/ Technology

Can you trust smart tech?

Fraud data theft

A new Which? investigation has revealed the potential security flaws in smart home tech. Luke Potter, Cybersecurity Director of SureCloud, and his colleagues teamed up with Which? to put this tech to the test. Luke joins us as a guest author to explain more…

I head up the cybersecurity practice at SureCloud and work with clients on their penetration testing and vulnerability management requirements, but I’m also a consumer. I buy products for my home and expect them to be well designed and secure.

Sadly, with many smart, or Internet of Things (IoT), products hitting the market, we’ve found that this isn’t always the case.

Smart home security

SureCloud was invited by Which? to investigate the security of IoT devices. Which? set up a real home of one of its employees with various smart gadgets – from a wireless camera, to a wi-fi coffee machine and smart toy. We then performed what is known as a ‘red-team’ engagement, essentially a simulated attack using techniques a hacker or cybercriminal might employ.

Which? only provided us with the name of its employee. Our team then set about identifying as much information as they could from online research.

Within a few hours, we had their home address, family and partner details, full employment history, corporate and personal email addresses, and an array of credentials that they’ve used online, including social media websites.

We also successfully ‘phished’ the target to further obtain user account credentials and access to their online life. It’s amazing what you can glean from just what we all share freely online.

Home hacking

Following the information gathering exercise, the next step was to visit the target’s property and perform reconnaissance from outside the house. Our attacks ranged from very basic and opportunistic approaches, to actually taking apart the sample devices to find exploits.

One attack vector involved fully compromising a smart coffee machine to flood it with boiling water. In another, we breached a smart toy so we could listen to all conversations within the home, and even speak through the toy remotely.

But sometimes, a low-tech approach gets results too – for example, we were able to place an order for items using the target’s Amazon Echo by simply shouting through a window.

When Amazon was approached for comment on this, it said:

‘To shop with Alexa, customers must ask Alexa to order a product and then confirm the purchase with a ‘yes’ response to purchase via voice. If you asked Alexa to order something on accident, simply say ‘no’ when asked to confirm. You can also manage your shopping settings in the Alexa app, such as turning off voice purchasing or requiring a confirmation code before every order. Additionally, orders placed with Alexa for physical products are eligible for free return.’

Staying safe online

For consumers, there are a few key takeaways. Most critical is that you should always ensure that for every single system and service that you use, set a completely unique password. To help you remember them all, a ‘password manager’ tool can be a great way to make this process extremely simple and easy to manage.

Additionally, ensure that when you purchase IoT devices that you set them up fully, including changing passwords and not leaving them in their default state.

Finally, just like you’d install updates on your phone or laptop, IoT devices need to be updated, too. Ensure you apply these as soon as possible so that your security is always up to date.

Do you have IoT gadgets in your home? Or are you considering buying some? If so, how important is it to you that they keep your network secure and protect your privacy?

This is a guest contribution by Luke Potter, Cybersecurity Practice Director at SureCloud. All views expressed here are Luke’s own and not necessarily also shared by Which? or SureCloud.


Can you trust high tech ?? as the well known ex American tennis player/commentator repeatedly said to wide acclaim at Wimbledon—You CANT !!! be Serious !! If anybody has been following my perpetual posts on Which on this issue in every variation over the past year or two then if you trust the IoT-Cloud Storage then big companies no ;longer need the old subliminal messaging you used to get in cinemas in this country “making ” you buy lemonade/ice cream etc. NEVER-NEVER trust the Digital World every part of it is hacked in 5 minutes , every second YOUR Data is transmitted back to “headquarters ” by your computer , if its a Windows machine , every minute your printer “talks ” to its makers , your camera can be turned on ,your mike as well , its now been admitted every device you have can be used against you , there is even the latest case of your router if it is a well known American make sending data back to hackers ( change you default password ) its big news in the States million compromised . Why do you think I keep saying all three big countries national security services -UK/US/Israel are recruiting high tech employees , I have all the adverts for all three , because they are more intelligent than a lot of the staff they have now, America for example will even forgive good hackers who hack high security organisations if they go to work for them and I think the same applies here. I hope now with this convo the TRUTH will no longer be hidden by big business and government because of financial/commercial interest and that they will be honest with the British public.

Ian says:
23 June 2017

Can you trust smart tech?

Simple answer… NO.

There is a companion article in the July issue of the Which? magazine.

The first security problem mentioned is routers and today a problem with routers is in the news: http://www.bbc.co.uk/news/technology-40382877

Interesting Wavechange , I dont watch the BBC news for reasons I wont go into here but I changed my router password a year or two ago as it was news way beck then but on tech websites . Linksys /Netgear etc in the USA were hacked by the millions . If you are hacked by a hacker and not the CIA then your DNS setting will be changed to a malicious IP address , you should check this out . Its easy to check on the web what your IP address is but I have Wireshark installed you can then see all the traffic /packets that flow from your computer , there are apps that will block IP addresses /ports . An absolutely Marvelous app of USA origin that uses Windows firewall , that I used when I had Windows in addition to a paid for protection is Glasswire it has a coloured moving graph showing ALL the traffic in and out of your computer as well as the ability to block any or all data sent illegally . The problem is , as you would suspect , MS hate it and cause the software designers all sorts of problems , even though the website is pro Windows , I am a member but they haven’t made it compatible with Linux although its now compatible with Mac computers . Wavechange , its that good I am recommending it , if you can install it ,there is a free version and two paid for versions, in the time I have been on Which this is only the third app I have ever recommended , it really is genuine. ONLY download it from the makers website NOT CNET etc.

Thanks Duncan. I understand what you are talking about, which is not always the case on tech matters. I’ve had a lot to do with firewalls, IP addresses, DNS and ports, albeit mainly on Mac systems. When I get back from holiday I plan to do some work on my computers and look at security issues. It’s a very long time since I’ve been near CNET.

bishbut says:
24 June 2017

not everyone reads Which many people ignore any advice they are given they think they know it all you can try to help but many are beyond help They know nothing about security at all expecting others to do everything for them including keeping them safe and secure they do not care until it happens then they are the first to complain as loudly as they can To some no Tech should go wrong it cannot go wrong

Very profound Bishbut, it sounds like its taken from the Book of Laws of the Digital Age relating to the Social Interaction of the Human Species to a perceived “God LIke ” quality of the Word handed down from “Above ” , never thinking for a moment that this “Word ” was written not by a “god ” but by flawed Humans who are “Lesser Gods ” . It is the Automaton Effect of a religious transference of Spiritual Power from the infallible “God ” to the Fallible Human god of the BIT noted in a natural gathering together -as in I Robot -the Movie, of people in the supposed believe a common thought pattern will “Protect ” them . This is generated at an early age by indoctrination of everything “Digital ” being superior to the human race when in actual fact it is vastly inferior as admitted by those at the top in software design. Book of Laws- section one- Law number Three. This is more profound than you think its already been admitted read “the Thinkers Update “– the Dawning of the Digital Age, : http://www.intersperience.com/article_more.asp?art_id=46 and has been taken up by Big Advertising to good effect (see told you ) , if its human related , profit is involved.

bishbut says:
25 June 2017

Don’t understand a thing you are saying Plain simple English please

Basically its “intelligent sarcasm ” (blaming those controlling us ) on the way people are manipulated -crowd psychology- herd mentality -herd behavior , there are whole books on the subject on population control , I just thought the readers here would understand the overall concept , seemingly not . I was actually giving people credit for understanding the concept its in high gear in the west as we speak. I dont underestimate people Bishbut thats patronising maybe I overestimate but that is good strategy

Another security/personal detail problem has been emailed to me. Has anybody gone to a website and started filling in the details and then found they want very personal ones and not filled them in and abandoned the website ? I have and the following has occurred to me over the past year or so –I started getting emails saying I joined them even when I hadn’t filled it all in . That applied to usa.gov – the White-House + 2 security info websites of a higher caliber – quote- before you hit the “submit ” button the company already has all your personal details ? – they quoted -“Quick Loans Mortgage Calculator as one example , you fill in your details- have second thoughts and close the page –TOO LATE ! all your details have already been submitted to a server at “murdoog.com ” owned by NaviStone a company that advertises (in the USA ) as being able to UNMASK anonymous website visitors and find out not only their telephone number but home address , they quote a drug trial investigation about Acurian Health tracked down people who looked online for information a whole range of companies do this , its done by Javascript which I have disabled on many browsers to —sorry you cant use our website unless you activate java-script used by most hackers as well. . The company based in Ohio can match 60-70 % of anonymous website traffic to postal names+addresses . How do you think you get that letter from a heath company about your own ailments without you contacting them ? I have a lot more info on this . Now do people believe me when I say the internet is one big open book to your personal details and understand why I have so many types of blockers ?

I think it should be illegal to require prospective customers to provide information that is not both relevant and necessary for fulfilment of the transaction. If they need to carry out further checks that should be done after registration. That way people could decide not to proceed without leaving much more than their name, address, phone number, and e-mail address all of which are easily accessible anyway. It is an unfortunate consequence of doing things the internet way; avoiding use of the internet is becoming increasingly difficult as bricks-&-mortar businesses stop trading. One company I have bought from occasionally over many years has decided to stop sending out a printed catalogue; since they don’t have my e-mail address they have lost a ‘valued customer’. It will be interesting to see whether I have heard the last from them or whether they will wake up in a few months’ time and wonder why they are getting fewer orders. Firms that trade on impulse buying should think long and hard before they cut off their customer contacts.

Scots Don says:
8 July 2017

The SureCloud Hack: Can we put this hack into perspective? The SureCloud team spent 4 days in all, camped in someone’s drive, or in a passage outside their flat, or in another adjacent flat, or parked in the road outside their house (it doesn’t say where). In my case. it would have to be my drive and I might spot them maybe. They hacked the person’s wi-fi finally – doesn’t say how long. This was probably achieved by a brute force attack (chuck millions of passwords at the router), requiring a bit of computer equipment. OK, so when they finally crack the password, they can do all sorts of damage. BUT is this at all likely? Where I live, not a chance.

I understand that the real danger is Port Forwarding. This is where you take a brick out of your firewall, to let messages from OUTSIDE your home (the Wild West – well, the open internet) get through to a specific device, such as a security camera. This lets the owner view the camera from the other side of the world. The device has a password, and if this if left to the default, Bingo! A hacker can get in via the open port to the camera, view what the camera sees, and, worse, re-program the camera so it can do all sorts of harm on the owner’s network. The hacker doesn’t have to put a tent up in your garden, they can be in Australia if they want.

In my own case, I have a security camera, and also other devices that I want to use when away. I do not use port forwarding. My router’s port forwarding is turned OFF. So no gap in my firewall exists that way. My router allows an incoming VPN (Virtual Private Network) , which is effectively an encrypted route into my home network from the open internet. Note that many routers allow an outgoing VPN connection, so that you can talk to your office network for example, but fewer allow an incoming VPN, one reason being that you need to know your home’s IP address before using it, and most IP addresses are dynamic, set by your ISP, so you don’t necessarily know it when away. My router manufacturer provides a DDNS service (Dynamic Domain Name System) which I use when away to get onto my home network. This is all username/password protected and simple to use. Once connected, it is like using the computer at home on the Local Area Network, so the camera can be viewed as well as any other attached devices.

This method seems to me to be very much safer than Port Forwarding.

However, I would be interested to hear what other vulnerabilities I should look out for!

Yes port forwarding Scots Don , you do know there is a website that tells you how to do it along with all the default passwords for different types of routers and it tells you which ports too open for different servers . Do you know if LogMein is installed on your computer that can do it , you know the “India special ” its why I tell everybody who has downloaded it how to remove it completely. And thats pre supposing GCHQ hasnt “taken a fancy to you ” and are using your camera/microphone known as- CNE -computer network exploitation -aka -hacking , the Investigatory Powers Tribunal was told by lawyers for a civil liberty group –and they admitted it. Two of them are called Nosy Smurf + Dreamy Smurf also Tracker Smurf , but thats old hat they now have absolute control over all devices and listen, what GCHQ did yesterday “civil hackers ” do today its the old backdoors story of Windows , there is even an app that will do it for you . You can even download three data programmes that will port forward without using your router access I am looking at step by step instructions for doing it on a website on another browser . Scots Don I am now looking at a US website which tells you how to hack into a VPN and using it allows others access via VPN Tunnels so you need special firewall protection I am not saying VPN is not secure I am saying given the intelligence of a very good hacker it can be hacked. You notice I have not posted any URL,s on hacking and dont intend to do but if anybody doesnt believe me I can easily prove what I say.

Scots Don says:
10 July 2017

Duncan, scary stuff. But if I have port forwarding switched OFF in my router, will that not stop any port forwarding attacks?

I do keep an eye on what processes are running on my PC, though whether I would recognise a malicious one. I’m not sure. I don’t have LogMein, but I do have TightVNC Viewer, to remotely access a Raspberry Pi.

I keep my camera powered off when not needed!

Basically, I work on the principle of keeping my front and back doors closed, in my router. I rely on the router to not let remote messages get through. Maybe I have misplaced faith.

Scots Don , no you are doing the right thing and you should be better protected than a large amount of the population who haven’t done what you have done. I am just trying to point out its now nearly impossible to be “invisible ” on the web some people think I overdo the information but the only thought I have is to make the public aware of the need of making sure you are secure when surfing as Which website is filled with posters wondering why strangers know all about them.

I’ve just bought an Amazon Alexa. I wanted a new toy to play with. That’s not to say I’m not cautious of a. potential security holes. b. the benefits.

At the moment I plan to use it for music, ordering an uber, telling me the morning news, reading out recipes etc.

Hopefully no one in my building shouts out an Amazon order through the window…