by Jon Sather
September 6, 2017
In the world of espionage, developing and exploiting access to vital sources of information are the primary objectives. And these days, finding a way into information systems seems easier than ever amid the growing number of “smart” devices connected to our homes and businesses. Voice-controlled and hands-free microphones and speakers — Amazon’s Echo and Alexa, Google’s Home Assistant, Apple’s Siri and Microsoft’s Cortana, to name a few — welcome technology into our lives and trumpet the dawn of a new era: the age of artificial intelligence (AI) and the internet of things.
According to their makers, virtual home assistants are “always ready, connected and fast,” “work across your devices, and integrate with hundreds of apps,” and when you “tell it to do things … it’s your own personal Google!” As these devices have proliferated exponentially and gained increasing acceptance, we have quickly adapted our lifestyles to their marvelous and intuitive technology. But take a moment to consider the consequences: Could somebody be using your devices to listen to and record your every move?
A colleague recently purchased Alexa for his home and loves it. “Alexa is up and running, and it’s slick. Seriously … for music it doesn’t get any better.” He has a point: Imagine the possibilities offered by a central device connected to many others, giving you the ability to monitor your home or control your appliances from afar.
“Alexa, start my car and set the air conditioner at 77 degrees. Alexa, play George Harrison’s ‘All Things Must Pass’ album on my car’s audio system. Alexa, remind me to stop at the grocery store after I leave work. Alexa, move all .xml work documents from my laptop to my office computer and file them under ‘Finance.’ Alexa, transfer $200 from my personal checking account to my wife’s debit card.” The last two commands may represent a stretch, but not by much. And if someone gains unauthorized access to your device, these fun and handy perks could quickly become nightmarish.
“Alexa, lock Master out of his car and send a ransom cell text for $800. Alexa, encrypt Master’s MP3 music collection and send him an email saying ‘get your music collection back for $20,000.’ Alexa, turn Master’s sprinkler system on every night from 02:00 to 05:00.”
There’s no doubt that smart devices and the internet of things are useful. The technology they entail is well on its way toward creating an incredible amount of space and latitude in our everyday lives. But how carefully do we really consider how or if we make use of all its possibilities?
A Means to Many Ends
Smart technology carries some responsibility for manufacturers (“do no harm”) and consumers (“caveat emptor”) alike. And indeed, many producers — at least to some extent — put the protection of privacy and the security of information before their profit margins. But an emphasis on caution in the use of smart devices rarely gets the amount of public attention it deserves. After all, what company would drag down its own sales and turn away potential buyers by highlighting the vulnerabilities of its product?
Security experts have decried the internet of things as “ridiculously insecure.” Just think of it: Baby monitors, light switches, security cameras, fire and smoke detectors, thermostats, and locks already are or can be made Wi-Fi ready. Though that’s great news for an individual customer, it’s also great news for companies monitoring consumer spending patterns, for intelligence and law enforcement agencies, and for criminals.
The weaknesses in the internet of things aren’t just a problem for the ordinary citizen, either. Industries and businesses face the same risks, particularly as they move quickly to adapt to and profit from cutting-edge technology. During a recent business meeting at an unnamed high-tech company, a CEO asked: “Is the [industrial] internet of things really moving as fast as the marketers are telling us; that we’ll soon have more connected machines than humans on Earth?” The question was quickly followed by a query about how the firm could best position its capabilities to leverage such rapid growth — a reasonable line of thought for a business hoping to keep up in an ever-changing world.
But for corporate security teams, there’s another matter to consider. Centrally controlled and interconnected smart devices are pathways to industrial targets, whether information, proprietary secrets, business plans or employees’ personal data. And they, too, are vulnerable to espionage by competitors, hackers and hostile state and non-state actors seeking to destroy, disrupt, steal, manipulate or delay data systems in order to achieve their own, at times nefarious, ends.
Tips for Taking Charge of Your Security
Governments haven’t stood idly by as these threats have emerged. Washington, for instance, is considering the implementation of “baseline security protection.” But it isn’t yet clear whether this legislation will be shaped for simplicity or sophistication, for the lowest common denominator or for the most ideal outcome. Then there is the budding world of cyber insurance to consider: As a way to mitigate catastrophic risk, cyber insurance seems increasingly popular and promising, but it is still untested and far from a fail-safe measure.
Without a doubt, government regulation and cyber insurance are necessary components of a comprehensive IT security strategy, but they aren’t sufficient — especially in an environment where security breaches linked to the internet of things are becoming the new norm. Instead, individual consumers and companies will have to take greater responsibility for their own protection by becoming better informed, personally invested and more motivated to invest in securing their devices.
To that end, it’s important to stay aware of the access points that smart devices offer to would-be attackers. Below are 10 vulnerabilities to keep in mind:
- Insecure web interfaces: Many smart devices have built-in web servers that host web-based apps for managing the device. As is true of any web server or web-based app, there could be code flaws that render the device vulnerable to attack. Perpetrators can exploit these weaknesses remotely, and as an August InfoWorld report so aptly stated, users should “Assume the possibility of adversarial attacks on all in-production AI assets.”
- Ineffective authentication or authorization: Though there are often weaknesses in authentication or authorization mechanisms themselves, the failure to make use of the features provided presents an even greater danger. Convenience often trumps security when it comes to consumer behavior, and more often than not, individuals and companies will not take steps to fortify their defenses until they suffer a massive breach.
- Insecure network services: Smart devices may come with services for self-diagnostics, testing and debugging. But if they run on open, insecure or vulnerable ports, they, too, can rip holes in the devices’ security. “Maintenance” services like these may be more likely to contain exploitable code, and though more features are often equated with a better device, it’s important to remember that additional capabilities can come at a price.
- Lack of transport encryption: Most devices have encryption programs that operate seamlessly. But private information sent over an insecure protocol can be read by anyone positioned to intercept it. Connecting to a hotel room’s Wi-Fi or always keeping Bluetooth on may allow an unintended party to access your information. Users in search of additional encryption can investigate the option of using a virtual private network (VPN) or enhanced security apps created by companies like Norton.
- Privacy concerns: Many personal smart devices are configured to share information with friends, family and loved ones. But if the information in a device at rest is not encrypted, anyone who has access to it will have an opportunity to sift through personal data as well. Therefore, it is important to know what information your smart device is sharing by staying aware of app, photo, social media and location auto-share settings.
- Cloud connection: A sizable share of smart devices are connected to the cloud. If those devices feature a cloud management interface, they are more open to a remote attack than are management interfaces connected to the device’s internal network. That said, the latter are also less likely than cloud management interfaces to receive regular security patches.
- Insecure mobile interfaces: Smart devices often feature mobile interfaces. But each new management interface serves as another breach waiting to happen. And because designing secure software is a complex and costly endeavor, it’s not uncommon for producers to take shortcuts. Users should limit their exposure to a level they are comfortable with and update apps routinely. (Updates nearly always include patches intended to improve device security.)
- Insufficient security features: Even for consumers who are well-versed in the perils of personal technology, some smart devices have only limited security features to work with. For example, some products constrain the use of a PIN, while others may not allow the user to select an encryption option or access activity logs. To mitigate the ever-present threat of undetected data theft, look into companies offering better, more secure services, such as McAfee, Norton and PC Matic.
- Insecure software or firmware: Undetected flaws in software or firmware are often found after devices already have been released for sale. Some can be easily fixed with a patch, while others might require a complicated installation. Still others may destroy a device’s ability to function. The same can be said of patches themselves: Fraudulent “fixes” may, in fact, be designed to inject a malicious agent onto a device. Consumers should install only original apps, software updates and patches created by the parent company (Amazon, Microsoft, Apple and Google, for example).
- Refurbished devices: Smart devices that have been outpaced by newer models or abandoned by previous owners often make their way to eBay or Amazon. But if you are buying or selling a refurbished product, it is critical to ensure that the former owner’s access information, data and commands have been wiped. Use caution and good sense, and if you outgrow a device and want to swap it for the latest features, consider destroying the old model and buying its replacement brand-new.
Smart devices have enormous potential to bring positive value to our lives. But they may also bring in the bad. So buyers beware, make a routine of your own security and proceed with caution.