IoT Security: What Are the Ramifications for Spying?
Last year, I went to 172 places in 53 cities located across six countries and evidently skied 55 miles. If those trips together — whether by foot, car, plane, train or on a pair of skis — were in a straight line, it would be enough to go around the planet 1.6 times. But I know this because Google informed me that it is so. The company has been tracking me precisely and sometimes incorrectly, telling me that I went to the dentist instead of a café, for instance, but most of the time, the service is accurate. Today, Google knows that I was curious about the weather yesterday because I asked the smart speaker in my home to tell me the forecast. A Nest thermostat keeps track of how often the heat is in use.
And with the rise of IoT and AI, the amount that Google and other colossal tech companies know about us is poised to expand in ways that are hard to fathom. While adoption is arguably still in the early phases for both, there is little to stop connected sensors from continuing to proliferate all around us while algorithms take charge of a growing list of duties once only performed by humans.
While the cybersecurity ramifications of these trends have become a prominent theme, the question of how this might change the state of spying has been less considered. It would cost a fortune for a private investigator to travel the world, shadowing someone from a distance and tallying the distance of their trips, but Google offers me that information for free while also using it to enable targeted advertising.
The possibilities expand as the number of connected devices around us does. As CES showed us this year, Google is serious about being a dominant force in the smart home market. The company, along with Amazon, is steadily expanding the functionality of its smart assistants while working to integrate them with an ever-expanding assortment of products: TVs, fans, air purifiers and newer household appliances.
What all of this might mean from a cybersecurity perspective is less clear. Decades ago, the notion of willingly setting up a network of microphones to allow a large corporation to have access to audio from within your home would have seemed ludicrous. But now, a sizable portion of the U.S. population — 32 percent according to one survey — has a so-called smart speaker.
And a large number of smartphone users enable tech firms to know nearly each and every location they visit by merely carrying a smartphone with them.
There is already evidence that the connected devices we carry — either near us or even within us — can enable new possibilities for spying. In 2016, former Director of National Intelligence James Clapper said it is possible that the U.S. government would spy on suspects via smart home devices. While that may be more of a possibility than a reality, there are a handful of cases where such devices have enabled unprecedented types of surveillance. One such example comes via a man named Ross Compton who allegedly set fire to his home in 2016 as part of an insurance scam. Local police got a warrant for his pacemaker data and a cardiologist determined that his alibi didn’t line up with his cardiac data. He told cops that he broke a window in his house with a cane, threw his possessions out of it, and then climbed out and pulled heavy items to the front of his house. His steady pulse during the time of the fire apparently told a different story — as did the traces of gasoline outside of his house.
That is an isolated example involving an individual. Consider the possibilities if, say, a nation-state actor or another type of threat actor were able to gain access to millions of records of citizens — perhaps even collating them with their social security cards and other personally identifiable information.
Such an outcome is possible. It wasn’t long ago — in the summer of 2017 — when Equifax was hit by one of the most infamous cyberattacks in U.S. history. Ultimately, some 145.5 million U.S. consumers had their data exposed, including their full names, social security numbers, birth dates, addresses and in some cases driver’s license numbers.
While attribution of a cybercrime is notoriously difficult, there were telltale signs that a nation state was behind the Equifax breach. There was also evidence that the nation in question was China, although the investigators studying the Equifax breach did not universally agree on that conclusion. Whether or not China-backed hackers were behind the hack, Equifax leaders feared Chinese spies were targeting the firm and shared their concerns with the FBI, according to The Wall Street Journal. The subsequent investigation also revealed that the attackers behind the Equifax breach were targeting specific individuals.
The U.S. Justice Department concluded that Russian intelligence officers were behind another famous breach — a 2014 Yahoo attack that exposed data on 500 million users. Yahoo would go on to divulge that a 2013 attack affected its entire user base of 3 billion users.
Ultimately, when it comes to cybersecurity, it is hard to make definitive conclusions about broad-based attacks, but it is true, first, that most of us have a growing amount of data being collected about our activities and, second, that nation-state–based agents appear to be interested in that information.