Originally posted by the Voice of America.
Voice of America content is produced by the Voice of America,
a United States federal government-sponsored entity, and is in
the public domain.


                   'Internet of Things' Carries Privacy Risks

   by Doug Bernard

   There's no need explaining to Adam and Heather Schreck how the Internet
   can threaten privacy in unexpected ways. They know first-hand.

   Last spring, the Cincinnati-area couple was asleep one night when
   Heather Schreck awoke to what sounded like a man's voice coming from
   their infant's bedroom.

   When she entered, Schreck found an unknown person was watching their
   daughter via the baby-cam attached to the crib, yelling "Wake up,
   baby!" again and again.

   When her husband entered moments later, the webcam swiveled up to look
   at the couple, with the user screaming obscenities at Adam Schreck
   until he yanked the camera's plugs.

   "Someone had hacked in from outside," Heather Schreck told a local TV
   station. Added her husaband, "you do feel kind of violated."

   The Schrecks are one of many Americans who are learning how
   the "Internet of Things" - that collection of everyday appliances users
   increasingly can manipulate via the web - can provide equal measures of
   convenience as well as challenges to our privacy and security.

   While their case grabbed headlines, stories like theirs are becoming
   more common.

   And, according to a new security report, the threats presented by the
   "Internet of Things" are likely even larger than previously thought.

   Insecurity of things

   "Back in the day, it used to be mass-mailing email worms [that worried
   us], but obviously things have changed," said Candid Wueest, a
   principal threat researcher with the Internet security firm Symantec.
   "It's clear everything's connected now. Unfortunately, connected also
   means `could be attacked.'"

   What Wueest is referring to is the rapidly expanding "Internet of
   Things," often referred to as the "IoT."

   While still relatively new, the industry analyst firm Gartner estimates
   that 4.9 billion "things", or smart-devices, will be in use by 2015,
   with that number skyrocketing to 25 billion things in just five years.

   These "things" increasingly touch on nearly every aspect of our
   personal and professional lives: Smart-TVs, closed-circuit cameras,
   heating and cooling systems, cars, refrigerators, ovens, and door
   locks.

   Chances these days are pretty good that if it can be built, someone
   will connect it to the Internet.

   The IoT promises a world of enhanced convenience.

   For example, you can turn up your air conditioning via your smart phone
   before you return from the beach or switch on and off your home lights
   and oven while still at work.

   But, Wueest said, every new device a user connects to their home
   networks or Internet creates a new path for hackers to break in. And
   this, he said, is not an issue many manufacturers are addressing.

   "We see people are buying these devices; the question is how secure are
   they? Does your neighbor see what you're doing at home? Could he
   actually switch off your lights?" he asked.

   Previous studies have suggested the answer is a qualified yes.

   A study in 2014 by researchers at HP Fortify found the average IoT
   device, such as home alarms, thermostats and garage door openers, have
   an average of 25 vulnerabilities per device, with a total of 70 percent
   of devices vulnerable to attack.

   HP Study Reveals 70 Percent of Internet of Things ... - HP Enterprise
   Business Community

   HP Fortify on Demand is pleased to announce the release of its Internet
   of Things State of the Union Study , revealing 70 percent of the
   most...

   Read more...

   Earlier this year, Wueest and his team at Symantec's Global Security
   Response Lab began looking more deeply into these connected devices.
   They explored 50 smart home devices already on the market to probe for
   security or privacy exploits.

   The report, "Insecurity in the Internet of Things" was recently
   published, and its results were alarming.

   Nearly every device Wueest's team looked at had one or more security
   vulnerability - most of them basic, and some as fundamental as not
   having password-protecting devices or requiring user authentication.

   "It's devastating and shocking to see that we still see so many devices
   with no proper authentication implemented," Wueest told VOA. "So for
   many of the devices we looked at, we actually saw that once you
   deployed them in your WiFi at home, your network, they don't' require
   any additional authentication. Anyone in that smart-home WiFi can send
   commands and do what they like."

   As just one example, the Symantec team identified one vulnerability in
   a popular smart door-lock that would have allowed them, with one
   command, to unlock thousands of doors across the country.

   Relearning from the past

   The report details a variety of different attack pathways and tactics
   hackers could use to gain control over a host of smart-things.

   While some of those include obvious holes such as password protection,
   Wueest's team found a range of back-end vulnerabilities nearly
   identical those home computer manufacturers identified and fixed a
   decade ago.

   "It's a beginner's mistake...it seems like history is repeating" he
   said. "We see the same mistakes like website vulnerabilities or not
   using passwords being repeated again and again. The question for us:
   are the manufacturers not doing it because users are requesting it?"

   The report doesn't directly ascribe blame for the security lapses, but
   researcher Wueest said both users and manufacturers share in the
   problems and the solutions.

   On the user end, he said that, even if offered robust password
   security, most users still opt for all-too-hackable passcodes such as
   "1234."

   Additionally, he said, once people get a device up and working, they're
   often unlikely to adjust the security settings or download software
   updates to patch security holes - exactly what lead to the Schreck's
   baby-cam being hacked.

   Such good "web hygiene" habits, he said, can go a long way to
   discouraging the bad guys.

   And while Wueest believes manufacturers should begin taking privacy and
   security more seriously, the only way that's likely to happen is if
   customers begin demanding it.

   "If you're thinking about buying these devices - and by all means, I
   use a few of these at home so we're not saying don't use them - you
   should check out the manufacturers website and see if they have a
   record of updating patches and fixes," he said.

   "If you don't see anything like this, this might be a good indication
   that they don't really look into the security," he said.

   So in the end, is the IoT something to be welcomed or feared? Should
   people begin worrying about the their toasters or coffee-makers?

   No, said Wueest, at least not yet.

   But it is time for everyone connecting up those five billion
   smart-things in their homes and offices to be aware that they can bring
   as much insecurity to life as they can convenience.
     __________________________________________________________________

   [1]http://www.voanews.com/content/internet-of-things-carries-privacy-ri
   sks/2691036.html

References

   1. http://www.voanews.com/content/internet-of-things-carries-privacy-risks/2691036.html