Yet Another Study Shows The Internet Of Things Is A Privacy And Security Dumpster Fire

from the the-dumber-the-better dept

Day in and day out, it's becoming increasingly clear that the smart home revolution simply isn't all that smart.

Security analysts like Bruce Schneier have been sounding the alarm bells for years now about the lax to nonexistent security and privacy standards inherent in the internet of broken things space. From refrigerators that leak your Gmail credentials to Barbie dolls that can be easily hacked to spy on kids, it's increasingly clear that dumber technology is often the smarter solution. Not only do many of these devices actually make us less secure, their lack of real security has resulted in their use in historically large DDoS attacks.

Study after study shows it's a problem that's not really getting better. For example, despite a decade of reports about the lack of real security and privacy standards in smart TVs, Consumer Reports recently found that most smart TVs remain impressively open to attack and abuse. And a new study out of the UK by Which? studied 19 different smart gadgets and found a "staggering level of corporate surveillance of your home" by devices that routinely hoovered up consumer data, then funneled it out to dozens of partner companies -- often without clear consumer permission:

"Many apps ask for your exact location when they don’t actually need it for the product or service to work. Far too often, specific information is requested about you when the justification seems arguable at best. Then there’s the galaxy of other companies busily working in the background of your smart gadgets. During our testing we saw more than 20 other operators involved behind the scenes, including marketing companies. When we used a smart TV for just 15 minutes, it connected with a staggering 700 distinct addresses on the internet.

You'll recall that a few years ago, the revelation that there was now a search engine specifically built to provide easy access to poorly secured webcams resulted in all manner of consternation about the problem of default usernames and passwords and devices with paper-mache-grade security. But despite flimsy webcam security being such a hot topic for years, many vendors still haven't gotten the message:

"We’re also concerned over how companies secure your data. In a separate test together with other consumer organisations, we found a flaw in this wireless security camera’s app (provided by a company called Sricam), which meant that we could access more than 200,000 passwords and device IDs for other ieGeek cameras. We could then see live video feeds of other users, and talk to those users via the camera’s microphone (which we didn’t do). ieGeek/Sricam fixed this flaw in late March 2018, but we’ve subsequently found and disclosed other critical vulnerabilities with the camera and app."

Security analysts like Bruce Schneier have clearly illustrated why there's no incentive to fix these problems:

"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

The reality is we're collectively more interested in making money and obsessing over the latest gadget than addressing the problem. And while there's some very good ongoing efforts to create some basic security and privacy standards in the IOT space, the prevailing attitude among IOT users and vendors alike that this is all somebody else's problem. Folks like Schneier have been warning for a while that it's likely going to take a mass casualty event (caused by hacked infrastructure) to finally motivate some changes in the internet of broken things space.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: internet of things, privacy, security