Friday, January 15, 2016

With the "Internet Of Things" you got no stinkin' security

The "Internet Of Things" is where companies stuff tiny computers with wifi into basically all consumer products - refrigerators, light bulbs, toys.  This allows them to add "value add" services, like, err, well I really can't think of much.

Maybe it would let you remotely turn off your refrigerator if you had left it on, or something.

The punch line, of course, is that companies collect all sorts of data on you using these.  I've posted about this before:

Your "Smart" TV spys on you

But wait, there's more!  Et tu, Barbie?  Et tu?
Earlier this year Mattel unveiled "Hello Barbie," a $74.99 wi-fi equipped interactive doll. Users press a button on Barbie's belt to start a conversation and the recorded audio is processed over the internet so that the doll can respond appropriately. The doll also remembers the user's likes and dislikes.

Now Security Researcher Matt Jakubowski claims that he has managed to hack the Hello Barbie system to extract wi-fi network names, account IDs and MP3 files, which could be used to track down someone's home. "You can take that information and find out a person's house or business. It's just a matter of time until we are able to replace their servers with ours and have her say anything we want," Jakubowski warned.
Fortunately, the Black Hat hackers have a demonstrated track record of being respectful to those they hack.  Wh00t!

And it must be said: who ever would have seen this coming?

But wait - there's more!  Internet ads listen to you:
SilverPush is an Indian startup that's trying to figure out all the different computing devices you own. It embeds inaudible sounds into the webpages you read and the television commercials you watch.

Software secretly embedded in your computers, tablets, and smartphones picks up the signals, and then uses cookies to transmit that information back to SilverPush. The result is that the company can track you across your different devices. It can correlate the television commercials you watch with the web searches you make. It can link the things you do on your tablet with the things you do on your work computer.

Your computerized things are talking about you behind your back, and for the most part you can't stop them -- or even learn what they're saying.
Actually, you probably can stop this, but you'd have to use a desktop computer, unplug the built-in speaker, and make sure you haven't got a microphone plugged into the mic jack.  In other words, use 1990s technology.

Remember, if you're not paying for it, you're the product.


So what do you do?  Your mileage may vary, but I personally will never enable "smart" functions on things like TVs.  I won't use "smart" light bulbs.

But now for full disclosure: The Queen Of The World looks like she might like her some Netflix from the TV, which means that it's on the 'net.  Bah.

Short of blocking outbound Internet traffic from the TV to all but known locations, I'm not sure.  That wouldn't be simple.  That is a post for another day.

9 comments:

R.K. Brumbelow said...

Regarding Netflix, wouldn't it be better to use a dedicated box that you can whitelist rather than enable 'smart' features on the TV? At least then you can clip the microphone, if it even has one.

Borepatch said...

Yes, absolutely. And a DVD/Blu-ray player won't have a microphone.

We'll see how that discussion goes with the Queen ... ;-)

matism said...

As for the:
"If you're not paying for it, you're not the customer. You're the product being sold"
well that DOES ring true for MANY such products and services. But that does not appear to be the case for MOST Linux operating systems, from what I have been able to see. If you want to use that as "The exception proves the rule" of course, then that's fine.

R.K. Brumbelow said...

Borepatch said "Yes, absolutely. And a DVD/Blu-ray player won't have a microphone."

That we know of, I am starting to wonder how long it will be though. I hear of more and more devices where turning them off simply means one turns off an LED, but the device stays on. And more and more people seem to expect devices to respond to voice commands, so one has to wonder how long it will be before everything has an active microphone.

BTW, everyone already knows that many wifi routers can be turned into sensory devices to track people's movements, even fine movements like hand gestures, right?

Sigh, I am too old for this -redacted-

ASM826 said...

"If you're not paying for it, you're not the customer. You're the product being sold"

That's healthcare in a nutshell. Whether it's an insurance company or the .gov, if someone else is paying the bills, you are the product.

Jake (formerly Riposte3) said...

Roku? It would be a dedicated box with no microphone, and they're not that expensive.

Ratus said...

Amazon Fire TV Stick? Has Netflix, Amazon Video, HBO, Hulu, Etc. only $40 (the microphone "Voice Remote" is an extra $10)

I got one and put kodi/XBMC on it. ;)

Also something IoT related:
https://hackaday.com/2016/01/14/inject-packets-with-an-esp8266/

Old NFO said...

IF you're connected to the net, you're screwed for privacy... Period...

JS said...

Not enabling smart features on TVs may not do the trick, as those units may be partially disabled (or even bricked) by the manufacturer: http://www.pocket-lint.com/news/130437-smart-tvs-are-watching-you-which-shares-your-private-data-most-samsung-lg-sony-and-more