Thursday, December 12, 2019

Consumer Electronics and Security for the holidays

People are buying presents for the holidays and so here is a smorgasbord of security news that can help you pick more secure electronics.

Some important bad news: Ring video device in 8-year-old girl's bedroom remotely hacked:
Any smart device is also a gateway to everything in your home connected to the Internet.  A "smart speaker" is no exception - and many of them contain video now, not just audio.  Just yesterday, it was reported that a hacker had accessed a Ring video camera and speaker in a little girl's bedroom.  Go read that report - it's spine-chilling.  What if that were your daughter?  Would you want nude images of your 8-year-old, undressing for bed or getting dressed in the morning, spread all over child pornography or pedophilia Web sites?
This is no joke.  I would not allow ANY video or audio devices in a child's bedroom because of the long history of lousy security in these devices.  This means webcams of all sorts (including Ring), Amazon Echo/Alexa, Google Home, Apple HomePod, or Facebook's new Portal device - which has pretty compelling TV commercials (but it's from Facebook, which doesn't give two hoots about your - or your kid's - privacy).

The same thing goes for "Smart" TVs which increasingly have both cameras and microphones, and which have a terrible record for both security (easy to hack) and privacy (they upload basically everything about you to the 'Net).

I would go farther and say that none of these should be in your house, period, but for the love of everything that's holy, especially not in your children's rooms.

Some good news: Toy manufacturers are getting generally better about security:
Back in 2017, the consumer group found toys with security problems relating to network connections, apps or other interactive features. The results of its latest round of testing show manufacturers are struggling to improve standards.
Working with security researchers NCC Group, Which? found a karaoke machine that could transmit audio from anyone passing within Bluetooth range because of its unsecured connection. It found walkie-talkies from VTech which anyone with their own set of similar equipment could connect to over a 200-metre range. It also found a Mattel-backed games portal which appeared to be unmoderated, allowing users to upload their own games with content inappropriate for children.
Now this sounds bad, but the good in the bad is that most of the problems require close physical proximity to compromise - generally it's done via Bluetooth, which has a nominal range of 30 feet but in practice is maybe half of that.  I've worked professionally with NCC Group in the past (I hired them to do a security test) and they know their stuff.  The fact that they only found these problems is very reassuring.  I wouldn't think twice about giving one of these toys to my grandkids, although I'd want them supervised when they download content.

More Bad News: KeyWe "Smart" lock can be trivially bypassed and there's no fix coming:
File this one under "not everything needs a computer in it". Finnish security house F-Secure today revealed a vulnerability in the KeyWe Smart Lock that could let a sticky-fingered miscreant easily bypass it. 
To add insult to injury, the device's firmware cannot be upgraded either locally or remotely. This means the only way to conclusively remediate this problem is to rip the damned things from your door and replace them with a bog-standard lock. 
The KeyWe Smart Lock is primarily used in private dwellings, and retails for circa $155 on Amazon. It allows users to unlock their doors through a traditional metal key, via a mobile app, or with Amazon Alexa.
The designers of the communication protocols really didn't think much about security - yes, there is encryption, but it seems like it was broken from the very beginning.  A Bad Guy can remotely (say, from across the street) extract the encryption key and use that to open the lock any time he wants.

Even worse, there is no way to update the firmware, so people who bought this have basically blown $155 on a lock that won't stay locked.  If you have one of these turkeys, get on down to Home Depot and buy a new dumb (key) lock, tout de suite.  Like it said, not everything needs a computer.

Bad news for health nuts: Antitrust review of Google Fitbit acquisition:
The FTC is keen to have a piece of Google, in part because it has just set up a new technology task force specifically to monitor tech giants for anti-competitive behavior. But the agency also wants to rebuild its reputation following an embarrassing climbdown in 2012, when its staff found that Google was rigging the search market, but the agency’s commissioners cut a deal and tried to hide the staff report (it is still hiding part of it.) 
But the DoJ reportedly called dibs on Fitbit because it has an ongoing investigation into Google.
There's a huge amount of Orange Man Bad in the linked article, but it's good to see the Fed.Gov getting serious about the single greatest privacy-violating company on the planet today.  Remember, if you give a Fitbit to someone for a holiday present, you're giving Google their private health data as another holiday present.


Old NFO said...

Don't have any of that crap, and no plans to add any... But I do wonder about the microwave sometimes...

LindaG said...

Hubby and I say the same. If it uses the internet, we don't want it. Too easily hacked.

Jerry said...

I've wondered what would happen if one stuck Alexa in a box with an internet radio playing old time radio programs?

Eric Wilner said...

A few weeks from now, I'll be setting up things in the New Location... including network management features for segregating guest devices and Internet Doohickies from the trusted network. The "smart TV" can, as before, be a small Linux box plus a projector; no mic nor camera required.
I do want video doorbells, but, since I've been unable to find one that can be configured to work with a private server, I'll just have to roll my own starting with an ESP32 dev kit (and open-source software).
If I'm happy with the results, I'll probably publish some moderate level of detail, release the firmware as open source, etc.

Weetabix said...

I have a couple of TVs that may or may not be "smart" - not sure how to tell.

Is there a way to tell whether your TV has a camera or microphone?

Murphy(AZ) said...

^Old NFO: My niece, who is visually impaired (but certainly not restricted,) just this week took delivery of a microwave oven that she can talk to. Temperature, time settings, you name it, if a microwave oven can do it, this machine can, too.

But in order to communicate with it, however, you need to wire your house for one of those spy devices. Not too sure if I like that, but if it helps make her life easier, so be it.