Risks of Data Exhaust
“Data exhaust is an area where we are all at risk, from the largest corporations to individuals at home and governments all over the world,” says Kevin de Snayer, Director of Technology Solutions and Critical Infrastructure at Calian. “We have all experienced the situation where you Google something you are interested in—new shoes, a book, a car—and then, boom, your ads on all media are based on those searches, on devices and applications you believed to be completely unconnected to your search. Maybe that is not all bad—if I’m searching for new shoes, well then great, I’m getting ads from shoe companies and not watch companies.”
However, de Snayer warns that this collection of your data could also be used to create a digital profile of you, your company, your friends, family, co-workers, etc., to be used for nefarious purposes. “For example, a company could access that data to make a hiring/promotion decision on information that they are not supposed to have—your current health, your political affiliations, your hobbies,” he warns.
From a corporate or public sector perspective, data exhaust can be an even larger risk, says de Snayer. Data exhaust can be used for social engineering: attackers trick employees into sharing their credentials and then use them to gain access to a company’s network and data.
It’s not just companies and individuals who are at risk. This data can then be used to raise funds to support rogue nations or fund crime circuits, and then nation-states can use the data as a path to beat national and international security, adds de Snayer. Data exhaust poses significant risks to the world at large.
Uncovering IoT Vulnerabilities
Recognizing that more research needs to be done to address these risks, Calian and Dalhousie University are collaborating on a three-year research project to study data exhaust from IoT devices and find solutions to mitigate the risks associated with it. The goal of the project is to understand how much information a malicious person will be able to access through leaked data, says Nur Zincir-Heywood, Distinguished Research Professor and Associate Dean of Research in the Faculty of Computer Science at Dalhousie University, and the chief researcher on the project. The project team also includes two post-graduate students from Dalhousie, as well as de Snayer and Terri Dougall (Vice President, ESG and Industrial Development) from Calian.
“Whether it’s a chat with your friend at a coffee session or you are in an organization meeting with the CEO and other technical and businesspeople sitting around the table, if you have a coffee machine that is also connected to the internet, or if you have your smartphone with instant messaging apps or other applications running on it, these machines are sending data to third parties,” says Zincir-Heywood. “Your dryer, your washing machine at home, your security camera at the door, so many of these IoT—or smart—devices are creating data exhaust. They are sharing some type of data even when they are idle and that’s the most dangerous part.”
Understanding Data Exhaust to Reduce Risk
By gaining a better understanding of the data collection ecosystem, the researchers will create recommendations for how to use and not use IoT devices and be in a better position to predict what type of data is leaking and at what times. “Understanding the risks associated with data exhaust will ultimately help us develop new methods to protect against future cyber threats,” says Zincir-Heywood.
“This work is shedding light on what data is being leaked, how it is accessed, who is using it and what devices and applications are at most risk,” adds de Snayer. “We can use these findings to educate people, improve processes, and better understand related technologies and how to protect against the problem. This will ultimately help create an overall improved security posture in Canada and beyond.”
Calian is providing funding, but also bringing real-world experience to the project, says de Snayer. “I am not saying that academia does not have a grasp on what is happening in industry, but we get a different perspective working on a daily basis with clients who are susceptible to data exhaust risk. Along with that experience, we meet regularly with the professors and the students working on the research to collaborate on the work completed, and to offer guidance and thoughts on next steps of the research,” he says.
The research team presented their preliminary findings in two research papers: “Preliminary Results on Exploring Data Exhaust of Consumer Internet of Things Devices,” which was presented on October 31, 2023, at the 19th International Conference on Network and Service Management, and “A Systematic Review of Data Exhaust in IoT Devices,” which has been submitted for review to the Association for Computing Machinery (ACM) Computing Surveys.
A Mutually Beneficial Partnership
“It’s been wonderful working with Calian,” says Zincir-Heywood. “My student Alexander—who is a postdoctoral fellow—and I meet at least once a week and we have been presenting at the monthly meetings to the Calian team and having discussions with them. At every step of this research there is a wonderful collaboration. And they are giving us the flexibility to be able to explore all the different things that we are identifying.”
The project lines up well with Calian’s ESG vision—Calian CARES—Collaboration to Advance Resilience Excellence and Sustainability. “Yes, we are a publicly traded company, so ultimately, we need to be profitable, or we can’t sustain the business,” says de Snayer. “But we really are trying to live our ESG vision as we carry out our daily business. We are looking to be trusted advisors in all we do, and this project, which ultimately contributes to improved cyber resilience, meets those goals.”
The partnership with Dalhousie University has provided a new discussion path for Calian and its customers who are keen to understand the risks of IoT applications and how to best plan for a future that includes gateways for intruders to exploit their data. In addition, this investment in cyber R&D helps Calian meet economic development obligations as a result of the Canadian federal government Industrial and Technological Benefits (ITB) program.