Saturday, 5 September 2015

How Vulnerable Is Your Home To Hackers?

How Vulnerable Is Your Home To Hackers?

More and more everyday devices can connect to the internet. While there are advantages to that, there might be some serious safety issues involved, too. Sarah Dobbs takes a look…

The idea of ‘the Internet of Things’ is a pretty exciting one. Forget the jibes about internet fridges that never quite took off – now we’re looking at a world where you can control your central heating and even the colour of the lighting in your living room from your smartphone via internet-connected devices, should you so choose. Almost anything and everything comes with an internet connection nowadays, and the days of only being able to go online from a landline-connected PC in one corner seem like a million years ago.


We’re not living in a perfect tech utopia yet, though. While there are plenty of benefits to linking up your various devices to the internet, there are also some pretty serious problems, too. Any device that’s hooked up to the internet is at risk from malware and cyber criminals and, while we all know how we should protect our computers from those threats, it’s not always obvious that your new shiny device needs to be protected. How do you install anti-virus protection on your boiler, anyway?

As the Internet of Things has become less of a snappy buzz-phrase and more of an everyday reality, we’ve started to see exactly how vulnerable it might be. So how worried should we be? Perhaps more importantly, how worried should manufacturers of wi-fi enabled gadgets be?

Trouble Ahead


One of the first examples of how some internet ‘things’ are easily exploitable was a silly prank. Someone noticed that they could see their neighbour’s wireless printer on their network, and sent a message to it. Half a dozen other people followed suit, some turning to Reddit or Tumblr to ask what they should send; sensibly, things that sounded like bomb threats were discouraged in favour of more absurdist documents, like an essay consisting only of the word “chicken”, repeated hundreds of times. No harm, no foul (or fowl), and the neighbour presumably got a quick lesson on why network security is important.

That prank serves to highlight such vulnerabilities, and there would be more to come. This year’s DefCon hacking conference held a competition that invited attendees to demonstrate exactly how secure internet-connected objects were in a designated “IoT Village”, and the results were scary. Hackers managed to remotely mess with smart scales, smart thermostats, baby monitors, and yes, smart fridges.

The most frightening hack of all, though, came when a pair of security researchers demonstrated that it’s possible to remotely access the on-board entertainment systems of certain Jeep models and take over the car’s functions, Including acceleration and braking. Journalist Andy Greenberg was behind the wheel when the hackers Charlie Miller and Chris Valasek took control, first changing the radio station he was listening to and switching on the air conditioning, then turning on his windscreen wipers, and finally immobilising the car altogether.

Chilling, no? The hackers were able to get into the car’s systems through its Uconnect feature, which is set up to enable internet access and navigation in over a million Chrysler (Jeep’s parent company) cars and trucks. Chrysler responded to the hack by issuing a safety recall on affected models, and installing software updates to patch the vulnerability that made the hack possible, but it’s still a frightening idea. After all, shouldn’t safety be a bigger concern than whether passengers can check Twitter on the go?

Serious Insecurity


Unfortunately, Chrysler isn’t the only company facing a headache over security issues. Last year, researchers working at Hewlett-Packard carried out a study into the Internet of Things. Through thorough analysis of a series of different devices – including televisions, sprinkler controllers, home alarm systems, and device hubs, all of which could be controlled using mobile apps – they found that 70% of the devices used unencrypted network connections, and 60% had insecure web interfaces.

Since almost all of them also collected and stored personal information about their owners, the idea that a hacker might be able to remotely turn your sprinklers off suddenly becomes even more menacing. When the devices in question could potentially be part of a home security system, it all starts to seem like a really, really big problem.

That’s not the only study to come to some worrying conclusions, either. Veracode, a security company specialising in cloud-based apps, also carried out some research into internet-connected devices, and found some serious security holes. Examining six different popular devices, Veracode found that five of them didn’t require strong passwords from users, making them vulnerable at the most basic level to would-be hackers. Five of them were also vulnerable to man-in-the-middle style attacks, where hackers could intercept data transmitted between the device itself and its online service – and three of them didn’t secure the most sensitive data they collected.

It’s all pretty shocking, really. We’ve come to expect that the online services we use will safeguard our data, and when there’s a breach it can have serious consequences – think back to 2012’s scandal over Dropbox’s insecurities, or eBay’s data breach last year that saw the service face a massive class action suit. The Internet of Things is in its infancy, but experts reckon that by 2020, there’ll be 25 billion internet-connected devices in use around the world. Should it turn out that 90% of them aren’t secured properly, we have a serious problem.

Specifically Speaking


Using a catch-all term like “the Internet of Things isn’t very secure” doesn’t really convey what the issues might be. There are some very specific risks associated with internet-connected devices that might never cross your mind, so it’s time to get paranoid.

Some smart televisions, for example, have already come under fire for their ability to listen in on your home life. Anything voice-activated obviously needs to come with microphones installed, and most voice-controlled gadgets transmit their recordings to a server to be processed and recognised. We’ve talked about that in this magazine before, amid fears that companies were using those recordings to invade our privacy. Though that might not be a major concern, there’s something else that might be – if recordings from smart TVs, or games consoles, or other voice-controlled devices like the Ubi can be accessed by criminals, they can be used not only to eavesdrop on victims’ opinions on Breaking Bad, but also to figure out lifestyle patterns. That could, conceivably, help burglars find the most opportune time to break in.

Gate and garage opening systems might carry similar risks. For starters, most of them use very simple access codes, which can be cracked by hackers within seconds. Last year, hacking consultant Samy Kamkar demonstrated how he’d used a modified child’s wireless gizmo to open the door to the garage in his apartment building, and those of several of his friends. The wireless openers gave an illusion of security that turned out to be about as secure as leaving the key in the door. What’s more, on top of being able to walk straight in through the garage, hackers have been able to intercept data sent back and forth between remote-access garage and gate doors and the apps that use them. That means, yet again, they can figure out when no-one’s home.

As well as exploiting the devices’ own functions, there’s another obvious evil thing malicious types can do with internet enabled white goods: recruit them into botnets. Just as your PC can be used without your knowledge to send out spam emails, so too can your internet fridge. One example of that happening is already on record – back in December 2013, hackers managed to create a botnet that included at least one internet-enabled fridge and used it to send out phishing emails. If it’s happened once, you can bet it’ll happen again.

Send In The Drones


Ready to feel seriously scared? A team of security engineers at Praetorian recently devised a way of mapping out all the smart devices in their city – by flying a drone over it. The drone carried a tracking device set up to sniff out ZigBee signals; not all internet-connected devices use ZigBee protocols, but a lot of Internet of Things-style devices do, and during one 18-minute flight over the city of Austin, Texas, the drone had found almost 1,600 such devices. The team at Praetorian also devised a kind of fingerprinting method that let them work out what each device was, or at least who its manufacturer was, and stuck all that info on an online map.

Hairs on your neck standing up yet? What if we tell you that ZigBee has been found to have some vulnerabilities, and those could potentially be exploited to let hackers take control of all the devices on a ZigBee network – from thermostats to alarm systems to door locks?

We’ve got a final bit of bad news before we leave you to ponder the pros and cons of all this, too. While there are some things users can do to secure their devices against external threats, like setting strong passwords, most of the currently known vulnerabilities are totally beyond the control of the end user. The only way to get they will get fixed is via updates by manufacturers. However, as the studies keep showing, nowhere near enough is being done to test and secure devices before they’re put on the market.

What does that mean for the Internet of Things? Well, sadly it looks like we all need to be careful before jumping in feet first. Though some web-enabled devices seem like the answer to all our problems, they might end up causing more issues than they solve. For now, our best advice is to do your research before handing over your cash to join this brave new world – we need to demand more thorough testing and responsibility taking from manufacturers before we commit to their latest technology, and that could mean voting with our wallets.


Careful Where You Point That Thing


As if a world where cars and front doors can be remotely controlled by hackers wasn’t a scary enough prospect, we might also have to worry about hackable guns. Yup, computer-assisted rifles exist, and they’ve been hacked.

Security researchers Runa Sandvik and Michael Auger demonstrated their terrifying work at the DefCon and Black Hat conferences. The TP750 sniper rifle has a wi-fi access point and a computer-guided system that, alongside the kind of ammunition loaded into it, is designed to make it incredibly accurate by taking into account wind and weather conditions. However, as Sandvik and Auger showed, it also makes it vulnerable to outside influence.

Here’s the bit that makes it less terrifying: in order to access the gun’s computer systems, they had to be within 100 feet of it, and while they were able to change the gun’s target and even prevent it from firing, they couldn’t make it fire itself. So hackers would need to be close by, and wouldn’t be able to cause the gun to shoot someone without the owner pulling the trigger. Still not sure we’ll sleep soundly tonight, though.

Who’s Watching You?


The whole point of wi-fi enabled security or ‘nanny’ cams is to make family members feel safer. Installing one means parents can check in on their kids wherever they are, whether they’re in the office or in another country. But – well, you can probably guess what the problem is. Some of these cameras have been found to be vulnerable to hackers, meaning that someone other than a doting parent can take a peek at what’s going on in the owners’ home.

The vulnerability was discovered when a family in Rochester, Minnesota, heard creepy music playing through their nanny cam. The music stopped when someone went into the room, and when they investigated they found a website containing images from thousands of similar cameras all over the world.

If you’ve got a streaming camera set up in your home, you don’t necessarily have to put tape over the lens just yet, but it’s worth taking some precautions. Make sure the camera’s firmware is up to date and that you’re using the most recent version of the software with it, since manufacturers will usually patch any vulnerabilities when they become aware of them. Also make sure you’ve got the biggest weakness covered – for heaven’s sake don’t use the default password! Make sure you change it to something longer and stronger as soon as you set up your device.