When your stuff spies on you
The Internet of Things brings surprising risks and security threats
In October 2016, hackers hit a company called Dyn. Hackers are people who write computer programs that can break into other computer programs. And here, their target was an important one. Dyn makes sure the right website pops up when you type in a web address. After the hack, people around the world had trouble getting to many websites, including Amazon, Netflix and Twitter.
In the aftermath of the attack, security experts reported finding that flaws in the Internet of Things had made the problem worse. The Internet of Things is the collection of everyday objects that can gather information and then share it online. These objects use built-in sensors and other small devices to interact with the environment around them.
For example, “smart” basketballs or soccer balls can collect data on shooting skills to help a player improve. Smart dolls can recognize their owners and have friendly conversations. Smart cars can monitor the road for signs of danger. Even an ordinary house can become a smart home. A heater might shut itself off when it senses that the house is empty, for example. Or a lamp might turn itself off after a child falls asleep.
The possibilities are almost endless. But storing data about your life online — and all the time — brings hidden risks.
Smart devices collect, store and use data about the world around them. Some of these data help the device function. They might be personal — like a user’s address, eating habits or daily routines. Someone who eavesdrops on that person’s internet connection could steal those data or tamper with a device. A hacker who can crack a family’s “smart” garage door opener might gain access to their entire home.
Even without a hack, the company that makes a device may use the data in ways a user doesn’t realize. Experts say that people who use smart devices need to know who sees their data and how a company will use it. But that’s not always easy to figure out, notes Earlence Fernandes. He’s a computer scientist at the University of Michigan, in Ann Arbor, who works on network security.
The scientists who study the new ways we connect devices in our world are worried about security. They know that every new device brings new hacking risks. By focusing on those risks, however, researchers also can work on installing safeguards — and maybe stop an attack from stealing our data, our privacy and our safety.
In October’s Dyn attack, the hackers’ computer program manipulated smart objects connected to one another. Their malicious, or harmful, computer code made many of these devices send out junk messages. These messages overloaded Dyn’s servers. Servers are computers or software that run programs or do calculations at the request of other machines. Security experts say devices that are part of the Internet of Things have security flaws that make them vulnerable to being used in this way.
In the Dyn case, hackers used people’s devices to attack a company – without the people knowing. However, experts worry that hackers could use those devices to hack individuals, too.
Some devices are especially vulnerable, says Fernandes. And he should know. He recently used some to outsmart a smart house.
At a conference earlier this year, Fernandes and his team reported on their most recent project. They hacked into devices that had been connected to Samsung’s SmartThings system. People who use this system can download hundreds of applications, or apps, for computer-controlled devices around the home. Then homeowners can use their smartphones to control their ovens or refrigerators, for example. They can raise or lower window shades or turn off lights with a tap on a phone’s screen. Users also can design their own apps.
Fernandes and his team wrote computer programs to invade a SmartThings system. One app that they made could send a bogus signal, setting off a fire alarm. They wrote another app that spied on a homeowner’s activities. It recorded the code that a person used to unlock the front door. Then the app texted the code to a waiting thief. That sneaky app could let someone pick a lock and get inside a house — just by using a smartphone.
“Malicious apps are easy to write,” says Fernandes. And they can be created to look just like ordinary, useful programs, he adds. “They’re difficult for a user to identify just by looking at the name.” That means people who download a new program to make their lives easier may later learn that they’ve opened their digital door to hackers.
It’s all about your data
Electronic devices go everywhere with us. And the companies that make those devices collect data about us all the time. Most of us barely notice.
Companies like Facebook and Google track the websites we visit. Based on where we browse, they choose the ads we see on-screen. Cell phone companies keep track of where customers go and how they use their devices. These companies can make money by selling such data to marketing companies that create ads.
Connected devices in the Internet of Things are similar. They record a person’s actions. They have access to personal information and can use it in ways that are hard to see.
In late 2015, the toy company Mattel released Hello Barbie. It looks like an ordinary Barbie, but isn’t. Hello Barbie comes with a hidden microphone and speaker. It uses built-in computer programs to recognize a person’s voice. It also connects to the internet. Hello Barbie can have conversations with children and record these conversations.
Soon after Hello Barbie appeared, computer scientists became alarmed. They said the toy had security problems. For example, they showed how hackers could break into a parent’s account and listen to conversations between a child and the doll. So the same technology that made Hello Barbie “smart” also made it possible for some stranger to spy on children in their own homes.
Maria Ebling is a computer scientist at IBM’s Thomas J. Watson Research Center in Yorktown Heights, N.Y. She says parents and children can make good decisions if they understand their gadgets. “They should be aware of what sensors are there to make them work,” she warns.
In many cases, users may still want the device. Yet even if they understand how it works, they will still be vulnerable. Connected devices open a person’s life to hackers. Consider the smart home again. If hackers get into the system and access data, they can learn about you. And with those data, they can start to plan bigger thefts. For instance, “They know what time you’re home, or when you’re on vacation,” notes computer scientist Sye Loong Keoh. He studies computer security at the University of Glasgow campus in Singapore.
The weak link
Hackers and marketers aren’t the only ones interested in learning about you. Government spy agencies are in the game, too. These include the U.S. National Security Agency, or NSA. In January 2014, a former NSA worker released secret documents from the agency. Those documents revealed a lot of surprising information. They showed that NSA wanted to use data from Angry Birds, a popular game, to spy on people. So did a spy agency in Great Britain. Like other apps, Angry Birds sends personal information over the internet — where it can be stolen. The NSA figured out how to intercept that flow.
Keoh says security has never been a priority for Internet of Things devices. Their creators often don’t even consider the risks. Most smart devices send and receive data with wireless technology. That means that instead of using cables, they use radio waves. Data sent that way are hard to protect. “We’re not really sure if it’s secure enough,” he says. Right now, most companies don’t protect data “from end to end” — meaning from the device to your phone (and back again).
“They won’t care about security until devices are hacked,” Keoh says.
Right now, there aren’t laws about security that the makers of Internet of Things devices must follow. That’s partly because the technology has been changing so quickly.
Jonathan Margulies helped write a book for students and experts called Security in Computing. He lives in the Washington, D.C. area. Companies that make Internet of Things devices care more about selling people new technologies than about security, he charges. “They’re rushing to get something out,” he says. As a result, they don’t build in protection. That decision is driven by money. Simply put: It costs more to develop a more secure product.
And updates would need to be issued as new threats emerged (much as software companies issue regular updates now for popular office programs).
A big company like Apple invests in security because so many people already use its products. If Apple’s iPhones, iPads and other devices weren’t secure, people would stop buying them. But most device companies aren’t that big. They just want to attract new customers.
Moreover, the designers’ skills tend to focus on a new application, not on the highly sophisticated ability to think like a hacker and then lock the digital doors before a data thief enters.
If security concerns stopped people from buying a new product, that would change, says Margulies. Companies would start to put a premium on making secure products and advertising the safeguards. However, most people don’t make product purchases based on security. They focus instead on products that make their lives easier or more fun.
How to be smart about smart devices
“We know how to solve many of the [security] problems,” says Jason Hong. He’s a computer scientist at Carnegie Mellon University in Pittsburgh, Pa. This means it should be possible for people to protect themselves and still to join the Internet of Things.
One solution is easy: Change your password. “People don’t like passwords,” Hong says. Many people use the same password for years. Moreover, many people choose passwords that are remarkably simple, he adds — “like 12345, or their names.” To make a device more secure, change each password often. (And don’t use obvious ones like “12345” or your name!)
October’s big attack highlights that vulnerability. The hacked gadgets all had default passwords that users hadn’t changed after installing the devices. As a result, the passwords were easy for the malicious computer program to successfully guess.
Hong also says a little caution can go a long way. He knows it is tempting to buy every new Internet of Things gadget. “There are all these cool kinds of potential devices,” he says. And it can be hard to tell which are secure. That’s why Hong recommends that people wait a few weeks after a new gadget appears before buying it. “My general rule of thumb is,” he says: “Don’t be the first penguin in the water.”
Ebling, at IBM, recommends people find out what data the product makers will be collecting. When people start using a new app or device, they often must agree to a document provided by the developer. This usually means clicking a button that says “I Agree.”
That document includes information about what information is collected and how the company will use it. Ebling says it’s important to actually read those long documents with tiny print. Pay attention to the terms that they outline. “We should never click through [and say] ‘Yes yes yes, I agree,’” she says. She knows that’s not easy. “The terms are hard to read,” she says. Still, it’s important for kids and parents alike to know what an app is doing. After all, she points out, many programs collect far more data than they need.
Adults aren’t the only ones who need to be smart about security, Ebling argues. “Kids have an important role to play here.” Sometimes it’s children who can educate their parents.
Most parents did not grow up having to worry about this type of security. They may not be aware of the risks that come with Internet of Things devices and other apps. They also may not realize that some of these programs allow users to adjust their privacy settings and limit which data — or how many data — they share.
As more devices join the Internet of Things, security may improve. Fernandes, who hacked a smart house, says he’s been talking to Samsung about how to boost security. He says SmartThings has been making improvements. “We did some attacks,” he says, “and now, we are looking at defenses.”
The field needs computer scientists who can think like hackers. They have to be able to find flaws in new devices. Fernandes says he thinks his personality was suited to this area of science. “It’s a natural reaction,” he says. “I look at a system and think, how can I break it? Is it really secure?”
Margulies says those questions are typical of scientists who study security. These are people who “can’t help trying to break things all the time,” he says. That’s the same thing a hacker wants to do. But instead of stealing data or interfering with a person’s life, computer-security scientists want to make the world safer.
This is the second of a two-part series. You can read part one here.