The hacker toolkit that helps us to live safer
05/02/2020
Smart speakers, smartphones, vacuum cleaners and other devices connected in our homes place users in the focus of security attacks. Credit: Panumas Nikhomkhai.
ISABEL RUBIO ARROYO | Tungsteno
Beds that detect how long a user is sleeping, washing machines that can choose the most efficient washing program and warn when to buy more detergent, and even smart toilets that analyse urine and monitor a person's health. These are striking and innovative examples of connected devices, increasingly present in our homes in more common forms such as smart light bulbs or thermostats. While they can make our daily lives more comfortable, the unfortunate truth is that they increase the likelihood of cyber-attacks.
There have been many examples in recent years. Back in 2016, a group of security experts managed to hack into one of Samsung's smart refrigerators and intercept communications between the refrigerator and Google Calendar. More recently, in 2019, a surveillance camera installed in the home of politician Pablo Iglesias, Second Deputy Minister of the government of Spain, and his domestic partner, Irene Montero, Minister of Equality of Spain, was hacked and its images could be seen live on the Internet. That same year an attacker managed to hack into smart light bulbs and gain access to private user data such as the Wi-Fi password.
These types of attacks on IoT (Internet of Things) devices are growing all the time. In the first half of 2019 alone they increased sevenfold, according to a study by Kaspersky. In that period, some 105 million attacks on IoT devices were detected from 276,000 unique IP addresses. In a context in which more and more users are covering their laptop cameras while at the same time introducing smart speakers and other devices with microphones and cameras into their homes, ensuring security has become one of the main challenges of the large tech manufacturers.
The Shodan platform, a threat and a defense tool at the same time, allows users to control any IoT device without adequate security. Credit: Hogartec.
Risks from Virtual Assistants
The number of virtual assistants in use worldwide is expected to continue to grow in the coming years. Statista expects the number to rise from 3.25 billion devices in 2019 to 5.11 billion in 2021 and 8 billion in 2023. These devices are also susceptible to cyber-attacks. In fact, a team of cybersecurity researchers at the University of Michigan has shown that it is possible to hack a smart speaker with a laser from up to 50 metres away. Among other actions, they have managed to get Google Assistant, Alexa or Siri to turn lights on or off or to open doors.
What’s more, despite the fact that companies such as Amazon, Google or Apple claim that their virtual assistants are only activated when a command is pronounced, sometimes they are activated by mistake and store private conversations. Former employees who have participated in the listening programs of these companies claim to have heard users discuss private details such as names or bank details.
In addition to the challenge of ensuring the security of these devices, there is also the challenge of safeguarding the privacy of users. Despite assurances from the large tech manufacturers that they are doing so, different experts in artificial intelligence and in privacy and data ownership warn of the risk of introducing connected devices into the home. Companies, and cyber-attackers, can learn their customers' habits perfectly: when they do their laundry, what they eat, what happens in their bathroom and even how their house is laid out. For example, the manufacturer of the popular smart vacuum cleaner Roomba acknowledged in 2017 its intention to sell data with the plans and layouts of the homes that the machine had been collecting in millions of households around the world.
After errors were detected in devices from the main companies, virtual assistants face the challenge of guaranteeing the security of the devices and the privacy of users. Credit: Andres Urena.
A search engine pushing the limits of privacy
This kind of private information could also end up in unwanted hands. There is a platform that allows users to control all kinds of IoT devices without adequate security. It is called Shodan and has been described by different international media as "the most terrifying search engine on the Internet" or "a window into the world of absolute insecurity". Through this platform, users can find all kinds of information: from security cameras, yachts or taximeters to gas stations, license plate readers and medical devices. Also accessible are devices connected in the home such as security cameras, printers, televisions, smart ovens or refrigerators and even video consoles such as PlayStation.
But this search engine, which was created by Swiss computer scientist John Matherly, can also be used to defend users. Manufacturers can check if their devices can be found on this search engine in order to stay ahead of potential attackers, find vulnerabilities in their own devices and fix them.
But staying safe in an IoT world is not only up to the manufacturers; it is also important for users to take some responsibility. Immediately changing the username and password of internet-connected devices should be the first step. "Admin", "root" and "12345" are among the most common codes for these types of devices, according to a report by the cyber security company Symantec. It is also advisable to update the software of the devices to the latest version whenever possible and to disable remote access for IoT devices when it is not strictly necessary.
Tungsteno is a journalism laboratory to scan the essence of innovation. Devised by Materia Publicaciones Científicas for Sacyr’s blog.