Why Designers Should be Careful with their Personal Information

2019-09-11 | By Maker.io Staff

Staying Safe while Staying Connected

The integration of sensors and microcontrollers into everyday products is an increasingly common practice. These sensors and devices, when coupled with internet capabilities and online cloud-based AI systems, can provide users with interactive, intuitive interfaces. Current basic systems can pre-order items for your home (such as milk, eggs, and toilet paper) by learning about what you want and need in your home, but it won’t be long before these same systems can start to make intuitive decisions and determine things you need, before you even know that you need them! While this type of intuitive behavior can save time and effort, it does come at a cost: your personal data is being collected.

The Trouble with Metadata

When thinking about personal data, the first thoughts that may come to mind might include your name, age, date of birth, and address. While this data is personal information, it is not the only personal data that an internet-enabled device may monitor. In fact, the use of the word “personal” may lead designers to ignore data that is not directly related to a specific person and therefore believe that other data is not sensitive. Perhaps the word we should use instead is “sensitive” or “private,” as these words better cover other forms of data that go beyond an individual’s name or password.

Any internet-enabled device that has sensor capabilities (even sensors as trivial as temperature or humidity) is collecting information about its surroundings. While it may not be obvious, this data is potentially sensitive and could give attackers key information about the surroundings of the device. Knowing the temperature of a kitchen or bathroom may be useless to an attacker at face value, but if, for example, the temperature sensor was situated in a refrigerator containing organic cultures in a laboratory, attackers may be able to fool the system into thinking it is too cool (by feeding false values) or learn about industrial secrets regarding temperature settings.

Of course, temperature sensors are a bit of an extreme example, but other devices (such as piezo elements) should be treated with extreme caution. While piezo and speaker elements are used to generate tones and beeps, they can also be used in reverse as a microphone. If an audio port was configured as an input instead of an output, the attacker could monitor conversations or learn the location of guards at certain times, for example. Recent real-world examples of IoT breaches should give us all pause.

Simple Steps to Protect your Personal Information

While it may seem paranoid to be worried about any and all data collected by a circuit, it is amazing what hackers are capable of with powerful AI systems. Yet another issue with sensors is that they can provide indirect access to subsystems that may normally be inaccessible to an attacker. If, for example, attackers want to turn off security sensors in a system, they could trick a weakly protected IoT fire detector device into thinking that there is a fire. This fire detector may be linked to the security system, which causes all doors to unlock so that people inside the facility can evacuate.

This hypothetical demonstrates that a perfectly reasonable system can allow outside manipulation because of one weak point (e.g., a fire sensor that has no login system or no password protection). Sensitive information goes far beyond usernames and passwords, and if your circuit is capable of reading outside sensory data, then you need to think about what someone could do with that data, and whether it’s possible to prevent outside access to that data.

A basic knowledge of IoT Security Certifications is a great starting point for protecting your projects. Beyond that, here are a few simple things you can do to protect your design from attackers:

  • Use encryption – Whenever possible, encrypt data that is external to your device.
  • Use strong passwords – Don’t use default passwords such as “admin” and “password”.
  • Integrate a lockout system – If an attacker gets it wrong 3 times, lock the system out!
  • Don’t use HTTP – If your device connects to the internet, use HTTPS.
  • Use non-standard code and systems – Try not to use Arduinos or Raspberry Pis for products as these are well-known for their vulnerabilities.
  • Don’t use interpreted languages – Compiled languages are harder to meddle with.
  • Use microcontrollers with crypto engines – Try to use a microcontroller with a crypto engine or core.
  • Avoid external memory – While not always possible, try to avoid the use of external memory chips, as these can be an entry point for attackers.
  • Avoid direct internet access – This is not always convenient, but using strange or non-standard protocols can confuse attackers. For example, consider using 433MHz or Bluetooth between your device and a gateway, which then connects to a router, as opposed to using Wi-Fi for connecting your device to a router.
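
A sketch of the lockout item from the list above in C, added here as an illustration and not taken from the original article. The function names, the 300-second lockout and the sample secret are assumptions, and `now` is a seconds counter the caller supplies.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FAILURES 3        /* "gets it wrong 3 times" */
#define LOCKOUT_SECONDS 300u  /* assumed duration; the article gives none */

typedef enum { AUTH_OK, AUTH_DENIED, AUTH_LOCKED } auth_result;
typedef struct { unsigned failures; uint32_t locked_until; } auth_state;

/* Compare with no early exit, so response time does not reveal how many
   leading characters of a guess were correct. */
static int ct_equal(const char *guess, const char *secret)
{
    size_t glen = strlen(guess), slen = strlen(secret);
    unsigned char diff = (unsigned char)(glen != slen);
    for (size_t i = 0; i < glen; i++)
        diff |= (unsigned char)(guess[i] ^ secret[i % (slen ? slen : 1)]);
    return diff == 0;
}

/* now: seconds counter supplied by the caller (assumed monotonic). */
auth_result auth_attempt(auth_state *st, const char *guess,
                         const char *secret, uint32_t now)
{
    if (st->locked_until != 0) {
        if (now < st->locked_until)
            return AUTH_LOCKED;   /* refused even if the guess is correct */
        st->locked_until = 0;     /* lockout expired: start a fresh count */
        st->failures = 0;
    }
    if (ct_equal(guess, secret)) {
        st->failures = 0;
        return AUTH_OK;
    }
    if (++st->failures >= MAX_FAILURES) {
        st->locked_until = now + LOCKOUT_SECONDS;
        return AUTH_LOCKED;
    }
    return AUTH_DENIED;
}

int main(void)
{
    auth_state st = {0, 0};
    const char *tries[] = {"admin", "password", "1234", "sample-Secret-42"};
    for (uint32_t t = 0; t < 4; t++)  /* constructed attempts, 1 s apart */
        printf("%d\n", (int)auth_attempt(&st, tries[t], "sample-Secret-42", t + 1));
    return 0;
}
```

On a real device the failure count and `locked_until` need to survive a reset, otherwise power-cycling the unit clears the lockout.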

Consider the Impact of your Choices

Innovation is something that should never be hindered or prevented, but as an innovator, it is your job to envision the future and the impact of your vision. Will your product or design benefit the masses? Will it need to collect personal data? Does it NEED to gather personal information? If so, think carefully about the way you have insulated yourself from potential attacks, for your sake and the sake of everyone around you.
