The Sleep Cycle alarm went off precisely at seven. From that point forward, Thursday was a day like any other – until the toaster attacked.
The flames greedily licked the underside of the cabinet, as tendrils of smoke curled this way and that. Flaming toast of death! Russia hacked my toaster. It was payback for the blatant meddling in the election – the blatant meddling by the US in the 1996 Russian election of Boris Yeltsin. A meddling so blatant that Time Magazine dedicated a cover to it. Russia was not pleased. And now my hacked IoT toaster was toast.
Part of me has wondered at the rising trend in IoT devices. What’s that, you say? What is IoT? Why I’m glad I asked, then blamed it on you. Wikipedia says thus:
To say it differently, IoT refers to an everyday device that is connected to the Internet. The most common examples of IoT devices are Nanny Cams, thermostats, photocopiers, Smart TVs, and whatever new-fangled Amazon device happens to be out now. I had to be vague with that last one, as it seems like Amazon has a new Alexa-style device every few months. Oh, and toasters. Now there are Internet-connected toasters.
Having an IoT device affords you the luxury of using that device from wherever you are. You’re on vacation, and want to check on the progress of your contractor, who is doing remodeling work while you’re away? From the luxury of your beach chair, you can open an app and view the webcam sitting on top of the piano in the Dining Room. I actually did this a few years ago, after a pipe broke and we had water damage in our home. Our vacation was already booked, and we couldn’t back out without losing our money. So we left for vacation, knowing a gaggle of restoration experts would be tearing out some walls and drying things out (on the insurance company’s dime). The night before we left for the beach, I went to Lowes and picked up a handful of Internet-connected cameras, as an insurance policy. And guess what? One of the contractors thought it would be hilarious to play a rousing song on the kids’ toy triangle instrument while grinning like the town dolt – right in front of the camera. I still have the video. When I called the company to complain, the manager gave me quite a bit of grief – until I offered to post the video on YouTube as some free publicity for their company (the employee was wearing a company polo shirt in the video). Funny how people suddenly get shy when you offer to make them famous on the Internet. Go figure.
So anyway, another use case… You’re lying in bed, roasting to death as your spouse snores happily by your side. Isn’t it interesting how in just about every marriage, one of the couple is always way too hot while the other is always freezing half to death? From your iPhone, you can turn down the thermostat to something more closely resembling the spawning ground of an Emperor Penguin. Internet-connected thermostats are all the rage nowadays. There is a makerspace in nearby Dillsburg, PA (home of the New Year’s Eve giant dropping pickle). And when I take my overeager 15-year-old geek there on Friday evenings to 3D print plastic widgets and tear apart old iPods, I sit at a table near their Nest thermostat. And I stare at it, and it stares at me, and I feel quite certain North Korean hackers are watching me from behind the shiny screen.
And here’s another great one. You are lying in bed, wondering what to wear to that big social gala later that evening. You roll over, and ask your Amazon Echo Look what to wear – and the camera that happens to be watching you in your bedroom (nothing creepy there, honest) offers to let you try on outfits for some crowdsourced fashion advice on what looks best on you. Remember in a previous blog where I talked about the value of your metadata (everything that makes up your online footprint)? We give away this information about ourselves in exchange for something that we value. The amount of potential metadata given away via a camera in the bedroom is not worth all the free fashion advice in Italy. That is my own personal conviction – and given the fact that this camera exists, I’m clearly not the only one who feels this way. Because if a technology such as a webcam exists in the bedroom as a legitimate fashion tool, there is no 100% foolproof method to ensure that tool can’t be used in a way not originally intended. That leads me to The Bad, but first, we need to clarify some terminology.
Do you know what a hacker is? I’ve asked this question quite a bit, and truth be told, I get the same response very frequently. A hacker is the bad guy. A hacker steals our stuff. A hacker belongs in prison. On and on it goes. Unfortunately, that view is not quite accurate. Read this:
According to Dictionary dot com, the classic view of a hacker is relegated to definition 3b, lower down on the list. That view of a hacker is highly influenced by pop cultural norms, though it is only part of the whole. Maple syrup is not a tree – though some trees may contain maple syrup. Let me try a different analogy – some people that hack (to modify (a computer program or electronic device) or write (a program) in a skillful or clever way) circumvent security and break into a network with malicious intent. They are a subset of the hacker population, just as maple syrup is a small component within the tree community. Does that help? Hackers are typically required as drivers of innovation – they think outside the box, and push the limits of what something is capable of being used or modified for. Many hackers wear “white hats” and use their skills for good. Some hackers wear “gray hats” and use their skills for either good or bad, depending on their own moral compass. And some hackers wear “black hats” and use their skills for ill-gotten gains – typically, to steal money. Not all hackers are “black hats”. For technological innovation to occur, hackers are needed. We need people who find new and creative ways to solve problems with technology. When society fosters innovation, much good can come as a result. And yet C.S. Lewis, in his masterful creation Mere Christianity, wrote this:
Education, like hacking, is neither good nor bad. Likewise, we must foster innovation within a positive ethical framework – or we run the risk of creating more clever devils. Any American education about computer hacking must always begin with a comprehensive understanding of cyberethics and cyberlaw. Just because something CAN be done in cyberspace does not make it right or beneficial or legal – American prisons are full of casualties of situational ethics. I’ll stop here and move on.
I’m currently reading a rather excellent book by Richard A. Clarke, called Cyber War. In it, Clarke provides a fantastic amount of information and research indicating that our nation is not at all prepared for an all-out cyberwar. An individual sitting behind a computer in a far corner of Eastern Europe could bring down large portions of our national infrastructure, from power grids to trains to clean water to traffic lights. All the way down to your Internet Connected Toaster. Remember – if you can access the Internet from your device, the Internet can connect to your device. And because each of these Internet connected devices (remember the term IoT?) is running software, which may have bugs in the code, these devices can be – and often are – weaponized. Viruses like Mirai and Reaper were designed to find and weaponize your insecure IoT devices. Some moons ago, I blogged about Denial of Service attacks. In this specific case, a bad guy (threat actor) can control an entire army of unsecured IoT devices, point them all towards a target on the Internet, and bring it down. These attacks are fairly common these days, and can cause harm and loss of revenue to businesses.
But wait – it could get more personal. A threat actor could utilize bugs in the code running on your NEST IoT Thermostat – or the code running on ALL NEST IoT Thermostats – and tweak the code. Remember the blog about Ransomware? Imagine one morning, waking up because the temperature in your house is unbearably hot. You go down to the NEST Thermostat, only to find a message that it has been hijacked. You are forced to pay a ransom to the hacker, or your thermostat will increase by one degree every minute, until your furnace overheats and your house burns down. It’s possible. Or in the dead of winter, reverse the scenario – your heat shuts off until you pay a ransom. Pipes freeze. People freeze. These kinds of attacks could directly result in the loss of life.
How many of you have a photocopier at work? They run code and can be hacked. In 2016, a hacker remotely accessed about 29,000 printers, and had them all print offensive racist fliers. Photocopiers have, within the fuser assembly, a heating element that is used to dry toner on a page. It could be possible for a hacker to remotely encourage all the heating elements to overheat and catch on fire. Don’t think this approach to weaponizing equipment is a new concept. In 2010, a virus research company identified a new virus (code named Stuxnet) that was able to infect industrial control systems in a nuclear plant. The virus was designed to modify the code that ran centrifuges – it either sped the centrifuges up slightly, or slowed them down slightly, then hid the alarms so the operators never noticed they were malfunctioning. The result was that about 1,000 of Iran’s nuclear centrifuges malfunctioned and tore themselves apart. This attack set their nuclear program back by several months. To date, no one has claimed credit for the Stuxnet virus, though it is believed that the US and Israel jointly developed the virus to use against Iran. What prevents Iran’s hacking team from retaliating and overheating all the Internet Connected Xerox printers in America? It’s certainly possible.
These days, cameras are built into just about everything. As I mentioned earlier, I bought some IoT Cameras to watch my home while on vacation. They make many different types and flavors of Nanny Cams, that let you secretly spy on the Nanny while you’re supposed to be enjoying date night with the spouse. One of my coworkers had a watch with a built-in spy camera, that let him take photos from his wrist, James Bond style. I mentioned Amazon’s fashion advice camera, though they also have a different model designed as an alarm clock substitute. Newer Smart Televisions have webcams built into them, so you can Skype with the relatives from the comfort of your couch. Laptops, iPods, iPhones, Android phones, iPads, tablets… the list of camera-enabled devices goes on, and on, and on. And remember this – if you can access the camera, who else can?
One of the most enjoyable classes I ever took was for the Certified Ethical Hacker material. The entire course is designed around teaching you how the bad guys can get into systems, and the damage that can be done. How best to protect yourself against the bad guys, if not by learning their tricks? As part of the course, they provided an isolated sandbox environment where you could play with dangerous things without fear of harming anything. Once you were done with a particular lab, it nuked itself and everything within it. It was very much like keeping an ugly bug in a glass jar to study. One of the labs involved crafting, installing, and using a RAT (Remote Access Trojan virus) that could run a keylogger (capturing everything that was typed), take screenshots of what was on the computer’s screen, and access and capture from the onboard webcam. To be honest with you, I was shocked at how simple it was. Ben Makuch is well known for his series on Viceland called Cyberwar, which by the way is absolutely fantastic. In this video, Ben Makuch explains webcam safety and security. I highly recommend watching it and educating yourself. Because if you can use it, someone else could potentially access and use it, too. And I recommend covering your laptop webcam with a C-Slide webcam cover (or something like it). If you cover it with tape or something sticky, it could gunk up and ruin the camera forever.
So now that I’ve freaked you all the way out, let’s put a bow on this. If your widget can connect to the Internet, you don’t know who could be accessing it without your knowledge. And if they can access it, they can weaponize it for profit (ransomware) or to cause harm. Lock down all your Internet connected devices with very strong passwords. Be safe!
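One practical way to act on the advice above, offered here as an added example that is not part of the original post: a small Python audit that walks an inventory of home IoT devices and flags the credentials that botnets like Mirai rely on (factory defaults, passwords from common lists, passwords that contain the username, low-entropy passwords, and the same password reused on several devices). The inventory, the short default-credential and common-password lists, and the 60-bit entropy threshold are all constructed assumptions for illustration; a real audit would use a fuller list and your own inventory.

```python
"""Audit a home IoT inventory for weak or default credentials (illustrative, constructed data)."""
import math
import re
from collections import Counter

# Constructed sample of (username, password) pairs that ship as factory
# defaults on many consumer devices. Illustrative only, not a complete list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
}

# Constructed sample of passwords that appear on every common-password list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "admin"}

# Assumed policy threshold: anything below this estimate is flagged.
MIN_ENTROPY_BITS = 60


def estimate_entropy_bits(password):
    """Rough entropy estimate: length * log2(size of the character classes used)."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        alphabet += 33  # printable ASCII punctuation
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def audit_device(device, min_bits=MIN_ENTROPY_BITS):
    """Return the list of findings for one device; an empty list means it passes."""
    username, password = device["username"], device["password"]
    findings = []
    if (username, password) in DEFAULT_CREDENTIALS:
        findings.append("factory default credentials")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("password on common-password list")
    if username.lower() in password.lower():
        findings.append("password contains username")
    if estimate_entropy_bits(password) < min_bits:
        findings.append(f"password entropy below {min_bits} bits")
    return findings


def audit_inventory(devices):
    """Map each device name to its findings."""
    return {d["name"]: audit_device(d) for d in devices}


def find_reused_passwords(devices):
    """Map each password used on more than one device to the devices sharing it."""
    counts = Counter(d["password"] for d in devices)
    return {
        pw: [d["name"] for d in devices if d["password"] == pw]
        for pw, n in counts.items()
        if n > 1
    }


# Constructed inventory in the spirit of the post: a toaster, a thermostat,
# two vacation cameras and an office printer. All credentials are made up.
SAMPLE_INVENTORY = [
    {"name": "toaster", "username": "admin", "password": "admin"},
    {"name": "thermostat", "username": "jsmith", "password": "password"},
    {"name": "piano-cam", "username": "jsmith", "password": "Dining-Room-Piano-Cam-2017!"},
    {"name": "hallway-cam", "username": "jsmith", "password": "Dining-Room-Piano-Cam-2017!"},
    {"name": "printer", "username": "admin", "password": "Xerox-Lobby-7F!"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
    for pw, names in find_reused_passwords(SAMPLE_INVENTORY).items():
        print(f"password reused on {', '.join(names)}")
```

Running it flags the toaster on all four checks, flags the thermostat for its dictionary password, passes both cameras individually but reports that they share one password, and passes the printer. The entropy estimate is deliberately crude (it assumes random selection from the character classes present), so treat it as a floor-check against obviously short passwords rather than a measure of real strength.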