Internet of Things devices offer almost no security protections
A Disrupt New York 2016 panel said the fact that so many devices collect information about us poses a serious privacy risk because data could be intercepted, and also creates enticing targets for criminals, hackers, law enforcement, and intelligence agencies around the world.
“It's a field of dreams problem because if you collect the data they will come,” said Electronic Frontier Foundation senior staff attorney Nate Cardozo. The best way to avoid exposing our personal data to attackers is to not collect it at all. That makes sense because data that isn't collected can't be stolen or seized.
That doesn't, however, protect users from data intercepted via sensors, cameras, and microphones in real time, nor does it address another glaring hole: many smart devices and embedded systems have serious security flaws their designers aren't addressing.
Mr. Cardazo said,
Those companies that have engineering staff but no security staff don't know what to do with a vulnerability report. And in my practice when I'm counseling a hacker or a researcher whose doing vulnerability reporting, the big guys, the software companies, those are nearly always seamless. Apple knows what to do with a vulnerability report… But medical device companies? They don't have a fucking clue.
That's bad news for the public, but good news for governments. Harvard University released a report earlier this year detailing the extensive security issues with Internet of Things devices and how they could be exploited by governments for surveillance activities.
“When, say, a television has a microphone and a network connection, and is reprogrammable by its vendor, it could be used to listen in to one side of a telephone conversation taking place in its room – no matter how encrypted the telephone service itself might be,” the study said. “These forces are on a trajectory towards a future with more opportunities for surveillance.”
Apple is already a step ahead in that game because its HomeKit platform has strict security and encryption requirements for device makers. Assuming they want to offer HomeKit-compatible devices, Apple's security and encryption has to be baked into their products, making for a level of protection that otherwise might not be there.
That doesn't do anything to stop law makers from proposing legislation requiring companies to include openings through device security features for surveillance and data collection—something some politicians are already proposing. If a bill requiring back doors into devices becomes law, all security bets are off and encryption becomes nearly worthless in products that offer it.
Until that day comes, smart device and embedded system makers need to step up their security game and give customer's data and privacy some serious protection.