The Internet of Things: A new prescription for consumers and manufacturers

Feb. 24, 2016
Lysa Myers, Security Researcher, ESET

Even for those of us who don’t attend tradeshows that display the most cutting-edge digital gizmos, it’s plain to see the Internet of Things (IoT) is an increasingly popular way to get people involved in monitoring their health. And certainly any way to increase patient involvement and improve ease of treatment with connected devices is a good thing, right?

Any time you record personal information, especially on a device that has Internet access, you’re increasing your risk of encountering a security problem. Before adopting new technology, it’s important to be aware of the specific risks and to consider ways in which that risk can be reduced. But while buyers should be aware of risks, device makers themselves can and should be taking steps to assure the privacy and safety of their users.

What is the problem?

Many people feel that if a digital health tracker doesn’t store payment card information, the risk is minimal. But this is not necessarily the case. There is a lot of information on these devices that criminals might find useful to steal or modify.

Fitbit Surge, Courtesy of Fitbit

The specifics of what each device stores, or what havoc an attacker might wreak, will differ depending on the type of tracking it’s doing or what information it stores. The implications of an attack on an Internet-enabled insulin pump or pacemaker will naturally be significantly different from those of a fitness tracker. Different manufacturers may have given more or less thought to privacy – or have different levels of security or transparency – even among similar devices.

At the very least, an attack on a connected device could expose personal information, including email address, username, and password; this scenario is less problematic if you don’t reuse log-in credentials on multiple sites. Theft could also expose GPS data including your home or work address, and it could indicate when you’re away from home or asleep. An attack on an implantable medical device could allow criminals to make a variety of changes to prescribed therapeutic measures, which could cause serious (even fatal) medical problems.

Many connected healthcare and fitness devices are rushed to market without considering security implications. They may not encrypt data in storage or in transit. They probably don’t yet have two-factor authentication available for user accounts. Few device manufacturers are currently likely to be continuing to search for and remediate security vulnerabilities on devices already on the market. And if researchers or other users find security vulnerabilities on the device, device manufacturers may not have a policy or process in place to fix those issues and get updated software to customers’ devices.

This state of affairs has led to a very static and increasingly vulnerable environment at a time when most of the technology world is moving toward frequent, automated updates. We’re only just beginning to see the first reports of real-world attacks on IoT devices, though researchers have been warning of this eventuality for years.

Customers lose confidence

Many people in the technology sector view the general public as unaware of security issues and consider this the cause of the poor state of IoT security. However, a recent study by Accenture reports that 47 percent of respondents had avoided IoT devices due to security concerns.1 It also found that about 66 percent of those contacted were aware of recent security breaches, and 18 percent of those people had stopped using the product until better security was implemented. An additional 24 percent reported delaying a purchase until security is improved.

The problem of waning customer confidence is not purely theoretical; it is happening already, and is likely to increase as more attacks and vulnerabilities are discovered.

Yet more problems arise

After recent attacks on Fitbit devices, this situation is likely to get even worse for device manufacturers with insufficient security: According to reports by Brian Krebs2 and Buzzfeed,3 a number of Fitbit accounts were compromised as part of a warranty fraud scheme.

This was not a large-scale breach affecting the company’s database or server. Individual account credentials were most likely stolen, guessed, or brute-forced. This can happen in a variety of different ways. Scammers can obtain compromised account credentials on the black market, sometimes provided by attackers who have infected users’ computers with spyware. They may also try to guess username and password combinations; this can be especially effective if criminals have credentials that were harvested during prior attacks on other companies.

In the Fitbit attack, scammers changed the information on the account as soon as they accessed it, thus preventing the real account holders from logging in. The scammers then used the hacked accounts to request new devices to replace “faulty” ones under warranty. Naturally, accounts for higher-end devices were primarily targeted in this scheme.

As reported by Krebs, Fitbit’s cybersecurity team is now assigning risk scores to all warranty replacement requests. He quoted Fitbit’s CSO Marc Bown as saying, “If we see an account that was used in a suspicious way or a large number of log-in requests for accounts coming from a small group of Internet addresses, we’ll lock the account and have the customer reconfirm specific information.” Fitbit also has plans to introduce two-factor authentication to combat hijacking of Fitbit accounts via the company website.

If home users are already avoiding using or purchasing devices over security concerns, and criminals are able to receive new high-end devices fraudulently, poor security is clearly a factor that is already affecting manufacturers’ bottom lines. To combat this, there are ways users and manufacturers can create a substantive cultural shift toward better security.

A new prescription for device makers

Device manufacturers have the opportunity to help lead a shift toward better security by giving it real consideration, starting in the design phase. Some in the security industry have even suggested a “Hippocratic Oath” for device makers. This can make a significant change in the current perception of the lack of security among connected devices to one that is more cooperative and concerned with the safety of users.

There are several things device makers should be doing to make devices more secure:

  • Design for privacy: Learn the seven principles of Privacy by Design.4
  • Encrypt data: This includes data both on disk and in transit, when sent via email, Web, or through an instant messenger, for example, or when synced with the user’s computer.
  • Clarify data storage options: Give users the ability to store tracked info local-only, rather than just in the cloud.
  • Authenticate account access: Verifying that users are who they say they are is not just important for devices that have online access. It is doubly important to authenticate users for implanted devices, as the consequences of misuse are significantly higher. Provide multi-factor authentication for online account access.
  • Prepare for vulnerabilities: Establish and publicly publish a responsible disclosure policy for vulnerability reports.
  • Prepare for breaches: Create an incident response plan so that you can react appropriately in the event of a data breach, however limited in scope it might be. Folks who are likely to use fitness trackers are also likely to be active on social media. Word spreads fast when something goes wrong, and you want your words and actions to be well chosen.
  • Prepare for government scrutiny: The FTC and FDA are both watching the IoT space closely, so making changes now can help avoid legal problems and hefty fines down the road.
What can consumers do?

As users of these devices have the most to lose, we need to weigh the risks of using them and realize that at least some of the burden of protection is on us. We also need to observe the rules of cyber hygiene:

  • Buyer beware: Before buying a wearable or installing a wearable app, search for its name together with the word “hack,” as well as with the words “fraud” and “scam.” This may reveal published problems and enable you to make a more informed purchasing decision.
  • Cultivate good password habits: Set up your wearable and any associated online accounts with an obscure user name and strong, unique passwords, all of which should be hard to guess.
  • Enable security features: If a device or online account allows you to use a second factor of authentication, set your account to require it. If they allow you to monitor log-in attempts or approved devices, check these lists regularly. If they allow passcodes or biometric authentication, use them to restrict physical access to the device.
  • Educate yourself: Read the privacy policy of any device and app you currently use or plan to use. Look closely at privacy assurances and evaluate how serious you think the company is about protecting your data.
  • Just say no: Be prepared not to use certain features or apps if you do not feel the provider is serious about security and privacy.

There are plenty of things consumers and device manufacturers can do to get the benefits of health tracking and implantable devices without putting sensitive personal data a risk.