Internet of Things, Part 1: God's Gift to the NSA
Feb 12, 2014 5:00 AM PT
The United States National Security Agency's salivary glands no doubt started working overtime when it became apparent that technological advances were moving the world toward an Internet of Things -- a world where everything would be connected to everything else wirelessly or over the Web.
Almost two years ago, David Petraeus, then director of the U.S. Central Intelligence Agency, enthused that the IoT would transform surveillance techniques, Wired reported.
The smart home, and smart devices in it, would send tagged data with geolocations that could be intercepted in real time. Items of interest could be located, identified, monitored, and remotely controlled through technologies such as sensor networks and tiny embedded servers, Petraeus said.
The mention of tiny embedded servers may have come to people's minds last month, when news that the NSA had surreptitiously embedded microphone-bearing circuit boards and USB cards into PCs to spy on their users made the headlines.
Cracking the IoT Nut
Getting into IoT devices is not at all difficult.
When consumers' washing machines, dishwashers, thermostats, lights and coffeemakers are all linked to the Internet, either independently or through the home entertainment center's routers, tracking just about every aspect of a target's life will be a breeze.
"Most home users buy a router and use the default settings," Tommy Chin, technical support engineer at Core Security, told TechNewsWorld. "Sometimes the settings are misconfigured by the manufacturer, and they will be exploited by hackers."
The NSA, of course, is the granddaddy of all hackers -- angrily described by Microsoft as an "advanced persistent threat."
Newer devices made for the IoT "usually run operating systems like Linux" and are deficient in terms of cybersecurity, remarked Ken Westin, security researcher for Tripwire.
Symantec in November found a new Linux worm, Darlloz, that appeared to have been built to target the IoT.
Hot Rod Blues
Automakers are pushing smart cars, and Microsoft, Apple and Google are fighting for a share of the in-vehicle infotainment and telematics market, which Accenture has predicted will exceed US$80 billion this year.
Samsung and BMW have jointly developed the "iRemote" application, which lets owners of Samsung's Galaxy Gear smartwatch monitor the doors and batteries of their i3 electric car and change the vehicle's indoor temperature using the device.
Meanwhile, the auto insurance industry is pushing smart devices that plug into a standard car port and monitor how fast and far a car goes, and how it is driven. These devices also report on the car's location.
The amount of user data gathered on people in cars by telematics systems, personal navigation devices and smartphones has spurred an investigation by the U.S. Government Accountability Office, which in December submitted a report to the Senate on this issue.
No Place Like Home
On the home front, LG has rolled out its HomeChat service, which connects users to their kitchen products through the Line smartphone messaging app.
Recall that LG TVs could spy on their owners, and that the company in November was forced to address this issue.
Google recently laid out $3.2 billion for Nest, which makes smart thermostats and smoke alarms that come with a mobile app. The move sparked speculation that Google wanted to better track consumers for the purpose of serving up ads to them.
However, the purchase also could be useful to the NSA, as it would allow it to get even more information on targets when it serves Google with demands for information about them -- a fact not lost on security and privacy advocates.
Nest CEO Tony Fadell waffled when asked last month whether the company would provide information on user habits to Google, only denying that integration of both companies' data was then on the table.
Things will get even more up close and personal. At CES 2014 earlier this year, Intel talked about its plans for wearable devices.
Also, the French National Research Agency is funding research on cooperation in and between wireless body area networks in Project Cormoran.
Saving Us From Ourselves
The fact that IoT technologies are ripe for exploitation by the NSA is just the beginning. The agency now has equipment that lets it ravage the IoT.
The Nightstand -- one of the products in its 50-page catalog of spying devices -- is a standalone x86 laptop running Linux Fedora Core 3 that can be used to attack PCs running various flavors of Windows. In field operations, it has been used to inject packets into targets up to eight miles away.
The NSA also is reported to be harvesting millions of text messages worldwide daily.
The White House's Stance
Pressured by rising anger over the NSA's surveillance activities, President Obama in January outlined some measures to restrict the agency.
However, it was clear that the surveillance would not be terminated.
The U.S. needs to be able to collect data on potential terrorists' communications, Obama said.
Protect Yourself at All Times
Users should protect their home networks to prevent hacks through the IoT, Tripwire's Westin told TechNewsWorld.
They must change the default passwords on home routers; enable the built-in firewalls on the routers; and update their firmware when patches are available.
Sorin Mustaca, an IT security expert at Avira, lists cybersecurity recommendations here.
Manufacturers should use tamper-resistant licensing code for applications that sit at the operating system level, Mathieu Baissac, a security expert at Flexera Software, told TechNewsWorld.
Among other things, Baissac said, manufacturers also should ensure that applications on their devices, mobile device management systems and other products "have an easy, automated mechanism for getting the latest security patches and updates as fast as possible."