IoT Could Be Used by Spies, U.S. Intelligence Chief Says

James Clapper tells senators the vulnerabilities in connected devices that hackers exploit can also be used for surveillance by foreign countries.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors


As the Internet of things has grown, so has the debate about security around it.

Much of the focus has been around the fact that with billions of new systems, devices and sensors connecting each year, the attack surface for hackers continues to widen. Add in a lack of security in many of these connected devices and their growing popularity in homes and businesses, and the issue becomes even more concerning.

"It says neither consumers nor vendors care about security, and it's going to be an amazing apocalypse," security researcher Dan Tentler told eWEEK last month after reports of vulnerabilities in webcams surfaced.

Earlier this week, James Clapper, U.S. director of national intelligence, added another element to the issue of security and the Internet of things (IoT). In a presentation to the Senate Armed Services Committee Feb. 9 about various threats to the United States—which touched on everything from terrorism, weapons of mass destruction and transnational organized crime—the IoT presented a cause for concern, representing a threat to the country and its citizens.

Specifically, the security issues around these various devices—from electric grids to connected and autonomous cars to household appliance—pose a threat to data privacy, data integrity and continuity of services, Clapper wrote in his report to the committee. In addition, they could become pathways for foreign countries to gain access to information.

"In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials," Clapper wrote in his report.

He pointed to efforts by such countries as Russia, Iran and China, as well as "nonstate actors"—particularly terrorists—to find ways to use the Internet for everything from cyber-espionage to organization and recruitment, all of which ramp up the threats the United States. However, Clapper also noted that the United States also can take advantage of these vulnerabilities.

"Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and U.S. government systems," he said, according to a Newsweek report. "These developments will pose challenges to our cyber defenses and operational tradecraft, but also create new opportunities for our own intelligence collectors."

Clapper's presentation came less than a month after a study by the Berkman Center for Internet and Society at Harvard University disputed the FBI's contention that data encryption on the Internet was significantly hindering efforts to track terrorists and other criminals. The study found that the rapid growth of connected devices and systems gives the federal government a widening array of opportunities for surveillance and data gathering,

Researchers have argued that security in the age of connected devices and the collection of personal data by companies and service providers is a multifaceted and complex issue made more challenging by the lack of attention given to it by consumers and device makers alike. Consumers are more interested in the convenience that connected devices give them, while system and device makers tend to worry more about the features in their products than the security, which can be costly. During a conference in Cambridge, Mass., about security and the IoT, panelists talked about the need to include security in the development process.

"We build features for consumers without thinking of security," Chris Poulin, research strategist for IBM's X-Force R&D team, said at the event. "We don't build security in when we're building features."

While the IoT was a point in Clapper's Senate presentation, it wasn't the only cyber-security issue he brought up. He also noted that other emerging areas, including artificial intelligence (AI), augmented reality (AR) and virtual reality (VR), are opening up security vulnerabilities that other countries or non-governmental groups can exploit.

"The increased reliance on AI for autonomous decision-making is creating new vulnerabilities to cyber-attacks and influence operations," he wrote in his report, noting that such problems as false data and unexpected algorithm behaviors have occurred in automated trading systems that have caused significant fluctuations in the stock market.

"Efficiency and performance benefits can be derived from increased reliance on AI systems in both civilian industries and national security, as well as potential gains to cyber-security from automated computer network defense," Clapper wrote. "However, AI systems are susceptible to a range of disruptive and deceptive tactics that might be difficult to anticipate or quickly understand. Efforts to mislead or compromise automated systems might create or enable further opportunities to disrupt or damage critical infrastructure or national security networks."