Smart Appliances Have a Dark Side

There have been many instances of smart appliances and personal devices being hacked, and with each instance comes more realization of the dark side of Internet-connected devices.

by Waterloo-Cedar Falls Courier, Iowa / March 17, 2017

(TNS) -- When Vizio was fined $2.5 million in February for secretly collecting and selling data about customers’ locations, demographics and viewing habits obtained from 11 million “smart TV” sets, it reaffirmed qualms about the dark side of internet-accessible appliances.

It also brought back memories of an October cyberattack when websites — Amazon, Twitter, PayPal, Reddit, CNBC, Vox and more, all clients of Dyn, which provides internet domain names and infrastructure services — became inaccessible after vandals perpetrated a distributed denial of service (DDoS) attack.

The attack underscored the vulnerability of the “Internet of Things” — internet-linked products without security such as TVs, DVRs, routers, wireless printers, surveillance cameras and baby monitors. They morphed into a “target system” of “botnets,” sending more than 150,000 requests for information per second, overwhelming Dyn’s system, which searches for web pages via internet protocol numbers whenever a domain name is entered.

The instigators weren’t identified. State-sponsored fingerprints weren’t found, but the attack could have been outsourced on the so-called “darknet” with its “Hackforums” engaging criminals.

Last week, WikiLeaks’ biggest documents dump yet — 7,818 web pages with 943 attachments from the CIA’s Center for Cyber Intelligence’s “Vault 7” dated 2013-16 — revealed the potential for spying through smartphones, computers, smart TVs and household appliances and accessing Skype, WiFi networks, PDF formats and commercial antivirus programs.

WikiLeaks’ claim that the CIA had breached the encryption used by the WhatsApp, Signal, Telegram and iMessage services was unfounded, but the agency can penetrate Android phones and iPhones to collect “audio and message traffic before encryption is applied.”

The revelations created a number of concerns, including damage to surveillance efforts against potential terrorists once technology companies patch vulnerabilities, a step that also protects us against everyday hackers. WikiLeaks redacted the computer codes but will provide the information to the companies involved.

WikiLeaks stated the documents had “circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

That recalled Edward Snowden, a National Security Agency contractor working for consulting firm Booz Allen who disclosed widespread global surveillance activities in 2013. Another former Booz Allen contractor, Harold Martin, allegedly stole secrets for 20 years from the NSA and three other intelligence agencies before being apprehended last year.

Reuters reported, “Government agencies estimate that there is one insider threat for every 6,000 to 8,000 employees, an intelligence agency contractor said, speaking on condition of anonymity for fear of upsetting his employer. The contractor said there is too much sharing of information internally, with many workers having access to material they do not need.”

Former President Barack Obama issued a 2011 executive order creating the National Insider Threat Task Force after former Army private Bradley (now Chelsea) Manning provided hundreds of thousands of State Department cables to WikiLeaks. Federal employees now are expected to monitor co-workers for suspicious actions based on behavioral profiling. Failure to report high-risk people or behaviors could result in criminal charges. Computer network monitoring also is used to detect “suspicious user behavior.”

Concerns also exist about whether the intelligence agencies are overreaching.

The Guardian in Britain reported some programs were developed in a “joint workshop with MI5/BTSS, the British Security Service” as well as overseas hackers. The CIA is prohibited from domestic spying, but foreign intelligence could do its bidding, although no such evidence exists. It also could share programs with domestic agencies.

Reports that the CIA could monitor Samsung smart TVs manufactured in 2012 and 2013 for viewing habits or use them as listening devices appear overblown. Forbes reported the CIA can’t do it remotely and would need to attach a USB device. Turning off “voice recognition” in the smart features menu could thwart voice recording.

However, given 72 percent of all new TVs are “smart,” it’s potentially a fertile field for surveillance. Add to that 8.4 billion connected “things” in use, according to the Gartner research firm.

The Washington Post reported the WikiLeaks dump includes a 2014 “Potential Mission Areas” document for the CIA’s “Embedded Devices Branch,” including hacking car systems. WikiLeaks envisions the possibility of “nearly undetectable assassinations.” Information and entertainment systems made by QNX (now BlackBerry) on 50 million cars are potentially vulnerable.

In fact, independent security researchers have been able to disable brakes and control steering, resulting in recalls. German researchers were able to unlock and start 24 different models by remotely gaining access to wireless key fobs.

The revelations create a conundrum. While surveillance techniques using advanced technology can be appreciated as applications enhancing national security, they also create qualms about the potential intrusion into daily lives. In addition, the intelligence agencies can’t keep this Pandora’s box shut, raising the specter of nefarious hackers — state-sponsored or criminals — accessing the information, which is exceedingly worrisome.

©2017 Waterloo-Cedar Falls Courier (Waterloo, Iowa) Distributed by Tribune Content Agency, LLC.
