
As Data Proliferates in the IoT, So Does Risk — Bastille


Consumers don’t read privacy policies. While this isn’t news, a recent Pew Research survey showed that more than half of Americans don’t even know what a privacy policy really is. Many consumers cite the length of privacy policies as a reason for not being informed, but few realize the implications that could result from this negligence.

So how much do people really understand about what it is that they’re giving up when they buy an Internet-connected device? Take, for instance, “smart” TVs. These televisions take home entertainment to the next level, giving owners not just amazing visuals, but also the ability to use things like voice recognition to change the channel or turn up the volume. This seems like a revolution for those of us who always seem to be misplacing the remote, but there is a downside to being able to talk to your TV.

We dug into one popular manufacturer’s privacy policy and we were alarmed at what we saw. According to the Samsung Smart TV Addendum in their privacy policy, Samsung may send your voice data “to a third-party service that converts speech to text”. This seems innocuous enough; after all, we are accustomed to applications using our historical preferences to serve up more relevant ads and information. However, Samsung’s policy goes on to read, “please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

Wait a minute. I’m okay with Samsung knowing that I spent the weekend catching up on Homeland, but capturing personal conversations that I have in the comfort of my living room? This is a true invasion of our most intimate spaces and cannot be tolerated.

While it may seem I’m picking on Samsung, I actually applaud them for being so plain-spoken (I bet they pick a sneakier law firm for their next EULA). Most of the other electronics companies make their privacy policies so complicated you need a lawyer to make sense of them. Those that don’t require you to have a JD to understand them are so vague and ambiguous that it’s almost a waste of time to read them. And time is another factor dissuading consumers from being informed. The average privacy policy takes 10 minutes to read. And the average American encounters nearly 1,500 of these policies per year!

Many of us are okay with releasing some of our private habits to our technology provider; after all it’s much better to be served advertisements for things we actually want. But having our personal conversations analyzed so that corporations know about our most intimate affairs is going too far. Imagine that you’re discussing your upcoming surgery over a meal and you turn on your TV to be greeted with an ad for life insurance.

When Privacy Becomes Security

Samsung is transmitting your data through pretty normal means, the Internet, either wired or wireless, protected by your ISP. But “smart devices” are becoming the norm and many of these are designed to go with you. As such, battery life is a concern. To address that, manufacturers are relying on newer protocols such as Bluetooth LE (low energy) and ZigBee. In turn, these protocols create a personal area network (PAN), which allows each person to use a mobile device as a networking hub. What you end up with is a lot of data transmitting across a lot of devices using a lot of different protocols.

And…lots of opportunity for that data to be intercepted.

The World Economic Forum released its Global Risk Report, which states that IoT hacking is ‘very likely’ and points out that today’s Internet infrastructure was simply not created to handle this kind of flood of new devices. CES 2015 also reinforced this sentiment, with FTC chairwoman Edith Ramirez warning that attackers could “access and misuse personal information collected and transmitted by [IoT] devices.” While Smart TVs have access to a fairly safe means of transmission via Wi-Fi or hard-wired Ethernet, the market for IoT devices is growing by the day. These devices have equally loose privacy policies and are constantly sharing data between devices and apps; all of this activity is putting data at risk of exploitation.

Another example of this data dragnet is Uber, the car service that has made transportation a socially connected service. No more hailing a cab; now you simply request an Uber driver from your phone. Uber made the news late last year for its questionable data collection. While, sure, it needs your geolocation to send a car, it also takes the opportunity to look at your contacts, your geolocation history, what apps you have installed – even your neighbor’s Wi-Fi information. The list is endless and has nothing to do with a car service. It’s clear that data is a secondary business for Uber. And, looking at their privacy policy – which you must agree to in order to use the service – they are able to share it. This means your data drifting around the Internet to third parties that may “perform other administrative services”. Whatever the hell that means.

For certain, data analytics is big business. But this is your data that is flying around out there. As it makes its stops between your service provider and whatever third, fourth, or fifth parties they’re sending it to, this data has more opportunity than ever to be intercepted and captured, or for your personal area network devices to be compromised.

Read your privacy policies. It will be up to each of us to determine what we’re willing to give up in the name of modern convenience.


Ready or Not, IoT is Coming: 2015’s IoT Report Card

The Internet of Things seems to be an unavoidable force these days – from rabid investment news to stealing the show at this year’s CES show, Internet enabled devices are emerging in 2015. Ready or not, the Internet of Things is coming, and maybe it’s arguable that it’s already here. So, in this blog, I decided to explore just that – what’s ready and what’s not when it comes to IoT.

Consumer Adoption – A+

Consumers are wild for Internet connected devices. We’ll have 75 billion internet devices connected by 2020, though some firms put that number much higher. IoT dominated this year’s CES show; everything from fitness to light bulbs and home automation. Wearable technology is predicted to be a $90B market by 2025. And, even if consumers don’t openly embrace it – improved healthcare may push them to plug in, offering embedded devices in everything from pacemakers to insulin pumps.

Device Manufacturing and Innovation – A

Massive numbers of IoT devices are coming to market at a rate we haven’t seen since the first technology bubble in the late 90s. Not since the flat screen TV was released have we seen manufacturers competing to come up with the newest consumer must-have. Of course, the real revolution is happening behind the scenes. Industries like manufacturing and supply chain are making huge leaps in operational efficiency by leveraging smart machinery and analyzing the data it produces to cut costs.

Usefulness – B

Noticeably, there are a lot of really cool things coming from the IoT. Many provide life-changing improvements; self-parking cars, industrial automation, and embedded healthcare not only enhance our lives, but have the potential to fundamentally advance the way we live and communicate with our world. Of course, there are also some pretty ridiculous things that have decided to covet our bandwidth, like the EggMinder, which lets you know if you’re low on eggs. Convenient? Perhaps. But this one isn’t going to make a huge difference in your quality of life. We’ll give it a B+ when my fridge starts being able to order my meal plan ingredients for delivery via InstaCart.

By now, you might be thinking that the Internet of Things has a pretty good report card, but there’s still a lot of maturing to be had. In fact, the newness and shine of IoT devices and their cool new tricks has meant that many haven’t taken the time to really look under the hood yet. If you did, you’d discover that in some areas, IoT is still an all-out fail.

Interoperability – C

Plenty of companies are coming out with platforms for IoT development, which means great innovation but more problematic integration. Combine this with the numerous communication protocols that devices are using and you can see that any hope of standardization is still in the Dark Ages. The good news is that this tangled web of development is offering big promise for IoT data analytics, which is predicted to be a nearly $6 billion market this year. IoT is riding on a half dozen protocols today, and new ‘standards’ are being proposed quarterly. This needs to be dialed in for any reasonable interoperability. Ever try to connect Banyan Vines, Sun NIS and Novell Netware? Ain’t happening.

Privacy – D

Many device companies are intentionally loose with their privacy policies. In a recent blog, I explored the numerous ways that device manufacturers are using your personal data – in essence, making you the product. This may seem harmless on the surface, but IoT device users are still not reading privacy policies and are sharing way too much information. And we’re not limiting our disclosure of personal information to the device companies we buy from; we are also giving it to third-party applications. This recent Gigaom article dives into the topic more in depth, but everyone is going to have to agree that privacy should be a fundamental component of IoT, and consumers will need to demand that device manufacturers and app developers treat their data as critical and personal information. Consumers will demand an option for micropayments to keep their data to themselves; they will happily pay for whole grain bread at Whole Foods vs. a loaf of white Wonder bread at the local supermarket.

Security – F

Big. Fat. Fail. Looks like security of the Internet in 1994. The rush to market has definitely shown that security in IoT devices is an afterthought at best. The 2014 Snapchat hack illustrated that application providers are just careless with your sensitive information. Minimal encryption and generic liability waivers are dangerous for users and irresponsible of developers. What we’re left with is a pervasive landscape of Internet-enabled devices entering our personal and corporate networks. The numerous protocols mean that they can operate virtually undetected. The potential for malicious activity via IoT devices is just now being explored, but the fear is that it will take a massive attack before IoT security gets the attention it needs and devices start being developed with security first in mind.

There is always a good, bad and ugly to emerging technology, and the Internet of Things is certainly in its infancy. The struggle is in the speed at which these things grow in today’s world and what corners are cut to satisfy a seemingly insatiable market. Since adoption is strong, it’s likely going to take the user community to push for improvements in areas where IoT is still falling short.

There is a silver lining: IoT manufacturers are building, deploying and selling. We are consuming things that would have been considered science fiction 20 years ago. In parallel with this enormous trend, there are immense opportunities for security innovators to invent new technologies to keep our corporations, and our intimate spaces including our homes, cars and bodies, safe and secure.


Insecurity Looms for One Billion Android Users

Nearly a billion Android users are more vulnerable today than they were yesterday. Google has casually discontinued support for their WebView tool for Android users that haven’t yet upgraded to KitKat version 4.4. According to Google, nearly 60% of Android users will be left in the lurch when it comes to safety on their Android devices.

In lieu of support, Google will consider releasing patches that are discovered – and fixed – by the user community. This move by Google only adds to the growing conversation on exactly where Google stands on vulnerability assessment. Over the weekend, Google decided to release details of a Microsoft vulnerability that was scheduled to be patched just a few days later, bringing into question Google’s interest in the technology user community as a whole. So, Google is paying researchers to find vulnerabilities in competitive products, but doesn’t want to pay researchers to find and fix problems in its own operating system.

While we can speculate as to the reason for Google’s recent laissez-faire security posture, the answer may be in the hardware sales. The discontinuation of support for pre-KitKat devices may mean that Android users will be forced to adopt Android’s poorly received Lollipop OS. This could require a hefty price tag, since so many devices haven’t been part of the rollout…yet.

In contrast to Google, Windows 8 was released in 2012 and will have extended support through 2023, and Ubuntu recently sunset v12 while offering extended support for five years. It comes down to lifecycle management and customer service. Frankly, a 2-3 year support lifecycle is dangerous for consumers, app vendors and IT staff that support infrastructure that communicates with these devices.

Of course, having nearly a billion vulnerable devices roaming around the world isn’t just dangerous for device owners. These exposed and defenseless phones are connecting to networks as part of the growing Internet of Things. Recently, InfoWorld was so bold as to make the statement that “Android will power the IoT”. And perhaps that’s true, since the Android marketplace already boasts nearly a million applications in the Google Play store and developers are always willing to embrace open source for its flexibility and agility.

With non-linear growth expected over the next several years in the IoT, and multiple vendors vying to be the embedded operating system driving that growth, long-term support and security are paramount. Google will need a friendlier strategy for users and partners than leaving them in the dust every few years.


2015 CES International Review – Where’s the Security?

This year’s Consumer Electronics Show (CES) surely didn’t disappoint. And while the car stereo systems and massage chairs lurked in the cheap seats, front and center were over 900 companies demonstrating thousands of new Internet-connected devices that will be flooding the market this year. Quite honestly, CES was all about the Internet of Things. Lots, and lots, and lots of things.

The bulk of the things were part of the “connected” or “smart” home. There were impressive displays from ADT, Honeywell, Kwikset and even Lowe’s hardware (we’re guessing that Home Depot’s absence was for security perfection). And while these companies had lots of shiny new toys to show off, the IoT sessions at CES were all about 2015 being ‘The Year of the Smart Home Hack’. These sessions elevated the questions around how these smarter homes will be maintained. Who is going to manage and patch your 12 smart locks, 42 light controls, 8 video cameras, and 3 thermostats? Since the average netizen can’t manage to come up with a secure password, it’s unlikely they’ll keep up with all of these firmware updates. Result? Vulnerable homes. While I don’t see the smart home being hacked per se, I can see PC-based malware collecting or compromising IoT sensors in the home and workplace, as well as self-propagating malcode. A 100 Gbps DDoS launched from IoT devices was observed on 12/31.

CES definitely confirmed that security is an afterthought not just for device owners, but for their manufacturers as well. In fact, there was only one dedicated security and privacy session, led by FTC Chairwoman Ramirez, but across many IoT sessions security concerns were top of mind. Q&A sessions were dominated by security concerns. Encryption and security in product design were encouraged to avoid the recent breaches experienced by apps like Snapchat and Yik Yak, though there was a clear absence of security assessment or mitigation in IoT.

Also on display at CES were new wireless protocols. While the old faithfuls like Wi-Fi and Bluetooth remained the belles of the ball, ZigBee, Z-Wave, and EnOcean made their debut as key IoT protocols. This is foreign territory to the majority of IT staff and it will be critical for them to get up to speed, or at a minimum, come up with a way to see these protocols when they are trying to access the networks. Of interest is the amount of security and automation riding on these protocols; it remains to be seen who keeps Z-Wave and ZigBee secure.

And finally, and least impressive, consumers love electronic knockoffs. As I dug into the little Chinese manufacturer booths, I found many little devices that looked identical to Fitbits, smart watches, etc., just waiting to jump on a market looking for a good deal. And just like the cheap, vulnerable Android tablets that hit the market in 2014, I expect 2015 will be the year of the knockoff wearable. Just as you can buy a cheap Rolex in Chinatown or a Louis Vuitton bag for $100 in Times Square, you get what you pay for, and these devices will have more security vulnerabilities than their pricier counterparts. I predict a huge market for counterfeit wearables over the next few years.

So, to summarize. Lots of gadgets. Lots of walking (just ask my FitBit). Lots of room for both the good and the bad guys to get in the Internet of Things game.


The Platform Pandemic

This week we saw two new platforms for the Internet of Things emerge, the most notable from microchip heavy hitter, Intel. Of course, this is just this week. There have probably been a dozen or more new IoT platform announcements in the last month and the number coming to market is steadily increasing. Postscapes offers a fairly comprehensive list here. While the battle is on to see who will win the title of Supreme IoT Platform Provider, one thing is certain – this plethora of platforms is a security nightmare.

Much like the early days of networking, multiple protocols (think IPX, IP, Banyan Vines) and platforms usually spell mayhem for users and security professionals alike. Instead of leveraging a common language or foundation, everyone is building their IoT devices with their own future in mind. While some of the larger players are coming out swinging with solutions on the device and the platform side, for the most part there hasn’t been much interest in playing nicely with each other.

Printers are a great example: the lowest common denominator workhorse of the office has to speak up to a dozen protocols, and whenever someone bothers to look they tend to find vulnerabilities quite easily. Good story about them here.

One of the reasons that IoT has become such a big deal this year is the overwhelming ease with which sensor technology can collect and transmit data. Companies seem to be focused more on how to collect and profit from this data than how to secure it. Of course, right now, it doesn’t seem like too many people are worried about security or standardization. In fact, the only folks that seem to be concerned with IoT data breaches are in the government…and maybe Sony.

Of course, most of the platforms coming to market are offering all kinds of promises: middleware for edge management, fancy consoles for traffic monitoring and APIs for integration. So, the race is on for best in breed. My bet is on the vendors that focus on functionality and low power consumption, and ignore security.


IoT: The Government Ostrich Effect?

On October 20th, four ranking members on the Senate Commerce Committee, Sens. Deb Fischer (R-Neb.), Cory Booker (D-N.J.), Kelly Ayotte (R-N.H.) and Brian Schatz (D-Hawaii), wrote a letter to Chairman Jay Rockefeller (D-W.V.) emphasizing the need for an Internet of Things (IoT) hearing before the end of 2014.

The letter states, “The introduction of these innovative consumer products present a wide range of cutting-edge policy issues impacting a broad set of businesses and industry sectors.”

While the content of this letter is true, the government has earned its reputation of being slow to put cybersecurity policies in place – and when they do, the policies are often already outdated. For example, in 2013, the U.S. National Institute of Standards and Technology updated the federal cybersecurity standards for the first time since 2005. If it took them eight years to figure out that Wi-Fi should be regulated, then they are way in over their heads when it comes to the security challenges that will result from the proliferation of the IoT.

A year ago, the Federal Trade Commission held a workshop on the IoT entitled, “Internet of Things: Privacy & Security in a Connected World.” During this session, Chairwoman Edith Ramirez noted that IoT devices facilitate the collection of user data, which not only invades the privacy of the users – but also puts them at risk for exploitation. I hope she bought a lottery ticket.

This workshop was over a YEAR ago. Before Snapchat was hacked, before the celebrity photo leaks, even before the Target data breach, the government was aware of the security risks that result from an increasingly connected world.

I commend the four lawmakers who laid out the need for a general oversight and information-gathering session on the IoT, as it is severely overdue. IoT developers are rushing to make every appliance “smart” without having to comply with IoT standards or regulations to protect the consumer and American corporations from threats that many would classify as national security risks.

The security threats are not going to wait for the government to understand the depths of IoT – it is already here and the challenges will only get more complicated as the number of devices proliferates.

And it is fair to say that a complete cyber security disaster that derives from a coordinated attack on some type of IoT device is inevitable. Think about an attack on big business, for example, and how it could result in employee exploitation and confidential information leaked into the hands of foreign spies or terrorists.

It is necessary for the government to at least debate what responsibility it has in regulating the IoT. But that’s a conversation for another day.

In the meantime, as the gift-giving season is quickly upon us, there will certainly be a surge in IoT devices as connected wearables and appliances are exchanged. It will be interesting to see if the holiday rush adds urgency to the Senate or if the IoT will fall victim to the lame duck Congress. My money is on the latter.


Final in Series: Be Wary of Wearables, Part 3

It happened. Black Friday and Cyber Monday came and went (weren’t they kind of economic disasters?), and as predicted, one of the hottest items flying off the shelf was wearable technology. So now we face the dilemma of all of these (and other IoT devices) flooding into the Enterprise.

There are a few considerations that need to be addressed with regards to consumer IoT products entering the enterprise. The first is security. How can a corporation make sure that the devices coming into their airspace, and likely connecting with their network, are safe? There’s already been one published DDoS attack on the Internet of Things in recent months; this will surely be the beginning of many more. One of the toughest challenges faced by IT staff is the multiple protocols that these devices use for communication. The most popular is Bluetooth, but as you can see by the recent update, Bluetooth is riddled with holes that are ripe for exploitation. Bluetooth is just one of many invisible communication protocols that organizations cannot even see, let alone secure. And, at the risk of sounding trite, I’d be remiss to leave out the Target and Home Depot breaches that came from connected devices from non-employees.

A secondary consideration for the Enterprise deals with privacy. Many companies have already adopted wearables for fitness and wellness programs and early studies point to some very positive benefits. However, responsibility for the data collected from these wearables remains undetermined. Who is responsible for personally identifiable information and what, exactly, can companies do with the data that they collect? There will come a time when someone is passed by for promotion by a super-fit colleague with too many 26.2 stickers on their car. Such a situation could spell litigation. Furthering the privacy concerns, what pieces of this data can be shared, with say, insurance companies? Again, it would seem that it’s only a matter of time before someone leverages this data for unintended purposes with negative consequences.

Finally, in this wearables and IoT explosion, companies have to consider what they’re going to do about the massive demand on network resources. In a study conducted earlier this year with 400 network professionals, more than half said that their networks are already running at full capacity. In addition, the recent large-scale retail breaches have led to increased recommendations around creating a dedicated network for IoT and BYOD. But going back to my previous point, this would be a network of chaos, since the idea of IDS or vulnerability assessment for IoT simply doesn’t exist yet (we’re working on it). I suppose you could always name it The Wild Wild West or Use at Your Own Risk.

The use cases, and benefits, of wearable devices are vast. Sales data and surveys abound to show that this trend isn’t going anywhere. Thankfully, people are starting to realize that the Internet of Things is real and is going to present a significant change to the IT landscape. Unfortunately, security remains a weakness, standardization is non-existent, and with history as an indicator, many corporations may only stand up and take notice after a breach.


Series: Be Wary of Wearables, Part 2

In the first part of this series, we discussed how many IoT devices are selling out their users to the highest bidder. Today’s blog explores how our forfeiture of this privacy data can have real-life consequences.

One of the benefits of fitness trackers and other wearables is the visibility that they bring into everyday activities. But their popularity means that they are coming to market faster and cheaper and with little focus on security. What does this influx and affordability mean to the user? Chances are, it’s less control over your data, including who sees it. In some cases, this might mean personally identifiable information or location data.

Apps like MapMyRun and Lose It! are built for sharing and showcasing your performance. These good intentions, however, often leave people sharing the most precious information of all – their daily routines. These wearables and their supporting apps share when and where you jog, when you go to the gym, and how long it takes you to do these things. Over time, patterns begin to develop about your behavior. This is good for product marketing, but how secure is this data? As a father, I want to be sure that my daughter’s cross country training route doesn’t end up in the wrong hands.

So what can you do to stay safe? Wearables, by themselves, are of little risk. Though as we mentioned in part one of this series, you need to know your privacy policy inside and out. More importantly, be mindful of what you’re sharing; the more you share, the more vulnerable you become. Are you sharing that you’re running a trail in another state? You might recall years ago when Facebook became the burglar’s best friend – your wearable achievements could serve a similar purpose.

Of course, make sure you’re not sharing in real time. If you’ve dominated the hardest trail in the city, wait until you’ve left the park to share your triumph. And while we all know who might be on our Facebook friends list, be mindful of device and application privacy and data sharing policies – don’t just hit “accept” on those terms and conditions – know when and where you’re sending your data and make sure you control who can see it.
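The two pieces of advice above (don’t share your route in real time, and don’t let the shared data reveal where you start and finish) can be built into a sharing app rather than left to the user’s discipline. The following is an added example written for this article, not code from Bastille or from any fitness app named here. It assumes a hypothetical app that holds a GPS track as a list of points, a user-configured “privacy zone” around home (the coordinates, the 200 m radius, the 30 minute delay and the 500 m distance threshold are all constructed for the demo), and it gates publishing on the wearer having both finished a while ago and moved away from the finish point before a coarsened, home-redacted route is released.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class TrackPoint:
    lat: float
    lon: float
    time: datetime


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 coordinates."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = math.sin(d_phi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(min(1.0, a)))


def redact_privacy_zones(points, zones):
    """Drop every track point inside any (lat, lon, radius_m) zone, e.g. the area
    around home or a child's school, so the shared route never shows where it
    really starts or ends."""
    return [
        p for p in points
        if all(haversine_m(p.lat, p.lon, z_lat, z_lon) > radius for z_lat, z_lon, radius in zones)
    ]


def ready_to_publish(points, current_lat, current_lon, now,
                     min_delay=timedelta(minutes=30), min_distance_m=500.0):
    """Real-time gate: allow sharing only once the activity ended a while ago
    AND the wearer has moved well away from where it ended."""
    if not points:
        return False
    last = points[-1]
    waited_long_enough = (now - last.time) >= min_delay
    moved_away = haversine_m(current_lat, current_lon, last.lat, last.lon) >= min_distance_m
    return waited_long_enough and moved_away


def prepare_share(points, zones, current_lat, current_lon, now):
    """Return a coarsened, redacted route for a social feed, or None if sharing
    now would still give away the wearer's live position."""
    if not ready_to_publish(points, current_lat, current_lon, now):
        return None
    # Three decimals is roughly 100 m: enough to draw a route, not enough to pick out a front door.
    return [(round(p.lat, 3), round(p.lon, 3)) for p in redact_privacy_zones(points, zones)]


# Constructed sample data (hypothetical coordinates): a run that starts at "home"
# and finishes in a park about 1.7 km to the north.
T0 = datetime(2015, 1, 10, 7, 0, tzinfo=timezone.utc)
HOME = (40.7800, -73.9700)
PRIVACY_ZONES = [(HOME[0], HOME[1], 200.0)]  # hide everything within 200 m of home
SAMPLE_RUN = [
    TrackPoint(40.7801, -73.9701, T0),                          # front door, inside the zone
    TrackPoint(40.7850, -73.9700, T0 + timedelta(minutes=5)),
    TrackPoint(40.7900, -73.9700, T0 + timedelta(minutes=10)),
    TrackPoint(40.7950, -73.9700, T0 + timedelta(minutes=15)),  # finish line in the park
]
RUN_END = SAMPLE_RUN[-1].time
SOON = RUN_END + timedelta(minutes=10)   # ten minutes after finishing
LATER = RUN_END + timedelta(minutes=45)  # forty-five minutes after finishing


if __name__ == "__main__":
    # Still standing at the finish line ten minutes later: blocked (None).
    print(prepare_share(SAMPLE_RUN, PRIVACY_ZONES, 40.7950, -73.9700, SOON))
    # Back home 45 minutes later: published, with the home end of the route removed.
    print(prepare_share(SAMPLE_RUN, PRIVACY_ZONES, HOME[0], HOME[1], LATER))
```

The two checks are deliberately independent: the delay alone would still reveal that the wearer is at the park if they sat down for an hour, and the distance check alone would leak a live position the moment they walked to the car park, so both must pass before anything leaves the phone.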

So, we’ve established that with most devices your data is for the taking (and using, and sharing, and selling in some cases). We’ve also explored how data points, used together, could be harmful. In the next blog, we’re bringing it home. Where does the Enterprise fit in with wearable devices and what will the impact of IoT be in (and to) the workplace? Stay tuned…


Series: Be Wary of Wearables, Part 1

According to some estimates, the wearable market is set to explode, reaching nearly $12 billion by 2020. Fitness trackers alone are currently a $2.2 billion industry. While these devices are designed to help make our lives easier, more efficient, and healthier, there are some critical flaws in the technology that will undoubtedly fill many stockings this holiday season. This blog series will focus on some considerations for consumers and businesses alike as this new boom of wearable technology finds its rightful place in our everyday lives.

Privacy

Allow me to paint a picture. Your loving spouse decides 2015 will be the year of fitness for your family. To jump start your new, healthier lifestyle, you get a fitness band to help you understand your daily activities. You set up your device, integrate it with your phone, and install third party apps, like MapMyRun, to help keep you accountable with friends. What you probably haven’t done is read the terms and conditions and privacy statement from your new fitness pal.

Here’s what many privacy policies state you agree to when using their devices and services:

  • Agree to allow the product company to use your data for any purpose they choose
  • Agree to allow the product company to sell or share your information
  • Release the product manufacturer and its “partners and affiliates” from any liability for how this information is used

People are unaware that by using these devices and the data they provide to become more enlightened about their activities (coined the quantified self), they are unknowingly releasing tons of personal information and data to the manufacturer. Some products are better than others when it comes to privacy, but after combing through numerous privacy policies, we found that many manufacturers require you to give up your data for the purposes of marketing, tracking, and just about any other reason they deem necessary.

While this might not seem like a big deal, essentially your agreement to these invasive policies turns you into the product. Not only are you agreeing to get emails when you’ve taken enough steps to need a new pair of shoes, but if those steps slow, you could start receiving emails for weight loss meals or gym memberships. Or what about those third-party apps that track where you’ve been? Run by the same department store every day? You just might start getting text messages with coupons.

These intrusions may seem a small price to pay for health, but when you authorize companies to share your personal data, it can be for sale to the highest bidder. What if your fitness band started sharing your sedentary lifestyle with your insurance company? That could spell trouble for your premiums. Finally, as one last word of caution, we’d be remiss to not share this story of the year – if you’re going to use a fitness tracker and share your activity with your spouse, make sure you can explain those increases in heart rate or you might find yourself running for a reason other than weight loss.

The next blog in our series will explore security and how to stay safe in a shared world.