January 21, 2015

As Data Proliferates in the IoT, So Does Risk — Bastille


Consumers don’t read privacy policies. While this isn’t news, a recent Pew Research survey showed that more than half of Americans don’t even know what a privacy policy really is. Many consumers cite the length of privacy policies as a reason for not being informed, but few realize the implications that can result from this negligence.

So how much do people really understand about what it is that they’re giving up when they buy an Internet connected device? Take, for instance, “smart” TVs. These televisions take home entertainment to the next level, giving owners not just amazing visuals, but also the ability to use things like voice recognition to change the channel or turn up the volume. This seems like a revolution for those of us that seem to always be misplacing the remote, but there is a down side to being able to talk to your TV.

We dug into one popular manufacturer’s privacy policy and were alarmed at what we saw. According to the Samsung Smart TV Addendum in its privacy policy, Samsung may send your voice data “to a third-party service that converts speech to text”. This seems innocuous enough; after all, we are accustomed to applications using our historical preferences to serve up more relevant ads and information. However, Samsung’s policy goes on to read, “please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

Wait a minute. I’m okay with Samsung knowing that I spent the weekend catching up on Homeland, but capturing personal conversations that I have in the comfort of my living room? This is a true invasion of our most intimate spaces and cannot be tolerated.

While it may seem I’m picking on Samsung, I actually applaud them for being so plain-spoken (I bet they pick a sneakier law firm for their next EULA). Most of the other electronics companies make their privacy policies so complicated that you need a lawyer to make sense of them. Those that don’t require a JD to understand are so vague and ambiguous that reading them is almost a waste of time. And time is another factor dissuading consumers from being informed. The average privacy policy takes 10 minutes to read. And the average American encounters nearly 1,500 of these policies per year!

Many of us are okay with releasing some of our private habits to our technology provider; after all it’s much better to be served advertisements for things we actually want. But having our personal conversations analyzed so that corporations know about our most intimate affairs is going too far. Imagine that you’re discussing your upcoming surgery over a meal and you turn on your TV to be greeted with an ad for life insurance.

When Privacy Becomes Security

Samsung is transmitting your data through pretty normal means, the Internet, either wired or wireless, protected by your ISP. But “smart devices” are becoming the norm, and many of them are designed to go with you. As such, battery life is a concern. To address that, manufacturers are relying on newer protocols such as Bluetooth LE (low energy) and ZigBee. In turn, these protocols create a personal area network (PAN), which allows each person to use a mobile device as a networking hub. What you end up with is a lot of data transmitting across a lot of devices using a lot of different protocols.

And lots of opportunity for that data to be intercepted.

The World Economic Forum released its Global Risk Report, which states that IoT hacking is ‘very likely’ and points out that today’s Internet infrastructure was simply not created to handle this kind of flood of new devices. CES 2015 also reinforced this sentiment, with FTC chairwoman Edith Ramirez warning that attackers could “access and misuse personal information collected and transmitted by [IoT] devices.” While smart TVs have access to a fairly safe means of transmission via Wi-Fi or hard-wired Ethernet, the market for IoT devices is growing by the day. These devices have equally loose privacy policies and are constantly sharing data between devices and apps; all of this activity puts data at risk of exploitation.

Another example of this data dragnet is Uber, the car service that has made transportation a socially connected service. No more hailing a cab; now you simply request an Uber driver from your phone. Uber made the news late last year for its questionable data collection. While, sure, it needs your geolocation to send a car, it also takes the opportunity to look at your contacts, your geolocation history, what apps you have installed – even your neighbor’s Wi-Fi information. The list is endless and has nothing to do with a car service. It’s clear that data is a secondary business for Uber. And, looking at their privacy policy – which you must agree to in order to use the service – they are able to share it. This means your data drifts around the Internet to third parties that may “perform other administrative services”. Whatever the hell that means.

For certain, data analytics is big business. But this is your data that is flying around out there. As it makes its stops between your service provider and whatever third, fourth, or fifth parties they’re sending it to, this data has more opportunity than ever to be intercepted and captured, and your personal area network devices have more opportunity to be compromised.

Read your privacy policies. It will be up to each of us to determine what we’re willing to give up in the name of modern convenience.
