Hazards of the Internet of Things 2. Big Brother Is Watching Your Every Breath

There seems to be something of a generational divide as to how important your personal privacy is. Folks under, say, age 40 have lived such a large fraction of their lives with Facebook and Amazon and Google and Twitter logging, analyzing and reselling information on what they view and listen to and say and buy that they seem rather numb to the issue of internet privacy. Install an Alexa that ships out every sound in your home and a smart doorbell that transmits every coming and going to some corporate server; fine, what could possibly be the objection? So what if your automobile, in addition to tracking and reporting your location, feeds all your personal phone text messages to the vehicle manufacturer?

For us older folks whose brain pathways were largely shaped in a time when communication meant talking in person or on a (presumably untapped) phone, this seems just creepy. Polls show that a majority of Americans are uneasy about the amount of data on them being collected, but “do not think it is possible to go about daily life without corporate and government entities collecting data about them.”

There are substantive concerns that can be raised about the uses to which all this information may be put, and about its security. Per VPNOverview:

Over 1,800 data leaks took place last year in the US alone, according to Statista. These breaches compromised the records of over 420 million people. With smartwatches having access to so much sensitive information, here’s what kind of data can fall into the wrong hands in case of a data leak:

  • Your personal information, including name, address, and sometimes even Social Security Number
  • Sensitive health information collected by the smartwatch
  • Login credentials to all the online platforms connected to your smartwatch
  • Credit card and other payment information
  • Digital identifiers like your IP address, device ID, or browser fingerprint
  • Remote access information to smart home devices

Several times a year now, I get notices from a doctor’s office or finance company or on-line business noting blandly that their computer systems have been hacked and bad guys now have my name, address, birthdate, social security number, medical records, etc., etc. (They generously offer me a year of free ID fraud monitoring.)

The Internet of Things (IoT) promises to ramp up the snooping to a whole new level. I took note four years ago when Google acquired Fitbit. At one gulp, the internet giant gained access to a whole world of activity and health data on, well, you. The use of medical and other sensors, routed through the internet, keeps growing. One family member uses a CPAP machine for breathing (to avoid sleep apnea) at night; the company wanted the machine to be connected to the internet for them to monitor and presumably profit from tracking your sleep habits and your very breath. And of course when you don a smart watch, your every movement, as well as your heartbeat, is being sent off into the ether. (I wonder if the next sensor to be put into a smart watch will be galvanic skin response, so Big Tech can log when you are lying.)

According to a senior systems architect: “The IoT is inevitable, like getting to the Pacific Ocean was inevitable. It’s manifest destiny. Ninety eight percent of the things in the world are not connected. So we’re gonna connect them. It could be a moisture sensor that sits in the ground. It could be your liver. That’s your IoT. The next step is what we do with the data. We’ll visualize it, make sense of it, and monetize it. That’s our IoT.”

When my kids were little, we let them use cassette tape players to play Winnie the Pooh stories. With my grandkids, the comparable device is a Yoto player. This also plays stories (which is good, better than screens), but it only operates in connection with the internet. The default is that the Yoto makers collect and sell personal information on usage by you and your child (which would include time of day as well as choice of stories). You can opt out, if you are willing to take the trouble to write to their legal team (thanks, guys).

There are cities in the world, in China but also some European cities, where there are monitoring cameras (IoT) everywhere. Individuals can be recognized by facial features and even by the way they walk; governmental authorities compile and track this information. These surveillance systems are being sold to the public with the promise of increased “security.” Whether it really makes we the people more secure is heavily dependent on the benevolence and impartiality of the state powers. Supposing a department of the federal government with access to surveillance data became politicized and then harassed members of the opposing party?

I’ll conclude with several slides from Timothy Wallace’s 2023 presentation on the Internet of Things:

The dystopian novel 1984 by George Orwell was published in 1949. It describes a repressive totalitarian state, headed by Big Brother, which was characterized by pervasive surveillance. Ubiquitous posters reminded citizens, “Big Brother is watching you.” Presumably the various cameras and microphones used in the mass surveillance there were paid for and installed by the eavesdropping authorities. It is perhaps ironic that so many Americans now purchase and install devices that allow some corporate or governmental entity to snoop on them more intimately than Orwell could have imagined.

Hazards of the Internet of Things 1. Hacking of Devices (Baby Monitors, Freezers, Hospital Ventilators) in Homes and Institutions

For my birthday this year, someone gave me a “smart” plug-in power socket. You plug it into the wall, and then can plug in something, say a lamp, into the smart socket, which you can then control via the internet. Yay, I am now a part of the Internet of Things (IoT). What could possibly go wrong?

However, my Spidey-sense started to tingle, and I chose to give this device away. At that point, I was thinking mainly of the potential for such devices to get hacked and then recruited to be part of a vast bot-net which can then (under the control of bad actors) conduct massive attacks on crucial internet components. For instance,

Mirai [way back in 2016] infected IoT devices from routers to video cameras and video recorders by successfully attempting to log in using a table of 61 common hard-coded default usernames and passwords.

The malware created a vast botnet. It “enslaved” a string of 400,000 connected devices. In September 2016, Mirai-infected devices (which became “zombies”) were used to launch the world’s first 1Tbps Distributed Denial-of-Service (DDoS) attack on servers at the heart of internet services. It took down parts of Amazon Web Services and its clients, including GitHub, Netflix, Twitter, and Airbnb.
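A defender’s-side illustration of the pattern the quote above describes (a burst of login failures against factory-default account names from a single source), added here as an example that is not from this post or from any source it cites: it parses constructed OpenSSH-style auth log lines and flags source addresses whose failures look like a default-credential sweep. The log lines, addresses, username list and thresholds are all made-up assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in OpenSSH "Failed password" format (addresses are RFC 5737 test ranges).
SAMPLE_LOG = """\
Jan 12 03:14:01 gw sshd[812]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:02 gw sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 12 03:14:03 gw sshd[812]: Failed password for invalid user support from 203.0.113.5 port 51238 ssh2
Jan 12 03:14:04 gw sshd[812]: Failed password for invalid user user from 203.0.113.5 port 51240 ssh2
Jan 12 03:14:05 gw sshd[812]: Failed password for root from 203.0.113.5 port 51242 ssh2
Jan 12 03:20:17 gw sshd[815]: Failed password for alice from 198.51.100.7 port 40210 ssh2
Jan 12 03:25:40 gw sshd[820]: Accepted password for alice from 198.51.100.7 port 40212 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Hypothetical list of account names that commonly ship as factory defaults on consumer devices.
DEFAULT_USERS = {"root", "admin", "support", "user", "guest", "service"}

def parse_failures(text):
    """Yield (timestamp, user, ip) for each failed-login line; all other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]

def find_credential_sprays(text, window_seconds=60, min_attempts=4, min_default_users=3):
    """Return {ip: sorted default usernames tried} for sources whose failures, inside any
    sliding window, exceed the attempt threshold and span several default account names."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        window = deque()
        for ts, user in attempts:
            window.append((ts, user))
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            tried = {u for _, u in window if u in DEFAULT_USERS}
            if len(window) >= min_attempts and len(tried) >= min_default_users:
                flagged.setdefault(ip, set()).update(tried)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    print(find_credential_sprays(SAMPLE_LOG))
```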

But it turns out the hazards with smart devices are widespread indeed. IoT devices are so useful for bad guys that they are attacked more than either mobile devices or computers. One layer of hazard is the hacking of specific, poorly-secured devices in a home or institution, with subsequent control of devices and infiltration of broader computing systems. This will be the focus of today’s blog post. Another layer of hazard is the use to which masses of (sometimes private and personal) data snooped from “unhacked” smart devices are put by large corporations and state actors; that will be considered in a part 2 post.

Here are results from one study from nearly three years ago:

https://www.thalesgroup.com/en/markets/digital-identity-and-security/iot/magazine/internet-threats

A study published in July 2020 analyzed over 5 million IoT, IoMT (Internet of Medical Things), and unmanaged connected devices in healthcare, retail, manufacturing, and life sciences. It reveals an astonishing number of vulnerabilities and risks across a stunningly diverse set of connected objects….

The report brings to light disturbing facts and trends:

  • Up to 15% of devices were unknown or unauthorized.
  • 5 to 19% were using unsupported legacy operating systems.
  • 49% of IT teams were guessing or had tinkered with their existing IT solutions to get visibility.
  • 51% of them were unaware of what types of smart objects were active in their network.
  • 75% of deployments had VLAN violations.
  • 86% of healthcare deployments included more than ten FDA-recalled devices.
  • 95% of healthcare networks integrated Amazon Alexa and Echo devices alongside hospital surveillance equipment.

…Ransomware gangs specifically target healthcare more than any other domain in the United States. It’s now, by far, the #1 healthcare breach root cause in the country. …The mix of old legacy systems and connected devices like patient monitors, ventilators, infusion pumps, lights, and thermostats with very poor security features are sometimes especially prone to attacks.

So, these criminals understand that stopping critical applications and holding patient data can put lives at risk and that these organizations are more likely to pay a ransom.

I know people in organizations which have been brought to their knees by ransomware attacks. And I have read of the dilemma of the guy who was on vacation in the Caribbean or whatever, and got a text from a hacker instructing him to deposit several hundred dollars in a Bitcoin account, or else his “smart” refrigerator/freezer would be turned off and he would come home to a spoiled, moldy mess.

What brought all this IoT stuff to my attention this week was a talk I ran across from retired MIT researcher Timothy Wallace, titled “Effects, Side Effects and Risks of the Internet of Things”, presented at the 2023 American Scientific Affiliation meeting. The slides for his talk are here. I will paste in a few snipped excerpts from his talk, that are fairly self-explanatory:

(My comment: 10 billion is a really, really big number…)

(My comment: this type of catastrophic compromise of computer systems being enabled by hacking some piddling little IoT device that happens to be in the home or institution local network is not uncommon. Which is why I am reluctant to put IoT devices, especially from no-name foreign manufacturers, on my home wireless network).

Many of these vulnerabilities could in theory be addressed by better practices like always resetting factory passwords on your smart devices, but it is easy to forget to do that.

And just to end on a light note (this cartoon also lifted from Wallace’s slides):