The paparazzi are known for often taking covert photographs of celebrities and selling them to tabloids or gossip magazines. In a similar vein, could the increasing number of smart, connected devices coming into our lives start acting like covert “data paparazzi”?
Today, our devices collect and forward information to all sorts of external parties: our home security alarm provider, our electricity supplier, our fitness watch vendor, our car manufacturer, and so on. Smart assistants listen to our voice commands and take that information to the internet to execute our orders.
Data from one device may not be a problem, but combining data from several devices could create a pattern that may reveal unwanted information about a user or a business. And with more devices coming into homes, concerns around the way personal data is managed, controlled and used by devices and organisations are increasingly being raised.
Each new device may introduce a new security risk, if not properly managed through its life cycle. The security risks must be handled by all actors in the value chain, including the device owner, regardless if devices are used by consumers, industries, or smart cities.
So what will be important to think about to ensure that users benefit and get value from devices and their related services, but avoid adding security issues? Should we risk unintentionally becoming surrounded by data paparazzi with their viewfinder aimed at us?
What to protect?
At first, this data may be seen as producing no risk, but even simple data in a certain context may be sensitive. For example:
- Power consumption data recorded by a smart metre can provide a lot of information about what’s happening in a home. For example, based on the power consumption profile of TVs, switching on the TV will be visible from the data and if it’s possible to match the time the TV is turned on with the TV guide, that will provide a good indication as to what people at home are watching.
- Any competent smart lock manufacturer will make sure that the communication with the lock is encrypted and its integrity protected. However, this might not be enough; by observing the traffic generated by a smart lock, one could potentially deduce whether the lock has been opened from the inside or the outside and thereby predict if there’s anyone in the house at any given moment.
- At some point, an electric device will reach the end of its lifetime and will need to be disposed of. If the information stored on the device isn’t properly removed, a hacker who retrieves the device from a waste bin or who purchases it from a second hand store could dig out data or credentials, as well as information about the services the device has been connected to. This is information that could be used to spy on the owner in a more efficient way, or even control or modify other devices belonging to the owner from the backend.
What can I do as a device owner to avoid unauthorised use of private data?
- Check whether the device manufacturer/service provider offers firmware/software upgrades in case of security issues.
- Consider what data is generated and how it’s used and stored, for example, locally and/or in the cloud.
- Check user terms and conditions to find out how data is used.
- Remember to change the default device password.
- Remember to keep device software up to date.
- Remember to wipe the device before recycling.
And remember to consider the trustworthiness of a device and its services before purchase.