What responsibilities do companies have to us in keeping our data safe from prying eyes?
On Tuesday, March 7th, WikiLeaks published nearly 9,000 documents that allegedly belonged to the CIA. The documents were said to have been stolen from the CIA’s Engineering Development Group, the group tasked with the development of cyber espionage tools.
The documents outline security flaws in many popular consumer electronics like iPhones, Android phones, and Samsung smart TVs. These security flaws reportedly allow the government to spy on the owners of the products. What’s most concerning isn’t that the CIA is spying on people. Hardly anyone is surprised that the CIA spies on people. They are an intelligence agency. It’s kind of what they do. The scary thing is that these security flaws are open to being exploited by anyone, including cyber criminals. The CIA doesn’t inform the companies about these vulnerabilities, choosing instead to keep them to itself, leaving consumers exposed to hackers.
Are IoT companies the target?
The major corporations that were caught up in this leak include Apple, Google, Microsoft, Samsung, Linksys, and other companies with a foot in the Internet of Things space. One of the hacks that has garnered the most attention is the Samsung smart TV hack. It allowed a third party, such as the CIA or any other hacker, to put the TV in a fake “off” mode, making the owner think that it was powered down. While the TV appeared to be off, it would be able to secretly record audio of what was happening in the room and transmit it over the internet.
The companies were quick to respond. They claimed that the security flaws have already been patched and that they were taking this very seriously.
An Apple spokesperson made this statement:
“Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.”
Heather Adkins, Google’s director of information security and privacy, provided this statement:
“As we’ve reviewed the documents, we’re confident that security updates and protections in both Chrome and Android already shield users from many of these alleged vulnerabilities. Our analysis is ongoing and we will implement any further necessary protections. We’ve always made security a top priority and we continue to invest in our defenses.”
Rounding out the group, a Microsoft spokesperson chimed in stating that:
“Most of the issues are dated and likely have been addressed in its latest software.”
If these statements don’t inspire confidence, then you are already getting a sense of the severity here. The trouble is that cybersecurity isn’t being demanded by the mass consumer market. A simple historical example to take a look at is car safety and seat belts. Seat belts weren’t something that customers forced car companies to have. It took seat belt laws to drag both the companies and consumers to adopt basic safety features. But regulation has significant downsides and it would likely slow the rate of innovation to a crawl.
So, what can be done?
What are the possible ways of protection?
One option would be for ISPs and consumer router companies to offer a security layer, but they are slow to innovate and it’s expensive. Instead of having every IoT company also be an expert in cybersecurity, the alternative would be to have a product that can protect all other devices. The difficulty in cybersecurity is that it is asymmetrical in nature. To be secure, a company or product needs to protect itself from all possibilities, but a hacker needs to find only one crack in the armor to get in. This reality makes it nearly impossible for all companies to be experts in cybersecurity in addition to what they normally do. What’s needed is a way for cybersecurity to be provided to people without needing that expertise in every corporation.
In a recent interview, Karolis Dzeja, the Director of Marketing at CUJO, laid out to me their perspective on protection, explaining that “we built a smart home firewall that is able to do network level security and protect all devices on the network. Everything on the network, including smartphones, laptops, thermostats, doorbells, and smart TVs, is protected.”
Dzeja went on to say of their policy, “That is in contrast to antivirus which does filesystem level security. Antivirus can be installed on personal computers, but not on iPhones or smart TVs. CUJO uses artificial intelligence to analyze the behavior of your devices. It knows what’s normal and what’s malicious. If your smart TV is transmitting audio data to some suspicious source, CUJO will block it and notify you on the app.”
There are a few other things everyone should do to stay safe online. If nothing else, this leak should be a reminder to always keep everything updated. Companies release security patches all of the time, but they don’t do any good if people don’t actually do the updates. And as consumers, we should all be demanding more security and privacy from the companies we buy our products from.
A week after the WikiLeaks dump, Apple hired Jonathan Zdziarski, an important figure from the forensic security and mobile phone hacking community, perhaps signaling that they are taking the threat more seriously. In his acceptance of the position, he posted on his personal blog that, “This decision marks the conclusion of what I feel has been a matter of conscience for me over time. Privacy is sacred; our digital lives can reveal so much about us – our interests, our deepest thoughts, and even who we love.”
Security is a matter of conscience. Privacy is sacred. If we allow ourselves to reveal our deepest thoughts to these major corporations, we have to expect them to uphold their end of the bargain. Unfortunately, trust has been lost.
As a society, it’ll take us some time to acclimate to this new reality. Over the past year, cybersecurity has been put at the forefront of our social consciousness. More people have a growing awareness of the need to take basic precautions. We have to keep the conversation going and continue to demand security from the companies to whom we entrust our data.