Mobile devices: A remote control to the Insecurity of Things

By Rick Kam
08:06 AM

A toilet that can track your digestive health. Home-care digital companions. Robotic furniture that helps you up and down. According to myriad predictions, the future is looking, well, futuristic for the elderly. Another estimate examines the potential of smart grids for distributing electricity, smart cities that optimize everything from utility usage to parking and traffic flow, smart refrigerators that tell you what to buy at the grocery store, and smart washers and dryers that tell customer service agents when they need repairs.

What do these future devices have to do with today’s mobile devices? A lot, actually, according to a new study by HP that examined the security risk of the Internet of Things (IoT). Researchers examined existing IoT devices from producers of TVs, webcams, sprinkler controllers, hubs for multiple devices, scales, and a whole lot more.


The one thing these devices all have in common: They could be accessed or controlled remotely using a mobile app. In other words: Smartphones and tablets are — and will continue to be — the remote control to a hotbed of security risks.

The study found that:

• 70 percent of the devices already in common use on the IoT have security vulnerabilities, with an average of 25 security flaws per device.
• 80 percent of the tested devices raised privacy concerns about collection of personal data, including personal identity, financial, and health information. (As researchers pointed out: “Do these devices really need to collect this personal information to function properly?”)
• 70 percent did not encrypt communications to the Internet and local networks.
• 80 percent didn’t require strong passwords. (Most allowed passwords as simple as “1234.”)

These vulnerabilities not only put consumers at risk, they also endanger businesses that deliver services via the Internet of Things. A June article in the Telegraph points out that the IoT is coming, whether businesses want it or not, and with it will come new regulatory requirements for how data is collected, protected, and used.

Phoning it in
Just because your organization sticks to tried-and-true technologies, however, don’t get too comfortable. Privacy risks don’t just lurk at the bleeding edge of new technology. A new study from security software vendor Avast showed that the simple act of disposing of smartphones carries major privacy risks. The company bought 20 used Android phones on eBay, supposedly wiped clean with the factory reset option, and was able to recover more than 40,000 photos (including a surprising number of nude selfies), various contacts, the identities of previous owners, and a completed loan application.


And it turns out that smartphones can be as big a privacy liability in your pocket as they are outside your possession. Indeed, Edward Snowden revealed that the NSA can keep a cell phone from turning off, even though it appears to be powered down, and then use it to record voice and images — and whatever capabilities the government has, rest assured that enterprising cybercriminals have figured out, or will figure out, in short order.

No wonder the NSA was so concerned when President Obama wanted to continue using a BlackBerry device while in office. A recent article in CNN Money says the functionality of the President’s smartphone is secret but points out that “it’s a pretty safe bet it isn’t used for Oval Office selfies.”

Risk management principles on steroids
As mobile phones have shown, the promise of many new technologies is so profound that their adoption is a foregone conclusion. The question is how soon and how deeply they will affect your business, and how you will navigate the risks.

The short answer is to apply the same risk management principles you apply to every other aspect of your operations, extending best practices to what Mike Armistead, HP’s vice president and general manager of enterprise security products, called the “expanded attack surface” presented by the rising tide of new devices. The trick will be to translate those principles and practices to the brave new world of interconnected things.

And if those smart toilets ever go to market, they will give the term “royal flush” a whole new meaning. 
