TIMO ZIMMERMANN

balancing software engineering & infosec

Equipped to spy

posted on Wednesday 20th of February 2019

Some very eventful days, especially when you are in for some good, old privacy drama. First we had news about Singapore Airlines having cameras in their onboard entertainment systems and now microphones in Nest smoke detectors. Thanks to the last few years, the conclusion that companies are equipping their hardware to gather more information about you is not far-fetched. Especially if one of them is basically designed around gathering as much information as possible about everyone.

Singapore Airlines was pretty quick to comment on this and state that the cameras are not in use, that there are no plans for them to be used and that they were simply part of what they bought.

Singapore Airlines replied that it was indeed a camera, embedded into the seat back by the original equipment manufacturers of the plane, but said the cameras had been disabled on its aircraft and “there are no plans to develop any features” using them.

https://www.cnet.com/news/airplane-seat-cameras-could-be-your-new-spy-in-the-sky/

And obviously Google was also pretty quick to explain that they never intended to keep this a secret from their customers.

“The on-device microphone was never intended to be a secret and should have been listed in the tech specs,” the person said. “That was an error on our part.”

https://www.businessinsider.de/nest-microphone-was-never-supposed-to-be-a-secret-2019-2?r=US&IR=T

Now the company doing evil is telling you it is actually not, so all is good, right? Okay, enough cynicism. Let us ignore the obvious conclusion that there was malicious intent.

Looking at both incidents leaves some room for doubt about the intention to spy on everyone. Now assume a “regular user”, someone who is exposed to IoT devices, maybe even uses them, but has no motivation to learn anything. How should a regular user know if there is a risk for their privacy?

Singapore Airlines bought something and it happened to have a camera. So they deactivated it; why would they need one on board a plane anyway, right? They surely did not go out of their way to order a custom-made system without a camera at a way higher cost; disabling the existing one is easier.

And Nest could use the microphone to record shattering glass to detect a break-in. But they never got to the part where they developed the feature, maybe because the acquisition came along. And not documenting unused hardware is not a big deal anyone would have an eye on, right?

I do not think we have to discuss the long-term feasibility of deactivating hardware via software. There have been more than enough examples that show what garbage security features in network-connected devices are.

If we trust both statements, both companies paid for components they never intended to use. How feasible it would be to skip adding them depends on many factors – it could have been more economical to keep them in the design and assemble them.

The really important thing is that both companies are big enough to just change it if they saw the existence of the components as problematic. And they decided that having a camera and a microphone in a place where they are not needed is not something to be concerned about.

In an age where companies are notoriously bad at securing the little toy devices they want to put everywhere, and where most of them have lost all trust from privacy-concerned people, this is simply a bad stance to take. On top of that, some of those companies' business model boils down to “gather as much information as you can and sell it to whoever pays for it”.

Regular users no longer being able to tell whether a company is trying to set up yet another device next to their TV to spy on them or whether an honest mistake was made is a real problem. And there seems to be no sufficient backlash to instil the mindset of thinking about privacy in companies' product teams, enterprises and startups alike. And if an honest mistake happens, the paranoia is already there, hitting the wrong company and people.

I am not saying those two incidents were mistakes. I am also not saying Singapore Airlines and Google were working on yet another way to spy on people. But what I can say for sure is that every single little incident which can have some potential impact on privacy will become a bigger deal in the future. There could be two potential, worrisome outcomes – regular users will get more concerned with every device, leading us to some dieselpunk-inspired future. Or worse, people start ignoring all of this, leading to the dystopian future some people predict.

The third option is finally starting to design privacy as a first-class feature in every single product. No matter if hardware or software. If companies finally step up and take responsibility not only for what they individually did, but also for how the larger industry messed up over the past years, we might have a chance to recover some of the lost trust. But to get there and to instil this mindset of privacy first we need people pointing out every single small incident – and making it a big deal.