A few years ago nobody cared about the thermostat in your home. It was a simple manually operated thermostat that kept your home at a comfortable temperature. Then thermostats became programmable. And then a company, Nest, decided that you should be able to control your programmable thermostat with an Internet-based app. You can sense where I’m going with this, right?
In one vengeful product review of the Honeywell Wi-Fi Smart Touchscreen Thermostat, someone who calls himself the General wrote on Amazon that his ex-wife took the house, the dog, and the 401(k), but he retained the password to the Honeywell thermostat. When the ex-wife and her boyfriend were out of town, the General claimed he would jack up the temperature in the house and then lower it back down before they returned: “I can only imagine what their electricity bills might be. It makes me smile.”1
Researchers at Black Hat USA 2014, a conference for people in the information security industry, revealed a few ways in which the firmware of a Nest thermostat could be compromised.2 It is important to note that many of these compromises require physical access to the device, meaning that someone would have to get inside your house and install a USB port on the thermostat. Daniel Buentello, an independent security researcher, one of four presenters who talked about hacking the device, said, “This is a computer that the user can’t put an antivirus on. Worse yet, there’s a secret back door that a bad person could use and stay there forever. It’s a literal fly on the wall.”3
The team of researchers showed a video in which they changed the Nest thermostat interface (they made it look like the HAL 9000 fishbowl camera lens) and uploaded various other new features. Interestingly, they were not able to turn off the automatic reporting feature within the device—so the team produced their own tool to do so.4 This tool would cut off the stream of data flowing back to Google, the parent company of Nest.
Commenting on the presentation, Zoz Cuccias of Nest later told VentureBeat, “All hardware devices—from laptops to smartphones—are susceptible to jailbreaking; this is not a unique problem. This is a physical jailbreak requiring physical access to the Nest Learning Thermostat. If someone managed to get in your home and had their choice, chances are they would install their own devices, or take the jewelry. This jailbreak doesn’t compromise the security of our servers or the connections to them and to the best of our knowledge, no devices have been accessed and compromised remotely. Customer security is very important to us, and our highest priority is on remote vulnerabilities. One of your best defenses is to buy a Dropcam Pro so you can monitor your home when you’re not there.”5
With the advent of the Internet of Things, companies like Google are eager to colonize parts of it—to own the platforms that other products will use. In other words, these companies want devices developed by other companies to connect to their services and not someone else’s. Google owns both Dropcam and Nest, but they want other Internet of Things devices, such as smart lightbulbs and baby monitors, to connect to your Google account as well. The advantage of this, at least to Google, is that they get to collect more raw data about your personal habits (and this applies to any large company—Apple, Samsung, even Honeywell).
In talking about the Internet of Things, computer security expert Bruce Schneier concluded in an interview, “This is very much like the computer field in the ’90s. No one’s paying any attention to security, no one’s doing updates, no one knows anything—it’s all really, really bad and it’s going to come crashing down.… There will be vulnerabilities, they’ll be exploited by bad guys, and there will be no way to patch them.”6
To prove that point, in the summer of 2013 journalist Kashmir Hill did some investigative reporting and some DIY computer hacking. By using a Google search she found a simple phrase that allowed her to control some Insteon hub devices for the home. A hub is a central device that provides access to a mobile app or to the Internet directly. Through the app, people can control the lighting in their living rooms, lock the doors to their houses, or adjust the temperature of their homes. Through the Internet, the owner can adjust these things while, say, on a business trip.
As Hill showed, an attacker could also use the Internet to remotely contact the hub. As further proof, she reached out to Thomas Hatley, a complete stranger, in Oregon, and asked if she could use his home as a test case.
From her home in San Francisco, Hill was able to turn on and off the lights within Hatley’s home, some six hundred miles up the Pacific coast. She also could have controlled his hot tubs, fans, televisions, water pumps, garage doors, and video surveillance cameras if he had had those connected.
The problem—now corrected—was that Insteon made all Hatley’s information available on Google. Worse, access to this information wasn’t protected by a password at the time—anyone who stumbled upon this fact could control any Insteon hub that could be found online. Hatley’s router did have a password, but that could be bypassed by looking for the port used by Insteon, which is what Hill did.
“Thomas Hatley’s home was one of eight that I was able to access,” Hill wrote. “Sensitive information was revealed—not just what appliances and devices people had, but their time zone (along with the closest major city to their home), IP addresses and even the name of a child; apparently, the parents wanted the ability to pull the plug on his television from afar. In at least three cases, there was enough information to link the homes on the Internet to their locations in the real world. The names for most of the systems were generic, but in one of those cases, it included a street address that I was able to track down to a house in Connecticut.”7
Around the same time, a similar problem was found by Nitesh Dhanjani, a security researcher. Dhanjani was looking in particular at the Philips Hue lighting system, which allows the owner to adjust the color and brightness of a lightbulb from a mobile device. The bulb has a range of sixteen million colors.
Dhanjani found that a simple script inserted onto a home computer on the home network was enough to cause a distributed denial-of-service attack—or DDoS attack—on the lighting system.8 In other words, he could make any room with a Hue lightbulb go dark at will. What he scripted was a simple code so that when the user restarted the bulb, it would quickly go out again—and would keep going out as long as the code was present.
Dhanjani said that this could spell serious trouble for an office building or apartment building. The code would render all the lights inoperable, and the people affected would call the local utility only to find there was no power outage in their area.
While Internet-accessible home-automation devices can be the direct targets of DDoS attacks, they can also be compromised and joined to a botnet—an army of infected devices under one controller that can be used to launch DDoS attacks against other systems on the Internet. In October 2016, a company called Dyn, which handles DNS infrastructure services for major Internet brands like Twitter, Reddit, and Spotify, was hit hard by one of these attacks. Millions of users on the eastern part of the United States couldn’t access many major sites because their browsers couldn’t reach Dyn’s DNS services.
The culprit was a piece of malware called Mirai, a malicious program that scours the Internet looking for insecure Internet of Things devices, such as CCTV cameras, routers, DVRs, and baby monitors, to hijack and leverage in further attacks. Mirai attempts to take over the device by simple password guessing. If the attack is successful, the device is joined to a botnet where it lies in wait for instructions. Now with a simple one-line command, the botnet operator can instruct every device—hundreds of thousands or millions of them—to send data to a target site and flood it with information, forcing it to go offline.
While you cannot stop hackers from launching DDoS attacks against others, you can become invisible to their botnets. The first item of business when deploying an Internet of Things device is to change the password to something hard to guess. If you already have a device deployed, rebooting it should remove any existing malicious code.
Computer scripts can affect other smart-home systems.
If you have a newborn in your home, you may also have a baby monitor. This device, either a microphone or a camera or a combination of both, allows parents to be out of the nursery but still keep track of their baby. Unfortunately, these devices can invite others to observe the child as well.
Analog baby monitors use retired wireless frequencies in the 43–50 MHz range. These frequencies were first used for cordless phones in the 1990s, and anyone with a cheap radio scanner could easily intercept cordless phone calls without the target ever knowing what happened.
Even today, a hacker could use a spectrum analyzer to discover the frequency that a particular analog baby monitor uses, then employ various demodulation schemes to convert the electrical signal to audio. A police scanner from an electronics store would also suffice. There have been numerous legal cases in which neighbors using the same brand of baby monitor set to the same channel eavesdropped on one another. In 2009 Wes Denkov of Chicago sued the manufacturers of the Summer Infant Day & Night baby video monitor, claiming that his neighbor could hear private conversations held in his home.9
As a countermeasure, you might want to use a digital baby monitor. These are still vulnerable to eavesdropping, but they have better security and more configuration options. For example, you can update the monitor’s firmware (the software on the chip) immediately after purchase. Also be sure to change the default username and password.
Here again you might come up against a design choice that is out of your control. Nitesh Dhanjani found that the Belkin WeMo wireless baby monitor uses a token in an app that, once installed on your mobile device and used on your home network, remains active—from anywhere in the world. Say you agree to babysit your newborn niece and your brother invites you to download the Belkin app to your phone through his local home network (with any luck, it is protected with a WPA2 password). Now you have access to your brother’s baby monitor from across the country, from across the globe.
Dhanjani notes that this design flaw is present in many interconnected Internet of Things devices. Basically, these devices assume that everything on the local network is trusted. If, as some believe, we’ll all have twenty or thirty such devices in our homes before long, the security model will have to change. Since everything on the network is trusted, then a flaw in any one device—your baby monitor, your lightbulb, your thermostat—could allow a remote attacker onto your smart home network and give him an opportunity to learn even more about your personal habits.
Long before mobile apps, there were handheld remotes. Most of us are too young to remember the days before TVs had remote controls—the days when people had to physically get up off the couch and turn a dial to change the channel. Or to pump up the volume. Today, from the comfort of our sofas, we can just instruct the TV with our words. That may be very convenient, but it also means that the TV is listening—if only for the command to turn itself on.
In the early days, remote controls for TVs required direct line of sight and functioned by using light—specifically, infrared technology. A battery-operated remote would emit a sequence of flashes of light barely visible to the human eye but visible (again, within a line of sight) to a receptor on the TV. How would the TV know if you wanted to turn it on when it was off? Simple: the infrared sensor located within the TV was always on, on standby, waiting for a particular sequence of infrared light pulses from the handheld remote to wake it up.
Remote-control TVs evolved over the years to include wireless signals, which meant you didn’t have to stand directly in front of the TV; you could be off to one side, sometimes even in another room. Again, the TV was on in standby mode, waiting for the proper signal to wake it up.
Fast-forward to voice-activated TVs. These TVs do away with the remote you hold in your hand—which, if you’re like me, you can never find when you want it anyway. Instead you say something silly like “TV on” or “Hi, TV,” and the TV—magically—turns on.
In the spring of 2015 security researchers Ken Munro and David Lodge wanted to see whether voice-activated Samsung TVs were listening in on conversations in the room even when the TV was not in use. While they found that digital TVs do in fact sit idle when they are turned off—which is reassuring—the TVs record everything spoken after you give them a simple command, such as “Hi, TV” (that is, they record everything until the TV is commanded to turn off again). How many of us will remember to keep absolutely quiet while the TV is on?
We won’t, and to make matters even more disturbing, what we say (and what is recorded) after the “Hi, TV” command is not encrypted. If I can get on your home network, I can eavesdrop on whatever conversation you’re having in your home while the TV is turned on. The argument in favor of keeping the TV in listening mode is that the device needs to hear any additional commands you might give it, such as “Volume up,” “Change the channel,” and “Mute the sound.” That might be okay, except the captured voice commands go up to a satellite before they come back down again. And because the entire string of data is not encrypted, I can carry out a man-in-the-middle attack on your TV, inserting my own commands to change your channel, pump up your volume, or simply turn off the TV whenever I want.
Let’s think about that for a second. That means if you’re in a room with a voice-activated TV, in the middle of a conversation with someone, and you decide to turn on the TV, the stream of conversation that follows may be recorded by your digital TV. Moreover, that recorded conversation about the upcoming bake sale at the elementary school may be streamed back to a server somewhere far from your living room. In fact, Samsung streams that data not only to itself but also to another company called Nuance, a voice-recognition software company. That’s two companies that have vital information about the upcoming bake sale.
And let’s get real here: the average conversation you’re having in your TV room probably isn’t about a bake sale. Maybe you’re talking about something illegal, which law enforcement might want to know about. It is entirely likely that these companies would inform law enforcement, but if law enforcement, for example, were already interested in you, then officers might get a warrant forcing these companies to provide complete transcripts. “Sorry, but it was your smart TV that narc’d on you…”
Samsung has, in its defense, stated that such eavesdropping scenarios are mentioned in the privacy agreement that all users implicitly agree to when they turn on the TV. But when was the last time you read a privacy agreement before turning on a device for the first time? Samsung says in the near future all its TV communications will be encrypted.10 But as of 2015, most models on the market are not protected.
Fortunately, there are ways to disable this HAL 9000–like feature on your Samsung and presumably on other manufacturers’ TVs as well. On the Samsung PN60F8500 and similar products, go into the Settings menu, select “Smart Features,” and then under “Voice Recognition,” select “Off.” But if you want to stop your TV from being able to record sensitive conversations in your home, you’ll have to sacrifice being able to walk into a room and voice-command your TV to turn on. You can still, with remote in hand, select the microphone button and speak your commands. Or you could get up off the couch and switch the channels yourself. I know. Life is hard.
Unencrypted data streams are not unique to Samsung. While testing LG smart TVs, a researcher found that data is being sent back to LG over the Internet every time the viewer changes the channel. The TV also has a settings option called “Collection of watching info,” enabled by default. Your “watching info” includes the names of files stored on any USB drive you connect to your LG television—say, one that contains photos from your family vacation. Researchers carried out another experiment in which they created a mock video file and loaded it to a USB drive, then plugged it into their TV. When they analyzed network traffic, they found that the video file name was transmitted unencrypted within HTTP traffic and sent to the address GB.smartshare.lgtvsdp.com.
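The mock-file experiment described above can be repeated on your own network with a short script. The following is an added example, not code from the researchers or from LG: the marker file name, the request paths, and the sample payloads are constructed for illustration and do not reproduce the TV's real wire format; only the host name GB.smartshare.lgtvsdp.com comes from the text.

```python
"""Search captured cleartext HTTP payloads for a planted marker file name."""
import base64
from urllib.parse import unquote_plus

# Constructed marker: the name given to a dummy file on the USB drive.
CANARY = "canary 7f3a vacation.mkv"


def parse_http_request(raw):
    """Return (method, target, headers, body), or None if raw is not HTTP/1.x."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            key = name.strip().lower().decode("latin-1")
            headers[key] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers, body


def find_leaks(payloads, canary):
    """Report every readable request whose target or body carries the canary."""
    needle = canary.casefold()
    # Only catches the name encoded on its own, not inside a larger blob.
    b64 = base64.b64encode(canary.encode("utf-8")).decode("ascii")
    findings = []
    for index, raw in enumerate(payloads):
        parsed = parse_http_request(raw)
        if parsed is None:
            continue  # TLS or other non-HTTP bytes: nothing readable to inspect
        _method, target, headers, body = parsed
        fields = {"target": target, "body": body.decode("utf-8", "replace")}
        for where, text in fields.items():
            # Undo %XX and '+' encoding before the case-insensitive search.
            if needle in unquote_plus(text).casefold():
                form = "plain"
            elif b64 in text:
                form = "base64"
            else:
                continue
            findings.append({
                "payload": index,
                "host": headers.get("host", "?"),
                "where": where,
                "form": form,
            })
    return findings


# Constructed sample payloads (reassembled TCP streams seen on port 80).
SAMPLE_PAYLOADS = [
    # Form-encoded body sent to the host named in the text.
    b"POST /telemetry HTTP/1.1\r\nHost: GB.smartshare.lgtvsdp.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"event=usb&name=canary+7f3a+vacation.mkv",
    # Percent-encoded, upper-cased name in a query string (hypothetical host).
    b"GET /ping?f=CANARY%207F3A%20VACATION.MKV HTTP/1.1\r\n"
    b"Host: collector.example\r\n\r\n",
    # Start of a TLS record: encrypted, so there is nothing to read.
    b"\x16\x03\x01\x00\x05hello",
    # Ordinary request that does not mention the file.
    b"GET /time HTTP/1.1\r\nHost: clock.example\r\n\r\n",
    # Name base64-encoded inside a JSON body (hypothetical host).
    b"POST /v1/log HTTP/1.1\r\nHost: stats.example\r\n\r\n"
    b'{"n":"' + base64.b64encode(CANARY.encode("utf-8")) + b'"}',
]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_PAYLOADS, CANARY):
        print(finding)
```

A hit means the file name left the device in a form anyone on the path could read; no hit proves nothing about encrypted traffic, which this check cannot see into.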
Sensory, a company that makes embedded speech-recognition solutions for smart products, thinks it can do even more. “We think the magic in [smart TVs] is to leave it always on and always listening,” says Todd Mozer, CEO of Sensory. “Right now [listening] consumes too much power to do that. Samsung’s done a really intelligent thing and created a listening mode. We want to go beyond that and make it always on, always listening no matter where you are.”11
Now that you know what your digital TV is capable of, you might be wondering: Can your cell phone eavesdrop when it’s turned off? There are three camps. Yes, no, and it depends.
There are those in the privacy community who swear you have to take the battery out of your turned-off smartphone to be sure that it is not listening. There doesn’t seem to be a lot of evidence to support this; it’s mostly anecdotal. Then there are the people who swear that just turning off your phone is good enough; case closed. But I think in reality there are instances—say, if malware is added to a smartphone—when it doesn’t turn off entirely and could still record conversations held nearby. So it depends on a variety of factors.
There are some phones that wake up when you say a magic phrase, just as voice-activated TVs do. This would imply that the phones are listening at all times, waiting for the magic phrase. This would also imply that what is said is somehow being recorded or transmitted. In some malware-infected phones that is true: the phone’s camera or microphone is activated when there is not a call in progress. These cases, I think, are rare.
But back to the main question. There are some in the privacy community who swear that you can activate a phone when it is turned off. There is malware that can make the phone appear to be off when it is not. However, the possibility that someone could activate a turned-off phone (no battery power) strikes me as impossible. Basically any device that has battery power that allows its software to be in a running state can be exploited. It’s not hard for a firmware back door to make the device appear that it’s off when it isn’t. A device with no power can’t do anything. Or can it? Some still argue that the NSA has put chips in our phones that provide power and allow tracking even when the phone is physically powered off (even if the physical battery is pulled).
Whether or not your phone is capable of listening, the browser you use on it certainly is. Around 2013 Google started what’s called hotwording, a feature that allows you to give a simple command that activates the listening mode in Chrome. Others have followed suit, including Apple’s Siri, Microsoft’s Cortana, and Amazon’s Alexa. So your phone, your traditional PC, and that stand-alone device on your coffee table all contain back-end, in-the-cloud services that are designed to respond to voice commands such as “Siri, how far to the nearest gas station?” Which means they listen. And if that doesn’t concern you, know that the searches conducted by these services are recorded and saved indefinitely.12
Indefinitely.
So how much do these devices hear? Actually, it’s a little unclear what they do when they are not answering questions or turning your TV on and off. For example, using the traditional PC version of the Chrome browser, researchers found that someone—Google?—appeared to be listening all the time by enabling the microphone. This feature came to Chrome from its open-source equivalent, a browser known as Chromium. In 2015, researchers discovered that someone—Google?—appeared to be listening all the time. Upon further investigation, they discovered that this is because the browser turns the microphone on by default. Despite being included in open-source software, this code was not available for inspection.
There are several problems with this. First, “open source” means that people should be able to look at the code, but in this case the code was a black box, code that no one had vetted. Second, this code made its way to the popular version of the browser via an automatic update from Google, which users weren’t given a chance to refuse. And as of 2015 Google has not removed it. They did offer a means for people to opt out, but that opt-out requires coding skills so complicated that average users can’t do it on their own.13
There are other, more low-tech ways to mitigate this creepy eavesdropping feature in Chrome and other programs. For the webcam, simply put a piece of tape over it. For the microphone, one of the best defenses is to put a dummy mic plug in the microphone socket of your traditional PC. To do this, get an old, broken set of headphones or earbuds and simply cut the wire near the microphone jack. Now plug that stub of a mic jack into the socket. Your computer will think there’s a microphone there when there isn’t. Of course if you want to make a call using Skype or some other online service, then you will need to remove the plug first. Also—and this is very important—make sure the two wires on the mic stub do not touch so that you don’t fry your microphone port.
Another connected device that lives in the home is the Amazon Echo, an Internet hub that allows users to order movies on demand and other products from Amazon just by speaking. The Echo is also always on, in standby mode, listening to every word, waiting for the “wake word.” Because Amazon Echo does more than a smart TV does, it requires first-time users to speak up to twenty-five specific phrases into the device before they give it any commands. Amazon can tell you the weather outside, provide the latest sports scores, and order or reorder items from its collection if you ask it to. Given the generic nature of some of the phrases Amazon recognizes—for example, “Will it rain tomorrow?”—it stands to reason that your Echo might be listening more than your smart TV is.
Fortunately, Amazon provides ways to remove your voice data from Echo.14 If you want to delete everything (for example, if you plan to sell your Echo to another party), then you need to go online to do that.15
While all these voice-activated devices require a specific phrase to wake up, it remains unclear what each device is doing during downtime—the time when no one is commanding it to do anything. When possible, turn off the voice activation feature in the configuration settings. You can always turn it back on again when you need it.
Joining the Amazon Echo in the Internet of Things, in addition to your TV and thermostat, is your refrigerator.
Refrigerator?
Samsung has announced a model of refrigerator that connects with your Google calendar to display upcoming events on a flat screen embedded in the appliance’s door—kind of like that whiteboard you once had in its place. Only now the refrigerator connects to the Internet through your Google account.
Samsung did several things right in designing this smart fridge. They included an SSL/https connection so traffic between the refrigerator and the Google Calendar server is encrypted. And they submitted their futuristic refrigerator for testing at DEF CON 23—one of the most intense hacker conventions on earth.
But according to security researchers Ken Munro and David Lodge, the individuals who hacked the digital TV communications, Samsung failed to check the certificate to communicate with Google servers and obtain Gmail calendar information. A certificate would validate that the communications between the refrigerator and the Google servers are secure. But without it someone with malicious intent could come along and create his own certificate, allowing him to eavesdrop on the connection between your refrigerator and Google.16
So what?
Well, in this case, by being on your home network, someone could not only gain access to your refrigerator and spoil your milk and eggs but also gain access to your Google account information by performing a man-in-the-middle attack on the fridge calendar client and stealing your Google log-in credentials—allowing him or her to read your Gmail and perhaps do even greater damage.
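The difference between an encrypted connection and a validated one comes down to two client settings. The following is an added example, not Samsung's code: it uses Python's standard ssl module to put a client configured the way the text describes (encrypting, but accepting any certificate) beside a correctly configured one, with a small audit function that tells them apart. The function names and finding labels are chosen here for illustration.

```python
"""Weak versus validated TLS client settings, with a check that tells them apart."""
import ssl


def weak_client_context():
    """Encrypts traffic but accepts ANY certificate, including a forged one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be switched off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # certificate chain is never checked
    return ctx


def chain_only_context():
    """Checks the chain but not the name: a valid certificate issued for any
    other site is accepted as if it belonged to the intended server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def hardened_client_context():
    """Library defaults: chain validated against trusted CAs, host name matched."""
    return ssl.create_default_context()


def audit_context(ctx):
    """Return the validation steps this client context skips."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-chain-validation")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    return findings


def audit_all():
    """Audit the three example configurations and return the results by name."""
    return {
        "weak": audit_context(weak_client_context()),
        "chain_only": audit_context(chain_only_context()),
        "hardened": audit_context(hardened_client_context()),
    }


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or "ok")
```

All three contexts negotiate an encrypted channel; only the last one establishes who is on the other end of it.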
Smart refrigerators are not the norm yet. But it stands to reason that as we connect more devices to the Internet, and even to our home networks, there will be lapses in security. Which is frightening, especially when the thing being compromised is something really precious and private, like your home.
Internet of Things companies are working on apps that will turn any device into a home security system. Your TV, for instance, might someday contain a camera. In that scenario an app on a smartphone or tablet could allow you to view any room in your home or office from any remote location. Lights, too, can be turned on when there is motion inside or outside the house.
In one scenario, you might drive up to your house, and as you do so the alarm system app on your phone or in your car uses its built-in geolocation capabilities to sense your arrival. When you’re fifty feet away, the app signals the home alarm system to unlock the front or garage door (the app on your phone has already connected to the house and authenticated). The alarm system further contacts the in-home lighting system, asking it to illuminate the porch, entryway, and maybe either the living room or kitchen. Additionally, you may want to enter your home while soft chamber music or the latest Top 40 tune from a service such as Spotify is playing on the stereo. And of course the temperature of the house warms or cools, according to the season and your preferences, now that you are home again.
Home alarms became popular around the turn of the twenty-first century. Home alarm systems at that time required a technician to mount wired sensors in the doors and windows of the house. These wired sensors were connected to a central hub that used a wired landline to send and receive messages from the monitoring service. You would set the alarm, and if anyone compromised the secured doors and windows, the monitoring service would contact you, usually by phone. A battery was often provided in case the power went out. Note that a landline usually never loses power unless the wire to the house is cut.
When a lot of people got rid of their copper-wire landlines and relied solely upon their mobile communication services, the alarm monitoring companies began offering cellular-based connections. Lately they’ve switched to Internet-based app services.
The alarm sensors on the doors and windows themselves are now wireless. There is certainly less drilling and stringing of ugly cable, but there is also more risk. Researchers have repeatedly found that the signals from these wireless sensors are not encrypted. A would-be attacker need only listen to the communications between devices in order to compromise them. For example, if I can breach your local network, I can eavesdrop on the communications between your alarm company servers and your in-home device (assuming it’s on the same local network and not encrypted), and by manipulating those communications I can start to control your smart home, spoofing commands to control the system.
Companies are now providing “do-it-yourself” home monitoring services. If any sensors are disturbed, your cell phone lights up with a text message informing you of the change. Or perhaps the app provides a webcam image from inside the house. Either way, you are in control and are monitoring the house yourself. That’s great until your home Internet goes out.
Even when the Internet is working, the bad guys can still subvert or suppress these do-it-yourself wireless alarm systems. For example, an attacker can trigger false alarms (which in some cities the homeowner has to pay for). Devices that create false alarms could be set off from the street in front of your house or up to 250 yards away. Too many false alarms could render the system unreliable (and the homeowner out of pocket for a hefty fee).
Or the attacker could jam the do-it-yourself wireless sensor signals by sending radio noise to prevent communication back to the main hub or control panel. It suppresses the alarm and prevents it from sounding, effectively neutralizing the protection and allowing the criminal to walk right in.
A lot of people have installed webcams in their homes—whether for security, for monitoring a cleaning person or nanny, or for keeping tabs on a homebound senior or loved one with special needs. Unfortunately, a lot of these over-the-Internet webcams are vulnerable to remote attacks.
There’s a publicly available Web search engine known as Shodan that exposes nontraditional devices configured to connect to the Internet.17 Shodan displays results not only from your Internet of Things devices at home but also from internal municipal utilities networks and industrial control systems that have been misconfigured to connect their servers to the public network. It also displays data streams from countless misconfigured commercial webcams all over the world. It has been estimated that on any given day there may be as many as one hundred thousand webcams with little or no security transmitting over the Internet.
Among these are Internet cameras without default authentication from a company called D-Link, which can be used to spy on people in their private moments (depending on what these cameras are set to capture). An attacker can use Google filters to search for “D-Link Internet cameras.” The attacker can then look for the models that default to no authentication, then go to a website such as Shodan, click a link, and view the video streams at his leisure.
To help prevent this, keep your Internet-accessible webcams turned off when they’re not in use. Physically disconnect them to be sure they’re off. When they are in use, make sure they have proper authentication and are set to a strong customized password, not the default one.
If you think your home is a privacy nightmare, wait until you see your workplace. I’ll explain in the next chapter.