September saw one of the largest internet assaults of all time, when krebsonsecurity.com was the victim of a massive distributed denial-of-service (DDoS) attack, a 620 gigabit per second attack that was designed to bring the website down. The incident is a reminder that the millions of IoT devices in existence are vulnerable to hackers.
“You should make the assumption that anything that’s internet accessible is hackable. If it has a camera or a mic built in, it can be taken over,” said Kenneth White, a security researcher and director of the Open Crypto Audit Project, a nonprofit that promotes cybersecurity.
Amazon, Google, and Apple, for example, have all created apps and devices designed to provide users with a “smart home.” These products allow users to lock their doors, play a song on demand, remotely control thermostats, and more. But as convenient as smart homes are, they are not always secure.
Marcus, a 31-year-old from Missouri, outfitted his home with smart devices. This included an August Smart Lock, which allowed him to control his home locks through Apple’s HomeKit. With an iPad Pro placed in his living room, the system was able to sense Marcus’ iPhone through Bluetooth and unlock his front door upon his arrival home. All was great and convenient at first. But then Marcus’ neighbor discovered that if he stood near the house and shouted, “Siri, unlock the front door,” the iPad Pro would hear the command and unlock the door for anyone who said the phrase. Marcus could have used a passcode on his iPad to make it more secure, but that would have defeated the whole purpose of being able to automatically unlock his front door.
Both Amazon’s Alexa and Google’s soon-to-be-released Home have similar voice-command capabilities, but they have also prompted security concerns.
"The concern is that someone either accidentally issues an unlock command or someone outside the house gets heard by Alexa, which then opens the lock," said Rob Enderle, principal analyst at the Enderle Group.
Locks aren’t the only safety concern. Voice-command devices are “always listening,” a fact that could be easily exploited.
"There are plenty of privacy issues with this type of always listening technology," said Dan Olds, an analyst with OrionX, a technology analyst firm. "It's obvious that any device that is always listening could also be always storing and always analyzing anything that is within earshot of the receiver."
This could mean intruders breaking into your home by tricking smart locks. It could mean devices eavesdropping on your conversation about buying a new refrigerator, followed by refrigerator ads in your web browser the next day. It could mean a hacker using your IoT devices in botnet armies. It could even mean stored conversations and sound clips being used in criminal and divorce cases, though there have been no legal cases as such yet.
So how do you protect yourself from these vulnerabilities while still enjoying the convenience of a smart home? Check back for our next blog post to find out!
(Photo courtesy of Google Images)