We are all marching towards a hyperconnected world and the growth of ‘The Internet of Things’ (IoT) shows no sign of slowing. However, the convenience and impressive abilities of hyperconnectivity can overshadow the potential security concerns that IoT can present.
A timely example of this was the recent scandal over the Strava fitness tracking app, which unfortunately proved that geotracking can give away a lot more information than many people realise!
Fitness tracking apps are obviously designed so the user can assess their training regime, and many allow this data to be shared with other users in the public domain to add a competitive edge and sense of achievement.
On the face of it, this doesn’t seem like much of a problem. But when you consider the amount of data being recorded (not only location but also times and dates) it offers the viewer a substantial amount of sensitive information on a given user.
This issue becomes even more problematic when the user in question works in a secure role. In this case, it was army personnel training around US military facilities who inadvertently posted information on their location, specific movements and times (suggesting shift patterns), all of which could easily be interpreted as valuable intelligence by a potential enemy.
What is even more disturbing for the military personnel in question is that many of the facilities highlighted by the Strava map are deliberately hidden or masked from general maps of the area to protect people and facilities. A seemingly innocent fitness app has produced as much sensitive data as deliberate espionage!
What the Strava app case vividly demonstrates is just how potentially dangerous geodata recording can be. This is an extreme security case, but this data can be as detrimental to civilians as it is to military or security professionals.
For example, imagine you are a homeowner who works in an office during the working week. You may use a fitness tracker or smartphone to log your exercise each week (or each day if you’re particularly keen!) and much like the Strava example, this will show exactly where you are and when.
Should a criminal element want to burgle your house or steal your car, they could very quickly assess the data and ascertain the best times to do so when your home is empty. Alternatively, anyone wishing to attack you could find out when you are regularly in a deserted or quiet area. Equally, a determined stalker could use the information to target their intended victim when they are most vulnerable.
Finding a Balance
This might seem a little paranoid (and certainly for many people, these potential issues will never be a problem), but malicious individuals or groups could easily benefit from access to this level of unsecured data.
It is, however, worth remembering that geolocation is a popular function of many smart devices today – just look at the benefits of Google Maps, for example. Whether we are looking for a service, a business or the address of a friend or colleague, these maps make life much easier.
In many cases, it is not realistic to impose a blanket ban on the use of these services. However, as the Strava example has illustrated, the security risks cannot be ignored either.
Wider Security Considerations
It is perhaps more sensible to consider the implications of tracking apps in the wider security mix. Most smart devices allow the user to switch the location services off if they are not required, giving greater control over the data that is recorded and shared.
Any organisation with secure facilities and specific privacy requirements should consider the implications of smart devices and the data they generate. As the Strava example demonstrated, even personal devices can be a potential security problem and need to be accounted for.
This isn’t necessarily just information that is uploaded into the cloud – smart devices tend to store data locally as well, so the devices themselves would also make an attractive target for theft or hacking by any interested party. Along with personal, financial and banking data, this is another sensitive set of information that needs to be protected on a smart device.
Who is Watching?
Physical and online security have become much more closely aligned in recent years. Naturally, physical security protects online systems, but we are now seeing online services potentially compromising physical security as well.
Access control will stop intruders from physically entering secure areas, but threats from stolen data have added a new dimension to effective protection. Without careful consideration of who could be viewing data and awareness of the potential dangers, mobile devices can become an unwelcome spy in your pocket.