Securing Personal Data on IoT Devices

Connected Devices, IoT, Security

Kai Berman

Written by

Kai Bergman

Software Engineer

The Internet of Things (IoT) has transformed everyday objects into smart, interconnected systems. Because they are so useful, smart fridges, security cameras, thermostats and voice assistants have become mainstays in our businesses and homes. However, their rapid growth and complexity mean that users and organisations must think carefully about security.

These devices are usually interconnected, communicating with each other and with cloud services, which enlarges their attack surface. They also carry large codebases, and more code means more vulnerabilities and more potential entry points for attackers. Furthermore, because of what they are for, they are often located inside homes and collect sensitive personal data, which puts their users' privacy at risk. This article explores why securing personal data in IoT systems matters and sets out principles that can help IoT developers and users keep that data secure.

Personal data and IoT

First, let’s consider what personal data is. Personal data refers to any information that can be used to identify an individual. In the context of IoT devices, this data can take many forms, including:

  • Personally Identifiable Information (PII): Names, addresses, phone numbers, and email addresses.
  • Biometric Data: Fingerprints, facial recognition data, and voice samples.
  • Location Data: GPS tracking from smartwatches, cars, or home automation systems.
  • Behavioural Data: Usage patterns, home occupancy schedules, or shopping preferences.

Why does it matter?

Users are concerned about how personal data is used. Some companies use collected data for targeted advertising, while others might share or sell user data without explicit consent. Insecure IoT devices also pose risks of data breaches, where personal information can be stolen and misused.

For example, in 2019, attackers used email and password combinations leaked in earlier data breaches to log in to Ring camera accounts (a technique known as credential stuffing). They gained access to the cameras' live feeds, violating users' privacy. Ring was subsequently sued by victims for not implementing strong enough security measures.

Importantly, users have the legal right to control their data in accordance with regulations like GDPR (General Data Protection Regulation) in the EU/UK and CCPA (California Consumer Privacy Act) in the USA.

There have been multiple cases where poor security and a lack of data protection considerations in IoT devices have led to serious privacy breaches. Here are some real-world examples that highlight why securing personal data in IoT devices is critical:

Ring security cameras (2019) – Security researchers discovered that, during setup, the Ring doorbell companion app sent the user's Wi-Fi credentials to the doorbell in plaintext over an unprotected (open) access point. Anyone within radio range at that moment could intercept the credentials and join the home network.

Data protection regulations stress "data protection by design and by default", meaning that these considerations must be made at the design stage rather than bolted on later. Amazon did patch the vulnerability, but the exchange of Wi-Fi credentials should have been encrypted and authenticated from the start.

Strava (2018) – Strava released a heat map visualising users' activity over a two-year period. Independent researchers quickly found that the data could be used to map out military bases, including US bases in Syria and Afghanistan and a UK Royal Navy base housing nuclear weapons. Strava did change its privacy settings to make it easier for users to opt out of the heat map; however, the episode illustrates how important it is to give users adequate information about how their data is going to be used before it is used.

Strava heatmap
Image source: Strava

One important measure introduced in EN 18031-2, the harmonised standard supporting the cybersecurity requirements of the EU Radio Equipment Directive (RED), is the requirement for a "user notification mechanism": the device must notify the user of any change that could affect data protection or privacy, so that such changes cannot be made without the user's knowledge.

These examples illustrate why the security of personal data on IoT devices matters not just to individuals but also to the organisations that build the devices. Failing to protect user data leads to loss of consumer trust, legal consequences, severe financial penalties under regulations such as GDPR and CCPA, and long-term damage to an organisation's reputation.


What can IoT developers do to mitigate risk?

As the examples above show, personal data collected by embedded systems can be exploited if appropriate security measures are not taken. A proactive approach that builds personal data protection in from the design phase reduces the risk associated with collecting, storing and processing sensitive personal data.

You should consider:

  • Minimising data collection – Data that is never collected cannot be exploited. Collecting only the data that is necessary for the device's function greatly reduces the sensitive data exposed in a breach. Extending this principle, data should not be stored for longer than it is needed, and the type of data collected (for example precise location versus coarse region) should be chosen deliberately.
  • Strong access controls – Multi-factor authentication (MFA) and role-based access control can limit access to sensitive data to the user roles that actually require it. Also assess whether remote access is truly necessary for a given device. Should a user be given remote access to an IoT fridge? Only if a legitimate function requires it. Every route to the personal data stored on a device that you remove is one fewer route for an attacker.
  • Encryption and secure storage – Encrypt data at rest and in transit (for device-to-cloud traffic this means TLS with proper certificate validation, not an unverified or plaintext channel), never store sensitive data such as credentials in plaintext, and keep keys out of the firmware image where a secure element or similar hardware key store is available.
  • Keep software updated – Ensure IoT devices receive regular, authenticated (signed) software updates to patch vulnerabilities over their supported lifetime. This shrinks the attack surface and with it the risk of personal data being compromised.
  • Comply with regulatory standards – Ensure compliance with GDPR, the EU Radio Equipment Directive cybersecurity requirements and the harmonised standards that support them (e.g. EN 18031), and whatever other cybersecurity regulations and standards apply in the regions where your organisation operates. You can learn more about regulations and standards in our other articles.
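The first three points above (collect only what is needed, do not keep it longer than necessary, do not store identifying data in plaintext) can be enforced at the point where device reports enter a data store. The following is an added example written for this article, not code from any real product: it takes a constructed, over-sharing "smart fridge" report, keeps only the fields the service needs, replaces the device identifier with a keyed HMAC pseudonym, and applies a retention window. The field names, the 30-day retention period and the demo key are all assumptions for illustration.

```python
"""Data minimisation, pseudonymisation and retention at ingest.

Constructed example: the device, field names, retention period and key are
hypothetical and not taken from any real product or regulation.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Only the fields the fridge-monitoring feature actually needs. Anything else
# the device reports (owner e-mail, Wi-Fi SSID, GPS fix, ...) is dropped at
# ingest, so it can never be exposed from the store. (Assumed field set.)
REQUIRED_FIELDS = frozenset({"device_id", "timestamp", "temperature_c", "door_open"})

# Assumed retention policy: door-open events reveal occupancy patterns, so
# records are kept for 30 days and then deleted.
RETENTION = timedelta(days=30)


@dataclass(frozen=True)
class StoredRecord:
    pseudonym: str        # keyed hash of device_id, never the id itself
    timestamp: datetime
    temperature_c: float
    door_open: bool


def pseudonymise(device_id: str, key: bytes) -> str:
    """Keyed hash of the device identifier.

    An unkeyed SHA-256 would be trivially reversible by hashing every plausible
    serial number; HMAC with a secret key cannot be reversed without the key,
    so a leaked store cannot be linked back to a household.
    """
    return hmac.new(key, device_id.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(raw: dict, key: bytes) -> StoredRecord:
    """Keep only REQUIRED_FIELDS from a raw report and pseudonymise the id."""
    missing = REQUIRED_FIELDS - raw.keys()
    if missing:
        raise ValueError(f"report missing required fields: {sorted(missing)}")
    ts = datetime.fromisoformat(raw["timestamp"])
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return StoredRecord(
        pseudonym=pseudonymise(raw["device_id"], key),
        timestamp=ts,
        temperature_c=float(raw["temperature_c"]),
        door_open=bool(raw["door_open"]),
    )


def apply_retention(records, now: datetime):
    """Return only the records still inside the retention window."""
    cutoff = now - RETENTION
    return [r for r in records if r.timestamp >= cutoff]


# Constructed sample report from a hypothetical fridge that over-shares.
RAW_REPORT = {
    "device_id": "FRIDGE-000123",
    "timestamp": "2024-05-01T08:00:00+00:00",
    "temperature_c": 4.2,
    "door_open": False,
    "owner_email": "alice@example.com",        # not needed to run the fridge
    "wifi_ssid": "AliceHome",                  # network detail, not needed
    "gps": {"lat": 51.5007, "lon": -0.1246},   # precise location, not needed
}
# Demo key only. In production the key lives in a secure element or KMS.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def demo():
    """Ingest the sample report, then run a retention sweep over the store."""
    now = datetime(2024, 5, 20, tzinfo=timezone.utc)          # 19 days later
    fresh = minimise(RAW_REPORT, PSEUDONYM_KEY)
    stale = StoredRecord(fresh.pseudonym, now - timedelta(days=45), 4.0, True)
    kept = apply_retention([fresh, stale], now)
    return fresh, kept


if __name__ == "__main__":
    fresh, kept = demo()
    print("stored:", fresh)
    print("records surviving retention sweep:", len(kept))
```

Note what the stored record no longer contains: the e-mail address, the SSID and the GPS fix never reach the store, so a breach of the store cannot leak them, and the device identifier is only recoverable by a party holding the HMAC key.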

By implementing these measures, IoT manufacturers and developers can reduce the attack surface of their products and systems, protect user data and comply with existing and emerging regulations, ultimately building trust with their customers.

If your team needs guidance on securing personal data for IoT devices or systems or on any other subject mentioned in this article, please contact us.