We promise you will never look at your appliances the same way again after listening to this episode. This is the privacy equivalent of sleeping with the lights on. But it’s scarier not to listen to this week’s podcast. Jeff Horne, Chief Security Officer at Ordr, discusses the data collected about you — by devices on your wrist or in your home.
Here are the highlights from this week’s episode:
Seeing all devices on your network
Ordr has a lot of medical customers, and Horne says the IoT devices in these environments communicate in very deterministic ways, so basic-level machine learning is enough to classify them. He uses “This looks like a camera” and “This looks like an MRI machine” as examples. Ordr took the same concept beyond medical equipment and applies it to millions of devices, using classifiers to passively identify devices such as POS terminals and cameras over the wire. He says that if a device communicates on a network, Ordr has a classification for it. Because you can’t protect what you can’t see, classification is the first play in building a real-time asset inventory.
IoT and Security
“Building real-time asset inventory is the foundation of the product. But being able to apply micro-segmentation rules to particularly IoT devices is that real sweet spot. If somebody brings in an iPhone that doesn’t meet certain security parameters, you can isolate that into a guest network that only talks to the internet.”
– Jeff Horne
Is a coffeemaker a computer?
Horne says that one of the issues he regularly sees is layers of devices that probably should not be on the same network together for both security and performance reasons. He’s even seen a vending machine and an MRI machine on the same network. He also found medical devices on guest networks in healthcare facilities. He believes some of the issues stem from a lack of knowledge about where devices are positioned on a network.
Horne also thinks that some people don’t realize that IoT devices are essentially computers — which need the same level of security. He shares the example of a television in a boardroom. For years, a TV was simply a device used to watch television shows, but now it is an LCD screen that runs Linux and exposes web, SMB, and FTP services. He poses the interesting question of whether a coffeemaker is just an appliance that brews coffee or a full-fledged computer. Even Horne was a bit spooked when he realized how many devices in his home were connected to the internet, including two wireless radios in his television.
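The two ideas above, passive classification from deterministic traffic and a segmentation rule that catches devices on the wrong network (a vending machine beside an MRI, a medical device on the guest network), as an added illustrative example. This is not Ordr’s code: the flow records, DNS names and segment policy are constructed, and the port signatures are well-known defaults (DICOM 104/11112, RTSP 554, MQTT over TLS 8883).

```python
from collections import defaultdict

# Constructed passive observations: (device_ip, segment, dst_port, dns_name_or_None)
FLOWS = [
    ("10.1.0.5", "clinical", 104,   None),                         # DICOM association
    ("10.1.0.5", "clinical", 11112, None),                         # DICOM alternate port
    ("10.1.0.9", "clinical", 443,   "pay.example-vending.test"),   # vending machine, constructed name
    ("10.1.0.9", "clinical", 8883,  "mqtt.example-vending.test"),
    ("10.2.0.7", "guest",    554,   None),                         # RTSP video stream
    ("10.2.0.7", "guest",    80,    None),
    ("10.3.0.4", "guest",    104,   None),                         # medical device on guest network
]

# Deterministic signatures: a device whose observed ports cover the signature's
# ports (and whose DNS names contain every hint, if any) gets that label.
SIGNATURES = {
    "medical-imaging": {"ports": {104},  "dns": ()},
    "camera":          {"ports": {554},  "dns": ()},
    "vending-machine": {"ports": {8883}, "dns": ("vending",)},
}

def classify(ports, names):
    """Return the first signature label that matches, else 'unknown'."""
    for label, sig in SIGNATURES.items():
        if sig["ports"] <= ports and all(any(h in n for n in names) for h in sig["dns"]):
            return label
    return "unknown"

def build_inventory(flows):
    """Group flows per device, classify each one and record the segment it was seen on."""
    seen = defaultdict(lambda: {"ports": set(), "names": set(), "segment": None})
    for ip, segment, port, name in flows:
        seen[ip]["ports"].add(port)
        seen[ip]["segment"] = segment
        if name:
            seen[ip]["names"].add(name)
    return {ip: (classify(d["ports"], d["names"]), d["segment"]) for ip, d in seen.items()}

# Constructed policy: which device classes may live on which segment.
ALLOWED = {"clinical": {"medical-imaging"}, "guest": {"camera", "vending-machine", "unknown"}}

def segmentation_violations(inventory):
    """IPs whose class is not permitted on the segment they were observed in."""
    return sorted(ip for ip, (label, seg) in inventory.items() if label not in ALLOWED.get(seg, set()))

if __name__ == "__main__":
    for ip in segmentation_violations(build_inventory(FLOWS)):
        print("misplaced device:", ip)
```

A real classifier would use far richer features (MAC OUI, DHCP options, TLS fingerprints, timing), but the shape is the same: passive observation, a label, then a policy decision per segment.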
Wireless tire pressure
“I’m really interested in devices — not that I see every minute or every hour — but devices that I see maybe once every two days or once every week. I was really surprised about the RF signals that come off of new vehicles’ tire pressure sensors.”
– Jeff Horne
Does the cloud know your heart rate?
Horne and Gabe delve into a lively and thought-provoking discussion about the privacy of the data collected by fitness trackers and smart watches. They point out the number of sensors in these devices that collect data: microphones, speakers, accelerometers, and gyroscopes. While they both acknowledge that collecting this data is important for making the devices smarter, they also raise privacy concerns. Horne uses the example of your heart rate accelerating and your watch telling you to see a doctor: that data doesn’t just stay on the watch. Because the data about your cardiac rhythm is uploaded to the cloud, Horne says it’s a big privacy concern if it is not properly protected.
Privacy and wearables
“I think that there’s probably going to be an awakening as a society, where we decide, ‘Hey, is this something we really want?’ as well as ‘What data can we really grab out of this?’ We will probably see more privacy legislation on top of that, probably similar to GDPR, but particularly for biometric or wearable-device-specific principles.”
– Jeff Horne