This month has been an unnerving one in the world of tech. Revelations by Julian Assange’s controversial WikiLeaks website claim to show how devices in our homes, pockets and offices are being directly targeted by intelligence services for the purposes of covert surveillance.
Perhaps this shouldn’t come as a surprise. Intelligence services play an important role in upholding the security of our society and the deployment of bugs, wires and covert cameras is nothing new.
But if the good guys can find a digital back door into our smart devices, does that mean the bad guys can too? And are any of our connected devices safe?
Security versus privacy
Documents published by WikiLeaks allege that the US Central Intelligence Agency has been developing hacking tools and malware for the purposes of sophisticated digital surveillance. Devices the agency supposedly sought to exploit include Apple and Android smartphones and tablets, Windows and Apple PCs, internet routers and smart home devices. According to the WikiLeaked documents, some malware targeted Samsung smart TVs.
Dubbed ‘Weeping Angel’ after the statuesque Doctor Who villains, the code introduced a ‘Fake-Off’ mode to infected televisions that recorded audio from the built-in microphone even though the screen was powered off.
Weeping Angel is said to have been developed in collaboration with the UK’s own security services and targeted the F8000 range of Samsung screens.
While intelligence leaks like this suggest bountiful ways in which hackers – both the good guys and the bad – can crack our connected kit at will, the reality is not quite as straightforward. The case of Apple versus the FBI serves as a sobering reality check.
In 2015 the FBI wanted a reluctant Apple to help in bypassing the screen lock on a phone that might reveal crucial evidence in the case of a mass gun killing. The realisation that even the FBI was unable to unlock a common iPhone poured cold water on some of the myths about the hacking capabilities of law enforcement services. Eventually, the FBI had to pay security experts a sum thought to be around $1 million to access the phone.
Gaining access to covert audio recordings from a TV wouldn’t have been simple, either. The hack would only have worked for a specific range of Samsung TVs running out-of-date software and would also have required perpetrators to have physical access to the TV so as to install the malware.
The exploits described in the WikiLeaks ‘Year Zero’ trove are less about mass surveillance and more about targeting individuals where the potential reward outweighs the effort and expense. So unless you suspect you might be the subject of an international espionage attempt, you and your smarthome can rest easy, right?
Hacking your home
James Lyne is global head of security research at UK-based internet security firm Sophos. Over the past couple of years, he has been investigating how resilient – or otherwise – the everyday devices we plug into our internet router are to a hack attack. He hasn’t been impressed.
‘Most of them are, frankly, terrible from a security point of view,’ he warns.
Lyne and his team played the role of a hacker to test internet-connected CCTV cameras, kettles, plant watering devices, central heating controls, wi-fi power plugs and more.
‘There are two perspectives: short-term flaws, meaning they can be attacked right now, and then fundamental resilience problems, making them vulnerable now and in the future,’ he says.
Lyne was particularly concerned by one of the devices he found. Wi-fi extender plugs are common in many homes but one he discovered was running ‘an eight-year-old version of Linux with no built-in security measures or controls, and a hard-coded username and password’. Devices like these are bread and butter for hackers’ software.
It might be reasonable to think a hacker gaining access to your kettle or wi-fi power plug isn’t a big deal. After all, it’s not where you store your credit cards or accounts. Think again, says Lyne.
‘They provide access to a network, a proxy into a zone of trust,’ he says. ‘Hacking a PC is tricky but a device on the same network can intercept information.’
And it’s not just about eavesdropping. ‘These devices can be useful as an attack tool too,’ he adds.
That is exactly what happened one Friday in October 2016 when, without warning, many of the internet’s largest websites and services were forced offline by a 100,000-strong army of hijacked smart-home devices.
Twitter, Netflix, Airbnb, Spotify, PayPal, Pinterest and others were unavailable to large portions of the US and Europe for several hours as enslaved home security cameras, routers and DVRs brought the internet to its knees in the largest ever distributed denial-of-service (DDoS) attack.
The malware responsible was a worm known as Mirai. Spreading virally across the internet, it attacked vulnerable devices using little more than their default usernames and passwords.
While the WikiLeaks allegations of targeted CIA surveillance shouldn’t come as a surprise – after all, spies will always spy – many will argue that mass-market malware like Mirai poses a far more serious threat. The botnet attack of October 2016 wasn’t the first and it won’t be the last.
You, and your connected home, have been warned…