Granular behavior profiling paves the way for new digital lifestyles – and creates big privacy and security questions
The city of Portland, Ore. has set out to fully leverage the Internet of Things and emerge as a model “smart” city.
Portland recently shelled out $1 million to launch its Traffic Sensor Safety Project, which tracks cyclists as they traverse the Rose City’s innumerable bike paths. That’s just step one of a grand plan to closely study – and proactively manage – traffic behaviors of cyclists, vehicles, pedestrians and joggers. This is all in pursuit of the high-minded goal of eliminating all accidents that result in death or serious injury.
Portland is shooting high, and it is by no means alone. Companies in utilities, transportation and manufacturing sectors are moving forward with the Industrial Internet of Things, or IIoT. Plans are being implemented to tie ever more sensors together across the Internet, use them to gather vast amounts of operational data and then massage this data with advanced behavior analytics.
Much the same progression is overtaking consumer goods businesses. Our homes and work spaces are on a fast track to get ever smarter. Everyone in business, it seems, is consumed by the notion of leveraging IoT to add value to their operations.
The big hitch, of course, is that major privacy and security gaps have yet to be accounted for. Billions of computing nodes and sensors tied into the Internet are feeding rich data to analytics systems – with billions more IoT devices to come. The trend increases the odds of two unwanted outcomes: invasive surveillance and increased exposure to hackers.
The good news is that there is wide acknowledgment among corporate and political leaders that these profound privacy and security concerns must be comprehensively resolved if IoT is to approach full fruition. Public awareness and transparency will be vital. That said, here’s what consumers and companies ought to grasp about the Internet of Things.
A technologist named Kevin Ashton coined the phrase “Internet of Things” back in 1999. Even well before that, circa early 1980s, folks were examining ways to add sensor intelligence to things such as vending machines – but the technology just wasn’t ready.
Then along came RFID (radio frequency identification) chips – the technology that uses small tags, or chips, to transmit information to a nearby scanner. RFID chips were originally deployed to keep track of railroad cars. Then they began turning up in employee ID badges, retail store inventory counting systems and even U.S. passports, foreshadowing what was to follow. As digital technology advanced, sensors got miniaturized and commoditized; virtual servers and cloud computing came into their own; data storage became almost limitless; and data analytics vastly improved.
Along the way, tech industry leaders hammered out Internet Protocol version 6 (IPv6), the next-gen Internet Protocol address standard. IPv6 meant there would be enough IP addresses to accommodate billions of IoT sensors. Along came 4G and now 5G wireless technology; the latter is expected to pave the way for new business models revolving around billions of freshly deployed IoT sensors communicating across 5G connections.
The Internet of Things, at its core, is all about collecting and analyzing data from billions of sensors, placed everywhere conceivable – embedded inside of a smart prescription pill, or a smart wristwatch, or a smart refrigerator, or smart thermostat, or all over a smart factory floor. And coming very soon, some predict within five years: fully autonomous cars and trucks. Each IoT sensor adds a snippet of information that incrementally makes the device itself, and the system as a whole, smarter than either would be without the other.
How high can IoT architecture get scaled? Much, much higher. Momentum is building on several fronts. Technology research firm Gartner predicts that by 2020, there will be 25 billion IoT devices in use by the end of 2021, up from 14 billion at the close of this year.
Boston-based global management consultancy Bain & Company reported last year that large enterprises remain bullish on the Internet of Things, albeit with tempered enthusiasm. It seems the realization has sunk in that complete solutions may take longer to implement and yield a return than once anticipated. Even so, Bain expects the markets for IoT hardware, software, systems integration, and data and telecom services to grow to $520 billion in 2021, more than double the $235 billion spent in 2017.
This suggests that Portland, Ore. is likely to be in a flock of cities that go on an IoT shopping spree. Knud Lasse Lueth, founder and CEO of IoT Analytics, a Hamburg, Germany-based consultancy, pegs smart cities as a rising trend, pointing out that they account for one fifth of all publicly announced IoT projects, including many cities across Europe.
When the FBI pressed Apple to supply a passcode that would unlock the San Fernando terrorist shooter’s iPhone, CEO Tim Cook refused – and was lionized as the people’s privacy champion. The FBI backed down, but only because it found a hacker who could crack the shooter’s smartphone for them.
Apple’s tussle with the FBI put a spotlight on this question: Should law enforcement and military officials have access to a digital backdoor enabling them to bypass any and all types of encryption that exist today?
Other technology leaders back Cook’s stance, aligning themselves with privacy and civil rights advocates who argue that this is a terrible idea. Critics worry that encryption backdoors almost certainly would find their way into the hands of criminals, or worse than that, get abused by a dictator to support a totalitarian regime.
The Internet of Things has the scary potential to make purpose-built encryption backdoors a moot point. It would do this by scaling up the capacity to carry out undetected surveillance and by introducing myriad new tiers of easy-to-hack side doors. In short, IoT stands to greatly enhance the means for criminals, dictators and law enforcement alike to invade the privacy of an individual or of an organization.
Also related to privacy, just imagine what a field day IoT promises for companies that engage in predatory marketing practices, as well as ideologues and propagandists. The ability to manipulate individuals and groups of like-minded folks – for whatever agenda – would receive a big boost as IoT puts ever more granular behavioral intelligence into their hands.
Retailers already use Bluetooth technology and facial recognition software to profile shoppers as they walk into stores to target promotions to them while they shop. Similarly, in a smart home, sensors can be set to detect all sorts of monetizable behavioral data. As things stand today, there is little stopping the manufacturer of a smart watch from monitoring the heart rates of a couple to determine how often they have sex, for instance.
Most IoT devices today are being rushed to market, at a low profit margin, with negligible security. Yet any computing node, even the tiniest of sensors, that’s discoverable on the Internet and connected to a wider network represents a fresh attack vector, just waiting to be tapped.
The case of the hacked fish tank drives this point home. Hackers breached the network of a North American casino by hacking into a fish tank equipped with sensors gathering temperature, food and cleanliness data and sending this information along to an Internet-connected PC. The fish tank hack is a microcosm. IoT-enabled hacks are escalating across the board. It’s clear that the top criminal hacking collectives recognize the opportunity and have added IoT probing and hacking as a major initiative.
Between Q1 2019 and Q2 2019, malicious communications emanating from residential IP addresses in the U.S. – namely smart refrigerators, garage doors, home routers and the like – nearly quadrupled for the retail and financial services sectors, according to a recent report from Cequence Security, a Sunnyvale, Calif., startup that helps companies repel botnet attacks.
Enterprises are sustaining material damage. A quarter of organizations in five nations reported IoT security-related losses of at least $34 million in the last two years, according to the 2018 State of IoT Security study sponsored by certificate authority DigiCert. Similarly, software security company Irdeto polled 220 security decision makers in the healthcare, transportation and manufacturing sectors and found 80% experienced a cyberattack on their IoT devices in the past year, sustaining, on average, $330,000 in losses.
Cybercriminals have been quick to recognize that IoT systems introduce added layers of network complexity. That often translates into expanded attack surfaces anchored on legacy networks that are poorly defended.
“We live in a world where we have nearly three Internet-connected devices for every human on the planet. Beyond our smartphones and smart TVs, that includes smart thermostats, sensors throughout your automobile, medical devices and complex industrial controls running our power plants and factories,” said Mike Nelson, vice president of IoT Security at DigiCert. “Enterprises are finding there’s no escape – they must address head-on the unprecedented exposures arising from this massively increased threat surface.”
So where do we go from here? As I’ve mentioned, tech industry and political leaders are aware that this is a complex problem in dire need of substantive solutions. Bipartisan stirrings to enact a sweeping new federal privacy law are playing out in the U.S. Congress. Criticism thus far has been directed mainly at e-commerce and social media giants, though there has also been talk of limiting brick-and-mortar retailers’ use of IoT-gathered data.
As is to be expected, at the first sniff of new federal rules, private industry has manned the battle stations, and rolled out the usual mechanisms for arriving at self-regulation. Founding members of the IoT Cybersecurity Alliance, which is spearheading this effort, include AT&T, IBM, Nokia, and Qualcomm.
“As the IoT ecosystem rapidly evolves, concerns about implementation, transparency and security can be overwhelming,” a narrator states in a video explaining the group’s goals. “While we agree the IoT can be challenging, we envision an IoT ecosystem that is highly secure, one that companies can fully embrace, in a way that balances growth and security.
“To foster this vision, we have forged a collaborative network of some of the industry's top companies, leading providers and IoT experts. Together, we believe the key to embracing and protecting the IoT ecosystem lies in education, collaboration and innovation as an alliance.”
It’s going to be fascinating to see how all this plays out, and how quickly and thoroughly the pivotal privacy and security questions actually get addressed. Moving forward, a certain level of IoT hygiene practices may very well become necessary. Consumers may have to get used to recognizing, configuring and updating certain risky IoT devices.
Avast recently introduced in the United States a new network-based consumer security product called Omni that protects all connected devices in the home and on the go by connecting to the existing home router. I expect more consumer-focused IoT security services will appear over time.
Everything that we’ve ever commercially connected to the Internet – desktop PCs, laptops, browsers, smartphones, mobile apps, virtual servers and cloud services – got introduced with functionality and user convenience as top priorities, and security as an afterthought. Each and every time, consumers and companies have had to step up and bear a heightened burden for protecting themselves.
Nothing really has changed, except the stakes seem to get higher each time out. Talk more soon.
Read what Avast CEO Ondrej Vlcek believes can be a “big picture” solution for Internet of Things security vulnerability.
Find out what you need to know about the leak of a half-million security credentials for routers and Internet of Things devices.