Should you beware of wearables? Here’s what you should know about the potential security and privacy risks of your smartwatch or fitness tracker.

Smartwatches, fitness trackers, and other wearables are fast becoming almost as familiar to us as our mobile phones and tablets. These connected gadgets do much more than tell the time. They track our health, display our emails, control our smart homes and can even be used to pay in stores. They’re an extension of the so-called Internet of Things (IoT) that’s making all of our lives healthier and more convenient, while reducing smartphone screen time that reached nearly six hours for half of Americans this year.

Unsurprisingly, it’s a market set to grow by 12.5% annually over the next few years to exceed US$118 billion by 2028. But while wearables are reaching into more of our daily lives than ever, they’re also collecting more data and connecting to an increasing number of other smart systems. It pays to understand these potential security and privacy risks up front.

What are the main security and privacy concerns?

Threat actors have multiple ways to monetize attacks on smart wearables and the related ecosystem of apps and software. They could intercept and manipulate data and passwords and unlock lost or stolen devices. There are also potential privacy concerns over the covert sharing of personal data with third parties. Here’s a quick round-up:

Stealing and manipulating data

Some of the most feature-rich smartwatches provide synced access to your smartphone applications, such as email and messaging. That could provide opportunities for unauthorized users to intercept sensitive personal data. But of equal concern is where much of that data ends up being stored. If it’s not protected properly at rest the provider may be targeted by information thieves. There’s a thriving underground market for certain types of personal and financial data.

Location-based threats

Another key data type recorded by most wearables relates to location. With this information, hackers can build an accurate profile of your movements throughout the day. That could enable them to physically attack the wearer, or their car/household at times it is judged to be empty.

There are even greater concerns over the safety of children wearing such devices, if they are being tracked by unauthorized third parties.

Third-party companies

It’s not just security risks that users have to be alert to. The data your devices collect may be extremely valuable to advertisers. And there’s a roaring trade in such data in certain markets, although it should be tightly regulated in the EU thanks to legislation introduced in 2018. One report claimed that revenue made from data sold by health device manufacturers to insurance companies could reach US$855 million by 2023.

Some third parties may even use it to create advertising profiles on wearers and sell it onwards. If this data is stored by multiple other downstream companies, this presents a greater breach risk.

Unlocking the smart home

Certain wearables could be used to control smart home devices. They might even be set up to unlock your front door. This presents a major security risk in the event devices are lost or stolen and anti-theft settings aren’t enabled.

Where do device ecosystems fall short?

The device you wear is only one part of the picture. There are actually multiple elements—from the device firmware to the protocols it uses for connectivity to its app to its back-end cloud servers. All are susceptible to attack if security and privacy haven’t been properly considered by the manufacturer. Here are a few:

Bluetooth: Bluetooth Low Energy is typically used to pair wearables to your smartphone. But numerous vulnerabilities in the protocol have been discovered over the years. They could allow attackers in close proximity to crash devices, snoop on information, or manipulate data.

Devices: Often the software on the device itself is vulnerable to external attack due to poor programming. Even the best designed watch ultimately has been built by humans, and therefore could contain coding errors. These can also lead to privacy leaks, data loss, and more.

Separately, weak authentication/encryption on devices may mean expose them to hijacking and eavesdropping. Users should also be aware of shoulder surfers if viewing sensitive messages/data on their wearables in public.

Applications:  The smartphone apps linked to wearables are another avenue of attack. Again, they may be poorly written and riddled with vulnerabilities, exposing access to user data and devices. A separate risk is of the apps or even users themselves being careless with data. You may also accidentally download impostor apps designed to look like the legitimate ones, and entering personal information into them.

Back-end servers: As mentioned, the providers’ cloud-based systems may store device information including location data and other details. This represents an attractive target for attackers looking for a big payday. There’s not much you can do about this apart from choosing a reputable provider with a good track record on security.

Unfortunately, many of the above scenarios are more than theoretical. A few years ago, security researchers found widespread vulnerabilities in kids’ smartwatches that exposed location and personal data. Previous to that, a separate investigation found many manufacturers were sending unencrypted personal data from children using the products to servers in China.

Concerns persist to this day, with research showing gadgets susceptible to manipulation which could even cause physical distress to the user. Another study claimed that hackers could change passwords, make calls, send text messages, and access cameras from devices designed to monitor the elderly and children.

Top tips for locking down your devices

Fortunately, there are several things you can do to minimize the risks outlined above. They include:

• Switching on two-factor authentication
• Password-protecting lock screens
• Changing settings to prevent any unauthorized pairing

Protect your smartphone by:

• Only visiting legitimate app stores
• Keeping all software up-to-date
• Never jailbreaking/rooting devices
• Limiting app permissions
• Installing reputable security software on the device

Protect the smart home by:

• Not syncing wearables to your front door
• Keeping devices on the guest Wi-Fi network
• Updating all devices to the latest firmware
• Ensuring all device passwords are changed from factory default settings

Overall:

• Choosing reputable wearables providers
• Taking a close look at privacy and security settings to ensure they’re configured correctly

As wearables become a bigger part of all our lives, they’ll become a bigger target for attackers. Do your research before buying, and close off as many avenues for attack as possible once you boot up the device.

BEFORE YOU GO: Sports data for ransom – it’s not all just fun and games anymore 

It pays to do some research before taking a leap into the world of internet-connected toys

The Internet of Things (IoT) is changing the way we live and work. From smart pacemakers to fitness trackers, voice assistants to smart doorbells, the technology is making us healthier, safer, more productive and entertained.

At the same time, it has also provided opportunities for manufacturers to market flashy new toys for our children. The global market for smart toys is set to see percentage growth in the double digits, to exceed US$24 billion by 2027. But when connectivity, data and computing meet, privacy and security concerns are never far away.

Chances are that you, too, are considering buying one of these toys for your children and so encourage their learning and creativity. However, to protect your data and privacy (and your child’s safety!), it pays to do some research before taking a leap into the world of connected toys.

What are smart toys and what are the cyber-risks?

Smart toys have been around for several years. Like any IoT device, the idea is to use connectivity and on-device intelligence to deliver more immersive, interactive and responsive experiences. This could include features like:

• Microphones and cameras that receive video and audio from the child
• Speakers and screens to relay audio and video back to the child
• Bluetooth to link the toy up to a connected app
• Internet connectivity to the home Wi-Fi router

With this kind of technology, smart toys can go beyond the inanimate playthings most of us grew up with. They have the power to engage children through back-and-forth interaction and even acquire new functionality or behaviors by downloading additional capabilities from the internet.

RELATED READING: These things may be cool, but are they safe? 

Unfortunately, manufacturers can skimp on safeguards in the race to market. As a result, their products could contain software vulnerabilities and/or allow insecure passwords. They might record data and send it covertly to third-party, or they could require parents input other sensitive details but then store them insecurely.

When toys go bad

There have been several examples in the past of this happening. Some of the most notorious are:

• The Fisher Price Smart Toy Bear was designed for children aged 3-8 as “an interactive learning friend that talks, listens, and ‘remembers’ what your child says and even responds when spoken to.” However, a flaw in the connected smartphone app could have enabled hackers to gain unauthorized access to user data.
• CloudPets allowed parents and their kids to share audio messages via a cuddly toy. However, the back-end database used to store passwords, email addresses and the messages themselves was stored insecurely in the cloud. It was left publicly exposed online without any password to protect it.
• My Friend Cayla is a child’s doll fitted with smart technology, enabling children to ask it questions and receive answers back, via an internet lookup. However, researchers discovered a security flaw which could allow hackers to spy on children and their parents via the doll. It led the German telecoms watchdog to urge parents to bin the device over privacy concerns. Much the same happened with a smartwatch called Safe-KID-One in 2019.

In Christmas 2019, security consultancy NCC Group ran a study of seven smart toys and found 20 noteworthy problems – including two that were deemed “high risk” and three that were medium risk. It found these common issues:

• No encryption on account creation and log-in process, exposing usernames and passwords.
• Weak password policies, meaning users could choose easy-to-guess login credentials.
• Vague privacy policies, often non-compliant with the US Children’s Online Privacy Protection Rule (COPPA). Others broke the UK’s Privacy and Electronic Communications Regulations (PECR) by passively collecting web cookies and other tracking info .
• Device pairing (i.e., with another toy or app) was often done vie Bluetooth with no authentication required. This could enable anyone within range to connect with the toy to:
• Stream offensive or upsetting content
• Send manipulative messages to the child
• In some cases (i.e., kids’ walkie talkies) a stranger would only need to buy another device from a store to be able to communicate with children in the area with the same toy.
• Attackers could theoretically hijack a smart toy with audio capabilities to hack smart homes, by sending audio commands to a voice-activated system (i.e., “Alexa, open the front door”).

How to mitigate the privacy and security risks of smart toys

With smart toys representing a certain degree of security and privacy risks, consider the following best practice advice to counter the threats:

• Do your research before buying: Check if there’s been negative publicity or research done on the model’s security and privacy credentials.
• Secure your router. This device is central to your home network and talks to all of your home’s internet-connected devices.
• Power down devices: When not in use, power the device down to minimize risks.
• Familiarize yourself with the toy: At the same time, ensure that any smaller children are under supervision.
• Check for updates: If the toy can receive them, ensure it’s running the latest firmware version.
• Choose secure connectivity: Ensure that devices use authentication when pairing via Bluetooth and use encrypted communications with the home router.
• Understand where any data is stored: And what reputation the company has for security.
• Use strong and unique passwords when creating accounts.
• Minimize how much data you share: This will reduce your risk exposure if the data is stolen and/or the company is breached.

Smart toys can indeed be educational and entertaining. By ensuring first that your data and kids are safe, you’ll be able to sit back and enjoy the fun.

Further reading:

IoT security: Are we finally turning the corner?

Privacy by Design: Can you create a safe smart home?

To learn more about more dangers faced by children online, as well as about how technology can help, head over to Safer Kids Online.

As each new smart home device may pose a privacy and security risk, do you know what to look out for before inviting a security camera into your home?

UPDATE (November 2^nd 2022): This article was updated to add a statement from Ring.

Security cameras were once the preserve of the rich and famous. Now anyone can get their hands on one thanks to technological advances. The advent of the Internet of Things (IoT) has created a  major new market – for manufacturers of devices like connected doorbells and baby monitors, and more sophisticated whole-of-property systems. Connected to home Wi-Fi networks, these devices allow owners to watch live video footage, record video for later and receive alerts when out of the house.

Yet these same features can also expose households to new risks if the camera is compromised and/or the footage is leaked. Not all vendors have as big a focus on security and privacy as they should. That means you need to ask the right questions before starting. Here are some examples:

1. Do I actually need a security camera?

First up, it’s time to decide if a home security camera is really necessary or if you’re only interested in getting one because everyone else seems to. Part of this decision-making process may be working out what type of set-up to get: whether you need a full CCTV system requiring professional installation, or a cheaper connected camera that can be up-and-running quickly and is controlled via a smartphone app.

2. Am I aware of the security and privacy risks?

This is critical. While home security cameras are meant to protect the household, getting one might, in fact, unwittingly put the household at greater risk. In a worst-case scenario, remote or local hackers could access live feeds to spy on family members or case out the property to see if it’s empty. Both scenarios can be unnerving, especially as you would have little warning that this was happening.

One way hackers could gain access to these feeds involves accessing the home wireless network, perhaps by guessing or brute-forcing the Wi-Fi password. A more likely scenario, however, is an attack in which they guess or crack your account passwords or exploit an unpatched firmware vulnerability.

READ ALSO: D‑Link camera vulnerability allows attackers to tap into the video stream

3. Have I checked the security pedigree of the vendor?

With so many models on the market, it pays to research what’s on offer, and the reputation of different vendors. If you’re serious about security, you’ll want a reputable brand with a strong track record on building reliable products with good consumer ratings for security and privacy.

Things like prompt patching, strong encryption, enhanced log-in security and watertight privacy policies are important. And if engineers are required to fit a system, how much access are they granted? One US home security technician was able to spy on hundreds of homes over a four-and-a-half year period after adding his email on set-up.

4. Do I know what happens to footage and data?

Another potential element of risk is related to the vendor itself. Do you know if the video data is stored on-site or in the provider’s cloud datacenter? In its latest transparency report, Amazon-owned Ring claimed to have turned over an unprecedented volume of its customers’ footage to the US authorities last year, including in some cases without the consent of the device’s owner. Many camera owners may feel uncomfortable about such policies.

Statement by Ring from November 2^nd 2022
Police access to Ring videos + Emergency Law Enforcement Requests

1. Ring does not give police access to users’ cameras, devices, device locations or live streams.

2. If a customer wants to share video with law enforcement, they must have a Ring Protect Plan in place and download and share the recordings directly. Customers are in total control of the information they choose to share.

3. Like any other company, Ring may receive law enforcement requests, such as warrants, and we carefully review these requests. Ring’s Law Enforcement Guidelines describe our process for receiving and processing information requests from law enforcement.

4. Emergency requests are rare, and each request is closely scrutinized by trained specialists on the legal team. We hold a high bar for ourselves in these situations, and we only make these rare exceptions when time is of the essence and law enforcement can demonstrate an immediate threat.

5. Do I know how to secure the camera?

Once you’re aware of the major security and privacy risks involved, it’s worth familiarizing yourself with what’s needed to ensure these devices run safely. Default passwords should always be changed to something strong and unique. For added safety, use two-factor authentication whenever it’s available.

Also, devices should be regularly updated to the latest firmware. Choose a reputable vendor with a track record of manufacturing properly secured devices and shipping firmware updates. Switching off remote viewing of video footage will offer an added peace of mind and minimize the chances of a hacker accessing it.

6. Do I know how to configure the right smart home settings?

It’s not all about the settings on the camera itself. Your home router is the gateway to the smart home and could be a source of security risk if not properly configured. UPnP and port forwarding functions, which allow devices to find others on the same network, could be hijacked by hackers to access smart cameras. That’s why they should be switched off on the router, although it might prevent some applications and devices from working.

READ ALSO: Privacy by Design: Can you create a safe smart home?

7. Do I know how to check if the camera has been hacked?

As mentioned, it can be difficult to spot if a security camera has been hijacked. Two of the things to look out for would be abnormal movements of the camera or strange voices or sounds coming from it. If suddenly you can’t log in because the password to your account has changed, then that clearly isn’t a good sign either.

Another possible avenue to consider is increased data usage or poor performance. If the device is being accessed by an unauthorized user, your camera may run slower because of limited memory and CPU power. This isn’t a fool-proof check though – it may also be the result of something more mundane like a poor internet connection.

8. Am I aware of the impact on others?

Getting a home security camera is not just about your own security and privacy. It could also impact the rights of your neighbors, if a camera captures images of people outside the boundary of your property. Under the GDPR, these individuals also have privacy rights that must be respected. It’s a good idea to position cameras so as to minimize any intrusion, and to be as transparent as possible with neighbors. The UK government has a good guide here.

There’s plenty to consider before buying a home security system. And like any purchase, the more up-front research you can do on it, the better.

BEFORE YOU GO: These things may be cool, but are they safe?

Make sure that the device that’s supposed to help you keep tabs on your little one isn’t itself a privacy and security risk

We’ve probably all read horror stories online: a parent is woken in the middle of the night by strange noises coming from their child’s bedroom. They open the door, only to find a stranger “talking” to their baby through the monitor. While rare, such cases do happen from time to time.

Smart technology has provided us with numerous ways to keeping our houses safe(r), from smart locks and doorbells to home security cameras. But when gadgets are fitted with computing power and internet connectivity, they also become a target for remote hackers.

Fortunately, a few best practices can help to provide peace of mind that your baby monitor will be doing its job, and not the bidding of a stranger, and doesn’t itself become a security and privacy risk.

How can hackers hijack baby monitors?

Why would anyone want to hijack a baby monitor? Some are just looking to play a prank. Others may have more voyeuristic aims in mind. And some may even be looking to steal personal information overheard on the monitor, or confirming the house is empty so it can be burgled.

Whatever the reason, there are two main ways to hack a baby monitor. They depend on the kind of monitor it is:

Radio frequency monitors require an eavesdropper to be within range of the signal and know the frequency it is using. Both this, and the fact that most leading products of this type use encrypted communications, make these models a safer bet overall, albeit with more limited functionality.

Wi-Fi monitors are more exposed to hacking because they connect to the home router and, often, out to the public internet. The latter support functionality which allows parents to view the video feed via a mobile app, wherever they are. While this could provide peace-of-mind when out and about, it also opens the door to remote hackers, who might be scouring the web looking for unsecured cameras to hijack.

Even devices that don’t offer this functionality could theoretically be hacked if an attacker were able to hijack the home router. The simplest way of doing so is to guess or “brute-force” its password, although more sophisticated attacks may seek to exploit firmware vulnerabilities.

What could happen?

Either way, the potential repercussions are enough to alarm any parent. Hackers could use their access to eavesdrop silently on your baby, or even communicate with it if the device has a speaker. In some cases, footage from hacked cameras has even ended up on underground sites for others to watch.

Real-life examples of baby monitor hacking in the past include:

• An infamous 2014 case in which it emerged that a website in Russia was broadcasting live footage from homes and businesses all over the world, taken from smart devices secured only with default passwords.
• A 2018 case, in which a South Carolina mother noticed her baby monitor camera was being remotely moved to focus on the spot where she breast-fed her son.
• Another incident from 2018 in which a hacker broadcast messages through a hacked monitor, threatening to kidnap the family’s child.
• A 2019 incident in which a stranger hacked a Seattle couple’s monitor and began broadcasting creepy messages to the child.
• A similar case from earlier this year, when a stranger hijacked a monitor and terrorized a three-year-old with menacing messages using a voice changer.

How to keep your family safe

A British consumer rights group recently urged parents to take their security concerns over baby monitors direct to the manufacturers. It claimed that many of these firms will only change their ways once enough consumers demand changes.

“The more people ask, the more security will become their priority,” it claimed. There are also various efforts at a legislative level, for example in the United States and in the European Union, that are designed to improve the baseline levels of security offered by IoT and smart products.

RELATED READING: Privacy by Design: Can you create a safe smart home?

However, in the meantime, parents need advice they can trust. The good news is that a few best practice security tips go a long way towards keeping the hackers at bay. Here are a few examples:

• Research your options well, and aim to go with a well-regarded manufacturer that places a strong emphasis on security, and has good reviews.
• Install any updates to the device’s software (or firmware)
• If possible, choose a model that does not allow remote communication via an app. If it does, turn off remote access, especially when not in use.
• Setting up a strong and unique password, and enabling two-factor authentication if possible.
• Review monitor logs regularly to check for any suspicious activity, such as individuals accessing it from an unusual IP or at strange times.
• Secure your wireless router with a strong, unique password. Also, disable remote access to it, as well as port forwarding or UPnP. Make sure the router is kept updated with any firmware patches.

Baby monitor hacking is an alarming prospect for any parent. But as with any IoT device, it pays to understand where the risks are, and to take extra precautions to lock out any malicious third parties.

To learn more about more dangers faced by children online as well as about how technology can help, head over to Safer Kids Online.

Why not also watch ‘Hey PUG‘, ESET’s new animated series teaching kids to recognize online threats?

How your voice assistant could do the bidding of a hacker – without you ever hearing a thing

Regular WeLiveSecurity readers won’t be stunned to read that cyberattacks and their methods keep evolving as bad actors continue to enhance their repertoire. It’s also become a common refrain that as security vulnerabilities are found and patched (alas, sometimes after being exploited), malicious actors find new chinks in the software armor.

Sometimes, however, it is not “just” a(nother) security loophole that makes the headlines, but a new form of attack. This was also the case recently with a rather unconventional attack method dubbed NUIT. The good news? NUIT was unearthed by academics and there are no reports of anybody exploiting it for pranks or outright cybercrime. That said, it doesn’t hurt to be aware of another way your privacy and security could be at risk – as well as about the fact that NUIT can actually come in two forms.

How NUIT saw the light of day

NUIT, or Near-Ultrasound Inaudible Trojan, is a class of attack that could be deployed to launch silent and remote takeovers of devices that use or are powered by voice assistants such as Siri, Google Assistant, Cortana, and Amazon Alexa. As a result, any device accepting voice commands – think your phone, tablet or smart speaker – could be open season. Ultimately, the attack could have some dire consequences, ranging from a breach of privacy and loss of trust to even the compromise of a company’s infrastructure, which could, in turn, result in hefty monetary losses.

Described by a team of researchers at the University of Texas in San Antonio (UTSA) and the University of Colorado Colorado Springs (UCCS), NUIT is possible because microphones in digital assistants can respond to near-ultrasound waves played from a speaker. While inaudible to you, this sound command would prompt the always-on voice assistant to perform an action – let’s say, turn off an alarm, or open the front door secured by a smart lock.

To be sure, NUIT isn’t the first acoustic attack to have made waves over the years. Previously, attacks with similarly intriguing names have been described – think SurfingAttack, DolphinAttack, LipRead and SlickLogin, including some other inaudible attacks that that, too, targeted smart-home assistants.

Night, night

As mentioned, NUIT comes in two forms: They are:

• NUIT 1 – This is when the device is both a source and the target of an attack. In such cases, all it takes is a user playing an audio file on their phone that causes the device to perform an action, like sending a text message with its location.



• NUIT 2 – This attack is launched by a device with a speaker to another device with a microphone, like from your PC to a smart speaker.



As an example, let’s say you are watching a webinar on Teams or Zoom. A user could unmute themselves and play a sound, which would then be picked up by your phone, prompting it to visit a dangerous website and compromising the device with malware.

Alternatively, you could be playing YouTube videos on your phone with your loudspeakers, and the phone would then perform an unwarranted action. From the user’s perspective, this attack does not require any specific interaction, which makes it all the worse.

Should NUIT keep you up at night?

What does it take to perform such an attack? Not much, as for NUIT to work, the speaker from which it is launched needs to be set to above a certain level of volume, with the command lasting less than a second (0.77s).

Moreover, obviously you need to have your voice assistant enabled. According to the researchers, out of the 17 devices tested, only Apple Siri-enabled devices were harder to crack. This was because a hacker would need to steal your unique voice fingerprint first to get the phone to accept commands.

Which is why everyone should set up their assistants to only work with their own voice. Alternatively, consider switching your voice assistant off when it’s not needed; indeed, keep your cyber-wits about you when using any IoT devices, as all sorts of smart gizmos can be easy prey for cybercriminals.

The doctor’s orders

The researchers, who will also present their NUIT research at the 32^nd USENIX Security Symposium, also recommend that users scan their devices for random microphone activations. Both Android and iOS devices display microphone activation, usually with a green dot on Android, and with a brown dot on iOS in the upper part of the screen. In this case, also consider reviewing your app permissions for microphone access, as not every app needs to hear your surroundings.

Likewise, listen to audio using earphones or headsets, as that way, you are less likely to share sound with your surroundings, protecting against an attack of this nature.

This is also a good time to make sure you have the cybersecurity basics covered –  keep all your devices and software updated, enable two-factor authentication on all of your online accounts, and use reputable security software across all your devices.

RELATED READING:

Work from home: Should your digital assistant be on or off?

Alexa, who else is listening?

Mitigate the risk of data leaks with a careful review of the product and the proper settings.

Since the first model hit the market in the 2000s, robotic vacuum cleaners have advanced rapidly. They can swiftly clean every corner without much bumping around, and the latest versions are close to defeating their long-time nemeses: cables and shoelaces. 

They comes with a price, though, and we are not talking only about money. To deal with obstacles, modern robot vacuums are equipped with sensors, GPS or even cameras! Using powerful tools to collect your dust, your smart vacuum also gathers something else – your personal data.  

Cases like the leaked pictures of a woman sitting on toilet raise questions about how much your robot vacuum knows about you and – more importantly – what it is sending to someone else.  

Just how much does your vacuum cleaner know about you? 

A few well-known cases might give us some hints.  

In early 2022, the MIT Technology Review acquired personal photos of in homes and intimate photos captured from low angles. According to the publication, these pictures were taken by a development version of iRobot’s Roomba J7 series. 

iRobot – one of the world’s most prominent vendors of robotic vacuums – confirmed that these images were captured by its Roombas in 2020 as part of a product development process. 

The pictures were taken by the Roomba and then sent to Scale AI, which uses them for AI development and which, ultimately, helps iRobot to improve its products by recognizing more objects and obstacles. Unfortunately, in this case, a number of Scale AI gig workers did not respect their privacy agreements and shared the photos taken by the vacuum cleaners on private groups on social media. 

Show me your house, I’ll tell you what you need 

In August 2022, Amazon announced its intention to acquire iRobot. In a time of bigger regulatory concern over market competition and privacy, the deal sparked about what data could be collected by Amazon and how it could be used. In July 2023, the European Commission announced an official investigation into the deal to understand whether the deal it could give a company like Amazon a big advantage to its Marketplace business; i.e., if the images collected could be used to improve organic purchase suggestions and better tailored ads based on real personal data.     

For example, robotic vacuum cleaners can learn your daily routine based on the cleaning schedule you set. Likewise, saved house floor maps reveal a home’s size and design, which can suggest income levels and other information about one’s living conditions. And, of course, a data leak could potentially reveal images of your place, including ways of identifying who you are and where you live. 

Cold War-like espionage by your vacuum cleaner? 

Inspired by the eavesdropping technique, which has been in use since the Cold War, the 2020 research conducted by computer scientists from the National University of Singapore (NUS) and the University of Maryland (UMD), used the navigation systems of robot vacuums and converted them into laser microphones. 

This way, with an object such as a vacuum cleaner inside your house, it is possible to record changes in vibrations produced in response to the pressure waves created. These changes can, ultimately, be converted so that a conversation taking place in that room can be listened to. 

The more capable a smart device is, the more it knows about you 

Recent versions of robotic vacuum cleaners usually keep a map of your house and can be operated via a smartphone app. Many of these models also feature voice control, usually compatible with Amazon Alexa or Google Assistant. And most of the smart capabilities come from cameras, sensors and microphones. 

If you want a privacy-focused robot vacuum cleaner, consider those that rely on inertial measurement combining gyroscopes and accelerometers. The reason is simple: Such devices do not need cameras, lasers or mapping to work. However, the drawback is that they move less effectively than their high-end counterparts and may repeatedly run through some areas of your home.  

When it comes to phone control over a vacuum cleaner, use secure mobile apps instead of voice control.  

How to protect your data – points to consider before purchasing a new smart vacuum 

• Some models can operate offline without some features like remote control or scheduling. Others need to be specifically set not to send data to the manufacturer’s server.  
• Many cleaners also can be prohibited from entering certain rooms, such as a bedroom or a bathroom. This can be done through settings or by using virtual wall barriers.   
• Before buying your new little robot, also check out its manufacturer. Choose those that favor data encryption and require two-factor authentication to access the robot’s mobile apps. 
• Choose a vendor that offers regular updates to the mobile app and the vacuum’s firmware. 
• Always check the lifespan of the product you’re buying and for how long it is expected to receive manufacturer support. 

Trading privacy for convenience 

The evolution of smart vacuum cleaners is an example of people trading privacy for convenience. The more capable our smart devices are, and the more data they are allowed to gather, the more they intrude upon our lives; hence there is a lower guarantee of anyone keeping their privacy fully intact. 

However, for those who value their privacy and data protection over convenience, the best way to stay out of sight is to stick with good old “dumb” devices. Using a standard vacuum cleaner may require more time to finish a weekend clean-up, but at least it won’t take pictures of you sitting on the toilet. 

Nonetheless, if you still find robotic vacuum cleaners too convenient to avoid, then being selective with their settings and the data points they can gather is one way to retain some semblance of control over your privacy.  

When it comes to privacy, it remains complicated and near impossible for a consumer to make an informed decision.

16 Aug 2023
 • 
,
3 min. read

A presentation at DEF CON, 10 am on a Sunday morning in Las Vegas. My expectation was it would be poorly attended – I could not have been more wrong. A packed room greeted Dennis Giese, a renowned expert in “hacking” robot vacuum cleaners. The theme of the presentation was how to stop your robot vacuum cleaner from sending data back to the vendor, a discussion based on privacy and security.

Last month my colleague Roman Cuprik published an article on WeLiveSecurity detailing how these home vacuuming devices may be spying on their owners, so I will not get into the weeds of the potential issues of spying here but rather discuss the standout parts of Dennis’s excellently delivered presentation.

The researcher Dennis led had a simple goal – could they root the target device without disassembling it? Rooting the device in simplistic terms means gaining access to the underlying software used to control the device, and possibly modifying it. In the current case, this creates an opportunity not to make the device go rogue but rather for the software to be modified in order not to share personal data and to give ultimate control back to the owner.

A play on words 

I am assuming at this point you are either savvy enough to have read Roman’s article or that you have a grasp on the privacy issues, such as robot vacuums with cameras sending pictures back to the vendor’s cloud servers, potentially identifying all the things you have in your home.

One of the issues highlighted by Dennis is that vendor claims may not match reality: for example one company called out in the presentation claims it does not send any data back to the cloud, it never duplicates data, and that the cameras on its devices are only there to protect objects in your home from collisions. This sounds feasible, but another feature listed for the same device is that you can access the camera remotely and watch the device working. So how do they do that if the image or video stream is not shared through the company’s cloud servers that provide the functionality; maybe there is some genuine wizardry involved.

Another issue raised in the presentation was the wording used by companies to describe the functionality and features of the products. Due to bad press in recent years relating to devices with cameras on them, and especially the possibility of abuse, some manufacturers have reputedly removed cameras; their documentation instead says their devices utilize “optical sensors”. This is just a play on words; they are — of course — cameras and it was demonstrated in the presentation that they are capable of capturing images: they are cameras.

The presentation went into more details and examples that were all just as shocking; it also highlighted that many of the devices tested and found to have privacy and security issues are certified by some renowned testing labs; the examples of certifying authorities given were a respected German testing authority and, more broadly, the European Union certification of devices.

Statements versus reality 

In Roman’s blogpost, he recommends conducting pre-purchase investigation of devices, which I fully concur with in most instances had I not listened to this presentation at DEF CON. It’s clear that while security has improved in the firmware and operation of these dust-collecting devices, it remains complicated and near impossible for a consumer to make an informed decision.

A device that states it shares no data to the cloud, has no onboard cameras, and carries certification for security and privacy from widely respected testing labs would seem to meet all the requirements of a privacy-conscious consumer; in reality, though, what is happening under the hood may be completely different. The presentation was not about one manufacturer or model but listed numerous cases of both. Until there is clarity, I’ll stick to pushing my handheld vacuum around the house.

One last comment – a callout to Dennis Giese for delivering such a great presentation on a Sunday morning in Vegas. But I urge you not to divulge issues to a public audience and rather follow industry-coordinated disclosure standards. I am sure the robot vacuum cleaner companies would appreciate this, as would most consumers. No one wants to own a device with a vulnerability that has no patch due to disclosure not following industry best practices.

Outdated devices are often easy targets for attackers, especially if they have vulnerabilities that can be exploited and no patches are available due to their end-of-life status.

Hacks of outdated or vulnerable devices are an issue, but why would anyone attempt to hack discontinued devices or those running out-of-support software? To gain control? To spy on people? The answer is quite multifaceted.

The end of life is coming — for your device

There comes a time when a device becomes obsolete, be it because it gets too slow, the owner buys a new one, or it lacks functionalities compared to its modern replacement, with the manufacturer shifting focus to a new model and designating the old one as end of life (EOL).

At this stage, manufacturers stop the marketing, selling, or provisioning of parts, services, or software updates for the product. This can mean many things, but from our standpoint, it means that device security is no longer being properly maintained, making the end user vulnerable.

After support has ended, cybercriminals can start gaining the upper hand. Devices such as cameras, teleconferencing systems, routers, and smart locks have operating systems or firmware that, once obsolete, no longer receive security updates, leaving the door open to hacking or other misuse.

Related reading: 5 reasons to keep your software and devices up to date

Estimates say that there are around 17 billion IoT devices in the world – from door cameras to smart TVs – and this number keeps increasing. Suppose that just a third of them become obsolete in five years. That would mean that a bit over 5.6 billion devices could become vulnerable to exploitation – not right away, but as support dries up, the likelihood would increase.

Very often, these vulnerable devices can end up as parts of a botnet – a network of devices turned into zombies under a hacker’s command to do their bidding.

One person’s trash is another’s treasure

A good example of a botnet exploiting outdated and vulnerable IoT devices was Mozi. This botnet was infamous for having hijacked hundreds of thousands of internet-connected devices each year. Once compromised, these devices were used for various malicious activities, including data theft and delivering malware payloads. The botnet was very persistent and capable of rapid expansion, but it was taken down by 2023.

Exploitation of vulnerabilities in a device like an IoT video camera could enable an attacker to use it as a surveillance tool and snoop on you and your family. Remote attackers could take over vulnerable, internet-connected cameras, once their IP addresses are discovered, without having had previous access to the camera or knowing its login credentials. The list of vulnerable EOL IoT devices goes on, with manufacturers typically not taking action to patch such vulnerable devices; indeed this is not possible when a manufacturer has gone out of business.

Why would someone use an out-of-date device that even the manufacturer deems unsupported? Be it either lack of awareness or unwillingness to purchase an up-to-date product, the reasons can be many and understandable. However, that does not mean that these devices should be kept in use — especially when they stop receiving security updates.

Alternatively, why not give them a new purpose?

Old device, new purpose

A new trend has emerged due to the abundance of IoT devices in our midst: the reuse of old devices for new purposes. For example, turning your old iPad into a smart home controller, or using an old phone as a digital photo frame or as a car’s GPS. The possibilities are numerous, but security should still be kept in mind – these electronics should not be connected to the internet due to their vulnerable nature.

On the other hand, getting rid of an old device by throwing it away is also not a good idea from a security standpoint. Apart from the environmental angle of not messing up landfills with toxic materials, old devices can include treasure troves of confidential information collected over their lifetime of use.

Again, unsupported devices can also end up as zombies in a botnet — a network of compromised devices controlled by an attacker and used for nefarious purposes. These zombie devices most often end up being used for distributed denial of service (DDoS) attacks, which overload someone’s network or website as revenge, or for a different purpose such as drawing attention away from another attack.

Botnets can cause a lot of damage, and many times it takes a coalition (often consisting of multiple police forces cooperating with cybersecurity authorities and vendors) to take down or disrupt a botnet, like in the case of the Emotet botnet. However, botnets are very resilient, and they could reemerge after a disruption, causing further incidents.

Smart world, smart criminals, and zombies

There’s a lot more that can be said about how smart devices represent further avenues for crooks to exploit unsuspecting users and businesses, and the discussion surrounding data security and privacy is a worthy one.

However, the takeaway from all this is that you should always keep your devices updated, and when that is not possible, try to dispose of them securely (wiping old data), replace them with a new device after secure disposal, or find them a new, much-less-connected purpose.

Outdated devices can be easy targets, so by keeping them disconnected from the internet or discontinuing their use, you can feel safe and secure from any cyber harm through them.

Before you go: Toys behaving badly: How parents can protect their family from IoT threats