Guest Post by Ed Perkins (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Unsuspecting consumers, thinking they have found a bargain, or that they have joined the latest gadget trend, or both, can be unpleasantly surprised, according to recent revelations on how mobile and IoT (Internet of Things) devices can have built-in security issues.
Here is a recap of some of the issues found in consumer gadgets:
Smart TVs: A recent news report said that Samsung “smart” TVs can listen to conversations in the room[1]. This became hot news during that week. Samsung published a “clarification” on its website[2].
The following language in Samsung’s privacy policy has led to confusion:
“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”
Samsung Smart TVs that offer voice recognition search functions have a microphone in the remote control which captures what is said (ex: “Recommend a good Sci-Fi movie”) and sends it to a server for processing. The server is hosted by a third party. So potentially, if you have this function enabled, the remote could be listening to sounds in the room and transmitting this to the server.
Wireless Doorbell: Researchers in the UK discovered that a smart doorbell can be made to reveal the homeowner’s wireless password [3]. The doorbell is only secured to its back plate by two standard screws. An attacker can gain access to the homeowner’s wireless network by unscrewing the unit, pressing the setup button and accessing the configuration URL. Once they have the password, they put the back on and there is no indication there was any tampering. A firmware update that fixes this issue was released two weeks after it was reported to the company.
Wireless Home Alarm: A security consultant discovered that a wireless home alarm used unencrypted communications, so an attacker can listen to the signal and pick up the PIN from messages [4]. Once they have the password, when the owner is away they can shut off the alarm and burglarize the home. To make matters worse, the units are not fixable, since the electronics use a one-time programmable chip, so the only recourse is to remove the unit and purchase a new alarm from a different vendor with, hopefully, a more secure design.
Cheap Tablets: In the midst of the 2014 Christmas shopping season, a security firm reviewed the inherent security of some of the cheap Android tablets being sold by the big-name retailers, and found “most of the devices ship with vulnerabilities and security misconfigurations; a few even include security backdoors”. Unsuspecting consumers who purchase these cheap tablets are likely inviting the risk of mobile data and password theft [5].
Wireless Mouse Jacking: This week it was reported that most wireless mice and keyboards use unencrypted signals to connect to the USB receiver [6]. Thus it is possible for someone up to 100 yards away to send commands into your computer (“mouse jacking”). While it may be difficult to physically get into position to attempt this, a determined hacker can easily spoof the mouse or keyboard to send signals into the computer. Some devices use Bluetooth, so it could be possible for someone to infect a smartphone to be used to propagate the attack on the owner’s computer. The same exposure exists if your computer is located near a window.
The lesson here is that, once again, the buyer must be aware – but with technology items, how can the average consumer be aware if there are hidden risks? Do we need a ‘good housekeeping seal’ for cyber devices?
References
[1] Your Samsung SmartTV Is Spying on You, Basically
[2] Samsung Smart TVs Do Not Monitor Living Room Conversations
https://news.samsung.com/global/samsung-smart-tvs-do-not-monitor-living-room-conversations
[3] Steal your Wi-Fi key from your doorbell? IoT WTF!
https://www.pentestpartners.com/blog/steal-your-wi-fi-key-from-your-doorbell-iot-wtf/
[4] Using SimpliSafe Home Security? — You’re Screwed! It’s Easy to Hack & Can’t be Patched
http://thehackernews.com/2016/02/hack-home-security-alarm.html
[5] Santa or the Grinch: Android Tablet Analysis for the 2014 Holiday Season
https://bluebox.com/santa-or-the-grinch-android-tablet-analysis-2014/ – link no longer valid
[6] Countless computers vulnerable to MouseJack attack through wireless mice and keyboards