Last year it was revealed that the microphones on Samsung ‘smart’ televisions were always on, to enable the device to receive voice instructions at any moment.
It is just one fascinating episode as ‘smart’ objects open up new avenues to access people’s private data.
We carry our smartphones and tablets everywhere (even to bed!). They are at every confidential executive and board meeting.
But these devices we carry with us are bringing risks that we should start to query. Every day, I find that I inadvertently press my iPhone home button, invoking Siri. While this is invariably dismissed, it demonstrates the fact that Siri can operate as a backdoor.
Voice as the backdoor
If someone can get physical access to your phone, this Siri feature can allow them to bypass security features. When Siri is enabled on the lock screen, you can ask it to perform various functions.
Just give it a try! Say “Siri, search for John Smith address and phone number” and Siri will dutifully provide your answer. Follow up with “Siri, send Sandra Smith email” and it will also gladly accept — just let your imagination run wild.
But it doesn’t stop there; late last year it was reported that both Android and iOS devices can be hacked using this approach, and when a headphone is connected the cord acts like an antenna. Thus radio waves can simulate voice commands, and your hacker could be at another table in the coffee shop!
It is a little frightening that these smart objects might be smart, but not that secure.
Smart but not secure (watches)
Along the same lines, you should note that smartwatches may also be watching and secretly reporting.
The BSides SF smartwatch has been identified as having a backdoor that sends data to a China-based IP address. This companion product works with iOS and Android and allows you to connect via Bluetooth. Our old friend Siri is also used in this instance, and for Android, Google Now is the attack vector.
While the watch is a bargain at $17 a pop, selling it as a loss leader might be a great market penetration strategy. The opportunity for corporate data leakage and espionage is enormous. But don’t be surprised if this is not an isolated incident — there may be other brands that also have similar vulnerabilities.
US intelligence conspiracy?
The ‘good guys’ also want to keep an eye on your behaviour, and it was acknowledged in congressional testimony by James Clapper: We might use the internet of things to spy on you.
“In the future, intelligence services might use the internet of things for identification, surveillance, monitoring, location tracking, and targeting for recruitment,” says James Clapper, US director of national intelligence.
Perhaps this has already started? Who really knows?
We at least suspect that the cyber criminals have started to exploit this arena. The fact that there are 1.5 billion smartphones in the world that contain valuable personal info is an attractive proposition. Why bother with networked PCs when there is no firewall on phones right now?
Smart objects will have to be secure by design; this is going to be a new area of both opportunity and threat.