We live in an age where privacy is hard to come by. If you go online, you’ve got sites tracking your every move. Even offline, your privacy is limited – every company you deal with wants to collect that valuable personal information. This article is about Data privacy of IoT devices.
They may want to use it later to sell you something or sell it to someone else. There’s nothing more valuable today than data. The collection of data is something that, up until now, we’ve tacitly accepted.
By Chris Usatenko, Growth Marketing and Cybersecurity Expert Writer
Should We Accept this Lack of Privacy?
After all, what’s the alternative? Giving up all internet use and never dealing with a company offline again?. But, let’s be honest – who really wants to do that? Considering the separation anxiety that most of us experience when separated from our phones, it’s not a viable option.
So, instead, we accept that companies will collect data and trust them to keep it safe. The number of high-profile hacks that have occurred over the past few years has proven that this is an unsafe strategy.
The Capital One Hack a few months ago, and the Cambridge Analytica scandal proved that it’s not just malicious hackers that we must worry about. In the former case, the hacker was hoping someone would recognize her skills and offer her a job.
The Cambridge Analytica scandal revealed murkier motives. The data gathered was used to influence the U.S. presidential election. Still, both cases proved that data is not always collected by identity thieves and shady underworld figures.
Infographic: Awesome Security Facts 2019
What’s the Solution?
The solution that we’ve come up with so far is to demand better regulation. The new legislation is putting the onus on data gatherers to protect against a breach. The GDPR regulations that came into effect last year were one of the first far-reaching pieces of legislation in this regard.
Under this legislation, any companies that have clients in Europe are expected to maintain certain “norms.” Some of the regulations are simple – you must provide proof that subscribers opted into a mailing list if required.
Some are more onerous. Did you know, for example, that businesses that engage in “large-scale data handling” must employ a data protection officer?
The GDPR was designed to force companies to protect their client’s privacy better. But it’s only a smattering of what’s to come. Similar legislation will be enacted around the world.
An Interesting Regulation
Now, reading through texts on laws can be boring, but one piece of recent legislature caught our eye. It’s a bill that was enacted in California last September. This bill deals specifically with IoT devices. Or more specifically, that IoT devices must contain security to protect the devices from unauthorized access.
The bill also states that companies must take reasonable steps to prevent the disclosure of data contained on the devices. Combined with strict privacy laws passed in June, it’s clear that the state is taking privacy very seriously.
Why Should Companies Producing IoT Devices Take Note?
Let’s say that you create a simple smart sensor to control the temperature in the home. All it does is to monitor the ambient temperature in the room. It then adjusts according to your preferences. How could that possibly impact privacy?
Let’s look at it another way. That device is only collecting one form of data – the temperature. It might not seem to have value for you. But those devices are programmed with consumer preferences.
Data Sharing May Land You in Trouble
That data may well be valuable to a company working on a new air-conditioning system. Your company could even make a little extra cash by selling the data. Naturally, you wouldn’t hand over the personal names of the clients. You’d just give the data and the general area it comes from.
And, that could land you in trouble. It’s true that you’re not sharing their personal data. But the way privacy laws are headed; the courts might not view this as being as harmless as you think. Unless you have the express consent of each client to share their data, you shouldn’t be handing it over to anyone.
Data privacy of IoT devices
Now, let’s look at part of what the California Bill’s intent was. The Bill states that companies must take reasonable measures to ensure that their systems are protected from unauthorized access.
If your IoT device is not secure enough, your company could land up in trouble. Why would a hacker want to gain control of your smart sensor?
Let’s consider a conspiracy theory for a second. They hack the sensor of a company’s CEO. They change their personal preferences so that the temperature in the room is constantly warmer than it should be. They do this in the hopes of throwing off the CEO’s game.
Now, as I said, this sounds like a ridiculous conspiracy theory. But it could happen. Perhaps it’s the CEO’s ex-wife trying to make his life miserable. While it sounds outlandish, consider the other smart devices that we have now.
Editor’s note: While this may seem like a harmless prank, a sensor could be connected to an enterprise network. Weak security on the sensor can comprise the enterprise network as it provides an entry-point to a hacker. And that could result in data theft or a privacy breach as systems are compromised.
Things like home monitoring systems with nanny cams, smart cars, and so on. These devices can all be controlled remotely through apps on your phone or laptop. This makes things convenient for you, but also for the hacker.
If they hack the nanny cam, they can see exactly what’s going on inside your home. There are several reasons that they might want to do this:
- To see what you have that’s worth stealing
- They might redirect the cameras so that they can see the screen of your laptop. This could be useful in picking up your usernames and passwords.
- It could be used to take pictures of you that could cause embarrassment and also lead to blackmail if they threaten to publish these online.
Using Your Device as an Access Point
But there’s another danger. And it’s one that many experts in the field think is the real issue with IoT devices. It could provide an access point to the smart hub of your home.
Now, the hub itself will usually be secure. If your device isn’t as secure, hackers could use it to access the smart hub. The hub that all your devices connect to and sync with. Like your smartphone, laptop, and so on.
You might think that it’s not your company’s problem. After all, it was the buyer’s decision to connect everything up to the smart hub. Except that in the California Bill, it’s clear that lawmakers are shifting the onus to manufacturers.
And, while there’s very little in terms of specific legislation out there to deal with this issue, that’s bound to start changing. If your device has a security flaw that hackers can exploit, the court could well rule that your company is liable for the breaches.
Final Notes
IoT is something that has captured the public interest and is becoming a part of our lifestyle, both in the office and at home. Companies offering smart devices could well take advantage of these trends. They have to do so carefully, though. They must keep privacy laws in mind when creating their software/firmware.
If they don’t, they might find themselves answerable to the long arm of the law.
About the Author
Chris is a growth marketing and cybersecurity expert writer. He’s passionate about cybersecurity and has published hundreds of articles in this area. He’s particularly interested in big data breaches and big data companies.
Disclaimer
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.
