The Internet of Things market is forecasted to hit $520 billion in the next two years. According to International Data Corporation (IDC), IoT will account for at least 10 percent of the total digital universe — which will explode to 40 trillion GB of data by 2020. We’re talking 40 trillion GB of IoT data in the foreseeable future.

Connected devices, particularly those designed for the smart home and health/wellness, are always listening, always recording data.

Once data is on a device, it becomes part of a spiderweb of information that is stored in a variety of places, and it is shared among third parties and interacts with data from other sources. What information lives within all that data? Where is it stored? Who has access to it? How is it protected? How is all of this data tested?

The range of implications and opportunities that has arisen with this market is far-reaching and complicated.

Consumers around the world are eager to embrace the convenience and innovation that the IoT brings to daily life. Most are unaware of what is happening in the background with the vast amount of data the devices collect. But we’re already seeing a flurry of news reports about data privacy violations relating to IoT data.

Malicious actors are leveraging these devices for their own gain, and information from connected devices is now entering courtrooms as evidence.

As a society, we must begin to think about the individual and corporate risks that we’ll face as IoT adoption continues to proliferate and escalate. To that end, our team conducted a series of tests and research to look deeper into connected devices and the issues that are emerging with their widespread use.

Our research studied where and how data resides on these devices, how they transfer it to the cloud and amongst other devices, and recent legal matters involving IoT data. The examination uncovered the following five findings, which many people may find surprising:

Intersecting corporate and personal worlds will raise challenges. IoT data, and the ways in which that data and information are collected, stored, and secured, is colliding with the blending of corporate and personal worlds.

This linking of worlds is raising important questions about the future of data privilege, privacy, and compliance.

An employee working from home in the proximity of a smart device may unknowingly record sensitive conversations. That data is then sitting on a server somewhere indefinitely. With more and more people working remotely and using these devices in their home offices, corporations must be aware of the implications. The ways in which IoT information can impact both legal matters and compliance initiatives are far-reaching.

The discoverable cloud databases for IoT accounts are expansive:

  • access to the users’ credentials is easily attainable
  • cloud data can be collected from the vendor APIs and stored
  • data from all smartphone apps paired with the account
  • data from any account paired with the devices

When testing an Alexa device, the data available included:

  • device information
  • additional devices the user has associated with their account
  • third-party apps added to the device
  • user activity
  • credit cards, library cards, and any other cards stored in the account
  • audio files of every command given
  • network configurations
  • all groups the user has associated with the account
  • the last 50 activities performed by Alexa on any device
  • activities within hearing range of any Alexa-enabled device
  • specific voice recordings

Example findings on Google Home:

  • commands can be further correlated
  • records exist for third-party apps such as Nest
  • investigators can identify and pull the related Nest SQLite databases
  • investigators can identify and use .plist files
  • data can be found and used from a user’s iPhone backup

These artifacts can be dug up and harvested — the saved data reveals day-to-day lifestyle habits.

In SQLite, a query can contain a subquery (an inner, nested query) embedded within the WHERE clause of another query. The WHERE clause then uses the result of that inner query to select and extract further records, for example pulling every event row that belongs to a device matched by the inner query.
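The following is an added example, not code from the original article or from FTI Consulting. It builds a small, constructed SQLite database in memory (the table layout and the rows are invented for illustration and are not the real Nest or Google Home schema) and shows the pattern described above: an inner query inside the WHERE clause resolving device IDs, and a correlated subquery that attaches the most recent camera motion record to each away/home event to reconstruct a presence timeline of the kind an investigator would look for.

```python
import sqlite3

# Constructed sample data (hypothetical schema; not a real Nest/Google Home database).
SAMPLE_DEVICES = [
    (1, "Nest Thermostat", "Living Room"),
    (2, "Nest Cam", "Front Door"),
    (3, "Nest Protect", "Hallway"),
]
SAMPLE_EVENTS = [
    # (id, device_id, timestamp, event_type, value)
    (1, 1, "2019-03-04 07:02:00", "temp_set", "68"),
    (2, 2, "2019-03-04 07:45:10", "motion", "person"),
    (3, 1, "2019-03-04 08:30:00", "away", "1"),
    (4, 2, "2019-03-04 18:12:44", "motion", "person"),
    (5, 1, "2019-03-04 18:15:00", "home", "1"),
    (6, 3, "2019-03-05 02:00:00", "test", "ok"),
]


def build_sample_db():
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, room TEXT)")
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, device_id INTEGER, "
        "ts TEXT, event_type TEXT, value TEXT)"
    )
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", SAMPLE_DEVICES)
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def events_for_device_named(conn, name_fragment):
    """Nested subquery in the WHERE clause: the inner query resolves matching
    device ids from the devices table, and the outer query extracts the event
    rows that belong to those devices."""
    sql = """
        SELECT e.ts, e.event_type, e.value
        FROM events e
        WHERE e.device_id IN (
            SELECT d.id FROM devices d WHERE d.name LIKE ?
        )
        ORDER BY e.ts
    """
    return conn.execute(sql, (f"%{name_fragment}%",)).fetchall()


def presence_timeline(conn):
    """Correlated subquery: for every away/home event, look up the latest
    motion event that happened at or before it. The result is a simple
    timeline of arrivals and departures with the camera evidence beside it."""
    sql = """
        SELECT p.ts, p.event_type,
               (SELECT m.ts FROM events m
                WHERE m.event_type = 'motion' AND m.ts <= p.ts
                ORDER BY m.ts DESC LIMIT 1) AS last_motion_before
        FROM events p
        WHERE p.event_type IN ('away', 'home')
        ORDER BY p.ts
    """
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in events_for_device_named(db, "Thermostat"):
        print("thermostat event:", row)
    for row in presence_timeline(db):
        print("presence:", row)
```

Against a real extracted database the same two query shapes apply once the table and column names are taken from the actual file (for example via `.schema` in the sqlite3 shell); only the constructed names above need to change.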

These device “helpers” will then report when someone has left the premises or arrived home — and any other changes in the home. Data will be kept, preserved and saved forever, showing when your lights turned on and off — and any temperature changes. What information will this reveal about you?

All of these devices are always listening.

These home devices are the only absolute true constant in our lives. Alexa has a configurable feature called “drop-in.” This feature acts like an intercom between different Alexa-enabled devices. The devices are always listening.

Two devices can be connected if they are allowed access to one another. Once connected, a user can drop in and listen without the other end user being able to accept or deny the connection. Have you ever connected your account to a device in someone’s office? Hmm.

Alexa also actively records conversations that are preceded by what the device interprets as a wake word.

Our testing found .wav files of the test subjects having a casual conversation, following any word that sounded enough like “Alexa” to wake the device. (How surprising. What a shocker…oh my).

Yes, these types of recordings may be relevant during an investigation — but their storage also introduces privacy considerations. How long is the data kept? Answer: forever. What will the data say about you?

IoT data is actively being used as evidence in litigation: when tested on Google Home and the Echo Dot, even when data was deleted from the app’s “activity” section, it remained in the device history. (Again: how surprising. What a shocker. Oh my.)

All of this collected data and information will be a boon for investigators. We’ve seen information and data from these devices already appearing as evidence in criminal cases.

  • In one murder case, the defendant’s smart speaker audio recordings were subject to a search warrant — and ultimately the files were turned over to prosecutors.
  • In a home arson case, the homeowner told police that he did a series of things when he discovered the fire. However, a search of his pacemaker showed that the man’s heart rate barely changed throughout the incident.
  • Testimony from a cardiologist that it was “highly improbable” that a man in his condition could do the things claimed ultimately supported a conviction on charges of arson and insurance fraud.

Privacy breaches have already occurred:

  • In one report, audio and other files from an individual’s smart assistant were inadvertently released by the company storing the data to an unrelated individual.
  • When the files were later handed over to a media outlet, the staff was able to easily piece together the identity, relationships, and daily habits of the subject.

This incident corroborates mainstream worries.

  • In a study from EIU, 74 percent of respondents said they are concerned that small privacy invasions from IoT devices may eventually lead to a loss of civil rights.

The considerations above are only a snapshot of the more significant issues connected devices will continue to introduce. The type of information available through a user’s IoT account is only a small fraction of the larger pool of data that resides with the companies that make these devices.

The broader implications are extensive. As the IoT space evolves — it will be crucial for individuals and businesses to remain vigilant over the way all of their information is handled.

Megan Danilek

Megan Danilek is a consultant in FTI Consulting's Technology Segment. She assists with digital forensics and investigations, including the forensic collection and analysis of digital evidence sources including computers, email servers, mobile devices and social media platforms. She provides computer forensic expertise to corporations and law firms involved in legal matters regarding theft of intellectual property and trade secrets, and second requests.