Author: Bob Baxley

FTC Report on IoT: The Debate over Opportunity, Liability, and Privacy — Bastille


Over the weekend, I combed through the FTC’s recent report – all 71 pages – on the Internet of Things (IoT), entitled The Internet of Things – Privacy and Security in a Connected World.

Everything that I had previously read online about the report didn’t reveal anything novel about IoT that I had not already heard – or said myself. But since it took the FTC over a year to produce, I thought a close inspection of the report was warranted. Surely there would be some nuggets of substantive information lodged within six-dozen pages of bureaucratic conjecture, right?

Luckily for me, Ofcom, the communications regulator in the UK, also released a similar report just days before the FTC, which I also read through for comparison purposes. In the end, neither report, by and large, produced any earth-shattering revelations or actionable advice. Neither was much more than a situation analysis at best.

Nonetheless, there are four key takeaways central to the report worth discussion.

Key Takeaway #1: IoT Holds Promise

In what comes as no surprise to the IoT enthusiast, both reports proclaim healthcare to be the industry that stands to benefit the most from IoT, mainly through embedded devices. Instant, data-driven reporting to doctors will provide a huge leap forward in the treatment of chronic conditions, like diabetes. Because doctors will no longer have to rely solely on patient reporting, treatments can become more timely and accurate, potentially yielding a significant improvement in patient care and cost savings for doctors, hospitals and pharmaceutical companies. Both reports also expect transportation and energy to be the secondary industries to see the most benefit from IoT. We already know this to be true, as major enterprises like GE and AT&T are steadily driving Machine-to-Machine (M2M) innovations, also referred to as the “Industrial Internet of Things.”

Additionally, we’re already witnessing rapid adoption of any and all IoT by consumers. In fact, IoT is exploding so rapidly that Gartner expects there to be a quarter billion connected cars by 2020! Other devices, such as smart TVs, IoT fitness bands and digital thermostats like Nest, are also gaining popularity en masse.

But as the FTC appropriately states, the one barrier to IoT reaching its mass-market potential is directly correlated to how successful vendors are at establishing consumer trust. Ultimately, if people don’t feel safe with the constant communication of IoT devices, adoption will stall. Whether it is a CIO who is leery of a new industrial control system, or a consumer worried about their healthcare data being compromised, IoT vendors must continue to make strides that reinforce consumer confidence in their products.

Key Takeaway #2: Developer Liability is Minimal at Best

Both the FTC and Ofcom strongly recommend that IoT device manufacturers start producing devices with “security by design,” meaning that security must be considered from the outset of product development.

However, in somewhat of a contradiction to this recommendation, the FTC openly questions whether device manufacturers actually have the security experience and expertise to ensure that products coming to market are safe. The FTC also cautions that many devices are inexpensive or “disposable,” essentially questioning whether, for such devices, the cost in threat assessment and internal effort outweighs any reward from consistently patching new attack vectors as each one is discovered.

As you might suspect, billions of connected devices have increased the attack surface exponentially. In fact, 2014 was referred to as “the year of the hacker” by multiple news outlets. But what many people don’t know is that the Home Depot and Target breaches are actually the result of exploited IoT within the enterprise. Of course, there were also notable IoT breaches of consumer devices in 2014; German researchers, for example, were able to hack a smart meter to determine what TV shows you watch. Hackers even heckled a toddler through a baby monitor, and a third-party app proved to be a playground for misuse.

One of the most critical discussion points left out of the FTC paper, but highlighted in the Ofcom paper, was the IoT communication infrastructure. IoT devices are currently operating on a broad range of the RF spectrum. While the Ofcom report noted that spectrum availability would not be a barrier to the success of the IoT, it did bring up the long-term viability of the available bands. The same holds true for network availability for all of the millions – potentially billions – of devices in our future.

Simply put, enterprise security and detection for devices that operate on the wireless spectrum outside of Wi-Fi is non-existent, leaving corporations highly susceptible to increasingly sophisticated adversaries with tangible motives.

In my opinion, both reports were devoid, probably intentionally so, of actionable advice, reinforcing my belief that we’re still charting new territory. The truth is simply that none of us, including the FTC, fully know or understand the extent to which the unintended consequences of IoT will rear their ugly heads. That’s probably why the FTC also decided that any government regulation at this point could stifle innovation more than ease consumer concerns. So, Americans will still be faced with a buyer-beware scenario, at least in the short term.

Key Takeaway #3: The Parable of Privacy – IoT is all about Data

The word parable is often used to describe a story intended to teach a lesson. Perhaps the greatest lesson we have yet to learn is how to truly protect our data. As the IoT ushers in modern conveniences like not having to call our doctors to report pacemaker information, and provides us with the ability to access enterprise control systems remotely, the real value for adversaries will reside in the data that is being collected and in their ability to manipulate it to their own ends.

In a sense, IoT devices are really just a courier for data flow, allowing us to analyze trends and, ultimately, make more informed decisions about our lives and our businesses. In order for this to happen, however, we must not only agree to give up our data, but also allow it to be transmitted to our vendors – and potentially their vendors – so that in turn, we can access actionable insights into our performance. But, how much of our data should be up for grabs?

Data privacy was one of the most contentious issues addressed in the FTC’s report. Device manufacturers are looking to harvest as much data as they can, seeing infinite possibilities for future product enhancements and offerings. However, the FTC warns that any accumulation of data only serves to make companies and consumers more attractive to criminals who want to misuse it.

The FTC thus recommends data limitation – only collecting what is necessary and destroying data once it is no longer needed – in addition to plainspoken privacy statements and opt-in choices for consumers to decide what they share. Of course, we encounter so many of these lengthy documents (averaging around 2,500 words) each year that we rarely have the time to read them. But as long as consumers are willing to give up everything in the name of convenience, which many Millennials have proven they will, IoT device manufacturers will continue to collect all available information to profit off your patterns in the future.

As the entirety of the IoT market now hinges on consumer adoption driven by trust, it’s probable that manufacturers will advance their focus on security to some extent, just like the FTC recommends.

Key Takeaway #4: Prepare for the Debate to Continue

I found it both interesting and also annoying that the FTC used the word ‘reasonable’ 32 times, calling on IoT providers to implement “reasonable security,” meet “reasonable privacy expectations,” and offer “reasonable data protection” for IoT devices. The use of this subjective adjective ensures that the conversation around what is reasonable will continue.

The FTC report, in large part, is nothing more than a starting point for a debate on IoT and the security concerns it creates. Those of us in the industry likely read the report and were disappointed or surprised by its actual content. But in hindsight, what exactly should have been expected? It’s likely that we’ll need to see more substantial breaches from the IoT before we ever get a clear definition of what’s reasonable in our connected world. We all must consider, individually and as businesses, what exactly constitutes reasonable risk for the rewards of technology.

Five Ways IoT Will Impact Your Business This Year — Bastille


The Internet of Things has gained historic momentum and exposure since the last quarter of 2014. No longer are there differing opinions around viability – general consensus is that IoT is here to stay. Beyond staying power is the staggering amount of growth that is expected in the coming years. If you follow IoT, which you likely do if you’re reading this blog, I’ll just simply reiterate that there will be TENS OF BILLIONS of devices in a market worth TRILLIONS of dollars in the next five years.

But, what about this year? There are five ways that IoT will impact every organization before the year is over. 

Network Bandwidth – Gartner predicts that the average enterprise network will see 28% compound annual growth in bandwidth through 2017 – a demand nearly 20 times larger than what was required in 2012. IDC predicts that by the same year, networks will go from having a surplus to being constrained, forecasting that 10% of companies will be overwhelmed. Bottom line, your pipeline is already handling more than imagined with video and application demand; now imagine putting a funnel on it to bring in even more traffic from RF-connected devices. This could disrupt business continuity and should be addressed and budgeted for in the short term. Consider also the incredible network bandwidth 4G/LTE devices bring into the enterprise. I typically carry an iPad, an iPhone, a laptop, a Fitbit, and a Bluetooth headset. My 2 LTE devices have about 20Mb/s of bandwidth apiece. In a building with 5,000 employees you are talking about 100Gb of potential outbound data leakage via RF.

Data Risks – Big data just got bigger. Corporations looking to connect devices to the Internet and harvest the data will have to consider what pieces of information are really valuable. This will usher in a new need for analysis, storage, and security. For instance, if your HVAC system collects operational data, do you need to analyze all of it, or just the data from your data centers and other high-consumption areas? It remains to be seen just what the impact of having so much data will be once the enterprise looks beyond its industrial infrastructure. Wearables and BYOD devices, whether company issued or brought in by gadget junkies, will mean a steady increase of data moving on the corporate network. Some of this data will contain sensitive information that, if intercepted, could lead to embarrassment or financial loss. Bottom line, corporations must plan for the data implications – storage, analysis, and not becoming the next Sony.

New Threat Vectors – The news isn’t good, folks. Retail was hit the hardest in 2014, costing Target and Home Depot millions, and it’s predicted that healthcare should be ready to claim the top spot for data breaches in 2015. With embedded devices and decentralized mobile computing transforming patient health and reducing costs, it’s not surprising that hospitals and medical devices would be prime targets for exploitation. But the reality is that every connected device presents an opportunity for misuse. Hackers will seek to exploit insufficient security in rushed-to-market products to steal data or spread malware. Corporations and consumers alike should get used to this ‘Brave New World’ where we gladly forfeit security for convenience and efficiency. The mesh foundation of protocols and platforms will just prove to be more opportunity for the bad guys. It will be very important for organizations to know their traffic patterns and be able to quickly react to anomalies. The average breach takes months to discover – and one survey shows that this could be, in part, due to only 20% of companies continuously monitoring their traffic.

Patches – IoT sensors are small and dispersed by design, which is what allows them to spread far and wide like little data-collecting honeybees. This compact nature is great for gathering lots of data and intelligence, but it also means that IoT sensor computing power (which affects battery life) must also be small. Because of this, over-the-air updates are challenging and patches on many IoT devices must be applied manually. Unfortunately, when updates require human intervention, there is not only a drain on resources but also an additional layer to consider in patch management policies. The enterprise struggles to keep up with patching today, but in 2020 we are talking about TRILLIONS of patches a year; entrepreneurs take note, there’s probably a new startup in there: ‘GigaPatch’.

Dark IoT – There has been a lot of media around the dark web lately with the prosecution of the founder of Silk Road, a marketplace for just about anything illegal or immoral. The truth is that Silk Road and its variations are just people using the Internet for ill, just as hackers have used exploits for harm. With all good comes some bad, and this is true for IoT. The promise of efficiency, cost savings, and increased convenience also brings forth the prospect of harmful IoT products. For less than $100 you can get an IoT keystroke logger (cleverly disguised as a phone charger) that records the typing from wireless keyboards. This is just the beginning of embedded devices being used as vehicles for wrongdoing.

As Data Proliferates in the IoT, So Does Risk — Bastille


Consumers don’t read privacy policies. While this isn’t news, a recent Pew Research survey showed that more than half of Americans don’t even know what a privacy policy really is. Many consumers cite the length of privacy policies as a reason for not being informed, but few realize the implications that could result from this negligence.

So how much do people really understand about what they’re giving up when they buy an Internet-connected device? Take, for instance, “smart” TVs. These televisions take home entertainment to the next level, giving owners not just amazing visuals, but also the ability to use things like voice recognition to change the channel or turn up the volume. This seems like a revolution for those of us who always seem to be misplacing the remote, but there is a downside to being able to talk to your TV.

We dug into one popular manufacturer’s privacy policy and we were alarmed at what we saw. According to the Samsung Smart TV Addendum in their privacy policy, Samsung may send your voice data “to a third-party service that converts speech to text”. This seems innocuous enough; after all, we are accustomed to applications using our historical preferences to serve up more relevant ads and information. However, Samsung’s policy goes on to read, “please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

Wait a minute. I’m okay with Samsung knowing that I spent the weekend catching up on Homeland, but capturing personal conversations that I have in the comfort of my living room? This is a true invasion of our most intimate spaces and cannot be tolerated.

While it may seem I’m picking on Samsung, I actually applaud them for being so plainspoken (I bet they pick a sneakier law firm for their next EULA). Most of the other electronics companies make their privacy policies so complicated you need a lawyer to make sense of them. Those that don’t require a JD to understand are so vague and ambiguous that reading them is almost a waste of time. And time is another factor dissuading consumers from being informed. The average privacy policy takes 10 minutes to read. And the average American encounters nearly 1,500 of these policies per year!

Many of us are okay with releasing some of our private habits to our technology provider; after all it’s much better to be served advertisements for things we actually want. But having our personal conversations analyzed so that corporations know about our most intimate affairs is going too far. Imagine that you’re discussing your upcoming surgery over a meal and you turn on your TV to be greeted with an ad for life insurance.

When Privacy Becomes Security

Samsung is transmitting your data through pretty normal means, the Internet, either wired or wireless, protected by your ISP. But “smart devices” are becoming the norm and many of these are designed to go with you. As such, battery life is a concern. To address that, manufacturers are relying on newer protocols such as Bluetooth LE (low energy) and ZigBee. In turn, these protocols create a personal area network (PAN), which allows each person to use a mobile device as a networking hub. What you end up with is a lot of data transmitting across a lot of devices using a lot of different protocols.

And…lots of opportunity for that data to be intercepted.

The World Economic Forum released its Global Risk Report, which states that IoT hacking is ‘very likely’ and points out that today’s Internet infrastructure was simply not created to handle this kind of flood of new devices. CES 2015 also reinforced this sentiment, with FTC chairwoman Edith Ramirez warning that attackers could “access and misuse personal information collected and transmitted by [IoT] devices.” While smart TVs have access to a fairly safe means of transmission via Wi-Fi or hard-wired Ethernet, the market for IoT devices is growing by the day. These devices have equally loose privacy policies and are constantly sharing data between devices and apps; all of this activity is putting data at risk of exploitation.

Another example of this data dragnet is Uber, the car service that has made transportation a socially connected service. No more hailing a cab; now you simply request an Uber driver from your phone. Uber made the news late last year for its questionable data collection. While, sure, it needs your geolocation to send a car, it also takes the opportunity to look at your contacts, your geolocation history, what apps you have installed – even your neighbor’s Wi-Fi information. The list is endless and has nothing to do with a car service. It’s clear that data is a secondary business for Uber. And, looking at their privacy policy – which you must agree to in order to use the service – they are able to share it. This means your data drifting around the Internet to third parties that may “perform other administrative services”. Whatever the hell that means.

For certain, data analytics is big business. But this is your data that is flying around out there. As it makes its stops between your service provider and whatever third, fourth, or fifth parties they’re sending it to, this data has more opportunity than ever to be intercepted and captured, or for your personal area network devices to be compromised.

Read your privacy policies. It will be up to each of us to determine what we’re willing to give up in the name of modern convenience.

Ready or Not, IoT is Coming: 2015’s IoT Report Card — Bastille


The Internet of Things seems to be an unavoidable force these days – from rabid investment news to stealing the show at this year’s CES, Internet-enabled devices are emerging in 2015. Ready or not, the Internet of Things is coming, and it’s arguable that it’s already here. So, in this blog, I decided to explore just that – what’s ready and what’s not when it comes to IoT.

Consumer Adoption – A+

Consumers are wild for Internet connected devices. We’ll have 75 billion internet devices connected by 2020, though some firms put that number much higher. IoT dominated this year’s CES show; everything from fitness to light bulbs and home automation. Wearable technology is predicted to be a $90B market by 2025. And, even if consumers don’t openly embrace it – improved healthcare may push them to plug in, offering embedded devices in everything from pacemakers to insulin pumps.

Device Manufacturing and Innovation – A

Massive numbers of IoT devices are coming to market at a rate we haven’t seen since the first technology bubble in the late ’90s. Not since the flat screen TV was released have we seen manufacturers competing to come up with the newest consumer must-have. Of course, the real revolution is happening behind the scenes. Industries like manufacturing and supply chain are making huge leaps in operational efficiency by leveraging smart machinery and analyzing the data it produces to cut costs.

Usefulness – B

Noticeably, there are a lot of really cool things coming from the IoT. Many provide life-changing improvements; self-parking cars, industrial automation, and embedded healthcare not only enhance our lives, but have the potential to fundamentally advance the way we live and communicate with our world. Of course, there are also some pretty ridiculous things that have decided to covet our bandwidth, like the EggMinder, which lets you know if you’re low on eggs. Convenient? Perhaps. But this one isn’t going to make a huge difference in your quality of life. I’ll give it a B+ when my fridge starts being able to order my meal plan ingredients for delivery via InstaCart.

By now, you might be thinking that the Internet of Things has a pretty good report card, but there’s still a lot of maturing to be done. In fact, the newness and shine of IoT devices and their cool new tricks has meant that many haven’t taken the time to really look under the hood yet. If you did, you’d discover that in some areas, IoT is still an all-out fail.

Interoperability – C

Plenty of companies are coming out with platforms for IoT development, which means great innovation but more problematic integration. Combine this with the numerous communication protocols that devices are using and you can see that any hopes of standardization are still in the Dark Ages. The good news is that this tangled web of development is offering big promise for IoT data analytics, which is predicted to be a nearly $6 billion market this year. IoT is riding on a half dozen protocols today, and new ‘standards’ are being proposed quarterly. This needs to be dialed in for any reasonable interoperability. Ever try to connect Banyan Vines, Sun NIS and Novell Netware? Ain’t happening.

Privacy – D

Many device companies are intentionally loose with their privacy policies. In a recent blog, I explored the numerous ways that device manufacturers are using your personal data – in essence, making you the product. This may seem harmless on the surface, but IoT device users are still not reading privacy policies and are sharing way too much information. And we’re not limiting our disclosure of personal information to the device companies we buy from; we are also giving it to third-party applications. A recent Gigaom article dives into the topic more in depth, but everyone is going to have to agree that privacy should be a fundamental component of IoT, and consumers will need to demand that device manufacturers and app developers treat their data as critical and personal information. Consumers will demand an option for micropayments to keep their data to themselves; they will happily pay for whole grain bread at Whole Foods versus a loaf of white Wonder bread at the local supermarket.

Security – F

Big. Fat. Fail. It looks like the security of the Internet in 1994. The rush to market has definitely shown that security in IoT devices is an afterthought at best. The 2014 Snapchat hack illustrated that application providers are just careless with your sensitive information. Minimal encryption and generic liability waivers are dangerous for users and irresponsible of developers. What we’re left with is a pervasive landscape of Internet-enabled devices entering our personal and corporate networks. The numerous protocols mean that they can operate virtually undetected. The potential for malicious activity via IoT devices is just now being explored, but the fear is that it will take a massive attack before IoT security gets the attention it needs and devices start being developed with security first in mind.

There is always a good, bad and ugly to emerging technology, and the Internet of Things is certainly in its infancy. The struggle is in the speed at which these things grow in today’s world and what corners are cut to satisfy a seemingly insatiable market. Since adoption is strong, it’s likely going to take the user community to push for improvements in areas where IoT is still falling short.

There is a silver lining; IoT manufacturers are building, deploying and selling. We are consuming things that would have been considered science fiction 20 years ago. In parallel with this enormous trend, there are immense opportunities for security innovators to invent new technologies to keep our corporations, and our intimate spaces including our homes, cars and bodies, safe and secure.

Insecurity Looms for One Billion Android Users — Bastille


Nearly a billion Android users are more vulnerable today than they were yesterday. Google has casually discontinued support for its WebView tool for Android users who haven’t yet upgraded to KitKat, version 4.4. According to Google, nearly 60% of Android users will be left in the lurch when it comes to safety on their Android devices.

In lieu of support, Google will consider releasing patches that are discovered – and fixed – by the user community. This move by Google only adds to the growing conversation on exactly where Google stands on vulnerability assessment. Over the weekend, Google decided to release details of a Microsoft vulnerability that was scheduled to be patched just a few days later, bringing into question Google’s interest in the technology user community as a whole. So, Google is paying researchers to find vulnerabilities in competing products, but doesn’t want to pay researchers to find and fix problems in its own operating system.

While we can speculate as to the reason for Google’s recent laissez-faire security posture, the answer may be in the hardware sales. The discontinuation of support for pre-KitKat devices may mean that Android users will be forced to adopt Android’s poorly received Lollipop OS. This could carry a hefty price tag, since so many devices haven’t been part of the rollout…yet.

In contrast to Google, Windows 8 was released in 2012 and will have extended support through 2023, and Ubuntu recently sunset v12 while offering extended support for five years. It comes down to lifecycle management and customer service. Frankly, a 2-3 year support lifecycle is dangerous for consumers, app vendors and the IT staff that support infrastructure that communicates with these devices.

Of course, having nearly a billion vulnerable devices roaming around the world isn’t just dangerous for device owners. These exposed and defenseless phones are connecting to networks as part of the growing Internet of Things. Recently, InfoWorld was so bold as to make the statement that “Android will power the IoT”. And perhaps that’s true, since the Android marketplace already boasts nearly a million applications in the Google Play store and developers are always willing to embrace open source for its flexibility and agility.

With non-linear growth expected over the next several years in the IoT, and multiple vendors vying to be the embedded operating system driving that growth, long-term support and security are paramount. Google will need a friendlier strategy toward users and partners than leaving them in the dust every few years.

2015 CES International Review – Where’s the Security? — Bastille


This year’s Consumer Electronics Show (CES) surely didn’t disappoint. And while the car stereo systems and massage chairs lurked in the cheap seats, front and center were over 900 companies demonstrating thousands of new Internet-connected devices that will be flooding the market this year. Quite honestly, CES was all about the Internet of Things. Lots, and lots, and lots of things.

The bulk of the things were part of the “connected” or “smart” home. There were impressive displays from ADT, Honeywell, Kwikset and even Lowe’s hardware (we’re guessing that Home Depot’s absence was for security perfection). And while these companies had lots of shiny new toys to show off, the IoT sessions at CES were all about 2015 being ‘The Year of the Smart Home Hack’. These sessions elevated the questions around how these smarter homes will be maintained. Who is going to manage and patch your 12 smart locks, 42 light controls, 8 video cameras, and 3 thermostats? Since the average netizen can’t manage to come up with a secure password, it’s unlikely they’ll keep up with all of these firmware updates. Result? Vulnerable homes. While I don’t see the smart home being hacked per se, I can see PC-based malware collecting from or compromising IoT sensors in the home and workplace, as well as self-propagating malcode. A 100Gbps DDoS launched from IoT devices was observed on 12/31.

CES definitely confirmed that security is an afterthought not just for device owners, but for their manufacturers as well. In fact, there was only one dedicated security and privacy session, led by FTC Chairwoman Ramirez, but across many IoT sessions security concerns were top of mind. Q&A sessions were dominated by security concerns. Encryption and security in product design were encouraged to avoid the recent breaches experienced by apps like SnapChat and Yik Yak, though there was a clear absence of security assessment or mitigation in IoT.

Also on display at CES were new wireless protocols. While the old faithfuls like Wi-Fi and Bluetooth remained the belles of the ball, ZigBee, Z-Wave, and EnOcean made their debut as key IoT protocols. This is foreign territory to the majority of IT staff, and it will be critical for them to get up to speed, or at a minimum, come up with a way to see these protocols when they are trying to access the networks. Of interest is the amount of security and automation riding on these protocols; it remains to be seen who keeps Z-Wave and ZigBee secure.

And finally, and least impressive, consumers love electronic knockoffs. As I dug into the little Chinese manufacturer booths, I found many little devices that looked identical to Fitbits, smart watches, etc., just waiting to jump on a market looking for a good deal. And just like the cheap, vulnerable Android tablets that hit the market in 2014, I expect 2015 will be the year of the knockoff wearable. Just as you can buy a cheap Rolex in Chinatown or a Louis Vuitton bag for $100 in Times Square, you get what you pay for, and these devices will have more security vulnerabilities than their pricier counterparts. I predict a huge market for counterfeit wearables over the next few years.

So, to summarize. Lots of gadgets. Lots of walking (just ask my FitBit). Lots of room for both the good and the bad guys to get in the Internet of Things game.

The Platform Pandemic

This week we saw two new platforms for the Internet of Things emerge, the most notable from microchip heavy hitter, Intel. Of course, this is just this week. There have probably been a dozen or more new IoT platform announcements in the last month and the number coming to market is steadily increasing. Postscapes offers a fairly comprehensive list here. While the battle is on to see who will win the title of Supreme IoT Platform Provider, one thing is certain – this plethora of platforms is a security nightmare.

Much like the early days of networking, multiple protocols (think IPX, IP, Banyan Vines) and platforms usually spell mayhem for users and security professionals alike. Instead of leveraging a common language or foundation, everyone is building their IoT devices with their own future in mind. While some of the larger players are coming out swinging with solutions on the device and the platform side, for the most part there hasn’t been much interest in playing nicely with each other.

Printers are a great example: the lowest-common-denominator workhorse of the office has to speak up to a dozen protocols, and whenever someone bothers to look, they tend to find vulnerabilities quite easily. Good story about them here.

One of the reasons that IoT has become such a big deal this year is the overwhelming ease with which sensor technology can collect and transmit data. Companies seem to be focused more on how to collect and profit from this data than on how to secure it. Of course, right now, it doesn’t seem like too many people are worried about security or standardization. In fact, the only folks that seem to be concerned with IoT data breaches are in the government…and maybe Sony.

Of course, most of the platforms coming to market are offering all kinds of promises, middleware for edge management, fancy consoles for traffic monitoring and APIs for integration. So, the race is on for best in breed. My bet is on the vendors that focus on functionality, low power consumption, and ignore security.

IoT: The Government Ostrich Effect?

On October 20th, four ranking members on the Senate Commerce Committee, Sens. Deb Fischer (R-Neb.), Cory Booker (D-N.J.), Kelly Ayotte (R-N.H.) and Brian Schatz (D-Hawaii), wrote a letter to Chairman Jay Rockefeller (D-W.V.) emphasizing the need for an Internet of Things (IoT) hearing before the end of 2014.

The letter states, “The introduction of these innovative consumer products present a wide range of cutting-edge policy issues impacting a broad set of businesses and industry sectors.”

While the content of this letter is true, the government has earned its reputation for being slow to put cybersecurity policies in place – and when it does, the policies are often already outdated. For example, in 2013, the U.S. National Institute of Standards and Technology updated the federal cybersecurity standards for the first time since 2005. If it took them eight years to figure out that Wi-Fi should be regulated, then they are way in over their heads when it comes to the security challenges that will result from the proliferation of the IoT.

A year ago, the Federal Trade Commission held a workshop on the IoT entitled, “Internet of Things: Privacy & Security in a Connected World.” During this session, Chairwoman Edith Ramirez noted that IoT devices facilitate the collection of user data, which not only invades the privacy of the users – but also puts them at risk for exploitation. I hope she bought a lottery ticket.

This workshop was over a YEAR ago. Before Snapchat was hacked, before the celebrity photo leaks, even before the Target data breach, the government was aware of the security risks that result from an increasingly connected world.

I commend the four lawmakers who laid out the need for a general oversight and information-gathering session on the IoT, as it is severely overdue. IoT developers are rushing to make every appliance “smart” without having to comply with IoT standards or regulations to protect the consumer and American corporations from threats that many would classify as national security risks.

The security threats are not going to wait for the government to understand the depths of IoT – it is already here and the challenges will only get more complicated as the number of devices proliferates.

And it is fair to say that a complete cybersecurity disaster deriving from a coordinated attack on some type of IoT device is inevitable. Think about an attack on big business, for example, and how it could result in employee exploitation and confidential information leaked into the hands of foreign spies or terrorists.

It is necessary for the government to at least debate what responsibility it has in regulating the IoT. But that’s a conversation for another day.

In the meantime, as the gift-giving season is quickly upon us, there will certainly be a surge in IoT devices as connected wearables and appliances are exchanged. It will be interesting to see if the holiday rush adds urgency to the Senate or if the IoT will fall victim to the lame duck Congress. My money is on the latter.

Final in Series: Be Wary of Wearables, Part 3

It happened. Black Friday and Cyber Monday came and went (weren’t they kind of economic disasters?), and as predicted, one of the hottest items flying off the shelf was wearable technology. So now we face the dilemma of all of these (and other IoT devices) flooding into the Enterprise.

There are a few considerations that need to be addressed with regard to consumer IoT products entering the enterprise. The first is security. How can a corporation make sure that the devices coming into its airspace, and likely connecting with its network, are safe? There’s already been one published DDoS attack on the Internet of Things in recent months; this will surely be the beginning of many more. One of the toughest challenges faced by IT staff is the multiple protocols that these devices use for communication. The most popular is Bluetooth, but as you can see by the recent update, Bluetooth is riddled with holes that are ripe for exploitation. Bluetooth is just one of many invisible communication protocols that organizations cannot even see, let alone secure. And, at the risk of sounding trite, I’d be remiss to leave out the Target and Home Depot breaches that came from connected devices belonging to non-employees.

A secondary consideration for the Enterprise deals with privacy. Many companies have already adopted wearables for fitness and wellness programs and early studies point to some very positive benefits. However, responsibility for the data collected from these wearables remains undetermined. Who is responsible for personally identifiable information and what, exactly, can companies do with the data that they collect? There will come a time when someone is passed by for promotion by a super-fit colleague with too many 26.2 stickers on their car. Such a situation could spell litigation. Furthering the privacy concerns, what pieces of this data can be shared, with say, insurance companies? Again, it would seem that it’s only a matter of time before someone leverages this data for unintended purposes with negative consequences.

Finally, in this wearables and IoT explosion, companies have to consider what they are going to do about the massive demand on network resources. In a study conducted earlier this year with 400 network professionals, more than half said that their networks are already running at full capacity. In addition, the recent large-scale retail breaches have led to increased recommendations around creating a dedicated network for IoT and BYOD. But going back to my previous point, this would be a network of chaos, since the idea of IDS or vulnerability assessment for IoT simply doesn’t exist yet (we’re working on it). I suppose you could always name it The Wild Wild West or Use at Your Own Risk.

The use cases, and benefits, of wearable devices are vast. Sales data and surveys abound to show that this trend isn’t going anywhere. Thankfully, people are starting to realize that the Internet of Things is real and is going to present a significant change to the IT landscape. Unfortunately, security remains a weakness, standardization is non-existent, and with history as an indicator, many corporations may only stand up and take notice after a breach.

Series: Be Wary of Wearables, Part 2

In the first part of this series, we discussed how many IoT devices are selling out their users to the highest bidder. Today’s blog explores how our forfeiture of this privacy data can have real-life consequences.

One of the benefits of fitness trackers and other wearables is the visibility that they bring into everyday activities. But their popularity means that they are coming to market faster and cheaper and with little focus on security. What do this influx and affordability mean to the user? Chances are, it’s less control over your data, including who sees it. In some cases, this might mean personally identifiable information or location data.

Apps like MapMyRun and Lose It! are built for sharing and showcasing your performance. These good intentions, however, often leave people sharing the most precious information of all – their daily routines. These wearables and their supporting apps share when and where you jog, when you go to the gym, and how long it takes you to do these things. Over time, patterns begin to develop about your behavior. This is good for product marketing, but how secure is this data? As a father, I want to be sure that my daughter’s cross country training route doesn’t end up in the wrong hands.

So what can you do to stay safe? Wearables, by themselves, are of little risk. As we mentioned in part one of this series, though, you need to know your privacy policy inside and out. More importantly, be mindful of what you’re sharing; the more you share, the more vulnerable you become. Are you sharing that you’re running a trail in another state? You might recall years ago when Facebook became the burglar’s best friend; your wearable achievements could serve a similar purpose.

Of course, make sure you’re not sharing in real time. If you’ve dominated the hardest trail in the city, wait until you’ve left the park to share your triumph. And while we all know who might be on our Facebook friends list, be mindful of device and application privacy and data-sharing policies; don’t just hit “accept” on those terms and conditions. Know when and where you’re sending your data and make sure you control who can see it.

So, we’ve established that with most devices your data is for the taking (and using, and sharing, and selling in some cases). We’ve also explored how data points, used together, could be harmful. In the next blog, we’re bringing it home. Where does the Enterprise fit in with wearable devices and what will the impact of IoT be in (and to) the workplace? Stay tuned…