Monday, April 16, 2018

This is why "connected" appliances are a bad idea


I've spoken out before against the so-called "Internet of things" in our homes.  They hold hidden dangers.
  • Frankly, I don't see any need for a "smart thermostat" that can be adjusted from my smartphone, when that means someone else can hack into it and potentially invade my privacy.
  • I think "smart security cameras" that I can operate from my smartphone, anywhere in the country, are an ideal tool for would-be burglars or home invaders, who can monitor them to select the best time to commit their crimes.
  • "Smart door locks" are an invitation to hackers to open my doors for themselves - or just leave them open for their amusement.

Now comes the news that "smart appliances" have resulted in at least two hacks of commercial establishments.

Nicole Eagan, the CEO of Darktrace, told the WSJ CEO Council Conference in London on Thursday: "There's a lot of internet-of-things devices, everything from thermostats, refrigeration systems, HVAC systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface, and most of this isn't covered by traditional defenses."

Eagan gave one memorable anecdote about a case Darktrace worked on in which a casino was hacked via a thermometer in an aquarium in the lobby.

"The attackers used that to get a foothold in the network," she said. "They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud."

Robert Hannigan, who ran the British government's digital-spying agency, Government Communications Headquarters, from 2014 to 2017, appeared alongside Eagan on the panel and agreed that hackers' targeting of internet-of-things devices was a growing problem for companies.

"With the internet of things producing thousands of new devices shoved onto the internet over the next few years, that's going to be an increasing problem," Hannigan said. "I saw a bank that had been hacked through its CCTV cameras, because these devices are bought purely on cost."

There's more at the link.

Greater convenience versus poorer security.  Guess what's more important, at least to anyone with common sense?

Peter

8 comments:

Snowdog said...

Some 'smart' devices can be left dumb. My wife bought a TV that she looked up how to skip that part of the setup. As far as the TV and the company that made it thinks, it's just being used as a display monitor. Would have preferred to buy one where that wasn't even an issue-but nowadays, that's not an option. Everything is 'smart.' Even the copiers and printers I work on report back to a server-though the only info they report is the counter, number of rotations of motors, error and jam codes and estimated life on the replaceable parts. My company's stuff is designed to make servicing the equipment better-not to spy. Sadly not everyone does that.

Old NFO said...

Which is why I stay with a 'dumb' house...

Rick T said...

If your internet gateway allows a 'guest' network that's a good place to put all your blu-ray players and IP TV boxes. They can stream your videos but not see you PCs.

+1 on not having IP-connected thermostats, cameras, refrigerators (???) etc.

Divemedic said...

What do you think is more likely:
A super smart hacker that uses a vulnerability in your smart locks to open your house, or
An ordinary burglar who simply kicks in the door?

C. G. R. said...

Actually you got a lot of hacks as a service available on the darknet so you'll probably going to see a steep increase of "smart" burglaries.
The more IoT and smart devices you have the broader the attack surface you present to attackers. It's even worse than that: these devices can be used as part of attacks to higher profile targets and you get to be responsible for that (look up Mirai for example).
Stay with "dumb" devices!

Borepatch said...

I have worked with some scary smart security researchers. One liked to say "Boot it and They will come."

JC said...

A neighbor of mine, an old friend (she's not old, I am) has a non-internet pushbutton combo lock on her front door, set to simple numbers. Like Square root of 3. Or the numerical value of e.

Hllbillygirl G said...

Peter, this is late, sorry, wrkng.
Have had a series of odd coincidences of late.
#1. had an email conversation with a friend regarding her new pool. Soon after, I began receiving ads for pool chemicals. I don't own a pool. This lead me to realize that 'someone' was tracking not only the web of my contacts, but the actual of my letters. Snowden's leaks actually confirmed my suspicions, yet he has been vilified as a traitor, and no one seems concerned that their letters are being read.
#2. was in the car, a new ford explorer, having a conversation with my partner regarding an obscure 70s artist. When we reached our destination, lo and behold, my newsfeed had an article about this very same person! Odd, I thought. Then,
#3 happened. In same car with partner, two days later, having a conversation about what to do with his dad, recently diagnosed with alzheimers. Got home, and lo and behold, the FRONT page article in my newsfeed was about new developments in Alzheimers care! (WTF) This lead me to conclude that the microphone in the car or the cellphone was picking up our conversations, interpreting content, and somehow connecting voice to my computer and placing tailored content in my feed. G Gordon Liddy went to prison for less.
Then,
#4 happened. I called my tech-savvy college daughter to ask if these were mere coincidences, or if we really are being listened to, and am in tinfoil hat territory. She confirmed that yes, its possible, probable even, but that as we're not 'up to no good,' it really didn't matter, did it. I was seething, she was blase, we commenced talking about her dog, and the flea problems shes having in Texas. We hung up, and she called me back five minutes later saying her Pintrest feed was now flooded with ads for Frontline.
Having lived most of my life without electricity or media, I am now massively creeped out and thinking of just ditching the tech. Web of contacts, check. Content of emails, check. Private conversations, check. Phone conversations, check. You can email any followup to
Jennifer at jjennwalker@aol.com