When your stuff spies on you

The Internet of Things brings surprising risks and security threats
Feb 2, 2017 — 7:10 am EST
security camera

“Smart” devices can gather video or other information and share it over the internet, making our lives easier. But they may also invite hackers into our homes.

PHOTOGraphicss /istockphoto

In October 2016, hackers hit a company called Dyn. Hackers are people who write computer programs that can break into other computer programs. And here, their target was an important one. Dyn makes sure the right website pops up when you type in a web address. After the hack, people around the world had trouble getting to many websites, including Amazon, Netflix and Twitter.

In the aftermath of the attack, security experts reported finding that flaws in the Internet of Things had made the problem worse. The Internet of Things is the collection of everyday objects that can gather information then share it online. These objects use built-in sensors and other small devices to interact with the environment around them.

For example, “smart” basketballs or soccer balls can collect data on shooting skills to help a player improve. Smart dolls can recognize their owners and have friendly conversations. Smart cars can monitor the road for signs of danger. Even an ordinary house can become a smart home. A heater might shut itself off when it senses that the house is empty, for example. Or a lamp might turn itself off after a child falls asleep.

smart fridge
Not so smart? Appliances like smart refrigerators that connect to the internet can offer hackers new ways to steal information.
LGEPR/Wikimedia (CC BY 2.0)

The possibilities are almost endless. But storing data about your life online — and all the time — brings hidden risks.

Smart devices collect, store and use data about the world around them. Some of these data help the device function. They might be personal — like a user’s address, eating habits or daily routines. Someone who eavesdrops on that person’s internet connection could steal those data or tamper with a device. A hacker who can crack a family’s “smart” garage door opener might gain access to their entire home.

Even without a hack, the company that makes a device may use the data in ways a user doesn’t realize. Experts say that people who use smart devices need to know who sees their data and how a company will use it. But that’s not always easy to figure out, notes Earlence Fernandes. He’s a computer scientist at the University of Michigan, in Ann Arbor, who works on network security.

The scientists who study the new ways we connect devices in our world are worried about security. They know that every new device brings new hacking risks. By focusing on those risks, however, researchers also can work on installing safeguards — and maybe stop an attack from stealing our data, our privacy and our safety.

Breaking in

In October's Dyn attack, the hackers' computer program manipulated smart objects connected to one another. Their malicious, or harmful, computer code made many of these devices send out junk messages. These messages overloaded Dyn's servers. These are computers or software that run programs or do calculations at the request of other machines. Security experts say devices that are part of the Internet of Things have security flaws that make them vulnerable to being used in this way.

In the Dyn case, hackers used people's devices to attack a company – without the people knowing.  However, experts worry that hackers could use those devices to hack individuals, too.

Some devices are especially vulnerable, says Fernandes. And he should know. He recently used some to outsmart a smart house.

At a conference earlier this year, Fernandes and his team reported on their most recent project. They hacked into devices that had been connected to Samsung’s SmartThings system. People who use this system can download hundreds of applications, or apps, for computer-controlled devices around the home. Then homeowners can use their smartphones to control their ovens or refrigerators, for example. They can raise or lower window shades or turn off lights with a tap on a phone’s screen. Users also can design their own apps.

Fernandes and his team wrote computer programs to invade a SmartThings system. One app that they made could send a bogus signal, setting off a fire alarm. They wrote another app that spied on a homeowner’s activities. It recorded the code that a person used to unlock the front door. Then the app texted the code to a waiting thief. That sneaky app could let someone pick a lock and get inside a house — just by using a smartphone.

“Malicious apps are easy to write,” says Fernandes. And they can be created to look just like ordinary, useful programs, he adds. “They’re difficult for a user to identify just by looking at the name.” That means people who download a new program to make their lives easier may later learn that they’ve opened their digital door to hackers.

It's all about your data

Electronic devices go everywhere with us. And the companies that make those devices collect data about us all the time. Most of us barely notice.

Companies like Facebook and Google track the websites we visit. Based on where we browse, they choose the ads we see on-screen. Cell phone companies keep track of where customers go and how they use their devices. These companies can make money by selling such data to marketing companies that create ads.

hello barbie
This is the Hello Barbie doll, which can have conversations with its owner. However, computer scientists found that outsiders can hack Hello Barbie and spy on kids.
Mattel

Connected devices in the Internet of Things are similar. They record a person's actions. They have access to personal information and can use it in ways that are hard to see.

In late 2015, the toy company Mattel released Hello Barbie. It looks like an ordinary Barbie, but isn’t. Hello Barbie comes with a hidden microphone and speaker. It uses built-in computer programs to recognize a person’s voice. It also connects to the internet. Hello Barbie can have conversations with children and record these conversations.

Soon after Hello Barbie appeared, computer scientists became alarmed. They said the toy had security problems. For example, they showed how hackers could break into a parent’s account and listen to conversations between a child and the doll. So the same technology that made Hello Barbie “smart” also made it possible for some stranger to spy on children in their own homes.

Maria Ebling is a computer scientist at IBM’s Thomas J. Watson Research Center in Yorktown Heights, N.Y. She says parents and children can make good decisions if they understand their gadgets. “They should be aware of what sensors are there to make them work,” she warns.

In many cases, users may still want the device. Yet even if they understand how it works, they will still be vulnerable. Connected devices open a person’s life to hackers. Consider the smart home again. If hackers get into the system and access data, they can learn about you. And with those data, they can start to plan bigger thefts. For instance, “They know what time you’re home, or when you’re on vacation,” notes computer scientist Sye Loong Keoh. He studies computer security at the University of Glasgow campus in Singapore.

The weak link

Hackers and marketers aren’t the only ones interested in learning about you. Government spy agencies are in the game, too. These include the U.S. National Security Agency, or NSA. In January 2014, a former NSA worker released secret documents from the agency. Those documents revealed a lot of surprising information. They showed that NSA wanted to use data from Angry Birds, a popular game, to spy on people. So did a spy agency in Great Britain. Like other apps, Angry Birds sends personal information over the internet — where it can be stolen. The NSA figured out how to intercept that flow.

Story continues below image. 

730_angry_birds_screenshot.png
Games like Angry Birds collect and send information about users. The National Security Agency eavesdropped on that information to spy on people.
Rovio

Keoh says security has never been a priority for Internet of Things devices. Their creators often don’t even consider the risks. Most smart devices send and receive data with wireless technology. That means that instead of using cables, they use radio waves. Data sent that way are hard to protect. “We’re not really sure if it’s secure enough,” he says. Right now, most companies don’t protect data “from end to end” — meaning from the device to your phone (and back again).

“They won’t care about security until devices are hacked,” Keoh says.

Right now, there aren’t laws about security that the makers of Internet of Things devices must follow. That’s partly because the technology has been changing so quickly.

Jonathan Margulies helped write a book for students and experts called Security in Computing.  He lives in the Washington, D.C. area.  Companies that make Internet of Things devices care more about selling people new technologies than about security, he charges. “They’re rushing to get something out,” he says. As a result, they don’t build in protection. That decision is driven by money. Simply put: It costs more to develop a more secure product.

And updates would need to be issued as new threats emerged (much as software companies issue regular updates now for popular office programs).

A big company like Apple invests in security because so many people already use its products. If Apple’s iPhones, iPads and other devices weren’t secure, people would stop buying them. But most device companies aren’t that big. They just want to attract new customers.

Moreover, the designers’ skills tend to focus on a new application, not on the highly sophisticated ability to think like a hacker and then lock the digital doors before a data thief enters.

If security concerns stopped people from buying a new product, that would change, says Margulies. Companies would start to put a premium on making secure products and advertising the safeguards. However, most people don’t make product purchases based on security. They focus instead on products that make their lives easier or more fun.

How to be smart about smart devices

“We know how to solve many of the [security] problems,” says Jason Hong. He’s a computer scientist at Carnegie Mellon University in Pittsburgh, Pa. This means it should be possible for people to protect themselves and still to join the Internet of Things.

One solution is easy: Change your password. “People don’t like passwords,” Hong says. Many people use the same password for years. Moreover, many people choose passwords that are remarkably simple, he adds — “like 12345, or their names.” To make a device more secure, change each password often. (And don’t use obvious ones like “12345” or your name!)

easy password
Stay safer online by changing your password, and choosing something a hacker can't guess.
designer491/istockphoto

October's big attack highlights that vulnerability. The hacked gadgets all had default passwords that users hadn't changed after installing the devices. As a result, the passwords were easy for the malicious computer program to successfully guess.

Hong also says a little caution can go a long way. He knows it is tempting to buy every new Internet of Things gadget. “There are all these cool kinds of potential devices,” he says. And it can be hard to tell which are secure. That’s why Hong recommends that people wait a few weeks after a new gadget appears before buying it. “My general rule of thumb is,” he says: “Don’t be the first penguin in the water.”

Ebling, at IBM, recommends people find out what data the product makers will be collecting. When people start using a new app or device, they often must agree to a document provided by the developer. This usually means clicking a button that says “I Agree.”

That document includes information about what information is collected and how the company will use it. Ebling says it’s important to actually read those long documents with tiny print. Pay attention to the terms that they outline. “We should never click through [and say] ‘Yes yes yes, I agree,’” she says. She knows that’s not easy. “The terms are hard to read,” she says. Still, it’s important for kids and parents alike to know what an app is doing. After all, she points out, many programs collect far more data than they need.

Adults aren’t the only ones who need to be smart about security, Ebling argues. “Kids have an important role to play here.” Sometimes it’s children who can educate their parents.

Most parents did not grow up having to worry about this type of security. They may not be aware of the risks that come with Internet of Things devices and other apps. They also may not realize that some of these programs allow users to adjust their privacy settings and limit which data — or how many data — they share.

privacy settings
Kids can help their parents check the privacy settings in the apps they use.
Daviles/istockphoto

As more devices join the Internet of Things, security may improve. Fernandes, who hacked a smart house, says he’s been talking to Samsung about how to boost security. He says SmartThings has been making improvements.  “We did some attacks,” he says, “and now, we are looking at defenses.”

The field needs computer scientists who can think like hackers. They have to be able to find flaws in new devices. Fernandes says he thinks his personality was suited to this area of science. “It’s a natural reaction,” he says. “I look at a system and think, how can I break it? Is it really secure?”

Margulies says those questions are typical of scientists who study security. These are people who “can't help trying to break things all the time,” he says. That’s the same thing a hacker wants to do. But instead of stealing data or interfering with a person’s life, computer-security scientists want to make the world safer.

This is the second of a two-part series. You can read part one here.

Power Words

(for more about Power Words, click here)

app     Short for application , or a computer program designed for a specific task.

application     A particular use or function of something.

browser (in computing) The software program or application that someone uses to find and retrieve information from web pages on the internet.

code (in computing) To use special language to write or revise a program that makes a computer do something.

coding    A slang term for developing computer programming — or software — that performs a particular, desired computational task.

computer program     A set of instructions that a computer uses to perform some analysis or computation. The writing of these instructions is known as computer programming.

computer science     The scientific study of the principles and use of computers.

data     Facts and/or statistics collected together for analysis but not necessarily organized in a way that gives them meaning. For digital information (the type stored by computers), those data typically are numbers stored in a binary code, portrayed as strings of zeros and ones.

digital     (in computer science and engineering)  An adjective indicating that something has been developed numerically on a computer or on some other electronic device, based on a binary system (where all numbers are displayed using a series of only zeros and ones).

hack     (in computing) To get unapproved — often illegal — access to a computer, usually to steal or alter data or files. Someone who does this is known as a hacker.

internet     An electronic communications network. It allows computers anywhere in the world to link into other networks to find information, download files and share data (including pictures).

Internet of Things     The network of physical objects that have been equipped with electronic devices to let them gather and share information. This allows these objects to observe and interact with their environment.

marketing     The strategy for getting people to adopt a new policy or buy new products. In many cases, the marketing may rely on advertising or getting celebrities and other trendsetters to endorse a policy or product.

network     A group of interconnected people or things.

online     A term that refers to things that can be found or done on the internet.

radio waves     Waves in a part of the electromagnetic spectrum; they are a type that people now use for long-distance communication. Longer than the waves of visible light, radio waves are used to transmit radio and television signals; it is also used in radar.

sensor     A device that picks up information on physical or chemical conditions — such as temperature, barometric pressure, salinity, humidity, pH, light intensity or radiation — and stores or broadcasts that information. Scientists and engineers often rely on sensors to inform them of conditions that may change over time or that exist far from where a researcher can measure them directly. (in biology) The structure that an organism uses to sense attributes of its environment, such as heat, winds, chemicals, moisture, trauma or an attack by predators.

server     A term for a computer — and especially the software on it — that provides services (hence, the name server) to other computers. A server computer program, for instance, stands ready to fulfill requests by its clients (which are other computer programs). For instance, a web server pulls up website pages or other files upon request. The web browser that you use on your computer to find things on the internet is one type of client. It calls up files from a web server.

Singapore     An island nation located just off the tip of Malaysia in southeast Asia. Formerly an English colony, it became an independent nation in 1965. Its roughly 55 islands (the largest is Singapore) comprise some 687 square kilometers (265 square miles) of land, and are home to more than 5.3 million people.

smart device     Some product or machine that can send information to and retrieve information from the internet, or that can be controlled via the internet, such as by using an app on a smartphone.

smartphone     A cell (or mobile) phone that can perform a host of functions, including search for information on the internet.

software     The mathematical instructions that direct a computer’s hardware, including its processor, to perform certain operations.

sophisticated     A term for something that is advanced, complex and/or elegant.

Twitter     An online social network that allows users to post messages (called tweets) containing no more than 140 characters.

Web     (in computing) An abbreviation of World Wide Web, it is a slang term for the internet.

Citation

Journal: S. L. Keoh et al. Securing the Internet of Things: A standardization perspective. IEEE Internet of Things Journal. June 2014. doi: 10.1109/JIOT.2014.2323395.

Meeting: E. Fernandes, et al. Security analysis of emerging smart home applications. 2016 IEEE Symposium on Security and Privacy. May 2016. San Jose, Calif.