Data Privacy Day, Mistaken Alexa and Weaponized Hot Tubs
Happy New Year! I hope you had a wonderful holiday break, and are enjoying all the presents you received. This month’s update brings us back to the Internet of Things, a topic we discussed several times last year. Specifically, we’ll talk about two instances in which “smart” devices that you might have received as gifts have proven to be vulnerable to security or privacy problems.
Our first example was reported broadly, including in this article. Personal assistants like Amazon Echo and Google Home record what you say to them, and much more of what they hear in your home: Remember that their microphones must be active at all times so they can hear you call out to Siri or Alexa. Recently an Amazon user in Germany asked Amazon to send all the recordings they had, and Amazon obliged, except that they sent 1,700 recordings of the wrong user. It’s actually worse than that, but I’ll omit some of the details to tease you into reading the article. I’m not singling out Amazon, but the incident shows that 1) much smart technology exists specifically to gather as much information as possible about users and 2) data breaches can come from careless clerical errors as well as from malicious hackers. Think about that before you plug in a personal assistant or allow apps to use the microphone on your cell phone. By the way, January 28th is International Data Privacy Day.
The second example comes from England. That hot tub you got over the holidays: maybe it’s Internet-enabled so you can start up the heater and jets on your way home. Researchers have demonstrated how attackers can break into the controller of the hot tub. In addition to being able to control your water temperature and jet strength, attackers can read your usage log to figure out when you usually come home, and also use the hot tub as a gateway into your wireless network. The most interesting thing is that the manufacturer was made aware of these security bugs, but chose not to fix them because of the expense and the perceived inconvenience of adding a few mouse clicks to the interface. If you want the geeky details, check out this article.
What can you do?
There are a couple of lessons to be learned here. First, understand that “smart” objects, from hot tubs to personal assistants, will become more ubiquitous and invasive. That genie is not going back in the bottle, but it is critical that each of us understands the privacy risks and controls, and makes informed decisions about what services we use and how we use them. Second, we should continue to demand that the products we buy have good security. It is only when manufacturers become convinced that weak security will cost them sales that they will put the time and money into protecting us.
About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit fitnyc.edu/cybersafe and stay tuned for emails from [email protected] for the latest from the Cybersafe campaign at FIT.
-Walter Kerner
Assistant Vice-President and Chief Information Security Officer