Your TV might be Binge watching you!

VIZIO is reportedly paying fines for using users TVs to track their viewing patterns in significant detail as well as associating this with  IP address data including age, sex, income, marital status, household size, education level, home ownership, and home values.

Presumably this might have been avoided if VIZIO had presented the users with a “privacy statement” or “terms of use” when they installed their TV.  But failure to have obtained the appearance of consent put them in this situation.

It has been clear that all “free” media (and many paid channels), for TV, Cable, Radio, Internet streaming, etc. all want to track this information.  On one hand they can use it to provide “a better user experience” (show you the ads/suggested programs that match your demographics) … and of course the flip side is also true, selling your data to 3rd parties (a.k.a. ‘trusted business partners’)  so they can be more effective at interacting with you is part of the game.

Now lets step it up a notch.  Your TV (or remote controller) may use voice recognition, often using the “mother ship’ resources for the AI analysis if what you have requested. That is, your voice is sent back to servers that interpret and respond.  This leads to another level of monitoring … some of your characteristics might be infered from your voice, and others from background sounds or voices, and even more if the recording device just happens to track you all the time.  “Seri are you listening in again?” — and then add a camera … now the fun can really start.

Who’s Monitoring the Baby Monitors?

Guest Blog entry by Cassie Phillips

With the recent, record-breaking distributed denial of service (DDoS) attacks carried out with hijacked internet-of-things (IoT) devices, the woeful state of IoT security and privacy finally is achieving some public recognition. Just recently, distinguished security experts testified to US House of Representatives subcommittees on the dangers of connected devices, and the rationale for government regulation to address the security risks.Baby Monitor

But regulation is at best a long way off, if coming at all. It is vital that owners of these devices understand that although they may see no direct consequences of hijacked IoT devices being drafted into zombie attack networks, there are many other security and privacy issues inherent in these devices. Simply put, when we introduce connected devices into our homes and lives, we are risking our privacy and safety. Just one of the horrific risks can be seen in the use of baby monitors, nanny cams, security cameras and similar devices.

There has been a sharp increase in incidents of hijacked baby monitors. Some of these hacked devices were abused to prank families by playing strange music. But too many have been used to spy on sleeping children—so much so that websites dedicated to streaming hijacked nanny cam views have sprung up, clearly serving the frightening hunger of some deeply disturbed predators. And in one particularly twisted case, a toddler kept telling his parents that he was frightened of the bad man in his baby monitor. To their horror, his parents discovered that it was no childish nightmare; a man was tormenting their son night after night after night through the baby monitor.

These cases demonstrate that the risks are not simply cases of anonymous breaches of privacy. The safety of children and families can be entirely violated. It is certain that eventually a predator will see enough through the eyes of a baby monitor to identify, target and hunt a child in the real world, with tragic consequences. And what is perhaps more tragic, is that only then will lawmakers wise up to the risks and demand action. And only then will the manufacturers of these products promise to fix the problems (though certainly not without defending that because everyone else made insecure products, they’re in line with industry standards and not really to blame).

In short, though we may demand action from lawmakers or responsibility from manufacturers, at this point only parents reasonably can take any actions at all to protect their families. The knee-jerk solution may be to throw all of these devices out, but that would entirely ignore the benefits of these products and the ways in which they can still save lives. The best solutions today are for parents to take charge of the situation themselves. They can do this by purchasing more reputable products, changing their default passwords and using network security tools. Secure Thoughts (where Cassie is a writer) has evaluated VPN technology that can be used to minimize this abuse in the home. Parents should also remain informed and vigilant.

With the rapid development of the IoT, we’re likely to encounter new risks on a regular basis. And until there is a global (or at least national) policy regarding the security specifications of these devices, we are going to have to secure them ourselves.

About the author: Cassie Phillips is a technology blogger at Secure Thoughts who’s passionate about security. She’s very concerned about the effect the rapidly-expanding IoT will have on our privacy and safety.

 

 

Who do you want listening in at your home?

The Wall St. Journal has a note today comparing Amazon’s Echo and Google Home as voice activated, in-home assistants.   This space is fraught with impacts on technology and society — from services that can benefit house-bound individuals, to serious opportunities for abuse by hacking, for commercial purposes, or governmental ones. To put it in a simple form: you are being asked to “bug your house” with a device that listens to every noise in the house.  Of course you may have already bugged your pocket with  a device that is listening for the magic words “hey, Siri” (or the person next to you in the office, train, or restaurant may be carrying that “wire”.)  Robots that respond to “OK Google” or “Alexa” are expanding into our monitored domains. (What to folks named Alexa or Siri have to look forward to in this world?) (Would you name your child “OK Google”?)

The immediate use cases seem to be a cross between control of the “Internet of Things”, and the specific business models of the suppliers; online sales for Amazon Alexa, and more invasive advertising for Google. Not only can these devices turn on and off your lights, they can order new bulbs …ones that blink subliminal advertising messages (uh oh, now I’ve given someone a bad idea.)

From our technology and society perspective we need to look forward to the pros and cons of these devices. What high benefit services might be offered?  What risks do we run?  Are there policy or other guidelines that should be established? …. Please add your thoughts to the list …

Meanwhile I’m trying to find out why my new car’s navigation system keeps trying to take me to Scotland when I ask “Find McDonald’s”.

 

IEEE World Forum on Internet of Things

12-14 December 2016 ; Reston, VA, USA
http://wfiot2016.ieee-wf-iot.org/

IoT: Smart Innovation for Vibrant Ecosystems
“We are literally moving this global work on IoT forward in our collaboration on emerging technologies such as 5G, software-defined IoT, and networked control for cyber-physical systems, as well as the unique applications of the IoT, including the Social Internet of Things, and the IoT as the driver for the co-created smart city. Hot button issues including standards, user-centric security and privacy, and ethics also figure prominently in the WF-IoT program.”
– Geoff Mulligan, WF-IoT 2016 General Chair

The time is now to register to attend the 3rd Annual World Forum on Internet of Things (WF-IoT) to experience industry leading keynote speakers, in-depth technical sessions, industry forum panels, workshops and tutorials, and a Doctoral Symposium. The forum will again convene industry leaders, academics and decision-making government officials from around the world to investigate and discuss aspects of this year’s conference theme, IoT: Smart Innovation for Vibrant Ecosystems.

Internet 3.0?

Steve Case, founder of AOL, has a new book out “The Third Wave: An Entrepreneur’s Vision of the Future“.  As a leader in the “First Wave” (remember dial up modems?… and getting a floppy disk from AOL every month in the mail? — that was SO last millennium) — Steve has some perspective on the evolution of the net.   His waves are:

  1. Building the Internet – companies such as AOL creating infrastructure, peaking circa 2000 (remember the dot-com bubble?)
  2. Apps and Services on top of the net. (the currently declining wave)
  3. Ubiquitous, integrated in our everyday lives — touching everything

This seems to ignore a few major ‘game-changers’ as I see it, including the introduction of the Web and Browsers, Altavista/Google for search, and Amazon for retail. But, that does not diminish the reality of the social impact of whatever Internet Wave we are on at this point.  You might tend to align his assertion with the “Internet of Things”, where very light bulb (or other device) has an IP address and can be managed over the net.  But Steve points to much broader areas of impact:
education, medical care, politics, employment and as promised in his title, entrepreneurial success.

Another way to look at this is “what fields, if any, are not being transformed by networked computing devices?” Very few, even technology that does not incorporate these devices (genetically modified whatever), they depend on networked computer technology at many points in their invention and production.

Steve suggests we need a “new play book” for this emerging economic reality.  I suspect he is only half right.  This was the mantra of the Internet Bubble, where generating income was subservient to new ideas, market growth, mind-share, etc.  What is clear is that it will be increasingly difficult for existing corporations to recognize, much less invest in the innovations that will disrupt or destroy their business. AOL and my past employer, Digital Equipment, are both examples of companies that had failed transitions, in part due to their momentum in “previous generations” of technology. (AOL continues as a visible subsidiary of Verizon, Digital has been subsumed into HP.)  What is happening is that the rate of change is increasing, The challenges associated with this were documented in the 1970’s by Alan Toffler in his book “Future Shock” and it’s sequels, “The Third Wave“, “Powershift” and most recently in “Revolutionary Wealth” (2006).  Toffler’s short form of Future Shock is: “too much change in too short a period of time” — a reality that has traction 50 years later.

What examples of disruption do you see coming? (But beware, it’s the ones we don’t see that can get us.)

Car Reporting Accidents, Violations

In addition to car’s using network connections to call for assistance, here is a natural consequence — your car may notify police of an accident, in this case a driver leaving a hit-and-run situation. My insurance company offered to add a device to my car that would allow them to increase my rates if they go faster than they think I should.  Some insurance companies will raise your rates if you exceed their limit (70 MPH) even in areas where the legal limit is higher (Colorado, Wyoming, etc. have 75+ posted limits).  A phone company is promoting a device to add into your car to provide similar capabilities (presented for safety and comfort rationale.)

So what are the possibilities?

  • Detect accident situations and have emergency response arrive even if you are unable to act — and as noted above this may also detect hit-and-run accidents.
  • Provide a channel for you to communicate situations like “need roadside assistance” or “report roadside problem”.
  • Monitor car performance characteristics and notify user (shop?) of out-of-spec conditions
  • Using this same “diagnostic port”, taking remote control of car
    • Police action – to stop driver from escaping
    • Ill-intended action, to cause car to lose control

So, in line with the season, your car  is making a list, checking it twice and going to report if you are naughty or nice —

====

One additional article from the WSJ Dec. 10th on the Battle between car manufacturers and smartphone companies for control of the car-network environment.  The corporate view, from Don Butler, Ford Motor’s Director of Connected Vehicles: “We are competing for mind-share inside the vehicle.”  Or as the WSJ says, “Car makers are loath to give up key information and entertainment links… and potentially to earn revenue by selling information and mobile connectivity.”  In short, the folks directing the future of connected vehicles are not focusing on the list of possibilities and considerations above.

 

Toys, Terrorism and Technology

Recent attacks on citizens in all too many countries have raised the question of creating back-doors in encrypted communications technology.  A November 22 NY Times article by Zeynep Tufekci: “The WhatsApp Theory of Terrorism“, does a good job of explaining some of the flaws in the “simplistic” – government mandated back-doors. The short take: bad guys have access to tools that do not need to follow any government regulations, and bad guys who want to hack your systems can use any backdoor that governments do mandate — no win for protection, big loss of protection.

Toys? The Dec. 1 Wall Street Journal covered: “Toy Maker Says Hack Accessed Customer Information“.  While apparently no social security or credit card data was obtained, there is value in having names – birthdates – etc for creating false credentials.  How does this relate to the Terrorist Threat?  — two ways actually:

  1. there are few, if any, systems that hackers won’t target — so a good working assumption is someone will try to ‘crack’ it.
  2. technologists, in particular software developers, need to be aware, consider and incorporate appropriate security requirements into EVERY online system design.

We are entering the era of the Internet of Things (IoT), with many objects now participating in a globally connected environment.  There are no doubt some advantages (at least for marketing spin) with each such object.  There will be real advantages for some objects.  New insight may be discovered though the massive amount of data available  – for example, can we track global warming via the use of IoT connected heating/cooking devices? However, there will be potential abuses of both individual objects (toys above), and aggregations of data.  Software developers and their management need to apply worst case threat-analysis to determine the risks and requirements for EVERY connected object.

Can terrorists, or other bad guys, use toys? Of Course!  There are indications that X-Box and/or Playstations were among the networked devices used to coordinate some of the recent attacks. Any online environment that allows users to share data/objects can be used as a covert communications channel.  Combining steganography and ShutterFly,  Instagram, Minecraft,  or any other site where you can upload or manipulate a shareable image is a channel.  Pretending we can protect them all is a dangerous delusion.

Is your employer considering IoT security?  Is your school teaching about these issues?

 

Auto(mobile) hacking – is it just a myth?

Scientific American ran a “Technofiles” piece  trying to debunk the idea that cars can be hacked.  The online version corrects errors made in their November 2015 issue where the variation of the article overstated the time required, understated the number of potentially ‘at risk’ cars, and mis-stated the proximity required to accomplish the feat.

This has been a topic here before – so I won’t repeat that perspective.  However, I will copy my reply to the article posted on the Scientific American web site, since I think that this effort to dismiss the risk does a poor service to both the public, and to the industry that needs to give serious consideration for how they manage software and communications that can affect the health and safety of consumers.

David, et al, are not getting the message.
Yes, some of the details are wrong in David’s article (I guessed they were without being party to the Wired article) … also wrong is the “Internet” connection required assumption — external communications that can receive certain types of data is all that is required. (OnStar does not use the Internet) and the “premium savings” device advocated by my insurance company (“oh no, our folks assure us it can’t be hacked”) connects to the diagnostic port of the car (i.e. ability to control/test all aspects of operation) and is cell-phone connected to whomever can dial the number.
This is not model specific since all OnStar and after-market components span multiple models and multiple suppliers. This is not internet specific, but truly remote control would require either the cellular or internet connectivity (WiFi and Blue tooth, which are also likely “bells and whistles” are proximity limited.)
This does not require purchasing a car… they do rent cars you know. And to the best of my knowledge no automobile manufacturers have licensed software engineers reviewing and confirming a “can’t be done” — even if they did patch the flaw that the U.S. DoD/DARPA folks exploited for Sixty Minutes. — Until 9/11 no one had hijacked a commercial jet to destroy a major landmark before, so the lack of examples is not a valid argument. We have multiple proofs of concept at this point, that significantly reduces the cost and time required to duplicate this. There are substantial motives, from blackmail to terrorism (a batch of cars, any cars – terrorists don’t need to select, going off the road after a short prior notice from a terrorist organization would get the front page coverage that such folks desire.) The issues here, including additional considerations on privacy, etc. are ongoing discussions in the IEEE Society for the Social Implications of Technology … the worlds largest technical professional society (IEEE)’s forum for such considerations. see http://ieeessit.org/?p=1364 for related postings”

I’m not sure the editors will “get it” … but hopefully our colleagues involved in developing the cars and after-market devices can start implementing some real protections.

A question for a broader audience: “How do cell phone or internet based services (such as On-Star) affect your potential car buying?”

IoT and Healthcare

The July/August Issue of IEEE Internet Computing is focused on applications in Heath care for the Internet of Things (IoT).  This morning, when I hit the Google.com home page, it had a birthday cake — and on “hover” – it wished me a “Happy Birthday Jim” — just in case you were wondering if your Google entry page might be customized for you — the answer is “yes”.   How do these two statements intersect? In some (near term?) future, that page may have suggested I needed to visit a doctor – either because I was searching a combination of symptoms, or because the sensors surrounding me (my watch, cell phone, etc.) indicated problematic changes in my health (or some combination of data from such diverse sources.)

Of course this might be followed by a message that my health insurance was being canceled, or my life insurance.

As this Internet Computing issue points out, there are many benefits to be gained from having a network of sensors that can continuously monitor and provide feedback on health data. The first paper addresses barriers — legal, policy, interoperability, user perspectives, and technological.  The second paper focuses on “encouraging physical activity” and the third paper considers “quality of life (QoL)” (physical health, psychological, social relationships and environment (financial, safety, freedom, …)) It is evident that IoT and health care have many points of overlap – some intended (monitoring devices) and some unintended (search analysis) — and all with significant personal and social impact considerations.

Besides my ingrained paranoia (will Google automatically apply for my retirement beneifts and direct the checks to their accounts?) and delusional optimism (“Your financial QoL is below acceptable norms, we have transferred $1 million into your accounts to normalize this situation – have a good day”) there are pros and cons that will emerge.

What issues and opportunities do you see?

Employee Cell Phone Tracking

An employee in California was allegedly fired for removing a tracking APP from her cell phone that was used to track her on-the-job and after-hours travel and locations.  The APP used was XORA (now part of Clicksoft).
Here are some relevant, interesting points.

  • Presumably the cell phone was provided by her employer.  It may be that she was not required to have it turned on when she was off hours.
    (but it is easy to envision jobs where 24 hour on-call is expected)
  • There are clear business uses for the tracking app, which determined time of arrival/departure from customer sites, route taken, etc.
  • There are more intrusive aspects, which stem into the objectionable when off-hours uses are considered: tracking locations, time spent there, routes, breaks, etc. — presumably such logs could be of value in divorce suits, legal actions, etc.

Consider some variations of the scenario —

  1. Employee fired for inappropriate after hours activities
  2. Detection of employees interviewing for other jobs,
    (or a whistle blower, reporting their employer to authorities)
  3. Possible “blackmail” using information about an employees off hour activities.
  4. What responsibility does employer have for turning over records in various legal situations?
  5. What are the record retention policies required?  Do various privacy notifications, policies, laws apply?
  6. What if the employer required the APP to be on a personal phone, not one that was supplied?

When is this type of tracking appropriate, when is it not appropriate?

I’ve marked this with “Internet of Things” as a tag as well — while the example is a cell phone, similar activities occur with in-car (and in-truck) monitoring devices, medical monitoring devices, employer provided tablet/laptop, and no doubt new devices not yet on the market.