
Smart home devices have many security risks and threats to be exploited by hackers and Intelligence agencies for mass surveillance

The rise of the digital era has brought with it many wondrous changes to our daily lives, not least of which is the fact that we now carry digital assistants with us everywhere we go in the form of smartphones, tablets, and laptop computers. At the same time, these connected devices are open to misuse by terrorists as well as by intelligence agencies, both for counterterrorism operations and for mass surveillance of their own citizens.

 

In 2013, Edward Snowden revealed the NSA collects personal data on every American, as well as many more people worldwide. But it’s not only the NSA spying on its own people. Its counterparts at the CIA (Central Intelligence Agency) are also spying on and hacking targets of interest. In March 2017, WikiLeaks published thousands of documents it said revealed hacking tools the CIA developed to break into servers, smartphones, computers and TVs.

 

U.S. District Court Judge James E. Boasberg, who serves in the District of Columbia and the FISA court, made his sweeping and condemnatory assessment in October 2018 in a 138-page ruling, which was declassified by the U.S. government in August 2020. The declassified FISA court ruling revealed that the FBI is the most prolific miner of data about “U.S. persons,” a legal term that means any U.S. citizen or foreign national legally in the country. Queries of this data are known as “backdoor searches.” In 2017, the FBI ran approximately 3.1 million searches related to U.S. persons, compared to 7,500 combined searches by the CIA and NSA during the same year. Many of the FBI’s searches were not legally justified because they did not involve a predicated criminal investigation or other proper justification for the search, as required by law, according to Boasberg’s FISA court ruling.

 

“Government surveillance is a worldwide phenomenon that cuts across geographies, economic development, societal well-being, and institutional design, with alarming levels of government surveillance in countries such as Austria, Colombia, India, Kuwait and the UK,” the report said. Technology has given security agencies the ability to do way more than just tap calls or hack e-mails. Now they can track every movement and hack most forms of communication. They can watch over you with satellite imagery, heat maps, facial recognition and gait analysis.

 

By 2025, it is predicted that there could be as many as 100 billion connected IoT devices: a network of everyday objects and sensors infused with intelligence and computing capability. These devices will comprise personal devices such as smart watches, digital glasses and fitness monitoring products, food items, home appliances, plant control systems, equipment monitoring and maintenance sensors and industrial robots. Smart homes use internet-connected IoT devices, such as light switches and fridges, that can autonomously flick on your lights, open doors, or even alert you when you’re running low on milk. But all this convenience and connectivity come at a price. Namely, smart-home devices are prone to a plethora of security vulnerabilities that can put your data or property at risk if you’re not careful.

 

The rapid growth in IoT and smart devices, however, will offer new opportunities for hacking, identity theft, disruption, and other malicious activities affecting people, infrastructure and the economy. Some incidents have already happened: an internet-connected fridge was used as part of a botnet to send spam to tens of thousands of Internet users. A Jeep Cherokee was sensationally remote-controlled by hackers in 2015. The FDA issued an alert about a connected hospital medicine pump that could be compromised and have its dosage changed.

 

Now US intelligence agencies are looking to smart devices and the internet of things. The many devices like thermostats, cameras and other appliances that are increasingly connected to the internet are providing ample opportunity for intelligence agencies to spy on targets, and possibly the masses, according to director of national intelligence James Clapper. And it’s a danger that many consumers who buy these products may be wholly unaware of.

 

For smart home devices to respond to queries and be as useful as possible, they need to be listening and tracking information about you and your regular habits. These devices can collect and store information on your usage, habits, and preferences — either on the device or on the network. Over time, these smart-home devices come to hold a treasure trove of personal information, from your birth date to credit card details, that cybercriminals can steal via hacking if the devices lack robust protections to thwart attacks. They can then use the stolen data to launch targeted attacks. But the potential for these privacy violations has only recently started reaching millions of homes: Samsung announced a television that would listen to everything said in the room it’s in, and in the fine print literally warned people not to talk about sensitive information in front of it.

 

What makes smart or IoT devices different from your traditional TV remote is that they use internet protocol to link up, and they’re all connected through a hub. That might be your home network router, or your smartphone. This allows hackers, instead of breaching a single individual’s smart device to nab their data, to infiltrate the database of a smart-device company and pilfer the data of all its users.

 

Researchers Noam Rotem and Ran Locar from vpnMentor found that a user database belonging to a Chinese company called Orvibo, which runs an Internet of Things (IoT) management platform, had been left exposed to the Internet without any password to protect it. So far, so appalling. But it gets even worse when you discover that the database includes more than 2 billion logs containing everything from user passwords to account reset codes and even a conversation recorded by a “smart” camera. Just to add salt to the wound, a Kibana web-based app that makes navigating through the data contained in that database easier was also left with no password protection.

 

The list of data included in the breach is extensive according to the vpnMentor report and includes: email addresses, passwords, account reset codes, precise geolocation, IP address, username, UserID, family name, family ID, smart device, device that accessed account, and scheduling information.

 

Massive data breaches can expose the data of hordes of users of certain smart devices. If you’re one of those unfortunate users, a digital thief can apply for credit cards using your name, take out a mortgage under your name, or otherwise impersonate you and turn your life upside down. To avoid becoming a cyber victim, do not share financial information, such as bank details, with smart devices, and avoid connecting email clients, calendars, and other apps that contain sensitive information with your devices.

 

Unidentified security loopholes in any of these devices could grant hackers permission to disable cameras or unlock doors to let in accomplices, burglarize your property, or even lock you out of your own home. A recent article from Forbes outlines several attacks against smart homes. The attacks included remotely controlling lights and TVs, turning on a hot tub water heater, and opening someone’s garage door. In some cases, the smart home hub or control system did not require a password, leaving it wide open to hackers. Other reported hacks include remotely flushing toilets, turning on and streaming video from Internet camera systems, and unlocking doors and windows.

 

Breaches of smart devices that control critical functions of the home, such as cooling and heating, can be even more disastrous. A hacker with access to your thermostat could fiddle with it, forcing your HVAC system into overdrive and causing it to malfunction. Worse yet, a hacker could crank up the oven and cause a house fire—all while you’re away from home. If you opt for these devices, look for ones that let you lock the settings to make it harder for others to change them.

 

If you own a smart speaker, your concern is well founded. Not only do these digital voice assistants listen in on you continuously while on, but hackers can also exploit security loopholes to break into the speaker and issue their own commands or harvest prior recordings. To protect your privacy, periodically delete stored recordings, don’t pair security devices such as cameras or door locks with the speaker, and consider turning off your smart speakers when not in use.

 

Many users control their connected home through a smartphone, which makes it a very valuable database for anyone wanting to hack into your life.  This creates a high risk if your phone is hacked, stolen or if someone manages to eavesdrop on your connection.  Many smart devices allow homeowners to remotely turn on and off lights or open and close garage doors by integrating third-party mobile apps or smart-home platforms.  But apps without secure authorization may allow people other than you to impersonate you and operate your devices if they get their hands on your phone. Plus, some apps group permissions to perform operations on the device rather than requiring separate permissions for each function. This could give a hacker the ability to, say, remotely lock and unlock your front door. When in doubt, use only authorized apps and platforms to control your smart devices. Ensure your home network security isn’t compromised by a single vulnerable IoT device.

 

The sneakiest smart-home hijackings leave no evidence at the crime scene. Because the data transmitted by smart devices like printers and smart TVs is often unencrypted, a virtual villain can view—and alter—data collected by your devices. Through this method, someone hoping to break into your home could, for example, replace the existing video feed from your surveillance camera with edited footage to avoid getting caught. Use advanced network monitoring tools to help alert you to suspicious communications or operations on the network.

 

Facial biometrics are already getting increasing attention from security and surveillance experts. There are substantial reasons why facial recognition is taking center stage in biometric mass surveillance. Facial features can be captured from a distance without the subject’s knowledge and consent. It is easy to implement and can be done using public surveillance cameras, which are now everywhere.

 

All the information smart devices collect about your habits such as your viewing history on Netflix; where you live and what route you take home so Google can tell you how to avoid traffic; and what time you typically arrive home so your smart thermostat can make your family room the temperature you prefer, is stored in the cloud.

 

Of course, this information makes your life more convenient, but there is also the potential for abuse. In theory, virtual assistant devices listen for a “wake word” before they activate, but there are instances when a device might think you said the wake word and begin recording. Any smart device in your home, including gaming consoles and smart TVs, could be the entry point for abuse of your personal information. There are some defensive strategies such as covering up cameras, turning off devices when not needed and muting microphones, but none of them are 100% foolproof.

 

“In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials,” Clapper said as part of his annual “assessment of threats” against the US. Given that surveillance capabilities are built into these devices from the get-go, it’s thus only a matter of time before our smart devices come together to create a surveillance grid that tracks our every move and digital inquiry.

 

The CIA’s Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones. Infected phones can be instructed to send the CIA the user’s geolocation, audio and text communications as well as covertly activate the phone’s camera and microphone. The NSA’s hacking unit, Tailored Access Operations, has developed a whole range of hacking exploits. These enable the NSA to break into consumer electronics devices and IT systems as it sees fit. When the NSA finds a security hole in a popular consumer device, it does not fix the security hole, but instead exploits it. That leaves virtually every device vulnerable to hackers. Police have already been asking Google-owned company Dropcam for footage from cameras inside people’s homes meant to keep an eye on their kids. Fitbit data has been used in court against defendants multiple times.

 

Mitre Corp., a government-linked Skunk Works, has been making bleeding-edge breakthroughs for U.S. agencies for more than six decades. With its HQ housed in four towers atop a hill in McLean, Virginia, Mitre’s research centers employ some of the nation’s leading computer scientists and engineers to build digital tools for America’s top military, security and intelligence organizations. Among the government’s wilder Mitre orders: a prototype tool that can hack into smartwatches, fitness trackers and home thermometers for the purposes of homeland security; software to collect human fingerprints from social media websites like Facebook, Instagram and Twitter for the FBI; support in building what the FBI calls the biggest database of human anatomy and criminal history in the world; and a study to determine whether someone’s body odor can show they’re lying.

 

Mitre’s influence goes far beyond its vast tech development; it’s also a major consultant for myriad government agencies on how best to deploy tech and policy strategies. Its latest gig: helping the Centers for Disease Control and Prevention (the CDC) and Homeland Security’s ominously named Countering Weapons of Mass Destruction office craft sweeping plans for curtailing the Covid-19 pandemic. Forbes found Mitre to be an elite institute that has proved a major boon to the U.S. government, providing tools for surveillance of criminals, diseases and immigrants illegally trying to enter the country. But some of the same projects are setting off alarm bells among human rights organizations and privacy advocates like the ACLU, which are concerned about surveillance overreach from Mitre’s sophisticated technology.

 

NSA shares advice on how to limit location tracking

The United States’ National Security Agency (NSA) has published guidance on how to reduce the variety of risks that stem from having your location tracked when using smartphones, IoT devices, social media and mobile apps. Despite being geared towards military and intelligence personnel, the advice can be useful for anybody who’s looking to limit their location exposure. “Location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations,” according to the intelligence agency.

 

The guidance notes that a powered-on smartphone exposes your location – regardless of whether or not you’re actively using the device. “Mobile devices inherently trust cellular networks and providers, and the cellular provider receives real-time location information for a mobile device every time it connects to the network. This means a provider can track users across a wide area,” said the agency. On a related note, a smartphone can reveal its location even if both the Global Positioning System (GPS) and cellular service are offline or disabled – relying on Wi-Fi and Bluetooth connections to do the job. This could provide ample opportunity for adversaries to track their targets using wireless sniffers, even if their potential victims aren’t using any of the wireless connections actively, said the NSA.

 

The intelligence agency also stressed the need to distinguish between location services, which are services provided by devices to apps, and GPS. “Perhaps the most important thing to remember is that disabling location services on a mobile device does not turn off GPS, and does not significantly reduce the risk of location exposure. Disabling location services only limits access to GPS and location data by apps,” according to the agency.

 

Similar risks are associated with other devices that send and receive wireless signals, including all sorts of Internet of Things (IoT) devices, fitness trackers, medical equipment, and smart home devices. However, staying safe while using these devices is easier said than done, not least because many of these gadgets don’t provide the option to turn their wireless features off. Indeed, the privacy and security of IoT devices in general leave a lot to be desired.

 

The agency also noted that many mobile apps request users’ permissions for location tracking although it isn’t necessary for them to operate. “Apps, even when installed using the approved app store, may collect, aggregate, and transmit information that exposes a user’s location,” said the NSA. ESET Chief Security Evangelist Tony Anscombe recently discussed the issue at length.

 

“While it may not always be possible to completely prevent the exposure of location information, it is possible – through careful configuration and use – to reduce the amount of location data shared,” said the NSA. To this end, the agency recommended a bunch of tips on how to reduce the amount of location data shared and so mitigate the risks of being tracked. They include:

  • disabling location services settings on your device.
  • disabling all the radio transmitters while you’re not using them (Bluetooth and Wi-Fi).
  • using a Virtual Private Network to help conceal your location.
  • giving apps as few permissions as possible.
  • being very cautious about what you share on social media; metadata on pictures, for example, could contain location information.

 

 

References and Resources also include:

https://www.bobvila.com/slideshow/the-10-biggest-security-risks-in-today-s-smart-home-53081

https://www.welivesecurity.com/2020/08/05/nsa-guidance-limit-location-tracking/

https://www.forbes.com/sites/daveywinder/2019/07/02/confirmed-2-billion-records-exposed-in-massive-smart-home-device-breach/#49dfc996411c

 

 

About Rajesh Uppal
