Senators Ponder Internet of Things Security in First Hearing
The same kind of attack on networked automated devices was the mission of the Stuxnet worm that led to the destruction of most of Iran's uranium centrifuges. There the invasion required tempting engineers to plug in a USB stick. These days, with nearly every device connected to the Internet, it's much easier. Unfortunately, unauthorized access to networks is only one of the security problems facing the widespread use of the IoT. Another, potentially much more serious problem is the use of data gathered by those devices. In the case of the Samsung television that listens in on your conversations, the company claims that it doesn't actually use the recorded speech for anything beyond improving speech recognition. But once you've signed the user agreement allowing Samsung to record those conversations, what's to keep that from changing? Here's another example that's closer to home. I recently purchased a Garmin Vivofit activity monitor that keeps track of when I'm walking, when I'm sitting and when I'm sleeping. That data goes first to my phone, then it goes to Apple and then to Garmin. From Garmin it can go to my Windows computer, where it can be retrieved. But what's to keep a law enforcement agency from demanding to see activity that's stored at Garmin?

While it's unlikely that the first security problem that gets discussed in these hearings, the encryption of the link between devices, will prove to be much of a problem, the fact is that the ultimate destination of the data is a huge problem and a huge privacy issue. One of the Senators in the hearing said that while it's fine with him if his smart refrigerator tells him that he's getting low on milk, it's not fine if the refrigerator also tells the grocery store so it can be used for marketing information. And this is just one part of the problem. Consider that the majority of the IoT will probably not be used by people at all, but rather by devices in organizations that communicate with other devices.
How hard will it be to protect that data, regulate where that data ultimately goes, who accesses it and how it's used? While it's likely that most of the companies gathering such data will say they protect it, will they? Or will they quietly place a disclaimer into their agreements allowing unspecified use by unnamed third parties? Ultimately, it's controlling the background distribution of private data that poses the greatest risk and somewhere in this legislation this needs to be nailed down.
The device also allows Garmin to know how much I weigh (too much), how tall I am, how old I am and my normal level of fitness (next to zero). I'm willing to take this risk if only because most of this data is already in some government database. But suppose it was my television viewing habits? Or suppose it was data related to my credit cards or bank accounts? At some point you get to data that I'd rather not have the world see.