How Safe Are IoT Devices for Your Privacy?



The IDC predicts worldwide Internet of Things (IoT) spending to top $772 billion this year.

And then surpass a trillion in just the next few years.

That pace would already place it around the fourth largest industry segment in the US.

You probably already see this trend playing out in your house, with smart devices like televisions, phones, and even refrigerators multiplying like… well, bunnies that love each other very, very much.

All of this sounds great in theory. Your refrigerator will let you know when the milks run dry, and in return, you can tell it to drop the temp so your beer is nice and chilled by the time you get home.

The problem is that the devices that are always on, always listening, and always watching, aren’t secure.

Like, not at all. Not even a little bit.

Which means even you’re sacrificing security for convenience.

Here’s why this is a problem, and what you can do to lock-down your own personal security when every device in your house is listening to you.

Mo’ Devices, Mo’ Problems

The Jetsons allure is appealing.

I mean, who wouldn’t want to be George Jetson. Just push a button and whatever you want appears before your eyes. (Don’t get me started on Jane.)

Incredibly, this iconic show from the sixties is starting to play out all around us.

Every day, dumb household devices are starting to become smart with the help of a little Wi-Fi.

The issue is that the more connected devices you have in your home, the more access points you’re giving to these cyber criminals.

And it’s not exactly difficult to hack IoT devices right now. In fact, it’s downright easy.

Unlike computers or mobile devices, there’s no authentication and encryption built in to many of these home devices. And device makers are reportedly cutting corners on basic cybersecurity measures.

Security expert, Todd Beardsley, relayed how easy hacking IoT devices are to NPR:

Hackers that I know and hang out with refer to Internet of Things hacking as ‘hacking on easy mode,’ or ‘hacking like it’s 1998’

Always-on IoT devices offer malicious hackers the ability to spy on you in your own home. The device and connection are compromised to the point where they start turning these devices against you.

Smart baby monitors, for instance, could be used to listen in on your private conversations. Or to flip around and see if you’re still in vacation so they can break in. Or even creep on a single mother breastfeeding her baby.

True story.

Connected doorbells could be hacked remotely, giving hackers access to the remote camera inside. Thieves could use this technology to find out when you typically leave the house in order to plan a robbery.

This may all sound a little far-fetched, but these examples are already playing out around you.


Take the 2016 Mirai Botnet Attack as a prime example.

A DDoS attack coordinated by a botnet called Mirai targeted IoT devices. Scanning large blocks of the internet, it was able to isolate open telnet ports and used 61 common usernames and passwords that are used as factory defaults with these devices.

Users who never changed their passwords fell victim to the Botnet’s assault, allowing Mirai to take control of closed-circuit cameras and routers all around the world.

Not much has changed in terms of security within the last two years, either.

Unencrypted firmware updates, video streaming communications, plain text servers, and unprotected stored passwords are all the norm when it comes to a lot of the new tech coming out today.

That’s an invitation for cybercriminals to come in and take advantage.

What is being done about it?

If anyone is going to protect you, it has to be you.

There is some helpful legislation being passed that hopes to fix this issue. For example, a proposed bill in California is calling for “reasonable” security features to be a part of all IoT devices sold within the state by 2020.

Congress have also introduced a bill, aiming to improve the security of IoT devices.

Unfortunately, if passed, the bill will only ensure a minimum security standard on devices used by the federal government. Meaning your devices could still be at risk.

But is all of this legislation too little, too late?

Anyone who has watched the Congressional hearings with Zuckerberg and other tech luminaries can agree on one thing:

Those in public office don’t get technology. Their grasp on the reality (and danger) is shockingly outdated best case, and surprisingly naive at worst.

All of which means if anyone is going to protect you, it has to be you.

Start with the Basics: Update Your Devices ASAP

Those notifications are annoying.

They’re easier to ignore and dismiss.

But simply updating your devices, as soon as an update comes out, is the simplest way to avoid exposing loopholes.

Regular firmware updates keep your system secure. That’s because technology is growing and evolving every day. And do you know who stays on the forefront of those advancements? Cybercriminals.

They’re always keeping up with the latest security upgrades, trying to find ways to circumvent them and gain access to your information. Many updates will voluntarily explain security patches they fixed up in previous versions, giving hackers a giant blinking light to where they can wreak the most havoc.

That’s why it’s important that if you’re going to invest in an IoT device, it has to be one that involves regular security upgrades to keep up with the ever changing cyber world.

Computers and phones have learned this. That’s why their updates largely occur automatically. You almost can’t proceed without.

Another IoT-specific problem is how quickly the market is evolving.

Many companies are in a rush to push out their next generation, so they don’t expend much effort on updating older models.

That’s all well and good for the gadget-crazed among us with deep pockets, but the average person will not be able to afford a constant influx of new smart gear.

So, we’re left with old outdated technology that puts our personal data at risk.

How much risk are we facing? Glad you asked!

Device or App Companies are Often the Worst Offenders

 

Gathering and selling the personal information of users to advertising agencies is a hugely lucrative business.

Not all IoT-related threats to your privacy come from hackers or criminals. A lot of the major breaches in security come from the companies you’re purchasing these devices from.

Personal data is the currency of malicious actors and large corporations alike.

We know how malicious actors use your information. They steal your identity, using it to gain access to your financial data. But what about the corporations you’re supposed to trust?

Gathering and selling the personal information of users to advertising agencies is a hugely lucrative business. Look at all of those ‘free’ services you know and love, like YouTube and Facebook.

If they’re not siphoning off your cash, they’re consuming your data and selling it to the highest bidder.

Better targeted ads convert at a higher percentage. So advertisers are ready and willing to spend big to acquire more and more data about your life.

And do you want to know the real kicker here? You give them permission to do it.

Check that Privacy Policy next time.

It’s intentionally long and detailed. It’s intentionally confusing. That way, you get overwhelmed. You don’t ask questions. You just click “Agree” because it was too much of a bother to read.

Unfortunately, there’s some fiiiiiiine print in there that usually has some rubbish about the collection of private information.

Make sure that you read the privacy policy for any service that you use. And when they update it, remember to read it again. If you don’t understand it, do some research or don’t use that product.

Remember, when using a new IoT service you need to know a few things:

  1. Are they keeping my data?
  2. Are they selling it to other companies?
  3. How are they using my data internally?
  4. Are they tracking my activity?

And look for euphemisms or jargon that basically mean those same points.

Literally, every company is doing this to you. The biggest, like your Apples or Googles or Facebooks, are among the worst offenders. Even some free VPNs, which are supposed to protect your private data, collect your information and sell it off.

In a perfect world we could just trust that all of the companies we do business with have our best interests at heart.

Unfortunately, this is far from a perfect world.

I spoke with John Opdenakker, an ethical hacker and cybersecurity blogger, who said:

What end users often don’t realize is that vendors collect massive amounts of data via IoT devices. These data are often stored insecurely which regularly result in data breaches. A famous example is Cloudpets, an IoT toy company that not only leaked the email addresses and passwords of almost half a million users, but also voice recordings of children that used its products.

User Error Often Creates Data Breaches

Take that, puny human.

Today’s encryption standards are excellent. The best-in-class AES-256 that all VPNs use? Virtually impenetrable.

It’s used by banks around the world over for this very reason. No known supercomputers can crack it.

Guess what? Cybercriminals know that, too. That’s why they don’t even bother applying a brute-force attack.

Instead, they go after easier targets:

Humans.

This includes two groups: Those in control of your data, and you, yourself.

Unfortunately, a lot of data breaches boil down to simple, avoidable, user error.

It’s like putting a weapon in the hands of someone untrained in its use. If you don’t know what you’re doing when it comes to these devices, you might unwittingly create a serious situation for yourself.

Most users don’t have a real understanding of what devices they’re buying, and what those devices collect data-wise. That’s because they’re not tech savvy or because they didn’t read that privacy policy.

What truly helps when buying a new device is to ask yourself, “how can this device be used for me?” and “how can this device be used against me?”

The first thing you need to determine is what information you are sharing, and can that information be shared with another party, either through malicious action or corporate sale.

It’s also important to remember that when you buy cheaper devices from a small company and that company goes out of business, there will be no future upgrades to those devices. As the industry moves on and becomes more advanced, your devices will stagnate and become a liability.

Then, it comes down to a few basics. Upgrade devices ASAP. Use passphrases or randomly-generated codes so that your password isn’t “password1234.”

And change your password reminder questions to answers that someone couldn’t find on Facebook (like your mother’s maiden name, or high school mascot).

Cheaper is Not Always Better

In 1981, IBM priced its first PC at $1,565. Adjusting for inflation, that would be near $5,000 in today’s market.

Today, you can buy a small laptop computer for $200 at Walmart. One that’s faster and objectively better. (Although, you did have to take that unfortunate trip to Walmart.)

IoT technology is the same. Thanks to the rapidly falling price of IoT sensors, these devices are going to come down in price as they become more popular and commonplace.

However, in trying to undercut the competition, many developers take unfortunate shortcuts with their hardware. Sometimes this means skirting some security features that would strengthen the safety of the device.

Only 9% of IoT vendor budgets are used for security. And that’s not nearly enough. The results are already apparent:

As device prices fell throughout 2017, DDoS attacks rose by 91%.

Because of this constant war for price supremacy, secured devices may not be affordable in the current market. To properly protect yourself, you have to understand what it is that you’re buying. If you take nothing else from this article, let it be that.

How to Secure Alexa & Google Assistant

Personal assistance Artificial Intelligence programs like Amazon’s Alexa and Google Assistant appear in most houses today.

But did you know that these programs could also pose a risk to your security?

The risk of a hacker or cybercriminal breaking through the systems at Google or Amazon are slimmer than your average mom and pop IoT company, but these huge companies thrive on personal data.

Luckily, it’s easy to secure these devices, making your life simpler while maintaining a sense of privacy. Here’s how.

Amazon Echo (Alexa)

Alexa records everything you say to it.

So if someone accesses your Amazon account, not only can they use it to make purchases, but they can access all of your stored voice recordings.

Sounds trite, but make sure your Amazon password is complex for starters.

Hackers love weak passwords. And if they gain access to Alexa, they’ll know how to arm your home security system, where you go on a daily basis, and other personal information that you’d rather keep to yourself.

One way to make sure your Alexa recordings are never accessed by another user is to delete them regularly. Alexa can even remind you to do it once a month.

We aren’t just talking about those, “Hey Alexa, play that Evermore song from the new Beauty & the Best” conversations, either. (Makes me cry every time.)

Alexa can also record private conversations.

You know what that includes. Now imagine some AI bot is recording everything you say to your spouse and kids, while some blackmailer tries to get their hands on it.

Until deleted, all recordings will remain on Amazon’s cloud.

One issue with deleting recordings is that Alexa relies on that information to learn more about you and personalize its responses over time. If you’re regularly deleting recordings, Alexa will have to relearn those patterns.

A more time consuming but practical solution to this issue is to comb through your recordings manually and only delete sensitive information.

If you do nothing at all, you could be exposed. After all, thousands of people are employed by Amazon to help with Alexa’s voice review process. These teams listen to your private conversations, and even use internal chat rooms to share amusing or unsettling recordings.

Alexa can also be outfitted with third-party skills that can also collect your personal data. Make sure that you’re reading the privacy policies of any skills you install to see what it’s keeping its hands on. (This information can be found on the skill detail page.)

You can (and should) also change Alexa’s “wake word.” That’s the term you use that makes the service start recording. By making it something you rarely say, like “blatherskite” (DuckTales, woohoo!) rather than a common word like “hi,” so Alexa only starts recording when you’re specifically addressing her (err, it).

Still not secure enough for you? No problem. Just explicitly turn off the mic.

Yes, you’ll have to turn it on every time you do want use it. But it’s the simplest way to make sure it won’t inadvertently pick up and record those sensitive conversations next time your boo says, “We have to talk about something.”

Google Home Devices

The first step in securing your Google Home device is to limit the number of personal accounts that you’re connecting to it.

Surprisingly, this is harder than it sounds.

The more smart devices and financial accounts you connect to the service, the more vulnerable you become in the event that Google’s data centers are ever compromised.

Fortunately, all of the data sent through the service is encrypted, so your accounts are only at risk in the event of a large data breach. So it’s a little more secure than Amazon’s Alexa.

Google Home also has a voice-match function. Set this up on the Google Home app, ASAP.

By activating this feature, Google will learn to recognize the voices of authorized users and will give the proverbial cold shoulder to anyone else looking to access your info. Using voice match, Google Home can even personalize the experience based on the user.

If you’re not using voice match and your personal results feature is left activated, anyone using the system can access your personalized data. Remember that non-authorized users can still interact with Google Home when voice match is activated, but your personal data will remain hidden.

Much like we did with Alexa, it’s best to delete old recordings from Google Home as well. The system stores conversations on its servers until a user manually deletes them. So if you’re asking Google about your bank balance or personal data, other users can access those recordings if they gain access to your system.

You can delete any sensitive recordings in the My Activity section of your Google Account.

Google also offers two-factor sign-in authentication, which is a fantastic way to add another level of security to your password. When you try to login to the system you will first enter your password and then a code will be sent to your smartphone that must also be entered.

The only way someone could access your account with two-factor authentication activated is to have your mobile phone in hand.

The most direct way to control what Google Home records is to mute the device when it’s not in use or just turn it off completely.

Secure Your Unencrypted Devices by Locking Down the Connection

A VPN connected to a router will tunnel the entire connection.

Most products do use encryption on some level.

Thankfully, most daily services — like Google — do too.

Unfortunately, others, like the vast majority of IoT ones currently, do not.

Of course, “don’t buy them” is bad advice. In some cases, you can’t help it. Smart devices will invade your kitchen and living rooms one day very soon.

So instead of encrypting the un-encryptable device, you can also start by locking-down the internet connection itself.

That way, those pesky devices have no choice (and no say) in divulging your privacy to anyone who knows how to run a basic brute-force attack.

The first option is a firewall to prevent unwanted access. Most computers come with a built-in firewall, however, that’s not going to help your smart refrigerator. This is where a network-based firewall could come in handy.

A hardware network firewall, like those included in many wireless routers, can be a decent security upgrade. This one option can instantly add protection to every system connected to your home network in one fell swoop.

But firewalls are not an easy fix to all of your security woes. While they block harmful transmissions, firewalls do not act as an antivirus program. So a hacking attack initiated through email would be an easy way to get around your security.

A VPN connected to a router, on the other hand, will tunnel the entire connection.

That means you’re always-on, protected no matter where your internet travels take you. It also uses the latest-and-greatest encryption standard, which prevents a simple password from unlocking access to your bank account.

You can’t force IoT device makers to protect you. You’re just going to have to protect yourself, instead.

Leave a comment

Write a comment

Your email address will not be published. Required fields are marked*