The number of consumer IoT devices entering the U.S. market is staggering. Gartner said a typical family home could contain more than 500 smart devices by 2022. These devices represent internet endpoints that will penetrate every household before we know it, and those endpoints will rapidly multiply from there. This trend is fueled by insatiable user demand and substantially enabled by retail distributors that see the windfall economic benefit.
The threat posed by a potential enemy state’s role in consumer IoT is massive, yet the U.S. continues to enable it. Before our very eyes, China is gaining direct access and insight (literally) into our homes through the connected devices we put in them, as researchers from Dark Cubed recently discovered.
An everyday cybersecurity scenario
Let’s imagine a simple scenario. You walk into a major retailer and see an LED lightbulb for less than $10 that you can control from an app. You think, “Great! I can program this bulb to come on automatically when the sun goes down and turn it off from my phone when I go to bed. $10? It’s a no-brainer.”
You go home, open the box and are told to download an app to your phone. You do so, and by tapping “download” you unknowingly grant this app legal permission to access many things on your phone and to do things you’ll never understand.
Once the app opens, you set up an account. You wonder for a second why the lightbulb app is asking for your location and access to your contacts, but you allow it. To be safe, you set your typical password but change one number.
The app tells you to screw the bulb into the lamp and asks for your Wi-Fi password and, like magic, the app is connected to the lightbulb, which is connected to your Wi-Fi router that is likely several years old. You set the schedule for the light and think, “How does it know when the sun goes down at my house? Oh, that’s why it needed my location, makes sense.”
A few days in, you think, “This cheap bulb is awesome.” You get three more. You see a Wi-Fi camera at the store and realize you can add this to your app. You can check from work to see if the kids are doing their homework. Best of all, it’s less than $25. No-brainer!
You receive a notification that you can record video and store it to watch it later. You can get a notification when the front door opens and a 20-second video is captured and sent to your phone. For $5 a month, you can see when your kids get home. So, you enter your credit card number into the app.
China is the most prominent foreign home of the companies that control the communications from these devices and the apps that manage them. In the scenario above, this company and its governing nation now have the access and the means to create and maintain an up-to-date profile of this home and its occupants.
Perhaps more frightening is the fact that this company can easily use these devices to find holes in your Wi-Fi network and reach computers, hard drives and other devices or data repositories. And remember, you supplied this company with your log-in information; hopefully those credentials are substantially different from your online banking credentials. Password-guessing attacks thrive on clues contained in alternative passwords. This situation is reasonably common in millions of households right now, and it is growing rapidly because trusted U.S. retailers keep distributing these devices.
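The “typical password with one number changed” from the scenario is exactly the kind of credential that a leaked IoT-app login turns into a clue. The following is an added example, not code from the article, showing the defensive check a password manager or account service can run: it measures how close a new password is to ones already stored (case-insensitive edit distance, plus a shared “stem” once the rotated trailing digits and symbols are stripped) and refuses near-copies. The password history, the threshold of two edits and the sample passwords are all constructed assumptions for the illustration.

```python
import re
import string

# Added example: detect passwords that are only trivial variants of stored ones.
# The history list and thresholds below are constructed for illustration.


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute cost 1 each)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


# Trailing digits and punctuation are the part people most often "rotate".
_TRAILING = re.compile(r"[\d" + re.escape(string.punctuation) + r"]+$")


def stem(pw: str) -> str:
    """Lower-case the password and drop its trailing digits/symbols,
    so "Summer2019!" and "Summer99" both reduce to "summer"."""
    return _TRAILING.sub("", pw.lower())


def is_trivial_variant(candidate: str, previous: str, max_edits: int = 2) -> bool:
    """True when the new password is too close to an old one to add real security.

    Two rules: (1) at most `max_edits` character edits apart, ignoring case;
    (2) identical stem once the rotated suffix is removed. An all-digit password
    has an empty stem, which is deliberately not treated as a match (rule 2 would
    otherwise flag every pair of PIN-style passwords as variants of each other).
    """
    if levenshtein(candidate.lower(), previous.lower()) <= max_edits:
        return True
    s_new, s_old = stem(candidate), stem(previous)
    return bool(s_new) and s_new == s_old


def reject_reasons(candidate: str, history: list[str]) -> list[str]:
    """Explain which stored passwords the candidate is a near-copy of (empty = accept)."""
    return [f"near-copy of stored password #{idx}"
            for idx, old in enumerate(history)
            if is_trivial_variant(candidate, old)]


if __name__ == "__main__":
    # Constructed sample: an existing banking password and the "same but one
    # number changed" password typed into the lightbulb app.
    stored = ["Summer2018!", "hunter2"]
    for attempt in ["Summer2019!", "Summer99", "correct-horse-battery"]:
        reasons = reject_reasons(attempt, stored)
        verdict = "REJECT " + "; ".join(reasons) if reasons else "accept"
        print(f"{attempt!r}: {verdict}")
```

In practice a service cannot run this across other sites' passwords, which is the article's point: only the user (or their password manager) sees both credentials, so the check belongs at the moment a new password is chosen, before it is reused in a cheap device's app.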
How your home is spying on you
A significant number of these devices, virally spreading to and inside our homes, are in fact controlled by Chinese communications platforms. Consumer demand for connected things in the U.S. has caused device manufacturers to rapidly produce connected devices to meet this demand, but they have to use communications platforms to connect and allow these devices to converse with us over the internet. This has created a challenge for the manufacturers to find platforms that can enable the communications and supply the software that consumers need to control their devices.
A huge new industry has been created in China to solve this challenge, creating a grave problem for the U.S. while enabling a massive opportunity for the Chinese government. What could they do with direct access to and control of hundreds of millions of connected devices in millions of U.S. households? Every single day, data goes from your home to China or to servers in the U.S. owned and accessed by China.
This data becomes more informative every day, and new data is created when new features are added or new devices installed. China leads the world in analytical technologies like machine learning, AI, augmented reality and computer vision. Not only will it have the raw data to know everything about you — your behavior, where you are, where you go, who you know — with its data analysis prowess, it can begin to anticipate your future behavior and locations. Could there be a greater cyberthreat?
Three steps to mitigate the damage
If you didn’t know, China censors everything internet-related domestically — there is no chance that the U.S. or any other state could accumulate this level of insight on China’s citizens. Shrewdly, China clearly understands the impact of the cyberthreat and uses its censorship policies to remove the risks of foreign access. It also realizes that there is no regulation, enforcement or even a level of awareness that might cause friction to its effort to access our population. It sees the demand for these devices, it is eating the cost of hosting and software to make these devices work, and it is catering to the wishes of the U.S. retail community by keeping the pricing of these devices very low. It’s a perfect storm.
The good news is that it is not too late. Massive damage has been done and much cannot be undone, but we can reduce the damage done and prevent further impact. Here’s how:
- Retailers must stop selling connected devices whose software and communications are managed by off-shore communications platforms. These platforms will do everything to obscure their role and function to satisfy non-technical decision-makers, so retailers must align with U.S.-owned and -operated platform providers to protect users.
- Many devices can and should be sourced from China, but the communications function should be American. And manufacturers need to ensure that the devices themselves have an adequate level of cybersecurity protections and are easily patchable.
- Stop the unnatural race to the bottom on device pricing. IoT is made of living objects that require support over time. Like a car that needs gas and maintenance, these devices and their user software must be managed, updated, maintained and hosted for the life of the device. The $10 connected LED lightbulb requires support for the life of the bulb — perhaps 20 years. What happens when it runs out of gas in a couple of years?
Focus on the platform and take a stand for data privacy
Much of the narrative on how to protect ourselves from IoT security risks has focused on the connected device. Sure, without proper engineering in the device itself, it can be vulnerable to a cybersecurity breach. California has taken a bold step in focusing on device protections. The bigger unaddressed problem is the platform governing these data communications. Think of it as similar to your wireless carrier. You have a smartphone likely built somewhere in Asia, but you use a regulated and trusted U.S.-based wireless communications carrier to manage your voice and data activities. The greater problem is that we are allowing unregulated, unknown, foreign entities into our homes with the permission to do and take what they want.
As the number of IoT devices skyrockets, so does the risk to consumer, corporate and nation-state information if a foreign nation is able to use such unprecedented access to individuals’ data. Indeed, industry observers like Om Malik have called for a constitutional amendment addressing digital privacy to help protect against these trends.
Consumers can’t tell the difference between a secure and unsafe IoT device — and they shouldn’t have to. Retailers must take up a bold position along this cybersecurity and privacy frontline to protect their customers from these real risks today.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.