Cybersecurity in the IoT: protecting consumers in the 21st century
Over the past few years, products connected to the IoT (Internet of Things) have become commonplace. These usually improve consumers’ daily lives - for example, by improving the quality of health care services, reducing the obsolescence of products through software updates and providing a more personalised usage.
The downside is that these devices rely on data (including personal data) to function properly, which is a cause for concern for a number of reasons. Indeed, if we have learned anything from the 2018 Cambridge Analytica scandal, it is that personal data is a much more valuable resource than it would appear. In addition, the connected nature of these devices also reduces the security of the whole ecosystem. As an example, a connected washing machine may be used as an entry point to the home network to which other devices are connected, and those other devices may hold private data that can later be held for ransom.
At Euroconsumers, we believe that consumers should be in full control of their data (see our manifesto My Data is Mine). This is why consumer organisations have been developing new capabilities in the area of IoT, security and privacy. Euroconsumers is a proud member of ICRT (International Consumer Research and Testing), an independent organisation committed to the development of an IoT test protocol to assess how safe products are from cyberattack. Today, we would like to highlight two examples of our fight against cyberthreats.
Case study 1: outdoor IP cameras
In July 2019, our Belgian member Test-Achats published a test on outdoor IP security cameras. These are Internet-connected and can be controlled by an app through which owners can watch the video feed or receive notifications when a person is detected by the camera. Videos are also stored, either on a local SD card or in the cloud. All very convenient, but not without risk. Of the 12 cameras we tested, six turned out to have security flaws, such as faulty encryption.
The most important issue with the three least secure devices is that they feature UPnP (an old network technique that makes devices in a home network reachable from the public Internet), active by default. If UPnP is also active on the home router, hackers can easily gain access from the Internet. After the test, the manufacturers were informed about the issues we uncovered. Just two responded speedily, addressing our concerns adequately. Others remained vague in their responses, without indicating a clear intent to address the issues.
Case study 2: mobile applications
Most mobile apps today rely on the use of personal data to function properly. Hence, it is our expectation that this kind of information must be handled responsibly. In the past few years, a dangerous trend has begun to emerge with many app providers secretly selling personal data to third parties, who in turn make use of the acquired personal data for other purposes.
For the past eight years, we have been performing a test known as the “Man in the Middle Attack”, which allows us to track all network communications going to and coming from mobile devices. We have uncovered several serious security issues, which we have reported to developers. The most recent example of this was with a popular entertainment app called “House Party”. Following registration, this app would automatically send usernames and email addresses to several different third parties, as well as a full list of the apps already installed on the user’s device.
Most of the issues we find are related to insufficient privacy safeguards. Many apps we test (especially, but not exclusively, free apps) send unique IDs that third parties then use to build profiles for marketing purposes. Consumers are generally misinformed because of convoluted T&Cs and privacy policies, which are also often not GDPR-compliant.
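As an added illustration of the kind of check a man-in-the-middle test like the one described above leads to (this is not Euroconsumers' or ICRT's tooling; the first-party domain, field names, regexes and captured requests are all constructed assumptions), the following Python classifies intercepted requests by the personal data they send to third-party hosts: usernames, email addresses, installed-app lists and unique tracking IDs.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit
# Hypothetical first-party domain of the app under test (an assumption, not from the article).
FIRST_PARTY = "example-app.test"
PII_KEYS = {"email", "username", "installed_apps", "device_id", "advertising_id", "idfa"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def _flatten(obj, key=""):
    """Yield (key, value) pairs from nested JSON so a PII field is found at any depth."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _flatten(v, k.lower())
    elif isinstance(obj, list):
        for v in obj:
            yield from _flatten(v, key)
    else:
        yield key, obj

def find_leaks(request):
    """Return the sorted PII categories one intercepted request sends to a third-party host."""
    parts = urlsplit(request["url"])
    host = parts.hostname or ""
    if host == FIRST_PARTY or host.endswith("." + FIRST_PARTY):
        return []  # first-party traffic is expected; only third parties are flagged
    pairs = [(k.lower(), v[0]) for k, v in parse_qs(parts.query).items()]
    body = request.get("body", "")
    try:
        pairs += list(_flatten(json.loads(body)))
    except ValueError:  # not JSON: treat the body as form-encoded
        pairs += [(k.lower(), v[0]) for k, v in parse_qs(body).items()]
    found = set()
    for key, value in pairs:
        if key in PII_KEYS:
            found.add(key)
        if EMAIL_RE.fullmatch(str(value)):  # value-based check catches renamed fields
            found.add("email")
        elif UUID_RE.fullmatch(str(value)):  # UUID-shaped values are usually tracking IDs
            found.add("unique_id")
    return sorted(found)

# Constructed sample of intercepted requests, not real captured traffic.
CAPTURED = [
    {"url": "https://api.example-app.test/login",
     "body": json.dumps({"username": "alice", "email": "alice@example.com"})},
    {"url": "https://track.adnetwork.test/event?idfa=9b2c6a1e-4d3f-4a7b-8c9d-0e1f2a3b4c5d",
     "body": json.dumps({"email": "alice@example.com", "installed_apps": ["com.bank.app"]})},
]
```

Running `find_leaks` over each entry in `CAPTURED` flags only the ad-network request, with the email address, the IDFA query parameter, the installed-app list and the UUID-shaped identifier it carries.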
The consumer perspective on cybersecurity
Our research shows that consumers are often completely unaware of the scale of the risk they face when they make use of IoT devices. Manufacturers and software companies have exploited this asymmetry of knowledge to their advantage. At Euroconsumers, we believe this situation is unsustainable. Soon enough, public dissatisfaction with the latest cybersecurity scandal will increase, and consumer trust in technology will plummet. This is no longer an issue of ex-post consumer protection. If the digital ecosystem is not rebalanced, society risks losing technology as an effective means of development, fulfilment and entertainment. Euroconsumers is committed to bridging this gap.
We believe that an effective strategy must be three-pronged. First, on the supply side, manufacturers and developers must be challenged when their products pose a threat to privacy and security. Second, on the demand side, an effective information campaign must be put in place to educate the public on the dangers of insufficient cybersecurity in the digital ecosystem. Third, Euroconsumers believes that multi-stakeholder cooperation is critical to ensure that the interests of consumers are placed at the forefront of the data economy. Consumer organisations, industry representatives and lawmakers must keep in continuous contact with each other, as the legislative process is often slow, and no opportunity for collaboration should be missed.