They see you when you're sleeping.
IoT devices are at once a grotesquerie for the security- and
privacy-conscious, and a delicious, convenient poison. And chances are
pretty good you got one as a holiday gift.
You might say we're in the heyday of IoT — though a significant number
of infosec professionals might be more inclined to call it the apex of
the Internet of Shit. They have a point. Even just a glance at recent
headlines is enough to convince anyone that the so-called smartness of
these products is a bit lacking.
Just last week, an Amazon customer's GDPR request to see his data
resulted in him being sent 1,700 Alexa voice files belonging to someone
else, which included conversations between two people. The man wasn't an
Alexa user himself, but he did manage to figure out whose files they
actually were.
Amazon said the situation was the result of human error and an isolated
incident. Yet it's hard to shake the feeling that all our misgivings
about basically being spied on have been validated. It's probably cold
comfort for anyone who got an Echo for the holidays.
Perhaps you got a smart thermostat this year? In January, we reported on
an East Coast ISP that decided the best way to crack down on internet
bandwidth hogs was to throttle their connection. The ISP warning letter
openly threatened suspected file-sharers that they might be cut off from
their webcams and connected thermostats. That was bad enough, and it
kind of gave connected thermostat makers an idea for soft-sell extortion
posing as a subscription service that promises to "enhance" your
devices with "efficient settings."
Maybe you got a Sonicare toothbrush and it wants to know your location
at all times. Or a hot tub that can be hacked and remotely controlled.
What about a connected vibrator that can spy on you? Did you really want
those Tommy Hilfiger connected jeans that track you in exchange for
"one-of-a-kind rewards and experiences"? Hey, and some people only found
out this year that their Vizio TV might've spied on them in 2015.
Yep, it all feels wrong. Surprisingly, California lawmakers have been
thinking the same thing. The state's Information Privacy: Connected
Devices Act goes into effect January 1, 2020, banning default and
pre-loaded passwords.
"The new regulation mandates device manufacturers to either create a
unique password for each device at the time of production or require the
user to create one when they interact with the device for the first
time," we reported. "According to the bill, it applies to any connected
device, which is defined as a 'physical object that is capable of
connecting to the internet, directly or indirectly, and that is assigned
an Internet Protocol address or Bluetooth address."
Remember that time a botnet shut down a huge swath of the internet by
using connected devices? Well, that's the threat this bill hopes to
mitigate by forcing better password practices on device makers, and, by
extension, on the people who set those devices up. But the real
problem, of course, is that IoT device companies have been (and still
are) terrible about considering our security and privacy. Ten years and
counting, and they still just aren't thinking it through.
So if you've read this far and have laugh-cringed along the way about
potentially demonic toothbrushes, our collective fear of Amazon becoming
Skynet and Ring's scary AI profiling, you may be feeling helpless. Or
mad. Or disgusted. All of the above makes sense, actually. It's too late
for us to do anything about how the companies screw up. But we're not
as helpless as we feel.
If you got anything over the holidays that asks for a password even
once, or that you notice has a password field anywhere: change it ASAP.
Make it unique to that device (never one you already use for a website
or another gadget), and at the very least not something on any commonly
used passwords list. This stops attackers (like botnets and jerky
hackers) from logging in with default or leaked credentials, hijacking
your device, spying on you or leapfrogging onto your home network to do
more nefarious things.
For instance, the one thing that would've prevented a hacker from
getting into a man's Nest security camera this month -- and talking to
him -- would have been a strong, unique password. "The hacker couldn't
see images through the camera and didn't know where Gregg lived, he
said. But he told Gregg such information wouldn't be hard to find,"
reported the Arizona Republic. "The man then recited a password Gregg
had used for multiple websites."
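The two failures above, a password that sits on a commonly used list and a password reused across sites, are exactly what a setup screen (or you, before typing one in) can check for. The example below is added here and is not from the article or from any device maker; its ten-entry blocklist is a constructed stand-in for a real list of commonly used passwords (the real ones run to millions of entries), the leet-speak normalization is a deliberate simplification, and the `reused` set stands in for whatever a password manager already knows you use elsewhere.

```python
import re
import secrets
import string
from typing import Collection

# Constructed stand-in for a real commonly-used-passwords list. A real
# check would load a large list and compare against it the same way.
COMMON_PASSWORDS_RAW = [
    "password", "123456", "qwerty", "admin", "letmein", "welcome",
    "iloveyou", "dragon", "monkey", "sunshine",
]

# Substitutions attackers undo before comparing, so "P@ssw0rd1" is
# treated as "password". This map is a simplification, not a standard.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                          "3": "e", "4": "a", "5": "s", "7": "t"})


def canonical(pw: str) -> str:
    """Lower-case, drop trailing digits/punctuation, then undo leet-speak.

    Stripping happens before the leet substitution so that a trailing "1"
    or "2019!" is removed instead of being turned into a letter.
    """
    lowered = pw.lower()
    stripped = re.sub(r"[0-9\W_]+$", "", lowered)
    return stripped.translate(LEET_MAP)


COMMON_PASSWORDS = {canonical(p) for p in COMMON_PASSWORDS_RAW}


def is_common(pw: str) -> bool:
    """True if the candidate is a trivial variant of a blocklisted password."""
    return canonical(pw) in COMMON_PASSWORDS


def password_problems(pw: str, reused: Collection[str] = ()) -> list:
    """Return the reasons a candidate device password is weak (empty == OK).

    `reused` is a constructed set of passwords already used elsewhere; a
    password manager would supply the real one.
    """
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if is_common(pw):
        problems.append("variant of a commonly used password")
    if pw in reused:
        problems.append("already used on another site or device")
    return problems


def new_device_password(length: int = 20) -> str:
    """Generate a random password that is unique to one device.

    Uses the OS CSPRNG via `secrets`; a password manager does the same
    job, the point is simply that every device gets a different one.
    """
    alphabet = string.ascii_letters + string.digits + "-_.!"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed: one password the owner has already used on other sites.
    reused_elsewhere = {"Sunshine2018"}
    for pw in ["P@ssw0rd1", "Admin2019!", "Sunshine2018",
               "correct-horse-battery-staple"]:
        print(f"{pw!r}: {password_problems(pw, reused_elsewhere) or 'ok'}")
    print("fresh device password:", new_device_password())
```

Run it as a script to see each candidate's verdict; the "Sunshine2018" case fails both ways at once, a common-list variant that is also reused, which is the combination the Nest intruder in the story relied on.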
One strong way to protect yourself as well as your friends and family
from your connected gifts and their often-invasive, poorly-secured apps
is to deny them access to your contacts. It may not be possible with
some, but do it if you can. The opportunity to say "no" is during the
setup process. Doing so will keep attackers and careless companies from
scraping your contacts, using them for marketing purposes or putting
them in a database profile to sell, rent or trade with third parties
(like Facebook does). Remember that story in May, when Amazon sent Echo
conversations to a user's contacts? Keeping Alexa out of your address
book will prevent "accidents" like that.
If you missed your chance, some allow you to revoke it (they just don't
make it easy or convenient). For instance, you can revoke access to your
contacts with Amazon's Alexa (Echo) by calling the company's customer
service at 877-375-9365. The process isn't quick and will curtail the
device's ability to send messages, but as we're all becoming more aware,
convenience and security are often at odds.
Another step you can take is to do a little homework on your connected
device. Find out whether it stores your data, where, and for how long,
and whether you can delete it, just so you know your risks. See whether
the device encrypts its traffic and the data it stores. If it doesn't,
think really hard about whether you really want to use it. Search the
product's name on Twitter to see whether any security professionals are
talking about it, and what they're saying. Google it together with the
words "privacy" and "security" as well as "hacked", and check for news
articles as well.
It's hard to imagine our lives now without IoT devices. It's painfully
obvious that few gave much thought to user privacy and security -- plus,
the devices mostly don't work the way they're supposed to. While we
welcome their inventions into our homes with a mixture of delight,
trepidation and amusement at the humiliation of their security teams,
it's good that we're wearing our "cynical" hats. Because it's probably
going to get a lot dumber before it gets smarter.