Understanding data exhaust from IoT devices

Calian and Dalhousie University are collaborating on a three-year research project to study data exhaust from IoT devices, to understand how much information a malicious person will be able to access through leaked data and find solutions to mitigate associated risks. Canadian Security magazine hosted a roundtable discussion, sponsored by Calian, revealing insights on the significance of this research, potential cyber risks, the role of quantum security and the importance of collaboration.

Setting the scene

In today’s interconnected world, the Internet of Things (IoT) encompasses devices and technology that enable communication and information sharing among themselves and with human users. But along with the benefits of these connected devices comes the real risk of data exhaust – the footprints and fingerprints left behind.

“All these connected and intelligent devices bring so much convenience to our lifestyle, so we as human beings continue to use them and increase our usage of them,” says Nur Zincir-Heywood, professor and associate dean research in the faculty of computer science at Dalhousie University. “This opens us into cybersecurity and privacy problems.”

While connected devices certainly bring convenience, Zincir-Heywood notes that in many cases, they are also contributing to data exhausting, collecting more information than a user expects or wishes to share.

These data footprints occur in everyday life, adds Kevin de Snayer, director of cybersecurity, government solutions, defense at Calian. He uses the example of searching for a restaurant on a cell phone map, or using a fitness app to track exercise and health, to emphasize the need to learn more about how and where this information can be accessed. “All of that information is collected by different data sources that can leave an exhaust trail behind,” he notes.

Zincir-Heywood is working on the project with a team of others, including Alexander Loginov, a postdoctoral researcher in the faculty of computer sciences at Dalhousie University. “It’s really important to let users know what’s going on behind the scenes,” Loginov says of the importance of the project. “Many people use these devices without knowing what kind of information is bring transmitted, and to what extent.”

The growth of IoT devices and data

Research by Statista, in co-operation with Transforma Insights, forecasts the number of IoT devices worldwide to reach more than 29 billion by 2030, creating a ton of data vulnerable to a cybersecurity breach. With that in mind, de Snayer says understanding the risks are more important than ever.

“This really extends beyond the home and personal use,” he says. “There are devices in boardrooms and office spaces too,” noting that with more companies allowing employees to work from home, meetings with potentially confidential information are taking place in various locations.

“That information can be captured outside of the home or office,” Loginov adds. Furthermore, he notes that one portion of his research found interesting insights about how smart devices collect information even when they are not in use. He points to home appliances like a washing machine as an example.

“Those devices continuously transfer information, and we detected where that information goes around the world,” he says.

With this continued proliferation of IoT devices, the cyber risks will continue to grow. De Snayer points to legal implications of information sharing, specifically when devices are recording an unintended user without their knowledge – for example, at a coffee shop. “The research will expand into that . . . for example, addressing what legal rights do people have to use – or not use – devices in public places? This is particularly important when you consider a microphone can pick up people talking several feet away.”

Future forward

As artificial intelligence and quantum computing continue to influence the world, so too will they affect cybersecurity.

“AI algorithms can play both the good guy and the bad guy, depending on who is using them,” Zincir-Heywood says. “If all this data automatically being sent from the device to the device’s creator, then someone is collecting it. Obviously, anyone who has the capability of using AI can do so to analyze collected data,” she says. “If someone is recording a conversation, an AI algorithm could guess how many of us are in this conversation, and which of us are second-language English speakers,” she adds, pointing to AI’s ability to analyze voices to determine information about the speakers.

“AI is going to help increase the use of existing threats,” de Snayer adds. “At one point it was very challenging to create a cyber threat against an organization . . . with the connected world we’re in today, AI can help assist weaker-skilled programmers. From a protective standpoint, it means we have a better understanding of the threat risk. It’s multiple layers of methodology and protection,” he continues.

Quantum security becomes part of those layers, de Snayer says, as it relates to protecting devices against quantum computing – but it can be used to both improve and break algorithms, depending on the user. As Loginov emphasizes, it’s a two-way street: “We have to protect the information we want to protect.”

The team agrees that as cybersecurity and technology continue to evolve, being complacent is not an option.

“These partnerships – not only with academia, but with our own competitors, are so important,” de Snayer says. “There are thousands of security companies out there, but no single organization can really understand it all. Collaboration needs to happen,” de Snayer says.

“We have a responsibility as academics to conduct research [that results in] a positive impact on society,” Zincir-Heywood adds. “I believe passionately that this research will create awareness and knowledge about the risks out there.”

Download a case study about this research here.