Smart-home hacking could be a 2015 risk

FTC chair outlines threats inherent in internet of things

With the advent of the internet of things, 2015 will be a year in which connected devices can transform daily living, potentially for the better—and also potentially for the worse.

“We are told that, in 2015, the world will have 25 billion connected devices; the number of smart home devices will reach nearly 25 million; and IoT software platforms will become the rage,” said Edith Ramirez, Federal Trade Commission chairwoman, at the International Consumer Electronics Show in Las Vegas.

“But we have also been warned that 2015 will be the year we start hearing about smart-home hacking,” she added. “These predictions highlight the complexity of the IoT. It has the potential to provide enormous benefits for consumers, but it also has significant privacy and security implications.”

Ramirez detailed three specific challenges to consumer privacy presented by the advent of the IoT, as well as three steps that companies should take to enhance consumer privacy and security.

Challenges to privacy

• Ubiquitous data collection—“In the not-too-distant future, many, if not most, aspects of our everyday lives will leave a digital trail. That data trove will contain a wealth of revealing information that, when patched together, will present a deeply personal and startlingly complete picture of each of us; one that includes details about our financial circumstances, our health, our religious preferences, and our family and friends.”

Not only can private activities be monitored by remote and possibly unknown entities, but the sheer volume of data can be analyzed to make additional sensitive inferences and to compile even more detailed profiles of consumer behavior, she said. [Editor’s note: Already, some “disruptors” say that credit approvals can be performed simply through publicly available data found on the internet.]

• Unexpected uses of consumer data—“Your smart TV and tablet may track whether you watch the History Channel or reality television, but will your TV-viewing habits be shared with prospective employers or universities? Will they be shared with data brokers, who will put those nuggets together with information collected by your parking lot security gate, your heart monitor, and your smart phone? And will this information be used to paint a picture of you that you will not see but that others will?” she asked.

• Security—“Any device that is connected to the internet is at risk of being hijacked,” she said. “Like traditional computers and mobile devices, inadequate security on IoT devices could enable intruders to access and misuse personal information collected and transmitted by the device. As we purchase more smart devices, they increase the number of entry points an intruder could exploit to launch attacks on or from.”

Ramirez noted that unlike established hardware and software companies, some of the newer IoT developers have not spent decades thinking about how to secure their products and services from hackers.

Industry-based solutions

• Security by design—“Companies should prioritize security and build security into their devices from the outset,” Ramirez said. “Specifically, companies should: conduct a privacy or security risk assessment as part of the design process; test security measures before products launch; use smart defaults, such as requiring consumers to change default passwords in the set-up process; consider encryption, particularly for the storage and transmission of sensitive information…; and monitor products throughout their life cycle and, to the extent possible, patch known vulnerabilities.”

Companies should also implement technical and administrative measures to ensure reasonable security.

• Data minimization—“Companies should collect only the data needed for a specific purpose and then safely dispose of it afterwards … I agree that we need more dialogue on acceptable and unacceptable uses of consumer data. But I continue to believe that reasonable limits on data collection and retention are a necessary first line of protection for consumers,” she said.

Also, she added, companies should de-identify consumer data where possible.

• Notice and choice for unexpected uses—“Companies should give consumers clear notice and provide simplified choices for unexpected collection or uses of their data,” Ramirez said, adding that this may be easier said than done. “But in my mind, the question is not whether consumers should be given a say over unexpected uses of their data; rather, the question is how to provide simplified notice and choice.”

“I am confident that the same ingenuity, design acumen, and technical know-how that is bringing us the IoT can also provide innovative ways to give consumers easy-to-understand choices,” Ramirez concluded.

John Ginovsky

John Ginovsky is a contributing editor of Banking Exchange and editor of the publication’s Tech Exchange e-newsletter. For more than two decades he’s written about the commercial banking industry, specializing in its technological side and how it relates to the actual business of banking. In addition to his weekly blogs—"Making Sense of It All"—he contributes fresh, original stories to each Tech Exchange issue based on personal interviews or exclusive contributed pieces. He previously was senior editor for Community Banker magazine (which merged into ABA Banking Journal) and for ABA Banking Journal and was managing editor and staff reporter for ABA’s Bankers News.
