Last week on Capitol Hill, Jack Dorsey of Twitter and Sheryl Sandberg of Facebook were in front of Congress answering a wide variety of questions about censorship and privacy, algorithms and other online practices. While these hearings are necessary at some level, Congress is missing an even larger threat with regard to Americans’ data and privacy: the Internet of Things, devices that millions of Americans have installed in their homes without realizing how insecure many of them are and where the data being collected by every IoT feature is actually going.
This is a real problem and it is going to become even more of one, according to analysis from Dark Cubed, a cybersecurity firm run by the former chief information security officer at the White House. Dark Cubed ran real-world tests for privacy and security weaknesses in commonly purchased IoT devices bought off the shelves from Walmart, Best Buy or Amazon. All of this is important because, according to the global research firm Gartner, today there are over 8 billion IoT devices in use worldwide, and that figure will more than double to 20 billion in less than two years.
IoT devices can be connected, usually wirelessly, to the Internet and communicate with your laptop or mobile phone. For example, refrigerators can monitor what is on the shelves and remind you when to buy more milk (or order it for delivery). Other in-home devices make houses smarter by controlling thermostats, the lights, home entertainment systems, or cameras that send pictures to a computer or cloud-storage system.
Yet most people are unaware of the risks. “Within the security community it is widely understood that while many of these devices are not secure, most people remain unconcerned about this fact,” noted Vince Crisler, the CEO of Dark Cubed. If they weren’t concerned before, they should be alarmed now.
Dark Cubed found hidden code or weak security measures installed in many of the devices that can be purchased off the shelf – everything from a code that would give a stranger access to the camera on a baby monitor to the code that would allow your home security system to be set off without your control, or the ability to track your arrival and departure from home when you turn the smart light bulbs in your home on and off.
Some of those examples seem minor, but when you consider that these same security weaknesses would allow someone to intercept email traffic from your phone because your smart-home application has poor security and privacy protocols, or allow people to access your birthdate or stored passwords from other applications and services stored on your phone or laptop, you can see the real threats.
What Dark Cubed found that was even more troubling wasn’t just the security threats to consumers, but where the data was going, oftentimes with the knowledge of the equipment manufacturers and even the retailers.
For example, several of the devices used to take pictures, control lighting or home security devices from a mobile device or laptop shared personal data with large companies in China that most consumers would never be aware of (Alibaba, a large Chinese rival to Amazon and Google; QQ; Weibo) and companies they definitely have heard of (Facebook and Twitter).
These hidden permission codes in the IoT devices’ software and apps are sending consumers’ data to these companies to be mined for additional information, most likely by large online businesses that advertise products or services. Remember that time you bought a digital camera and suddenly started seeing ads on your Facebook feed or popping up on your web browser for camera accessories? Now you know why.
Even more troubling, however, from both a privacy perspective and a national security concern, is the role China plays in the IoT ecosystem as it pertains to American consumers. Chinese companies aren’t just building many of these IoT devices, they are loading them with code and systems that share consumers’ personal information with other Chinese entities, many of which have ties to the Chinese government, while at the same time operating the cloud-storage systems many consumers use because they tie in with the devices or the retailers who market their services with the devices they sell.
As Dark Cubed notes in its analysis: “A number of the IoT devices and their Android applications were observed sending data to China in a format that we could not decrypt. … A number of these devices have direct connections to Chinese-based companies such as Alibaba, Tuya, and other entities.”
All of this raises a number of questions, particularly as China is increasingly seeking to use its tech industry to gain a greater toehold in the U.S. consumer market, while using its hackers to undercut U.S. military and security efforts by stealing large swaths of data and intelligence materials.
There was a time when consumers could be somewhat confident that their data and personal information would be secure if they took basic steps to protect their laptops and mobile devices, and relied on “the cloud.” But Dark Cubed’s analysis confirms consumers can’t be confident any longer.
So what should they be looking for in secure and reliable IoT tech? Manufacturers and retailers should make it easier for consumers to know what data the software and apps are collecting and may be sharing. Consumers shouldn’t have to use a magnifying glass to read through 25 pages of minuscule type to determine whether their light bulb is sending messages to Chinese hackers.
Finally, retailers should offer more secure U.S.-based cloud platform options for consumers’ use. Having confidence in where their data is being stored will not only ease the minds of consumers, it will build further trust that their privacy and security are considered paramount. It’s time to get serious about this issue: We’ve already helped build the world’s largest authoritarian police state through bad trade deals with China and forced technology transfers, in addition to the flat-out theft of our innovation. There’s no need to now let that police state have unfettered access to our data as well.