Connecting all our stuff to the internet – making devices “smart” – brings with it a lot of risks. Besides the more obvious cybersecurity vulnerabilities, these devices are also collecting a lot of personal data, offsetting razor thin profit margins by monetizing our data. In most cases, we can limit this data exfiltration using outbound firewalls and DNS services, or just by disconnecting the devices from the internet altogether. But I fear that very soon we will lose this ability. Here’s why.
Monetizing IoT Data
The Internet of Things (IoT) has connected billions (with a “b”) of computerized devices to the internet. Most of these devices have crappy security and I’ve long encouraged people to put their less trustworthy IoT stuff on a guest network to compartmentalize the risks they bring.
But IoT devices also have serious privacy issues. For that reason, I also sometimes recommend that people keep their smart devices dumb – that is, disconnect them from the internet. Smart TVs today are monetizing your data by selling your viewing habits. However, if you’re using a separate streaming box for watching Netflix, you don’t need to connect your TV to the internet at all.
But what if the smart device in question didn’t need your Wi-Fi to connect to the internet? What if it could connect to the internet without ever requiring you to configure a thing? You would hope that it would at least ask your permission first, but there’s no law (at least not in the US) requiring them to do so. Your information is valuable and most companies today will not leave that money on the table.
Mining Data for Compliance
This is not a hypothetical scenario. Some smart devices are already doing this today. Here’s one example. Someone I know recently got a new CPAP machine (a medical device used to treat sleep apnea). Insurance companies require that you prove “compliance” before they will agree to pay for the device. This means proving that you’re actually using it regularly for some period of time. In the past, this compliance was measured by storing usage information on a little SD card inside the device. After the trial period, you’d bring the SD card to your doctor and they would check the data to verify that you complied with the minimum usage. If so, the insurance company would pay for the device.
Some newer models have built-in Wi-Fi that will allow you to upload your data to “the cloud” and save you a trip to the doctor. Of course, it can continue uploading data after that period is over, unless you disable the Wi-Fi access. So, you’re still in control of the data sharing.
The Cellular Circumvention
But the latest CPAP devices have a different mechanism for getting on the internet: a built-in cellular modem. The person I know was told (after asking – this wasn’t volunteered) that the device would come pre-configured. Not only would it automatically connect to the cellular network using a service plan that was already created, the device would come with the patient’s CPAP prescription settings pre-programmed and be tied to that user. This association could not be altered by the user (at least according to the tech support person). Welcome to the Cellular Internet of Things.
Cellular modems are cheap and getting cheaper. If a device comes with a cellular modem built in, it probably also already has a cellular data plan, too – and that plan is probably not going to be owned or controlled by you. Modern cars have cellular modems built in and they’re sending lots of data back to the manufacturer whether you pay for access to the cellular data (“hotspot”) or not. Tesla Powerwall’s (and perhaps their solar systems) connect to your Wi-Fi network, but have a cellular modem as a backup. And cellular isn’t even the only wireless data option today, and more technologies will be coming (LoRa, satellite, Sigfox and more).
The bottom line here is that the “smart” devices of the future will be able to connect to the internet with or without your help. And without privacy laws, they will also do it with or without your express, informed permission. There’s honestly not a lot you can do about this, personally – which is the problem I’m raising here. We need strong privacy laws, and we just don’t have them in the US – yet. In the meantime, I at least wanted you to be aware of this new avenue for data collection via Cellular IoT.
Need practical security tips?
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.
Don't get caught with your drawbridge down!