Predicting the rate of IoT adoption is a risky business. Guesses made earlier this decade were astronomically high. IBM believed there would be some trillion connected devices by 2015, while others were a little more conservative. Ericsson, for one, estimated that there would be 50 billion by 2020, a number it has since reduced to 28 billion by 2021. These numbers may again have to be re-evaluated, with the latest WikiLeaks revelations around CIA hacking of connected devices bringing IoT’s security vulnerabilities fully into the mainstream consciousness.
The tranche of files released by WikiLeaks this week describes CIA plans for malware and other tools that could be used to hack into some of the world's most popular technology platforms. The documents show that the developers tried to inject these tools into targeted computers without the owners' awareness, using on-board cameras and microphones on smart televisions, automobiles, smartphones, laptops, and so forth to spy on people - even when they are offline. One CIA program named ‘Weeping Angel’ provided the agency’s hackers with access to Samsung Smart TVs, allowing the television’s built-in voice control microphone to be remotely enabled while keeping the appearance that the TV itself was switched off, a state called ‘Fake-Off mode.’ The alleged cyber-weapons are said to include malware that targets Windows, Android, iOS, OS X, and Linux computers as well as internet routers.
The files do not give details of who the prospective targets are, and it is not actually suggested that they will enable mass surveillance. Indeed, most will require a warrant and even physical access to the device itself, making them little different to a wiretap. According to Matt Blaze, a University of Pennsylvania computer scientist, ‘It's unsurprising, and also somewhat reassuring, that these are tools that appear to be targeted at specific people's (devices) by compromising the software on them — as opposed to tools that decrypt the encrypted traffic over the internet. The exploits appear to emphasize targeted attacks, such as collecting keystrokes or silently activating a Samsung TV's microphone while the set is turned off. In fact, many of the intrusion tools described in the documents are for delivery via ‘removable device’.’
That intelligence agencies have created tools to turn IoT devices into listening posts should surprise no one, especially those in information management who will be well aware of vulnerabilities. In fact, if the CIA hadn’t been exploring these options they would have been frankly irresponsible. Anything with an internet connection can be hacked, and for an organization like the CIA to be behind the curve in terms of how it is done would look ridiculous. The revelations are, admittedly, worrying in terms of the recklessness with which the operations were conducted. According to Edward Snowden, the CIA reports show the USG developing vulnerabilities in US products, then intentionally keeping the holes open. ‘Reckless beyond words’, tweets Snowden, arguing that ‘until closed, any hacker can use the security hole the CIA left open to break into any iPhone in the world.’
This does not paint the CIA in the best light, though their reputation was not exactly gleaming before. But the hack is likely to have far greater repercussions for the IoT, as it exposes the general public to the many security issues previously only really discussed in relatively niche areas of the technology press. IoT is still a nascent technology that can ill afford a publicity disaster. The depth of the damage inflicted here, though, really depends on whether people actually care about privacy enough to decide against using such devices as a result.
The question of data privacy has been much discussed in recent years, but while many consumers see it as a major issue, it is certainly not clear-cut. In a recent report by KPMG International, 55% of consumers surveyed globally said they had decided against buying something online due to privacy concerns. Fears around the government use of data seem to be divided along roughly the same lines. In a recent Pew survey, conducted in spring 2016 and released this January, 46% of respondents said the government should be able to access encrypted communications when investigating crimes. Just 44% said tech companies should be able to use encryption tools that are ‘unbreakable’ by law enforcement.
However, someone having access to your data is one thing. Even private messages, which many would feel to be more of a violation than, say, knowing your location, are still just text. The idea of being watched and listened to in your home, on the other hand, is another ball game entirely. Whether or not this is actually what the CIA is doing is essentially immaterial; this is what the headlines and the tweets will make many who see this news believe - government agents watching everyone through their televisions, ‘Big Brother’ watching, 1984 come to life. This news really drums home that the prospect of achieving antiquated notions of privacy is to become a distant memory when the IoT lays down roots in our everyday lives. Lack of privacy is already becoming an accepted part of modern life. FBI director James Comey declared after the CIA disclosures that ‘There is no such thing as absolute privacy in America.’ Since smart tech has become so integrated into our society, it's hard to take the only reasonable step you can if you want total privacy - to cut out smart devices and messaging apps. It simply means sacrificing too great a part of our social life. There’s little getting away from it.
Ultimately, it comes down to whether or not people really care enough. I betray my privacy far too often voluntarily through social media, personal writing, and talking in public spaces, to really be able to say I worry about it without looking like a hypocrite. But I have control over these things. I enter into agreements to hand over my data every day in the knowledge that it will be used by a company for marketing. I even send messages knowing they might be flagged up by some government agency if I say ‘bomb’ too many times because I am aware this is useful in national security. The idea of someone listening in to conversations I have in my own home without my consent or good reason feels like far more of a violation, though. I also expect any companies to whom I give my data to do everything they possibly can to secure it. The issue is control and consent. What matters for the growth of IoT moving forward is that people feel like they have control over their data and that there is clarity from governments as to whether they will be able to hack it. These tools may be intended for enemies of the state, but who determines what this means?
IoT manufacturers firstly need to work on their security far more than they have, as it is clear that in the rush to get out devices and exploit the trend, they have left some pretty gaping holes. The CIA is not going to be the only organization hacking connected devices; there are likely to be some far more nefarious characters willing and able to do the same. And stopping them needn’t even be too complicated. Mark Zuckerberg showed last year, when images of his MacBook with a bit of tape over the lens went viral, that it’s pretty easily achieved. Even putting a cap over the camera lens of a smart TV would probably be enough to show that companies were thinking about security and showing you that you should be aware there are risks. J.R.R. Tolkien once wrote, ‘It does not do to leave a dragon out of your calculations — if you live near him.’ For IoT, cybersecurity is the dragon, and manufacturers need to think carefully about it or they risk being severely burned.