No Sooner do we Secure Our iPhones Than the Home Invasion Begins

The pace of personal security continues to accelerate. First, we spent years learning how to secure our routers and Macs. Then we focused on our iPhone security and got that pretty much under control. Now, a new wave of home automation devices is poised to enter our residence, and they're not made by Apple. Danger is lurking once again.

______________________

The modern customer who surfs on top of the blue waters of the Internet generally has no idea of what's going on under the water. The enormous layers of complexity and software abstraction mean that we can no longer understand what's going on under the hood of our devices with the time we have available for study. There are sharks near the surface of those waters.

What that means is that 1) all devices tend to look and operate alike because the market leader is copied; 2) the various settings and preferences presented to us are a mere shadow of the complex technology underneath; and 3) for companies rushing to compete in the consumer market, excruciating, expertise-based attention to security detail is unprofitable. As a result, we have to place a lot of trust in the companies we buy Internet-enabled products from.

We have a natural human tendency, a weakness, to think that incursions will leave telltale signs. But they don't. Our Internet devices just sit there quietly and look like they're doing nothing when, in fact, a lot is going on underneath the hood. That deception leads to complacence.

There was a time, not long ago, when the only device the family had on the Internet was perhaps a family Mac or PC and maybe a PowerBook belonging to a student in the family. Today is different. Recently, I had to upgrade to a new router because the number of devices in my house with IP addresses had gone into the range of 30. When we had guests at Christmas, they couldn't get on the Internet with their iPads. We had to shut stuff down.

Things are about to get dramatically worse for all of us. In a few short years, with home automation on the upswing, it wouldn't be crazy to think about several hundred devices in the home with IP addresses. And every one of these devices is a potential target or entry point into the privacy and security of the household.

In the past, as I recall, household electrical devices were certified by Underwriters Lab. There was a "UL" label on the power cord that affirmed that the devices met electrical safety standards and could be used with confidence. It would be nice if we had something similar for Internet devices we install in our home. But this time the certification would be for a high level of consumer security. But I don't see it coming.

Meanwhile, it's the wild, wild west, and it's a free-for-all. Never has it been wiser for the consumer to beware of the vulnerabilities of the devices they buy. This week's tech news debris is 100 percent devoted to articles that address all that.

Next: the tech news debris for the week of Aug 11. VNC free-for-all, badly designed firmware, tricking the smartphone's gyroscope into being a listening device, and whether Apple can once again save us from The Internet of (insecure) Things.

Page 2 - The Tech News Debris for the Week of Aug 11

 

We've already seen how tech giants who have great financial and tech resources remain challenged when it comes to building devices that protect our security and privacy. Now, with the Internet of Things and home automation taking off, companies without a lot of serious expertise in security are looking to place an Internet-connected device in our homes. That's going to create a host of new problems.

Here's a sampling of the related articles I found this week.

First, one session at ShmooCon 2014 covered scanning the Internet for services that are not well designed. In this session there was a demo of scanning the entire IPv4 space for servers on port 5900 (VNC) in just 12 minutes, and then acting on the results. It's sobering to see the good guys, the "white hats," doing it and even more sobering to think about what the bad guys, the "black hats," do for a living. This is an entertaining, educational and pleasantly geeky video that reveals what kinds of things go on beneath the surface of our tech lives. In fact, it's a must-watch video.

All the way through.

Next up is an analysis at CSO, "Study finds firmware plagued by poor encryption and backdoors." The tagline: "Firmware within the 'Internet of Things' could pose opportunities for hackers, researchers find." Jeremy Kirk writes:

Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin.

They found a variety of security issues, including poorly-protected encryption mechanisms and backdoors that could allow access to devices. More than 123 products contained some of the 38 vulnerabilities they found, which they reported privately to vendors.

Next is a sobering technique to — are you ready — use the gyroscope in a smartphone to listen in on a mobile phone conversation. "The Gyroscopes in Your Phone Could Let Apps Eavesdrop on Conversations." Notable:

In this case, the researchers say mobile operating system makers like Google could prevent the gyroscope problem by simply limiting the frequency of access to the sensor, as Apple already does.

Yet more. Jonny Evans wraps up the whole discussion with an observation that The Internet of Things is "the biggest test yet for corporate responsibility." Mr. Evans asks, "Can Apple keep us safe in the Internet of Things?" Notable quote:

All the tech players are getting into the space but that doesn't mean they know what they are doing. All they seek is a way to keep revenue rising, some by selling you things, others to learn more about you so they can sell you. And in their rush they're selling problems not solutions.

Finally, The Washington Post quotes several experts in its article, "Why surveillance companies hate the iPhone." The implication in the article: Android users aren't paying attention.

Clearly, these days, it can be helpful to keep your technical life simple: don't turn on (or leave on by default) system services unless you need them, try to understand what you do elect to implement, and develop some expertise with defensive tools.

And try to use Apple products when you can.
