Do you want users to embrace your IoT product? If so, you need to think about the nature of the data you collect and what you want to do with it in the early stages of the development phase. Two aspects are key in this regard: security and transparency.
In May 2018, Wesley Neelen, ethical hacker and pen tester at DearBytes, discovered a serious security leak in a smartwatch for children. These smartwatches are equipped with a GPS receiver, making it easy for parents to monitor their children’s whereabouts with an app. However, due to a leak in the cloud environment of the Chinese manufacturer, all kinds of sensitive information was up for grabs, including the current location and the full location history of the smartwatches as well as the parents’ telephone numbers. A serial number was all that was required.
If you want to launch an IoT project with your company, this type of nightmare scenario is the first thing you want to avoid. What measures should you take to guarantee privacy and comply with the GDPR (General Data Protection Regulation)? We put these questions to Jan Leonard, Data Protection Officer at Orange.
“There are two important privacy aspects to an IoT project,” Jan Leonard explains. “Security and transparency. An issue with either will compromise user confidence. It all starts with security: make sure your IoT product is safe, so no one can misuse your product and/or data for other purposes.”
This not only goes for hardware and software suppliers but for telecoms operators as well: Orange Belgium must also respect the confidentiality of communication and therefore takes the necessary measures to meet this obligation.
As little data as possible
For security purposes it is important to consider the broader context of IoT devices. Such devices often send their data to a central location in the cloud. “I got my hands on those smartwatch data via a relatively basic security leak in the cloud environment of the manufacturer,” Wesley Neelen says. “If your IoT devices store all data in the cloud and someone gains access to one of those central servers then this has a major and immediate impact. That is why I advise manufacturers to only store those data in the cloud that are absolutely indispensable,” Neelen continues.
Of course, the IoT devices themselves must also be properly protected. “I once tested a home automation controller,” says Neelen. “When it was connected to the internet anyone could gain full access to the controller and operate the smart devices in the house, such as the lighting. More importantly, however, an attacker could use such a poorly protected IoT device to try and access other devices such as a NAS (network-attached storage) device or a PC.”
The problem is that for IoT applications, which are often privacy-sensitive, no actual best practices or rules of thumb have yet been established. Nevertheless, IoT developers can draw inspiration from other fields to develop safe products. “A cloud application is generally web-based and for this we have the OWASP (Open Web Application Security Project) standards, which describe the pitfalls when programming. And IoT devices are often nothing more than small Linux computers that are compatible with standard Linux security. OWASP is also developing an IoT security standard,” Wesley Neelen adds.
Security is often not a priority
Wesley Neelen says that “security is often not a priority for companies that develop IoT devices because this uses up additional resources while functionality remains the same. In other words, the product becomes more expensive. Still, if a manufacturer starts building a device without security in mind and is alerted to the lack of security after the product has gone to market, fixing the security leak is much more expensive.”
That is why Wesley Neelen advises manufacturers to take security and privacy into account from day one, in accordance with the ‘security and privacy by design’ principle. “Initially such a safe basis requires an additional investment, but in the long term it’s the cheaper option,” he concludes. Moreover, he advises resellers to ask (often Chinese) suppliers for a pen test report. A pen test is a test that searches for vulnerabilities in a computer system. “If a pen tester has tested the product in practice that gives you independent corroboration of the product’s security,” says Neelen.
But it’s not enough for an IoT device and its cloud environment to be adequately protected. Transparency also plays a major role. What data does the device collect? What happens exactly to those data? “It’s important to offer users complete transparency. You must let them know precisely which data you collect, whom you share it with, for what purposes it is processed, what the consumer impact will be, etc. This is important enough in a standard environment but it is even more so in the IoT world,” says Jan Leonard.
If users have any lingering doubts as to the use of their data, they become critical of, even antagonistic toward, the IoT device. “Just look at the questions people ask about the digital gas and electricity meters,” says Jan Leonard. “What data will those meters forward? What is done with that info? What will it be used for in the future? And what will this data definitely not be used for?”
The demand for transparency is the result of the GDPR, which came into effect on 25 May 2018. “The legislative framework is in place but now it needs to be implemented. Many companies still have their work cut out for them,” Jan Leonard claims. “That’s why it’s important, from day one of an IoT project, to think about which data is essential to the product or service and how you intend to process it.”
Incidentally, it’s not just the companies that have to make an effort. Jan Leonard claims that users also bear a certain degree of responsibility: “Users need to be more acutely aware of their privacy. Read the privacy agreement before you approve it. Ask the manufacturer for clarification if anything is unclear. There’s no need to be paranoid but healthy suspicion is not bad.”
According to Wesley Neelen it’s often a balancing act between user-friendliness and privacy: “We like to buy all kinds of gadgets, often without asking ourselves the following question: if my details get out, will not the cons by far outweigh the pros? If I know that my child’s smartwatch stores GPS information in the cloud, then I feel that the risk that someone else could access that information outweighs the convenience of that smartwatch.”