Talk to Josh Corman long enough and the beeps and blinks of the Internet of Things (IoT) devices that increasingly dot our world take on a terrifying shape.
"There are more devices and more types of devices, so this just gives you more ways for people to track you or hurt you," Corman, a long-time security expert and cofounder of I Am The Cavalry, says. "What we've done is blindly assume that [adding software and connectivity] is always good. And we're making really horrible, horrible choices."
Corman founded IATC—a cybersecurity research non-profit focused on reducing IoT-related public safety risks—with security researcher Nick Percoco at a 2013 hacker conference. Medical devices are a big area of concern for Corman and his group. Besides vulnerable insulin pumps and pacemakers, hacker-researchers have shown high-tech hospital equipment—from Bluetooth-enabled defibrillators to remotely controlled drug infusion drips—could be manipulated toward grievous, even deadly, ends. IATC is also keeping an eye on connected cars, home security and automation systems and "smart" public infrastructure, like utility grids and traffic control.
Then there are the old-fashioned privacy concerns that arise when data on your every move is collected and accessible. FitBit data has already been admitted into court in personal injury cases and, legal scholars say, could be coming to a divorce court near you. Was that heart rate spike just innocent cardio or an extramarital tryst?
"I think what will happen is that there is going to be enough people spied upon by ex-girlfriends or boyfriends, or distrust their government or get hurt from IoT devices," says Corman, "And we’re gonna realize we did too much."
Corman, who has consulted the NSA and is currently CTO of a software company used by top financial and credit card companies, says he and his contingent of IATC volunteer researchers were motivated by the security practices they had seen at the top echelons of large companies. "We got to the adults in the room," he says, "and realized there were no adults."
The IoT—a loosely defined term encompassing anything with a sensor, connectivity and some kind of processor—has officially hit peak hype. But on the consumer side, data privacy and security has been largely left behind, and two recent reports from government officials are starting to bring IoT concerns into the mainstream.
A January report from the Federal Trade Commission on IoT security and privacy shortfalls, the first of its kind from the agency, called for manufacturers to take a more pro-active role in embedding security in their products. And Massachusetts senator Ed Markey released the results of his inquiry into the cybersecurity practices of major car manufacturers in February. He was not impressed with what he found, calling security measures "alarmingly inconsistent and incomplete."
Despite the well-documented cases of IoT freakouts—the spamming fridge, the disabled car, the manipulated insulin pump, the list goes on—consumers appear relatively unfazed. A 2014 Accenture survey found 13% of consumers plan to buy an in-home connected device within a year (that number jumps to 69% over five years), and 22% plan to buy a connected wearable device this year.
The IoT at present is one massive upward curve—of devices, dollars and especially data. With IoT manufacturers far outweighing cybersecurity researchers, how will privacy and safety safeguards keep up?
"The majority of the security industry has been focused on private sector, protecting a bank or credit cards," points out Corman. As software started springing up in insulin pumps and cars, he became more concerned. "I’m thinking, 'Guys, we can’t even secure credit cards with $80 billion of our best and brightest—why are we putting dependencies in areas that can kill people?'"
Through IATC, Corman and a network of volunteer cybersecurity experts and whitehat hackers have developed a five-point list of standards for connected cars and have started collaborating with the Society of Automotive Engineers. He plans to release similar guidelines for other "life and limb" applications of the technology, including medical devices and public infrastructure.
But security remains an optional pursuit for manufacturers. "IoT technologies in general don’t have good security," says Susan Landau, faculty member at Worcester Polytechnic Institute and a distinguished scholar on cybersecurity and privacy issues. "There are no legal frameworks that demand good security. We’re racing ahead yet again without putting the security and privacy in."
Tech companies, meanwhile, are piling on with a mega-growth curve. Gartner, a research firm, estimates there will be nearly five billion connected "things" by the end of the year, a 30% increase from 2014, and the market will continue to grow to reach 25 billion things and $263 billion worth of spending by 2020. Growth in microcontroller and sensor sales—two essential enablers for the IoT—is already outpacing the semiconductors used in more developed electronics, according to Goldman Sachs research.
The rush for cheaper, faster, and smaller devices usually leaves security by the wayside. "The whole development cycle works against you from a privacy and security standpoint, especially if you are a start-up," says Lee Tien, Senior Staff Attorney at the Electronic Frontier Foundation and an outspoken critic of IoT privacy risks. "Larger companies have more resources, but are not necessarily better at it."
Instead of company investments at the front end, the unstructured work of safety and privacy evaluation has instead been picked up by cybersecurity researchers and hackers at the back-end.
"When you look at information security, the rules to build software are not like the rules to build a bridge," says Lee Weiner, SVP of products and engineering at Rapid7, a security engineering firm. "If you want to build a bridge there are well-known structural codes. That is not the case in the software world. The only way those flaws get found is the equivalent of someone driving on that bridge with different types of vehicles." That's a process that takes time and money.
Some IoT devices, say experts, are so small that they lack the computing power needed for data security or remote patching once vulnerabilities are found. And with billions of connected devices entering the world every year, consumer protection and privacy advocates face an uphill battle.
"It doesn't scale," says Tien, "to have a hundred companies and a few watchdog agencies."
But surely, the argument goes, just because something can be hacked, doesn’t mean it will be hacked. Right?
While security researchers have been able to put on a dramatic show of hacking the controls of current cars on the market, the only publicized case of malicious car hacking was a 2010 job by a disgruntled car dealer employee.
Corman bristles against the argument that attacks on physical IoT devices are not worthwhile. "To assume that all adversaries are financially motivated is really ignorant," he says. "There are no safe neighborhoods in the Internet. If your last barrier of protection is the willpower of every human being on Earth being fluffy and good, then we’ve gone from an era where they can’t hurt me to one where I’m hoping they don't."
Tien points to the expanded opportunities for surveillance made possible by the IoT, from wearable activity trackers to traffic sensors and building monitoring systems. "Historically, our built world has been relatively inert," he says. "It’s like the TV in your living room—you watch it but it doesn’t watch you. That is all changing."
The proliferation of precise location data is an big area of concern. "In particular because these devices are small and will travel with people in all sorts of ways, they will be really revealing of people’s activity," notes Landau.
The answer to who benefits from this massive data influx depends on who you ask. IoT advocates point to better urban planning, more efficient energy use, and public or personal health benefits. The FTC’s recent report notes researcher’s concerns that the escalation in personal activity and location data could be used to make employment, credit, and insurance decisions. Since data from IoT device manufacturers that own their analytics is considered "first party," it would not be covered under existing consumer protections like the Fair Credit Reporting Act.
Privacy advocates, naturally, are wary of the unsavory uses of the data.
"I think [the NSA] views it as a wonderful thing," says Tien. "Part of their mission is to collect a great deal of information. It is, I think, a help from their perspective to know that other people are also collecting a lot of information." He also points to the faded lines between private and public data stores in the post-9/11 era. "We’re long past the days when we can really think of private sector collection of data and government collection of data as two separate silos."
Tien suggests that the fact that the well-meaning motivation that powers data collection in public places—for "smart city" initiatives, for example—helps normalize the Big Brother-esque creepiness of Big Data.
"There is a real attraction to what I would call dangerous surveillance practices when those practices are aimed at people and their everyday lives and trying to solve urban problems," he says. "If you associate the surveillance with Dick Cheney it’s bad; if you associate the surveillance with Bill de Blasio that is another thing."
One of the biggest gray areas in the still murky world of the IoT is the issue of data ownership. On the question of who owns all the data generated by all your smart appliances and devices, Rapid7's Weiner says: "It’s not clear today. While it’s your data, it is sitting in a variety of places that could be accessed by others for perfectly good use or for malicious use."
Overall, IoT data, like most other applications, is bound for the cloud. Research firm IDC predicts that 90% of IoT data will be stored in the cloud by 2020. Once it’s there, says Weiner, it’s up to the app or device provider to secure it as they see fit.
Moving forward, the IoTspace looks primed for the classic "will regulation kill innovation?" debate in Washington. In February, the Senate Commission on Commerce, Science and Transportation held a hearing on IoT regulatory risks with a panel of industry executives and researchers. The committee's Republican chairman, John Thune of South Dakota, cautioned against a "'government knows best' mentality that could halt innovation and growth," noting some of the most "fascinating" examples of new IoT technology, like smart bed sheets that monitor your tosses and turns and a web-enabled toothbrush used by one of his staffers. Democrats in the group were divided, with Florida's Bill Nelson calling talk of over-regulation a "red herring" and New Jersey's Cory Booker noting that government intervention should not "inhibit a leap in humanity."
Even some privacy advocates say that IoT-specific legislation would be premature right now. But there is wide consensus that more companies should be more transparent about data-use policies and that more cybersecurity research is clearly needed—without treating researchers like malicious hackers. "There's an element of ensuring that the legislation and proposals continue to promote security research and not chill it," says Weiner.
President Obama’s administration has taken up cybersecurity as a national safety and security issue with a recent push to enlist the help of private industry. In January, Obama proposed legislation that would help shield companies that share online-threat data with the government from lawsuits, and last month he signed an executive order that urges (but does not require) companies to share information on cybersecurity threats more broadly, in the interest of improving threat protection systems.
Still, the shaping of online privacy and security policies remains largely in the hands of IoT companies themselves.
"We need to get it to a state where the vendor is much more proactive about going through a series of security tests before they release their software, and is required to be able to patch that software," says Weiner.
Consumer expectations, too, will likely go through an adjustment period. But even Corman is optimistic on the potential utility of the IoT. "The ultimate end state is to not give up on technology, but to realize that there are risks and not just rewards," he says. "And to stop adopting things faster than we can fix them."
Corman and other experts agree that the FTC’s broad recommendations for IoT manufacturers—build security in at the outset, implement lifecycle monitoring, train employees in security—are on the right track. But with the industry consigned to self-regulation for now, the current growing pains of data, security, and privacy within the IoT are likely to persist.
"We’ve moved into a completely new world," says Landau. "We are facing massive losses of privacy and, until we learn how to operate in it—we, the public, and we, the government—getting protection for it is going to be awkward. Or more than awkward."