Is Your Watch Or Thermostat A Spy? Cybersecurity Firms Are On It | WAMU 88.5 - American University Radio

Is Your Watch Or Thermostat A Spy? Cybersecurity Firms Are On It


There is a sharp divide in the technology world. One camp is racing to connect our devices to the Internet, to make everything — from the watch to the refrigerator — smart, so to speak.

The other camp is terrified of what that means: everyday objects that can be hacked, easily, to spy on us and hand off valuable data to cybercriminals. The cynics are gathered in Las Vegas this week, at the security conference Black Hat.

The Nest Hacker

People who hack for good have come to Mandalay Bay to share their research.

Meet Grant Hernandez, 21, an undergraduate security researcher at the University of Central Florida. He hacked one of the smartest smart devices on the market: Nest. The home thermostat uses sensors to tell when you're home and adjust temperature accordingly. With a shiny silver rim and black center, it kind of looks like a big eyeball. And, Hernandez says, it's pretty easy to turn into a spy.

Nest left the device on display at the conference unprotected. So by plugging in a USB, he can enter developer mode.

"Entering into that mode allows you to upload your own code, your custom code, which then allows you to attack the existing code, implant your own and reboot normally, but maybe have something else running in the background," says Hernandez.

If Hernandez wanted to, he could run to the Loews store, buy every Nest, reprogram it to shoot user data to him — and the customer wouldn't have a clue.

"We have access to the device on the highest level and we can send stuff that Nest sends to us as well," he says.

Nest, which is owned by Google, says security is "very important" and the company's "highest priority" is on remote, wireless hacks. This hack, which is to the hardware, does not compromise the security of the data that's inside the Nest servers.

Bluetooth and Apps: Careless Design

Another genre of smart device that is wide open to wireless hacking is the wearable: the watch or running shoe with sensors inside that is connected to the Internet.

But surprisingly at Black Hat, hardly anyone is wearing one.

"No I'm not wearing fitness device," says Orla Cox. "I haven't actually used it since we, uh — since we did this study."

Cox is director of security response at Symantec. They just published a breathtaking audit of the top devices and self-tracking apps in the Apple Store and Google Play.

These apps peer deep into the human body and log very personal information. Not only heart rate and calories burned. But, for example, Spreadsheets tracks the frequency and loudness of sexual activity. Another one, Poop Diary, takes a look at bodily functions.

In the cyber-underground, experts say, hackers are building profiles of individual people. And any data that could eventually be sold — say to an insurance company or marketer — is worth stealing.

Cox says the apps make that theft really easy. The makers typically share private data with other sites. And they don't even bother to protect usernames and passwords with encryption.

"These are basic security practices that are not new and that should have been implemented straight away when these apps were developed," says Cox.

The Symantec report also looks at the most popular self-tracking devices, like FitBit and NikeFuel. They run on Bluetooth, which emits location data 24/7.

Cox's team built a machine, for $75, to sniff the GPS-coordinates of individual people wearing trackers. She says unlike smartphones, these well-known brands were designed without an off switch.

Cox says there is a unique ID that comes from these devices, which allows you to track them more easily than you would be able to through a phone.

Smart Devices Are Attack Surfaces

Levi Gundert, senior threat researcher at Cisco, is asking the accountability question: When grandma's toothbrush or toaster starts participating in a denial of service attack, who's responsible?

Cisco just released a report estimating that by 2020, there will be 50 billion connected devices. That is a whole lot of surface area for hackers to attack and, Gundert says, for corporations to protect.

"I want to see an initial recognition that yes, our devices are capable of being used in an attack scenario," says Gundert. "There's a responsibility to not necessarily just sell things to consumers, but also sell them in a responsible way."

One of the biggest players in the self-tracking market, Nike, had a booth at the conference. Several attendees speculated that the company is looking for talent to help secure its devices. Nike declined to comment.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.
