Worries about the security vulnerabilities in ‘Internet of Things’ (IoT) devices just reached a new level after a Canadian ‘adult sensual lifestyle products’ manufacturer was found to have been secretly tracking its customers’ use of its sex toys.
Customers of start-up firm Standard Innovation, manufacturer of ‘We-Vibe’ products, have been left red-faced and angry after the company was judged by a court to have been guilty of covertly gathering data about how (and how often) customers used their Wi-Fi enabled sex toy.
Why Wi-Fi Enabled?
The We-Vibe product was made Wi-Fi enabled because it was designed to be controlled via a smartphone app over long distances and via Bluetooth over shorter distances, thereby offering users a new kind of shared but distant experience.
What Kind Of Data Was Collected?
The data that Standard Innovation collected via the smartphone, reportedly without the knowledge or consent of its customers, covered when customers had been using the sex toys, the intensity of the vibration settings used, and the email addresses of customers.
After being found guilty in a class action lawsuit brought by two anonymous females at the North District of Illinois Eastern Division District Court, Standard Innovation agreed to pay £2.4 million to those who had purchased the smartphone app-controlled We-Vibe products. As a result of the ruling, those persons who used the app to control their We-Vibe device prior to 26 September 2016 will be entitled to £6,120 compensation, while those who did not use the app will be entitled to £120.
Will You Still Love Me Tomorrow?
Despite the payouts and the bad publicity, Standard Innovation seems set to woo customers back with new and improved products in the future. The company has reportedly stated that it will improve security in the products, and provide customers with more choice in the data they share.
This story comes hot on the heels of a week where there seemed to be an outbreak of IoT paranoia in the US after comments made by President Trump’s senior counsellor Kellyanne Conway suggesting that microwaves have been used for spying, and we heard news that we could also be monitored via our smart televisions.
What Does This Mean For Your Business?
Although there is a light-hearted element to this story, continual media reports about anything from wearable fitness devices to household appliances being vulnerable to misuse or hacks are evidence and manifestations of the kinds of worries and hopes that we have about the IoT and how it can best be safely used.
Where businesses are concerned, back in July 2016 a Vodafone survey showed that three quarters of businesses saw how they use the Internet of Things (IoT) as being a critical factor in their success. Many technology commentators have also noted that the true extent of the risks posed by IoT device vulnerabilities is unknown because the devices are so widely distributed globally, and large organisations have tended not to include them in risk assessments for devices, code, data, and infrastructure.
It has also been noted by many commentators that not only is it difficult for businesses to ascertain whether all their hardware, software, and service partners are maintaining effective IoT security, but there is also still no universal, certifiable standard for IoT security.
Businesses therefore may wish to conduct an audit and risk assessment for known IoT devices that are used in the business. One basic security measure is to make sure that any default usernames and passwords in these devices are changed as soon as possible.
Security experts also suggest that anyone deploying IoT devices in any environment should require the supply chain to provide evidence of adherence to a well-written set of procurement guidelines that relate to some kind of specific and measurable criteria.
Microsoft has also compiled a checklist of IoT security best practice. This highlights the different areas of security that need to be addressed by the organisations involved throughout the lifecycle of an IoT system, e.g. manufacturing and integration, software development, deployment, and operations.