Dear privacy pros,
I trust you have been keeping well since my last introduction.
Coming hot on the heels of the recent spate of reports concerning major data breaches stemming from the scraping of personal data from Facebook (estimated 533 million users affected), LinkedIn (estimated 500 million users affected) and Clubhouse (estimated 1.3 million users affected), I found this article on the NAME:WRECK vulnerabilities particularly intriguing.
To briefly summarize, security researchers have uncovered nine domain name system implementation vulnerabilities in four commonly used TCP/IP network stacks, potentially affecting at least 100 million devices worldwide, including high-performance servers, networking equipment and operational technology systems that monitor and control industrial equipment. These vulnerabilities may also potentially be exploited by malicious actors to tamper with or control Internet of Things devices. Security patches for all four affected stacks have been released, but these have to be installed by the network administrators of the affected devices.
While there have already been a large number of documented security breaches arising from individual IoT devices that have been poorly secured (e.g., weak default passwords), I wonder if attacking multiple devices at the network level may represent a new threat vector for the appropriation of large amounts of potentially sensitive personal data. Given the ever-increasing number of household devices that are getting connected to the internet, from fans to lightbulbs, this is an area that bears further scrutiny.
In this regard, the U.S. National Institute of Standards and Technology report summarizing key takeaways from its virtual workshop covering security and privacy measures affecting IoT devices is instructive. Given the foreseeable difficulties in getting the end consumer to fully understand the risk factors and proactively take steps to secure the IoT device, we will likely have to fall back on the manufacturers and government authorities to take appropriate steps to safeguard the consumer’s interest (see for example the Cybersecurity Labelling Scheme launched by the Cyber Security Agency of Singapore).
Interestingly, I also recently came across another article that might be relevant in this context. Local internet service provider ViewQuest has launched a new “clean pipes” broadband service that it claims can protect its subscribers from attacks by scanning for and blocking threats at the network level. This will allow the service to act as the first line of defense against compromised IoT devices and potentially obviate the need for the user to install security patches on individual IoT devices on the home network.
Perhaps we can combine that with another innovative piece of technology from a local firm, the X-Phy Cyber Secure SSD, a solid-state computer drive that leverages artificial intelligence to block access to and exfiltration of data by hackers. The drive will also automatically wipe the data stored on it in the event that it is physically tampered with. The use of such drives in IoT devices, particularly where it is not feasible to install antivirus software, may potentially function as a great second line of defense.
As a footnote, I would also point you to this report from the Future of Privacy Forum, which provides recommendations to address the privacy risks of augmented reality and virtual reality technologies. After IoT devices, AR and VR technologies might prove to be the next frontier we have to protect in order to secure the personal data of consumers in the not-too-distant future.
All I can say is that there is never a dull day in this business.
Read this news from the IAPP here: https://iapp.org/news/a/notes-from-the-asia-pacific-region-23-april-2021/