Surveillance of the Internet of Things

With the continuous cost reductions in computing power, sensors, and networking equipment it becomes tempting to record data wherever we can, upload it to centralised servers, and monetise it with fancy data mining algorithms.

The Internet of Things is creeping into every minute aspect of our lives. This can be comical, as the twitter account “The Internet of S***” documents for its almost 80 thousand followers. Among its delights are tales of umbrellas that vibrate when you miss a call, devices that connect your plants to your smartphone, API documentation for toothbrushes, and plugs that automatically restart your internet if the Wi-Fi is out.

In sum, there seems to be a desire to take any existing household appliance and connect it to the internet. Toasters, fridges, blinds, light bulbs, windows, fans. Everything becomes an app, and everything is suddenly ‘smart’.

Consumers have yet to decide whether tweeting from your fridge, controlling your blinds from outside your home, or being offered data analysis of your dating is worth the cost of replacing existing appliances. But two things are sure.

Firstly, the Internet of Things opens up a whole new array of possible attack vectors that compromise your security. We have not at all figured out how we will store and process the data we are collecting, who owns it, and who has access to it. Together with weak security and an overreaching state, the Internet of Things can easily become our worst dystopian nightmare.

With every car getting connected to the internet, car companies and governments can easily collect vital pieces of information about your behaviour. They know your location, your destination, and might even be able to make guesses about the number of people inside. Ford’s Global VP for Marketing and Sales revealed in 2014: “We know everyone who breaks the law, we know when you're doing it. We have GPS in your car, so we know what you're doing.”

Security flaws, thinly veiled “features”, or even backdoors made it possible for security researchers to remotely take over control of a Jeep Cherokee while it was being driven. The researchers could even assume complete control of steering, braking, and transmission.

It is technical possibilities like these that lead many to believe it was not an accident when journalist Michael Hastings died in a car crash, shortly after informing friends he was “onto a big story” involving the US intelligence community. But even smaller security loopholes can have big consequences, reminding us that we can trust neither the goodwill nor the competence of our device manufacturers. For example, it was revealed in February that information about, and features of, Nissan’s Leaf electric compact car could be remotely accessed and controlled by anyone.

Elsewhere, hackers stole data on 6.4 million children from toymaker VTech, including images, names, birthdates, IP addresses and email addresses. All of this data had been collected by VTech through its connected toys.

With these vulnerabilities in mind, it is no surprise that the number of appliances indexed by Shodan, the world's first search engine for Internet-connected devices, is nauseating. Launched in 2009, it has since indexed countless connected devices, from window blinds to traffic lights, all accessible to anybody who knows a device's IP address.

What makes all of these connected devices so attractive to criminals and governments is not so much their ability to silently make you disappear and have it look like a car accident or stove malfunction (although that is certainly appealing to some). Rather, it is the vast amount of information collected about us, often in intimate places.

For example, data from wearables manufacturer Fitbit is a recurring fixture in court, showing us that the data is often stored unencrypted, allowing law enforcement agencies to access it without trouble… With easy access to live and historical data about a person’s whereabouts, health, activity and surroundings, it is easier than ever for legal authorities to find something to indict you for.

To take another example, consider the privacy policy Samsung attaches to its products. “Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features.” In other words, Samsung’s TVs are listening to what you are saying in your living room, recording it, analysing it, and passing it on to other parties.

While civil rights legislation around the world generally aims to protect us from unreasonable and arbitrary searches and from mass surveillance, and upholds the legal privilege against self-incrimination (not having to testify against yourself), it becomes very difficult to defend against these threats when it is we who voluntarily submit the data, be it consciously, accidentally, unknowingly, or through negligence.

Ultimately, consumers get a chance to vote with their money. They buy the products they trust. It is therefore in the interest of manufacturers and developers to be transparent about their products. As for investors, it is important for them to know the risks associated with their brand’s products.

In sum, consumers should have answers to these key questions:

  • What data is being collected by the device?
  • Where is the information kept? On the device, on a central server, or with third parties?
  • In what form is the information kept? Unencrypted? Encrypted? Who owns the encryption key, the user, or the device manufacturer?
  • Who has access to the information? How is access given? Is the information made available to third parties? Are there transparency reports available?

Companies that want to sell us devices which measure and record personal data will have to not only answer these questions, but also stand up against cyber criminals and authoritarian regimes on our behalf.

Often, only time will tell how well manufacturers can and want to protect their customers and users. But for those that do, long-term success will surely follow.

Arthur Baxter, Network Operations Analyst at ExpressVPN

Image source: Shutterstock/weedezign