The Internet of Things (IoT) is becoming increasingly well known in a world that is becoming more connected. The IoT is no longer a fleeting idea, but a very real phenomenon. Recent figures from Gartner predict there will be 4.9 billion connected ‘things’ in use globally by the end of this year, with as many as 25 billion by 2020.
Whilst it seems the majority are embracing the IoT, some have growing concerns over what it means for privacy and security. Conspiracy theorists are lining up to prove that the IoT isn’t the wonder it is made out to be.
Remember the Samsung TV incident where reporters claimed that smart TVs were listening to your conversations at home? Do you remember when a series of videos was posted on YouTube and Facebook claiming that the stickers affixed to mobile phone batteries were transmitters used for data collection or spying? Or when privacy activists claimed that smart meters were the ultimate spying tool – taking note of the TV shows we watch, appliances we use and music we listen to?
But is this all accurate and something businesses should be concerned about or has it all been over exaggerated?
However, the concerns were confidently dismissed and Samsung assured users their fears were unfounded. Samsung argued the smart TVs weren’t always listening and that they were on a ‘standby’ mode until activated by a pre-programmed phrase.
So logically speaking, how does the smart TV know it has heard a pre-programmed phrase? The microphone must be on, so that ambient sounds and the pre-programmed phrases can be compared. We already know the device can transmit data over the Internet. The real issue here is whether or not data can be transmitted at the wrong time, to the wrong people. What if there was a simple bug that kept the microphone from shutting off, once it’s turned on?
So the actual question is: can we trust that the encryption is done correctly, and nobody has stolen the keys? Can we trust that the third parties doing natural language processing haven’t been compromised?
Conspiracy theories needn’t be complex. Most people have an understanding that there is a potential threat when using a smart phone in a public place, but there is often an element of misunderstanding in this. For example, some people believe that simply charging a device via a wall socket can result in stolen data – the premise is there, but the understanding is skewed. Stealing data in this manner is nigh on impossible.
Similarly, recent videos on YouTube and Facebook claimed that stickers affixed to mobile phone batteries were used for covert data collection and transmission, when in fact they are merely Near Field Communication (NFC) transmitters. Removing these stickers – as suggested by these videos – would subsequently render the device useless for apps using NFC, Apple Pay and Google Wallet for example.
One of the few scenarios where NFC could contribute to the compromising of personal data is if a device is in the vicinity of another user who could transmit malicious code. This could then exploit known vulnerabilities in a document reader or browser, or even the operating system itself.
Smart meters are top of the list when it comes to security and privacy concerns. Privacy activists over the years have argued that smart meters open up opportunities for companies to collect detailed personal information such as the television shows they watch, the appliances they use, the music they listen to, the websites they visit and their banking habits. These conspiracy theorists claim that smart meters really are too smart and are used as the ultimate spying tool, making the electrical grid and the utilities that run it the ultimate spies.
Often people do have the right intuitions, without being technically accurate. Their concerns aren’t completely absurd. Different appliances use different amounts of power and so when power consumption is higher, smart meters can identify what devices and appliances might be being used in a house. Although this isn’t the same as smart meters knowing what you’re watching on TV or cooking for dinner it is understandable that people are wary of their right to privacy and want to make sure that it isn’t being infringed upon.
What is clear is that as the IoT world expands, consumers and businesses alike are inevitably going to be more aware of what this means for their privacy. Technological advancements mean that there are new unknown areas in technology that are challenging to navigate and no doubt, new conspiracy theories surrounding the IoT will arise which organisations will have to address. Businesses are right to be concerned about the security of the IoT and these examples show that the intuition and suspicion in not trusting them is correct. What needs to change is the understanding of the technicalities in these technologies. Once we fully understand how they work, then we can accurately analyse their effects on privacy and security.
By Mike King, supervisor in WhiteHat Security’s Threat Research Center