A world of Internet-connected TVs, fitness bands, home thermostats and other devices is here to stay, says Gartner. There will be about 4.9 billion connected units in use this year, the research firm estimates; by 2020, that number will grow to 26 billion. This forecast might sound promising to companies that already use, or seek to use, the Internet of Things to create more personalized experiences for their customers. But despite the benefits these devices offer, they come with a huge caveat, warns the Federal Trade Commission: The personal information these smart devices collect represents a significant security and privacy risk to consumers.
The FTC's recently published report, which summarizes a workshop discussion it hosted on the Internet of Things (IoT) along with staff recommendations, listed the various ways vulnerabilities in IoT devices could pose security risks. These include: facilitating unauthorized access to or misuse of personal data; enabling attacks on other networks; and the possibility of major risks to our physical safety.
"Although each of these risks exists with traditional computers and computer networks, they are heightened in the IoT," the report stated. In an unnerving example of how an IoT device could endanger physical safety, a workshop participant described how he was able to remotely hack into connected insulin pumps and alter their settings so that they stopped administering medicine.
A 2014 HP Security Research report illuminates just how vulnerable the IoT sector really is. The study, which looked at the 10 most common devices from the most popular IoT niches, including webcams and home alarms, found that 90% of them collected one or more pieces of sensitive information either from the device itself or its associated cloud service or mobile app. Furthermore, 70% of these devices lacked encryption when communicating with their networks or on the Internet; 60% were vulnerable to such issues as weak default credentials and persistent cross-site scripting; and a whopping 80% failed on one of the most basic of security controls -- passwords of sufficient complexity and length (many allowed passwords like "123456").
Privacy also got short shrift. The HP report found that 80% of the IoT devices examined raised privacy concerns and, even more troubling, that the risks were greater than with other types of devices that collect some form of personal data because of the cloud services and mobile apps that work in tandem with an IoT device. The study raised the question the FTC's report also seeks to address -- namely, whether these devices really needed to collect this personal information to function properly.
Consumer privacy bill of rights for the IoT?
The FTC report offers recommendations to designers about "security by design," or building security into IoT devices from the start; it also advises companies to enact security basics such as risk assessments, changing default passwords, employee training and a layered approach to defense -- standard advice in the era of data breaches. But security is only one-half of the IoT puzzle, the report asserts. Privacy, along with consumer trust, is something both designers and companies will need to address if they want to really take advantage of the IoT's potential, the FTC report states.
Whether the FTC's focus on privacy will spark a call for consumer privacy rights on the IoT remains to be seen. At present, most organizations tend to focus primarily on security, not privacy, with regard to the IoT, said former Forrester analyst Eve Maler, now vice president of innovation and emerging technology at ForgeRock, an identity management vendor. Indeed, the lack of concern about privacy borders on arrogance. "It's as though companies are automatically granted access to consumers' personal data by virtue of their privileged position, versus consumers controlling the information that is sharable," Maler said in an email.
Both Maler and the FTC stress that transparency and limiting the collection of personal information are crucial. Implementers should use devices that have privacy-respecting features built in; they should also aim to minimize data collection and retention and give end users "notice and choice" about some of their personal data. Who will enforce those practices, however, is still a question.
CIO news roundup for week of Jan. 26
Here are more tech headlines from the week as some of us recover from Snowmageddon:
- Apple just reported the largest quarterly earnings of any company in the world, ever. No biggie. On Tuesday, the tech giant said net profits in its fourth quarter were a record-breaking $18.04 billion on revenue of $74.6 billion. (By comparison, the last record holder, Russian company Gazprom, pulled in a profit of $16.2 billion in a quarter.)
- For one long hour on Tuesday, Facebook and Instagram became unavailable to users worldwide, an event that many feared was the result of a cyberattack. Facebook, however, explained that it was instead caused by an internal malfunction that "affected our configuration systems." Unsurprisingly, people turned to the other big social network that was available at the time, Twitter, to joke about the incident.
- Looks like universities are wholeheartedly jumping on the big data bandwagon. University of California, San Diego, is taking advantage of employment trends on LinkedIn to drive its career services; Boston analytics startup EverTrue weeds through the social media activities of college graduates to see which of them are more likely to donate to or volunteer for certain causes.
- Amazon is at it again with another cloud service, this time tackling email services. Amazon Web Services this week launched WorkMail, a work email and calendaring product that seeks to take on the likes of Google Gmail and Microsoft Exchange (it even works with Microsoft Outlook).
- Calling all predictive analytics experts: The National Weather Service predicted "historic" snowfall for New York City early this week -- which was so off base that its director even scheduled a press conference to apologize.
Check out more security and privacy highlights from the FTC Report on SearchSecurity.