The proliferation of internet-connected home devices such as thermostats, baby monitors and fridges is creating an ever-expanding interconnected web known as the Internet of Things, or IoT. But security and legal experts warn that machine-to-machine communication is creating a new level of risk — by providing hackers with new vulnerabilities to exploit.
“I think being suitably paranoid is appropriate when you’re dealing with IoT technology,” said Mark McArdle, chief technology officer for eSentire Security.
The advent of “smart home” technologies — a type of IoT that includes internet-enabled TVs, security cameras, and major appliances — could allow hackers, for example, to break into an everyday device to gather personal information or even hold it for ransom.
“Software’s fragile and new problems are discovered in it,” he said.
“You have to be able to respond to fix those problems reasonably quickly or else you leave the window open for hackers.”
According to various reports, hackers infiltrated Equifax Inc. — in one of the most serious cyberattacks on record — by using a flaw that was identified and disclosed in March. Despite a patch for that flaw, not all Equifax systems were updated in time to prevent the leak of important information — including social security numbers — for millions of people.
In the past, companies like Microsoft learned they had to pour considerable resources into security protections or risk losing their customers.
But many IoT devices are built with convenience in mind and “security is often not a consideration at all, let alone a primary one,” McArdle said.
He added that it’s possible the marketplace will again force suppliers to make cybersecurity a priority, but pointed out that consumers of IoT devices tend to care more about price than privacy protection when making purchasing decisions.
The number of consumer-owned connected devices in Canadian households is expected to increase by 60 per cent between now and 2021, according to IDC Canada market analyst Manish Nargai.
“So, of course, that does brings in more points of vulnerability, more points where a security breach or hack can happen,” Nargai said.
Telecom providers may find themselves under increased pressure to show they’ve taken reasonable precautions, said Toronto-based lawyer Imran Ahmad, a partner with Miller Thomson who specializes in cybersecurity and privacy law.
“There’s an expectation, quite frankly, from basic consumers that there’s a minimum guarantee of vetting going on,” Ahmad said.
But IDC’s research suggests consumers show relatively little concern about the privacy and security aspects of their household technology — especially after it becomes a familiar part of their life.
About 48 per cent of the respondents to a recent IDC survey said they didn’t care about the privacy issues associated with intelligent assistants or they felt the advantages outweighed the risk or that they trusted the supplier.
When the same group of respondents was asked about home automation in general, only 20 per cent indicated that privacy risks and 17 per cent indicated that security risks were preventing them from acquiring such technology.
Nargai himself was initially wary about buying a Google Home Mini, a smart speaker linked to an intelligent assistant, when it became available in Canada this fall.
“I couldn’t get over the idea of something listening to me,” Nargai said.
“Now I’m quite surprised about how much and how often I’m using it.