By Rebecca Herold, CEO, Privacy Professor®
I’ve been concerned with and writing about the information security and privacy risks involved with the data created, transmitted and processed by smart devices in the Internet of Things (IoT) for several years since they first started emerging and will likely be writing on it even more in the coming months and years. According to a new IDC research report, the IoT market is growing from $655.8 billion in 2014 to a projected $1.7 trillion in 2020 with a compound annual growth rate (CAGR) of 16.9 percent.
Will privacy die in this IoT explosion? If IoT developers and manufacturers take action now, I’m optimistic that they can save privacy in the IoT explosion.
“IoT developers need … to establish safeguards for the data collected, transmitted and stored by IoT devices.” – REBECCA HEROLD
I thought that the first Federal Trade Commission (FTC) ruling against an IoT vendor for not building appropriate security and privacy protections into its home monitoring system would have gotten the attention of those creating the new IoT gadgets and motivated them into building in privacy protections, and also motivating those using the gadgets to think about how they are using that data in ways that can cause privacy harms to the associated individuals. However, based upon the phenomenal growth of smart gadgets, and the continually discovered lack of security and privacy controls, it seems that the IoT creators and those providing them to others are turning a blind eye and deaf ear to the IoT privacy risks and harms. Consider these situations:
- The U.S. Government Accountability Office (GAO) recently warned that the Wi-Fi systems installed on airplanes are poorly secured and could lead to “hackers seizing control of a plane mid-flight.”
- A recent lawsuit was filed in Northern California against some car manufacturers for having inadequate security and privacy built into the vehicles’ wireless electronics.
- A security researcher recently discovered serious vulnerabilities in several models of drug infusion pumps made by the same manufacturer, which could allow a hacker to surreptitiously and remotely change the amount of drugs administered to a patient. The research called them “the least secure IP enabled device” he had ever worked with. His research prompted a “10 out of 10” warning about the devices from the Department of Homeland Security.
Do you notice a common significant additional concern with these examples? They carry very real physical safety and security risks. While IoT devices can bring great benefit to those using them, they also bring new security and privacy risks and privacy harms, which must be addressed.
IoT developers, at a minimum, need to take the following actions as starting points for addressing security and privacy, to establish safeguards for the data collected, transmitted and stored by IoT devices:
1) Build in strong authentication. Don’t simply connect to specific IP addresses as a method of authentication. IP addresses can easily be spoofed. And the risks of using IP addresses have already been demonstrated several times, such as for medical devices.
2) Encrypt the data. Encrypt not only the wireless transmissions, but also the data in storage.
3) Log the access to the IoT device. Log: a) who accessed the device, b) what he did to the device and with the data, and c) when he did the accessing.
4) Embed anti-malware within the device. These smart devices are often more susceptible to malicious malware than other types of computing devices, as has been demonstrated by hacks into healthcare systems through unsecured medical devices via malware.
And every person involved with the engineering, development, testing, and use of IoT gadgets must have a strong understanding of how to secure the devices and protect the privacy of, and prevent harm to, device users. This requires effective regular training and ongoing awareness communications.
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.