Are you Following Me? How the Internet of Things is Affecting Our Lives
The new “big thing” in the cyber world is Internet of Things (“IoT”). What is the IoT? It is your fitness tracker, your Alexa, electronic pacemakers, the GPS in your car, self driving cars -- pretty much all of those cool and new electronics and technology that makes our lives exciting and easier. However, no matter how techy our world gets some things never change, and the old adage -- there is no such thing as a free lunch -- seems more and more appropriate. IoT is set to take the world by storm, with every new little gadget that comes down the pike having a camera or sensor that collects data about you. In fact, the economic impact of IoT has been estimated to be between $3.9 trillion and $11.1 trillion by 2025. But, with all of these conveniences and cool gizmos comes the corresponding security issues that we must consider when introducing a new “species” into our home environment.
Just recently, we heard of the story that American soldiers who use fitness trackers maybe inadvertently giving away their location because there is an interactive map on the web that shows fitbit users worldwide. Basically, in sparsely populated areas, like Iraq and Syria, these interactive maps are almost completely dark except for randone pinpricks of activity. Those areas are the locations of known U.S. military bases; i.e., areas where American soldiers and other personnel are using fitness trackers as they move around. The amazing part of this story: this proliferation of location data for U.S. military bases was discovered by a 20-year-old Australian student.
In 2017, the FDA issued an alert regarding Abbott pacemakers. The FDA had discovered a security flaw putting 465,000 pacemakers at risk. The issue was not a biological one, but a technological one. The vulnerabilities included an improper authentication that could be “compromised or bypassed.” Another vulnerability discovered allowed any nearby attacker to issue commands to the pacemaker to, say, drain the battery.
In another chilling event, a fitness tracker was used as a “silent witness” in a Connecticut murder case where a woman was found shot in her basement. The timeline her husband provided the police did not match-up with the information taken from her fitness tracker. (So, I guess think twice before giving your spouse that fitness tracker for his or her next birthday?)
What about voice-activated, internet-connected personal assistant? More and more, people include these types of devices in their home (who doesn’t want to have a morning conversation with their technology about the weather?). But, could these companies who push out the personal assistants be listening to us all the time? These voice-activated, internet-connected personal assistants “hear” what we say, record it and send it to a server. Now, these devices are only supposed to record when you ask it to by call its name. But, there are instances where police are attempting to get search warrants for what the device “hears” even when not specifically “activated” in order to investigate crimes.
In Arkansas, the defendant who pled not guilty to first degree murder is allowing police to obtain records and recordings collected from his Amazon Echo. The defendant’s friend had been found face up in the bathtub in the defendant’s home. Like all voice-activated personal assistants, Amazon's Echo responds to particular keywords and then records audio from a few seconds before, during and after it “hears” one of the key words. However, it is not uncommon for the device to record non-keywords. So, it is possible that the Echo “heard” what happened leading up to the victim’s death. Amazon had been challenging the records subpoena claiming that prosecutors had not set forth sufficient evidence to show that the investigation was more important than its customers' privacy rights.
In the UK, the Information Commissioners Office warned parents to turn off cameras and other tracking devices on the Christmas presents they were giving their children. The big concern? These toys interact with the internet, typically via your home wifi router. Because most home routers are not very secure, criminals can hack into toys containing sensors, microphones, cameras, data storage and other multimedia capabilities and watch our children playing in their own home. Back in 2015, VTech, a Hong Kong-based company that sells baby monitors and digital learning toys such as children's tablets, reported that data for 5 million "customer accounts and related kids profiles worldwide" were compromised as part of a cyberattack. Included in the information taken were the names, birth dates, and mailing addresses of those children.
Companies are hoping to leap over key security features in order to cash-in on the IoT craze. Devices are not created or designed with security in mind. And, even if these products do include security features, as All Things Auth notes, “security features often do not follow the same lifecycle as “core” product features and are bolted on as an afterthought.”
It is ironic. We are a culture that is currently obsessed with organic foods and all-natural cleaning products that won’t harm us, our children or our pets. Yet, we happily invite criminals into our home by using devices that can be hacked from the street or tracked on the internet. (You can buy a WiFi Pineapple for the bargain basement price of $99 and basically have the ability to hack anyone on public WiFi).
IoT and all devices that connect or use the internet must be created with security in mind. Gone are the days when we can ignorantly believe that no one would want to hack us. We are all vulnerable. At our jobs, as we travel, in our homes -- nowhere and no one is safe. So, as you excitedly open the newest gadget, stop and consider that just because the designer did not create device with security in mind does not mean YOU should not put security front of mind. Cybersecurity, and security in general, requires constant vigilance. We buy state-of-the-art security systems, but think nothing of using IoT devices in our home with abandon and with little thought to their security.
Just remember that when you are “plugging in” (virtually, of course, because nothing has a cord anymore), think about what you may be inviting into your home. Weigh the costs of the value of the device against its security vulnerabilities. Read about the security features on the device and whether they can be enhanced or upgraded in any way. All of the security systems in the world won’t keep out a hacker if you give them the keys to the kingdom. Invest in the cybersecurity of your home, as well as your business. Because cybersecurity, whether at home or in the office, is always a good investment.
* * * * * *
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.