Thursday, November 15, 2018

"Smart" gadgets versus your privacy and security


I've had a few things to say about the so-called "Internet of Things", and how it threatens our personal privacy and security.  Any moderately competent hacker can use such devices as a way to spy on us.  However, it now appears that the authorities are doing the same thing, by forcing the providers of such devices to hand over what they record.  Worse still, the companies in the field are not very helpful in letting their customers know about such issues.

A decade ago, it was almost inconceivable that nearly every household item could be hooked up to the internet. These days, it’s near impossible to avoid a non-smart home gadget, and they’re vacuuming up a ton of new data that we’d never normally think about.

Thermostats know the temperature of your house, and smart cameras and sensors know when someone’s walking around your home. Smart assistants know what you’re asking for, and smart doorbells know who’s coming and going. And thanks to the cloud, that data is available to you from anywhere — you can check in on your pets from your phone or make sure your robot vacuum cleaned the house.

Because the data is stored or accessible by the smart home tech makers, law enforcement and government agencies have increasingly sought data from the companies to solve crimes.

And device makers won’t say if your smart home gadgets have been used to spy on you.

. . .

As helpful and useful as smart home gadgets can be, few fully understand the breadth of data that the devices collect — even when we’re not using them. Your smart TV may not have a camera to spy on you, but it knows what you’ve watched and when — which police used to secure a conviction of a sex offender. Even data from when a murder suspect pushed the button on his home alarm key fob was enough to help convict someone of murder.

Two years ago, former U.S. director of national intelligence James Clapper said the government was looking at smart home devices as a new foothold for intelligence agencies to conduct surveillance. And it’s only going to become more common as the number of internet-connected devices spread. Gartner said more than 20 billion devices will be connected to the internet by 2020.

As much as the chances are that the government is spying on you through your internet-connected camera in your living room or your thermostat are slim — it’s naive to think that it can’t.

There's more at the link.

I won't have a "smart" appliance in my home at all.  If I have to buy one because nothing else is available, I'll make darn sure it can function without an Internet connection, then I'll disable - or, if necessary, physically block or destroy - its ability to make such a connection, or record any information about me on an internal memory device.  I value my privacy, and I'll be damned if I'm going to allow an electronic black box to compromise it, for law enforcement or anyone else.

Peter

10 comments:

Jess said...

The ignorance of consumers is almost unbelievable. Where they would be horrified if some stranger stood in their kitchen recording everything they did, they don't bat an eye at a refrigerator doing the same thing.

Glen Filthie said...

Pbbffbbfbfft.

Fretting about smart gadgets overhearing you as squabble with the wife, or listening in as you sit on the couch watching football - is absurd. It’s like gun grabbers blaming the gun for criminals. Libertarians are the worst: they picture Big Brother, or his Gestapo with the earphones on, intently listening to them as they b*tch about the gubbimint, gathering evidence so that they can swoop in and drag them off to a gulag somewhere.

The forces arrayed against liberty and freedom won’t care about that process at all; look at the tyrants of the past: if they think you are against them, that’s all they need to end you. Saddam Hussein killed innocents by the score just to make political points. In early Soviet Russia, if you didn’t know and blow the right people - you got purged. Ditto for Cambodia, China, Vietnam, and every second third world chit hole in South America or Africa. You didn’t need evidence or courts to remove your enemies - you just kill them.

Which brings us to your real enemies. Hillary Clinton gets four people killed in Benghazi and everyone shrugs: what difference does it make? Instead of being locked up in a cage, she’s running for president. The nation nearly lynched Brett Kavanaugh for daring to apply for a position on the Supreme Court with not one shred of actual evidence against him. Purple faced liberal harpies and cat ladies demand that we believe all women even though they are making false accusations daily. Your judiciary is teetering... and you are worried about high tech toys and shopping aids.

You need to seriously up your game, Pastor. Just my humble opinion.

Aaron said...

Remember: the “S” in IoT stands for “Security”.

Anonymous said...

I'm now asking people I visit what electronic devices they have; if I hear the words "Alexa," "Echo," "Google Home," or "smart TV" I won't go inside. I'm also getting concerned about smart phones, although I'm not aware of any that are "aways on" like Alexa.

Tal Hartsfeld said...

You know that Alexa lady is a confidence trickster don't you?

Beans said...

Glen.

The authorities have already used IoT devices against people. And, quite frankly, if the authorities are listening, even after the fact, then what makes you think the IoT companies, especially Amazon or Google, don't already listen in?

Consider the smart phone with the tracking/location software. I have a friend who loves that her phone 'tells' her what is available as she's driving down the road, popping up shopping and eating selections. This means that something or someone or both are following her every move.

Not to mention that tracking phone movements has aided police and prosecutors in all sorts of investigations.

Loss of privacy due to IoT isn't a sci-fi dream. It is a reality.

Jonathan H said...

Some intelligent devices can be used only inside the home in a 'stand alone' manner; others can't. Most of the cheap and heavily publicized ones require, or are designed to be used, over the internet.

There are some very good ones out there that don't have issues, but they are expensive and you have to look for them - and then you have to work at setting them up properly.

CGR710 said...

I work in Information Security and I can't disagree more with Glen! The first thing you should consider is the fact that IoT devices are very "lightweight" in terms of processing capabilities and the manufacturers use small footprint operating systems so the device can work as intended with the limited processing power available. Most IoT devices I've tested (and believe me, I've tested a lot of them in the last couple of years) use relatively old Linux kernel versions, like the 2.6.32 and even older. The reason is that it's much smaller than the more current versions like 4.12 and they also don't include some features which the limited hardware can't use anyway. The problem with this approach is that those kernel versions have well known and documented vulnerabilities for which there are easily available exploits an attacker can use with minimum effort. The vulnerabilities have not been patched because the kernel version has been long out of support, so when you buy one of these devices you not only get an insecure device, basically you open a door into your home network because the device can also be used for pivoting attacks to other devices inside your home network.
This is just one of the many security risks IoT devices bring into your home, but there are more which I'm not going to describe here, but you should just read the story of Brian Krebs and Mirai.

Beans said...

CGR,

I remember, maybe a year or more ago, IoT devices being used as the portal for denial of service attacks upon places. So what you said ties directly into those incidences.

And, hah. Linux being used for bad things. Gee, all my Linux people out there saying Linux is the Light and Linux is good and Microserf is TEH DEBIL and I've been saying it's because of the limited exposure of Linux and now Linux is so big it's being used for nefarious purposes and the organization (whatever it is) has fallen down the SJW hole. Ha. Always seems the forefront of the "Revolution" is usually lined up against the wall within a relatively short time by the forces of the same revolution. Happens in politics, happens in education, now it's happening in programming.

CGR710 said...

The whole technological "holy war" between Microsoft vs Linux fans is not new - remember Java vs .net or RedHat vs Debian and so on and so forth... This is irrelevant, there is no "good" and "bad" in technology, just in the way it is being used...
As for why most IoT devices use Linux kernel, the reason is as almost always economic - why pay license fees to Microsoft when you can get and even customize the Linux kernel for your IoT device for free...
Anyway, the evolution of the Internet and related services is based on a profoundly insecure suite of protocols. When TCP/IP was designed security wasn't even considered and each security feature was a later add-on to the suite. That makes handling security like a set of overlay functions, detached from but extending the core protocol features. The consensus in the specialist community is that meaningful security needs to be embedded in the main system requirements, but as long as we use TCP/IP (and yes, that includes IPv6) security will remain an overlay.
That means that if you want to keep as much of your security and privacy as possible (and that is very relative in the modern society, given the prevalence of internet connected devices we encounter daily) you should minimize the usage of connected devices, and those you use should be limited in the information about you they store and process. That is becoming increasingly difficult so good luck to you!