Tis the season to start hunting for the latest and greatest gifts, and smart technology is making just about anything, from homewares to exercise equipment, hot ticket tech toys. Are these smart devices on your shopping list this holiday? Buyer beware – there’s often not any consumer warnings about the cybersecurity risks these new IoT toys can bring.
Ntirety CEO Emil Sayegh has done deep dives into the potential hazards of smart mirrors in his article Mirror, Mirror On The Wall and the very real consequences of IoT cyber-attacks in Peloton Breach Reveals a Coming IoT Data Winter both published in Forbes.
Mirror, Mirror On The Wall and Peloton Breach Reveals a Coming IoT Data Winter
Recently, attacks against Internet of Things (IoT) systems have emerged. With the technology in billions of everyday items, the scope of these attacks is worrisome. Because the migration to Internet-everything is unstoppable, we’ll be seeing these security incidents for a long time unless we adjust course quickly.
The financial motive to add Web features to every device known to mankind is clear. It seems everyone wants to be on the Web, uploading data from their bicycles, sprinkler systems, refrigerator energy consumption, and just about everything you can possibly think of.
Consumers accept risks, sometimes unknowingly, because many assume that the worst-case scenario will not happen to them or affect them significantly.
The Peloton Breach
That leads us to the breach of Peloton, the at-home connected fitness equipment company. A security researcher discovered an open unauthenticated API in Peloton bikes and treadmills, which revealed an open channel to information about users such as age, weight, gender, workout statistics, and birthdays. A significant amount of scrutiny has fallen on Peloton, which made a mess of remediation communications and deadlines. It appears that this is just the beginning of issues to come, as more items from the physical world come online, handling sensitive information that few people think about protecting until it is too late.
In the wake of consumerized products from all walks of life, IoT systems and online accounts are under significant threat. It does not matter what the product is. An increasing number of smart camera platforms are being targeted by thieves. At risk are privacy, security, and the risk of fraud, and criminal gangs are exploiting the spoils of data to their merciless benefit.
The Smart Mirror
A recent story getting a lot of attention involves an interconnected “smart mirror.” With a price tag of $1,495, this mirror provides tips, suggestions, can set and keep progress on fitness goals, as well as delivering streaming workout classes. The company was picked up by the sportswear giant Lululemon for $500 million last year. Under the home exercise boom precipitated by the global pandemic, the product could be finding a mainstream groove. Reviews for the new product are trending well on the positive side and Lululemon appears to have a rare winning omnichannel marketing vehicle to pin onto their main product lines.
Clothing and marketing retailers, like Lululemon, wield a fine history of supply chain, retail, and e-commerce experience, but a device with this kind of technology introduces challenging privacy and security concerns for the consumer and the company.
Can IoT Be Slowed? Should It?
Once upon a time, distributed alternating current electricity was the next new thing. Electricity, lighting, and motors were added to every item available at the time. Therefore, people no longer had to crank record players, grind coffee beans by hand, or shine shoes with a pile of rags. What it meant to consumers was that convenience and functionality were clear winners. With IoT, we’re seeing a parallel application of the Web to real-world things, but with additional variables of security and privacy concerns. Consumers seem to be unable to resist these features, and the ecosystem continues its stratospheric growth.
What many consumers don’t seem to realize is that consumer products companies are in the business of selling the products they make. They are not in the business of securing our information. If history is any indication, they have failed at protecting personal information as their products connect to billions of endpoints in your kitchen, your garage, your bedroom, and every place you live your life.
Considering factors such as the growth of the market, continual cybersecurity threats, and financial motivations driven by successful compromises, we can expect to see more information losses, even in places thought to be safe. Worse, threats once affected only digital things, but IoT drops the cyber realm directly in the middle of our physical world. Attacks against data can be attacks against critical systems, human beings, resources, and the world around us.
Even the smallest bits of leaked data can be enough to compose purpose-built phishing attacks or be stacked into significant waves of fraud. Unfortunately, it will take an unknown event of significant scale or personal financial impact for users to collectively wise up and demand more security from the market.
The Need for Strict Security and Privacy Standards
Proper use of privacy settings, privacy protocols, and comprehensive security tools are an absolute necessity. Companies must be held accountable when there are significant variances, misuse of data or violations of trust. Privacy regulations in Europe, California, and Texas have done their share to elevate the element of privacy to the forefront of discussion, but it may not be enough. Certain compliance measures also demand the ability for individuals to select their privacy settings of choice.
Protection is Comprehensive
Companies and individuals should embrace a security-first strategy that prevents unauthorized access by enabling a comprehensive security and compliance approach to technology implementations. Outlined by outside and organization-driven compliance, an organization can achieve compliant comprehensive security with the tooling of:
- Strong authentication
- Strong privacy rules
- Third-party monitoring and validation
- End-to-end encryption from the user device down to the database, application, and systems
- Roles-based access to data and systems
- Data classifications
This is a list that goes on and on, tracking highly to the mission, capabilities, and parameters of each organization that ventures into comprehensive security.
Don’t let these risks make you cross the latest smart devices off your wish list— work with experts to learn how to always be proactive when it comes to protecting your data. Practicing good cybersecurity hygiene isn’t just a priority for the holidays – schedule a Security Assessment any time of the year to strength your security posture (but don’t wait til it’s too late!)