What is Acceptable Risk?
I just watched a couple of guys open someone’s garage door by shining a laser through the window of the house at the family’s Google Home Hub…
Let me explain why this is important.
A lot of paranoid posts are circulating through social media about smart home devices and how governments are listening to you, etc. A lot of people have smart home devices such as Google Home, Amazon Echo, Siri, etc. Even if you don’t have one in your house, you likely have the feature on your phone. Another major concern is: what if it gets hacked, or what if it is already hacked and I’m being spied on?
Well, I’ve done some real world tests to investigate the vulnerability of a few of these systems and I’ve been considering the security implications of these smart home devices. I hope this is helpful. First, I’m not saying that these devices are evil, and you should burn your phones or cancel your internet subscription. With everything there is a risk of compromise or loss of privacy. The goal is to determine your accepted level of risk in exchange for whatever service or convenience the product offers you. This decision should be based on many factors, such as the sensitivity of your conversations, the confidentiality requirements of your work, etc.
While it is true that some of these devices are just inherently insecure, I wouldn’t say that is the case for most of them. Generally speaking, the bigger the brand, the higher the likelihood that there is some good security testing and hardening behind the product, but do your homework.
There are two main ways of compromising these devices. The complexity and difficulty vary for each.
- Breaching the Network
These devices are connected to a network. They may be plugged into your switch/router or they may be connected to your Wi-Fi. Either way, if a threat actor can get on your network, it becomes a lot easier for them to start messing with or accessing your smart-home devices, which may in turn compromise other systems such as personal computers, smartphones, etc. The best things to do here: change the default credentials on your router. Enable firewall services and features. Put smart home devices on a separate network segment dedicated to these devices. Don’t give out your Wi-Fi password, hide your SSID, and make your credentials complex.
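As an added illustration (not part of the original article), the short Python audit below checks the two pieces of advice above that can be verified mechanically: every smart-home device sits on its dedicated segment, and the firewall does not let that segment open connections to your trusted machines. The segment names, addresses, device inventory and rule list are all constructed for this example.

```python
import ipaddress

# Constructed layout and inventory (assumed addressing, not from the article).
SEGMENTS = {"trusted": ipaddress.ip_network("192.168.10.0/24"),  # PCs, phones
            "iot": ipaddress.ip_network("192.168.50.0/24")}      # smart-home only
INVENTORY = [  # (name, kind, IP as listed in the router's DHCP table)
    ("laptop", "computer", "192.168.10.21"),
    ("kitchen-hub", "smart-home", "192.168.50.12"),
    ("garage-opener", "smart-home", "192.168.10.77"),  # misplaced on purpose
    ("old-tablet", "computer", "192.168.50.40"),       # misplaced on purpose
    ("doorbell-cam", "smart-home", "10.0.0.5"),        # outside every segment
]
# Constructed forwarding rules between segments; the first match wins.
RULES = [
    ("trusted", "iot", "allow"),  # you can still control your devices
    ("iot", "wan", "allow"),      # devices can reach their cloud service
    ("iot", "trusted", "allow"),  # weak: a hijacked device can reach your PCs
    ("any", "any", "deny"),
]

def segment_of(ip):
    """Return the name of the segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def forward_action(rules, src, dst):
    """Evaluate first-match rules for new connections from src to dst."""
    for r_src, r_dst, action in rules:
        if r_src in (src, "any") and r_dst in (dst, "any"):
            return action
    return "deny"  # default-deny when nothing matches

def audit(inventory, rules):
    """List placement and firewall findings as (subject, problem) pairs."""
    findings = []
    for name, kind, ip in inventory:
        seg = segment_of(ip)
        want = "iot" if kind == "smart-home" else "trusted"
        if seg is None:
            findings.append((name, f"{ip} is outside every defined segment"))
        elif seg != want:
            findings.append((name, f"{kind} on '{seg}' segment, expected '{want}'"))
    if forward_action(rules, "iot", "trusted") == "allow":
        findings.append(("firewall", "iot segment may open connections to trusted"))
    return findings

if __name__ == "__main__":
    for subject, problem in audit(INVENTORY, RULES):
        print(f"{subject:14} {problem}")
```

Removing the `("iot", "trusted", "allow")` rule and moving the two misplaced devices clears every finding except the doorbell camera, which still needs an address inside the dedicated segment.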
- Spoof the Inputs (SCARY!!)
This attack type is fairly new and kind of freaks me out. In my opening, I mentioned opening someone’s garage by shining a laser at a Google Home Hub from outside their house, through the window! Crazy! I hadn’t thought about this, but I understand how it works and I have some ideas on what to do about it. This reminds me of doing experiments in school.
(really geeky part starts here) The experiments would transmit voice via a laser to a sensor on the other side of the room and the sensor would send the signal to a speaker and play the sound. This is the same concept here. Each smart home device has what is called a MEMS (micro-electromechanical system) microphone. You usually see it as a tiny little hole on the device, maybe with some screen mesh over it. They’re usually very small though. That is the microphone that receives your voice and converts it into a digital signal for the device to interpret. They’re either made with piezoelectric crystals that convert the sound into electricity or they’re made with a capacitance diaphragm. In either case, the vibrations of sound are converted into electricity.
With the laser, instead of using audio waves to create electricity, the theory is that the temperature fluctuations of the pulsating laser distort the MEMS diaphragm or piezoelectric membrane. The system converts those distortions into electricity just as it would from picking up voice, but, in this case, no one ever said a word… If someone were doing this to your device, you wouldn’t hear anything unless the device responded back audibly. Even more scary, this can be done with infrared lasers so you wouldn’t even see the light shining! (really geeky part ends here)
Okay, so what do we do about it? Well, if someone is set up near your house trying to use a laser to open your doors, listen to your conversations, or even turn off your Christmas lights, then something is wrong… either you have some very sophisticated enemies, you are a government spy in a foreign country, or your friends are high-tech nerds with a good sense of humor. Since we’ve seen that it can be done, I guess we should take appropriate precautions, so here’s what we do about it.
First, device placement is key. If you can see it from a window (or in a mirror through a window) then someone could hit it with a laser. Place these devices in obscure locations not visible from the outside.
Second, study your devices and find the microphones. On the Echo Dots the microphones are generally facing towards the ceiling so it would be hard to hit the microphone directly with a laser, but with the tablet type devices (Google Home Hub, Amazon Show, etc.) the microphone is usually facing out with the screen. Those microphones are much easier to hit so keeping them away from windows is important. Also, the laser doesn’t shine well through cloth or fabric. If you put a little foam square or a piece of denim over the microphone, it would be extremely difficult for the laser to interact with the microphone.
In reality, people will keep inventing new ways to hack stuff and other people will keep inventing new ways to catch and stop them, but most cyber-attacks happen because of lack of awareness or carelessness. To protect yourself, do the simple steps mentioned previously. You don’t have to live under a rock. Just be diligent.
In comparison, there is always a risk of someone breaking into your car and stealing stuff, so you do the simple things like lock your door and don’t leave your valuables out in the open in your car. Just because someone “might” break into your car doesn’t mean you don’t drive anymore… You know that if they really wanted to get into your car, they would… but you’re taking the right precautions to make it more difficult for them and to not make it look like a valuable target. If your car is a valuable target, then you probably have an enhanced security system. You park it in more protected areas. You may have vehicle tracking enabled, etc. You can do the same thing with your digital devices. The same principle applies… the difference is that the threat isn’t a guy with a crowbar and a hammer, it is “a ghost in the wires” as Kevin Mitnick would say… (or a guy in the front yard with a giant laser and some fancy computer equipment hooked to it.)
Jamie Ginn is the Chief Technology Officer of Intuitus Corp.