For millions of people, a big part of the holidays is unwrapping presents. But as you loosen the ribbon and peel back the colorful paper, know that others may also get a gift — the ability to hack into your life.
Computers are common in products of all kinds. Processors regulate cars. Chips make toys talk and react. Miniature speakers and music players turn paper greeting cards into audio devices. The newest angle is putting all manner of products online in the so-called Internet of Things. Companies and consumers can monitor devices and even control them with the promise of great convenience.
Unfortunately, many of these products, including some you might get or give as a present, open doors for someone to wreak havoc. Hacked digital video recorders and home security cameras helped power a massive Internet outage in October through a so-called distributed denial of service attack, according to security journalist Brian Krebs. A similar attack, early in November, shut down the central heating in at least two blocks of apartments in the city of Lappeenranta, in the southeast of Finland, where it's currently a cold winter.
"[T]oasters and DVRs are behind the [heating outage] and this is going to get worse before it gets better," David Cox, CEO of virtual private network provider LiquidVPN, told The Fiscal Times.
Consumers can also become individual targets. The Internet connection for many products has less security than computers, tablets and smartphones typically do.
"All it takes is one [design] screw-up for an attacker to find a [common security] flaw on an IoT device," said Jeff Williams, co-founder and CTO of security software vendor Contrast Security. "You can direct them to do things they weren’t intended to do, like heat the house to 120 degrees, or burn the toast, or drive the car through the back of the garage." An attacker might also ride the connection back to the smartphone app that controls the device and see what personal information is available on the phone.
"What makes IoT devices problematic is that they are almost never patched [with security updates] and are run by users who probably have little to no security savvy," said Tom Byrnes, CEO of security vendor ThreatSTOP. "The manufacturers of these devices have a low-cost, high-volume model, and so keeping them up to date is not part of their business plan."
Some devices also employ dangerous practices, like using the same password for access without the ability for a consumer to change it. Attackers who learn the password for one device get it for all.
Here are five connected gift categories that could cause a problem.
Some toys are connected to a cloud service, which lets them simulate conversation with kids. Last year, BlueBox Security and independent researcher Andrew Hay found it was possible to intercept communications between a child and a Hello Barbie. Mattel was reportedly responsive and worked with researchers to fix security flaws, but that doesn't mean the next popular toy will be secure. And if you can track the location of your child's teddy bear, and your child, someone else might be able to as well.
Baby monitors are audio and video communication devices. Many have security weaknesses that allow outsiders to listen in. The issue has been known for years. To demonstrate the danger, hackers have been known to redirect video feeds to websites and to broadcast music and audio messages to the parents over the monitors. In one case, someone played the Police song “Every Breath You Take” followed by sexual sounds over the monitor.
Last year, security experts proved that a refrigerator that could display your Gmail calendar could inadvertently give someone access to your password. A slow cooker or coffee maker that can be controlled from a smartphone has made it possible for thieves to steal photos from the phone or even grab location-tracking information. That’s your location.
That's one great gift, with a great big potential issue. Put self-driving vehicles aside for a moment. Not only have hackers remotely disabled a Jeep on the highway (the driver in that case was part of an experiment), but they have also demonstrated that they could pull off other actions, like causing acceleration, slamming on the brakes or turning the steering wheel. The new attacks can't work on Jeeps over the Internet — Chrysler listened and fixed those problems — but that doesn't mean they couldn't work on some other model.
More and more people are flying drones, whether for the fun of remotely controlling them, for photographic projects or for commercial use. But there is little in the way of security standards for the devices. An IBM security researcher showed that with less than $40 in hardware, he could take over a police drone from almost 1.5 miles away. He was able to start the engines, have the drone take off, take control of the camera and potentially crash the device. And that was with a sophisticated drone that cost $21,000. Cheap consumer devices are unlikely to be better protected.