No doubt about it — we live in an internet-connected world. Our mobile phones and tablets serve as jukeboxes, video arcades, personal assistants and encyclopedias, and we can get an answer to almost any question by simply saying, “Hey Siri” (or “Hey Alexa” or “Hey Genie”). It is indeed a Golden Age of technology, whether we like it or not.
It does not stop there. Over the last five years, the “Internet of Things” (or IoT—the term used to describe the ever-growing collection of physical objects connected to the Internet) has grown substantially. We have more “smart” devices in our homes, offices, cars, and on our persons, and these IoT devices can do everything from regulating the temperature in the bedroom to helping us avoid local traffic jams to letting us know we’re out of beets (we must remember to somehow disable that last function).
By the year 2020, it is estimated that there will be approximately 50 billion IoT devices connected to the internet—between 6 and 7 IoT devices for every person in the entire world.
What about security of IoT? Yet this internet explosion of convenience and technology has raised new concerns about just how secure we are when it comes to the protection of our personal information. If you think that the title of this article sounds like something out of a dystopian science fiction thriller, guess again.
Day in and day out, we are treated to constant headlines telling us that yet another company has been hacked and their repositories of personal information compromised, and IoT hacks are no exception. Although IoT hacks have not received as much attention as the more straightforward computer hacks and thefts of credit card information, in 2017 the following products came on our radar:
• Baby Monitors—Ever wondered if there was an IoT device that would let you keep an eye (and an ear) on your baby anywhere and anytime without the hassles associated with bulky receivers? Bring on the internet-connected baby monitor! this IoT technology lets you check in on your baby from any room in the house, or even the car or the office, through an app on your mobile phone or tablet. Some versions even let you talk back to the baby, so you can whisper the baby back to sleep. Yet the IoT connectivity means that pranksters, voyeurs and plain old criminals can potentially listen in to whatever is being said, download video footage of your baby and sell this personal information online (and you know someone has already found a way to monetize this data). So much for “sleep tight.”
• Implantable Cardiac Devices—The FDA confirmed that St. Jude Medical’s implantable cardiac IoT devices (things like pacemakers and defibrillators) have vulnerabilities that could allow a hacker to access it. For example, once implanted, hackers could deplete the battery or administer incorrect pacing or shocks. If you saw Damien Lewis do this on an episode of Homeland back in 2012 and thought this could never happen for real, oh how wrong you were!
• Sex Toys—Yeah. We went there. We’re not exactly sure why anyone would actually want an IoT device that could monitor certain “aspects” of your sexual activity and then store that information for later analysis, but it has garnered at least some popularity. Yet these types of IoT are apparently relatively easy to hack, and you can imagine the embarrassment if someone other than the purchaser was able to turn the IoT device on at any time or control things like speed or power. We’ll let you fill in the blanks. … sorry we even brought up the subject.
What can you do to protect your IoT? We could add to the list, but you get the idea. Every IoT device that is connected to the internet has the potential to be hacked, and the data stored within it appropriated and used against you. Yet just because these IoT devices can be hacked, it is not a foregone conclusion that your particular IoT device will be hacked or that you should revert back to the (relative) Dark Ages of 2000 when you actually used mobile phones to just call people.
There are some things that consumers can do to protect themselves.
1. Firmware Updates—The firmware is the software within an IoT device that makes it run, and IoT device manufacturers do their best (usually) to identify any security flaws in their products and publish updates on their website to eliminate them. Check the website regularly, at least once a week to see if there are any such updates, and if there are, update the IoT device right away.
2. Strong Passwords— Often, your IoT device will come straight from the factory with a pre-loaded password (something along the lines of — and I swear we are not making this up—“password” or the name of the company that made the IoT device). Change the factory set password right away to something that is relatively easy for you to remember, yet hard for a total stranger to guess or secure through trial and error.
3. Local Connectivity—With something like a baby monitor, while it might be really cool to be able to check in on your baby while you are at work, that means connecting to the monitor over the internet as opposed to the local area network in your home. Of course your local area network in your home is much more secure and much less likely to be hacked, so if you do not need global accessibility to your infant, consider implementing this kind of restriction; and
4. Product Reviews—Just as you might read reviews from trusted sources like Consumer Reports for any IoT device that you are thinking of purchasing, so you can consider things like safety and functionality, look for reviews about how secure the IoT devices are when it comes to the protection of personal data. Given how serious this issue has become, most tech-oriented companies are looking to use information security as a USP for their IoT device, so the information is definitely out there (and if it is not, maybe don’t go with that brand).
Conclusions Obviously, neither IoT devices nor the potential hacks associated with them are going away anytime soon. If you want to take advantage of all the latest technological trends, take every step possible to secure the information that IoT devices will invariably collect. With a little common sense and foresight, your refrigerator can go from being an evil surveillance IoT device to a trusted monitor of beet inventory in no time!
Eric Levy is a senior attorney at Gardere Wynne Sewell focusing on transactional and compliance matters related to information privacy and security. Eric has received the Certified Information Privacy Professional (CIPP-US) designation from the International Association of Privacy Professionals. Edward (Eddie) Block is a senior attorney at Gardere Wynne Sewell. Eddie has over 20 years of experience as an information security professional and holds numerous security certifications including Certified Information Systems Security Professional (CISSP), Certified Information Privacy Manager (CIPM), and Certified Ethical Hacker (CEH). Peter Vogel is a trial partner at Gardere Wynne Sewell where he chairs the Internet, eCommerce & Technology Group, and co-chairs the Cybersecurity & Privacy Group. Peter holds a Master’s in computer science, and has been an adjunct law professor at the Dedman School of Law for 30 years, including teaching courses on the law of e-commerce for 15 years.