Security and the IoT: The Scariest Thing We Don’t [Yet] Know About

As the rush to exploit the IoT continues, can we ever feel truly secure? Is the proper protection of our data just becoming something of a pipe dream? And really, are we entering the creepiest time ever when it comes to security, when something as seemingly benign as pre-schoolers’ toys are at risk? Sadly, following the most recent high profile security breach, which this time supposedly revealed not just account details of millions of users, but also head shots of children, the answer is yes.

The VTech Breach

In case you missed it, a few months back Motherboard reported that a hacker, who claimed to have broken through the security of gadget and toy maker VTech, had contacted them. The hacker, who wished to remain anonymous, claimed they had been able to penetrate the company’s servers and access customer data. The breach affected users of the VTech Learning Lodge and Kid Connect products, which among other things, allows for the exchange of voice and text messages, photos, and drawings between VTech tablets and parents’ smartphones.

The hacker claimed to have accessed details of almost five million adults and more than 200,000 children. In reality, the actual scale of the breach was even worse as VTech eventually confirmed in a press release.

• The company confirmed that 4,854,209 adult accounts and 6,368,509 related kid profiles had been affected worldwide.
• Parent information revealed included name, email address, secret question and answer for password retrieval, IP address, mailing address, download history and password.
• Kids profiles included name, gender, and birthdate.

Worryingly, the hacker also claimed to have found other sensitive material stored on the company servers that they had been able to access. These included headshots of parents and children, audio files, and chat messages between parents and kids. At the time of the press release, an investigation was still ongoing.

Although the hacker says that the team responsible for the breach doesn’t intend to use any of the information, it’s deeply concerning that such private data could fall into the wrong hands, particularly images and details of children. What was the purpose of storing all of that data? And who else might have already have been poking around in the VTech servers, for more nefarious reasons?

Hackable Barbie

Similar to the VTech breach, researchers recently discovered serious security issues in the Internet-connected toy Hello Barbie, powered by artificial intelligence and able to listen and respond to children. Issues related to the app itself as well as the cloud storage used by the doll could have resulted in a major breach. Both ToyTalk and Mattel, the companies who make the doll, have responded that the issues have been corrected, but the reason for concern still exists. The issue is one of trust, and it’s fairly clear that consumers can’t yet trust developers to develop with a security first mindset.

Here’s an example of just one of the problems with Hello Barbie, “Researchers say they discovered that the app contained a number of security problems, including the digital certificates, which are supposed to confirm the legitimacy of the connection between the doll and the app, used a “hardcoded” password. Every app used the same password as part of this verification process—so if an attacker figured out the passcode, he or she could create a fraudulent app that could potentially steal data, including audio recordings, that passed between the doll and ToyTalk’s servers.”

And therein lies the rub. A toy or device is only as “smart” as the people who make it and as secure as they want it to be. In the instance of the Hello Barbie toy, there were mistakes made by the development team. Issues with how the doll connected over wifi as well as the above-described password issue pretty much set the stage for this occurrence. Think I’m being harsh? Think it doesn’t matter just how secure kids’ toys are? Read on.

Take Care What You Say to Your TV

Earlier this year The Daily Beast reported your Smart TV may have the capability to record your conversations and share them with third parties. The report highlighted part of the privacy policy for Samsung’s Internet-connected Smart TV which states:

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.” 

Samsung said in response to the article that they “employ industry-standard security safeguards and practices, including data encryption, to secure consumers’ personal information and prevent unauthorized collection or use.” While there is no reason to doubt this is true and that Samsung treats customer information responsibly and securely, it does serve to illustrate the level of sophistication that our Internet connected devices—and our cybercriminals—have risen to.

Concerns With Physical Connection to the Internet

So, are people concerned about the security implications of the IoT? Well according a report published earlier this year, while interest in the IoT might be high, trust and understanding is somewhat lacking. The Consumer Perceptions of Privacy in the Internet of Things report from the Altimeter Group, suggested that more than half of consumers were “very or extremely concerned” about all aspects of data collection, storage, and use. Although the older generations showed more concern, even the digitally savvy Millennials had misgivings, as this graphic from the report illustrates.

One of the authors of the report, Jessica Groopman writing at TRUSTe.com, gave some context to the evolving implications of the IoT. Jessica put forth the argument that as the IoT reaches further into our physical spaces, the resulting explosion of connections makes the system ever more vulnerable, in the process threatening our privacy, security, and safety. While there are attempts to build on existing legislation, much more needs to be done to educate and protect consumers. As Jessica puts it in her article, “the reality is, a world of ubiquitous sensors and connectivity is unlike anything humanity has seen to date, and requires a fundamental shift beyond litigation.”

Innovation Versus Security and Privacy

The difficulty with the drive for innovation that a new development such as the IoT brings is that security isn’t always at the top of the list for the innovators. Not all of them have the resources of Smart TV manufacturers, or the creative output of Amazon, who are about to flood the world with their Dash Buttons. Consumers generally trust in these types of mega-brands to have the financial clout and expertise to design security into their systems, but even that trust might be not quite yet warranted. Many new innovators, though, are start-ups with bright ideas and limited resources. For them, security and privacy concerns might just take second place as they rush to get their new shiny things to market. And that? It’s a very big deal.

The Internet of Things is still in its infancy, and thus we just can’t anticipate the future. One thing is for sure though; the genie is out of the bottle and our devices are going to be collecting and loading a whole lot more data about our health, fitness, and shopping habits into the ether in future. That’s even before we start to think about the consequences of data breaches like the one suffered at VTech.

There are really only three parties that can get a grip on security and privacy when it comes to the IoT, and that’s legislators, the industry, and consumers. As I’ve already said, the manufacturers and developers may not always have the resources, or even the desire to build deep security into their systems. For their part, legislators face a difficult bureaucratic task akin to nailing jelly to a wall. That leaves the consumer to once again be alert, and educated, when it comes to controlling their own data. The biggest problem here is that all too often, consumers don’t understand the risks.

Writing in the Guardian earlier this year Danny Bradbury speculated that consumer awareness and protection might take the form of devices like the Dowse Box, which allows the user to identify and control what’s connecting to their home network. Bradbury goes on to describe how the developers of the system can even foresee a time when a market for information evolves, with the consumer firmly in control of who can access, and maybe even pay for, their data. The company who figures out how to do and sell that is one I’d like to invest in.

Whatever the future might hold for the IoT, consumers and users of devices need to be watchful about how our data is being collected and stored. We need to read the small print and understand the impact on our security and privacy of devices.

A final thought about the development of the IoT from Bradbury’s article in which he quotes Geoff Webb, senior director of solution strategy at identity and access management firm NetIQ as saying, “The scariest thing is that we don’t know what the scariest thing is.” Now that is a scary thought!

Do you feel that achieving adequate protection for our data as the Internet-of-Things expands is no more than a pipe dream? Do you know how much of your data is being collected and stored via your smart devices? I would love to hear your thoughts.

Other resources on this topic:

MSPs, IoT, and How Consumers Think About Privacy
Who Will Step Up To Secure The Internet Of Things?
How to Secure the Internet of Things

Photo Credit: successteam_1 via Compfight cc