Google Home’s data leak proves the IoT is still deeply flawed
The Internet of Things (IoT) security problem isn’t going away. The connected network of billions of devices – from smart doorbells to office printers – is regularly found to have privacy problems and be open to attack by potential hackers.
The latest of these incidents? Google’s artificial intelligence Home speaker and the Chromecast, the firm’s streaming device, have been found to reveal a user’s precise physical location. Revealed by Tripwire security researcher Craig Young, the bug can make a person’s location known to an accuracy of around 10 metres.
“I’ve only tested this in three environments so far, but in each case, the location corresponds to the right street address,” Young told Brian Krebs in an interview published at the same time as Young’s research. Locations could be extracted as some commands the Home and Chromecast devices receive are transmitted across unsecured HTTP connections and without any form of authentication.
There are some caveats to the privacy issue which mean it would be unlikely to be exploited by those with malicious intent. An example of the attack created by Young requires an individual to open and remain on a webpage for around a minute. While this is happening the Wi-Fi network is scanned and any connected Google devices are highlighted – their specific location data can then be gleaned.
“The real issue with this data leak is that home networks can no longer be considered “trusted” environments,” says Noah Apthorpe, from Princeton University’s computer science department. He explains that many devices and software may not seek authentication for sending communications on the same Wi-Fi or Bluetooth networks.
“This data leak indicates how the IoT necessitates the hardening of previously trusted environments to protect against an influx of potentially vulnerable or malicious IoT devices,” Apthorpe continues. Young’s blog post adds that people should “assume that any data accessible on the local network without credentials is also accessible to hostile adversaries”. He argues that all requests issued by devices should be authenticated and, if they aren’t, as little information as possible should be included.
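As an added illustration of the principle Young describes (this is not code from Google, Tripwire or the original article), the sketch below shows a local-network device that serves full data only to signed requests and a minimal response to everything else. The device state, the `X-Timestamp` and `X-Signature` header names, the paths and the pairing key are all hypothetical.

```python
import hashlib
import hmac
import time

# Constructed sample state for a hypothetical LAN device; not Google's API.
PAIRING_KEY = b"constructed-demo-key-set-at-pairing"
DEVICE_STATE = {
    "name": "Living room speaker",
    "firmware": "1.0.0",
    "nearby_networks": ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"],
    "location": {"lat": 0.0, "lon": 0.0},
}
PUBLIC_FIELDS = ("name",)   # the only data served without credentials
MAX_SKEW_SECONDS = 30       # reject stale signatures to limit replay


def sign(method, path, timestamp, key=PAIRING_KEY):
    """Client side: HMAC-SHA256 over method, path and timestamp."""
    msg = f"{method}\n{path}\n{timestamp}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def is_authenticated(method, path, headers, now=None):
    """Device side: check freshness, then compare signatures in constant time."""
    now = time.time() if now is None else now
    try:
        timestamp = int(headers["X-Timestamp"])   # hypothetical header name
        supplied = headers["X-Signature"]         # hypothetical header name
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign(method, path, timestamp)
    return hmac.compare_digest(expected.encode(), supplied.encode())


def handle_request(method, path, headers, now=None):
    """Return (status, body). Unauthenticated callers get minimal data."""
    authed = is_authenticated(method, path, headers, now)
    if path == "/info":
        if authed:
            return 200, dict(DEVICE_STATE)
        return 200, {k: DEVICE_STATE[k] for k in PUBLIC_FIELDS}
    if not authed:
        return 401, {"error": "authentication required"}
    return 404, {"error": "unknown path"}
```

A request from a web page or another device on the same Wi-Fi that lacks the pairing key receives only the device name, so nothing location-related leaves the device without credentials.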
After Young initially reported the issue to Google it replied saying the action was the “intended behaviour” and it wasn’t planning on fixing the bug. However, after Krebs contacted Google the company changed its mind. A patch will be issued towards the end of July.
The Google Home and Chromecast may have been operating as they were intended to, but the privacy issue is just another in the ever-growing list of security and privacy concerns over the IoT. Just in June an “unbreakable” smart lock could be opened in two seconds by security researchers using an Android app, a baby monitor was found to have issues, and other security cameras were issued with fixes for bugs.
In October 2016, the Mirai botnet took control of insecure IoT devices and launched a giant Distributed Denial of Service (DDoS) attack which took down large parts of the internet. The botnet was the starkest warning to IoT device creators about the potential damage that could be caused through security issues. Elsewhere, UK and Russia governments have admitted Russia has targeted “millions” of connected devices including IoT gadgets. Other malware has been found on 500,000 routers and has had the potential to turn them off.
Security researchers are trying to fix the IoT’s security problems, though. Google’s Android Things operating system for IoT includes automatic security updates for developers that will operate for three years. MIT academics have created a chip that allows IoT devices to be easily encrypted and officials in the US have mooted security laws for IoT devices.
But these efforts to increase IoT security will take time to have an impact due to product cycles. “While new devices come with more updated security primitives however old devices remain vulnerable,” says Theophilus Benson, an assistant professor in the Computer Science Department at Brown University. “Additionally, while many large players are actively tackling security issues, there is a subset of manufacturers that are sluggish because of a lack of security expertise or a lack of sufficient resources to effectively tackle security-related problems.”
So, what should smaller manufacturers be doing? David Alexander, digital trust and cyber resilience expert at PA Consulting, says products shouldn’t be rushed out by manufacturers and they should be thinking about “security by design”.
“Smaller manufacturers should focus on getting the recipe of security and quality over cost right,” Alexander says. “This will not only give the consumer confidence and trust in their devices but it will set smaller manufacturers apart from their competition.”