It's Time to Read the Small Print on IoT Devices

We hear constantly of security flaws in IoT devices, such as the new set of 125 bugs announced in ISE’s SOHOpelessly Broken 2.0 research study. What often goes unmentioned, though, are what devices are doing intentionally behind the scenes.

Software engineer Robert Heaton took a closer look at this recently when unpacking a new HP printer for his in-laws. The printer setup instructions asked him to download and install an app, which he did, so that it could set him up with the company's Instant Ink automatic consumables reordering feature (which he didn't use).

Then, the app displayed its data collection notice, which left him wide-eyed. It told him that it would collect product usage, device, application, and performance data from the printer, “as well as any apps used to facilitate device operation in accordance with the permissions given in the Data Collection Settings.” HPE would use the data for customer experience and product support, but also for administrative communications, business operations, R&D, and advertising, it added — in other words, pretty much every internal company function.

That product usage data includes pretty much everything aside from the actual document contents, including the types of files printed, what app you printed them with, the file size, and when you printed them. The company warns that it reserves the right to share that data, plus a range of other information about an individual including demographics, location, and even social media data, with unspecified third-party service providers.

HPE also mentions that it collects data from companies including data brokers and social and advertising networks. This makes it possible for the company to aggregate external data with the data it gets from its printers to gain a clearer picture of who is using them and how.

Let's be clear that HPE technically requests consent from the user to do all these things, but as Heaton's screen shots point out, these consent boxes come pre-ticked (and marked 'recommended'), nudging distracted or uneducated users into just clicking 'continue'.

How many users really read the fine print on these, or on any other connected devices, especially those that gather even more personal data, such as wearables? Perhaps it's time we started.

What’s Hot on Infosecurity Magazine?