such as the law No. 12.737 of 30 November 2012, known as Law Carolina Dieckmann.

Security

Hardware. Smart devices usually have limited hardware protection; security and privacy controls are often left out (e.g. SSL support).

Shared or public networks. Smart devices can be connected to a wireless network at your home or to public Wi-Fi (e.g. at a Starbucks). This can make your device vulnerable to others on the same network.

Physical location. Your friends may gain physical access to your IoT devices. A former friend can try to set up some of the devices while still having access to your house. For some devices, such as a security camera, an attacker can simply cut the cables to turn them off.

Software. Applications developed for devices face the same challenges as traditional applications. However, this is aggravated by the hardware limitations mentioned above. OWASP did a great job defining the OWASP Internet of Things Top Ten list of common vulnerabilities that can be found in IoT software, including:

  • Unauthorized access to or misuse of personal information
  • Creating access doors that enable attacks on the enterprise API layers
  • Unencrypted data transmission

Companies like AT&T, Cisco Systems, General Electric, IBM and Intel formed the Industrial Internet Consortium (IIC) in a combined effort to define an IoT security framework. Instead of defining new standards, they plan to work around existing standards to make products from various vendors work seamlessly together in the real world.

All in all, though some say personal privacy is the price we pay for living in a connected world, you can take steps to control the privacy of your personal information. Some precautions include carefully reading instructions and paying attention to set-up processes, especially before you hit the “okay” button. Security and privacy of the IoT must continue to improve because your personal information is very valuable to you – and to others!


Comments

  1. Douglas Nunes de Mello says:

    Great work!

Trackbacks

  1. […] Unfortunately, as we’ve seen time and time again – whether talking consumer or enterprise-class products – security and privacy are not usually an integral part of the plan. Have a look at Andre Luiz Silva’s piece on IoT security and privacy. […]
