IoT Security and Privacy: According to a new report (“State of IoT Security”), so-called “smart” devices might not be so smart after all. The report from Pepper IoT and Dark Cubed detailed a wide variety of security issues and privacy flaws in common Internet of Things (IoT) devices, including some cases where devices such as smart light bulbs were communicating personal data and information to third-party companies in China. The major conclusion of the report is that both retailers and manufacturers need to take comprehensive new steps to resolve these IoT security and privacy issues.
Key findings of the report on IoT security and privacy
As Pepper noted in its report, the fact that the smart device space is complex and fast developing is “no excuse” for companies not to be doing more to guarantee IoT security and privacy. The report specifically looked at 12 different off-the-shelf IoT smart home devices from brands such as Guardzilla, iHome, Merkury, Vivitar, Wyze, Zmodo, Momentum, and Oco. The list of retailers where these devices were purchased included Walmart, Best Buy and Amazon – basically, the three biggest retailers in the U.S. where American consumers would be most likely to purchase these IoT devices.
And yet, despite the comfort level that customers might have when buying from these stores, the products turned out to be almost embarrassingly weak when it came to protecting IoT security and privacy. In the base case scenario, the security failures included a lack of data encryption, missing encryption certificate validation, and data that was often collected and transmitted between devices and apps without any safeguards in place.
In one particularly egregious case, a Merkury smart light bulb that had only one function (to turn on and off) also required the installation of a Merkury smartphone app that tracked location data, recorded audio, and accessed the storage on the phone. What was particularly worrisome was that the Merkury app had hard-coded links back to 40 different third-party websites, including a number of Chinese tech companies (e.g. Alibaba, Taobao, Weibo).
China’s role in the Internet of Things
In the report, Pepper specifically called out China’s role in the Internet of Things. Many of the consumer tech brands currently selling IoT devices in the U.S. marketplace have strong ties back to China, and that naturally raises questions about how exactly any personal information acquired by smart devices as part of their data collection might be used without user consent. In an era of Big Data and real-time communication, there are now very real concerns about the amounts of data being shared and collected.
In some cases, the relationship with China might be benign, as in simply giving a user the ability to post about his or her amazing smart device experience on a social media platform like Weibo (China’s version of Twitter). However, there is a darker alternative scenario: the Chinese government may be using its tech firms as a “backdoor” to spy on everyday Americans. That concern is at the root of the dispute over Chinese telecom firm Huawei, which is accused of spying and conducting cyber-espionage in the United States.