Can hackers use your microwave to steal your credit card information thanks to the unknown security and privacy practices of device manufacturers? Households are filled with connected devices that usually interface with other devices and external servers. These devices are constantly collecting and sending data, sometimes without their owners’ awareness or consent. These devices increase the attack landscape, as evident in various IoT-specific threats such as Mirai Botnet, Brickerbot, and Tsunami.
Hungry consumers can tell how many calories are in a bag of chips because they can check the nutrition content on the bag. Contrarily, the same consumers cannot check the security and privacy practices of a new IoT device. However, this is about to change after researchers at Carnegie Mellon University developed an Internet of Things (IoT) security and privacy “nutrition label.” The new label will encourage manufacturers to disclose their IoT security and privacy practices on their devices. The disclosure will help consumers make informed choices when selecting or using IoT devices.
Presenting IoT security and privacy information
The researchers at Carnegie Mellon University’s CyLab consulted with 22 privacy and professional security experts in the IT sector, government, and academia to come up with the new IoT security and privacy solution. The new solution will feature an IoT label generator to allow manufacturers to generate labels for their IoT devices easily. The new IoT security and privacy nutrition label will be concise and easy to understand, similar to food nutrition labels.
The IoT security and privacy label consists of two information layers. The primary layer exists on the device’s box and informs users of the most basic information, such as the type of data the device collects, the reasons for data collection, and the third-party entities the data is shared with.
Users can access the secondary layer by scanning a QR code on the primary layer. The secondary layer exists online and contains additional information, which includes how long the device retains the collected data, how frequently the sharing takes place, and whether the device receives automatic security updates.
The primary and secondary layers communicate 47 important pieces of information regarding a device’s IoT security and privacy practices.
IoT security and privacy concerns
Research shows that the majority of people are concerned about the security and privacy practices of their devices, according to CyLab’s Pardis Emami-Naeini, the leading author of the study and a Ph.D. holder in Societal Computing.
A study by Economist Intelligence Unit found 89% of the respondents were uncomfortable with sharing data with third parties without consent. In comparison, 92% said it was crucial to inform consumers while collecting data. However, there lacks a means of informing users of the IoT security and privacy practices of the devices collecting this data.
The IoT security label serves as a blueprint for privacy regulations, which require transparency in consumer data collection. The Cyber Shield Act intends to create standards for IoT devices and attach labels to devices that comply with the regulations. Countries such as Finland, Singapore, and the United Kingdom are also in the process of enacting such standards.
Improvements in internet connectivity speeds have allowed most devices to include various IoT components that autonomously send and receive data online almost totally without the users’ knowledge. Consequently, many users forget that these devices are consistently collecting information that is used by third parties to target them and influence their decision on a range of issues from what to buy to which political party to vote. However, the concept is too abstract for most users who do not understand the power that personal data has on their lives.
If device manufacturers adopt the new IoT privacy and security labels, users will gain insights into the potential risks associated with their data. For example, devices collecting data unrelated to their purpose, those sending data very frequently, or those sharing information with suspicious entities will raise users’ concerns on potential suspicious intentions.