I’m just re-stating the obvious. But I think it’s worth re-stating because most of you are not cyber security researchers by day and may not remember the many reported examples of security and privacy violations over the years.
Let me paint you a picture, starting with the smart devices we willingly invited into our homes in recent years — Amazon Alexa, Google Home, and Apple HomePod with Siri. Indeed it is convenient to be able to ask “Alexa, what’s the weather today?” in the mornings, or “OK, Google, how many feet in a mile?” But are these cool, little conveniences worth the privacy tradeoffs? Oh, you didn’t know these smart assistants were constantly sending data to the cloud, in addition to listening to you all the time? Of course, these devices have to send some data to the cloud in order to return responses, but that should happen only after you activate it with your hot word. And all of that assumes the devices are working properly, and not hacked.
- Google Home Mini caught recording everything and sending all the data to Google
- Google Defends Listening to Private Conversations on Google Home
Assuming you’re comfortable with Amazon, Google, and Apple listening to you in your home all the time, let’s take a look at other devices you may have brought into your home — connected security cameras, speakers, light bulbs, refrigerators, televisions, photo frames, microwave ovens, bathroom scales, toothbrushes (yeah, there are connected toothbrushes), etc. — collectively known as the Internet of Things (IoT). Are they all honoring your privacy? Or are they collecting and sending data about you to the cloud, or worse, to servers in foreign countries? How would you even know?
Well, now we know, through some documented examples of privacy faux pas. Within the last week, we saw Xiaomi home security cameras “accidentally” sending video feeds to strangers’ Nest Hubs. They called it a “bug” — oopsies! Perhaps Vizio and Samsung smart TVs listening to your conversations were not oopsies; those were features! Further, we’ve seen repeated, documented examples of Ring camera hacks, where hackers gained access to video feeds inside and outside the home and in one-case, the hacker told an 8-yr old girl he was Santa Claus. Smart lightbulbs have been shown to leak Wi-Fi passwords and smart plugs have been documented being used as a jumping off point for hackers to get into your home or office networks. These security issues are not new at all. Everyone has heard of the examples of hacking home networks via connected printers, which have been around a lot longer than IoT devices.
- Many examples of Amazon Ring Camera hacks
- Security Vulnerability in Smart Electric Outlets (Belkin Wemo)
Are you still comfortable that a wide variety of IoT devices have been documented to have security “flaws?” What if I showed you some more examples of low-cost Android devices coming with pre-installed malware, bloatware, adware, or worse.
- 2019 – Xiaomi – https://www.andmp.com/2019/04/xiaomi-url-spoofing-w-ssl-vulnerability.html
- 2018 – ZTE, Honor, OPPO, Huawei https://www.engadget.com/2018/05/24/report-finds-android-malware-pre-installed-on-hundreds-of-phones/- and https://www.express.co.uk/life-style/science-technology/933477/Android-warning-smartphone-malware-Samsung-Huawei
- 2017 – BLU – https://www.theverge.com/2017/7/31/16072786/amazon-blu-suspended-android-spyware-user-data-theft
- 2016 – ZTE, Huawei – https://www.cyberscoop.com/android-malware-china-huawei-zte-kryptowire-blu-products
- 2015 – Xiaomi, Huawei, Lenovo, Alps, ConCorde, DJC, Sesonn and Xido – https://www.pcworld.com/article/2978120/bought-a-brand-new-phone-it-could-still-have-malware.html
Note that malware or adware that is pre-installed by the manufacturer cannot be uninstalled; also, it may not be detected by anti-malware software, and it basically has administrative access to everything on your device. Do you still think these are “flaws” or “bugs” and do you believe the manufacturers of these devices when they claim “oopsies, we didn’t know?”
Consider the following graphic, that shows you what your devices “know” about you — including passwords, credit card numbers, social security numbers, etc.