It already seems like the Internet of Things is everywhere but this is just the beginning. IoT is on the rise, penetrating an increasing number of industries, from finance to healthcare. The connected devices market reached $130bn in 2018 and will more than double by 2023. However, beyond convenience, not many users are aware of the risks associated with these gadgets.
From easily hackable baby monitors to fitness trackers exposing the locations of US military bases, smart, internet-enabled devices don’t have the best reputation for security. Device vulnerabilities coupled with the tech industry’s greed for data make Internet of Things gadgets a privacy nightmare. Why exactly is IoT so dangerous and what (if anything) can we do to fight back?
The real price of Alexa is your privacy
For something that carries extremely sensitive information about our homes, bodies, and lifestyles, IoT devices are surprisingly easy to hack. This is often due to the manufacturer’s negligence. In a competitive and fast-paced market, connected devices are rushed to market without proper security testing. What’s worse, many of the low-cost devices are based on a similar blueprint. A vulnerability exposed by hackers in one of them becomes a gateway to the others.
Smart home devices are at the highest risk of attack, with security cameras being the most frequent target. Even such seemingly innocuous devices as baby monitors or children’s toys can fall prey to hackers. In an age when we invest more time and money in securing our homes than ever before, we are unknowingly giving criminals new ways of getting in.
IoT devices have poor security, but their own manufacturers might be as much of a threat as cybercriminals. Both Alexa and Google Home have recently shocked us with news that recordings from our smart home devices are being listened to. As it turns out, Amazon and Google send a sample of users’ smart home recordings to be transcribed and annotated by their employees. It’s part of training AI to understand human speech better and offer more accurate suggestions.
Whether you deem AI training a legitimate reason for recording users or not, the secrecy of the undertaking shows how much Amazon and Google care about our consent. And this is some deeply sensitive data we’re talking about: Google Home recordings included bedroom activities, arguments with spouses, and even domestic violence. Google contractors also reported that some recordings contained enough personal information to identify the user, such as names and addresses.
But wait, surely the law protects me?
Unfortunately, not quite. As is usually the case with technological disruption, legislation struggles to catch up with the latest developments in IoT. Legal grey areas leave many matters up to the freewheeling tech companies to decide.
Europe seems to be leading the way to implementing more comprehensive rules. Privacy policies for connected devices must comply with the EU’s General Data Protection Regulation (GDPR), which unifies data laws across most of Europe. The European Telecommunications Standards Institute (ETSI) also released the first global standard for cybersecurity in IoT, an important milestone given widespread cybersecurity negligence in the industry. But time will tell whether this standard will become legally enforced by the EU.
In the U.S., California just became the first state with an Internet of Things cybersecurity law. Scheduled to come into force on January 1, 2020, the bill requires all IoT manufacturers to equip their devices with “reasonable” security features. While security experts called the law “a good start”, many critics have pointed out that it doesn’t go far enough to fully protect consumers from cyber threats.
How to fight for your IoT privacy
When the law doesn’t provide sufficient protection, it’s up to us, users, to fight the privacy war. We can’t safeguard ourselves from the IoT manufacturers over-collecting our data but we can take steps to keep hackers away. Simple cybersecurity precautions go a long way.
You can start by making sure your device’s software is up to date. Security vulnerabilities often reveal themselves after a device has entered the market — software updates are the manufacturer’s way of fixing them so you should never disregard an update prompt.
Setting a new password as soon as you install a device is another good practice. A strong password is not easily predictable (so your partner’s, child’s or pet’s names are all ruled out) and should be at least ten characters long. If you have trouble coming up with a random password on your own, use one of the many password generators available online.
Finally, secure your home network. A VPN, short for virtual private network, encrypts your internet traffic and protects it from prying eyes, be it your internet provider or a cybercriminal. You can use a VPN router to protect all devices connected to your home network.
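The password advice above (at least ten characters, no names of family members or pets) can be checked and automated locally rather than relying on an online generator. The following is an added example, not code from the original article; the function names, the character-swap table and the sample names are assumptions made for illustration.

```python
import secrets
import string

MIN_LENGTH = 10  # the article's minimum password length

# Undo common character swaps so "R3x" is still recognised as "rex".
# This table is an assumption of the example, not part of the article.
_LEET = str.maketrans("013457@$!", "oieastasi")


def normalise(text):
    """Lower-case, undo common swaps, and keep letters only."""
    return "".join(c for c in text.lower().translate(_LEET) if c.isalpha())


def check_password(password, personal_names):
    """Return a list of reasons the password fails the article's rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    flat = normalise(password)
    for name in personal_names:
        key = normalise(name)
        if key and key in flat:
            problems.append(f"contains the name {name!r}")
    return problems


def generate_password(length=16, personal_names=()):
    """Draw a random password from the OS CSPRNG that passes check_password."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + "-_.!@#%+="
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, personal_names):
            return candidate


if __name__ == "__main__":
    names = ["Anna", "Rex"]  # constructed sample names
    for pw in ["R3x2019!", "annaAnna1234", generate_password(16, names)]:
        print(pw, "->", check_password(pw, names) or "ok")
```

The `secrets` module draws from the operating system's cryptographic random source, which is the property that matters for a generated password; the `random` module is not suitable for this.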
All this said, until the IoT industry is better regulated by law, it’s largely up to tech companies to establish security and privacy standards for connected devices. And as we have witnessed in recent years, most of them can’t be trusted with that much power. This means that making our homes smarter might mean giving up on our privacy. It’s up to you to decide if it’s worth it.