How The Internet Puts Your Connected Home at Risk

Is Your Home Safe From Hackers? Probably Not

Hackers were never so powerful as they were in the 1990s movies. By furiously typing on their keyboards, they could decode any encryption, steal any amount of money from any person or organization, reveal any classified government secret… even travel back in time.

In the early days of the internet, hacking powers were sorely misunderstood. Internet technology made it seem like anything was possible. The general public didn’t understand the limitations of the new technology yet.

Today, the average person is a bit more tech-savvy. We know you can’t really make things explode at will with hacking, bring down the Hoover Dam with a bit of code, or battle other hackers with two people at one keyboard.

But maybe these over-the-top examples have made us a little too skeptical about the possibilities of hacking.

We’ll probably never be able to achieve time travel through hacking, but there are plenty of vulnerable systems in the present. Hackers may be more dangerous than you think.

It’s true, most hackers can be defeated by plain common sense. Using strong, unique passwords and using up-to-date software will thwart many of them.

But it’s not just your computer or smartphone that’s at risk.

Have you ever thought about having to protect your baby monitor from hackers? Hacking a baby monitor is easier than you might think, especially with modern versions that connect to WiFi and come with a smartphone app.

Ever get the feeling you’re being watched, even when you know you’re alone in the room? You very well could be under surveillance if a hacker gains access to your webcam without your knowledge.

Even hacking traffic lights isn’t quite as far-fetched as you might think.

As the Internet of Things expands and more devices are becoming “smart,” it’s more important than ever to make sure they’re secure, or your personal safety could be at risk.

Check out the graphic below for more examples of how hackers can control the world around us, and not just in the movies.

Is Your Home Safe From Hackers? (Researchers Say, “Probably Not”)

As computers get more complex, hackers find ever newer ways to attack us. And it isn’t just computers or even smartphones that are targeted. Hackers can even take control of baby monitors, refrigerators, and cars.

Your Webcam Could Be a Window for the World

  • In 2014, Russian hackers posted hundreds of unsecured video feeds from webcams, baby monitors, and home security cameras online
    • Many devices use a default password
      • Users who don’t change their passwords allow hackers to access their devices
  • IP-streaming cameras
    • These are web-connected cameras that stream their video to an IP address
    • Foscam
      • Cameras running the .54 version of the company’s firmware were accessible without a password or user ID
        • Just clicking the OK button in the dialog box would allow any user access to the camera’s feed
    • TrendNet had to settle with the FTC
      • Hundreds of their cameras were shown to have been accessible to anyone who knew the camera’s public IP address
      • TrendNet also “transmitted user login credentials in clear, readable text over the internet”
      • They were required to create a patch for the issue and notify their customers
        • They could only notify those that had registered their devices
          • Hundreds of the affected cameras are still vulnerable
  • Remote Administration Tools (RATs)
    • RATs allow another user to access the device over the internet
      • Generally used for tech support
    • Case of the spying school
      • In 2010, a Philadelphia school district got caught spying on students
        • The students were issued laptops with built-in cameras for school usage
        • School district policy dictated that administrators were only allowed to turn on the cameras and take pictures if the laptops were stolen
          • Despite this policy, administrators took thousands of pictures of students whose laptops were not reported stolen
      • School was forced to pay $600,000 to settle lawsuits
  • Most computer webcams have indicator lights to show when they are active

Betrayed by a Battery

  • PowerSpy is a tracking technique developed by researchers from Stanford University and Israel’s defense research group Rafael
    • It exploits the fact that Android apps have access to phone power consumption
      • Researchers were able to determine which of several routes a target had taken
      • They could even determine where the target was along the route
      • Currently only really works with pre-designated routes
  • Georgia Tech researchers developed a hacking app that was transmitted through public charging stations
    • Users got infected with the app if two conditions were met:
      • They connected their phone to a compromised charging station
      • They unlocked their phone while it was charging
    • The app would then download itself onto the phone
      • Disguised as Facebook, the app allows the hacker to see everything the user can see
      • This could potentially net a hacker:
        • Passwords
        • Credit card information
        • Other sensitive data

Smartphone Spying

  • A vulnerability in the Samsung Galaxy phone keyboard software allows hackers to send the phones fake updates
    • These false updates let hackers:
      • See through the phone’s camera
      • Listen through the phone’s microphone
      • Read incoming and outgoing texts
      • Install apps
  • Flame virus
    • Primarily attacks PCs
    • But infected computers can search for any Bluetooth-connected smartphones nearby and steal information from them as well
  • Gyroscopes to microphones
    • Modern phone gyroscopes are tiny vibrating plates on a computer chip
      • When the phone’s orientation changes, the gyroscope picks up this information
    • In 2014, researchers announced that they had developed a technique to convert Android phone gyroscopes into simple microphones
      • The gyroscopes are sensitive enough to pick up the vibrations in the air caused by human speech
      • Researchers developed voice-recognition software that allowed them to identify spoken numbers with 65% accuracy
        • This could allow a hacker to learn credit card information
  • NFCProxy
    • This Android app can steal contactless credit card information
      • Contactless credit cards are those that are tapped on a payment device, rather than swiped
      • They store information on RFID chips instead of magnetic strips like regular credit cards
        • RFID stands for radio-frequency identification, and involves the reading and sending of information through radio waves
        • Phone apps like Google Wallet are able to transmit this kind of information, allowing them to function like contactless credit cards
    • Using NFCProxy, hackers are potentially able to steal information from credit cards, as well as company ID badges and mass transit passes
  • PlaceRaider
    • Developed in 2012 by the US Naval Surface Warfare Center, it targets Android phones
    • The malware secretly takes control of the user’s camera and randomly takes pictures
      • PlaceRaider also
        • Notes the time, location, and orientation of the phone
        • Sends all gathered photos to a server
          • Has filtering software so it doesn’t transmit dark pictures of a user’s purse or pocket
    • Using the metadata attached to each picture, the server is able to combine them into a 3D model of where they were taken
      • This process allowed hackers to find sensitive data more effectively than with raw pictures alone

Compromised Cars

  • In 2015, security researchers Charlie Miller and Chris Valasek demonstrated a vulnerability in the Jeep Cherokee
    • They hacked Chrysler’s Uconnect dashboard computer and took control of:
      • Steering
      • Transmission
      • Brakes
    • As a result, Chrysler recalled 1.4 million cars
  • In 2015, BMW caught and fixed a software bug that could have allowed hackers to remotely lock or unlock the doors of 2.2 million BMW vehicles
    • Hackers just needed to create a fake cell network with their smartphones
      • Due to how BMW’s ConnectedDrive service worked, the car would be fooled into thinking that the hacker’s phone was its owner’s phone
  • In 2010, researchers discovered that cars with wireless tire sensors could be tracked
    • Using radio sensors and special software, they were able to:
      • Feed faulty data to the system
        • This would cause false alerts to appear on the car’s dashboard
      • Learn the tire sensors’ ID, allowing researchers to track the vehicle
  • Also in 2010, a disgruntled former employee of a Texas car dealership disabled over 100 cars
    • The dealership outfitted the cars with devices that allowed them to disable the vehicles’ ignition or trigger their horns remotely
      • The immobilization program was designed to let a dealership take action if a customer is delinquent in their auto payments
    • The former employee was able to access the remote system through someone else’s password
      • He pulled up a list of customers, and then started going down the list, triggering each vehicle’s immobilization system

Smart Device Slapdown

  • The term “Internet of Things” (or “IoT”) refers to objects that wouldn’t normally be connected to the internet but are, such as:
    • Toasters
    • Lightbulbs
    • Thermostats
  • HP published a report in 2014 on IoT devices and their vulnerabilities, and found that:
    • 80% of IoT devices allowed users to create weak passwords
    • 70% of IoT devices didn’t encrypt information sent to the internet and local networks, such as smartphone apps
    • 60% of IoT devices don’t have encrypted software updates
      • If software updates are not encrypted, hackers can write their own malicious “updates” and send them to IoT devices
  • Proofpoint, a security-as-a-service company, discovered a cyberattack in 2014, in which over 100,000 common household devices became part of a spamming botnet
    • The attack targeted
      • TVs
      • Multi-media centers
      • Appliances
        • Even a refrigerator
    • Over a period of two weeks, the botnet sent out over 750,000 spam emails
      • More than 25% of the devices in the botnet were not traditional computers or smartphones
  • In 2013, Kashmir Hill, a tech writer and researcher, was able to see and control Insteon home automation networks
    • She was able to see people’s:
      • Appliances
      • Devices
      • IP Addresses
      • Time Zones
      • Closest Major City
    • She would have been able to control:
      • Lights
      • Hot tubs
      • Fans
      • TVs
      • Water Pumps
      • Garage Doors
      • And more
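
The HP finding above, that unprotected software updates let an attacker send a device a malicious "update", comes down to the device installing an image it cannot authenticate. The sketch below is an added example, not code from HP or any vendor named on this page: it shows the device-side checks that refuse a forged, swapped, or replayed update. The names `sign_update`, `verify_update`, and `DEVICE_KEY` are hypothetical, and HMAC stands in for a vendor signature so the example needs only the standard library.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real device would hold only a vendor *public* key and
# check an asymmetric signature; HMAC stands in so the example is stdlib-only.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_update(image: bytes, version: int, key: bytes) -> dict:
    """Vendor side: bind version and image hash together under one tag."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_update(package: dict, image: bytes, installed_version: int,
                  key: bytes = DEVICE_KEY) -> str:
    """Device side: return 'install' or the reason the update is refused."""
    manifest, tag = package.get("manifest"), package.get("tag")
    if not isinstance(manifest, dict) or not isinstance(tag, str):
        return "reject: malformed package"
    body = json.dumps(manifest, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison; the tag is checked before any field is trusted.
    if not hmac.compare_digest(expected, tag):
        return "reject: manifest not authentic"
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["sha256"]):
        return "reject: image does not match manifest"
    if manifest["version"] <= installed_version:
        return "reject: rollback or replay"
    return "install"


def demo() -> dict:
    good_image = b"constructed firmware image v7"
    evil_image = b"constructed attacker image"
    good = sign_update(good_image, 7, DEVICE_KEY)
    forged = sign_update(evil_image, 8, b"attacker-guessed-key")
    return {
        "genuine": verify_update(good, good_image, installed_version=6),
        "swapped_image": verify_update(good, evil_image, installed_version=6),
        "forged": verify_update(forged, evil_image, installed_version=6),
        "replayed_old": verify_update(good, good_image, installed_version=7),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Encrypting the download channel alone does not give the device this guarantee; the authenticity check on the manifest is what makes an attacker-written image fail.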

Governments and hackers have so many ways to spy on us that it can seem overwhelming. Short of leaving the grid, however, there is no simple defense. But the fact that people have discovered these hacks should reduce our anxiety – as long as we don’t think too much about the hacks that still lie hidden…

Sources: makeuseof.com, huffingtonpost.com, mashable.com, cnet.com, theverge.com, krebsonsecurity.com, wired.com, technopedia.com, usatoday.com, independent.co.uk, forbes.com, technologyreview.com, betanews.com, news.samsung.com, arstechnica.com, hp.com, pando.com

KeriLynn Engel

Comments

handy Dima

December 8, 2016

This is crazy! With all these IoT appliances and home devices I often wonder if tradesmen, i.e. electricians and installers, should have more in-depth knowledge about home security risks and precautions. I would really love to become a bit more of a hacking-educated London handyman. Definitely something people would appreciate.