Your gadgets are listening to you. Whether it’s an Amazon Echo, a Samsung Smart TV, a Wink Relay, or just Siri or Google Now on your phone, you are likely surrounded by machines waiting for the correct voice command so they can spring into action.
But if you have a device that isn’t secure, some stranger half a world away could also be listening.
Amazon Echo (Photo: Rob Pegoraro/Yahoo Tech)
This may sound like the plot of some cheesy Hollywood movie. It’s not. According to a report released Tuesday by enterprise security vendor Veracode, many “Internet of Things” devices lack fundamental security protections, which could allow them to be remotely controlled by attackers and — yes — used to eavesdrop on conversations in your living room.
Last December, researchers at Veracode purchased, tested, and reverse-engineered six always-on Internet of Things, or IoT, consumer devices: the SmartThings Hub, the Wink Hub and Wink Relay, Chamberlain’s MyQ Garage controller and Internet Gateway, and the Ubi.
Their conclusions, according to the report: information gathered from the Ubi could allow crooks to know when you’re not home. Security flaws inside the Chamberlain devices could allow thieves to know when your garage door is open or closed and control it remotely. Vulnerabilities inside a Wink Relay or Ubi could allow cybercriminals to “turn the microphones on and listen to any conversations within earshot of the device, supporting blackmail efforts or capturing business intelligence from a user’s employer.”
The only device to emerge relatively unscathed was the SmartThings Hub, which allowed limited access to an internal debugging interface but was otherwise free of the flaws found in the other devices.
Not exactly household names
The report concurs with several others that have appeared over the last year pointing out fundamental flaws in IoT security. But the vulnerabilities it uncovered are unlikely to affect many consumers.
For the most part, the devices Veracode chose to test were fairly obscure. Apart from SmartThings (now owned by Samsung), none of the products are likely to be found in many U.S. homes. Missing from this report were better known IoT devices like the Nest Learning Thermostat, Dropcam cameras, and Belkin’s WeMo.
For some products — connected security cameras, for example — the vulnerabilities are well-documented, says Veracode security architect Brandon Creighton. Other devices, like the Nest thermostat, were a bit too popular for Veracode’s purposes.
“We wanted to look at emerging technologies, the hidden devices people aren’t necessarily thinking about,” he says.
Photo: Wink Relay/Wink.com
Another big caveat is that for most of these attacks to work, the hackers would need direct access to a victim’s home network. Frankly, if they’ve got that, you’ve got bigger things to worry about — like access to your financial records or banking log-ins on your computer.
And many of the risks detailed in the report are theoretical and based on breaches of the manufacturer’s website, where personal information collected by the devices would be stored. Veracode did not attempt to hack any sites or gain access to other users’ personal information in its testing.
And many of those flaws were due to a failure of the devices to deploy end-to-end encryption or to require strong passwords, Creighton adds.
In the case of the Ubi and the Wink Relay, both of which are based on Android, Veracode gained access to a device’s voice recordings via a standard Android debugging tool that is normally removed before a product ships.
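As an added illustration (not from the article or from Veracode’s report), here is a POSIX shell audit of the Android system properties that leave a debug bridge reachable on a shipping build; it assumes the debugging tool in question is adb and reads `getprop`-style output on stdin.

```shell
#!/bin/sh
# Added example: audit a dump of Android system properties for settings that
# leave a debug bridge reachable on a shipping device. Assumes the "standard
# Android debugging tool" is adb and that the properties below carry their
# usual meanings on the target build (both are assumptions, not from the report).

# audit_props reads "[key]: [value]" lines (the format `getprop` prints) from
# stdin and echoes one finding per insecure setting.
# Returns 0 if nothing is flagged, 1 otherwise.
audit_props() {
    findings=0
    while IFS= read -r line; do
        key=${line%%]*}; key=${key#[}      # text between the first [ and ]
        val=${line##*[}; val=${val%]}      # text inside the last [ ]
        case "$key" in
            ro.debuggable)
                [ "$val" = "1" ] && { echo "FAIL $key=$val: debuggable build"; findings=1; } ;;
            ro.secure)
                [ "$val" = "0" ] && { echo "FAIL $key=$val: adbd runs as root"; findings=1; } ;;
            ro.adb.secure)
                [ "$val" = "0" ] && { echo "FAIL $key=$val: adb skips RSA key authorization"; findings=1; } ;;
            service.adb.tcp.port)
                [ -n "$val" ] && { echo "FAIL $key=$val: adb listening on the network"; findings=1; } ;;
            persist.sys.usb.config)
                case "$val" in *adb*) echo "FAIL $key=$val: adb enabled over USB by default"; findings=1 ;; esac ;;
        esac
    done
    return $findings
}

# Demo on a constructed property dump (run with --demo); otherwise pipe in
# real output, e.g.:  adb shell getprop | audit_props
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' '[ro.debuggable]: [1]' '[ro.adb.secure]: [0]' '[service.adb.tcp.port]: [5555]' | audit_props
fi
```

A clean production build prints nothing and the function returns 0, so the audit can gate a release pipeline.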
Photo: Ubi - Voice of the Internet/YouTube
Leor Grebler, CEO of Unified Computer Intelligence Corporation, makers of the Android-based Ubi, says his company is no longer marketing Ubi as a mass consumer electronics product and is instead positioning it as a tool to help developers prototype voice interaction products.
“We made the choice several months ago to leave open some components of the Ubi to allow for developers to hack/build on it,” Grebler says. “There are instructions on our forum on how to access the device for controlling settings. A scenario where someone would hack into a network to record without someone’s knowledge is fairly low, and several layers of security would need to be compromised before this could happen. This is part of the risk of using an Android device for our development.”
Wink head of security Brian Knopf acknowledges that all IoT makers need to do a better job addressing security and privacy concerns, and calls for an industrywide ratings system for IoT devices. He says his company has recently launched a bug bounty program for all Wink products via the website Bugcrowd.
“The report underscores an important point as the IoT movement becomes more ubiquitous — that the industry needs to step up to the challenge and address security and privacy concerns head on,” he says.
Update: After this story was originally published, Chamberlain responded to our requests for comment, saying it had patched the vulnerabilities noted in the Veracode report and disagrees with some of its findings. A company spokesperson emailed us the following statement:
“Chamberlain takes the safety and security of the smart home very seriously. Our continuous security updates and processes include using industry standard encryption, applying the latest security techniques, and periodic security testing with respected outside services. This study is a good reminder to homeowners to keep their networks secure by using strong passwords and security settings.”
Send hacked audio files to Dan Tynan: ModFamily1@yahoo.com.