If there was any doubt that the Internet of Things could be used to spy on people, the head of National Intelligence has admitted that it can.
As part of an assessment of the threats faced by the U.S., James Clapper, the Director of National Intelligence, delivered testimony to the Senate revealing that connected devices can be used for surveillance.
“In the future, intelligence services might use the [Internet of Things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials,” Clapper said.
Clapper did not specify which agencies could be involved in this practice, but his statement is enough for consumers to abandon dreams of having a smart, connected home that’s completely free from Big Brother.
This statement solidifies some of the personal data concerns discussed in a recent paper published by a team from the Berkman Center for Internet & Society at Harvard University. The paper addresses the current evolution of security practices in light of growing consumer awareness of Big Brother tendencies in a post-Snowden era. As with landline telephones and computers, the emerging long tail of connected devices has also become a digital paper trail for law enforcement to access during investigations and proactive surveillance.
The 37-page report, entitled Don’t Panic: Making Progress on the ‘Going Dark’ Debate, discusses two main reasons why people’s data aren’t entirely protected from the government’s prying eyes. For starters, connected devices often lack strong security options for consumers. Worse still, manufacturers are not incentivized to spend more to build in security for connected devices.
The Internet of Things opens (too many) doors
The Internet of Things may provide a string of conveniences for users, such as remote control over home lighting, video-enhanced doorbells and digital locks, but these connected devices could also be used to learn more about the people living in the house. One weak link in the network of connected things could result in your bank account being hacked and wiped out.
The same vulnerabilities that let hackers in also leave the door open for law enforcement to request data directly from manufacturers and service providers. According to the report:
“The Internet of Things promises a new frontier for networking objects, machines, and environments in ways that we’re just beginning to understand. When, say, a television has a microphone and a network connection, and is reprogrammable by its vendor, it could be used to listen in to one side of a telephone conversation taking place in its room – no matter how encrypted the telephone service itself might be. These forces are on a trajectory towards a future with more opportunities for surveillance,” the report noted.
Connected listening devices are already upon us. Last year it was revealed that Samsung Electronics Co. Ltd.’s Smart TVs are always listening, requiring a policy advising users to avoid discussing sensitive information in their presence. In 2012, years before IoT became a buzzword, then Central Intelligence Agency Director David Petraeus was seemingly excited about the prospect of connected appliances and their potential for surveillance measures.
The debate on going dark
Some believe that the government has been spying on landline phone calls and other activities for decades, but there was a lack of proof until Edward Snowden, a former National Security Agency contractor, revealed how the NSA has been snooping around.
Because of this revelation, some companies have sworn to help protect users by tightening up encryption in the services they offer, sparking the “going dark” debate. According to the government, its agencies need access to people’s data and activities to be able to prevent terrorist attacks and prosecute criminals. But keeping the government from accessing user data, especially in real-time, is seen as a consumer safety issue.
According to James B. Comey, current Director of the Federal Bureau of Investigation, going dark means that the proper authorities, such as the FBI, will not be able to access evidence needed to prosecute crime or to prevent terrorism, even with lawful authority. He explains that though the FBI has the legal authority to intercept and access communications and information pursuant to court order, they “often lack the technical ability to do so.”
But is the average device user really going dark? Device makers and service providers aren’t making the process of going dark as simple as it could be.
End-to-end encryption is not lucrative
In 2014, Apple and Google stated that end-to-end encryption would be implemented in their respective mobile operating systems. The encryption method leaves the companies without access to user data, which means that an investigative branch of the government can no longer go directly to either company and ask for user data.
Despite this move by Google and Apple, not every company is so proactive. According to the report, most companies largely rely on advertising for revenue, and the only way for this to work is by providing user data to third-party companies. If service providers were to implement end-to-end encryption, user data would no longer be accessible for third-party use.
“Implementing end-to-end encryption by default for all, or even most, user data streams would conflict with the advertising model and presumably curtail revenues. Market trends so far reflect that companies have little incentive to veer from this model, making it unlikely that end-to-end encryption will become ubiquitous across applications and services. As a result, many Internet companies will continue to have the ability to respond to government orders to provide access to communications of users,” the report stated.
A recent example of how lax manufacturers are with regard to security comes from the Fisher-Price Smart Toy and hereO GPS devices. The children’s toys had issues with web service authorization, which allowed attackers to send requests that should not have been authorized. The security vulnerability in the Smart Toy enabled opportunistic attackers to find a child’s name, birthday, and other sensitive information, while the vulnerability in hereO GPS allowed attackers to access a family’s location and location history, as well as abuse other platform features. Another disturbing example is the hack of VTech Holdings Ltd. last year, which not only exposed parents’ data but also allowed access to messages and photos between parents and their kids.
There’s still hope
Yes, the Internet of Things opens up new avenues for the government to spy on people, but it doesn’t mean all hope is lost. Despite IoT manufacturers’ lack of incentive in securing their products, some companies see a market opportunity in extending security services to device makers and service providers.
Nokia Corp. recently launched a security platform called NetGuard Security Management Center, which allows an operator to monitor and control all the multi-vendor security systems deployed across its telecommunications network. It combines monitoring and configuration of different systems to detect and protect against threats in real time.
Other companies with services that secure connected devices include Icon Laboratories, Inc., which offers Floodgate Security Manager, and Trustwave Holdings, Inc., which offers Trustwave Managed IoT Security.