Dangers Of [b]The Internet Of Things[/b]
Jun 12, 2014 17:38:00 #
Dangers Of The Internet Of Things
The Internet of Things refers to objects (including people and pets with digital implants) that can be assigned electronic unique identifiers that communicate with each other machine-to-machine (M2M) through an Internet-like structure. Devices enabled for IoT can be controlled remotely using nothing more than a smartphone.
Marshall Honorof of Tom's Guide described the utility of IoT in a "smart home." "Using Wi-Fi-enabled devices, you can control your home's temperature, monitor your grounds, unlock your doors, control your lights and keep your food fresh." But if you can control these devices over the Internet, so can a hacker. "Any device with an operating system can be hacked, be it a thermostat, TV or even a toilet," Honorof wrote.
The problem is that in the enthusiastic rush to develop and market these nifty gee-whiz gadgets, little thought has been given to security. "In recent years, consumers have generally been wise enough to protect their computers from cybercriminals and harmful software. They've begun to protect their mobile devices in the same way, but their household electronics are woefully unprepared for the next wave of cyberattacks," Honorof warned.
Honorof reported: "'Motion sensors, sirens, window and door sensorsthose are marketed as secure devices with the assumption that ... it would be very difficult for an attacker to [target them],' said Behrang Fouladi, a security researcher at SensePost. 'This assumption is not correct.'"
The Black Hat computer security conference last summer featured presentations on the vulnerabilities of smart home devices and the serious lack of security protection in currently available devices.
Writing for The Washington Post, Danny Yadron reported from the conference: "Daniel Crowley can pick a dead-bolt lock without ever seeing the door. From his computer, Mr. Crowley can also disarm a home-security system, open a garage door and turn off lights. He just needs those gadgets to be connected to the Interneta step consumers are increasingly taking to control facets of their lives using smartphones and tablets... For fun, Mr. Crowley also recently hacked an automated toilet made by Lixil Corp., a Japanese company, in such a way that he could make it flush or play music, one of its advertised features, by remote command."
Yadron reported: "'As we increase the smarts of everything, it really means more attack surfaces,' said Aaron Grattafiori, a security researcher at iSEC Partners in San Francisco who is one of the researchers who hacked a Samsung TV.
"'A lot of the times a manufacturer will worry about time to market and deadlines and hasn't done any security review,' said David Bryan, a senior security consultant at Trustwave, who worked with Crowley on a home-hacking project for a Chicago firm."
A stranger turning your lights on and off or flushing your electronic toilet may be an unnerving inconvenience but is not a real threat of harm to you. Shutting down your security system and unlocking your doors is another matter. Thieves can walk right into your home and walk out with your goods without the noise of smashing a window or the suspicious act of prying open your door. Imagine trying to convince the police and your insurance company you were robbed when there is no sign of forced entry.
Hackers may not want to rob you. They may just want to spy on you. Do you have a baby cam in your house? One creepy hacker took over a baby cam and even spoke to the child.
Have you given your kid one of those cute radio-controlled toys with a built-in webcam? Hackers can use it to peep on activities in your house and explore it when you're gone. Heather Kelly reported on CNN: "Software engineer Jennifer Savage bought a cute bunny toy called Karotz for her daughter. The plastic bunny can be controlled from a smartphone app and is outfitted with a video camera, microphone, RFID chip a speakers. After testing the security of the toy, Savage was able to take control of the [sic] it from a computer and remotely watch live video, turning it into an unwitting surveillance camera."
Forbes journalist Kashmir Hill decided to find out firsthand just how easy it is to hack into eight homes of total strangers. All she needed was the Internet and Google. She found that the popular wireless remote control system Insteon is vulnerable, as are competitors. She had access to the homes' lighting systems, TV, garage doors, security cameras and other devices via the Internet. Incredibly, the systems were searchable online. Hill was able to access private information like family names and addresses, and gain full control over the home systems.
In her hair-raising report, Hill said, "The homes all have an automation system from Insteon that allows remote control of their lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices, so that their owners can turn these things on and off with a smartphone app or via the Web. The dumb thing? Their systems had been made crawl-able by search enginesmeaning they show up in search resultsand due to Insteon not requiring user names and passwords by default in a now-discontinued product, I was able to click on the links, giving me the ability to turn these people's homes into haunted houses, energy-consumption nightmares, or even robbery targets. Opening a garage door could make a house ripe for actual physical intrusion."
Hill not only could control devices in the homes but had access to information about the occupants. "Sensitive information was revealednot just what appliances and devices people had, but their time zone (along with the closest major city to their home), IP addresses and even the name of a child; apparently, the parents wanted the ability to pull the plug on his television from afar. In at least three cases, there was enough information to link the homes on the Internet to their locations in the real world."
There's an app that can monitor and take control of your car. There's one to track your eating habits. There's an app to turn your home phone into a remote listening device (like the spy movie "Bugs").
According Reuters, the home automation market was worth $1.5 billion in 2012. It's only going to get exponentially bigger. Microsoft and Google are both working to develop home operating systemsMicrosoft's HomeOS and Google's Android@Hometo unify all the smart objects in a household and make them easy to control and monitor from a single dashboard on your mobile phone.
Software architect Troy Hunt blogs about a "perfect storm" of exploits threatening the Internet of Things:
1. An increasingly large number of devices are getting IP addresses. "Inherent risk that a device that can be controlled remotely can end up being controlled by a malicious party."
2. Devices within internal networks are being controlled externally. We've already seen many prior incidents of personal security cameras being inadvertently exposed publicly, now it's going to be cameras, home security, toilet seats and so on and so forth.
3. There's a race to "get connected." "The rush for vendors to compete in this extremely fast moving market will inevitably result in rushing aspects of the product design and we know very well from past incidents that security is one of the areas most frequently overlooked in favor of delivering features."
4. Our levels of personal security awareness still suck. "59% of accounts that were common across both Gawker and Yahoo! Voices shared the same password. Password reuse and other sloppy practices such as predictable (or even memorable) passwords are one thing when it means an attacker can make comments under your name on a media site, it's quite another when they can unlock your front door."
5. Our levels of developer security awareness also suck. Network security breaches are often in the news. "What if the same people who built [those systems] are also building the interfaces for your IP-enabled home automation?"
Computer security experts say the only way to be completely safe is to avoid buying the "smart" gadgets altogether. But that means being deprived of the convenience they offer, which will be too much for many people to resist.
After her successful hacking into strangers' homes, Forbes' Hill compiled a list of "10 Incredibly Simple Things You Should Be Doing To Protect Your Privacy" (to guard your privacy in general, not just smart home devices):
1. Password protect your devices: your smartphone, your iPad, your computer, your tablet, etc. "Choosing not to password protect these devices is the digital equivalent of leaving your home or car unlocked."
2. Put a Google Alert on your name. "This is an incredibly easy way to stay on top of what's being said about you online. It takes less than a minute to do."
3. Sign out of Facebook Twitter, Gmail, etc. when you're done with your emailing, social networking, tweeting, and other forms of time-wasting. "Not only will this slightly reduce the amount of tracking of you as you surf the Web, this prevents someone who later sits down at your computer from loading one of these up and getting snoopy. If you're using someone else's or a public computer, this is especially important."
4. Don't give out your email address, phone number, or ZIP code when asked. "Obviously, if a sketchy dude in a bar asks for your phone number, you say no. But when the asker is a uniform-wearing employee at a store such as Best Buy, many a consumer hands over their digits when asked. Stores often use this info to help profile you and your purchase. You can say no."
5. Encrypt your computer. "Encrypting your computer means that someone has to have your password (or encryption key) in order to peek at its contents should they get access to your hard drive."
6. Gmailers, turn on 2-step authentication in Gmail. "This simple little step turns your phone into a security fob in order for your Gmail account to be accessed from a new device, a person (hopefully you) needs a code that's sent to your phone. This means that even if someone gets your password somehow, they won't be able to use it to sign into your account from a strange computer."
7. Pay in cash for embarrassing items. "Don't want a purchase to be easily tracked back to you? You've seen the movies! Use cash."
8. Change Your Facebook settings to "Friends Only." "Visit your Facebook privacy settings. Make sure this 'default privacy' setting isn't set to public, and if it's set to 'Custom,' make sure you know and are comfortable with any 'Networks' you're sharing with."
9. Clear your browser history and cookies on a regular basis. "Go to the 'privacy' setting in your Browser's 'Options.' Tell it to 'never remember your history.' This will reduce the amount you're tracked online. Consider a browser add-on like TACO to further reduce tracking of your online behavior."
10. Use an IP masker. "When you visit a website, you leave a footprint behind in the form of IP information. If you want to visit someone's blog without their necessarily knowing it's you say if you're checking out a biz competitor, a love interest, or an ex you should consider masking your computer's fingerprint, which at the very least gives away your approximate location and service provider."
Any information that flows through wires or the air is vulnerable and can be intercepted and manipulated by anyone with the motivation, knowledge, and equipment to do so. Don't make it easy for them.
Sources:
http://en.wikipedia.org/wiki/Internet_of_Things
http://news.yahoo.com/hacking-internet-things-204510448.html
http://motherboard.vice.com/blog/the-internet-of-things-can-be-hacked-too
http://en.wikipedia.org/wiki/Black_Hat_Briefings
http://www.cnn.com/2013/08/02/tech/innovation/hackable-homes/
http://motherboard.vice.com/blog/the-internet-of-things-can-be-hacked-too
http://online.wsj.com/news/articles/SB10001424127887323997004578640310932033772
http://www.troyhunt.com/2013/01/inviting-hackers-into-our-homes-via.html
The Internet of Things refers to objects (including people and pets with digital implants) that can be assigned electronic unique identifiers that communicate with each other machine-to-machine (M2M) through an Internet-like structure. Devices enabled for IoT can be controlled remotely using nothing more than a smartphone.
Marshall Honorof of Tom's Guide described the utility of IoT in a "smart home." "Using Wi-Fi-enabled devices, you can control your home's temperature, monitor your grounds, unlock your doors, control your lights and keep your food fresh." But if you can control these devices over the Internet, so can a hacker. "Any device with an operating system can be hacked, be it a thermostat, TV or even a toilet," Honorof wrote.
The problem is that in the enthusiastic rush to develop and market these nifty gee-whiz gadgets, little thought has been given to security. "In recent years, consumers have generally been wise enough to protect their computers from cybercriminals and harmful software. They've begun to protect their mobile devices in the same way, but their household electronics are woefully unprepared for the next wave of cyberattacks," Honorof warned.
Honorof reported: "'Motion sensors, sirens, window and door sensorsthose are marketed as secure devices with the assumption that ... it would be very difficult for an attacker to [target them],' said Behrang Fouladi, a security researcher at SensePost. 'This assumption is not correct.'"
The Black Hat computer security conference last summer featured presentations on the vulnerabilities of smart home devices and the serious lack of security protection in currently available devices.
Writing for The Washington Post, Danny Yadron reported from the conference: "Daniel Crowley can pick a dead-bolt lock without ever seeing the door. From his computer, Mr. Crowley can also disarm a home-security system, open a garage door and turn off lights. He just needs those gadgets to be connected to the Interneta step consumers are increasingly taking to control facets of their lives using smartphones and tablets... For fun, Mr. Crowley also recently hacked an automated toilet made by Lixil Corp., a Japanese company, in such a way that he could make it flush or play music, one of its advertised features, by remote command."
Yadron reported: "'As we increase the smarts of everything, it really means more attack surfaces,' said Aaron Grattafiori, a security researcher at iSEC Partners in San Francisco who is one of the researchers who hacked a Samsung TV.
"'A lot of the times a manufacturer will worry about time to market and deadlines and hasn't done any security review,' said David Bryan, a senior security consultant at Trustwave, who worked with Crowley on a home-hacking project for a Chicago firm."
A stranger turning your lights on and off or flushing your electronic toilet may be an unnerving inconvenience but is not a real threat of harm to you. Shutting down your security system and unlocking your doors is another matter. Thieves can walk right into your home and walk out with your goods without the noise of smashing a window or the suspicious act of prying open your door. Imagine trying to convince the police and your insurance company you were robbed when there is no sign of forced entry.
Hackers may not want to rob you. They may just want to spy on you. Do you have a baby cam in your house? One creepy hacker took over a baby cam and even spoke to the child.
Have you given your kid one of those cute radio-controlled toys with a built-in webcam? Hackers can use it to peep on activities in your house and explore it when you're gone. Heather Kelly reported on CNN: "Software engineer Jennifer Savage bought a cute bunny toy called Karotz for her daughter. The plastic bunny can be controlled from a smartphone app and is outfitted with a video camera, microphone, RFID chip a speakers. After testing the security of the toy, Savage was able to take control of the [sic] it from a computer and remotely watch live video, turning it into an unwitting surveillance camera."
Forbes journalist Kashmir Hill decided to find out firsthand just how easy it is to hack into eight homes of total strangers. All she needed was the Internet and Google. She found that the popular wireless remote control system Insteon is vulnerable, as are competitors. She had access to the homes' lighting systems, TV, garage doors, security cameras and other devices via the Internet. Incredibly, the systems were searchable online. Hill was able to access private information like family names and addresses, and gain full control over the home systems.
In her hair-raising report, Hill said, "The homes all have an automation system from Insteon that allows remote control of their lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices, so that their owners can turn these things on and off with a smartphone app or via the Web. The dumb thing? Their systems had been made crawl-able by search enginesmeaning they show up in search resultsand due to Insteon not requiring user names and passwords by default in a now-discontinued product, I was able to click on the links, giving me the ability to turn these people's homes into haunted houses, energy-consumption nightmares, or even robbery targets. Opening a garage door could make a house ripe for actual physical intrusion."
Hill not only could control devices in the homes but had access to information about the occupants. "Sensitive information was revealednot just what appliances and devices people had, but their time zone (along with the closest major city to their home), IP addresses and even the name of a child; apparently, the parents wanted the ability to pull the plug on his television from afar. In at least three cases, there was enough information to link the homes on the Internet to their locations in the real world."
There's an app that can monitor and take control of your car. There's one to track your eating habits. There's an app to turn your home phone into a remote listening device (like the spy movie "Bugs").
According Reuters, the home automation market was worth $1.5 billion in 2012. It's only going to get exponentially bigger. Microsoft and Google are both working to develop home operating systemsMicrosoft's HomeOS and Google's Android@Hometo unify all the smart objects in a household and make them easy to control and monitor from a single dashboard on your mobile phone.
Software architect Troy Hunt blogs about a "perfect storm" of exploits threatening the Internet of Things:
1. An increasingly large number of devices are getting IP addresses. "Inherent risk that a device that can be controlled remotely can end up being controlled by a malicious party."
2. Devices within internal networks are being controlled externally. We've already seen many prior incidents of personal security cameras being inadvertently exposed publicly, now it's going to be cameras, home security, toilet seats and so on and so forth.
3. There's a race to "get connected." "The rush for vendors to compete in this extremely fast moving market will inevitably result in rushing aspects of the product design and we know very well from past incidents that security is one of the areas most frequently overlooked in favor of delivering features."
4. Our levels of personal security awareness still suck. "59% of accounts that were common across both Gawker and Yahoo! Voices shared the same password. Password reuse and other sloppy practices such as predictable (or even memorable) passwords are one thing when it means an attacker can make comments under your name on a media site, it's quite another when they can unlock your front door."
5. Our levels of developer security awareness also suck. Network security breaches are often in the news. "What if the same people who built [those systems] are also building the interfaces for your IP-enabled home automation?"
Computer security experts say the only way to be completely safe is to avoid buying the "smart" gadgets altogether. But that means being deprived of the convenience they offer, which will be too much for many people to resist.
After her successful hacking into strangers' homes, Forbes' Hill compiled a list of "10 Incredibly Simple Things You Should Be Doing To Protect Your Privacy" (to guard your privacy in general, not just smart home devices):
1. Password protect your devices: your smartphone, your iPad, your computer, your tablet, etc. "Choosing not to password protect these devices is the digital equivalent of leaving your home or car unlocked."
2. Put a Google Alert on your name. "This is an incredibly easy way to stay on top of what's being said about you online. It takes less than a minute to do."
3. Sign out of Facebook Twitter, Gmail, etc. when you're done with your emailing, social networking, tweeting, and other forms of time-wasting. "Not only will this slightly reduce the amount of tracking of you as you surf the Web, this prevents someone who later sits down at your computer from loading one of these up and getting snoopy. If you're using someone else's or a public computer, this is especially important."
4. Don't give out your email address, phone number, or ZIP code when asked. "Obviously, if a sketchy dude in a bar asks for your phone number, you say no. But when the asker is a uniform-wearing employee at a store such as Best Buy, many a consumer hands over their digits when asked. Stores often use this info to help profile you and your purchase. You can say no."
5. Encrypt your computer. "Encrypting your computer means that someone has to have your password (or encryption key) in order to peek at its contents should they get access to your hard drive."
6. Gmailers, turn on 2-step authentication in Gmail. "This simple little step turns your phone into a security fob in order for your Gmail account to be accessed from a new device, a person (hopefully you) needs a code that's sent to your phone. This means that even if someone gets your password somehow, they won't be able to use it to sign into your account from a strange computer."
7. Pay in cash for embarrassing items. "Don't want a purchase to be easily tracked back to you? You've seen the movies! Use cash."
8. Change Your Facebook settings to "Friends Only." "Visit your Facebook privacy settings. Make sure this 'default privacy' setting isn't set to public, and if it's set to 'Custom,' make sure you know and are comfortable with any 'Networks' you're sharing with."
9. Clear your browser history and cookies on a regular basis. "Go to the 'privacy' setting in your Browser's 'Options.' Tell it to 'never remember your history.' This will reduce the amount you're tracked online. Consider a browser add-on like TACO to further reduce tracking of your online behavior."
10. Use an IP masker. "When you visit a website, you leave a footprint behind in the form of IP information. If you want to visit someone's blog without their necessarily knowing it's you say if you're checking out a biz competitor, a love interest, or an ex you should consider masking your computer's fingerprint, which at the very least gives away your approximate location and service provider."
Any information that flows through wires or the air is vulnerable and can be intercepted and manipulated by anyone with the motivation, knowledge, and equipment to do so. Don't make it easy for them.
Sources:
http://en.wikipedia.org/wiki/Internet_of_Things
http://news.yahoo.com/hacking-internet-things-204510448.html
http://motherboard.vice.com/blog/the-internet-of-things-can-be-hacked-too
http://en.wikipedia.org/wiki/Black_Hat_Briefings
http://www.cnn.com/2013/08/02/tech/innovation/hackable-homes/
http://motherboard.vice.com/blog/the-internet-of-things-can-be-hacked-too
http://online.wsj.com/news/articles/SB10001424127887323997004578640310932033772
http://www.troyhunt.com/2013/01/inviting-hackers-into-our-homes-via.html
Jun 13, 2014 16:49:24 #
Jun 13, 2014 17:12:32 #
If you want to reply, then register here. Registration is free and your account is created instantly, so you can post right away.
Check out Travel Photography - Tips and More section of our forum.