I have been looking into the privacy risks of the Internet of Things (IoT) for the past few years. I initially became interested through my work with the National Institute of Standards and Technology (NIST) while researching the privacy risks of the smart grid and leading the group responsible for NISTIR 7628 Volume 2, and then a new version two years later in NISTIR 7628 Volume 2 Revision 1. Looking into smart meters led to my personal research into smart appliances and then wearables.
For the past year, I have been working with a large medical devices group (and spoke at its conference) to identify the information security and privacy risks that are created by new and emerging medical devices, many of which are “smart” devices, generally meaning they are also part of the IoT. Smart medical devices can bring significant benefits to the associated patients, such as automatically applying medication based upon health readings, or sending alerts to a physician or hospital in the event of a medical emergency. However, they also create privacy risks when inappropriate entities get access to the data and use it for malicious actions. Examples include health insurance companies using the medical device data as a basis to increase insurance premiums or cancel health insurance coverage, and those with ill intent accessing the medical device to do physical harm to the associated individual.
I also gave a keynote at an international conference in Bogotá, Colombia, about IoT and associated risks. And, I will be speaking on this topic again at a conference in Melbourne, Australia, in October. Privacy and information security of IoT truly is a hot topic around the world. And it is with good reason. Here is just one real-life example of how weak controls within smart devices were exploited and resulted in privacy and/or information security harm:
- TRENDnet told customers that its web-enabled wireless home security and baby monitoring cameras were secure. However, starting in January 2012 a hacker exploited the lack of security controls in the devices and sent livestream images to multiple Internet sites showing the images and sounds of people and their activities from the rooms where they were used. TRENDnet agreed to a sanction consisting of a 20-year consent decree to implement a comprehensive security and privacy program, and be subject to ongoing audits from the Federal Trade Commission (FTC).
A recent 2014 HP Security Research study determined that 70% of these smart IoT-connected devices are vulnerable to attack. Why? Three common culprits include: 1) insecure Web interfaces, 2) insufficient software protections and 3) lack of encryption.
Resulting high-level risks (as described within NIST’s draft Privacy Engineering Workshop papers) from these vulnerable IoT devices include:
- Personal information may be used in ways that exceed the associated individual’s expectation or authorization.
- The use or dissemination of inaccurate or misleadingly incomplete personal information can lead to breaches or inappropriate actions.
- Loss of autonomy of the associated individuals through induced disclosure of data from the devices.
- Loss of trust, as well as exposing individuals to economic loss and stigmatization.
- Tracking or monitoring of personal information that is disproportionate to the purpose of the device.
- Exposure of the associated individual in an unexpected way, stigmatization, power imbalance and loss of trust and autonomy.
- Denial of access to the device leading to exclusion, economic loss, loss of trust, or physical harm.
- Inappropriate access leading to changes in device settings, changes to the device data, or misuse of the data, leading to physical harm to the associated individual.
While doing research and visiting with others to discuss IoT issues, I have had interesting conversations with many bright and insightful folks. Here are some important recurring points made during these experiences, with which most agree:
- Current information security and privacy controls are not sufficient for most IoT devices.
- IoT devices typically collect, share and process data automatically, more often with no human intervention. This makes it essential for the engineers creating the devices to have a good understanding of the related information security and privacy risks, and how to build the devices to appropriately mitigate the risks.
- We cannot wait for laws or regulations to be created to govern the privacy and security of IoT devices. We must be proactive and establish such controls now, based on our own expertise and cooperative research. This will ensure that the billions of devices that will soon be put into use will not create a security and privacy disaster.
I am encouraged by NIST’s initiative to create privacy engineering standards, and ISACA’s support and participation in that initiative. The goal is to provide privacy engineers with standards to use to build controls into IoT devices—hopefully in the not-so-distant future. I believe ISACA will play a key role in getting those standards created and communicated and will provide guidance on how to use them for ISACA members worldwide.
If you would like to learn more, please view the video of the April NIST Privacy Engineering Workshop session where I represented ISACA: http://cdnapi.kaltura.com/index.php/extwidget/openGraph/wid/0_eac0g2ra.
Rebecca Herold, CISA, CISM, CISSP, CIPP, FLMI
Owner & CEO, Rebecca Herold & Associates