Future Crimes

by Marc Goodman

  Once your house goes fully online, there’s no reason to think hackers won’t consider it a viable target, and all evidence suggests they are already actively working on it. Each attacker will have his or her own motivation—the neighbor kid you told to get off your lawn, the ex-boyfriend with a jealous streak, the Peeping Tom who saw you once at the grocery store, or the foreign government intent on exploiting cyber-espionage capabilities. For Crime, Inc., however, it’s mostly about the money, and it will exploit weaknesses in your home’s IoT devices to gain access to valuable data stored on your network or for the purposes of everyday burglary. Oh, and remember CryptoLocker—the ransomware that seizes control and locks laptops and mobiles by encrypting them? Well, you can expect the digital underground to sell crimeware tool kits that lock you in or out of your home, forcing you to pay a Bitcoin ransom to get your house up and running again.

  Your kids may face similar threats while “playing house.” Major toy makers, such as Disney and Mattel, are already studying the IoT, and there are a slew of Wi-Fi-enabled dolls, stuffed animals, and miniature robots coming your way in this “Internet of Toys.” But toys too can be subverted, and at least one, the Karotz plastic interactive bunny, which can be controlled by a smart-phone app and includes a camera, microphone, and RFID chip, has been hacked, allowing an attacker to conduct video surveillance on your kid.

  Other technologies, including the 135-year-old lightbulb, are getting their IoT makeovers, and systems such as the Philips Hue LED lighting system allow consumers to turn lights on and off from their smart phones. They also allow hackers to turn off your lights by exploiting a known security flaw in the Philips system, which is troubling given the obvious link between lighting and physical security. Additional systems, such as the LIFX energy-efficient smart lightbulb, actually leak your home’s Wi-Fi router password once plugged into a lamp, exposing it to any hacker who merely queries the “master bulb” on your home network. Lamps and lightbulbs can also have back doors built into them, similar to the Chinese irons discovered in Russia. In early 2014, hackers created an eavesdropping lamp capable of live tweeting your private conversations. The device, known as Conversnitch, costs less than $100 and resembles a standard lightbulb; the only difference is this one has a hidden microphone that listens in on all nearby chats. To prove a point, the creators of the device recorded a video showing themselves easily placing Conversnitch devices in libraries, offices, McDonald’s restaurants, and a bank branch—all without any interference or notice from company personnel—foreshadowing a powerful new IoT tool for industrial espionage.

  As smart devices proliferate, they will be controlled by centralized home automation gateways, the majority of which have already been compromised, allowing hackers to take over all the devices on your local network. It’ll be like Nightmare on Connected Home Street. Though we might sleep better at night believing we’re safe and sound in our IoT-enabled homes, home invasion 2.0 is way easier than you might expect, as proved by the Forbes reporter Kashmir Hill. While working on a story about the IoT, Hill merely Googled the term “smart homes” and was able to quickly uncover eight families using the popular Insteon home automation system, which controls appliances such as “lights, hot tubs, fans, televisions and garage doors.”

  Because Insteon did not require a user name or password and allowed its products to become crawlable by search engines, the Forbes reporter was able to find them without difficulty—yes, people can now Google your smart refrigerator and communicate with it from afar. Hill then contacted the innocent parties in question, introduced herself, and said, “I can see all of the devices in your home and I think I can control them.” She asked if she had their permission to give it a try, and freaked-out homeowners thousands of miles away reluctantly agreed as the reporter easily commandeered their appliances. The Insteon Hub was not alone, and a 2013 study found hackers were able to easily break into 80 percent of all the smart home hubs commonly available, including the VeraLite Controller, which is compatible with over 750 smart home products.

  The number of vulnerabilities in home automation systems is so great that the Department of Homeland Security’s Computer Emergency Readiness Team was forced in 2014 to issue a public alert to 500,000 users of Belkin’s popular WeMo smart home device, identifying five separate vulnerabilities in the product. The warning noted a “remote unauthenticated attacker may be able to sign malicious firmware, relay malicious connections, or access device system files to potentially gain complete access to the device.” DHS added, “We are currently unaware of any practical solution to this problem.” A report into the incident noted that “once an attacker has established a connection to a WeMo device within a victim’s network[,] the device can be used as a foothold to attack other devices such as laptops, mobile phones, and attached network file storage.” The last admonition is an important one. Hackers are not going to try to break into the most secure device on your network, such as a locked-down encrypted laptop using a software firewall. Instead, they will always go for the weakest link, the trusted WeMo Internet-enabled coffeepot on your home network, the one with inadequate or absent security protocols. Once they’ve compromised the coffeepot, they’ve broken the virtual Maginot Line perimeter of your network: from there it’s just a hop, skip, and jump to infect and attack the more secure and profitable devices in your home.

  One of the most common online objects in many homes and businesses is the security alarm system, and more than thirty-six million Americans rely on such systems to keep themselves and their families safe. But whether it’s the simple door sensors or the keypads, they too are readily hackable, just as we’ve seen in all those Hollywood Mission Impossible movies. The majority of the alarm systems, including those from companies like ADT and Vivint, used legacy wireless communications protocols from the 1990s that fail to encrypt or authenticate their transmission signals. As a result, the cameras that are meant to protect can be turned against their owners to spy on their activity, and the alarms can be suppressed so that they fail to go off when an intruder enters the home.

  It’s not just older alarm systems that are vulnerable; newer IoT radio communications protocols such as Z-Wave can also be hacked, which is troubling, given that there are 160 manufacturers using the protocols, in use at thousands of companies, such as Las Vegas’s Wynn hotel, which has deployed sixty-five thousand Z-Wave devices throughout its guest rooms. Hilton Hotels too announced that it would allow guests to use their smart phones as keys to unlock their rooms at four thousand hotels worldwide by the end of 2014. As more and more home front door locks and dead bolts go online, they may be opening their doors to home invasion 2.0. Crooks will now be able to hack open your front door from their smart phones and kill your panic alarms, ensuring that in these homes nobody will hear you scream.

  Not only can centralized home automation hubs be attacked, but so too can individual “smart” devices such as televisions. Indeed, numerous reports indicate that as you sit there watching your smart TV, it may be watching you right back. The majority of mid- and high-range televisions today are IoT compatible and come preloaded with apps such as Netflix, Skype, Facebook, and Hulu, not to mention embedded cameras, microphones, and USB ports. Worldwide nearly ninety million smart TVs were sold in 2013, and soon legacy “dumb” TV sets will be hard to find, a potentially troubling trend for those who value privacy and security. Many brands have been found to contain security vulnerabilities, such as Samsung Smart TVs, which allowed hackers to remotely turn on the built-in camera meant for Skype calls and surreptitiously snap photographs and watch viewers in their living rooms and bedrooms.

  The hackers were also able to steal the log-in credentials and account details stored on the Samsung TV’s smart apps to take control of users’ Facebook and other social media accounts. For those unsuspecting consumers who had also used the TV’s USB port to attach an external hard drive so as to be able to stream music and video directly to their televisions, there was another nasty surprise. Hackers were able to view, download, and erase those files via the TV, bad news for those who store any financial details or personal documents on their external hard drives. These additional in-home connections open users up to a Mat Honan–style attack where precious photographs and other data stored locally can be remotely erased by those with ill intentions.

  Crime, Inc., just like Silicon Valley, is experimenting with the best ways to monetize the Internet of Things and, in doing so, has updated its tried-and-true tactics for the era of ambient computing. In early 2014, hackers commandeered over 100,000 everyday “smart” objects—including home routers, burglar alarms, Webcams, multimedia boxes, and refrigerators—and united them to create the first-ever home appliance botnet. The attackers used the devices to send more than “750,000 malicious spam and phishing emails,” each one meant to turn a profit for Crime, Inc. Refrigerator spam (the nonedible kind) is troubling enough, but it is important to recall that smart devices are full-fledged computers and once compromised can do everything a hacked desktop can, from hosting child pornography to flooding targeted Web sites with vast volumes of useless data. Linking one million of today’s computers into a botnet army is bad enough, but adding the next fifty billion smart objects to the Net, each with poor or no security, will open up phenomenal opportunities for offensive computing attacks.

  Botnets will grow in size from millions of compromised machines to potentially billions, bringing with them new forms of WMD—weapons of mass disruption. Using these cyber arms, Crime, Inc. will have powerful new tools in its arsenal to extort businesses and individuals alike, keeping them off-line until a “tribute” is paid in Bitcoin. The computing power embedded in smart objects scattered throughout your home and office can be profitable to criminals in other ways as well. In early 2014, researchers discovered tens of thousands of Internet-enabled DVRs that had been hacked with the Linux.Darlloz worm to use their processing power to mine for cryptocurrencies such as MinCoins and Dogecoins. In doing so, hackers can keep your appliances running at full speed, generating virtual currencies for them while sticking you with the electric bill for spinning your devices 24/7. In theory, the new smart meter in your home might catch the excessive electricity use, but of course it too can be hacked.

  What the Outlet Knows

  Smart meters will be at the core of the global IoT, and their two-way communications abilities will record and track details of electricity usage in homes and businesses in order to increase the overall efficiency and reliability of an outdated and overburdened electrical grid. As of mid-2013, smart meters had been installed in over forty-six million homes in the United States, and the U.K. anticipates their deployment throughout all of Britain by 2020. Smart-meter information, much of which is transmitted in an unencrypted format, can actually reveal details such as the brand and age of your appliances and when you are using them in which rooms of your home. Extrapolating such data reveals how much time you spend cooking and when you turn on the TV in the bedroom. But the deep granularity smart meters can provide on your activities extends far beyond simply knowing you used the microwave at 7:26 p.m. on Thursday.

  Researchers in Germany revealed that smart meters could also tell what television programs people were watching at what times, because of the specific electricity required in order to display the scenes of each show on your screen. By measuring these in the aggregate, the researchers were able to create individual profiles for all television programs, and it turns out episode 71 of Star Trek has a different power signature from episode 17 of Modern Family. Of course, there are potentially billions to be made selling all of these data to third parties. Indeed, in May 2014, WPP, the world’s largest advertising agency, announced it was teaming up with the London-based data analytics company Onzo to study ways to collect smart-meter data in order to finally “open the door of the home” to advertisers.
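An added illustration, not from the book, of the kind of load-signature matching the German researchers describe: it assumes a 2-second reading interval, and every program signature, household reading and program name in it is synthetic. It also shows why the 15-minute intervals many utilities report leave almost nothing to match against, which is the usual privacy lever.

```python
import math
import random

SAMPLE_SECONDS = 2   # assumed fine-grained meter interval (constructed)
SAMPLES = 1800       # one hour of readings at that interval


def make_signature(seed, n_samples=SAMPLES):
    """Constructed program signature: the TV's draw above idle, in watts, held
    constant for each 'scene' of 6 to 40 seconds; brighter scenes draw more."""
    rng = random.Random(seed)
    sig = []
    while len(sig) < n_samples:
        level = rng.uniform(30.0, 90.0)
        sig.extend([level] * rng.randint(3, 20))
    return sig[:n_samples]


# Reference library an analyst would build once per program (constructed names).
SIGNATURES = {"program_A": make_signature(1),
              "program_B": make_signature(2),
              "program_C": make_signature(3)}


def simulate_trace(signature, baseline=350.0, noise_sd=8.0, seed=7):
    """Constructed household reading: steady base load plus the TV's
    program-dependent draw plus small Gaussian measurement noise."""
    rng = random.Random(seed)
    return [baseline + s + rng.gauss(0.0, noise_sd) for s in signature]


def pearson(a, b):
    """Pearson correlation, so the unknown base load and meter scaling
    do not hide the scene pattern."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (va * vb) if va and vb else 0.0


def rank_programs(trace, signatures=SIGNATURES):
    """(name, score) pairs sorted best match first."""
    scores = [(name, pearson(trace, sig)) for name, sig in signatures.items()]
    return sorted(scores, key=lambda pair: pair[1], reverse=True)


def downsample(trace, factor):
    """Average consecutive readings; factor=450 turns 2-second data into the
    15-minute intervals many utilities report."""
    return [sum(trace[i:i + factor]) / len(trace[i:i + factor])
            for i in range(0, len(trace), factor)]


if __name__ == "__main__":
    trace = simulate_trace(SIGNATURES["program_B"])
    print(rank_programs(trace))          # program_B ranks first, score above 0.8
    print(len(downsample(trace, 450)))   # 4 readings: nothing left to correlate
```

The correlation is insensitive to the household's base load, so what protects the occupant is not the size of the other appliances but the reporting interval: one reading per 15 minutes leaves a handful of numbers per program.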

  The threats from smart meters extend well beyond their deep privacy implications, and criminals have attacked insecure smart utility devices for a variety of purposes, in particular financial fraud. In Puerto Rico, for example, Crime, Inc. employed large teams of techno-thugs to take advantage of the widespread deployment of smart meters on the island. Using software widely available in the digital underground and a simple laptop, criminal hackers began making “service calls” to both businesses and the general public. For fees ranging from $300 to $1,000 for residential customers and $3,000 for commercial clients, Crime, Inc. successfully reprogrammed the smart meters in order to save its “clients” up to 75 percent off their monthly electricity bills. According to an investigation into the incident by the FBI, the Puerto Rican electrical and power authority affected lost nearly $400 million in revenues annually as a result. Like all computers, smart meters are also vulnerable to malware attacks, and security researchers at IOActive devised a worm capable of rapidly spreading from one infected smart meter in a home to another, eventually infecting a whole neighborhood and plunging it into darkness.

  Working hand in hand with your smart utility meter will be your smart thermostat on the wall in your home, and one company above all others is revolutionizing the field: Nest Labs. Founded by two former Apple executives, Nest has completely reimagined the clunky old thermostat, which hadn’t changed much since the 1950s. Leveraging the profound design expertise garnered at Apple, the Nest founders created a beautiful Wi-Fi-enabled thermostat replete with cutting-edge sensors, including temperature, motion detection, humidity, and light. Nest employs adaptive artificial intelligence algorithms designed to learn what temperatures make you happy and when. Nest also has an auto-away mode that determines when there hasn’t been any motion or light near the device, correctly deducing when you are on vacation or not at home. Nest’s thermostats have been extremely popular with the public, and a hundred thousand units a month are flying off the shelves along with other Nest products, such as its talking multi-sensor IoT Wi-Fi-enabled smoke alarm. The widespread enthusiasm hasn’t gone unnoticed by other tech giants, and in 2014, just a few years after its founding, Nest was purchased by Google for $3.2 billion. Good news for Nest’s founders and the hundred or so employees, but why would an Internet advertising firm buy an IoT device maker?

  Google clearly sees the opportunities in the Internet of Things, and Nest is a powerful hardware product to anchor its ambitions in the battle for what it is calling the “conscious home.” But Nest thermostats and smoke detectors with all their embedded sensors are prodigious producers of data, and just as the Android mobile phones brought new advertising and data sales opportunities, so will Nest Labs products. Google, however, is far from done with its acquisitions, and in June 2014 it announced it was purchasing Dropcam, a large video camera security start-up, for $555 million. Dropcam makes high-definition Wi-Fi and Bluetooth security cameras that stream live video to mobile apps and send alerts based on predetermined activities sensed by the devices. With the purchase of Dropcam, Google now owns not only your Web searches, e-mail, mobile phone, maps, and location but also your movements inside your own home through live-streaming video feeds. As a result, your thermostat, smoke detector, and security system all come with lengthy terms of service. Could the privacy implications be any more obvious?

  Of course an insecure and accessible smart meter is a great way to tell when you are away from home for extended periods of time. Rather than search your Facebook postings, tomorrow’s burglars will just be able to tap into your video feeds, query your refrigerator to see when the last time its door was opened, or simply ask the smart thermostat if it is in extended vacation mode. Google’s Nest thermostat has already been successfully hacked allowing just that, giving hackers potential remote access to the device, including monitoring whether an owner is home via the embedded motion detector or even cranking up the heat full blast. Nest’s other main product, the Nest Protect smoke and carbon monoxide alarm, has also had difficulties, and 440,000 of the devices had to be recalled because of a software glitch that could delay the alarm from going off in case of an actual fire. Dropcam cameras too have had their security vulnerabilities, which hackers can exploit to watch videos remotely, turn on the camera’s microphone, and inject fake video into the device’s online live video stream, in case thieves want to cover their tracks in an Ocean’s Eleven scheme. Needless to say, Crime, Inc. too is eager to learn what your outlets know: you may find that with each new Wi-Fi lightbulb and door lock you buy, you are unwittingly providing hackers all they need to find new ways to haunt your house from afar.

  Business Attacks and Building Hacks

  Businesses too are jumping on the IoT bandwagon to further drive cost savings, and though the majority of corporations do have chief information security officers, the technological battleground that is the office is proving extremely difficult to navigate. Unbeknownst to most, since 2002, nearly all photocopiers have come with internal hard drives that store every document copied or scanned. Because many of these devices are leased or eventually sold, the data they contain is wide open for pilfering, as a CBS News investigative report demonstrated. A visit to a warehouse in New Jersey found six thousand used copiers for sale, all loaded with penetrating government and corporate secrets. Researchers and reporters purchased just four used copiers to see what they might recover, and the results were scandalous. Using simple, widely available data recovery tools, investigators found “tens of thousands of documents,” including “95 pages of paystubs with names, addresses and social security numbers”; $40,000 in copied checks; “300 pages of individual medical records” from the Affinity Health Plan, including everything from drug prescriptions to cancer diagnoses; “detailed domestic violence complaints and a list of wanted sex offenders” from the Buffalo Police Department’s sex crimes unit and a “list of targets in a major drug raid” from its narcotics squad.
