Is your refrigerator spying on you?

Updated: 2015-10-13 08:47

By Sylvia Chang (HK Edition)


The network of embedded daily objects, or the Internet of Things, could be landing us in real trouble. Sylvia Chang investigates.

There's been a lot of talk these past few years about the coming of the "Internet of Things" (IoT), an idea that will see technologies become so integrated even your toaster will be online. But already, experts are warning, that kind of integration poses new threats, potentially dangerous, even deadly.

A cautionary note on similar lines set the tone for Agnes Mak's address. The executive director of the Hong Kong Productivity Council was speaking at a two-day information security summit at the end of last month.

Earlier this month, the century-old international think tank Chatham House released a report. Nuclear power stations connected by virtual private networks (VPN) are hackable, it warned. The report goes on to say that there is a distinct possibility of "serious cyber attacks", capable of releasing deadly radiation into the atmosphere.

If that isn't scary enough, on a personal security note, your television set, smart phone, kitchen appliances and even your laundry equipment are potentially capable of recording your personal details concerning likes, dislikes, times when you're likely to be at home, and even your most intimate personal details. In August, online dating service Ashley Madison was attacked by hackers, who then released customer data, including e-mails, names, home addresses, sexual fantasies and credit card information. The Ashley Madison clients, thus exposed, include important government officials, lawyers and high-ranking military officers. It was reported that two people committed suicide after their private information was disclosed.

Cyber security expert Joseph Steinberg wrote in Forbes Magazine, "Miss Teen USA was allegedly blackmailed by a hacker who took control of her laptop's webcam and photographed her naked when she thought the camera was not on." It was also reported that hackers used an online refrigerator to set off vicious e-mail attacks.

Open and uncontrolled

"Various types of data, including personal data, transaction data and environmental data of critical systems, are being transferred across the relatively open and uncontrolled Internet. Any error or breach of the systems may include physical damage to connected systems or affect our well-being or even survival," Mak told the assembly in late September.

The IoT consists of any objects with embedded systems, connected to the World Wide Web. The scope already includes mobile technologies; wearable devices that monitor and manage health risks; household appliances, including TV modems, air conditioners and doors; and industrial control systems such as water supply and power generation.

Hikohiro Yen P. Lin, who manages the incident response section overseeing product security at Panasonic Corporation, presents three phases of the IoT evolution within Panasonic. First was the "rising phase" between 2002 and 2005, when products were equipped with basic IoT online connectivity. Systems became more complex during the evolutionary phase between 2005 and 2010. Functionality between these appliances became more integrated, allowing online devices to "talk to each other", as the saying has it. Since 2010, and progressively into the future, cloud integration poses the threat that hackers may be able to intrude into everything.

"Everything will be connected into the same world," emphasizes Lin. "The application of IoT will expand to various realms, ranging from medicine, public services and transportation, to community infrastructure and retail selling," he adds.

With the expansion of IoT applications, however, the risk of attacks has expanded to include any device connected to the online network, by opening the door to unauthorized access. "In the near future we are very sure that attackers will hack IoT devices," Lin warns.

"Imagine that our rice cooker is going to attack the Pentagon," Lin remarks, by way of illustration. When a rice cooker is connected to the Internet and is "vulnerable" to attack, Lin continues, it can send a data packet to target the Pentagon, as long as the (Pentagon's) IP address is known to the hacker. By vulnerable, Lin refers to the entire spectrum of insecurities previously acknowledged on the Internet. These include insecure Web interfaces, inadequate authorization protocols, insufficient security configuration, insecure software, and lack of encryption.

Widely discussed Internet vulnerabilities include denial-of-service (DoS) attacks, which occur when hackers take control of thousands of online computers, without the owners' permission or even knowledge, and direct those computers to call a single website, overloading its capacity until it crashes.

Potentially lethal

"IoT products are much easier to attack," Lin adds. The reason is that vendors of hardware and software and end users of those products are not well-educated enough on how important data security really is. The consequences of not knowing could be severe, Lin warns. "It's not as simple as stealing information but it may lead to life-threatening dangers."

He illustrates his point by imagining a situation in which "the air conditioner in one's home is connected to the Internet and can be remotely controlled from outside". If it were "reset to a high temperature during hot summer", deliberately or otherwise, and the family dog happened to be there, the dog could come to serious harm.

Companies developing new technology for the trend toward the IoT are researching new ways to handle security issues. ZoomEye, a search engine for cyberspace designed by Beijing Knownsec Information Technology Company Ltd, monitors the security status of IP addresses and Internet services.

"ZoomEye supports both the Web fingerprint and the device banner," states the overview on the company website. The main page of the search engine shows a world map, against a black background. The engine tracks global, real-time Internet search activity. When the ZoomEye engine detects any Internet search, a small blue dot appears on the world map, like an eye monitoring the darkness of space, or rather, devices in the "cloud".

Anthony Lai, general manager in charge of the Hong Kong and Macao market for Knownsec, uses ZoomEye to demonstrate how a device having no security protection may be easily attacked.

"With an (available) IP address or simply by tapping in the brand name of a device, you can find any data related to the device," Lai says. He demonstrates his claim by keying in the name of a well-known manufacturer of computer printers.

Hundreds of IP addresses of companies using that brand of printer pop up on the screen, along with their locations, serial numbers, port information and Web service. By clicking on each address, more detailed information is revealed, including the printer status, ink level, wireless network status, the host name, setup information, etc.

Dangerous connections

"These devices are all connected to the Internet, but they're out of protection," Lai says. "You can easily change any of their settings," he says, as he remotely orders a printer test on a device located in Canada.

"The person using this device will find a test paper being printed and wonder if something might be wrong with the printer," Lai giggles. This is only a typical example of how hackers may create chaos remotely.

"If the hacker is skillful enough, he can take full control of the printer." The hacker could acquire complete data from the printer and then manipulate it. "And if this (data) affects the company's privacy, it could cause a lot of damage to that company."

Other examples, as Lai demonstrates, include lighting systems, online routers, international direct dial devices and the operating devices of power plants.

"From spying on a family to scamming on the phones and stealing confidential information from a government or an enterprise, a hacker could do any level of damage to vulnerable devices connected to the Internet," Lai says.

Statistics revealed by the Hong Kong Police Force show the number of local security crimes increased by 30 percent from 2013 to 2014. In 2014, security crimes resulted in losses of HK$1.2 billion. In the first eight months of this year, the number of incidents handled by the Hong Kong Computer Emergency Response Team Coordination Centre, under the Hong Kong Police Force, has risen again, by 38 percent compared to the figures for the same period last year.

At Panasonic the security team continues taking steps to reduce the risk of attacks, says Lin. "From planning and designing to product testing and after-sales service, through inspection and removal, maintenance and improvement, we try to respond throughout the lifecycle of our products."

"I believe we should all, vendors included, gather to discuss and develop new approaches to protect security of the Internet of Things," Lin proposes. "We just want to secure the lives of our customers."

Contact the writer at sylvia@chinadailyhk.com


(HK Edition 10/13/2015 page10)