By Stephen Cobb
Privacy breaches and cybersecurity failures are
becoming – it pains me to say – all too commonplace. That doesn’t mean
some of them aren’t uncommonly strange, involving circumstances so odd they
are almost unbelievable. Consider the following tale of two images
(which may be worth more than two thousand words for the pair).
First, consider the striking image on
the left, created last year by ESET for an infographic about the Internet
of Things or IoT. In the picture you can see a bunch of different
“things” that could potentially be connected to the internet, from an automobile
to home appliances, from wearable devices to a teddy bear (and if you think
this particular teddy looks a little sinister, that’s thanks to the skill of
this particular artist).
The infographic itself, to which there is a link at
the end of this article, displays the results of a survey that ESET carried out
last October in conjunction with the National Cyber Security Alliance. The goal
was to assess consumer attitudes toward the IoT (as you may know, October is
National Cybersecurity Awareness Month). Because the survey results were
published later in the month, close to Halloween, and the science
fiction-horror series Stranger Things had become quite
popular, ESET thought that “Internet of Stranger Things” would be
a nice twist to put into the title of the resulting infographic
(hence teddy’s intentionally sinister look).
Now check out the image on the right. This
is an actual toy, sold in America, that connects to the internet, namely a
CloudPets toy (a brand owned by California-based Spiral Toys). This toy, which can
record, send, and receive voice messages over the internet, has been in the
news lately, but for all the wrong reasons.
First, there are the hundreds of thousands
of customer records found in an internet-facing database left open
to anyone curious enough to look for it. Then
there are the two million recorded voice messages, often very personal messages
between children and parents, that were exposed for an extended period of time
to anyone with basic skills, despite numerous warnings to the company about
this problem. Here is how security researcher Troy Hunt put it in his lengthy but truly excellent blog post:
“By now it’s pretty obvious that multiple parties
identified the exposed database, it remained open for a long period of time and
it exposed some very personal data. It would be a safe bet to assume
that many other parties located and then exfiltrated the same data because
that’s what people do; scanning for this sort of thing is enormously prevalent
and that data – including the kids’ and parents’ intimate audio clips – is now
in the hands of an untold number of people.”
That is Troy’s emphasis, and he goes on to say
“But it gets worse again” because not only was data from the toys and their
owners badly handled and poorly protected by a company that did not
respond to multiple warnings that this was indeed the case, but as his research
shows: “CloudPets data was accessed many times by unauthorized parties before being
deleted and then on multiple occasions, held for ransom.”
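The pattern Troy describes (a database open to the internet, read in bulk by many unrelated parties, then emptied and replaced with a ransom note) leaves a recognizable trail in access logs. The following is an added example, not code from this article, from Troy Hunt’s research, or from Spiral Toys, showing how a defender could flag that pattern. The log format is a constructed, hypothetical one (timestamp, `src`, `auth`, `op`, `collection`, `n`), as is the sample data; the internal address range is an assumption.

```python
"""Flag the 'exposed database' pattern in access logs (added example).

The log format below is hypothetical and the sample lines are constructed
for illustration; they do not come from CloudPets or any real system.
"""
from ipaddress import ip_address, ip_network

# Constructed sample log (hypothetical format):
# <timestamp> src=<ip> auth=<yes|no> op=<read|write|drop> collection=<name> n=<rows>
SAMPLE_LOG = """\
2017-01-07T02:13:01Z src=10.0.1.5 auth=yes op=read collection=users n=12
2017-01-07T02:14:11Z src=198.51.100.23 auth=no op=read collection=users n=820000
2017-01-07T02:20:45Z src=203.0.113.9 auth=no op=read collection=messages n=2200000
2017-01-07T03:01:02Z src=203.0.113.9 auth=no op=drop collection=users n=0
2017-01-07T03:01:03Z src=203.0.113.9 auth=no op=write collection=README_TO_RECOVER n=1
2017-01-08T11:40:00Z src=192.0.2.77 auth=no op=read collection=users n=5
"""

# Assumed internal range: anything outside it is treated as "the internet".
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]


def parse_line(line):
    """Turn one log line into a dict, or None if the line does not match the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    rec = {"ts": parts[0]}
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if not sep:
            return None
        rec[key] = value
    if not {"src", "auth", "op", "collection", "n"} <= rec.keys():
        return None
    try:
        rec["n"] = int(rec["n"])
        ip_address(rec["src"])
    except ValueError:
        return None
    return rec


def is_external(ip):
    """True when the source address is not in any assumed internal network."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def analyze(log_text, bulk_threshold=10000):
    """Return three findings that together describe the exposure the article recounts:

    - unauthenticated_external: internet sources that touched data with no credentials
    - bulk_reads: (src, collection, rows) reads large enough to be a data grab
    - ransom_sources: sources that dropped a collection and then wrote a new one
      (the 'delete the data, leave a note' behaviour)
    """
    findings = {"unauthenticated_external": set(), "bulk_reads": [], "ransom_sources": set()}
    last_dropped = {}  # src -> collection most recently dropped by that source
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["auth"] == "no" and is_external(rec["src"]):
            findings["unauthenticated_external"].add(rec["src"])
        if rec["op"] == "read" and rec["n"] >= bulk_threshold:
            findings["bulk_reads"].append((rec["src"], rec["collection"], rec["n"]))
        if rec["op"] == "drop":
            last_dropped[rec["src"]] = rec["collection"]
        elif rec["op"] == "write" and rec["src"] in last_dropped \
                and rec["collection"] != last_dropped[rec["src"]]:
            findings["ransom_sources"].add(rec["src"])
    return findings


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("Unauthenticated internet sources:", sorted(result["unauthenticated_external"]))
    print("Bulk reads:", result["bulk_reads"])
    print("Drop-then-note (ransom) sources:", sorted(result["ransom_sources"]))
```

Any non-empty `unauthenticated_external` set is already the headline finding: if the database answers unauthenticated queries from the internet at all, the bulk read and the ransom note are only a matter of time, which is exactly the point Troy makes about how prevalent scanning for open databases is.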
And if you were thinking this could not get even
worse, and truly scary like the teddy bear in the “stranger things” graphic,
you’d be wrong, as I will explain in a moment. But first consider this finding
from the ESET/NCSA survey: “more than 40 percent of Americans
are not confident that IoT devices are safe and secure, with more than half of
people indicating they were discouraged from purchasing an IoT device due to
cybersecurity.” More specifically the survey found: “36 percent of respondents
were very concerned about the privacy and security of children that use
‘smart-toys’.”
In other words, companies that are making internet
connected devices are already on notice that there is skepticism and
concern about their security and the privacy of the personal information that
they process. We have seen poor security affecting connected
toys before, as in the VTech case. I have previously written about security risks related to wearables and connected/autonomous vehicles. And to say that
voice-activated connected devices may cause unexpected side effects is clearly an
understatement.
What ties all of these things together – besides
the internet – is the fact that too many people who make technology are
also making poor decisions about technology risks. Those poor decisions lead to
problems, not just for the unwitting consumers who buy the poorly secured products,
but also for the wider digital ecosystem. Consider the massive Distributed
Denial of Service (DDoS) attack on October 21 of last year, which was
launched from a botnet of compromised consumer cameras and routers. It resulted in lost
revenue and unbudgeted costs for hundreds of companies, and it was made
possible by insecure IoT devices. How long before an attack of this type
impacts patient care in the increasingly connected medical world of
electronic health records?
And when you hear about devices giving up
the secrets of their users like these cuddly toys did, you have to ask how
long before patient fears around privacy loss due to weak security lead to the
rejection of connected monitoring and treatment devices, undermining the much
anticipated benefits of telemedicine? That day may come sooner than you
think, because as I said, the CloudPets story gets worse. It turns out that,
due to design flaws and poor risk assessment, these things can be turned into
spying devices, as described in this article and also here. While you could say “they’re just toys,” it is
not hard to see that a string of cases like this could seriously undermine the
public’s faith in more critical digital technology, an outcome with
potentially dire economic consequences.