Recently, my husband came home from his day at work and during our normal evening conversation, I asked, “How was work today?” His reply was, “It was alright, we had another order of phone books come in.” My immediate response was to ask, “Who even uses phone books anymore?” The answer to that question is hardly anyone. In fact, my husband, who works for a delivery company, says he often finds phone books that were delivered two or three years ago still sitting in the same place he originally put them, slowly deteriorating. At one time, a phone book was your only way of finding a local business or personal number, but now the age of the Internet makes needing that physical book obsolete. All of that information now lies at our fingertips…and now, even with just the sound of our voice. With a simple “Hey, Siri…” or “OK, Google…” we can ask these Internet-based devices for a plethora of information which they deliver immediately. Beyond these systems, there is now an Internet-based gadget that can do just about anything. There is a device that can order you food, place your Amazon order with one click, pay your bills, raise and lower the temperature of your home, and even control your home security. Beat that, phone book!
Internet of Things (IoT)-based technologies are rapidly appearing in our lives and collecting personally identifiable information (PII) in massive quantities. IoT devices often claim to collect this information in order to personalize the device to your needs and wants. Those who were born and raised in the age of technology usually use these modern conveniences without a second thought. Sometimes, we become so fascinated with these Internet-based tools that we even put them on our gift lists for friends and family to enjoy as well. But how much is too much? Are these devices safe enough to be storing our personal information? This is what our December newsletter is going to discuss. First, we’ll start with how this all began…
IoT Beginnings – The Rise of the Assistants
Remember your original phone? Mine was a flip phone, one of the “Razr” editions that were all the rage for how thin they were. I received it as a graduation present and I thought it was really, really cool. Compared to the phone I own today, that phone was actually pretty lame. All it could do was make a phone call. With the creation of mobile devices like the iPhone, making a call became the last thing you did on your phone. In October 2011, Apple announced they had recently purchased the rights to “Siri,” an app that was created by a 24-person startup in 2010. It was originally labeled as a virtual assistant that could help you with your daily needs. It was even equipped with a fun, dry sense of humor (for proof, just ask Siri what 0 divided by 0 is…). Siri started a wave of new devices that could respond to you just by the sound of your voice. Microsoft would create Cortana, Google would make Assistant, and Amazon would even join the ranks with Alexa. Eventually, these new-age gadgets would not just live inside of our phones, but also inside of our homes—making them available anytime, day or night.
Originally, these devices would control minor functions, usually ones we already had on our phones. Want to play that song from your Spotify playlist while you’re making dinner? Just ask Alexa and the music will start playing. Want to add an event to your calendar? Google Assistant will make sure it is added and will even set a reminder for you. However, that was just the start of things. As this new wave of technology continued, the devices’ abilities grew, and they would start to be able to control much more.
“OK Google, Are You Listening?”
Shortly after release, these Internet-based devices quickly started to enter homes. Very shortly after that, they started to hit the news—and not always in a good way. Some of the reports were scary. In Oregon, a woman named Danielle received a message from her husband’s colleague which simply stated, “Unplug your Alexa device right now.” The colleague had received a text message, sent from their Amazon Echo, which had an attached recording of a private conversation between Danielle and her husband. The couple listened to the message and could confirm that it was their voices and that it was indeed a conversation they had recently had, in what they thought was the privacy of their own home. After the couple contacted Amazon customer support, Amazon reviewed the logs and confirmed that the Echo had, without the owner’s permission, recorded the conversation and sent it to a contact listed under one of the users.
Alarmingly, this was not the only report of IoT devices listening to our conversations. Google admitted that their workers listen to thousands of Google Assistant queries after more than 1,000 of those queries were leaked to a media outlet. Many people were disturbed by the previously unknown fact that Google employees were listening to their conversations. To add to the worry, several Flemish citizens found that there were more than 150 conversations recorded without permission. Google says Google Home devices are only supposed to start recording when you state the phrase “OK, Google” or “Hey, Google”. However, this leak contained conversations that were clearly private. The Belgian news source that received the leaks claimed to be able to hear “bedroom conversations, conversations between parents and their children, also blazing rows (intense arguments) and professional phone calls containing lots of private information.”
Social Engineering Your Home
On average, there are more than seven million IoT devices active in homes every day. Many of these have known security issues or, often, no security at all. Because of this, attackers can turn your home into an attack hub, giving them access to vast amounts of personal information. One such way was recently demonstrated by SRLabs. Using a malicious app named “My Lucky Horoscope” on both a Google Home and an Amazon Echo device, they simulated how the app could easily gain information from you without you realizing it. First, you try to access the app, but you hear a voice telling you that the app is not yet available in your country. After a few moments of silence, a voice that is very similar to your device’s normal voice tells you that a new update is ready for the device and that it needs to verify your password. Once you give the password to the malicious app, it can continue to ask for the information it needs to further infiltrate your device. It can then start requesting everything from your email address to your credit card numbers and more—all without you ever realizing that you are handing information to a malicious attacker. The app may even send you an email asking you to verify information and to click on malicious links. To see a live demonstration of this attack in action, you can view SRLabs’ YouTube videos.
When Everything Is Connected
Beyond home devices, IoT has taken over many aspects of life. The hype for these smart devices has caused an explosion in their development, and the reports are mounting: the FDA had to recall pacemakers after concerns about potential vulnerabilities were raised. Warnings were issued to parents based on reports that baby monitors had been hacked. Samsung’s unpatched smart refrigerators were exposing Gmail login information.
Computer scientist Ang Cui developed a way to scan the web for vulnerable embedded devices. These systems still carried default usernames and passcodes programmed into them at the factory—usernames such as “name” and passcodes such as “1234”. These codes were published in the device manuals that could be found for free on the Internet. When this scan was done, Cui found more than one million vulnerabilities. At that time, he estimated about 13% of all devices that are connected to the Internet were “essentially unlocked doors,” waiting for a malicious criminal to walk through. Four months later, after running the same scan, more than 90% of those devices had the same security vulnerabilities.
Reading these reports is scary, but it raises the question: why are these devices manufactured so insecurely? These devices are being developed in a rush and, often, manufacturers don’t have the ability to follow best practices when it comes to security. The systems usually run on specialized computer chips. The chips are inexpensive and are differentiated by their features and bandwidth. Typically, they run a Linux operating system and require as little engineering as possible. Once the chip has been created, it is sent to the system manufacturer, who builds a router or server, adds a user interface and special features, makes sure everything works properly, and the IoT gadget is done. The problem with this process is that none of these entities have the expertise or ability to patch the software once it is shipped and in the hands of the consumer. There is typically very little incentive to update their support package until it becomes necessary. Unfortunately, that necessity often doesn’t come until after a massive vulnerability or breach is discovered. Consumers usually have to download and install patches manually, but the patches are rarely applied because consumers are not sent alerts or notifications. As a result of these insecure practices, hundreds of millions of devices are connected to the Internet insecurely, and the attackers are noticing.
Mitigation or Just Unplug?
IoT devices and products aren’t going anywhere anytime soon. The availability of products has exploded in recent years and it’s projected to increase. To be honest, not all of it is bad. In fact, there are plans to use IoT devices to help improve life and respond to disasters more quickly. However, the concern about using something that may not be storing your PII safely weighs heavily on the minds of those who are cybersecurity conscious. So, what’s the answer? A security researcher at the University of Pennsylvania says to weigh your risks: “a simple rule of thumb here could be to visualize the best case, average case, and worst-case scenarios. See how each of those affects you and make a call on whether you are equipped to deal with the fallout, and whether the tradeoffs are worth the convenience.”
Taking calculated risks is subjective and personal, so it’s up to everyone individually to research and educate themselves on IoT devices and how each one affects their lives. There are many security researchers who offer expert advice on privacy control. Many have been on the Social-Engineer Podcast, such as Michael Bazzell. By being an informed consumer, you can make purchases and make decisions that are based on safety and security.
While products may only offer so much protection, there are things you can consider and do yourself to use your products safely and securely.
- Monitor your accounts and devices regularly:
– Watch for any unusual activity on your account. Report suspicious purchases or activity immediately.
- Have robust passwords:
– Use passwords that are long, unique, and include special characters. Don’t use the same password for multiple devices and accounts. Make sure to change your device’s password from the default password.
- Read the Terms of Service (ToS):
– I know, I hear you thinking, “No one reads those things!” However, the permissions and access outlined in the ToS will often surprise you and will help you make more informed decisions.
- Use “fake” accounts—if possible:
– When signing up for something, you often need to connect to an active email or social media account. By creating an anonymous email address or fake social media profile you can protect your private personal information.
- Keep IoT devices off the main network:
– Keeping your IoT devices on their own, individual network that has a firewall keeps your main network sealed off. By creating another network or a “guest” network on your router, you can keep these devices separated.
- Unplug your device:
– Choose a specific location where your IoT device will reside, somewhere it cannot “listen” to sensitive conversations. Unplug your devices when they are not in use.
- Always enable Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA):
– If any of your devices offer 2FA or MFA, USE IT! These add an extra layer of protection that can keep criminals from easily gaining access to your account.
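As an added example (not part of the original newsletter), the checklist above can be turned into a small audit you run against your own device inventory. The inventory, the main-network range, the list of default passwords, and the 14-character threshold are all constructed assumptions for illustration.

```python
import ipaddress
import string
from collections import Counter

# Constructed sample data: names, addresses and passwords are made up.
MAIN_NETWORK = ipaddress.ip_network("192.168.1.0/24")  # assumed main LAN range
DEFAULT_PASSWORDS = {"1234", "admin", "password"}      # assumed factory defaults
MIN_LENGTH = 14                                        # assumed threshold for "long"

DEVICES = [
    {"name": "smart-speaker", "ip": "192.168.1.40", "password": "1234", "mfa": False},
    {"name": "thermostat", "ip": "192.168.50.12", "password": "Blue!Kettle7", "mfa": True},
    {"name": "baby-monitor", "ip": "192.168.50.13", "password": "Blue!Kettle7", "mfa": False},
    {"name": "doorbell", "ip": "192.168.50.14", "password": "r7#Quiet-Maple-Lantern", "mfa": True},
]

def audit(devices, main_network=MAIN_NETWORK):
    """Return {device name: [findings]} for the password, network and 2FA tips."""
    reuse = Counter(d["password"] for d in devices)  # how many devices share each password
    report = {}
    for d in devices:
        pw, findings = d["password"], []
        if pw.lower() in DEFAULT_PASSWORDS:
            findings.append("default password")
        if len(pw) < MIN_LENGTH:
            findings.append("password too short")
        if not any(c in string.punctuation for c in pw):
            findings.append("no special character")
        if reuse[pw] > 1:
            findings.append("password reused")
        # A device whose address falls inside the main LAN is not segregated.
        if ipaddress.ip_address(d["ip"]) in main_network:
            findings.append("on main network")
        if not d["mfa"]:
            findings.append("2FA/MFA off")
        report[d["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(DEVICES).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

An empty findings list means the device passes every check in this sketch; it does not cover the account-monitoring or Terms of Service items, which need a human.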
Only You Can Manage Security
Staying ahead of attackers and securing your IoT devices may seem like an overwhelming task. However, it is the price you pay for the convenience and benefits that IoT devices have to offer. Securing your devices doesn’t have to be difficult, and it is something you absolutely must be doing if you want a secure home network. By using some of the security tips above and taking measures to make smart consumer purchases, you can keep yourself safe from the threats posed by using these devices. And if that isn’t something you want to do, I know where I can get you a stack of phone books.
Written By: Amanda Marchuck