Smart Objects and Their Privacy Implications

Author: Guy Ngambeket, CISA, CISM, CGEIT, ITIL v3, PMP, PSM
Date Published: 22 January 2021

In the cybersecurity realm, it has long been understood that people are the weakest link. As with security, everyone has a crucial role to play in ensuring a reasonable degree of privacy and keeping personal data safe. Measures beyond those implemented by governments and private entities are needed. However, with the continuing explosion of the Internet of Things (IoT) throughout industries and in homes, and with the deployment of 5G technology, it is likely that humans will become the second weakest link in cybersecurity. The new first will be smart objects. There are 3 reasons smart objects are likely to take the top spot:

  • There will be more smart objects than humans. It is estimated that the total installed base of IoT-connected devices will amount to 21.5 billion¹ units worldwide and will represent a market of US$1.6 trillion² by 2025. This means, on average, 3 smart objects per human, and the trend will likely not stop there.
  • Smart objects will process and generate approximately 80 zettabytes of data by 2025 (approximately 45 percent of the global data volume, up from 34 percent in 2019).³
  • IoT devices are built to make decisions almost independently. Hackers will likely prefer putting their efforts toward attacking these devices to get access to critical assets rather than trying to deceive humans who possess cognitive abilities and can naturally spot abnormal behaviors or patterns.

Increased Privacy Attack Surface

Beyond concerns in relation to jobs and social interactions, people encounter security and privacy concerns regularly and must deal with them accordingly. For example, a perpetrator can hack into smart cameras and smart thermostats in homes and gain access to the movements of those who live there, potentially for years. Another disconcerting scenario involves smart medical devices, which can be accessed by third parties and can, at best, disclose personal health information to the general public and, at worst, change the course of a patient’s treatment, which could lead to injury or even death. One news outlet managed to access a variety of camera feeds being broadcast online.⁴

These potential issues are compounded by the fact that IoT devices are, by design, less secure than other “traditional” devices (i.e., computers, mobile phones). There are several reasons for this, including the lack of incentives for manufacturers to include cybersecurity in devices. The focus is on bringing affordable products to market quickly, and cybersecurity controls may add cost and lengthen the time to market. Other challenges include native hardware and logical limitations that do not enable the building of top-notch cybersecurity features, and hardcoded/default passwords that can be exploited by hackers. However, researchers are working to overcome these challenges, and there is no doubt that the situation will evolve.

The Role of Cybersecurity Professionals

The privacy threat is real, and people should be aware of it. IoT will be the new playground of hackers, and cybersecurity professionals must play an important role in protecting end users from the hacking tsunami that will affect them in the coming years by prioritizing the following:

  • Enforce security by design—Cybersecurity enforcement will become increasingly important in everything from designing a single smart object to installing and managing a network of smart devices (edge and gateway devices). Starting from the design of the smart device or of the architecture in which the device will be installed, security professionals should include the most relevant security measures to limit the risk. There are a variety of known measures that can be used in combination, such as two-factor authentication (2FA), zero trust, trusted platform modules and data encryption.
  • Spread awareness and best practices—Awareness has always been one of the top methods for limiting cyberrisk. Awareness programs should adapt to include risk arising from IoT and tips on how to increase protection. Sharing best practices among professionals and enterprises can help the cybercommunity better protect the organization’s crown jewels. For instance, the IoT Cybersecurity Alliance, which groups enterprises such as AT&T, IBM and Symantec, has taken a step by bringing together experts “to raise awareness, establish and share best practices, and research and develop methods to holistically secure the IoT ecosystem for the good of all.”⁵
  • Support regulatory decision-makers—There is very little doubt that regulations around the globe will evolve to include IoT cybersecurity. In that space, cyberprofessionals can help authorities better understand the risk and shape the new regulations that could force organizations and IoT manufacturers to include strong cybersecurity controls in their devices. The US State of California has already taken the lead by introducing an IoT security law (SB-327 Information Privacy: Connected Devices) that requires all IoT devices sold in California to be equipped with reasonable security measures.⁶ At the US federal level, the bill H.R. 1668: IoT Cybersecurity Improvement Act of 2020, currently under consideration by the US Senate, aims to establish minimum security standards for IoT devices owned or controlled by the US federal government.⁷

Of course, end users are in the driver’s seat of their privacy and should also take action, for instance by treating cybersecurity as one of the most important features when purchasing a device, regardless of other features the device might offer. After purchasing IoT products, users should also change default settings and passwords to stronger ones (both at the device and network level, 2FA for devices being a major plus) and ensure that any smart device is regularly updated to integrate the most recent security patches.

Artificial Intelligence and Machine Learning to Improve Smart Devices Security Profile

Artificial intelligence (AI) and machine learning (ML) can significantly reduce the cyberrisk posed by IoT devices, from identification of the risk through to the response. By systematically and securely capturing security-related events and sending them to a dedicated advanced analytics processing center, manufacturers, with the support of cyberprofessionals, can better understand threat patterns and predict how to improve security in their devices, even with constraints.

Conclusion

Smart objects will change the way people view and interact with their environments, and with them will come advantages and disadvantages. However, one key element to watch for when considering how, when and where to use these devices is cybersecurity and its implications for privacy. Users, whether individuals or organizations, should not only ensure that manufacturers of the smart devices they purchase and use are cybersecurity conscious, but also take action to protect their own privacy.

Endnotes

1 Holst, A.; “Internet of Things—Active Connections Worldwide 2015-2025,” Statista, 4 January 2021
2 Holst, A.; “Global IoT End-User Spending Worldwide 2017-2025,” Statista, 4 January 2021
3 O’Dea, S.; “Data Volume of IoT Connected Devices Worldwide 2019 and 2025,” 26 October 2020
4 Griffiths, J.; “'Internet of Things' or 'Vulnerability of Everything'? Japan Will Hack Its Own Citizens to Find Out,” CNN, 2 February 2019
5 Internet of Things (IoT) Cybersecurity Alliance
6 California Legislative Information, SB-327 Information Privacy: Connected Devices, USA, 2018
7 GovTrack, HR 1668 IoT Cybersecurity Improvement Act of 2020, USA, 2020

Guy Ngambeket, CISA, CISM, CGEIT, ITIL v3, PMP, PSM

Is currently a strategy and technology management consultant and tech startup advisor with more than 12 years of experience. He has worked on projects across Africa, Europe, the Middle East and North America.