Hackers are in your home and they are entering through your smart devices
10 October, 2020
An eight-year-old girl stands petrified, frantically looking for the intruder in her bedroom. She can hear him playing an eerie version of but she cannot see him. “Who is that?” she asks, and he answers, “I’m your best friend. You can do whatever you want right now. You can mess up your room. You could break your TV.”
The girl, close to tears, yells, “Mummy!” But the prospect of a parent arriving does nothing to deter the intruder. “I’m Santa Claus,” he says. “Don’t you want to be my best friend?”
This is not a scene from a Hollywood horror movie. This happened for real last December in a suburban house in Mississippi, in the United States, to Alyssa LeMay, but it could have happened anywhere. The intruder was not hiding in Alyssa’s room, he had hacked into an internet-connected camera installed by her parents to keep an eye on her and her three siblings, and he was grooming her through its speaker.
“I did the opposite of adding another security measure,” says Alyssa’s mother, Ashley, after unplugging the Ring security camera. “I put the [children] at risk and now there’s nothing I can do to ease their minds.”
In Port Talbot, Wales, a month later, 38-year-old Paul Davies and his family can hear voices outside their front door, but nobody is there. Then his phone rings and a man says, “I’m waiting for you outside. I want to batter you. If you don’t come out, I’m going to steal your car.”
When the man asks if he might see Davies’ three children, the situation seems to be spiralling out of control. But again, the intruder is not there. He has hacked into the camera in the family’s smart doorbell and has been watching their comings and goings remotely.
“When they asked to see my kids, you just think there are some twisted people out there,” says Davies. “You can get internal cameras, too. I’m just thankful we didn’t have those.”
In Portland, Oregon, in the US, a family receives a frantic call from one of their friends urging them to unplug their Amazon Echo voice-activated smart speaker, which controls their lights, heating and home security system. “You’re being hacked,” he warns. How does he know? Because the Echo assistant, supposedly only activated when the name “Alexa” is uttered, had been secretly recording the family’s conversations and those recordings were randomly emailed to the friend by the device.
The mother of the family, who does not want to be named, says, “I felt invaded. A total privacy invasion. I’m never plugging that device in again because I can’t trust it.”
All these scenarios have one thing in common: the smart devices they feature are part of the “Internet of Things” (IoT), a term that describes a world in which almost everything is connected and interconnected via the web to perform the most wondrous tasks to make your life easier, safer and more convenient.
IoT smart devices in your home can learn from your movements and preferences to control temperature, lighting and even music for when you come home. Sensors in your smart fridge can work out when you are low on different types of food and drink and order a delivery. Using your smartphone, you can switch on your internet-connected washing machine, and when running low, it will order more soap powder. Meanwhile, your smart oven gets dinner going when your car tells it you are coming home, and your coffee maker has exactly the right brew ready for when you arrive.
Most of us are already using IoT, but many of us do not realise it. If, for example, you buy a set of smart bathroom scales and link them to an app on your phone to record your weight, pulse and so on, then you are using IoT. You’ll know because you will soon be bombarded with advertisements for health and fitness products.
It is difficult to find consistent assessments of the extent to which IoT is already embedded into societies worldwide. A report published in May by the technology research company Transforma Insights claimed there were 7.6 billion active IoT devices worldwide at the end of 2019. However, according to rival research group Gartner, that figure was 20 billion, generating incomes of US$2 trillion a year.
And it is this kind of money that is causing problems such as the intruder in Alyssa’s bedroom. Because in the rush to introduce IoT products of their own and grab a slice of that US$2 trillion, many – if not most – manufacturers have made security a low priority.
“The problem is that the companies which manufacture the ‘things’ for the IoT often have no experience of the internet and the security required to keep their customers safe,” says Adam Laurie, head hardware hacker at IBM’s X-Force Red, a team dedicated to exposing exactly these sorts of lapses in cybersecurity.
Laurie and his team recently announced that they had found a security flaw in an IoT module sold by French aerospace company Thales. The module enables a vast array of products to be connected to the internet via 3G and 4G mobile phone networks, but Laurie and his team found it could be easily hacked into. The vulnerability affects millions of devices, including internet-connected medical appliances such as insulin pumps.
“The vulnerability would enable a hacker to take control of whatever device the module was inserted into and that could result in simple mischief or something much more serious,” says Laurie. “If someone took control of an insulin pump remotely, they could change the dosage and potentially kill someone.
“We understand the same module has been used in some cars – and you can imagine what could happen if a hacker took control of your car while you were driving it.”
The IBM team told Thales about the flaw months before making it publicly known, and Thales has developed a security fix that can be installed on to the chips in devices. But not all companies act so responsibly and not all devices can have their security remotely updated.
“There are very few manufacturers making the core chips that go into these devices, mostly in China, and often they knock them out very cheaply for products that either cannot be updated or with simple default passwords that cannot be changed by the purchaser but that can easily be guessed by a hacker,” says Ed Geraghty, senior technologist at human rights charity Privacy International.
“A lot of the problem is that it is consumer behaviour driving some of these practices. We want things that are cheap and push-button. And the problem is that if you want something like that, it becomes the whole inconsistent triad; you can have it cheap, you can have it done well, or you can have it secure and private – but you can’t have it all.”
The biggest threat to an IoT network can be introduced by just one device arriving with a default username and password that cannot be changed, or by having a user who does not bother changing it. That can be disastrous because hackers share information on default passwords on devices and consistently among the most common username/password combinations are support/support, admin/admin, default/default and root/root.
There is, however, one combination that is even more common than all of these: nothing at all.
Last year, internet security company Avira set up a “honeypot”, a decoy IoT device designed to attract hackers, and waited to see what username/password combinations the attackers would try.
“The most commonly used credential is blank,” says Hamidreza Ebtehaj, a threat analyst at Avira. “Which means the attackers just enter an empty username and password – this is even more common than ‘admin’.”
During the honeypot exercise, the blank combination was tried in 25.6 per cent of all attempts to break in. Of course, the hackers tried it because they knew it has a high success rate. That is a chilling demonstration of just how insecure many IoT devices, and therefore networks, are.
But surely, with billions of devices and only a handful of geeky hackers, the odds of your home being singled out must be tiny? Well, no. Attackers do not single anyone out; they scan the whole internet automatically, and the volume is growing fast. In similar honeypot operations conducted in the first half of 2019, antivirus software company Kaspersky detected 105 million attacks on IoT devices launched from 276,000 individual IP addresses. That was an increase of 900 per cent on the previous year.
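The honeypot measurements above (Avira’s share of blank credentials, Kaspersky’s count of attempts and distinct source addresses) are easy to reproduce on a honeypot of your own. The script below is an added example, not code from the article, Avira or Kaspersky: it reads JSON-lines login events in a constructed, Cowrie-style format (one event per line with `src_ip`, `username` and `password`), skips anything that is not a login attempt, and reports how many attempts came in, from how many sources, what share used an empty username and password, and which username/password pairs were tried most. The sample log lines are constructed, not real captures; adapt `parse_line()` to whatever format your honeypot actually writes.

```python
"""Summarise credential-guessing attempts recorded by an IoT honeypot.

Added example, not the article's or any vendor's code. The log format is
an assumed, Cowrie-style JSON-lines layout; adjust parse_line() for the
honeypot you run.
"""
import json
from collections import Counter

# Constructed sample log lines (not real honeypot data). One event per
# line; only "login.failed" events carry a credential pair.
SAMPLE_LOG = """
{"eventid": "login.failed", "src_ip": "203.0.113.10", "username": "", "password": ""}
{"eventid": "login.failed", "src_ip": "203.0.113.10", "username": "admin", "password": "admin"}
{"eventid": "login.failed", "src_ip": "203.0.113.11", "username": "", "password": ""}
{"eventid": "login.failed", "src_ip": "203.0.113.11", "username": "root", "password": "root"}
{"eventid": "login.failed", "src_ip": "198.51.100.7", "username": "support", "password": "support"}
{"eventid": "login.failed", "src_ip": "198.51.100.7", "username": "", "password": ""}
{"eventid": "login.failed", "src_ip": "198.51.100.7", "username": "admin", "password": "1234"}
{"eventid": "login.failed", "src_ip": "192.0.2.44", "username": "default", "password": "default"}
{"eventid": "session.connect", "src_ip": "192.0.2.44"}
{"eventid": "login.failed", "src_ip": "192.0.2.44", "username": "admin", "password": "admin"}
this line is not JSON and must be skipped, not crash the run
"""


def parse_line(line):
    """Return (src_ip, username, password) for a login attempt, else None.

    Blank, malformed and non-login lines all return None so that one bad
    line in a multi-gigabyte log does not abort the whole analysis.
    """
    line = line.strip()
    if not line:
        return None
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if event.get("eventid") != "login.failed":
        return None
    return event.get("src_ip", "?"), event.get("username", ""), event.get("password", "")


def summarise(log_text, top=3):
    """Aggregate login attempts into the figures the honeypot reports quote."""
    attempts = [a for a in map(parse_line, log_text.splitlines()) if a]
    pairs = Counter((user, pw) for _, user, pw in attempts)
    sources = {ip for ip, _, _ in attempts}
    total = len(attempts)
    blank = pairs[("", "")]  # empty username AND empty password
    return {
        "attempts": total,
        "unique_sources": len(sources),
        "blank_share": round(100 * blank / total, 1) if total else 0.0,
        "top_pairs": pairs.most_common(top),
    }


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    print(f"{stats['attempts']} attempts from {stats['unique_sources']} sources")
    print(f"blank username/password: {stats['blank_share']}% of attempts")
    for (user, pw), n in stats["top_pairs"]:
        print(f"  {user or '<blank>'}/{pw or '<blank>'}: {n}")
```

On the constructed sample the blank pair comes out on top, with admin/admin second; on a real honeypot the ranking is whatever the scanners are currently trying, which is exactly the list to check your own devices against.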
The extent to which insecure IoT devices could leave your home vulnerable was recently explored by cybersecurity software company Trend Micro. It found that having one insecure device in a connected network could let hackers inside all your other smart gadgets.
“Starting from the front door, there can be a smart lock,” wrote researcher Ziv Chang in Trend Micro’s report “Inside the Smart Home: IoT Device Threats and Attack Scenarios”. “If compromised, the smart lock can give hackers control over who comes in or out of the house. The most obvious action available for hackers, then, would be to let intruders or accomplices into the house, and another would be to lock out the actual residents.
“Inside the living room, other devices can be set up. One of these can be a smart speaker, which serves as the conduit for voice-initiated home automation commands. If compromised, a voice-activated device such as a smart speaker can allow hackers to issue voice commands of their own.
“In the kitchen, devices like a smart refrigerator and a smart coffee maker can cause major issues if successfully hacked. Hackers can set up a smart refrigerator to register wrong expiration dates or order an immense amount of groceries online. And even a smart coffee maker can cause great inconvenience if commanded by hackers to brew coffee incessantly.
“Smart devices can now be found even in the bathroom, most commonly in the form of smart toilets. A smart toilet has different features, such as sensing the right amount of water for flushing waste, that can be very helpful for users. But hackers can use some of its features to make the device act up, by making the toilet flush repeatedly or let water flow continuously from the bidet.”
But why would anyone bother doing this to you?
“There can be several motivations,” says Bharat Mistry, principal security strategist at Trend Micro. “The most obvious one is being a nuisance but there could be an ulterior motive behind that – to gain other information like your banking details, or to leverage that connectivity you have for online shopping and use it to order goods to be delivered somewhere else.
“Gangs that group together can compromise an IoT-connected home with the intention of using it for forward attacks. Your home router, for example [the device that links your computers and IoT appliances to the internet], could be compromised by hackers who then use it – along with routers in hundreds of thousands of other homes – to form a botnet, which is like a remote army of computing devices. Using that, at the flick of a switch, the hackers could attack a company with so much internet traffic that its site crashes.
“It’s called a ‘distributed denial-of-service’ attack and it can be used for digital extortion. We have seen cases of organisations being told, ‘Pay us this money or we will take your site down.’ If the company doesn’t pay within a certain length of time, they will launch the attack.”
So, that is the router in your home being used for extortion and you had no idea. And guess what? The default usernames and passwords for many of the most popular brands bought on the high street are … admin/admin.
These are just the security concerns. There are also serious issues with privacy, not only from all these devices spying on you in your home, but also with what happens to all the information they gather about you and send back to manufacturers or service providers.
Do you really want someone to know how much fatty food your fridge is ordering for you? Or how much alcohol? Or when your home is usually empty?
“There are now even smart mattresses that are linked to an app that can report back on your sleep patterns,” says Geraghty. “But, of course, from your movements, it could probably tell when you’re having sex, too.”
Last year, journalists at Bloomberg disclosed that Amazon employs thousands of people to transcribe recordings of Amazon Echo users, ostensibly to help improve the Alexa digital assistant’s understanding of speech and its customers’ needs. None of the more than 100 million people who had bought an Echo had been told the device does this.
The company said workers had no way of knowing who was talking and so the results were anonymised. However, according to Bloomberg, while the Alexa reviewers could not see a user’s full name and address on the recordings they were transcribing, they could see an account number, a device serial number and a first name. And that would be enough to identify you.
“You don’t necessarily think of another human listening to what you’re telling your smart speaker in the intimacy of your home,” says Florian Schaub, a professor at the University of Michigan who has investigated smart speaker privacy issues. “I think we’ve been conditioned to assume that these machines are just doing magic machine learning. But the fact is there is still manual processing involved.”
Amazon said it had a “zero tolerance” policy for the abuse of its system, that only a tiny number of such recordings were transcribed and that “all information is treated with high confidentiality [using] multi-factor authentication to restrict access, service encryption and audits of our control environment to protect it”.
The information collected about you by your IoT devices is valuable to service providers and advertisers. The more they know about you, the more effective they can be at serving up the advertising most likely to encourage you to buy something.
A quick tour of the internet demonstrates the extent to which manufacturers and advertising companies are salivating over all the new information coming their way.
For example, as part of a pitch to attract companies who want to sell their products to you using television advertising, Samsung boasts to potential advertisers, “Samsung Smart TVs have built-in automated content recognition (ACR) technology that can understand viewing behaviour and usage including programmes, movies, ads, gaming content and [internet] apps in real-time.”
This, Samsung says, will be used to send a company’s ads to its target audience – using subscribers’ other devices, such as phones, tablets, etc – even if the target viewers missed seeing the original advert on TV.
And how about this pitch, from Swedish marketing company Bannerflow, telling advertisers about the potential of IoT products that can be connected through a smartphone because they contain a contactless chip similar to the one you have in your bank card.
“Touchpoints are all around us. With the IoT, where they are, the sheer number of new opportunities for businesses looks set to explode,” gushes the Bannerflow pitch. “Take, for example, the simple bottle. Thanks to contactless technology, selected bottles of Malibu offer consumers exclusive content. All an inquisitive buyer has to do is tap the ‘smart’ bottle and sign in using a smartphone.
“Owner of the brand, Pernod Ricard, will no doubt be quite happy to receive the consumer’s data, too. Oh, and if you’re not a rum person there’s whisky. Diageo, like its competitor, has developed a bottle of Johnnie Walker that can tell when it’s consumed, and – if you opt in – who drank it. The Holy Grail of marketing info.”
Linking IoT technology to advertising like this is part of what is called “ad tech”, and under the European Union’s General Data Protection Regulation (GDPR), the data it relies on can only be collected and used for advertising if customers consent when they adopt an app or product. In practice that consent is given when you accept the “terms and conditions” that come with just about everything – the terms and conditions that hardly any of us ever read because they are too long and complex.
“GDPR [which was introduced in 2018] has been quite a sledgehammer of a piece of legislation, and anyone who wants to sell their IoT products in Europe – including the UK – must comply with it,” says Geraghty. “It covers the way our information should be safeguarded and the way ad tech is bundled up and fed to us.
“The problem is with enforcement, and there isn’t evidence of much enforcement going on. The maximum fine for anyone breaching GDPR is 4 per cent of a company’s annual turnover worldwide. But you might argue that if 100 per cent of your business model is collecting people’s private information and selling it on to advertisers in breach of GDPR, then that 4 per cent could be described as a cost of doing business.”
In terms of privacy, most observers agree that where companies comply with GDPR rules on what can and cannot be done with our information, the protections are good. However, as Geraghty says, enforcing every breach will be impossible. And while we all keep accepting terms and conditions without reading them, occasionally we will fall foul of individuals with bad intentions.
In terms of security, the world of IoT products is largely unregulated and open to massive and relentless abuses. John Moor, chief operating officer of the IoT Security Foundation, which campaigns for greater oversight of product standards and security, says it is unlikely that there will ever be internationally agreed standards on just how safe products should be.
“Having spent the last five years running the IoT Security Foundation, I can honestly say that IoT security is a wicked challenge,” he says. “It is impacted by the technical, the organisational, the user, societal, political, economic and philosophical dimensions as a minimum.
“Perfect security is elusive but we should not let perfect be the enemy of the good – ‘secure enough’ is the goal. I acknowledge that everything is hackable and it just depends on the length to which a bad actor will go to defeat the security measures – if the bad actor is, say, a nation state with a long time horizon, deep pockets and the necessary skills, then most defences can be compromised. However, a nation state is unlikely to want to hack you personally.”
Last year, in conjunction with the National Cyber Security Centre, the British government drew up proposals for legislation that would ensure that all IoT products had to have unique passwords that could not be changed back to weak defaults; that their manufacturers had to provide platforms where the public could report vulnerabilities; and that manufacturers had to state for how long they would provide security updates for each IoT device.
The EU is also beginning to sit up and take notice of the potential for abuse of IoT and the way it could be exploited by the big data companies to corner the market in services linked to their devices. The European Commission recently set up an antitrust competition inquiry into the sector.
Margrethe Vestager, the European commissioner in charge of IoT competition policy, said, “The consumer ‘internet of things’ is expected to grow significantly in the coming years and become commonplace in the daily lives of European consumers. Imagine a smart fridge making your grocery list, you pulling up that grocery list onto your smart device and ordering a delivery from a shop that sends the groceries to your door that unlocks automatically with a word. The possibilities seem endless.
“But access to large amounts of user data appears to be the key for success in this sector, so we have to make sure that market players are not using their control over such data to distort competition, or otherwise close off these markets for competitors. This sector inquiry will help us better understand the nature and likely effects of the possible competition problems.”
If Covid-19 doesn’t get in the way, the legislation resulting from both these processes might go some way to restoring confidence in what is currently viewed by many as the tech equivalent of the Wild West.
In the meantime, it is worth considering that all IoT devices come with a trade-off between privacy, security and convenience. Only you can decide whether that trade-off is worth it.
Text: The Independent
Lead illustration: Mario Riviera