TOPICS > Nation

When smart devices are always on, vulnerability may be a trade-off of convenience

March 9, 2017 at 6:35 PM EDT
WikiLeaks' release of a trove of documents about the CIA's ability to breach smartphone and TV encryption was a revelation of potential vulnerabilities that surprised many. Hari Sreenivasan separates fact from fiction about their capabilities to take advantage of those devices with Brian Barrett, news editor of Wired, and how to be mindful about the reality of today’s “internet of things.”
LISTENSEE PODCASTS

HARI SREENIVASAN: The WikiLeaks release earlier this week showed the CIA could use hacking tools to break into cell phones, computers and Internet-connected televisions. We should say there is no evidence the CIA used this against Americans. But the revelations surprised many.

It raises the concerns for the increasing number of Internet-connected devices all around us, and what they’re monitoring and who has access to it.

In fact, in a recent murder case, law enforcement is trying to gather recordings from an Amazon Echo in order to see if it might have picked up evidence surrounding the crime.

Brian Barrett covers these issues for Wired. He joins me now.

Brian, let’s separate the fact from the fiction a little bit here. What have we learned from these leaks? What are these devices capable of recording?

BRIAN BARRETT, Wired: Well, you know, it’s interesting.

What we learned from the leaks is more of a confirmation that the CIA is hacking into a lot of devices. You would sort of expect that, but what it shows is that these devices can be used in ways that we might not have expected.

So, a smart TV, for instance, has a microphone on it because sometimes remote controls are voice-activated now. But the CIA has found a way to use that to listen to you. Your smartphone, which the CIA knows how to, whether it’s an iPhone or Android phone, compromise, those, too, the microphones can listen to you. They can access the camera. They can look through all of the documents that you have.

It’s really full access to your digital life.

HARI SREENIVASAN: Unlike the Snowden revelations, this isn’t about mass surveillance, bulk collection of information. This is in the targeted sense.

But there’s kind of a violation of a sense of privacy here.

BRIAN BARRETT: Yes, well, I think that’s an important distinction to make.

There is nothing in these leaks to indicate that the CIA is looking at anyone that they shouldn’t be or that you wouldn’t expect them to be. What it does say is that there are a lot more vulnerabilities out there than we may have thought and that people other than the CIA may have access to them as well.

The CIA doesn’t necessarily have the only access to, say, an IOS exploit that allows them to get into everybody’s iPhone, especially when you consider that these documents, according to WikiLeaks and other reports, have been out for two months circulating in sort of the underground channels that you would expect.

So, the real danger here isn’t necessarily from the CIA. It’s that these tools exist and that other people may have access to them and may be using them.

HARI SREENIVASAN: And the fact the government didn’t necessarily come clean and tell the tech companies that, hey, there is this hole, there’s this backdoor, there’s this side door that you can go through, does that mean that essentially since the vulnerabilities were discovered until now or until whenever these tech companies are made aware of it, that we have kind of been at greater risk?

BRIAN BARRETT: Well, you know, I want to be cautious there, because we don’t know for sure if the CIA talked to tech companies or not. The companies themselves, understandably, don’t want to talk a lot about it. The CIA is very quiet about it.

But I think that’s true, and especially when you consider there is a framework that has been in place for a few years developed by the Obama White House where intelligence agencies agreed in certain circumstances to give up these so-called zero day patches, if they are not as useful as they need.

So, this indicates that there are hundreds of these vulnerabilities that both the CIA uses, presumably the NSA — presumably, the FBI has their own as well — that are not being disclosed. And that lack of disclosure, yes, does mean that people could be at risk at large.

HARI SREENIVASAN: This isn’t necessarily the privacy vs. security false dichotomy, but there seems to be some privacy that we exchange for convenience, when we get objects in our home, whether it’s a smart TV or one of these Amazon Echo or Google Home devices that’s perpetually on and just waiting for us to say something.

I guess we trade in the fact that there is something listening to us if it’s waiting for us to say something.

BRIAN BARRETT: That’s true. And I think that’s more evident than ever before, especially as we start to connect more and more devices to the Internet.

There is nothing in the CIA leaks to indicate that they had any access to an Amazon Echo or a Google Home, for instance, but these are devices that have microphones on them and listen to you. The Internet of Things, almost everything has some sort of Internet connection, which isn’t to say that your dishwasher, Internet-connected dishwasher, is going to be spying on you, but maybe it gets enlisted in a botnet.

I think the most important takeaway is for people at home realizing that every time you let one of these devices into your house, you’re creating a new entry point potentially for hackers. That’s not to be alarmist.

And I think it is, as you said, a trade-off, one that most people are happy with and one that most people won’t run into a problem with, but it is something to be mindful of.

HARI SREENIVASAN: All right, Brian Barrett of Wired, thanks so much.

BRIAN BARRETT: Thank you.

SHARE VIA TEXT