The Internet Of (Creepy Spy-ey) Things

I’m just stating the obvious. But I think it’s worth re-stating because most of you are not cyber security researchers by day and may not remember the many reported examples of security and privacy violations over the years.

Amazon Alexa, Google Home, Apple Siri

Let me paint you a picture, starting with the smart devices we willingly invited into our homes in recent years — Amazon Alexa, Google Home, and Apple HomePod with Siri. Indeed it is convenient to be able to ask “Alexa, what’s the weather today?” in the mornings, or “OK, Google, how many feet in a mile?” But are these cool, little conveniences worth the privacy tradeoffs? Oh, you didn’t know these smart assistants were constantly sending data to the cloud, in addition to listening to you all the time? Of course, these devices have to send some data to the cloud in order to return responses, but that should happen only after you activate it with your hot word. And all of that assumes the devices are working properly, and not hacked.

Further reading:

Assuming you’re comfortable with Amazon, Google, and Apple listening to you in your home all the time, let’s take a look at other devices you may have brought into your home — connected security cameras, speakers, light bulbs, refrigerators, televisions, photo frames, microwave ovens, bathroom scales, toothbrushes (yeah, there are connected toothbrushes), etc. — collectively known as the Internet of Things (IoT). Are they all honoring your privacy? Or are they collecting and sending data about you to the cloud, or worse, to servers in foreign countries? How would you know?

Security Cameras, Smart Speakers, Connected Light Bulbs

Well, now we know some examples of privacy faux pas, since they’ve been documented. Within the last week, we saw Xiaomi home security cameras “accidentally” sending video feeds to strangers’ Nest Hubs. They called it a “bug” — oopsies! Perhaps Vizio and Samsung smart TVs listening to your conversations were not an oopsies; it was a feature! Further, we’ve seen repeated, documented examples of Ring camera hacks, where hackers gained access to video feeds inside and outside the home and in one-case, the hacker told an 8-yr old girl he was Santa Claus. Smart lightbulbs have been shown to leak Wi-Fi passwords and smart plugs have been documented being used as a jumping off point for hackers to get into your home or office networks. These security issues are not new at all. Everyone has heard of the examples of hacking home networks via connected printers, which have been around a lot longer than IoT devices.

Further reading:

Are you still comfortable that a wide variety of IoT devices have been documented to have security “flaws?” What if I showed you some more examples of low-cost Android devices coming with pre-installed malware, bloatware, adware, or worse.

  • 2019 – Xiaomi –
  • 2018 – ZTE, Honor, OPPO, Huawei

EXPRESS.CO.UKAndroid WARNING – Own one of THESE phones? Your device could be loaded with malwareENGADGETReport finds Android malware pre-installed on hundreds of phones

  • 2017 – BLU

THE VERGEAmazon suspends sales of Blu phones for including preloaded spyware, again

  • 2016 – ZTE, Huawei

CYBERSCOOPChinese-authored spyware found on more than 700 million Android phones – CyberScoop

  • 2015 – Xiaomi, Huawei, Lenovo, Alps, ConCorde, DJC, Sesonn and Xido

PCWORLDYour brand new phone could still have malware

Note that when the malware or adware is pre-installed by the manufacturer on the phone, it cannot be uninstalled; it may not be detected by anti-malware software, and it basically has administrative access to everything on your device. Do you still think these are “flaws” or “bugs” and do you believe the manufacturers of these devices when they claim “oopsies, we didn’t know?” Further, what do your devices “know” about you — including passwords, credit card numbers, social security numbers, etc.

Mobile Apps You Voluntarily Download

Now, let’s consider some mobile apps that you voluntarily downloaded and installed on your own smartphone. And gave it permissions like record video and audio, send and receive SMS, connect to WiFi or change network state, etc. Of course, for your Instagram photos and videos, you need to give it permission to record video and audio; but is there any reason that superbright flashlight app needs to turn on and off microphone, send and receive SMS, read and write to device storage, prevent the device from sleeping, and connect and disconnect to networks? Probably not.

Further reading:

What about something as simple as tracking your location? You may not care if some company or many companies are tracking your location and selling that data. But what if your precise location was being constantly “leaked” such that a stalker could know when you are home, or at the library, or walking home alone?

And have you considered the broader implications of fitness tracking apps “accidentally” revealing the locations of secret military bases? The U.S. government seems to think this is important. In early 2019, the U.S. forced a chinese company to sell the gay dating app Grindr, citing “Chinese ownership of gay dating app Grindr is a national security risk.” In early 2020, both the U.S. Navy and the U.S. Army banned the popular app TikTok from all military devices over spying and privacy concerns.

Further reading:

Why Should You Care?

Let’s bring this full circle, and address why you should care. You may be OK with Amazon, Google, and Apple listening in on all your dinner table conversations at home; because you can ask about the weather, with your voice. You may still be OK with your microwave and light bulbs being constantly connected to the Internet; because you can remotely check if you left them on.

But are you still OK with connected security cameras that hackers can use to peer into your bedroom or your child’s bedroom? Of course, those were “oopsies” by the device manufacturers. Are you still OK with low-cost Android phones that have adware and malware pre-installed to continuously collect and send data back to the cloud? Or mobile apps that do the same? Perhaps you are still OK with everything so far — I’ve literally heard this from many young people (who are constantly on Instagram, Snapchat, and now TikTok) — they are cool with being tracked because they have “nothing to hide.”

Perhaps I am just scaring myself, because I’ve seen too much as a security researcher. Perhaps I shouldn’t be concerned that connected devices can be leveraged to gain access to networks that would have otherwise been secure. Perhaps I should not be afraid of the possibility of real-world loss of life when connected street lights are remotely controlled to all turn green at the same time or connected cars are remotely controlled to brake or accelerate.

Perhaps I should be OK with all of that. Are you OK with that?

Further reading:


Original post:


Leave a Reply

Your email address will not be published. Required fields are marked *