The head of U.S. intelligence has just admitted that spies might use the Internet of things to help them spy on people. To anyone who pays any attention to the Internet of things, this will not come as a surprise.
Still, James Clapper, the U.S. director of national intelligence, should get points for honesty.
“In the future, intelligence services might use the [Internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials,” he testified to the Senate Tuesday, as reported by the Guardian.
The Internet of things comprises millions of sensors that are designed for monitoring things and, sometimes, people.
The idea does not just refer to smart-home devices such as Amazon’s
Echo and Google’s
Nest. It also encompasses the devices that people carry around with them.
Get Data Sheet, Fortune’s technology newsletter.
The sensors built into smartphones — measuring motion, orientation, magnetic fields, light, proximity and so on — can be part of the Internet of things if they transmit data over the Internet. The devices connected to smartphones, such as fitness trackers, are usually designed to do just that.
It’s not like spies have been entirely reticent about revealing the attraction of this rapidly expanding infrastructure before now. Here’s Gus Hunt, the chief technology officer for the Central Intelligence Agency (CIA), back in 2013:
“You’re already a walking sensor platform… As you walk around – and remember, I told you mobile is not secure – you are aware of the fact that somebody can know where you are at all times because you carry a mobile device. Even if that mobile device is turned off. You know this I hope. Yes? No? Well you should… You guys know the Fitbit, right?… We like these things… just simply by looking at the data what they can find out is with pretty good accuracy what your gender is, whether you’re tall or you’re short, whether you’re heavy or light, but what’s really most intriguing is that you can be 100% guaranteed to be identified by simply your gait – how you walk.”
Last year, Hewlett Packard Enterprise (HPE
) released a report that described the Internet of things as “worse than just a new insecure space… a Frankenbeast of technology that links network, application, mobile, and cloud technologies together into a single ecosystem, and… unfortunately seems to be taking on the worst security characteristics of each.”
There are many problems with the Internet of things from a security point of view. The market has so far failed to standardize and, being young, many of the companies providing Internet-of-things devices are likely to go under. This means a lot of their products, which may see a very slow upgrade cycle, will fail to receive updates to fix security holes for as long as they should.
For more on the Internet of Things, watch:
Generally, it seems the companies making these devices don’t care very much about security in the first place. Every one of the systems HPE tested was vulnerable to the theft of account credentials through its “cloud” interface, every one allowed stupidly weak passwords like “12345”, and most had “serious issues with their software update mechanisms.”
As eyebrow-raising as Clapper’s statement was, for most people the biggest risk doesn’t come from intelligence agencies. As the Federal Bureau of Investigation (FBI) warned last year, the Internet of things opens its users up to attack by criminals, including eavesdropping, the theft of personal information, and the gaining of access to victim’s home networks.
If these connected systems are so poorly secured that criminals can break into them, it would be beyond hopeful to expect extremely well-resourced intelligence agencies not to exploit the same flaws.
There is, of course, a solution to this. The companies selling Internet-of-things devices could start taking security seriously. Perhaps if enough people become fearful of the risks, security could even become a selling point.