1989, 1990, and 1993 gave us movies whose claim to fame was listening in on the thoughts of characters who were babies. Of course the parents were unaware of this dialogue and that gave the movies their charm, I guess. The conversations were on a level of the one below:
Mollie: Dr. Spock does not just want to sell a book! Dr. Spock loves us. During the Vietnam War, Dr. Spock was out protesting in the streets!
James: God, I'm sorry I said anything about Dr. Spock, okay.
James: I can't believe she's getting that upset about a Vulcan. Big ears, no emotions, right?
Believe it or not, there were awards involved for these pictures. However, I digress. There are conversations going on all the time of which we are not aware. We don’t hear all the cell phones (unless you are a three-letter government agency) or ham radios or wifi transactions. That is to be expected. However, there are more and more conversations that you should be aware of, even if you can’t hear them. The IoT (Internet of Things) phenomenon proceeds unchecked and very much unregulated, to the detriment of the end user.
Everyone loves convenience, and most of us are not willing to spend the time and lose convenience to gain security. Recently the folks over at the Center for Information Technology Policy at Princeton announced that they were “launching an ongoing initiative to study consumer IoT security and privacy, in an effort to understand the current state of smart home security and privacy in ways that ultimately help inform both technology and policy.”
They are even working on an open source tool that will monitor your environment for IoT activity. Why would you need this? Here is an excerpt from their web page on this tool:
We have found that many IoT devices communicate with third-party services, of which consumers are typically unaware. We have found many instances of third-party communications in our analyses of IoT device network traffic. Some examples include:
- Samsung Smart TV. During the first minute after power-on, the TV talks to Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook—even though we did not sign in or create accounts with any of them.
- Amcrest WiFi Security Camera. The camera actively communicates with cellphonepush.quickddns.com using HTTPS. QuickDDNS is a Dynamic DNS service provider operated by Dahua. Dahua is also a security camera manufacturer, although Amcrest’s website makes no references to Dahua. Amcrest customer service informed us that Dahua was the original equipment manufacturer.
- Halo Smoke Detector. The smart smoke detector communicates with broker.xively.com. Xively offers an MQTT service, which allows manufacturers to communicate with their devices.
- Geeni Light Bulb. The Geeni smart bulb communicates with gw.tuyaus.com, which is operated by TuYa, a China-based company that also offers an MQTT service.
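As an added example (not the Princeton tool and not code from the original post), the following Python script shows the kind of check such a monitor performs: it reads dnsmasq-style DNS query logs and reports, per inventoried IoT device, any queried domain outside the vendor domains the owner expects. The log lines, device IPs and the *.example vendor domains are constructed placeholders; the third-party domains are the ones named in the excerpt above.

```python
import re
from collections import defaultdict

# Constructed dnsmasq-style query log lines; not real captures.
SAMPLE_LOG = """\
Mar  1 12:00:01 dnsmasq[811]: query[A] cloud.tv-vendor.example from 192.168.1.20
Mar  1 12:00:02 dnsmasq[811]: query[A] ad.doubleclick.net from 192.168.1.20
Mar  1 12:00:02 dnsmasq[811]: query[A] graph.facebook.com from 192.168.1.20
Mar  1 12:00:05 dnsmasq[811]: query[A] cellphonepush.quickddns.com from 192.168.1.31
Mar  1 12:00:07 dnsmasq[811]: query[A] broker.xively.com from 192.168.1.42
Mar  1 12:00:09 dnsmasq[811]: query[A] gw.tuyaus.com from 192.168.1.53
Mar  1 12:00:10 dnsmasq[811]: query[AAAA] pool.ntp.org from 192.168.1.53
"""

# Hypothetical inventory: device IP -> (label, expected vendor suffixes; *.example are placeholders).
INVENTORY = {
    "192.168.1.20": ("smart-tv", {"tv-vendor.example"}),
    "192.168.1.31": ("wifi-camera", {"camera-vendor.example"}),
    "192.168.1.42": ("smoke-detector", {"smoke-vendor.example"}),
    "192.168.1.53": ("smart-bulb", {"bulb-vendor.example"}),
}
# Shared infrastructure every device may legitimately use (assumed here: NTP only).
GLOBAL_ALLOW = {"pool.ntp.org"}

QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<src>\S+)")


def registered_domain(name):
    """Crude two-label approximation (no public-suffix list): a.b.c.com -> c.com."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def is_expected(name, allowed):
    # Suffix match on the full label boundary, so "evilpool.ntp.org" is not allowed by "pool.ntp.org".
    n = name.rstrip(".").lower()
    return any(n == s or n.endswith("." + s) for s in allowed | GLOBAL_ALLOW)


def find_unexpected(log_text, inventory):
    """Map each inventoried device label to the sorted third-party domains it queried."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (replies, config lines, etc.)
        device = inventory.get(m["src"])
        if device is None:
            continue  # host not in the IoT inventory; out of scope for this check
        label, allowed = device
        if not is_expected(m["name"], allowed):
            findings[label].add(registered_domain(m["name"]))
    return {label: sorted(domains) for label, domains in findings.items()}
```

Feed it a real dnsmasq log (or a DNS query export from your router) and a populated inventory; the two-label domain collapse is a known simplification and would need a public-suffix list for names like example.co.uk.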
That’s a lot of conversation that the owner never authorized. That is pretty bad when you consider that the average person will have no idea this is going on. What if you have some IoT devices on your company network? These devices are very chatty and, left to their own devices, they will give up all kinds of information and allow access to your network without you knowing about it. Security cameras, security DVRs, video doorbells and the like are all built to be inexpensive, and security is one of the first areas picked for cost savings.
With cryptomining attacks overtaking ransomware as the most common criminal infection, these devices are low-hanging fruit. Their weak security makes them a prime target for building networks of hijacked devices that mine cryptocurrency and still do the odd ransomware or spam job on the side. They can also get recruited into botnets for DDoS (Distributed Denial of Service) attacks. Or they can just plain slow your network down to the point of lost productivity.
In any case, home or business, do we know who is talking? Are you listening?