We live in a connected world. So connected that we have to schedule vacations specifically to escape the noise of constant advertising, work emails, group texts, friend requests, and countless other distractions vying for our attention. Still, being accessible is a double-edged sword: despite the nuisance of nearly ubiquitous attachment to technology and media, connectivity (and the Internet of Things, or IoT, specifically) gives us the ability to automate daily tasks, improve productivity, and live more efficiently.
Are we trading privacy and security for convenience?
Cisco and Intel have independently estimated that approximately 50 to 200 billion devices will be interconnected by 2020. According to VentureBeat, “Amazon also said it sold ‘millions’ of Alexa-enabled gadgets …” during the recent holiday season. And those gadgets’ owners will now be able to call Alexa by name and use voice commands to set a timer or order their next Amazon Prime shipments.
Behind the scenes, the small-footprint devices submit the audio captured from voice commands to the Amazon Lex API, powered by “automatic speech recognition” (ASR) and “natural language understanding” (NLU). Admittedly, the underlying processes that make users’ experiences more conversational captivate both tech-savvy and non-techy users alike.
Even more interesting, though, is the small buffer of audio captured just prior to a user invoking the Alexa service—a potential privacy nightmare for those within close proximity of the devices. Amazon does provide the capability to manage the data that is captured and stored, but the privacy and security implications are uncertain at best.
For example, local police in Bentonville, Arkansas, recently obtained a warrant for Alexa recordings to use as evidence in a murder case (though Amazon has refused to comply with the data request and prosecutors have not forced the issue). We should expect new legislation and case law to develop around users’ privacy rights related to IoT devices and voice- or video-enabled systems.
In addition to privacy issues, IoT devices present security challenges. Imagine you get a multi-camera security system to record activities in and around your homestead. The benefits of this type of system could range from cloud-based notifications of motion to ensuring from another room that your toddler is taking his or her mid-day nap. The privacy implications are fairly obvious in this scenario, but the security implications may not be as apparent.
The security camera system includes not only the cameras themselves, but also the Digital Video Recorder (DVR) to capture content for analysis and display. If you want to remotely access the DVR from a cloud-enabled application on your mobile phone, tablet, or web browser, the DVR will regularly be accessing the Internet. In many cases, the broadband router on your network will leverage the Universal Plug and Play (UPnP) to make this interconnectivity even easier. Often, the cameras and the DVR unit are built on a slimmed-down operating system with a web server to make the management very easy for the end user.
Unfortunately, these systems contain basic security vulnerabilities and application weaknesses that make obtaining remote control of the devices fairly simple even for novice attackers. These devices have largely been used in Distributed Denial of Service (DDoS) attacks; fortunately, most times they only impact end users by slowing down their Internet instead of being used to snoop on people’s activities and invade privacy.
But a larger question remains. As threats become more sophisticated and connectivity expands, at what point do we prioritize security and privacy over convenience? Sadly, we’re not there yet.
About the Author
Landon Lewis is a founding partner of Pondurance. With over 17 years of experience, he has a strong information security background that spans multiple industries and also includes experience in SCADA and ICS/DCS environments.
Prior to starting Pondurance, Landon gained much of his experience working for Accuvant, IBM, Midwest ISO, VeriSign, and Fifth Third Bank. When Landon is not behind a keyboard, he’s typically scuba diving, prepping his BMW for track days, mountain biking, or hiking.