Hey Alexa, What's a Phone Book?

Recently, my husband came home from his day at work and during our normal evening conversation, I asked, “How was work today?” His reply was, “It was alright. We had another order of phone books come in.” My immediate response was to ask, “Who even uses phone books anymore?” The answer to that question is hardly anyone. In fact, my husband, who works for a delivery company, says he often finds phone books that were delivered two or three years ago still sitting in the same place he originally put them, slowly deteriorating. 

At One Time the Phone Book Was…

At one time, a phone book was your only way of finding a local business or personal number. However, the age of the Internet now makes the phone book obsolete. Indeed, all of that information now lies at our fingertips…and now, even with just the sound of our voice. For example, with a simple “Hey, Siri…” or “OK, Google…” we can ask Internet-based devices for a plethora of information which they deliver immediately. Additionally, beyond these systems, there is now an Internet-based gadget that can do just about anything. There is also a device that can order you food, place your Amazon order with one click, pay your bills, raise and lower the temperature of your home, and even control your home security. Beat that, phone book! 

Enter…loT

Internet of Things (IoT)-based technologies are rapidly appearing in our lives and collecting personally identifiable information (PII) in massive quantities. IoT devices often claim to collect this information in order to personalize your device with your needs and wants. Those who were born and raised in the age of technology usually utilize these modern conveniences without any thought of concern.

Sometimes, we become so fascinated with these Internet-based tools that we even put them on our gift lists to get for our friends and family to also enjoy. But how much is too much? Are these devices safe enough to be storing our personal information? This is what our December newsletter is going to discuss. But first, we’ll start with how this all began… 

IoT Beginnings – The Rise of the Assistants

Remember your original phone? Mine was a flip phone, one of the “Razr” editions that were all the rage for how thin they were. It was a graduation present and I remember thinking,  it was really, really cool. Compared to the phone I own today, that phone was actually pretty lame. All it could do was make a phone call. With the creation of mobile devices like the iPhone, making a call became the last thing you did on your phone.

In October 2011, Apple announced they had recently purchased the rights to “Siri,” an app that was created by a 24-person startup in 2010. Siri, a virtual assistant would help you with your daily needs. And it even has a fun, dry sense of humor (for proof just ask Siri what 0 divided by 0 is…) In fact, Siri started a wave of new devices that could respond to you just by the sound of your voice. Microsoft would create Cortana, Google would make Assistant, and even Amazon would even join the ranks with Alexa. Eventually, these new-age gadgets would not just live inside of our phones, but also inside of our homes—making them available anytime, day or night.  

Originally, these devices would control minor functions; usually from things we already had on our phone. Want to play that song from your Spotify playlist while you’re making dinner? Just ask Alexa and the music will start playing. Want to add an event to your calendar? Google Assistant will add it and will even set a reminder for you. However, that was just the start of things. As this new wave of technology continued, their abilities grew. And they would start to be able to control much more. 

“OK Google, Are You Listening?”

Shortly after release, these Internet-based devices quickly started to enter homes. And very shortly after, these devices started to hit the newsbut not in all good ways. Some of the reports were scary.

In Oregon, a woman named Danielle received a message from her husband’s colleague which simply stated, “Unplug your Alexa device right now.” The colleague had received a text message, sent from their Amazon Echo, which had an attached recording of a private conversation between Danielle and her husband. After listening to the message, the couple could confirm that it was their voices. And it was indeed a recent conversation in what they thought was the privacy of their own home.

After contacting Amazon customer support, Amazon reviewed the logs and confirmed that the Echo had, without permission of the owner, recorded the conversation and sent it to a contact listed under one of the users.  

Alarmingly, this was not the only report of IoT devices listening to our conversations. Google admitted that their workers listen to thousands of Google Assistant queries after more than 1,000 of those queries were leaked to a media outlet. Many people were disturbed over the previously unknown fact that Google employees were listening to their conversations.

To add to the worry, several Flemish citizens found that there were more than 150 conversations recorded without permission. Google says, Google Home devices are only supposed to start recording when you state the phrase “OK, Google” or “Hey, Google”. However, this leak contained conversations that were clearly private conversations. The Belgium news source that received the leaks claimed to be able to hear “bedroom conversations, conversations between parents and their children, also blazing rows (intense arguments) and professional phone calls containing lots of private information.” 

Social Engineering Your Home

On average, there are more than seven million IoT devices alive in homes every day. Notably, many of these have known security issues, or often, no security at all. With this, attackers can turn your home into an attack hub, allowing them access to vast amounts of personal information.

One such way was recently demonstrated by SRLabs. Using a malicious app named “My Lucky Horoscope” on both a Google Home and Amazon Echo device, they simulated how the app could easily gain information from you without you realizing it.

First you would try to access the app but you would hear a voice telling you that this app was not yet available in your country. After a few moments of silence, a voice that is very similar to your devices normal voice will tell you that a new update is ready for the device and it needs to verify your password.

Once you give the password over to the malicious app, it can continue to ask for information it needs to further infiltrate your device. It can then start requesting everything from your email address, credit card numbers, and more—all without you ever realizing that you are giving over information to a malicious attacker. The app may even send you an email asking you to verify information, requesting you to click on malicious links. To see a live demonstration of this attack in action, you can view SRLabs YouTube videos 

When Everything Is Connected  

Beyond home devices, IoT has taken over many aspects of life. The hype for these smart devices has caused an explosion in their development and the reports are mounting: the FDA had to recall pacemakers, after a concern of potential vulnerabilities were found. Warnings were issued to parents based on reports that baby monitors have been hacked. Samsung’s unpatched smart refrigerators were exposing Gmail login information.  

Computer scientist Ang Cui developed a way to scan the web for vulnerable embedded devices. These systems still carried default usernames and passcodes programmed into them at the factory—usernames such as “name” and passcodes such as “1234”. These codes published in the device manuals could be found for free on the Internet. When this scan was done, Cui found more than one million vulnerabilities. At that time, he estimated about 13% of all devices that are connected to the Internet were “essentially unlocked doors,” waiting for a malicious criminal to walk through. Four months later, after running the same scan, more than 90% of those devices had the same security vulnerabilities.  

Sounds Scary…Right?

Reading these reports are scary.  But it raises the question, why manufacture these devices so insecurely? One reason is that these devices are developed in a rush and often, manufacturers don’t have the ability to follow best practices when it comes to security. In addition, the systems usually run off specialized computer chips. These chips are inexpensive and their features and bandwidth differentiate them. Typically, they operate off a Linux operating system and require as little engineering possible.

After making the chip, it is sent to the system manufacturer who builds a router or server, adds a user interface as well as special features. The manufacturer also makes sure everything works properly. Finally, the IoT gadget is done. However, the problem with this process is that none of these entities have the expertise or ability to patch the software once it ships and is in the hands of the consumer.

The incentive to update their support package is typically very little, until it has become necessary. Unfortunately, often times, that necessity doesn’t come until after a massive vulnerability or breach is discovered. Consumers usually have to manually download and install patches, but rarely are they utilized since consumers are not sent alerts or notifications. As a result of these practices, hundreds of millions of devices have unsafe connections to the Internet, and attackers are noticing.  

Mitigation or Just Unplug?

IoT devices and products aren’t going anywhere anytime soon. The availability of products has exploded in recent years and its projected to increase. To be honest, not all of it is bad. In fact, there are plans to use IoT devices to help improve life and respond to disasters quicker. However, the concern of using something that may not be storing your PII safely is something that weighs heavily on the mind of those who are cybersecurity conscious.

So, what’s the answer? A security researcher at the University of Pennsylvania says to weigh your risks, “a simple rule of thumb here could be to visualize the best case, average case, and worst-case scenarios. See how each of those affects you and make a call on whether you are equipped to deal with the fall out, and whether the tradeoffs are worth the convenience.”  

Taking calculated risks is subjective and personal, so it’s up to everyone individually to research and educate themselves on IoT devices and how each one affects their lives. There are many security researchers who offer expert advice on privacy control. Many have been on the Social-Engineer Podcast, such as Michael Bazzell. By being an informed consumer, you can make purchases and make decisions that are based on safety and security.  

While products may only offer so much protection, there are things you can consider and do yourself to use your products safely and securely.  

Monitor Your Accounts and Devices Regularly

Watch for any unusual activity on your account. Report suspicious purchases or activity immediately.

Have Robust Passwords

Use passwords that are long, unique, and include special characters. Don’t use the same password for multiple devices and accounts. In addition, make sure to change your device password from the default password.

Read the Terms of Service (ToS)

I know, I hear you thinking, “No one reads those things!” However, the permissions and access outlined in the ToS will often surprise you and will help you make more informed decisions.

When signing up for something you often need to connect to an active email or social media account. By creating an anonymous email address or fake social media profile you can protect your personal information.

Keep IoT Devices Off the Main Network

Keeping your IoT devices on their own, individual network that has a firewall keeps your main network sealed off. By creating another network or a “guest” network on your router you can keep these devices separated.

Unplug Your Devices

Choose a specific location where your IoT device will reside, somewhere where it may not have access to “listen” to sensitive conversations. Unplug your devices when not in use.

Enable Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)

If any of your devices offer 2FA or MFA, USE IT! These add an extra layer of protection that can keep criminals from easily gaining access to your account.

Only You Can Manage Security

Staying ahead of attackers and securing your IoT devices may seem like an overwhelming task. However, it is the price you pay for convenience and benefiting from what IoT devices have to offer. Securing your devices doesn’t have to be difficult and it is something you absolutely must be doing if you want a secure home network. By using some of the security tips above and taking measures to make smart consumer purchases, you can keep yourself safe from the threats posed by using these devices. And if that isn’t something you want to do; I know where I can get you a stack of phone books.  

Stay safe!  

Written By: Amanda Marchuck

Sources:
https://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/#40d877ee1d09
https://www.huffpost.com/entry/siri-do-engine-apple-iphone_n_2499165
https://arstechnica.com/gadgets/2018/05/amazon-confirms-that-echo-device-secretly-shared-users-private-audio/
https://arstechnica.com/information-technology/2019/07/google-defends-listening-to-ok-google-queries-after-voice-recordings-leak/
https://it-online.co.za/2019/11/21/with-cybercrime-forewarned-is-forearmed/
https://srlabs.de/bites/smart-spies/
https://www.youtube.com/channel/UCXfBXC1Y7q2lpm-cOaf1N0A/videos
https://thehackernews.com/2017/08/pacemakers-hacking.html
https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable
https://www.networkworld.com/article/2976270/smart-refrigerator-hack-exposes-gmail-login-credentials.html
https://www.newsweek.com/2019/11/01/trust-internet-things-hacks-vulnerabilities-1467540.html
https://www.schneier.com/essays/archives/2014/01/the_internet_of_thin.html
https://www.forbes.com/sites/louiscolumbus/2018/06/06/10-charts-that-will-challenge-your-perspective-of-iots-growth/#702e51ca3ecc
http://www.libelium.com/resources/top_50_iot_sensor_applications_ranking/#show_infographic
https://money.cnn.com/2017/10/26/technology/business/amazon-key-privacy-issue/index.html
https://www.social-engineer.org/category/podcast/
https://www.social-engineer.org/?s=michael+bazzell
https://www.forbes.com/sites/louiscolumbus/2018/06/06/10-charts-that-will-challenge-your-perspective-of-iots-growth/#35eb2ed83ecc
https://money.cnn.com/2017/10/26/technology/business/amazon-key-privacy-issue/index.html
https://www.makeuseof.com/tag/tips-securing-smart-iot-devices/
Image: https://www.cso.com.au/article/646860/nist-17-reasons-we-can-t-trust-certify-iot-devices/