The Internet of Things (IoT) is, for many, about devices we connect to a network for convenience, such as thermostats, light switches, connected cars and interactive toys for our kids.
While the IoT is indeed a marvelous invention, designed to make daily digital life even easier, how safe is it in terms of protecting your privacy?
Alongside an ESET researcher team, I investigated some of the more popular IoT devices on the market today with the aim of creating a basic 'smart home' that mimics the connectable objects likely to be found in a typical household.
Notions of interconnectivity and the 'smart home' are now rarely seen as the main focus of science fiction narrative, but assumed as background. Today, the IoT makes the 'smart home' not only achievable, but in some respects commonplace.
But how plausible is it to create your own 'smart home'? Many issues can crop up when trying to create your own interconnected dwelling space. One of the challenges facing even the most basic implementation of a 'smart home' is interoperability between devices provided by different manufacturers to provide a harmonious, unified experience… or as close as possible!
We purchased a few IoT devices that could be deemed as essential for the creation of a type of starter kit for anyone wanting the convenience of an interconnected experience in their home. We also purchased a virtual personal assistant (a device that takes verbal commands and can control many of the devices purchased; in fact, a 'smart home' may actually start with a device like this and then expand functionally with additional IoT devices).
Privacy concerns
The main area of concern was constructing a 'smart home' that did not compromise on privacy.
In that respect, there was unease that the devices in the home could potentially collect private data. Of course, we understood the need for most devices and services to collect basic personal details. Worryingly, however, we found that companies often used the term "but not limited to", meaning they might collect more than what was on the applicable privacy policy.
In total, the team tested twelve products from seven vendors, including one product that we have not included in the final report due to discovery of significant vulnerabilities. As a security company, we value the commitment to responsible disclosure and the collaborative nature of the IT security industry — therefore, we notified the company in question with specific details of the device's shortcomings and will not publish these details until the vendor has had time to rectify the issues.
While each device tested led to some privacy issues, it was the role of voice-activated intelligent assistants that raised the most concerns. This is due, among other things, to concerns the fear of oversharing of data by commercial services, insufficient protection of stored personal data, and the possibility of interception of digital traffic by cybercriminals or the mischievous.
Can you create a safe smart home?
The answer is… possibly. No device or software is guaranteed to be secure or immune to potential vulnerabilities. However, a company's security culture can be judged based on its reaction to vulnerabilities when they are disclosed. Some of the devices tested had vulnerabilities that have been dealt with quickly with new software and firmware. When vulnerabilities are not fixed promptly (or at all), then choosing an otherwise equivalent device would be an appropriate response. But with sound judgement and caution, it is possible to start a basic 'smart home'.
Conclusion
At its inception, the goal of this project was to create a basic 'smart home' that mimics something that could end up in typical household. The concern from our research team was “what if we don’t find any issues?” Alas, this was not the case, and in fact the conclusion that I have written is different from what we had envisioned at the start.
The potential for home, lifestyle, health and even browsing data collected by internet service providers to be available to a single entity should only be permitted after due consideration for the consequences.
A full list of the tested devices, along with a more technical breakdown of the products, may be found in the white paper: IoT and Privacy by Design in the Smart Home.