InfoSec CTO: How To Improve The Privacy IQ Of Smart Devices


When it comes to the world of cybercrime touching the connected smart devices that consumers are increasingly using, it is easy to come across some disconcerting thoughts. Unlike fraud that might lift one’s credit card number, or even swipe personal information out of a database, there is something particularly worrisome about hackers getting a hold of a smart speaker or baby monitor because it feels so much more personal.

That concern, InfoSec Global’s CTO Richard Henderson told Karen Webster in a recent conversation, is far from totally misplaced. There are many vulnerabilities out there. It’s a fact Henderson has come to appreciate more fully as of late since he and his fiancée are currently trying to buy a smart baby monitor — and are finding themselves talking more about security from third-party attacks than he ever imagined.

“A friend had told her that someone had gotten into the two-way communication on the device in their baby’s room, and had said some inappropriate things,” he explained to Webster.

Though he said he has doubts about that specific story (since it has something of an “urban legend ring to it”), the bigger picture is that security experts have to be worried about these types of events because they are real.

There have been major manufacturers accused of programming their smart TVs to “spy” on their owners, keeping track of their viewing habits in an attempt to target them with more relevant ads. Moreover, investigations and product breakdowns by security experts have shown that smart devices of all descriptions are often full of easy access points, and occasionally gather and transmit more information than even their makers are aware of, Henderson said.

So, how to tackle the security of smart devices in a world where more devices are becoming smart?

The first step, he noted, will involve the ecosystem getting real about digital security threats in general, and how to best address them as they emerge in context.

Some Incontrovertible Truths Of Security

The first, and most important, lesson to keep in mind when it comes to digital security, Henderson said, is that there is no magic invisibility cloak that will always keep a customer safe from the predation of cybercriminals.

“Things are going to happen, no matter how secure you are,” he said, noting that even he gets hit from time to time, and has to tell his bank to cancel a card because fraudsters somehow got to it. This is a reality of consumer life in 2019 — and it’s a story that is much bigger than the smart device marketplace.

“It doesn’t matter if you are using smart devices or not. The reality is cybercriminals will always find a way to commit fraud, no matter how easy or hard you make the access,” he added.

That said, Henderson noted, digital hygiene counts for a lot. When one is looking to protect their security online, it makes sense to stick to mainstream channels — sites one knows, or large entities that tend to be responsive to customer concerns and complaints.

The same rule applies to devices, he explained. Using channels that one can trust (such as laptops, iPhones, recently updated Android devices, smart speakers made by major players like Amazon and Google) can go a long way in helping to keep customers secure with functioning devices.

“If you do decide you want to use smart devices,” he said, “and the question is if you should use a no-name, third-party smart plug that is made by a Chinese manufacturer who then forgets them and never issues any kind of patch, it’s not a good idea for the average Joe who is not particularly technologically skilled. If you want to set it and forget it, and move on with your life, just spend the extra money and don’t front load your risk.”

After all, he explained, the risk with the “cheaper” devices, aside from the security risk, is simply function, period. For the high-tech user, that can mean all kinds of problems if a smart device in their network just fails the good old-fashioned way.

“Does it take down your entire network? If you don’t know, you don’t want to [find out] when it happens,” Henderson explained.

This can be particularly damaging in corporate environments, where security professionals spend much of their time looking for “rogue devices” that employees plug in, unaware that a single point of malfunction or attack can cause chaos in a corporate network.

“Control is always critical in these situations — and consumers and institutions can exert a lot of control with any of their digital devices, just with stronger use habits,” he said.

The Complex Relationship

Control can be a tall order with smart devices, Webster noted, because consumers don’t control the most basic function of a smart device: the on/off function. These devices must always be on and “listening” to do their jobs, which can make some consumers feel less in control and more under surveillance.

It is a complicated issue, Henderson added. Since these devices always need to be on and monitoring, some players like Amazon — to calm those consumer fears — have programmed them to listen without “paying attention,” unless they hear the magic words that clue them into reacting.

“They are not always streaming the background audio of your life for [Amazon Web Services (AWS)] and for processing,” he explained.

There are firms that might not be as trustworthy with consumer data. However, by and large, the major players in smart speakers and devices have demonstrably built devices that aren’t “always actively listening.”

Could exploits be found that would give outside third parties access to a smart speaker microphone, such that they could turn it on and listen to everything in range of that speaker? Yes, Henderson noted, it is absolutely possible that such an exploit could be discovered.

Will the average consumer be a target for that kind of attack? Probably not, he answered, noting that if someone is looking to listen in on someone else, they probably have a specific reason. They aren’t interested in just hearing random background noise in the hope that someone might say something valuable in front of Alexa.

“Could it happen to you? Yes. But it is more likely that someone is going to find an exploit to find a way to take over them so they can do things like use them to launch pay-for-use, denial-of-service attacks or for things like cryptocurrency mining,” he said.

Being Realistically Concerned

Today, the world is nearly unrecognizable from the pre-iPhone world of 10 years ago, Henderson told Webster. From a technological point of view, he believes even bigger changes are steering us into the immediate future.

“I think we are at a dawn of a new era with quantum computing and technology,” he said. “That is going to be a lot of changes for everyone out there, [a] change that will feel like it is coming overnight. That change is going to come with a lot of great benefits, as well as a host of new threats no one has even thought of yet.”

However, he said, that is the nature of progress in the digital age — lots of possibilities, but also a host of reasons to be concerned at all times. Those concerns, though, need to be balanced against the gains that can be realized, and the possibilities to be unlocked.

“With the inevitable march of technological progress, I don’t want people to be stopped from embracing the future that is here,” he said.