Is Your Watch Or Thermostat A Spy? Cybersecurity Firms Are On It
There is a sharp divide in the technology world. One camp is racing to connect our devices to the Internet, to make everything — from the watch to the refrigerator — smart, so to speak.
The other camp is terrified of what that means: everyday objects that can be hacked, easily, to spy on us and hand off valuable data to cybercriminals. The cynics are gathered in Las Vegas this week, at the security conference Black Hat.
The Nest Hacker
People who hack for good have come to Mandalay Bay to share their research.
Meet Grant Hernandez, 21, an undergraduate security researcher at the University of Central Florida. He hacked one of the smartest smart devices on the market: Nest. The home thermostat uses sensors to tell when you're home and adjust temperature accordingly. With a shiny silver rim and black center, it kind of looks like a big eyeball. And, Hernandez says, it's pretty easy to turn it into a spy.
Nest left the device on display at the conference unprotected. So by plugging in a USB, Hernandez can enter developer mode.
"Entering into that mode allows you to upload your own code, your custom code, which then allows you to attack the existing code, implant your own and reboot normally, but maybe have something else running in the background," says Hernandez.
If Hernandez wanted to, he could run to the Lowe's store, buy every Nest, reprogram it to shoot user data to him — and the customer wouldn't have a clue.
"We have access to the device on the highest level, and we can send stuff that Nest sends to us as well," he says.
Nest, which is owned by Google, says security is "very important," and the company's "highest priority" is on remote, wireless hacks. This hack, which is to the hardware, does not compromise the security of the data that's inside the Nest servers.
Bluetooth And Apps: Careless Design
Another genre of smart device that is wide open to wireless hacking is the wearable — the watch or running shoe with sensors inside that are connected to the Internet.
But surprisingly, at Black Hat, hardly anyone is wearing one.
"No, I'm not wearing a fitness device," says Orla Cox. "I haven't actually used it since we, uh — since we did this study."
Cox is director of security response at Symantec. They just published a breathtaking audit of the top devices and self-tracking apps in the Apple Store and Google Play.
These apps peer deep into the human body and log very personal information. Not only heart rate and calories burned, but, for example, Spreadsheets tracks the frequency and loudness of sexual activity. Another one, Poop Diary, takes a look at bodily functions.
In the cyber-underground, experts say, hackers are building profiles of individual people. And any data that could eventually be sold — say to an insurance company or marketer — is worth stealing.
Cox says the apps make that theft really easy. The makers typically share private data with other sites. And they don't even bother to protect usernames and passwords with encryption.
"These are basic security practices that are not new and that should have been implemented straightaway when these apps were being developed," says Cox.
Cox's team built a machine, for $75, to sniff the GPS coordinates of individual people wearing trackers in public places. She says unlike smartphones, these well-known brands were designed without an off switch.
Cox says a unique ID comes from these devices that allows them to be tracked more easily than a phone.
Smart Devices Are Attack Surfaces
Levi Gundert, senior threat researcher at Cisco, is asking the accountability question: When grandma's toothbrush or toaster starts participating in a denial of service attack, who's responsible?
Cisco just released a report estimating that by 2020, there will be 50 billion connected devices. That is a whole lot of surface area for hackers to attack and, Gundert says, for corporations to protect.
"I want to see an initial recognition that, yes, our devices are capable of being used in an attack scenario," says Gundert. "There's a responsibility to not necessarily just sell things to consumers, but also sell them in a responsible way."
One of the biggest players in the self-tracking market, Nike, had a booth at the conference. Several attendees speculated that the company is looking for talent to help secure its devices. Nike declined to comment.
MELISSA BLOCK, HOST:
We're going to spend the next several minutes talking about the security of our personal data online. Even the devices we wear and use around the house can be at risk, and we'll hear more about that coming up, but first, a massive hack by a Russian crime ring. According to the security firm that discovered the breach, Russian hackers who call themselves Cybervore have swiped 1.2 billion usernames and passwords. They were apparently stolen from hundreds of thousands of websites. If those numbers add up, it would be the largest hack ever. NPR's Aarti Shahani is at a computer security conference in Las Vegas called Black Hat where this hack is a big topic of conversation, and she joins me now. And Aarti, we should say this story of the hack was broken by the New York Times. Beyond that massive number of stolen credentials, what else did they report?
AARTI SHAHANI, BYLINE: Well, we know the security firm - it's called Hold Security - says that a small group in a small city in south-central Russia pulled off this huge theft - again, 1.2 billion usernames, passwords and other information. But it didn't happen in one fell swoop. The firm says that hackers did it over time and that they got their data from many websites around the world - everything from Fortune 500's to small mom's and pop's.
BLOCK: So they've amassed all this data, and what are they doing with it?
SHAHANI: We don't know what they're doing with it yet. Quite frankly, here at Black Hat the response isn't so much shock and awe as it is kind of dud. The crowd here expects this kind of hacking to happen to some extent.
BLOCK: Even on this scale?
SHAHANI: Yes. Yes, and I'd actually broadly categorize the reactions into a few groups. There are the defeatists who say listen, cyber criminals are winning. The battle is lost. Then there are people who are experts in the underground who are waiting to see if the personal information that got stolen is added to databases that are being amassed right now in the underground to build profiles on individual people - so not just credit card numbers. And finally, there are cynics here who've pointed out that Hold Security is pretty light on details like how old the stolen data is, but the firm was quick to offer a service to help victims for the bargain price of $120.
BLOCK: OK, NPR's Aarti Shahani at the cyber security conference Black Hat in Las Vegas. Aarti, thanks.
SHAHANI: Thank you.
BLOCK: And another thing Aarti's learning about at that conference - vulnerabilities and devices connected to the Internet, like fitness tractors and smart thermostats. Here's her report.
SHAHANI: People who hack for good have come to Mandalay Bay to share their research. I'm in a quiet hotel room with one so-called White Hat.
GRANT HERNANDEZ: I'm Grant Hernandez. And I'm undergraduate security researcher at the University of Central Florida.
SHAHANI: 21-year-old Hernandez hacked one of the smartest smart devices on the market, Nest. The home thermostat uses sensors to tell when you're home and adjust temperature accordingly. And Hernandez says it's pretty easy to turn into a spy. Nest left the device unprotected. So by plugging in a USB, he entered developer mode.
HERNANDEZ: Entering into that mode allows you to upload your own code, your custom code which then allows you to attack the existing code, implant your own and reboot normally but maybe have something else running in the background.
SHAHANI: If Hernandez wanted to, he could run to the Lowe's store, buy and hack every Nest to shoot user data to him and return the devices. The next buyers wouldn't have a clue.
HERNANDEZ: We have access to the device on the highest level.
SHAHANI: Nest, which is owned by Google, says the company's highest priority is on preventing remote wireless hacks. Hernandez's hack may grad data from the hardware, but it does not go into the Nest servers. Another genre of smart device that is wide open to wireless hacking is the Wearable - the watch or running shoe with sensors inside connected to the Internet. And as I roam through this tech conference, I notice hardly anyone is wearing one. Take Orla Cox.
ORLA COX: No I'm not wearing a fitness device. I haven't actually used it since - since we did the study.
SHAHANI: Cox is director of security response at Symantec. They just published a breathtaking audit of the top wearables like that Fitbit and NikeFuel. These devices run on Bluetooth, which emits location data 24/7. Cox's team built a machine 75 bucks to sniff the GPS coordinates of individual users in public places. She says unlike smartphones, the designers behind these big brand names didn't even make an off switch.
COX: There is a unique ID that's coming from these devices which allow you to more easily then track them than you would, say, through a phone.
SHAHANI: Symantec also looked at smartphone apps. Some get very personal, not just logging heart rate, but even things you might not expect like the frequency or loudness of sexual activity. Hackers could steal that data and sell it down the line to a marketer. And Cox says many of the top apps make that theft really easy because they don't bother to protect usernames and passwords with encryption.
COX: These are basic security practices that are not new and that should have been implemented, you know, from, you know, straightaway when these apps were being developed.
SHAHANI: Cisco just released a report estimating that by 2020, there will be 50 billion connected devices. That is a whole lot of surface area for hackers to attack and for corporations to hopefully protect. Aarti Shahani, NPR News, Las Vegas. Transcript provided by NPR, Copyright NPR.