JEFFREY BROWN: Now: New technology presents new concerns over privacy in unexpected places.
An ever-expanding array of appliances and household devices has made our lives easier and sometimes safer. Now connected to the Web, they’re becoming known as the Internet of things: baby monitors with cameras, home thermostats, even refrigerators. These so-called smart devices are programmable and easy to access remotely, both by their owners and, as it turns out, by hackers.
Yesterday, the Federal Trade Commission cited one seller of Web-enabled video cams for its inadequate security protections. It found that a breach in the company’s software allowed hackers to post links to the live video feeds of its customers’ security cameras.
Hari Sreenivasan takes the story from there.
HARI SREENIVASAN: Kashmir Hill is a senior editor and writes the technology and privacy column “Not-So Private Parts” at Forbes.com.
Thanks for joining us.
Let’s start with putting this case in perspective. The FTC ruling yesterday, is this just limited to one company, or are there lots of other companies that have this weakness?
KASHMIR HILL, Forbes.com: It’s not limited to one company.
There are several device makers who are making products that are connected to the Internet now and there are many that have security vulnerabilities. Not only is TRENDnet not the only company that has vulnerable devices. It’s not the only camera company.
Just a few weeks ago, another company out of China called Foscam had a baby monitor in a Texas family’s home that was hacked by somebody who came in and started saying nasty things to a 2-year-old, until the father rushed in and unplugged the baby monitor.
HARI SREENIVASAN: That’s horrible.
Now, you said in one of your articles that there’s even a search engine to help people find this.
KASHMIR HILL: There is a search engine.
It’s called Shodan. It’s like Google. But where Google crawls for websites, this actually crawls the Internet looking for connected devices. And it’s found all kinds of things. It’s found cars that are connected to the Internet, the cameras that we have heard about, building control systems for Google’s headquarters in Australia and power plants and water filtration companies.
There are so many products now that are connected to the Internet, because it’s so useful to be able to check on them or control things from afar. But a lot of times, these products are being designed without good security, so that somebody can, one, see that they’re there, and in some cases even go in and control those devices or access their streams.
HARI SREENIVASAN: And you have been one of those people. You hacked into a smart home. Tell us a little bit about that.
KASHMIR HILL: I have been one of those people.
I was talking to security researchers about some research that they had done around home automation systems. And there was one particular product made by a company called Insteon that had no — once a person had connected it to their home, it actually has no authentication system. You didn’t need a password to be able to access it.
And in some cases, the systems were showing up in Google search results. You didn’t even need Shodan to get to them. And so I was able to do a very simple Google search. And I had a list of eight homes around the country where I was able to get in and turn on lights, turn water pumps on and off, potentially open garage doors.
And so, in one case, I called this man in Portland who had one of these systems, and I asked him, do you mind if I see if I can turn your lights on and off? And I did. And he was shocked. He had no idea that anyone on the Internet could get access to his system.
HARI SREENIVASAN: So, what can someone do? I mean, as you say, there are so many devices around us that are connected, most of us might not be as conscious about the privacy settings or the security settings on each of these devices and the services that we’re using through them.
KASHMIR HILL: Yes, these devices are really convenient and there are a lot of benefits to them. You know, the big responsibility is with the vendors and companies that make these products. They need to make them with good security, so that consumers aren’t put in this place where they’re vulnerable.
Things that consumers can do, one, make sure that if you have a device that connects to the Internet that you can access from somewhere else that it has some kind of username and password attached to it. If it comes with a default username or password, you should change that, because hackers can figure that out very quickly.
In one case, a hacker — an anonymous user went through and connected to 400,000 devices on the Internet using default usernames and passwords. So that’s just not secure. And if you’re a very savvy user, you can set up a virtual private network through which your device connects to the Internet, so that somebody who is searching the Internet can’t find it.
But I think that is above the technical levels of most consumers.
HARI SREENIVASAN: So is this something where technology is far ahead of any legislation to protect us or regulations?
KASHMIR HILL: At this point, you know, when you buy — let’s say you get tires from a tire company, and those tires are defective in some way, and it causes you to crash, you have the ability to go after that company.
At this point, we’re not quite there with software. We’re still trying to figure out what the kind of privacy and security responsibilities are for companies that are providing and making these kinds of products. The decision by the Federal Trade Commission to, you know, go after an I.P. cam maker that created vulnerable devices is telling.
And so the hope is that companies will avoid making these kind of vulnerable products to avoid getting in trouble with the FTC. And the hope is that public shaming, appearing in negative news reports, will help.
But I don’t know that the law has really caught up with the possibilities here.
HARI SREENIVASAN: All right, Kashmir Hill, thanks so much for joining us.
KASHMIR HILL: My pleasure.
JEFFREY BROWN: And that was Hari appearing from our new New York studio.