We tend to think about cybersecurity threats in terms of rogue states, geeky hackers or criminals bent on extortion attacking key infrastructure or big companies. However, as the Internet of Things (IoT) becomes embedded in devices we use across our daily lives, cybersecurity is becoming a more intimate threat for all of us.
In 2018, the UK Government published a Code of Practice (CoP) on IoT for consumer equipment. The UK Government has now announced that it will introduce consumer connected product cyber security legislation.
University College has recently published a review of consumer IoT security risks and the CoP.
The review identified the following three risk areas:
Technology-facilitated abuse or 'tech abuse' is a term used by the CoP to describe harassment of former partners and other family members by perpetrators (usually men) by means of technology. In the past this was done through ‘conventional’ tech devices such as smart phones and laptops, or through services via the internet. However, IoT-facilitated tech abuse can expand and exacerbate abuse patterns as well as the reach of perpetrators far beyond the capabilities seen through these conventional technologies.
The review notes that the architecture of IoT lends itself to tech abuse:
"The risks that IoT technologies generate are not necessarily unique. However, IoT-facilitated tech abuse can expand and exacerbate abuse patterns … the functionalities that IoT systems offer provide perpetrators with a range of avenues to monitor and control victims and survivors. IoT technologies … can also learn patterns of behaviours and preferences, giving away sensitive details that can expose victims and survivors… the capacity to control devices from afar showcases the physicality that is inherent to IoT. The ability to amend the material environment can become an avenue for 'gaslighting'."
Imagine the terror a woman faces with a perpetrator remotely changing her household lighting, heating or door locks.
The review proposed a 'power-imbalance solution' to implement settings that enable multiple accountholders with clearly attributed and transparent rights and abilities, security and privacy push notifications, and a requirement for users to regularly re-consent to linking accounts and other features.
Handheld fitness and medical devices
Fitness devices such as Fitbit, smart watches and various other wearable devices, whilst sharing communication architecture with medical devices (IoMTs) used for similar functions, do not fall under the medical devices regulatory frameworks. Whilst IoMTs are protected to some extent through regulation, fitness devices have been found by the review to contain design vulnerabilities related to insecure authentication. The review suggested that the asymmetry in regulation may encourage developers to categorise devices as being for ‘wellness’ to circumvent medical device regulation.
But IoMTs also come in for criticism by the review, quoting experts who said they are “yet to find a [user-held medical] device that [they]’ve looked at that [they] haven’t been able to hack”. As recently as June 2020, the US Department of Homeland Security issued a security alert highlighting the lack of encryption and its safety implications for Medtronic pacemakers and defibrillators - both ‘medical devices’ otherwise regulated by the Food and Drug Authority. DoHS warned that the Conexus telemetry protocol utilised in these IoMTs would allow “an attacker with adjacent short-range access to a target product [to listen] to communications, including the transmission of sensitive data.” As IoMTs often can ‘talk’ directly to each other, there is a risk that an intrusion could spread like a virus through the health system.
The review noted that the usual approach to cybersecurity with fitness devices and IoMTs is ‘patch management’, in which a software ‘fix’ is distributed when a security problem is revealed. The review noted that this approach was much more cost effective for manufacturers ‘in comparison to the substantial skills- (e.g., in secure coding), capital- and time- resources needed to operationalise secure manufacturing which push up retail prices of fitness and medical devices.’
The review suggested more support for fitness and medical manufacturers in developing meaningful resilience from cyber-related business threats. But the review thought that there was unlikely to be a big shift without mandatory regulatory requirements, because only that would eliminate the competitive disadvantage a manufacturer faces in investing in better security in the design and manufacturing processes over manufacturers who stuck with ‘patch management’ (or nothing).
Children's IoT connected toys
Children's IoT such as toys, learning development devices and baby monitors have many advantages but also expose children and their families to safety and security risks. Most IoT toys are manufactured in China and contain little, if any, cybersecurity functionality.
The review gave the example of IoT toys designed to record children’s conversations, which are then stored in the cloud. Security researchers found that it was “possible to access the voice recordings without any authentication if [one had] the exact URL at which they are stored – something that can be gleaned by examining the app when a user is logged in”. Recent studies reveal that digital “fingerprints” left by IoT devices make re-identification of anonymised sensor data (i.e., data with personally identifiable information such as name, address, telephone number removed) much easier than previously thought.
While ‘stranger danger’ through hacking web-enabled teddy bears is a risk, the review identifies the bigger issue as the ethical dilemmas concerning parental control, children’s right to privacy and children’s autonomy. UNICEF has said that “always-on surveillance ...that continuously monitor everything from children’s engagement in the classroom to their emotional states throughout the day threaten the creativity, freedom of choice and self-determination of children...”
The review suggested promoting open discussion about safe online behaviour, a greater involvement of children in the design of 'online safety' features, and legislative support for parents in tackling the rapidly evolving nature of online privacy concerns. But these measures leave unanswered the question of child privacy vs their parents.