In 2015, a lawsuit was filed in federal court against Lenovo (formerly IBM) and Superfish charging that the companies violated wiretap laws and trespassed on personal property. Around the same time, a class action investigation was also launched against Lenovo.
The Chinese PC manufacturer found itself in hot water for including a software program called Superfish Visual Discovery on its computers. This adware, which is also called spyware, tracks users’ Web searches and browsing activities to place additional ads on the sites consumers visit.
Blogger Jessica Bennet filed the individual lawsuit charging that the software tracked her Internet use, invaded her privacy and damaged her computer. The class action investigation, meanwhile, alleges that the adware “exposes computer users to serious security vulnerabilities” that could result in the theft of users’ logins, passwords and sensitive data as well as degrade their Internet experience.
“Lenovo is a Chinese company, meaning it is essentially owned by the Chinese government, which is the biggest threat to us by the way for counterfeiting and economic espionage,” says Joey Alonso, president of Quortum, a provider of insider threat and risk management services based in northern Virginia. “The adware they installed on their computers sent user data back to China, so that the company would know how customers were using their computers. Essentially, this information was going directly back to the Chinese government.”
Though this example pertains to adware rather than the Internet of Things (IoT) per se, it demonstrates what is possible once the IoT is in play in products and within companies. The IoT collects volumes of data, and simplifies the transfer of this data, putting customers and companies at risk for cyber theft.
“With the IoT, you’re going to have many more things connected to your corporate and internal networks,” states Alonso, who spent 22 years in the U.S. Navy working exclusively in the intelligence community. “When you talk about the IoT, you’re talking about some very publicly accessible items that people in the know could use maliciously. We can secure that laptop and copier down the hall, but when you talk about the IoT, you’re taking things to a whole new level where those with malicious intent have access to your company, client and employee data.”
According to John Dickson, principal of Denim Group, a computer security service based in Texas, the concerns are multifaceted within the supply chain. “For government buyers, the concern involves sophisticated nation state-sponsored supply chain tampering that enables traditional adversaries of our country to inject hardware or software that allows them to conduct intelligence gathering or to gain unauthorized access to a U.S. government network. For personal users, concerns involve the snooping of personal information—think spyware/adware on a massive scale—that could put their Internet surfing habits in the public domain or make it possible to steal personal information that could be used for commercial purposes.”
Access to a company’s proprietary data is also a concern. “The rapid proliferation of IoT devices creates additional security issues that may open a business to vulnerabilities that were previously not a risk,” says Sam Kassoumeh, cofounder of Security Scorecard, a security rating and benchmarking platform.
A Storm is Brewing
The IoT has magnified long-standing privacy issues, maintains Dickson, who explains that until now privacy issues have been isolated to devices used for computing and communication purposes, such as smartphones, laptops and tablets. “The IoT brings a full range of devices into the household that are designed to track information that exposes a spectrum of behaviors and habits, all quietly and without the knowledge of users. Couple that with the fact that manufacturers of many consumer devices are not on the bleeding edge of security and privacy, and that many of the devices [or their components] are manufactured in countries like China, where privacy protections are nonexistent, and you have a perfect storm brewing.”
This storm will continue to build due to what Dickson refers to as “market failures,” arising from the fact that the market lacks incentives addressing privacy and security among companies using IoT devices in their consumer products. “When manufacturers build IoT devices [or purchase them from another supplier], there is not a planning consideration that generates features involving privacy controls. The impact is that these features are rarely implemented, and I think we’ll eventually have a high-profile IoT breach,” he says.
Issues of liability and brand protection will eventually drive companies to protect themselves from such risks. “However, we are at a very early stage. There is no Underwriters Lab for the IoT at this point … no universally accepted measures exist,” he says.
Dickson, who has more than 20 years of experience in intrusion detection, network and application security, likens IoT privacy security to where Internet security was in 1993. As a result, he feels the immediate future for the IoT and privacy on a consumer level will be rocky, and predicts “there will be high profile privacy breaches that spur public outrage and change the course of IoT development.”
The Frontlines of Protection
The good news, says Neil Hampshire, CIO of ModusLink Global Solutions Inc., which provides supply chain management services to global technology and software companies worldwide, is that companies are increasingly seeing the importance of security in connected devices and are thinking of it in a more strategic way.
Some companies using the IoT in finished products are employing user license agreements (ULAs) to protect themselves from liability. However, Stacy Cannady, head of technical marketing—Trustworthy Computing TRIAD (threat response, intelligence and development) for Cisco Systems Inc., a company that designs and sells networking equipment worldwide, states that ULAs can be a slippery slope.
“When is the last time you read a ULA before clicking ‘Accept’ and moving forward?” he asks. “If I’m evil, and I want your information, all I need to do is construct a ULA that’s a minimum of five pages and 7-point type and has a clause in it that says I can take whatever information I want. Then, once I’ve captured the information, it’s fine to do what I want with it.”
That might mean selling the information to the highest bidder having a vested interest in the data. “But that could come back to bite me if consumers start getting flooded with offers, and people start asking why is it that everyone who buys this product gets buried by requests for uninvited solicitations?” asks Cannady, a member of the Trusted Computing Group’s Embedded Systems Work Group.
He feels selling the data in this way would be unlikely in that it would reflect poorly on a company once it came out, and “it would eventually come out,” he says.
The more likely risk pertains to collecting consumer information as made possible in the ULA, then keeping it unprotected, and having that information compromised by an outsider. “That certainly can happen, and there will be no consequences, because the company owns this data,” he says.
Cannady advises companies to carefully consider the information they keep about their customers. Currently, the default guidance from executive management is to keep everything. But Cannady calls the keep-everything mentality “a disastrous notion in a world where it’s certain the enterprise will be hacked.”
He adds, “The best thing they can do about privacy [of the information collected by the IoT] is to think very carefully about what information they absolutely need to have, and destroy any additional information.”
Hampshire recommends taking things a step further: developing a technological view of how IoT devices are connected to an ecosystem, then putting processes in place to authorize and authenticate the devices. Companies also need to ask the following of suppliers: How is the IoT managed? What protocol and security do they use to secure the communication between the device and the enterprise? Do they have additional X.509-type security for the device’s communication protocols and host environment? How are they collecting information and making sure the information collected is not being intercepted?
“Part of the challenge is that there are a lot of standards around communication and message formats,” he says. “You need to go beyond talking about the standards you will use to connect, and drill down into the processes that will work to maintain the security of the data. Don’t be satisfied with a supplier stating ‘We use the latest technology standards.’ You have to understand what’s going to work and what’s beneath that to secure the information and access to the environment.”
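Hampshire’s checklist above (authenticate and authorize each device, X.509-type security on the device’s communication channel) comes down in practice to mutual TLS: the enterprise endpoint presents a certificate the device can verify, and the device presents one the endpoint checks against the enterprise’s own certificate authority before any data flows. The Go program below is an added illustration, not code from the article or from any company quoted in it. It builds a constructed, in-memory PKI (the names “Enterprise IoT CA,” “iot-gateway,” and “sensor-0001” are invented) and shows the gateway accepting an enrolled device while refusing a unit that carries the same device name but a certificate from an authority the enterprise never trusted, which is the case of a supplier unit that bypassed enrollment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues a certificate for cn; parent == nil yields a self-signed CA.
// The PKI is constructed in memory for this demo, so a failure here is a programming error.
func newCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // loopback SAN for the demo endpoint
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; parsing cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// BuildPKI constructs the enterprise CA, its gateway endpoint, one enrolled device, and a
// device certified by an unrelated CA (a supplier unit that never went through enrollment).
func BuildPKI() (ca, endpoint, device, rogue tls.Certificate) {
	ca = newCert("Enterprise IoT CA", true, nil)
	rogueCA := newCert("Unknown CA", true, nil)
	return ca, newCert("iot-gateway", false, &ca), newCert("sensor-0001", false, &ca),
		newCert("sensor-0001", false, &rogueCA) // same name as the enrolled device, wrong issuer
}

// Handshake opens one mutually authenticated TLS connection from device to endpoint.
// The endpoint accepts only certificates chaining to ca and reports the device's CommonName.
func Handshake(ca, endpoint, device tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{endpoint},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "authorize the device" step
		ClientCAs:    pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var cn string
	done := make(chan error, 1)
	go func() { // endpoint side: complete the handshake and record who connected
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			if err = c.(*tls.Conn).Handshake(); err == nil {
				cn = c.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		done <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{device},
		RootCAs:      pool, // the device pins the enterprise CA, so a look-alike endpoint is refused
	})
	if err != nil {
		return "", err
	}
	err = <-done // wait for the endpoint's verdict before tearing the connection down
	conn.Close()
	return cn, err
}

func main() {
	ca, endpoint, device, rogue := BuildPKI()
	fmt.Println(Handshake(ca, endpoint, device)) // sensor-0001 <nil>
	fmt.Println(Handshake(ca, endpoint, rogue))  // "" plus an unknown-authority error
}
```

The device name alone buys nothing: the rogue unit is rejected on issuer, not on its subject, which is the point of asking a supplier who issues device certificates and how enrollment is controlled. In a real deployment the per-device key would be provisioned at manufacture or enrollment, revocation and certificate lifetimes would be managed, and the CommonName or SAN would be mapped to an inventory record before the device is allowed to publish data.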
He reminds companies that “at the end of the day, people can write and put code onto that process or smart device, and unless you’re willing to go through every line of code and work through it, it’s difficult to make sure there are no backdoors or Trojan horses in there.”
Securing the IoT in consumer products should be addressed like any other supply chain sourcing challenge, Hampshire stresses. “You need to apply the best practices in supply chain sourcing. Companies need to know how to ask the right questions to build a trusted supplier,” he says.
Initially, from a supply chain perspective, Dickson predicts corporate buyers will enforce security and privacy via contracts with manufacturers. “There will be private contracts between manufacturers and suppliers that we will never see,” he says.
Greg Braun, senior vice president of sales and marketing at C3 Solutions, a manufacturer of dock scheduling software and yard management solutions, also advises appointing an employee to oversee security issues posed by the IoT, and to consider whether or not their suppliers have done so as well. “Do they have someone committed to cyber security? Do they have a security officer and internal policies? Do they have standards and documented processes in place to deal with sensitive data?” he asks.
Protecting the IoT might be in its infancy, but Hampshire stresses that as these ecosystems become more complex and more connected, companies need to think about security in the very early stages of deploying and using this technology. “If not, there will be vulnerabilities out there,” he says. “Executives need to think about how they engineer IoT from the very beginning, in their companies and in their products. They need to engineer the whole value chain for that data, and think about how they will secure that data from the point of creation to the point of consumption.”
Perceptions of Privacy by the Numbers
45% - Consumers with low or no trust in companies securing their data and protecting their privacy.
56% - Consumers who say it is important or extremely important to be notified when data are being gathered to provide real-time services.
78% - Consumers highly concerned about companies selling their data.
70% - Consumers who own a connected device other than a phone, tablet or laptop.
87% - Consumers who do not know what the Internet of Things is.
Source: “Customer Perceptions of Privacy,” Altimeter Group