With everything from televisions to smart meters now connecting to the expanding Internet of Things, Mike King, Supervisor at WhiteHat Security’s Threat Research Centre, looks into the biggest conspiracy theories surrounding this technology movement.
The Internet of Things (IoT) is becoming increasingly well known in a world that is becoming more connected. The IoT is no longer a fleeting idea, but a very real phenomenon. Recent figures from Gartner predict there will be 4.9 billion connected ‘things’ in use globally by the end of this year, with as many as 25 billion by 2020.
Whilst it seems the majority are embracing the IoT, some have growing concerns over what it means for privacy and security. Conspiracy theorists are lining up to prove that the IoT isn’t the wonder it is made out to be.
Remember the Samsung TV incident where reporters claimed that smart TVs were listening to your conversations at home? Do you remember when a series of videos was posted on YouTube and Facebook claiming that the stickers affixed to mobile phone batteries were transmitters used for data collection or spying? Or when privacy activists claimed that smart meters were the ultimate spying tool – taking note of the TV shows we watch, appliances we use and music we listen to?
But is this all accurate and something businesses should be concerned about or has it all been over exaggerated?
Smart Televisions
Samsung hit the headlines when has Smart TVs were accused of being a little too smart for their own good. The device’s privacy policy suggested that users shouldn’t discuss any sensitive topics whilst the television was plugged in, as the information could be transmitted to a third party. Of course, this generated concerns, as users felt their right to privacy was being encroached upon.
However, the concerns were confidently dismissed and Samsung assured users their fears were unfounded. Samsung argued the smart TVs weren’t always listening and that they were on a ‘standby’ mode until activated by a pre-programmed phrase.
So logically speaking, how does the smart TV know it has heard a pre-programmed phrase? The microphone must be on, so that ambient sounds and the pre-programmed phrases can be compared. We already know the device can transmit data over the Internet. The real issue here is whether or not data can be transmitted at the wrong time, to the wrong people. What if there was a simple bug that kept the microphone from shutting off, once it’s turned on?
Additionally, some information, like IP addresses and other stored data may be transmitted as well. According to Samsung, its speech recognition technology can also recognise regional dialects and accents, among other things, in order to enhance the user experience. To achieve this, smart television makers often employ third-party applications and servers to process the data received, though this is encrypted during transmission and not retained or for sale – at least according to the company’s privacy policy.
So the actual question is: can we trust that the encryption is done correctly, and nobody has stolen the keys? Can we trust that the third parties doing natural language processing haven’t been compromised?
Smart Phones
Conspiracy theories needn’t be complex. Most people have an understanding that there is a potential threat when using a smart phone in a public place, but there is often an element of misunderstanding in this. For example, some people believe that simply charging a device via a wall socket can result in stolen data – the premise is there, but the understanding is skewed. Stealing data in this manner is nigh on impossible.
Similarly, recent videos on YouTube and Facebook claimed that stickers affixed to mobile phone batteries were used for covert data collection and transmission, when in fact they are merely Near Field Communication (NFC) transmitters. Removing these stickers – as suggested by these videos – would subsequently render the device useless for apps using NFC, Apple Pay and Google Wallet for example.
One of the few scenarios where NFC could contribute to the compromising of personal data is if a device is in the vicinity of another user who could transmit malicious code. This could then exploit known vulnerabilities in a document reader or browser, or even the operating system itself.
Smart Meters
Smart meters are top of the list when it comes to security and privacy concerns. Privacy activists over the years have argued that smart meters open up opportunities for companies to collect detailed personal information such as the television shows they watch, the appliances they use, the music they listen to, the websites they visit and their banking habits. These conspiracy theorists claim that smart meters really are too smart and are used as the ultimate spying tool, making the electrical grid and the utilities that run it the ultimate spies.
Often people do have the right intuitions, without being technically accurate. Their concerns aren’t completely absurd. Different appliances use different amounts of power and so when power consumption is higher, smart meters can identify what devices and appliances might be being used in a house. Although this isn’t the same as smart meters knowing what you’re watching on TV or cooking for dinner it is understandable that people are wary of their right to privacy and want to make sure that it isn’t being infringed upon.
What is clear is that as the IoT world expands, consumers and businesses alike are inevitably going to be more aware of what this means for their privacy. Technological advancements mean that there are new unknown areas in technology that are challenging to navigate and no doubt, new conspiracy theories surrounding the IoT will arise which organisations will have to address. Businesses are right to be concerned about the security of the IoT and these examples show that the intuition and suspicion in not trusting them is correct. What needs to change is the understanding of the technicalities in these technologies. Once we fully understand how they work, then we can accurately analyse their effects on privacy and security.
[su_box title=”About Mike King” style=”noise” box_color=”#336588″]Mike King is a supervisor in WhiteHat Security’s Threat Research Center, where he’s been working since late 2010. Before WhiteHat, he was in grad school studying short-term memory in rats. When the Animal Liberation Front targeted his lab at UCLA, he discovered that security is pretty interesting, too. These days, the psychology of security is fun to think about, but he’s glad to work with humans instead of rodents.[/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.