Commentary: Your smart devices are spying on you. Here’s what you can do about it
Though smart devices are getting safer, we must know what we’re bringing into our homes and set up their security features properly, says Steve Kerrison of James Cook University, Singapore.
SINGAPORE: More modern homes are embracing the conveniences of smart appliances. Smart door locks offer convenience and flexibility in accessing our homes, robot vacuums shoulder the burden of household chores, and home voice assistants link you up with online services.
But for all the benefits, what are the costs to our privacy?
A door lock might have a fingerprint sensor, allowing it to hold some of your biometric information - the same kind you might use to unlock your smartphone or for immigration clearance.
Robot vacuums need to “see” where they’re going, which is aided by a camera or lidar (light-based detection of objects and their distance). Either can be used to form an image of the room they are in.
A voice assistant has microphones designed to pick up voices clearly from far away, so that it can hear you at all times and respond to your prompts. But that means it can also hear your most personal conversations.
DATA SECURITY CONCERNS POSED BY SMART DEVICES
As with any security concern, simply hoping for the best outcome seldom works. We must establish what could go wrong and how serious it can be.
In 2019, Belgian news agency VRT reported that Google’s devices and apps were sending audio to employees worldwide to improve the accuracy of its speech recognition software. The voice assistants accidentally captured private conversations with sensitive information, sparking debate on whether they are more of a privacy concern than originally thought.
Sure to strike a nerve with parents of young children is the prospect of a baby monitor being hacked. Modern baby monitors allow parents to check on their kids from their smartphone, but they also open the possibility for a hacker to do the same, even talk to their victims using two-way audio.
These examples highlight two areas of concern that must be addressed: First, what data smart device manufacturers collect, what they use the data for and how they keep it safe; second, how an attacker can take that data and use it against us.
While stories of device hacks might make us think twice, the good news is that both consumers and industry players are learning from them. Weaknesses that used to exist in devices have been fixed, and privacy safeguards have increased in response to growing public concern.
Our security cannot be assured only by a game of cat and mouse, however. More must be done to enshrine best practices into device development, govern how data can be used and increase awareness among consumers.
NEW TECHNOLOGY AND REGULATION FOR BETTER CYBERSECURITY
There are several ways in which this is being done. Within the industry, we see improvements to security technologies, for example Wi-Fi Protected Access 3 (WPA3), the latest protection standard for Wi-Fi.
WPA3 makes it harder for devices on the same home network to spy on each other’s wireless traffic. With a greater number of Wi-Fi-enabled smart devices in our homes, such technology makes it harder for smart devices to access your online activity. Upgrading to WPA3 isn’t always straightforward, however, as many devices still don’t support it.
In addition to technological advances, companies are also increasingly open to scrutiny from employees and external experts. Vulnerability disclosure programmes allow anyone to safely report a security issue to an affected organisation.
Bug bounty programmes take this a step further by offering monetary rewards for finding bugs, with the amount depending on the severity of the discovery.
Regulators have a role to play too. No single law or regulation can cover smart devices, but when combined, there are several that help.
In Singapore, the Personal Data Protection Act determines how companies should handle personal data, including that collected by smart devices and stored by their manufacturer. Disclosure requirements and financial penalties are in place for data breaches, so companies are incentivised to protect user data, and to be judicious with what they collect to minimise risk.
The European Union’s General Data Protection Regulation serves a similar purpose. To simplify compliance, companies may implement the strictest data protection requirements globally. Doing so may be the most cost-effective approach and will benefit all users regardless of jurisdiction.
Measures to regulate smart devices are also in place. The Cyber Security Agency of Singapore recently launched its Cybersecurity Labelling Scheme, which provides a means for testing and classifying the security of smart devices.
Manufacturers can then declare these labels when selling their product. The label is not just a badge of honour in the Singapore market either, with Singapore having established mutual recognition with similar schemes in Finland and Germany.
Additionally, the European Commission is working on legislation that lays out cybersecurity requirements for smart devices sold in the EU, along with fines for non-compliant firms.
CONSUMERS HAVE A PART TO PLAY TOO
As consumers, our main responsibilities are to know what we’re bringing into our homes, and setting them up in a way that is generally considered safe.
Don’t put off enabling security features and don’t ignore prompts to apply security updates to devices.
Conversely, do be inquisitive, ensuring that you know what data a device collects, where it goes, and what commitments the manufacturer has made to protect it as well as their reputation.
That doesn’t mean only trusting a company that has never had a cybersecurity issue - all companies have, whether disclosed or not. In fact, seeing how a company handles an issue can be an excellent insight into whether they take cybersecurity and the safety of your data seriously.
Finally, remember that security is a moving target. What we previously thought was safe and secure might not be so tomorrow. We must be prepared to respond.
Steve Kerrison is Senior Lecturer of Cybersecurity at James Cook University, Singapore.