Smart homes might be right around the corner, but are you and your neighbors really ready for them? While research from firms like Gartner projects that demand for IoT devices will skyrocket over the next few years, the security implications of the IoT aren't so rosy. Current online threats will hit much closer to home as more people use IoT devices to "smarten" up their houses, and new security challenges are sure to emerge.

This image was posted on F-Secure Labs' blog by Mika Stahlberg, F-Secure's Director of Strategic Threat Research. His post provides an excellent breakdown of how smart homes are networked together and the different types of security that need to be considered. And while many people might not have networked light bulbs or locks just yet, nearly everyone is already using a router.

Routers are the digital door to your home. IoT devices are designed to communicate directly with one another using communication protocols like Zigbee, so smart homes that have numerous devices networked together are essentially blanketed by these signals. And yes, hackers can use these signals to do all kinds of nasty things. However, the range of these signals is quite limited, so anybody attempting to use them to invade your home will need to be really close – basically lurking outside your window.

Routers, on the other hand, are the gateways that connect IoT devices to the Internet. Any IoT device that has an online component, such as cloud computing, will be using data that passes through the router. Routers can be used to launch a number of attacks on unsuspecting people, and they make tempting targets because they give hackers access to all of the devices that connect to them. And while many people recognize that their phones, tablets, laptops, and desktops have security needs, fewer people are aware that routers and other devices also need to be protected.
As IoT devices integrate people's homes into online services, the potential for having a man-in-the-middle in your living room increases.

3 Tips to Lock Down your Router

Having a hacker in your living room is a discomforting prospect, just like any kind of home invasion. That's why people have locks on their doors. Every smart home owner should keep in mind that routers are like digital doors, so you want to take some basic security precautions to make sure you can keep that door closed and locked when needed. Here are three basic security tips for locking down your router to prevent hackers from inviting themselves into your smart home.

Don't Use Default Passwords

Routers, and many IoT devices, rely on passwords as a security measure. Passwords prevent people from wantonly accessing whatever device they come across, and are a staple of account security. Many routers come configured with a factory default password, so people can plug the device in, power it up, and start surfing right away. Unfortunately, many people don't give their router, or its password, a second thought once it's working. While many of these default passwords are strong and therefore more crack-resistant than something like "password" or "1234", they're not always unique, which means the same password can be used for an entire model or type of router. Many hackers know this, and default passwords are often published online. The point is that using default passwords is a bad idea.

F-Secure Security Advisor Sean Sullivan says that many attacks leverage remote access privileges and weak passwords on routers, so locking down routers is vital to securing your smart home. There's some great advice on choosing and managing passwords online, but Sullivan says that because router passwords are stored directly on the device, choosing a personal pass-phrase is usually sufficient (as opposed to a random string of characters like "uyg/&%/Tuhiu1229").
The technical ins and outs of changing your password will depend on the manufacturer and model of your router, but Netgear, Linksys, and D-Link (three of the largest router manufacturers) all offer online tutorials to walk you through the process, and there are several generic guides (such as this one) that you can use as a general reference.

Update your Router's Firmware

Updating software is vital to keeping devices protected, and this includes devices like routers. But updating routers isn't always easy because they require "firmware" updates. Firmware is software that is so deeply embedded in computers and other types of technology that it tends to be inaccessible to end users. Outdated firmware can contain exploitable vulnerabilities, which attackers can use to hack into routers. But updating firmware isn't as easy as updating apps on your PC or phone. It's something many people either don't know how to do, or they simply aren't aware when it's required. Most routers can't be updated automatically, or even directly online. People typically have to download the update to their PC first and then use that to install it on the router. There are some generic guides online that can give you an overview of how it works, but how and when to update depends on the manufacturer, so you should consult their website for specific instructions.

It might also be worth simply buying a new router if yours is quite old and hasn't been updated regularly. Manufacturers will often stop providing updates after a few years, even though the devices can last for a decade. Plus, many newer routers offer additional capabilities, and Sullivan admits that some of the newer features (such as guest settings) not only offer security benefits, but also allow them to work better with the diverse range of IoT devices used in smart homes.
Check your Internet Configuration

Another security issue with routers has to do with the way they're configured to work with your computers and other devices. Attacks that change people's Internet settings are generally referred to as DNS hijacks, and typically work by changing your Internet configuration to point your traffic to rogue DNS servers. Doing this lets attackers manipulate Internet traffic in a variety of ways, including tricking you into visiting malicious websites that steal personal data (such as account passwords).

Fortunately, you can take measures to protect yourself from these attacks. There are online protection packages that allow you to check your network to make sure your Internet configuration is safe, and F-Secure has an on-demand tool called Router Checker that lets you check your router to make sure it's handling your Internet traffic safely. You should also disable the remote access privileges on your router, or at least the Universal Plug and Play (UPnP) and web management options. Doing so will prevent people from using the web to access your router and change its settings without your knowledge.

[Photo by k rupp | Flickr]
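The three tips above turned into an automated check. This is an added example and not code from the post or from F-Secure's Router Checker; the settings it audits are a constructed dict standing in for what a router's admin page reports, and the default-password list and trusted resolver ranges are illustrative assumptions.

```python
"""Audit a home router's settings against the three tips above.

Added example, not from the original post or F-Secure. The configuration
is a constructed dict standing in for what the router's admin page
reports; the password list and trusted DNS ranges are assumptions.
"""
import ipaddress
from datetime import date

# Constructed sample of the kind of factory defaults published online.
COMMON_DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345678"}

# Constructed allow-list: the ISP's resolver range (TEST-NET-3) and the
# router itself, which forwards DNS for the LAN.
TRUSTED_DNS = [ipaddress.ip_network("203.0.113.0/24"),
               ipaddress.ip_network("192.168.1.1/32")]

AUDIT_DATE = date(2015, 8, 1)  # constructed "today" for a repeatable run


def audit_router(cfg, today=AUDIT_DATE):
    """Return a list of (severity, finding) tuples; empty means all clear."""
    findings = []

    # Tip 1: a factory default or a short password on the admin account.
    pw = cfg["admin_password"]
    if pw.lower() in COMMON_DEFAULT_PASSWORDS or pw == cfg.get("factory_password"):
        findings.append(("high", "admin password is a factory default"))
    elif len(pw) < 12:
        findings.append(("medium", "admin password is shorter than a pass-phrase"))

    # Tip 2: firmware that has not been updated in over a year.
    age_days = (today - cfg["firmware_date"]).days
    if age_days > 365:
        findings.append(("medium", f"firmware is {age_days} days old"))

    # Tip 3: DNS hijacks work by pointing the router at a rogue resolver, so
    # every configured resolver must fall inside a trusted range, and the
    # remote-management paths (UPnP, WAN-side web admin) should be off.
    for server in cfg["dns_servers"]:
        ip = ipaddress.ip_address(server)
        if not any(ip in net for net in TRUSTED_DNS):
            findings.append(("high", f"DNS server {server} is not a trusted resolver"))
    if cfg.get("upnp_enabled"):
        findings.append(("medium", "UPnP is enabled"))
    if cfg.get("remote_admin_enabled"):
        findings.append(("high", "web management is reachable from the Internet"))
    return findings


# Constructed router states: one fresh out of the box with a rogue resolver
# slipped into its DNS list, and one hardened per the three tips.
OUT_OF_BOX = {
    "admin_password": "admin", "factory_password": "admin",
    "firmware_date": date(2013, 1, 1),
    "dns_servers": ["203.0.113.53", "198.51.100.7"],  # second one is rogue
    "upnp_enabled": True, "remote_admin_enabled": False,
}
HARDENED = {
    "admin_password": "purple gate under the garden moon",
    "factory_password": "admin",
    "firmware_date": date(2015, 5, 1),
    "dns_servers": ["203.0.113.53"],
    "upnp_enabled": False, "remote_admin_enabled": False,
}

if __name__ == "__main__":
    for name, cfg in (("out of the box", OUT_OF_BOX), ("hardened", HARDENED)):
        print(name, audit_router(cfg) or "no findings")
```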
Would you ever give someone permission to listen to all of your phone conversations, to sit in on every meeting you take, read all of your emails, review your genome scan, watch what you eat, keep track of your exercise and monitor every photo and video you take? Futurist Ray Kurzweil -- who is Google's director of engineering -- believes you will give access to all that and more to artificial intelligence because of the incredible improvements it will make to our lives.

AI could turn the incredible computing power that comes from making every device smart into context that frees us up to live better lives. One common example proponents offer is a personal assistant that schedules your life intuitively while suggesting meals that fit your diet and giving you the ability to know every name and birthday of every person with a connection to you in every room you enter.

Search engines already know us better than our family does, F-Secure Chief Research Officer Mikko Hypponen often notes. AI, it seems, will know us better than we know ourselves. Tim O'Reilly, the coiner of the phrase "Web 2.0", thinks teaching machines to read our minds is the whole point of what we call the burgeoning Internet of Things. To him, it's only the marriage of the IoT and AI that will make smart homes and offices useful. He expects our "devices to anticipate us in all sorts of ways".

Most of us automatically reveal ourselves to Google because of the radical convenience it offers. Are we willing to reveal our entire lives if the rewards are rich enough? Will our fears of our TVs listening to us soon be replaced by the fear that our machines have missed something we said that would have been useful later? And how do our conventional notions of privacy jibe with "things" that could develop consciousness?
Kurzweil popularized the notion of "the singularity," which Nicholas Clairmont describes as "the time when the exponential growth of the power of computers and technology hits such a speed that it fundamentally changes the world, and humans' role in it." Kurzweil predicts that we should hit it in 2045. Many experts see it coming even sooner, with CPU power progressing at an exponential rate and the number of sensors tracking human behavior beginning to hit exponential growth.

Our Mika Stahlberg has laid out the complications of securing the IoT. But the question of which data gets shared voluntarily and what can be done with that data is just as complex. Technologist Limor Fried has suggested an "Internet of Things bill of rights" with the following core principles:

· Open is better than closed; this ensures portability between Internet of Things devices.
· Consumers, not companies, own the data collected by Internet of Things devices.
· Internet of Things devices that collect public data must share that data.
· Users have the right to keep their data private.
· Users can delete or back up data collected by Internet of Things devices.

This proposed template clarifies a lot of the key issues we should be thinking about when we talk about privacy on the Internet of Things. But given the potential of computer consciousness, disclosing how data will be used in a world where there are no limits to how data may be used presents the most vexing privacy issue of all.

[Image by Flavio~ | Flickr]
Your smart home is "wide open for a burglar to remotely open the door, turn off the lights, and steal your valuables," PC Magazine's Neil Rubenking explains in his look at new research from Cognosec's Tobias Zillner and Sebastian Strobl presented at this year's Black Hat conference.

Zillner and Strobl were impressed with much of what they saw in ZigBee, which along with Z-Wave is the most common mesh radio protocol used for smart home devices today. However, "their research found that only the fallback default key system was implemented, even for door locks. That gave them a way to connect to the automation system remotely to read data, send commands, and effectively own the system," Rubenking notes, before adding that to pull this off attackers "needed to capture the wireless traffic during a pairing event, and they needed to use it really, really fast." Their research gives a great overview of ZigBee's security architecture.

Is this really a surprise? As my colleague Mikko Hypponen has said all over the world, "Smart means exploitable." (Mikko has also said, "You can't spell idiot without IoT".)

The security challenges inherent in smart home devices include the following:

1) Most of the devices are cheap and lack a screen and keyboard.
2) Ease of use, especially during setup, is critical for these kinds of products.
3) Devices use wireless protocols to connect to the home, so there is no need to install wires in the walls. Hence, they and their signals are likely also reachable from outside the walls of the house.
4) Some of these devices, like garden sprinklers or porch lamps, are located outside and hence can be accessed physically without breaking into your house.
5) There are many manufacturers and many ways to buy the device: devices don't come pre-installed with any secret code or certificate specifically for your home.
6) Many smart home devices use mesh networking, where radios are low power and each device also acts as a relay station, so devices need some way of communicating with all other devices in the network.

ZigBee, like all Wi-Fi protocols, offers basic encryption for the transport layer. The default key exchange is pretty weak and would expose the network key if someone is sniffing the network during pairing -- though they may need to do a denial of service attack while they're at it. In order to create a secure communication channel, the devices at home have to exchange public keys or share symmetric keys. This is done over an insecure channel, without expecting that the cheap plastic gadget in your garden has been compromised.

It's an obvious security weakness that the protocol uses a universal network encryption key -- much like we see used to encode DVDs. All the manufacturers get it and embed it. If it leaks once, it cannot really be changed. While the standard does have some authentication mechanisms, it's hardly surprising that device manufacturers don't use them, as they complicate the out-of-box experience. This is not a problem that can be solved without complicating the user experience and increasing the cost of the devices by adding tamper resistance. Is this a good thing? Absolutely not. But don't expect this to change anytime soon.

While smart home security might almost seem like an oxymoron at the moment, there is no reason to throw in the towel and give up on either security or having a smart home. You will need to think about how you use IoT technology, though. As I explained in this post about how to secure your smart home, you might want to consider whether you really want to use smart locks. Disconnecting security and nanny cameras when you don't want them on also makes sense. Remember that attacks using a protocol like ZigBee or Bluetooth tend to only work from inside your home or very close to your home.
This is also true for attacks where someone steals your garden sprinkler, opens it up, and sucks out the local ZigBee shared key.

Earlier in human history, proximity was required for attacks: only people nearby could burglarize your house, and thus if you lived in a safe neighborhood, you were pretty safe. On the Internet, there are no safe neighborhoods; you can get attacked from anywhere in the world. Access to your home can be sold in dark markets. This means that your smart home is more likely to get attacked by someone guessing passwords to your smart home cloud backend, or by old-fashioned "brick through the window" attacks, than by someone physically tampering with smart devices in your backyard or eavesdropping on new device pairing to get access. If someone can gain access to your smartphone, perhaps through your Facebook account, s/he could then get access to your sprinkler without having to stake out your front lawn.

So, yes, the cheap plastic things in your garden may be used to open your smart door. Worse yet, the attacker could open your front door lock by guessing your password and sell cheap access to local burglars in an underground forum. Accessing your sprinklers remotely does have the potential for causing water damage or inflating your bill, but it's not as concerning as someone hacking your car's brakes, which has also only been done by security researchers.

[Image by Thangaraj Kumaravel | Flickr]
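The pairing weakness described above, as an added example (not code from the post, from F-Secure, or from the ZigBee specification): a simulation of the key-transport step in which the trust center sends the network key encrypted under a link key. It assumes a SHA-256 counter-mode stream plus an HMAC tag as a stand-in for ZigBee's AES-CCM, and constructed keys throughout; it also goes one step beyond the post by showing a per-device link key derived from an install code, the kind of authentication mechanism the post says manufacturers skip, which keeps the network key out of reach of anyone who only holds the fallback key.

```python
"""Why a universal fallback key exposes the ZigBee network key at pairing.

Added example, not code from the original post, F-Secure or the ZigBee
specification. The cipher is a SHA-256 counter-mode stream with an HMAC
tag, a stand-in for the AES-CCM ZigBee really uses; all keys are
constructed values.
"""
import hashlib
import hmac
import os

# Constructed stand-in for the fallback link key every vendor embeds.
DEFAULT_LINK_KEY = b"constructed-fallback-key"[:16]


def _keystream(key, nonce, length):
    """Counter-mode keystream from SHA-256 (stand-in for AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, plaintext):
    """Encrypt-then-MAC; returns (ciphertext, tag)."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return ct, tag


def decrypt(key, nonce, ct, tag):
    """Return the plaintext, or None if the tag does not verify under this key."""
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def install_code_link_key(install_code):
    """Per-device link key derived from a code printed on the device itself
    (a stand-in for the hash-based derivation real install codes use)."""
    return hmac.new(b"link-key-derivation", install_code, hashlib.sha256).digest()[:16]


def transport_network_key(link_key, network_key):
    """What the trust center sends when a device joins: the network key
    encrypted under the link key it shares with that device."""
    nonce = os.urandom(13)
    ct, tag = encrypt(link_key, nonce, network_key)
    return nonce, ct, tag


def recover_network_key(link_key, message):
    """A joining device, or anyone who captured the message, decrypts with
    whatever link key they hold."""
    nonce, ct, tag = message
    return decrypt(link_key, nonce, ct, tag)


def sniffer_learns_network_key(use_install_code):
    """Simulate one join and report whether a sniffer holding only the
    fallback key ends up with the network key."""
    network_key = os.urandom(16)
    if use_install_code:
        link_key = install_code_link_key(b"constructed-install-code-0001")
    else:
        link_key = DEFAULT_LINK_KEY
    message = transport_network_key(link_key, network_key)
    # The legitimate device always joins, whichever link key is in use.
    assert recover_network_key(link_key, message) == network_key
    return recover_network_key(DEFAULT_LINK_KEY, message) == network_key


if __name__ == "__main__":
    print("fallback key only:", sniffer_learns_network_key(False))   # True
    print("install-code key:", sniffer_learns_network_key(True))     # False
```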
The Internet of Things promises to make almost everything we deal with "smart", and "smart means exploitable," as our Chief Research Officer Mikko Hypponen has said many times. Many people began to understand this for the first time in July of 2015 when Wired broke the news that it had successfully hacked a Jeep on the highway. Our Micke explains:

The reporter was driving his Jeep on the highway when strange things started to happen. First the fan and radio went on and later the whole car came to a stop. On the highway! Andy Greenberg was not in control of the car anymore. It was controlled remotely by two hackers, Charlie Miller and Chris Valasek, from miles away. They had not tampered with the car, and as a matter of fact never even touched it. All was done by connecting remotely to the vehicle and utilizing a vulnerability in its own software. A highway is not the safest place for this kind of demonstration, so they continued with the brakes and steering manipulation in a parking place. Yes, that's right. Brakes and steering!

Fiat Chrysler Automobiles NV announced a recall of 1.4 million cars to fix the vulnerability -- the first recall for a software patch in history. And since it was the first, it was also a bit of a mess, as The Verge's Russell Brandom reported:

There was no way to update the cars automatically, so the company was reduced to in-person dealership updates and, in some cases, mailing USB sticks to affected customers. The result was a clear mismatch of offense and defense: UConnect makes the cars vulnerable to remote attack, but there's no way for Chrysler to remotely defend them by pushing out patches. Chrysler also made network-level changes that seem to have blunted the attack, but fixing the car's software still required in-person USB contact.

And they may not be the only car manufacturer forced to take such steps.
"The supplier didn't just supply radios to Chrysler but to a lot of other manufacturers," National Highway Traffic Safety Administration head Mark Rosekind told reporters. "A lot of our work now is trying to find out how broad the vulnerability could be." Rosekind is hoping the industry sees this as a wakeup call. "This is the shot across the bow. Everybody's been saying 'cybersecurity'. Now you've got to step up," he said. "You've got to see the entire industry proactively dealing with these things."

It's science fiction come to life. But as Micke reminds us, we're a long way off from accidents caused by compromised computers being a bigger risk than accidents caused by people -- especially people texting on their computers while driving.

[Image by davejdoe | Flickr]
If the experts are right, your home today is like a computer in the early 1990s. Sure, you can connect it to the internet, but it takes initiative and a willingness to embrace new technologies before your neighbor does. In the next five years, though, that should change radically. If the adoption curve for the Internet of Things (IoT) resembles what we've seen with internet-connected PCs and mobile devices, the homes and offices without multiple non-PC internet-connected devices will be the exception by the end of the next decade.

The cost-saving potential for businesses, local governments and individuals will likely verge on being irresistible. And so will the potential to free us up to pursue life's most enjoyable activities by skipping the mundane. Why shouldn't our refrigerator make our grocery list, for instance?

But to ensure that this new so-called "Internet of Everything" frees us rather than binds us, we must start thinking about privacy and security now. "You're not secure if you can't control the destiny of your private information," writes Cory Doctorow. "A system is not secure if it doesn't give you the freedom to do what you need to do."

The author and privacy activist warns that so-called "backdoors" built for ostensibly legitimate purposes like law enforcement present too attractive a lure to be used illegitimately, given the unprecedented access that devices will have to our lives. This would require us to assume that every manufacturer, law enforcement official, customer service agent, etc. remains impeccably honest -- even though we already know that some of those who have the power to abuse such access will. Doctorow points to "kill switch laws" in California and Minneapolis, which require manufacturers to enable over-the-air updates that render a phone useless in order to deter cell phone thieves, as an example of a technology that is easily exploitable.
Phones are getting cheaper and cheaper, while the data they hold becomes more and more valuable as our entire lives and finances become entangled with the devices in our pockets. "We don't know how to make back doors that only good guys can go through," he writes.

We have the time and opportunity to insist that these devices are designed with our digital freedom in mind. Even though there are cases of criminals already exploiting smart devices as part of zombie botnets, the technology is nowhere near pervasive enough yet to present a target for criminals or government surveillance agencies anywhere near as attractive as PCs or mobile devices. At F-Secure, we're exploring security for the IoT. The threats we are seeing may be targeting embedded Linux devices sooner rather than later. But we don't anticipate substantial smart home threats to materialize until 2017.

"Imagine a user-centric, data-centric, freedom-centric version of this security measure: all devices would have to be sold with encrypted filesystems by default, so that users whose phones are lost or stolen can be sure that their data is intact, that their bank accounts won't be raided, that the correspondence with their lawyers and doctors and lovers won't be read, that their search history and photos won't be exposed," Doctorow proposes. He then counters with some of the flaws in such a system, because "Good security measures anticipate countermeasures."

These are the kinds of debates we should be having now, while our imagination is still shaping the future. Otherwise the risk is "an Internet of Things That Boss You Around."

[Image by Ben Tesch | Flickr]
The exponential development of the Internet of Things (IoT) is difficult to put in numbers. But we have to try.

"Gartner, Inc. forecasts that 4.9 billion connected things will be in use in 2015, up 30 percent from 2014, and will reach 25 billion by 2020," a late 2014 report from the industry analysts summarized. It's difficult to imagine an industry that won't be affected by a network of connected devices that Cisco has estimated will generate $19 trillion in value by the end of the decade, which is more than the U.S. economy currently generates a year.

"From an industry perspective, manufacturing, utilities and transportation will be the top three verticals using IoT in 2015 – all together they will have 736 million connected things in use," Gartner reports. "By 2020, the ranking will change with utilities in the No. 1 spot, manufacturing will be second and government will be third, totaling 1.7 billion IoT units installed." It expects 13 billion consumer IoT devices to be installed by 2020.

The Guardian recently held a webchat about how businesses are thinking about the IoT. Of course, everyone is trying to figure out how to monetize this massive new network. For hardware and software makers this path is pretty intuitive: make things people need or want. But as we've seen with the development of the Internet, there will likely be a huge secondary market for data.

"I think we've all envisaged a freely interconnected internet that really is a net rather than a hub and spoke design, but things aren't really turning out like that," Neil Lawrence, professor of machine learning, University of Sheffield, said. "One major reason is that in the end the value is probably not really in selling the devices but in obtaining data and providing services over a long period." Professor Lawrence notes that data collection is essential to improve translation. In our near future we're going to be doing a lot of speaking to machines, it seems.
And improving the ability to understand nuance masses of data in combination with innovations in technology.

Any time data is being stored about your intimate activities, it's a privacy risk. But if this data is used to market to you directly, that may be a bit freaky coming from your refrigerator. And the need for securing this data could create a lot of new jobs in security, Dr Emma Philpott, CEO, IASME Consortium Ltd suggests. "What would be the consequences if a hacker gained access to that device (baby monitor, camera on a TV, security camera in your home) and is that something you can live with?" she asks.

Marketers will be wise to avoid raising users' suspicions by sharing their private data with third parties. "The worst thing the marketing industry could do is start throwing ads at anything smart that moves," says Amy Kean, head of futures, Havas Media. So machines don't just have to get smarter; marketers do too. "For me, the real opportunity is in the data, and the new product development," she added.

[Image via Kevin Krejci | Flickr]