The Internet of Things Can't Keep Your Data Safe

It's no secret that the "Internet of Things" is the next avenue for hackers. Fridges, cars, home heating systems: more and more objects and services are being connected to the internet and are sharing data with other devices, in order to make the control of them as fluid as possible.

But a new research study from HP shows the extent to which we're not really prepared for the security risks of allowing these technologies into our smart homes.

The report found that the top 10 most popular IoT items were plagued with security problems, with an average of 25 vulnerabilities each. HP didn't name the specific brands or models examined in the study, but it did release a list of the types of gear tested, which included a home alarm, a webcam, and a door lock.

While hacking into the controls of these devices might not seem like a big deal (though someone hacking into your door lock could be quite a problem), HP additionally found that nine out of the 10 items tested retained some sort of personal information about their user. Some of the objects don't even seem to have an intuitive use for such data; although we don't know which ones were in the nine out of 10, the overall list includes such seemingly banal items as a garden sprinkler, a power outlet, and a garage door opener.

According to the OWASP Internet of Things Top 10, a series of metrics that the HP study was based upon, the sort of personal data possibly retained by devices could include a customer's date of birth, home address, phone number, and financial and health information.

That shouldn't come as a surprise. The TRUSTe Internet of Things Privacy Index found that 59 percent of internet users know that smart devices can collect information about their personal activities. Some devices may need that kind of data to work most effectively:  The Nest thermostat stores a user's zip code to check local weather reports, for instance, while an electronic pill bottle cap that reminds you to take your prescription medicine needs to send information about your usage to your pharmacy.

But more broadly, the HP study poses an interesting question: "Do these devices really need to collect this personal information to function properly?"

"Vendors want to have as much data as possible," Cesar Cerrudo, CTO of technology security firm IOActive, told me over the phone. The first reason is to make sure they have the data they need to function, and in order to improve their products, Cerrudo said. "The other side is to know the customer's habits."

An example of that is one of LG's smart televisions, which Ars Technica reported records users' viewing habits and sends them unencrypted over the internet. This sort of data could be used to inform new products and services, like Nest's sideline in managing people's energy and FitBit's analytics service, as reported by Forbes. This isn't necessarily information the devices need to do the task you expect them to.

Cerrudo wasn't as concerned about IoT devices collecting user data as I expected, but he was more worried about the mobile phone applications linked to these technologies. The amount of data given to a retailer "depends when you install the application, and the permissions you give to that application," Cerrudo said, but "usually some applications will request more permissions than they really need."

As the HP study says, when personal information including a user's "name, address, date of birth, health information and even credit card numbers" is shared with these mobile apps, the privacy concerns "are multiplied." That's true of mobile apps in general, but because your personal data is often being spread out across a greater number of devices in the Internet of Things, there is a higher risk of that information leaking out.

As for whether retailers need to beef up the security of their products, or tone down the amount of personal information being collected, Cerrudo thought it was both. "They need to be really secure, and also they shouldn't be getting data that is not needed," he said.

In the future, more IoT devices, "will have access to the most sensitive personal data such as social security numbers and banking information," according to HP's study. Before that happens, retailers and consumers might want to reconsider the tension between convenience and security that the Internet of Things presents.