Author: FINAO Admin

IoT: The Government Ostrich Effect? — Bastille

On October 20th, four ranking members on the Senate Commerce Committee, Sens. Deb Fischer (R-Neb.), Corey Booker (D-N.J.), Kelly Ayotte (R-N.H.) and Brian Schatz (D-Hawaii), wrote a letter to Chairman Jay Rockefeller (D-W.V.) emphasizing the need for an Internet of Things (IoT) hearing before the end of 2014.

The letter states, “The introduction of these innovative consumer products present a wide range of cutting-edge policy issues impacting a broad set of businesses and industry sectors.”

While the content of this letter is true, the government has earned its reputation of being slow to put cybersecurity policies in place – and when they do, the policies are often already outdated. For example, in 2013, the U.S. National Institute of Standards and Technology updated the federal cybersecurity standards for the first time since 2005. If it took them eight years to figure out that Wi-Fi should be regulated, then they are way in over their heads when it comes to the security challenges that will result from the proliferation of the IoT.

A year ago, the Federal Trade Commission held a workshop on the IoT entitled, “Internet of Things: Privacy & Security in a Connected World.” During this session, Chairwoman Edith Ramirez noted that IoT devices facilitate the collection of user data, which not only invades the privacy of the users – but also puts them at risk for exploitation. I hope she bought a lottery ticket.

This workshop was over a YEAR ago. Before Snapchat was hacked, before the celebrity photo leaks, even before the Target data breach, the government was aware of the security risks that result from an increasingly connected world.

I commend the four lawmakers who laid out the need for a general oversight and information-gathering session on the IoT, as it is severely overdue. IoT developers are rushing to make every appliance “smart” without having to comply with IoT standards or regulations to protect the consumer and American corporations from threats that many would classify as national security risks.

The security threats are not going to wait for the government to understand the depths of IoT – it is already here and the challenges will only get more complicated as the number of devices proliferates.

And it is fair to say that a complete cybersecurity disaster deriving from a coordinated attack on some type of IoT device is inevitable. Think about an attack on a big business, for example, and how it could result in employee exploitation and confidential information leaking into the hands of foreign spies or terrorists.

It is necessary for the government to at least debate what responsibility it has in regulating the IoT. But that’s a conversation for another day.

In the meantime, as the gift-giving season is quickly upon us, there will certainly be a surge in IoT devices as connected wearables and appliances are exchanged. It will be interesting to see if the holiday rush adds urgency to the Senate or if the IoT will fall victim to the lame duck Congress. My money is on the latter.

Final in Series: Be Wary of Wearables, Part 3 — Bastille

It happened. Black Friday and Cyber Monday came and went (weren’t they kind of economic disasters?), and as predicted, one of the hottest items flying off the shelf was wearable technology. So now we face the dilemma of all of these (and other IoT devices) flooding into the Enterprise.

There are a few considerations that need to be addressed with regard to consumer IoT products entering the enterprise. The first is security. How can a corporation make sure that the devices coming into its airspace, and likely connecting to its network, are safe? There has already been one published DDoS attack on the Internet of Things in recent months; this will surely be the beginning of many more. One of the toughest challenges faced by IT staff is the multiple protocols that these devices use for communication. The most popular is Bluetooth, but as you can see from the recent update, Bluetooth is riddled with holes that are ripe for exploit. Bluetooth is just one of many invisible communication protocols that organizations cannot even see, let alone secure. And, at the risk of sounding trite, I’d be remiss to leave out the Target and Home Depot breaches, which came from non-employees’ connected devices.

A secondary consideration for the Enterprise deals with privacy. Many companies have already adopted wearables for fitness and wellness programs and early studies point to some very positive benefits. However, responsibility for the data collected from these wearables remains undetermined. Who is responsible for personally identifiable information and what, exactly, can companies do with the data that they collect? There will come a time when someone is passed by for promotion by a super-fit colleague with too many 26.2 stickers on their car. Such a situation could spell litigation. Furthering the privacy concerns, what pieces of this data can be shared, with say, insurance companies? Again, it would seem that it’s only a matter of time before someone leverages this data for unintended purposes with negative consequences.

Finally, in this wearables and IoT explosion, companies have to consider what they are going to do about the massive demand on network resources. In a study conducted earlier this year with 400 network professionals, more than half said that their networks are already running at full capacity. In addition, the recent large-scale retail breaches have led to increased recommendations around creating a dedicated network for IoT and BYOD. But going back to my previous point, this would be a network of chaos, since the idea of IDS or vulnerability assessment for IoT simply doesn’t exist yet (we’re working on it). I suppose you could always name it The Wild Wild West or Use at Your Own Risk.

The use cases, and benefits, of wearable devices are vast. Sales data and surveys abound to show that this trend isn’t going anywhere. Thankfully, people are starting to realize that the Internet of Things is real and is going to present a significant change to the IT landscape. Unfortunately, security remains a weakness, standardization is non-existent, and with history as an indicator, many corporations may only stand up and take notice after a breach.

Series: Be Wary of Wearables, Part 2 — Bastille

In the first part of this series, we discussed how many IoT devices are selling out their users to the highest bidder. Today’s blog explores how our forfeiture of this privacy data can have real-life consequences.

One of the benefits of fitness trackers and other wearables is the visibility that they bring into everyday activities. But their popularity means that they are coming to market faster and cheaper and with little focus on security. What does this influx and affordability mean to the user? Chances are, it’s less control over your data, including who sees it. In some cases, this might mean personally identifiable information or location data.

Apps like MapMyRun and Lose It! are built for sharing and showcasing your performance. These good intentions, however, often leave people sharing the most precious information of all – their daily routines. These wearables and their supporting apps share when and where you jog, when you go to the gym, and how long it takes you to do these things. Over time, patterns begin to develop about your behavior. This is good for product marketing, but how secure is this data? As a father, I want to be sure that my daughter’s cross country training route doesn’t end up in the wrong hands.

So what can you do to stay safe? Wearables, by themselves, are of little risk. Though as we mentioned in part one of this series, you need to know your privacy policy inside and out. More importantly, be mindful of what you’re sharing; the more you share, the more vulnerable you become. Are you sharing that you’re running a trail in another state? You might recall years ago when Facebook became the burglar’s best friend – your wearable achievements could serve a similar purpose.

Of course, make sure you’re not sharing in real time. If you’ve dominated the hardest trail in the city, wait until you’ve left the park to share your triumph. And while we all know who might be on our Facebook friends list, be mindful of device and application privacy and data-sharing policies – don’t just hit “accept” on those terms and conditions – know when and where you’re sending your data and make sure you control who can see it.

So, we’ve established that with most devices your data is for the taking (and using, and sharing, and selling in some cases). We’ve also explored how data points, used together, could be harmful. In the next blog, we’re bringing it home. Where does the Enterprise fit in with wearable devices and what will the impact of IoT be in (and to) the workplace? Stay tuned…

Series: Be Wary of Wearables, Part 1 — Bastille

According to some estimates, the wearable market is set to explode, reaching nearly $12 billion by 2020. Fitness trackers alone are currently a $2.2 billion industry. While these devices are designed to help make our lives easier, more efficient, and healthier, there are some critical flaws in the technology that will undoubtedly fill many stockings this holiday season. This blog series will focus on some considerations for consumers and businesses alike as this new boom of wearable technology finds its rightful place in our everyday lives.

Privacy

Allow me to paint a picture. Your loving spouse decides 2015 will be the year of fitness for your family. To jump start your new, healthier lifestyle, you get a fitness band to help you understand your daily activities. You set up your device, integrate it with your phone, and install third party apps, like MapMyRun, to help keep you accountable with friends. What you probably haven’t done is read the terms and conditions and privacy statement from your new fitness pal.

Here’s what many privacy policies state you agree to when using their devices and services:

  • Agree to allow the product company to use your data for any purpose they choose
  • Agree to allow the product company to sell or share your information
  • Release the product manufacturer and its “partners and affiliates” from any liability for how this information is used

People are unaware that by using these devices and the data they provide to become more enlightened about their activities (coined the quantified self), they are unknowingly releasing tons of personal information and data to the manufacturer. Some products are better than others when it comes to privacy, but after combing through numerous privacy policies, we found that many manufacturers require you to give up your data for the purposes of marketing, tracking, and just about any other reason they deem necessary.

While this might not seem like a big deal, essentially your agreement to these invasive policies turns you into the product. Not only are you agreeing to get emails when you’ve taken enough steps to need a new pair of shoes, but if those steps slow, you could start receiving emails for weight loss meals or gym memberships. Or what about those third-party apps that track where you’ve been? Run by the same department store every day? You just might start getting text messages with coupons.

These intrusions may seem a small price to pay for health, but when you authorize companies to share your personal data, it can be for sale to the highest bidder. What if your fitness band started sharing your sedentary lifestyle with your insurance company? That could spell trouble for your premiums. Finally, as one last word of caution, we’d be remiss to not share this story of the year – if you’re going to use a fitness tracker and share your activity with your spouse, make sure you can explain those increases in heart rate or you might find yourself running for a reason other than weight loss.

The next blog in our series will explore security and how to stay safe in a shared world.