I’m just stating the obvious. But I think it’s worth re-stating because most of you are not cyber security researchers by day and may not remember the many reported examples of security and privacy violations over the years.
Amazon Alexa, Google Home, Apple Siri
Let me paint you a picture, starting with the smart devices we willingly invited into our homes in recent years — Amazon Alexa, Google Home, and Apple HomePod with Siri. Indeed it is convenient to be able to ask “Alexa, what’s the weather today?” in the mornings, or “OK, Google, how many feet in a mile?” But are these cool, little conveniences worth the privacy tradeoffs? Oh, you didn’t know these smart assistants were constantly sending data to the cloud, in addition to listening to you all the time? Of course, these devices have to send some data to the cloud in order to return responses, but that should happen only after you activate it with your hot word. And all of that assumes the devices are working properly, and not hacked.
- Google Home Mini caught recording everything and sending all the data to Google
- Google Defends Listening to Private Conversations on Google Home
Assuming you’re comfortable with Amazon, Google, and Apple listening to you in your home all the time, let’s take a look at other devices you may have brought into your home — connected security cameras, speakers, light bulbs, refrigerators, televisions, photo frames, microwave ovens, bathroom scales, toothbrushes (yeah, there are connected toothbrushes), etc. — collectively known as the Internet of Things (IoT). Are they all honoring your privacy? Or are they collecting and sending data about you to the cloud, or worse, to servers in foreign countries? How would you know?
Security Cameras, Smart Speakers, Connected Light Bulbs
Well, now we know some examples of privacy faux pas, since they’ve been documented. Within the last week, we saw Xiaomi home security cameras “accidentally” sending video feeds to strangers’ Nest Hubs. They called it a “bug” — oopsies! Perhaps Vizio and Samsung smart TVs listening to your conversations were not an oopsies; it was a feature! Further, we’ve seen repeated, documented examples of Ring camera hacks, where hackers gained access to video feeds inside and outside the home and in one-case, the hacker told an 8-yr old girl he was Santa Claus. Smart lightbulbs have been shown to leak Wi-Fi passwords and smart plugs have been documented being used as a jumping off point for hackers to get into your home or office networks. These security issues are not new at all. Everyone has heard of the examples of hacking home networks via connected printers, which have been around a lot longer than IoT devices.
- Many examples of Amazon Ring Camera hacks
- Security Vulnerability in Smart Electric Outlets (Belkin Wemo)
Are you still comfortable that a wide variety of IoT devices have been documented to have security “flaws?” What if I showed you some more examples of low-cost Android devices coming with pre-installed malware, bloatware, adware, or worse.
- 2019 – Xiaomi – https://www.andmp.com/2019/04/xiaomi-url-spoofing-w-ssl-vulnerability.html
- 2018 – ZTE, Honor, OPPO, Huawei
- 2017 – BLU
- 2016 – ZTE, Huawei
- 2015 – Xiaomi, Huawei, Lenovo, Alps, ConCorde, DJC, Sesonn and Xido
Note that when the malware or adware is pre-installed by the manufacturer on the phone, it cannot be uninstalled; it may not be detected by anti-malware software, and it basically has administrative access to everything on your device. Do you still think these are “flaws” or “bugs” and do you believe the manufacturers of these devices when they claim “oopsies, we didn’t know?” Further, what do your devices “know” about you — including passwords, credit card numbers, social security numbers, etc.
Mobile Apps You Voluntarily Download
Now, let’s consider some mobile apps that you voluntarily downloaded and installed on your own smartphone. And gave it permissions like record video and audio, send and receive SMS, connect to WiFi or change network state, etc. Of course, for your Instagram photos and videos, you need to give it permission to record video and audio; but is there any reason that superbright flashlight app needs to turn on and off microphone, send and receive SMS, read and write to device storage, prevent the device from sleeping, and connect and disconnect to networks? Probably not.
- Popular Apps In Google’s Play Store Are Abusing Permissions And Committing Ad Fraud
- Google Removed Dozens Of Android Apps From A Major Chinese Developer Due To “Deceptive Or Disruptive Ads”
- A Huge Chinese Video App Is Charging People, Draining Their Batteries, And Exposing Data Without Their Knowledge
- These Hugely Popular Android Apps Have Been Committing Ad Fraud Behind Users’ Backs
What about something as simple as tracking your location? You may not care if some company or many companies are tracking your location and selling that data. But what if your precise location was being constantly “leaked” such that a stalker could know when you are home, or at the library, or walking home alone?
And have you considered the broader implications of fitness tracking apps “accidentally” revealing the locations of secret military bases? The U.S. government seems to think this is important. In early 2019, the U.S. forced a chinese company to sell the gay dating app Grindr, citing “Chinese ownership of gay dating app Grindr is a national security risk.” In early 2020, both the U.S. Navy and the U.S. Army banned the popular app TikTok from all military devices over spying and privacy concerns.
- U.S. government says Chinese ownership of Grindr is a national security risk
- U.S. Military bans chinese-owned TikTok over spying concerns
Why Should You Care?
Let’s bring this full circle, and address why you should care. You may be OK with Amazon, Google, and Apple listening in on all your dinner table conversations at home; because you can ask about the weather, with your voice. You may still be OK with your microwave and light bulbs being constantly connected to the Internet; because you can remotely check if you left them on.
But are you still OK with connected security cameras that hackers can use to peer into your bedroom or your child’s bedroom? Of course, those were “oopsies” by the device manufacturers. Are you still OK with low-cost Android phones that have adware and malware pre-installed to continuously collect and send data back to the cloud? Or mobile apps that do the same? Perhaps you are still OK with everything so far — I’ve literally heard this from many young people (who are constantly on Instagram, Snapchat, and now TikTok) — they are cool with being tracked because they have “nothing to hide.”
Perhaps I am just scaring myself, because I’ve seen too much as a security researcher. Perhaps I shouldn’t be concerned that connected devices can be leveraged to gain access to networks that would have otherwise been secure. Perhaps I should not be afraid of the possibility of real-world loss of life when connected street lights are remotely controlled to all turn green at the same time or connected cars are remotely controlled to brake or accelerate.
Perhaps I should be OK with all of that. Are you OK with that?
- Hackers Remotely Kill a Jeep on the Highway—With Me in It
- Researchers are sounding the alarm on a little-known risk of connected cars
- Security researchers hack a car and apply the brakes via text