Posts in IoT Privacy

While speaking at South by Southwest, President Obama used a striking metaphor to make the government's case for demanding Apple break into an iPhone used by one of the San Bernardino killers. "Because if in fact you can’t crack that at all, and government can’t get in, then everybody’s walking around with a Swiss bank account in their pocket," he said. Have smartphones really made more information inaccessible to law enforcement? Techdirt's Mike Masnick notes "there has always been information that was inaccessible -- such as information that came from an in-person conversation or information in our brains or information that has been destroyed." What's unique about this point in history, Masnick argues, is that there is "much more recorded evidence." Some argue that the government already has nearly all the information that might be on the iPhone in question and is pursuing access to 12 other phones that may have nothing to do with terrorism. Cloud services, email and tons of metadata are all available with a court order. In fact, we are speedily heading to a point where it might be possible that everything that we ever do is recorded or captured in some way or another thanks to the Internet of Things. What if the government potentially had backdoor access to every smart device in your smart home? An F-Secure Labs Security Advisor did a quick thought experiment about what could happen if the government used the "All Writs Act to expand FBiOS development to include wiretapping functionality of a phone in use." He concluded that what the government's proposing has huge potential for abuse: "...while your data in transit might remain fully encrypted, every device will now include the potential to be wiretapped unless you compile the OS yourself (or install from trusted sources) and maintain control of the update channel. History suggests that FBiOS wiretapping functionality would be too easily abused by multiple governments."
And the creation of a spying potential of this sort would be a massive prize for hackers. "We shouldn't undermine our entire security setup just because there are some bad people out there," Masnick wrote. "In fact, that makes us less safe." These debates tend to circle around to the need to defend against criminals and terrorists, which is definitely true, and the fact that most of us consider ourselves law-abiding citizens with nothing to hide. But imagine if you did have something to hide, something you were born with and something you couldn't change. "LGBTQ people around the world depend on encryption every day to stay alive and to protect themselves from violence and discrimination, relying on the basic security features of their phones to prevent online bullies, stalkers, and others from prying into their personal lives and using their sexuality or gender identity against them," Cory Doctorow and Victoria Ruiz wrote. These dangers are not theoretical for millions of people around the world, which is why we at F-Secure stand with Apple. It's important to make a case for the right to encryption now before it's too late.

March 21, 2016

The insecurity of IoT devices is a common theme on this blog. Cool and novel yes, but smart “Things” often fall short on security and privacy. We’ve talked about the pitfalls of smart baby monitors, water kettles, cars, and Hello Barbie. Why do these connected things slip up so badly when it comes to security? Let’s look at it from another point of view – the view of the maker of an IoT device. Imagine you own a company that has been making cookie jars for 30 years. You make cute, classy and creative cookie jars to fit every type of kitchen decor. You know everything about them – the best materials, most popular designs, ideal sizes, the best-sealing lids for the freshest cookies, everything. You are an authority in making great cookie jars. Now you decide to get on the IoT train and introduce a smart cookie jar. It will be the first of its kind! This cookie jar will put an end to the age-old problem of kids sneaking treats before dinner and ruining their appetites. It will connect to an app in the user’s phone. The app will alert the user when someone is opening the cookie jar. From the app, the user will also be able to remotely lock and unlock the cookie jar. So even if Mom is away, she can still keep Billy out of the Chocolate Chunkies. You’ve been making cookie jars for three decades – you’re an expert. But when it comes to making a smart cookie jar, that’s another thing. Because you are not an expert in software tech. In fact, you pretty much know nothing about it. You’re excited about your new product. You’re thinking of new features you could build in, like password protection right on the jar, or a sensor that can tell how many cookies have been removed. You’re in a hurry to get the product to market. After all, you’ve heard that some new Silicon Valley startup is working on a similar product, and you don’t want to be upstaged. In all your excitement, security is forgotten. Or rather not forgotten, since you never had it in your mind to begin with. 
Because you, after all, are a cookie jar maker. You’re working with a few other companies on the technology. Your goal is to get the jar made as quickly and as inexpensively as possible. None of the other vendors stress about security. After all, it’s not going to be their brand name on the final product. It will be yours. You don’t realize that the software being used in your product is five years old. You’ve never thought about what might happen if a vulnerability needs to be patched. Is it even possible to patch, and if so, how will you alert your customers who purchase the jar? But these thoughts don’t enter your mind. Your main concern is that it will work, and that it will look cool, and have that “wow” factor. So you keep working. Eventually your cookie jar gets made and hits the market. It works. It looks cool. And it has that “wow” factor. But, oops. It leaks the password to the home Wi-Fi network. It’s really no surprise. You are, after all, a cookie jar maker.* Security is challenging enough to get right for the software industry itself – how much more so for those companies who are completely new to software and security. As security researcher Runa Sandvik put it, “When you put technology on items that haven’t had it before, you run into security challenges you haven’t thought about before.”   *No disrespect to cookie jar makers – I myself am a big fan of cookies of all kinds, and cookie jars are a great way to keep them accessible. I would trust my cookies any day to them, but I’d be more careful about my data. Banner image courtesy Personal Creations, Modified.  

March 4, 2016

The U.S. Department of Defense played a "pioneering" role in the development of technology now utilized by the IoT -- including the sensor and computer networking -- but today "few military systems leverage the full IoT stack." Why? "Security is the most significant challenge to broader IoT adoption across the military, with the large number of simple devices and applications raising unique vulnerabilities to electronic and cyber warfare." That's the main reason the Pentagon has been slow to adapt to the Internet of Things, according to a Center for Strategic and International Studies report on "Leveraging the Internet for a More Efficient and Effective Military." In order to seize the imperative to use machine learning to "revolutionize modern warfare," the report calls for developing "Common Standards and Protocols" along with "new security techniques that can be applied to commercial, off-the-shelf (COTS) devices and applications, including those hosted in the cloud, focusing on investing in scalable security measures instead of securing individual systems." The problems of IoT security cut two ways for the U.S. military, presenting outside risks and limiting adoption of new technology. Lt. Gen. Edward Cardon, head of the U.S. Army Cyber Command, argues that national security requires increased monitoring and securing of the internet wherever it exists to counter the risks that come from the end of any illusion of compartmentalization that is fading as the IoT emerges. "What we're starting to realize is an event that happens in the commercial space could be happening in the government space and could be happening in the military space," Cardon said at the Institute of World Politics in Washington last month. "So it's not like it's all compartmentalized." A boundary-less internet presents a whole world of security issues and privacy issues for early adopters. And failing to address them is leaving the world's best-funded military struggling to catch up.

February 1, 2016

It’s easy to be pessimistic about how the Internet of Things (IoT) could change the world. Some people might see it as just a gimmick to sell new TVs or other devices. Others might feel that it’s more of the same old thing, or just a bunch of new mobile devices. Many people are concerned about how safe these devices are, or if they’ll usher in a big brother type world where privacy is a thing of the past. But many people and companies are learning how to leverage new Internet-connected technologies in extremely positive ways. Here are a few examples of how IoT devices are making life better for people all over the world.

Keep an eye on things while you’re away

Surveillance isn’t a bad thing when it’s not infringing on people’s privacy or personal space. And that’s exactly what one Australian man learned when he was able to use various smart gadgets to prevent his home from being destroyed in a bushfire. Professor Simon Maddocks from Charles Darwin University was able to spot the fire using his Internet-connected security cameras and a smartphone. Once he saw that the fire was approaching his home, he was able to use his smartphone to activate his property's irrigation system. Unfortunately, he was unable to save his crops. But his livestock and house survived the fire, which makes him quite lucky compared to some of his neighbors. Cases like these demonstrate how Internet-connected devices can help protect people. If Professor Maddocks wasn’t able to monitor his home he wouldn’t have understood the immediacy of the approaching threat – a capability F-Secure Director of Strategic Threat Research Mika Stahlberg has called the potential killer apps for smart homes. And being able to use his irrigation system to douse his property would have been much more difficult had he not been able to do this remotely.

Information sharing made easy

Many popular IoT devices are being developed for use in smart homes.
But thinking that IoT devices are limited to innovating homes is a complete misconception. Wearables are a pretty big product category for IoT devices, and feature well-known items like the Apple Watch and Fitbit. One recent project, called Wearables for Good, was created with the intent to encourage companies to develop wearables that serve the needs of people in both developed and developing nations. The project was a competition that awarded two design initiatives with cash prizes, as well as support in launching the products. One of the winners was Khushi Baby – a wearable necklace designed to store immunization data to make administering vaccinations in the field easier for health care workers. The necklace can store medical data and then share it with mobile devices via NFC transmitters. Making this information more accessible to people responsible for administering vaccines will help them make informed decisions while they’re in the field, and make vaccinating large groups of people much easier and safer. The designers behind Khushi Baby are currently using the product in Northern India to prevent fatalities due to vaccine-preventable diseases.

Monitoring the health of people that count on you

People now have access to technologies that can help them keep track of their own daily activities, and make improvements like getting more exercise, monitoring sleeping habits, etc. And while this is a great way for people to keep themselves healthy, other manufacturers are now beginning to focus on how to use these technologies to monitor people that have trouble staying healthy without a little extra help. For example, a Boston-based company has developed a “wearable baby monitor” that allows parents to monitor things such as their baby’s breathing, heart rate, movements, etc. This gives them a more complete picture of their baby’s health so that they can take better care of newborns.
Another company has developed a series of activity monitors that can be placed around the home to help monitor older adults that are living alone. These monitors can be placed throughout the home and monitor activities, and then make this data accessible online. The caveat of these home monitoring technologies is that they collect, store and exchange massive amounts of data – data that can easily be repurposed by hackers or criminals. Hacking has already been proven to be a serious risk for Internet-connected baby monitors. So everyone has a reason to be excited about what IoT devices can do, but remember to take steps to secure your new smart devices, and the data they collect and share online. [Image by Al404 | Flickr]

January 19, 2016

Even if you're not considering a Wi-Fi connected Barbie, you may be giving or expecting to get one of the 50 million smart home devices expected to be sold this holiday season. Given that this is the first holiday season when appliances offering internet-connected automation have hit the mainstream, a lot of people aren't sure what to look for when shopping for IoT devices. Making your home smart presents new security risks, but it can also save you or your family's lives. A Harris poll from earlier this year found what IoT adoption is looking like in the U.S.: Speaker systems are proving to be the most widely adopted smart devices both for the practicality and relatively few security risks. Thermostats come in second, though hacking a net-connected central temperature device could give criminals details about your comings and goings. Wireless security devices require a lot of trust in the manufacturer -- but so do "non-smart" security systems. Most of the risks the millions of smart home users face are largely theoretical at this point -- unless you're a high-level target. But that could change quickly after this holiday season puts tens of millions more people on the IoT. The Online Trust Alliance recognizes that many of us are just getting into the IoT's whole new world of possibilities and vulnerabilities, so it has put out a checklist of all the questions you should ask before buying a smart home device. It's quite comprehensive, so the group has boiled its work down to three concerns: Before purchase, confirm your ability to return the device for a refund if upon set up you find the security and/or privacy practices do not meet your personal requirements. If you cannot opt out of sharing data with third parties or are not provided the option of opting in, consider alternative products.
Before purchase, review the device’s warranty and support policies and verify that security and software patches are provided for the life of the product, beyond that of the warranty offered by the manufacturer. Review the privacy practices of connected devices you own or are considering buying, including data collection and sharing policies with third parties. Reset permissions to reflect your preferences (for example – data collection and sharing, camera and microphone settings and other functions). If your settings cannot be modified, consider the “reset to factory settings” option to force a clean setup. If you're still shopping around, Tom's Guide has put out a list of the best smart home devices it has found. As have Tech Crunch and Tech Hive. And if you're serious about securing your new smart home, be sure to check out our F-Secure Sense, which will plug the security holes created by connecting your life to the net.

December 11, 2015

The New York Times calls it a "Wi-Fi Barbie Doll With the Soul of Siri" and for many kids it may be a dream come true: A doll that listens and responds to you. Mattel's Hello Barbie is one of the most buzzed about gifts of the 2015 holiday season. And thanks to an app that connects the toy to your Wi-Fi network, the world's most popular doll is now on the Internet of Things. If you don't shop for kids' toys, you might not have even realized that there is a smart Barbie -- until news of the VTech hack broke. More than 6 million children's profiles have been exposed in the hack of the Hong Kong toymaker. Suddenly in the midst of the biggest toy buying time of the year, parents are forced to consider the security implications of connected toys they couldn't have imagined when they were kids. If there's a theme to this blog, it's that if it's smart, it's vulnerable. Researchers have questioned VTech's security before. And now some experts are raising similar concerns about Hello Barbie, which sends all of the voice data it hears into a cloud run by ToyTalk. Security researcher Matt Jakubowski was able to "access users' system information, Wi-Fi network names, internal MAC addresses, account IDs and MP3 files." And he said "it was only a matter of time" before he could hack the doll to speak directly to kids. Like many IoT threats, proximity is key. On the company's Tumblr, ToyTalk's Chief Technology Officer points out that the company isn't "aware of" anyone being able to use the doll to access "your WiFi passwords or your kid’s audio data." Given that it is the first Wi-Fi doll, the company is preparing for breaches and has a bug bounty program in place. Jakubowski told Global News, “Overall I think ToyTalk has done an outstanding job on the security protocols they have in place.
The doll when in wifi mode requires a client-side cert to be valid in order to access any of the data, it also limits the data that it can accept thus limiting the attack surface.” He added, “ToyTalk also appears to be using HTTPS for all communications to ensure no eavesdropping of any kind can happen. These are all good levels of security that you don’t typically see in many IoT devices. ToyTalk has certainly taken many of the concerns and has addressed them as best as they could.” These are positive steps and completely necessary given the intimacy many children already feel toward Barbie. But some privacy experts are still skeptical. In the wake of VTech, Troy Hunt is warning against anything that expands your child's digital footprint. "Given the way children have been shown to interact with dolls, then, there’s a strong likelihood that they will tell Hello Barbie everything," Mary Emily O'Hara writes in The Kernel. Chances are that Hello Barbie won't be the last doll that's on the IoT, and with the advances of artificial intelligence, toys will become even more immeshed in kids' lives. For criminals the attack is risky. "Is it worth staging a user-by-user attack against a child's doll?" Richard Chirgwin asked in The Register. Since this is a whole new world, who knows for sure. For now, parents should start to think of Wi-Fi connected toys like smartphones or tablets. Parents should be observant of how kids use them, supervise their use and put them away when they're not being used. Also, make sure your child's password and your Wi-Fi network are unique, strong and unguessable, of course. [Image by Patrick Quinn-Graham | Flickr]

December 1, 2015

The old cliche "If these walls could talk..." is taking on new meaning in the world of the Internet of Things. Smart walls that actually talk aren't on the market yet. But your smart home is capable of listening, remembering and divulging more about you than you may have imagined, explains researcher Charles Givre, a data scientist at Booz Allen Hamilton. (Yep, the same company that employed whistleblower Edward Snowden.) In a talk at the Make Data Work conference in New York, Givre described what the IoT devices Nest Thermostat, the Automatic Car dongle and the Wink hub learned about him as he used them as designed. His conclusion? "'Smart' devices collect and broadcast a lot of information beyond what you might expect. In aggregate, this information can reveal a great deal about the device’s owner." This information includes: your Facebook and Twitter handles; what other "smart" devices you have in your home and when they were connected; your home's location; your internet service provider; when you are home; all the trips you take in your car (depending on your privacy settings); and possibly your religion (if you, like Givre and Walter from The Big Lebowski, "don't roll on Shabbos"). Givre pointed out that most of the information is transferred securely but is stored in the cloud. Anyone who has access to your email address and password could reach it all. At this point, smart homes are rare enough that it's probably more convenient for thieves to physically stake out your home to note your comings and goings. But given the explosion of smart home technology, it's just smart security to make sure your important passwords are unique, strong and unable to be guessed by anyone. This basic step -- and thinking ahead about securing your smart home -- is the best you can do, now that you're aware just how much your smart home knows about you.
The makers of IoT devices also need to do due diligence to protect the sensitive data their devices are collecting -- especially since government regulation isn't erring on the side of consumers' privacy. "The Federal Trade Commission put out a report this year with best practices about how companies should notify their customers about data retention," ProPublica's Lauren Kirchner reports. "Device makers say that customers can opt in or out of sharing their personal information with developers and third-party apps." So your smart devices may be talking to others without you even realizing you have the choice. "If these walls could talk..." shouldn't you at least have a chance to decide whom they talk to?

November 24, 2015

Home automation has been a staple of science fiction stories for many years, and the Internet of Things (IoT) is slowly ushering in a world where devices are smart enough to handle tasks that used to require the attention of people. One part of the house ripe for such automation is the “man cave”. Man caves are a relatively new lifestyle trend that basically describe a room or area designed to cater to the tastes and lifestyles of guys, essentially allowing men to indulge in things away from the pressures or stress of the rest of the world. Workshops and garages have traditionally been seen as male-centric areas, but man caves are spaces where manliness is just as much about aesthetics as it is about more “male-oriented work”. Basements, garages, spare bedrooms, studies, and similar spaces are increasingly being converted into these man caves. According to Wikihow, setting up a man cave requires loads of home entertainment devices such as TVs, video game consoles, computers, and other gadgets, as well as decorations that emphasize the “manliness” of the area. Many will even include small appliances, such as mini refrigerators, to allow cave dwellers to remain in isolation for long periods of time. IoT devices are going to give home owners lots of new gadgets to put in their homes, making it a dream come true for tech enthusiasts. TVs will become smart TVs. Mini fridges will become smart fridges. Locks will become smart locks. Microsoft recently developed a smart air hockey table using their Windows 10 IoT core, so it seems fair to say the only limit for automating and “smartening” man caves is the imagination (and maybe a little bit of technical know-how). IoT technologies are going to give guys everywhere a whole new way to conceptualize and design man caves, as well as other rooms in their smart homes. But like many developments in home automation, there are significant security implications to using new devices. 
Here are a few suggestions on what to do to keep smart man caves safe and secure.

Get smart about protection: IoT devices are designed to make living more convenient. But sadly, many manufacturers are not building their smart devices to be particularly secure. Before you surround yourself with devices that connect your life to the Internet, you should give some serious consideration to how you can prevent people from using that connection against you. It’s already been demonstrated that hackers can use IoT devices to monitor and record what’s going on in your home, and security researchers say these problems will become more serious as IoT devices become more popular. Fortunately, security providers are beginning to offer smart protection for people to use to make sure they stay protected as they develop smarter lifestyles.

Manage your devices: A lot of smart devices contain various sensors and transmitters so they can record data about you and share it with some kind of online service. Samsung’s smart TVs, for example, use voice activation to let you control your TV with your voice. Unfortunately, this means your TV records everything you say, and the company has acknowledged that this data can be shared with third parties. This kind of invasion of privacy could become a serious security risk in the event one of these companies has a data breach, so it’s best to control how devices work to make sure they’re not recording personal conversations, financial information, etc. Many devices allow you to adjust their functionality through the settings options, and F-Secure Labs’ Karmina Aquino recommends people use this to help protect their personal data.

Make smart password choices: F-Secure Director of Strategic Threat Research Mika Stahlberg has said that one way hackers will try to hack smart homes is by simply guessing at the passwords used for various devices. This tactic is already being used by hackers to take control of routers used in homes and small offices.
The reason for this is that many people will buy small devices, such as routers, and simply never change the passwords set at the factory. These factory-default passwords are readily available on the Internet, so all attackers need to do is match up the password with your device, and then your network is compromised. So take a few moments when you’re setting up new devices to choose a decent password. It might take a few extra minutes, but it’s worth it if it keeps hackers and Internet snoops out of your man cave. [Image by Christian Collins | Flickr]

November 20, 2015

The future is becoming smart. We hear about it all the time. Smart TVs are becoming as common as desktops. There are smart thermostats, smart watches, smart baby monitors, and so on. But the spread of smart devices means security needs to get smarter too, so F-Secure has stepped up the security game by building F-Secure SENSE. SENSE is the first piece of security hardware designed entirely by F-Secure, and it’s setting a new standard for what security products are capable of delivering. SENSE was built to keep up with how technologies are changing what people actually want and need from security providers, so that they can stay protected as Internet-connected devices become a bigger part of their lives. SENSE is a completely new way for people to protect their security and online privacy. It combines hardware and software to give people a single system that can secure all of their Internet-connected devices. Instead of using traditional security apps to protect one or two devices at a time, SENSE works by creating a private, secure network inside of people’s homes that protects the Internet traffic exchanged between the devices in this network and the rest of the Internet. This allows SENSE to protect things like PCs, smartphones, and tablets, but also Internet of Things (IoT) devices that are unable to run traditional security apps. SENSE also comes with the SENSE app, which can be installed on devices like laptops, smartphones, and tablets, so these devices can stay protected even when they leave the home. There’s no limit to the number of devices that SENSE can protect, so you don’t have to buy individual subscriptions for each device. This makes SENSE a completely unique way to protect people – and not just individual devices – from online threats.
“The beauty of SENSE is that it is irrelevant whether you have 1 PC, 1 tablet, and 2 phones, or whether you have 3 PCs, 4 tablets, 3 phones, a smart TV, 2 game consoles, and a connected security camera,” says F-Secure Director of Product Management Mika Majapuro. “People don’t think about security and privacy on a device level – they want to protect all their devices in a smart way. This is what SENSE delivers, and it will continue to evolve as your needs and priorities change.” So SENSE is a completely new security product that delivers three key benefits that can help empower people to stop being afraid of using new technologies, and start enjoying a truly smart lifestyle.

Smart Convenience

According to Gartner, the average home could contain more than 500 connected devices by 2022, making it completely impractical to try and protect each and every device with a separate piece of software. Plus, many IoT devices won’t even let people install their own security apps. So the old way of protecting devices is dying, and SENSE is there to make it easy for people to get used to thinking about security in an entirely new way. SENSE’s app gives people an easy way to administer the security and privacy of their network and devices. It lets people see all the devices connected to the network, and their security status. It will also send notifications to people’s mobile device if it finds any issues with their devices or network. Plus, it provides people with general security tips to help them learn more about how to stay safe online, and lots of other information about online security and privacy.

Smart Privacy

People are more worried about their privacy now than ever before. One research firm found that 92% of Americans and Britons worry (at least sometimes) about their online privacy, with both nationalities citing the behavior of companies as the most common reason for their concerns.
Pew’s research has produced similar findings, saying 91% of Americans feel that people have lost control over how data is collected and used by companies. And controlling privacy is going to be an ongoing challenge as more people put IoT devices in their homes. These devices contain all kinds of sensors and transmitters that collect and share information, and it’s been confirmed that one manufacturer’s smart TVs are constantly collecting data and sharing it with companies. So SENSE helps people keep control of their privacy by securing Internet traffic. It blocks the invasive technologies that companies use to monitor people’s online behavior, such as spyware and other tracking tools.

Smart Security

IoT devices are giving people exciting new ways to live smart lifestyles, but there are certainly security risks involved with this. Mika Majapuro describes some of the security problems many IoT devices suffer from in this blog post. And you can read one family’s account of how their “smart” baby monitor had been hacked here. SENSE layers three kinds of security together to give people complete protection: local network security, cloud security, and local security software. It uses unique machine-based learning technologies in F-Secure’s Security Cloud to “sense” threats hidden within Internet traffic, so it actively learns about potential security threats before they hit devices. And it comes with software that can be installed on smartphones, tablets, and PCs, ensuring those devices receive the very best protection that’s made F-Secure famous. Mika says combining these three benefits helps SENSE strike a balance between offering sophisticated protection and ease of use, making it an ideal product for people to use as a foundation for building a truly smart lifestyle. “SENSE is a unique product because it was designed to let people grow and develop their own smart lifestyle without leaving their comfort zone.
So even though it’s easy to use and can be set up in just a few minutes, it’s sophisticated enough for people to use the in-depth information it offers to customize the way it works with other devices. It’s really our first consumer product that makes next generation technologies, like machine-based learning, fully accessible and useful to home users.” F-Secure SENSE will start shipping in spring 2016, and is priced at 199 EUR/USD, which includes the hardware, software, and a 12-month subscription. It is currently available for preordering for customers in Europe, and the first 5000 customers will receive a 50% discount.

November 11, 2015