I had a dream last night. The dream started with my mother-in-law approaching me and showing me a serious vulnerability she had found which involved the use of Google maps and Amazon Echo IoT devices. The vulnerability allowed her to roam around Google maps and see all Amazon Echo devices around the world, zoom into them and listen to what was going on around them.
Firstly, if you knew my mother-in-law you’d know there wasn’t a hope she’d ever be the person to discover a vulnerability this huge. Secondly, it confirmed I really do eat, sleep and dream IT Security. Thirdly (and most scary of all), it wasn’t so far from the truth. You may or may not have heard of “Weeping Angel” (this isn’t a reference to Dr Who, apparently). Weeping Angel is a tool used by the CIA in the US to turn certain Samsung Smart TVs into microphones in people’s homes. It allowed them to listen to what was being spoken around the TV in the home. This gave me the idea to write a bit about IoT.
What is IoT?
IoT stands for Internet of Things. It refers to internet-connected devices that have been created to enhance our way of life. They’re CCTV cameras that you can view over the internet. They’re washing machines, cars, fridges, heating systems and light bulbs, to name just a few. If a device has internet connectivity and can be controlled, viewed or interacted with via the internet or an app, the chances are it comes within the category of IoT.
The biggest issue with IoT is its level of security. In the early stages of IoT, manufacturers gave more attention to the functionality of the devices than to security. It now means there are stacks of devices out there that are publicly accessible and have little to protect them. This means they can be taken over and used by others for illegal activity, such as building IoT botnets (robot networks) which can then be used to carry out DDoS attacks to take down websites, steal data, send spam email, and give attackers access to the device and everything it is connected to.
This isn’t to say that IoT doesn’t have its place in the home, but it’s important to be more aware of what you have on your network. Personally I have a few Amazon Echo devices. My kids love them, my wife loves them and I get a kick out of being able to switch on my electric blanket in my bedroom on the 3rd floor without having to get off my bum to do it. I do however drum into my family to have a level of awareness of what is around. I’m aware that my Amazon Echo devices are always listening and keeping records of conversations in the home if they think the wake word has been said. This was highlighted in a recent case in the US where US law enforcement wanted access to audio data captured by a suspect’s Amazon Echo device (http://bit.ly/2iqPdNJ). Amazon refused access to the data and it’s open for discussion as to whether this was the right thing or not.
If we ever want to discuss anything of a really sensitive nature at home (which isn’t often) we put our Echos into mute mode or just simply unplug them. The same goes for smartphones. If you’ve ever used “Siri” or “OK Google” on your phone you’ll logically realise that your phone is always listening and potentially recording. Google give you access to review what conversations it’s heard, recorded and kept (http://bit.ly/2wc03BE), but as far as I know the access Apple give you is a little more limited.
I’m a big fan of IoT, but I use it in a controlled manner, and it has its place in today’s internet age. I have awareness of its abilities and flaws. I ensure that all my internet-connected devices at home are behind a moderately substantial firewall, which I build using an old spare computer and monitor on an almost daily basis, and I would like to think I’d know if anything was out of the ordinary. It’s all too easy in this day and age to assume the manufacturers have the security side covered and be lulled into a false sense of security. I’d never trust my front door locks, heating or CCTV to be controlled over the internet, and I’d encourage you to think before you do too.
You may be wondering how hackers find your devices in the first place. Well, let me tell you briefly about Shodan (http://bit.ly/2xmsahc). Shodan is one of those websites that can be used equally for good and bad. Shodan is like Google search, but for IoT and other internet-connected devices: it continually scans the internet and indexes the services and banners that devices expose. It allows a user to search for specific types of device, and for devices running software with known vulnerabilities. This information can then be used either to find and patch vulnerabilities in your own equipment, or by those with nefarious intentions to exploit the vulnerabilities and take control of devices. Hopefully you can see the potential problems here and the ease with which your IoT can be found.
I hope this article will cause you to think about the internet-connected world around you. The internet isn’t going away. IoT isn’t going away. You interact with IoT without even realising it on an almost daily basis. My intention isn’t to put you off using IoT, but just to make you more aware of how you use it and how you involve it in your world.
Alex Cole – Cyber Security Technician