For all the hoopla surrounding the IoT (Internet of Things) and how it is going to revolutionize the world as we know it today, security continues to remain a concern, just as it does with the whole cloud computing business. Researchers and straight thinking consumers alike have very often expressed their discomfiture at the idea of every aspect of their lives being connected to the net at all times, but some of those concerns have also been refuted by researchers and lobby groups, often with vested interests in the IoT industry. Now, however, the results of a research done on the subject by a couple of security researchers from Princeton University, Ph.D. student Mr. Sarthak Grover and Fellow at the CITP, Princeton, Ms. Roya Ensafi, seems to suggest that the Internet of Things can indeed turn out to be a privacy nightmare for corporates and consumers alike, if securing them and their data is not made the primary point of focus by companies looking to vend such smart, connected gadgets.
The results of the duo’s research was revealed last week at the first ever PrivacyCon, held by the Federal Trade Commission (FTC) to discuss the latest in consumer privacy and data security. At the event, the two aforementioned security researchers claimed that a number of current-generation IoT devices have glaring privacy issues as they do not use end-to-end encryption for data that’s being shared over the public internet. Instead, devices like the Nest Thermostat, the Belkin WeMo Switch, the Ubi Smart Speaker, the Sharx Security Camera, the PixStar Digital Photoframe and the Smartthings hub, all share a scary reality – they either bypass encryption totally and send private user data over the public internet in cleartext, or, like the Smartthings hub, employ encryption that’s fairly rudimentary and leaves a lot to be desired, as just the traffic signatures (like traffic volume etc.) alone at times may unwittingly reveal information about users that they ought not to.
Even when the companies vending these smart devices manage to clean up their act in terms of encryption, one pertinent – and often troubling – question will continue to remain. What do these companies intend to do with all the mined data from millions of users around the globe, and how that may undermine our privacy and security in this connected era. As for the devices tested by the two researchers, the Ubi smart speaker reportedly “uses unencrypted HTTP to communicate information to its portal”, the Sharx security camera “transmits video over unencrypted FTP”, while the PixStar photoframe allegedly transfers “all traffic” in unencrypted form. The Nest Thermostat, meanwhile, had an affliction that made it reveal the “location information of the home and weather station, including the user’s zip code, in the clear”. That particular security loophole, however, is believed to have been plugged before the company was informed of the issue by the Princeton duo.