'Even a Barbie has the ability to spy on you' - cybersecurity expert

Household items like digital recorders and webcams were used in last weekend's huge cyberattack. Our reporter looks at the dark side of the rapidly expanding and entirely unregulated 'Internet of Things'

John Meagher

Homes under attack: Hackers are turning Wi-Fi connected gadgets into veritable weapons in the cyberwars
Warning: Leading cybersecurity expert Paul C Dwyer. Photo: Tony Gavin

It was a cyberattack that may spell the shape of things to come. Last Friday, several of the world's leading websites, including Facebook, Twitter and PayPal, were disabled. Spotify, The New York Times and the Guardian were also affected in an outage that was mainly felt along the US east coast, but also in parts of Europe.

All are customers of Dyn, an infrastructure company in New Hampshire that acts as a switchboard for internet traffic. What made this particular attack remarkable was that the hackers used everyday devices like webcams and digital recorders.

Rather than prey on desktop computers and laptops, they had targeted the sort of 'smart' devices that have become increasingly commonplace in our homes. It captured the popular imagination because it illustrated the security vulnerabilities of all those Wi-Fi connected TVs and video cameras, fridges and weighing scales, that have fuelled so much of the consumer spend this decade.

Put simply, such gadgets - and many others set to be snapped up this Christmas - can be vulnerable to viruses and malicious software that can turn them into veritable weapons in the cyberwars. And all without their owners' knowledge.

Last weekend's attack saw hundreds of thousands of hacked devices being exploited to jam and take down internet services. Hackers used internet-connected devices that had previously been infected with malicious code, forming a remotely controlled network of compromised machines known as a 'botnet', to mount an especially potent distributed denial of service (DDoS) attack.

The aim of a DDoS attack is to overwhelm an online service with traffic from multiple sources, rendering it unavailable. In layman's terms, it's the equivalent of calling every phone in an office building simultaneously. Dyn said attacks were coming from millions of internet addresses, making it one of the largest attacks ever seen.

If it was a surprise to the general public, there was no shock for Conor Flynn, a leading cybersecurity expert.

"We've been banging the drum about this for a number of years," he says. "Many of these consumer devices don't have the correct protections in place. There's been a rush to create smart products, as inexpensively as possible."

It is, for now, an entirely unregulated market.

And it's a market that is growing rapidly. The clunky descriptor, Internet of Things (IoT), came into the vernacular less than 10 years ago but now it's estimated that there are in the region of 6.5 billion such devices worldwide.

Flynn, MD of Information Security Assurance Services, says that while many of these products help to make our lives better, they can be all too vulnerable to being hacked.

"People go into high-street retailers and buy big-name products and assume there won't be a problem with security, but that's not a good assumption to make."

Not that many consumers give such detail a second thought. In his experience, there's widespread ignorance about how easy it can be for IoT devices to be abused in the wrong hands.

It's a sentiment echoed by Paul C Dwyer, MD of Cyber Risk International.

"There are search engines," he says, "where you can look up details of your neighbour's video cameras. It doesn't take great technical know-how to be able to hack into someone else's devices."

Amateurs are already taking an interest in easily compromised hardware: computer programmer John Matherly runs a controversial search engine, Shodan, which indexes thousands of completely unsecured web-connected devices.

The US hack-attack demonstrated just how vulnerable we have become thanks to unregulated technical progress.

"The Internet of Things has become everything you can think of," Dwyer says. "Cat-litter trays, baby-cams, fridges, coffee makers... the list goes on. People buy them and don't think about their capabilities or how connected they are.

"The internet was designed as a resilient network," he adds, "but not a secure one. These latest attacks highlight the vulnerability and dependency we have on the internet in today's world."

Dwyer believes we're only in the infancy of how IoT can play a part in the hackers' warfare and says it's expected that a quarter of all cyberattacks will involve such devices by 2020.

Cybersecurity specialist Brian Honan of BH Consulting says Samsung TVs are a case in point.

"Their privacy policy basically says it can share anything you say with a third party. Google it. It's effectively a case of your TV listening to you."

According to the Korean giant's user policy, if purchasers of its smart TVs opt to use the voice-recognition feature, their spoken words - including anything of a sensitive nature - can be passed on to a company, Nuance, which specialises in voice recognition.

"Please be aware," reads its policy, "that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through voice recognition."

Trevor Timm, director of the US-based Freedom of the Press Foundation, points out that several other gadgets and devices boast similar capabilities. "While Samsung took a bunch of heat, a wide array of devices now act as all-seeing or all-listening devices, including other television models, Xbox Kinect, Amazon Echo and General Motors' OnStar program that tracks car owners' driving patterns.

"Even a new Barbie has the ability to spy on you," he adds. "It listens to Barbie owners to respond but also sends what it hears back to the mothership at Mattel."

Honan says burglars of a more sophisticated hue have attempted to hack into cameras in order to help them with robberies, and their cause can be helped by the fact that consumers sometimes neglect to change the default password to one of their own.

That was partly the case in the US last weekend, although Conor Flynn points out that several of the products had in-built passwords that could not be altered by the consumer. Some of these have now been subject to a recall by their manufacturers.

He says the EU's General Data Protection Regulation (GDPR) will help to regulate the industry when it comes into effect in May 2018, but in the meantime, products are coming on the market that have the potential to be easily hacked. "In some respects, what happened in the US was bland in terms of outcome, but it shows what can be done."

And it's not just hugely disruptive hacks that concern him. On a micro level, people are leaving themselves vulnerable to crime thanks to their dependence on smart products. "Cameras can easily be taken control of," he says, "and in some cases, the hacker can access the PTZ [pan, tilt and zoom capability] to enable them to 'look around'."

The irony, he points out, is that the very tool people believe is keeping them safe and secure can - in the wrong hands - be turned against them.

In what sounds like the stuff of an Orwellian nightmare, many seemingly benign products that we buy to entertain us, keep our fitness on track or simply make coffee, could yet be used to spy on us. Earlier this year, the head of US intelligence, James Clapper, admitted that such smart devices could prove invaluable to certain agencies, presumably the CIA.

"In the future, intelligence services might use the Internet of Things for identification, surveillance, monitoring, location tracking, and targeting for recruitment," he said in congressional testimony in February.

His words echo those of Gus Hunt, the CIA's chief technology officer: "You're already a walking sensor platform. As you walk around - and remember, I told you mobile is not secure - you are aware of the fact that somebody can know where you are at all times because you carry a mobile device - even if that mobile device is turned off. You know this, I hope. Yes? No? Well you should...

"You guys know the Fitbit, right? We like these things. Just simply by looking at the data, what they can find out is with pretty good accuracy - what your gender is, whether you're tall or you're short, whether you're heavy or light, but what's really most intriguing is that you can be 100pc guaranteed to be identified by simply your gait - how you walk."

Meanwhile, it is still not known who was behind last Friday's attack, although a tweet from WikiLeaks implied that some of its supporters may have been responsible. Others believe the attack may have been orchestrated by a country keen to cause disruption in the West. One of the world's foremost security experts, Bruce Schneier, last month wrote that "China or Russia" was "learning how to take down the internet".

He claimed "a large nation state" had been testing increasing levels of DDoS attacks against unnamed core internet infrastructure providers in what seemed like a test of capability.

What's certain, Conor Flynn believes, is that there will be new and more severe cyberattacks. "It's not a case of if, but when. There aren't many certainties in life, but that's one, unfortunately."

Conor Flynn and Brian Honan will be among the speakers at the inaugural cybersecurity conference, Dublin Info Sec 2016, at the RDS, on November 15.


Short history of hack attacks

1988: The Morris Worm was one of the first computer viruses spread through the embryonic internet

1998: The 'Solar Sunrise' attack on the US government was thought to be the work of Iraqi operatives but turned out to be three Canadian teenagers

1999: Jonathan James, a 15-year-old schoolboy, caused embarrassment when he hacked NASA and the US Defence Department

2000: Another 15-year-old, Michael Calce, aka MafiaBoy, caused an estimated $1bn worth of damage when he unleashed a DDoS attack on Amazon and CNN

2008: The Anonymous group hacked the Scientology website, causing it to be down for several days

2009: Miami hacker Gonzalez was responsible for one of the biggest fraud cases in US history when he stole millions of credit card details after hacking the payment networks of companies including 7-Eleven