I’ve been concerned with and writing about the information security and privacy risks involved with the data created, transmitted and processed by smart devices in the Internet of Things (IoT) for several years since they first started emerging (e.g., here) and will likely be writing on it even more in the coming months and years. According to a new IDC research report, the IoT market will grow from $655.8 billion in 2014 to $1.7 trillion in 2020 with a compound annual growth rate (CAGR) of 16.9%. Will privacy die in this IoT explosion? If IoT developers and manufacturers take action now, I’m optimistic that they can save privacy in the IoT explosion.
I thought that the first FTC ruling against an IoT vendor for not building appropriate security and privacy protections into its home monitoring system would have gotten the attention of those creating the new IoT gadgets and motivated them to build in privacy protections, and also motivated those using the gadgets to think about how they use that data in ways that can cause privacy harms to the associated individuals. However, given the phenomenal growth of these smart gadgets and the continually discovered lack of security and privacy controls, it seems the IoT creators and those providing them to others are turning a blind eye and a deaf ear to the IoT privacy risks and harms. Consider these situations.
- The U.S. Government Accountability Office (GAO) recently warned that the wi-fi systems installed on airplanes are poorly secured and could lead to “hackers seizing control of a plane mid-flight”.
- A recent lawsuit was filed in Northern California against a car manufacturer for having inadequate security and privacy built into their vehicles’ wireless electronics.
- A security researcher recently discovered serious vulnerabilities in several models of drug infusion pumps made by the same manufacturer, which could allow a hacker to surreptitiously and remotely change the amount of drugs administered to a patient. The researcher called them “the least secure IP enabled device” he had ever worked with. His research prompted a “10 out of 10” warning about the devices from the Department of Homeland Security.
Do you notice the significant additional concern these examples share? The IoT security and privacy weaknesses also bring with them very real physical safety and security risks. While IoT devices can bring great benefit to those using them, they also bring new security and privacy risks, and new types of privacy harms to those using them, that must be addressed.
IoT developers at a minimum need to take the following actions as starting points for addressing security and privacy, to establish safeguards for the data collected, transmitted and stored by IoT devices:
- Build in strong authentication. Don’t simply treat a connection from a specific IP address as a method of authentication. IP addresses can easily be spoofed, and the risks of using IP addresses this way have already been demonstrated several times, such as for medical devices.
- Encrypt the data. Encrypt not only the wireless transmissions, but also the data in storage.
- Log the access to the IoT device. Log: a) who accessed the device, b) what they did to the device and with the data, and c) when they did so.
- Embed anti-malware within the device. These smart devices are often more susceptible to malware than other types of computing devices, as has been demonstrated by hacks into healthcare systems through malware on unsecured medical devices.
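As an added illustration of the first and third points above (example code, not from the original post or any vendor): a hypothetical Python device handler that puts the weak IP-based check beside an HMAC-based check that ties each request to a named user, bounds replay with a timestamp, and records who, what and when. The user names, keys and request layout are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data: per-user keys provisioned to the device. Assumption: a real
# device keeps these in protected, encrypted storage (the post's encrypt-at-rest point).
USER_KEYS = {"nurse-17": b"constructed-key-not-for-real-use"}
ALLOWED_IPS = {"10.0.0.5"}
ACCESS_LOG = []  # who / what / when records, as the post's logging point requires


def weak_authorize(source_ip):
    """'Before': trusts the source address alone. Any request arriving with an
    allowed address is granted, so nothing ties the decision to a person."""
    return source_ip in ALLOWED_IPS


def sign_request(user, action, ts, key):
    """Hypothetical request signature: HMAC-SHA256 over user, action and timestamp."""
    msg = "{}|{}|{}".format(user, action, ts).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def strong_authorize(req, now, max_skew=60):
    """'After': the caller proves possession of its own key; the timestamp limits
    replay of a captured request; every decision is logged with who, what, when."""
    key = USER_KEYS.get(req.get("user"))
    granted = False
    if key is not None and abs(now - int(req.get("ts", 0))) <= max_skew:
        expected = sign_request(req["user"], req.get("action", ""), req["ts"], key)
        # Constant-time compare so a mismatch does not leak how many bytes matched.
        granted = hmac.compare_digest(expected, req.get("mac", ""))
    ACCESS_LOG.append({"who": req.get("user"), "what": req.get("action"),
                       "when": now, "granted": granted})
    return granted


if __name__ == "__main__":
    key = USER_KEYS["nurse-17"]
    req = {"user": "nurse-17", "action": "set_rate", "ts": 1000}
    req["mac"] = sign_request(req["user"], req["action"], req["ts"], key)
    print(weak_authorize("10.0.0.5"))        # address alone is enough: granted
    print(strong_authorize(req, now=1010))   # valid key, fresh timestamp: granted
    print(strong_authorize(dict(req, action="delete_logs"), now=1010))  # tampered: denied
    print(ACCESS_LOG)
```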
And every person involved with the engineering, development, testing, and use of IoT gadgets must have a strong understanding of how to secure the devices and protect the privacy of, and prevent harm to, those using the devices. This requires effective, regular training and ongoing awareness communications.
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site PowerMore. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
Tags: access logs, awareness and training, Dell, encrypt, encryption, Information Security, Internet of Things, IoT, IT compliance, malware, medical device, policies and procedures, power more, privacy, privacy compliance, privacy professor, privacyprof, program changes, risk management, security awareness, security logs, security training, Rebecca Herold, toprank