People often ask what “the next big thing” around IT security will come about next. In years past we’ve seen the rise of “big data”, “the cloud”, “cybersecurity”, and so on – but what’s next? I personally think one of the biggest unsolved problems in tech is the security of the “internet of things”.
The “internet of things” is a term used to describe connecting everyday devices like your watch, refrigerator, coffee maker, or car to the internet. Users like these type of devices because, in theory, it gives common devices new and fun new features. For example, your refrigerator can automatically send grocery lists or your watch can remind you of appointments. All of this fun comes at a big price to the consumer: Security and Privacy. None of which companies or consumers have began to deal with.
Voice and Data Harvesting
Devices like Amazon’s echo, Apple’s Siri (iPhone), Samsung smart TVs, and Google’s OK Google (on Droid) all utilize voice recognition to perform certain functions. What many people do not realize is that these functions do not happen on the device itself, but rather on a server in the cloud. What happens is that when you speak into the device your command is transferred over the internet to a processing server where the command is stored and processed. All this means that everything you say while around these devices is subject to collection.
“By using Siri or Dictation, you agree and consent to Apple’s and its subsidiaries’ and agents’ transmission, collection, maintenance, processing, and use of this information, including your voice input and User Data, to provide and improve Siri, Dictation, and dictation functionality in other Apple products and services.“
Security and Privacy Concerns
We’ll ignore the gaping issue with personal privacy and focus corporate privacy.
In a day when “bring your own device” (BYOD) is common in the workplace, how does a company protect itself from companies like Apple or Google harvesting proprietary company data (inadvertently or purposely)?
Imagine you are in a board meeting and every board member has an iPhone and iPad (which the probably do). What protections are in place to prevent Apple from harvesting proprietary corporate data, selling it, using it to compete, or drive investment decisions? And what happens when the next big hack is a few terabytes of personal conversations? Even the legality seems a bit unclear given that you agreed to the terms and conditions of using the device.
Easy Harvesting and Sorting
Think about it: These devices are directly linked to an individual. In theory, it would be an easy enough query to gather GPS information on a group of executives and collect all voice data when any specific group of individuals are together (i.e., board meetings).
My point is harvesting data like this isn’t necessarily a dragnet program – one that is impossible to sort due to sheer volume. All this data and information could be (and probably is) tied to the devices’ owner, location, and various other data points that assist in mining your data. Why else would they store it?
Companies go out of their way to protect their data from cyber criminals who want to steal it, but the biggest challenge going forward might be how to stop giving it away to companies like Apple and Google. These are he questions IT Security professionals will have to answer in the future…if we are up to the task.