The concept of the Internet of Things – and its main advantage – is at the same time the biggest potential security risk for all those who have accepted it and have joined the circus, so to speak. Yes, people like having all the information all the time on all of their devices – neatly segmented and contextualized to fit their needs and situation. And yes, most of them haven’t given a second thought to providing access to their personal data to all kinds of services and systems in order to have everything they could ever want at the tips of their fingers – from comprehensive weather reports and traffic warnings to their own houses recognizing them as owners and turning the lights on upon entering. It is an interesting world we live in, with technology constantly at our beck and call, but are we also slowly starting to realize just how much we are allowing it to rule our lives? One could argue that every time the tech misbehaves or someone else takes advantage of it – and by proxy, us – it has failed us on some level. In that sense, let’s see the 4 times it did just that in 2018.
1) SirenJack vulnerability
Many emergency broadcast systems in place today were designed in the 1980s, without the expectation that malicious actors would attempt to commandeer the systems. Even though the alert of a ballistic missile threat broadcast in Hawaii on January 13th was the result of human error, the 38 minutes between that broadcasted alert and retraction caused panic and anxiety among residents, especially since North Korea had been testing missiles in late 2017.
How that came to be? Bastille Security found a vulnerability in emergency broadcast systems produced by Acoustic Technology Inc. (ATI), which allowed for command packets broadcast over the air to be captured, modified and replayed. ATI deployed a patch to address the issue, though it is unclear if all of the affected systems were patched before the 90-day disclosure window or if all vulnerable systems were patched. Oddly, ATI’s public statement on the vulnerability claimed Bastille’s research is “largely theoretical” and “is against the law,” though ATI’s statement highlights public safety communications systems as being exempt from the statute they cited.
2) Malware in routers
VPNFilter, which apparently possesses capabilities that we have come to expect in a workhorse intelligence-collection platform – file collection, command execution, data exfiltration and device management, was found in routers manufactured by ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti, UPVEL, and ZTE, as well as NAS devices by QNAP.
What is more, Cisco Talos reported finding 500,000 compromised devices across 54 countries, with evidence of the first infection dating back to 2016. The Ukrainian Security Service called out Russia as the originator of the attack. Initial reports indicated that rebooting the router was enough to clear the infection, but further updates found that to not be sufficient, recommending that users reflash the firmware as well. The malware is known to have code to target control systems using SCADA, but the aims of the attackers remain unknown.
3) LocationSmart data leak
An unsecured product demo from geolocation data firm LocationSmart allowed any user to look up the location of any mobile phone without needing to supply a password or any other credentials for any phone on the 4 major US carriers, as well as US Cellular, and the Canadian carriers Bell, Rogers and Telus. This vulnerability was found after Securus, a company that provides smartphone tracking tools for US law enforcement, was hacked. The backend data provider of that company was LocationSmart, according to a ZDNet report.
To make matters worse, mobile network operators were selling this personally identifiable data to LocationSmart. Verizon was the first to pledge to stop data sharing, with AT&T, Sprint and T-Mobile following shortly thereafter.
4) Amazon Echo conversation incident
A Portland couple claimed that their Amazon Echo smart speaker recorded a conversation and transmitted it to someone in their contact list (one of their employees) in Seattle. The original report is suspect, though Amazon confirmed to CNET that the incident occurred as described.
The model of the Echo Dot photographed in the original port is capable of outputting sound to an external speaker through a 3.5mm audio cable. If a speaker was attached to the Echo Dot, but turned off, the microphone in the Echo Dot unit would still be active, though it would have been impossible for the owners to hear an audio prompt through the speaker. The original report fails to mention this possibility, likewise, the report fails to correctly identify the device as an Amazon Echo.
Despite this, Amazon does have an Alexa problem and has made changes to how Alexa operates in March after a spate of reports indicating that Alexa-powered devices were randomly laughing, seemingly unprompted.
And there you have it – just some of the things that happened over the last year, that some of us haven’t given too much thought until now. These are also the things that we must work on preventing from happening in the future. To that effect, you can take a look at our infographic to see how to secure your IoT network in 6 steps.