As if it’s not outrageous enough that the government, assisted by complicit corporations, is spying on our Internet usage, our phone calls, our Facebook “chats”, and our email, now comes news that “hackers” (government or freelance) can watch us watch TV!
[emphasis added to quotes]
Today’s high-end televisions are almost all equipped with “smart” PC-like features, including Internet connectivity, apps, microphones and cameras. But a recently discovered security hole in some Samsung Smart TVs shows that many of those bells and whistles aren’t ready for prime time.
The flaws in Samsung Smart TVs, which have now been patched, enabled hackers to remotely turn on the TVs’ built-in cameras without leaving any trace of it on the screen. While you’re watching TV, a hacker anywhere around the world could have been watching you. Hackers also could have easily rerouted an unsuspecting user to a malicious website to steal bank account information.
Samsung quickly fixed the problem after security researchers at iSEC Partners informed the company about the bugs. Samsung sent a software update to all affected TVs.
But the glitches speak to a larger problem of gadgets that connect to the Internet but have virtually no security to speak of.
Security cameras, lights, heating control systems and even door locks and windows are now increasingly coming with features that allow users to control them remotely. Without proper security controls, there’s little to stop hackers from invading users’ privacy, stealing personal information or spying on people.
Who believes that the Myrmidons at the NSA don’t similarly avail themselves of the same entry points? No wonder the head of the NSA is speaking to conventions of hackers and trying to recruit them! Birds of a feather.
Time to return to the days of “dumb” electronic devices, like the TV set illustrated above.
Long ago, I taped over the “eye” on my computer, after learning how school administrators in Pennsylvania stealthily activated webcams on laptops, so that teachers could spy on students at home. Who knew?
Can they listen in, too? Why not? Mics are installed in many devices that connect to the Internet, including laptops.
How about a speakerphone, connected to a DSL?
I’m not tech savvy enough to know the answer. Others are, however, and they say that the possibilities are endless: smart locks, smart appliances, smart cars, you name it. But how “smart” is it for us to possess these “smart” items? Not very, apparently.
Can “they” watch and listen to us through our cell phones, even follow us around? Why, yes they can:
Our cellphones have almost unlimited access to our daily lives—not just because we use them to talk, text, and search the Web, but because it’s really easy to turn on the GPS, microphone, or camera secretly from another location. If you’ve ever lost an iPhone, you may have used Apple’s “Find My iPhone” feature to remotely activate your phone’s GPS signal…. If Apple really is working with the NSA as part of PRISM, the technical requirements to locate a person through their phone would be no more difficult than that. For spy agencies, it’s no more difficult to activate your phone’s microphone the same way, letting them listen in on your conversations even when you aren’t making a phone call.
If we have “smart locks”, then hackers (or the government) can open them up!
If we have “smart security cameras”, then they can use our own cameras to make sure we’re not home before entering.
Thieves can even scope out the premises in advance. What a deal! They can identify what we have worth stealing, and then devise a map to make their “visits” most efficient. Needless to say, they can turn off our security alarms first.
If we have “smart appliances”, the possibilities for mischief are limited only by a hacker’s evil imagination. Crank that oven on full blast or turn that fridge up to the maximum? Why the heck not? What fun!
Got a “smart” thermostat? How’d you like your furnace on in the summer or the A/C on in the winter? Pity the poor pets.
Got a disgruntled former spouse, partner, or employee? Be afraid. Be very afraid, because it’s easy for a determined person:
It’s stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.
Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.
What’s really noteworthy about Shodan’s ability to find all of this — and what makes Shodan so scary — is that very few of those devices have any kind of security built into them.
“It’s a massive security failure,” said HD Moore, chief security officer of Rapid 7, who operates a private version of a Shodan-like database for his own research purposes.
A quick search for “default password” reveals countless printers, servers and system control devices that use “admin” as their user name and “1234” as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them. In a talk given at last year’s Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.
He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city’s entire traffic control system was connected to the Internet and could be put into “test mode” with a single command entry. And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.
If you have a “smart car”, you’re at risk, too.
You’re driving in your car and suddenly the wheel turns. You know you didn’t do it, but suddenly you’re in oncoming traffic and scramble to pull the vehicle back into your lane. …
Theoretically, a hacker could get you to connect your car’s Bluetooth to a rogue device and be able to daisy-chain his way into your car’s system.
What he can do from there is scary stuff. …
Do we have to disconnect every device from the Internet to be secure in our houses and effects?
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Wow. How easy for them to describe “the place to be searched, and the persons or things to be seized,” when they can have a “look see” first by hacking into our own devices and turning them against us.
What we need now is a good dose of old-fashioned capitalism (coupled with freedom, of course). There are billions of dollars waiting to be made by entrepreneurs who will develop privacy features for us ordinary citizens.
But will those features themselves be resistant to hacking? Or will those companies get leaned on in turn by this government, forcing them to give up the knowledge necessary to circumvent our own devices (again)?