IoT security: Five things to change to make your smart devices really secure
By Steve Ranger
Big tech doesn’t have to make all the rules; here are five things we should demand from all our gadgets, or else we risk losing all our privacy. We’re in the middle of an Internet of Things gold rush, with big tech companies racing to persuade us to cram as many smart gadgets as possible into our homes, our offices, our cars. Most of these are cheap, in many cases with the aim of encouraging us to buy as many as we can.
Web security cameras can tell us who is at the door or what the dog is up to while we are out. Digital assistants come with microphones so they can hear us to set a timer or turn the lights on or play a favourite track. Motion sensors tell us when the door is open and smart thermostats tell us if the house is cold, so that we can switch the heating to warm things up before we get home.
But the data from those cameras and microphones and motion sensors has a second life beyond simply making your life easier.
In many cases the data those sensors gather during the course of the day is stored, analysed and repackaged. It’s sliced and diced and re-used by companies that want to understand us and what we do. That second revenue stream is why so many of these things are cheap in the first place.
Recently, the UK government made a first attempt at coming up with a set of rules for IoT security that gadget makers must stick to if they want to sell their devices in the country. For example, it requires:
- That all consumer internet-connected device passwords must be unique and cannot be reset to any universal factory setting
- Makers of consumer IoT devices must provide a public point of contact, so anyone can report a vulnerability and agree it will be acted on in a timely manner
- Consumer IoT devices makers must state the minimum length of time that the device will receive security updates at the point of sale, either in store or online
The government has promised (but also set no date) to back up the list with law. And it’s a pretty modest list, and it goes nowhere near far enough, and ignores the issue of IoT privacy entirely.
But it serves, if nothing else, as a reminder that we – and not big tech – can, when we want to, still make rules about the technology invading our lives.
So, in the same spirit, here’s my wish-list of what I’d like to see as a set of requirements for IoT devices – either in the home or in the office. Another five requirements that would go a long way to improve the privacy of everyone that comes into the range of those sensors:
- Every IoT device should come with a clear explanation of how any data created is transmitted, how and where it is stored and for how long
- Every IoT device should make clear whether that data it creates is encrypted (and how) and who has access to the data and the keys
- IoT device makers should keep a list of what of the data collected they are analysing or monetising or reselling, even if anonymised, and a list of who they sold it to
- Users of IoT devices should be able to see what data is being held and have the right to have it permanently deleted
- All IoT devices should be capable of being automatically upgraded if bug fixes become necessary
There’s a few more I could throw in; that devices should be designed with repair and recycling in mind, for example.
Now, I’m well aware that this is an impossible list.
No tech company would agree to this level of data about their business being made public; and yet they expect us to allow them to eavesdrop and watch our every intimate moment. I’m sure plenty will call me naïve or stupid for even asking for some of these things. But the very idea that things on this list – like knowing what happens to video recorded inside your own home – are considered impossible dreams, shows just how deeply surveillance capitalism has dug its hooks into us in the past decade. Few of us understand the Faustian bargain about privacy and security that we’ve made with tech companies, thanks to the IoT.
Few of us understand or can manage privacy or security implications of inviting these devices into our lives. That’s not surprising, in that we’ve mostly signed up without understanding what we’ve agreed to. Few of us bother to read terms and conditions; fewer still understand them: and often those T&Cs are vague on the details anyway. If the IoT is not simply going to be another technology that chips away at our privacy and security, we need to understand what these devices are doing. We need to make it clear what we are willing to exchange, in terms of our privacy, in order to use these devices. We need to be clear what we will accept and what we will not – before we lose the chance to choose.