Suppose a criminal were using your nanny cam to keep an eye on your house. Or your refrigerator sent out spam e-mails on your behalf to people you don’t even know. Now imagine someone hacked into your toaster and got access to your entire network. As smart products proliferate with the Internet of Things, so do the risks of attack via this new connectivity. ISO standards can help make this emerging industry safer.
Indeed, spying on random strangers has never been easier. All it takes is a search engine like Shodan – the Google of the Internet of Things (IoT) – which, to highlight the risk of this technology, crawls the net taking pictures of unprotected devices. The inside of our homes, our pets, even our fridges, are only a click away. Some parents realized how vulnerable they were the hard way when the baby monitor they relied on for safety was hacked to yell obscenities at their sleeping children. It’s not surprising that the number of complaints related to IoT technology has risen in the UK alone by 2 000 % over the last three years.
Brave new world
The Internet of Things refers to billions of connected smart devices routinely exchanging volumes of data with each other about how we live, work and play. “They purport to make our lives easier, healthier and smarter, and our businesses more productive, but this often comes with a cost,” says Prof. Edward Humphreys, Convenor of the ISO/IEC working group on information security management systems. “We want to believe in these technologies because of everything they allow us to do. But we have to be aware of the consequences for the security and privacy of our data.”
For example, in your excitement to buy the latest voice-activated smart television, you may fail to consider that this technology needs to be able to “listen” to everything you are saying so it can recognize the right commands. If this stays between you and your TV, then what’s the harm, right? More often than not, however, the communication channels that enable devices to exchange information are not encrypted or otherwise protected from external access. “It’s pretty much like leaving your door open; anyone can walk in any time,” says Humphreys.
The crux of the problem is that most of us expect companies and legislators to have taken these risks on board and done something about them. But if customers don’t understand or demonstrate interest in data privacy, manufacturers won’t either because they know we won’t base our purchasing decisions on those features – we are more likely to buy a webcam because of compatibility, price or even looks! Research by Consumers International shows that the average person spends six seconds looking at the terms and conditions before ticking the consent box, so why should companies bother?
“As far as legislation is concerned, what we do in our homes domestically is rarely protected to the same extent as organizational data,” says Pete Eisenegger, a consumer expert working on privacy issues at the international and European levels. “Take wearable and portable technology – it tracks and monitors our movements and activities and knows exactly where to find us. If we combine this with all the personal information we provide, photos we post and connections we make, which we often unknowingly give away the rights to, there is room for alarm. Big Data analysis is making it easy to learn about people from their behaviours and preferences.”
In a hyper-connected world, the stakes are high. A recent experiment showed that it was possible to hack a moving car via the entertainment systems and disable the accelerator. “Electronic pacemakers can be life-saving, as long as they are secured from being tampered with. The range of digital technologies that are now emerging and being integrated into the fabric of our lives is overwhelming,” says Humphreys.
“We are seeing the emergence of a brave new world order of Internet technology. This is not just about products but whole systems.” Failure to secure one device can affect others. In 2013, hackers stole millions of credit card numbers from a big US retailer by accessing their systems through Internet-enabled heating. Vulnerable devices can be used to attack other devices. We need to think of security in IoT like a vaccine. If you are not protected, you risk passing it on to others. The more we protect or “vaccinate” our devices with strong security techniques, the better for all of us.
“This is why I cannot emphasize enough the importance of using information security and privacy standards,” explains Humphreys. “We have a number of solutions to address and minimize many of these risks, and more are on the way – but organizations need to use them.”
Standards like ISO/IEC 27001 and ISO/IEC 27002 provide a common language to address governance, risk and compliance issues related to information security. ISO/IEC 27031 and ISO/IEC 27035 help organizations to effectively respond, diffuse and recover from cyber-attacks. There are also ISO/IEC standards defining encryption and signature mechanisms that can be integrated into products and applications to protect online transactions, credit card usage and stored data.
For Humphreys, next in line are privacy standards. “We are working to build a solid foundation of standards that safeguard our data in a digitally connected world and reinforce consumer confidence. We hope these can be used to develop solutions that meet the specific challenges of the Internet of Things.”
Do consumers care?
The problem is further complicated by the fact that many of us have grudgingly, and sometimes willingly, been ready to compromise our privacy and security in exchange for what we regard as more valuable access to state-of-the-art technology. These devices have become must-haves of day-to-day life. Is our data really too high a price to pay for these modern conveniences?
Let’s look at consumer behaviour elsewhere online. People regularly upload pictures of themselves and publish videos of their children, they share their political persuasions, their travel destinations and their favourite shopping haunts. The issue is not really whether we should give away so much of our privacy, if we so choose to, but whether we understand the implications of what we are doing and whether we can control what data is collected from us.
As the Internet makes it easier to track and identify people, this information, in the wrong hands, could put us at risk. Awareness of Web security is growing. Research by the National Consumers League in the USA found that 76 % of US teens are concerned about privacy and being harmed by their online activity, but people rarely make the connection with IoT.
The ISO committee on consumer policy (ISO/COPOLCO) is pushing these issues into the standardization agenda. Just because consumers don’t always understand the consequences of low security doesn’t mean they should not be protected. “Consumer awareness, attitudes and values to security and privacy needs are an important piece of the puzzle that we need to address,” says Bill Dee, an ISO/COPOLCO representative. “At COPOLCO we have finalized a report on strategic privacy standards gaps and are now prioritizing the ‘privacy by designʼ of products and services purchased or used by consumers.”
Privacy by design
For Eisenegger, the heart of the problem lies in the fact that, from the start, much of the day-to-day equipment used by consumers in their daily lives is being brought to market with little or no regard for consumer issues like privacy and data protection. “Although there are many international standards that organizations can use to look after our personal information once collected, for IoT to be safer we need to build secure technology with good real-time privacy controls to begin with. Changing our approach will not only make safety the default, it can also make security features easier to use and update.”
76 % of US teens are concerned about privacy and being harmed by their online activity.
Part of the reason why companies fail to protect devices is that the designers developing IoT technologies are rarely security and privacy experts. “Engineers should work with design processes that put a strong focus on these features so that fewer vulnerabilities arise whereas, currently, too many are fixed as an ‘afterthought’,” says Eisenegger. Hoping to change this, ISO/COPOLCO is proposing to develop a standard on digital design for privacy in goods and services.
“If we could develop a privacy design process inspired by the ISO 9001 continual improvement cycle, as ISO 10377 has already done for product safety, we would be taking a great step forward,” adds Eisenegger. “Such a standard could focus on making it easier to trace and protect our data, ensure confidentiality of Big Data analytics and assess product privacy.”
“Instead of wondering whether consumers should accept the default security and privacy options currently offered by technologies, products and services, we should be asking what developers can do to build confidence and trust in consumers,” says Eisenegger. “It’s the new frontier for international security and privacy standards. One that ‘vaccinates’ products and services, that adequately protects our information and provides real-time consent control over how it can be used. One that minimizes the amount of data collected by devices. One that keeps us informed about any third-party processing, and reinforces traceability and accountability.”
If this is successful, then a similar approach could address cross-cutting digital issues like accessibility and vulnerability as well as privacy, while taking into account affordability, fairness and non-discrimination.
So although there is a wide set of cyber security standards currently available, there is still work for ISO in the Internet of Things. “The ISO/IEC 27001 family of standards are really good at helping organizations keep our information secure once it has been collected. But we need to develop solutions specifically targeting the risks raised by IoT,” says Eisenegger. Standards are a powerful way of bringing these issues to the international agenda.
We can’t wait any longer to take action. Our homes, activities and personal information are now irreversibly intertwined and connected with those of billions of other people through everyday devices. The Internet of Things is taking privacy and security implications to a whole new level by effectively making who we are and what we do accessible online. To keep our lives safe from prying eyes, we need to close the door and put a lock on it.