WASHINGTON DC —
There’s no need explaining to Adam and Heather Schreck how the Internet can threaten privacy in unexpected ways. They know firsthand.
Last spring, the Cincinnati-area couple was asleep one night when Heather awoke to what sounded like a man’s voice coming from their infant’s bedroom.
There, Heather found an unknown person was watching their daughter via the video monitor attached to the crib, again and again yelling, "Wake up, baby!"
When her husband entered moments later, the webcam swiveled up to look at the couple, with the user screaming obscenities at Adam until he yanked the camera’s plugs.
"Someone had hacked in from outside," Heather told a local TV station.
Added her husband, "You kinda do feel violated."
The Schrecks are among many Americans who are learning how the "Internet of things" – the collection of everyday appliances that users increasingly can manipulate via the Web – can provide equal measures of convenience as well as privacy and security challenges.
While their case grabbed headlines, such stories are becoming more common.
And, according to a security report released earlier this month, the threats presented by the rapidly expanding Internet of Things, or IoT, are likely even larger than previously thought.
Insecurity of things
"Back in the day, it used to be mass-mailing email worms [that worried us], but obviously things have changed," said Candid Wueest, co-author of "Insecurity in the Internet of Things" and a principal threat researcher with the Internet security firm Symantec. "It’s clear everything's connected now. Unfortunately, connected also means 'could be attacked.' "
The industry analyst firm Gartner estimates that 4.9 billion "things," or smart devices, will be in use this year, with that number skyrocketing to 25 billion in just five years.
These things increasingly touch on nearly every aspect of our personal and professional lives: smart TVs, closed-circuit cameras, heating and cooling systems, cars, refrigerators, ovens and door locks.
Chances are pretty good that if it can be built, someone will connect it to the Internet.
The IoT promises a world of enhanced convenience.
For example, you can turn up your air conditioning via your smartphone before you return from the beach or switch on and off your home lights and oven while still at work.
'How secure are they?'
But, Wueest said, every new device connected to a home network or Internet creates a new path for hackers to break in. And this, he said, is not an issue many manufacturers are addressing.
"We see people are buying these devices. The question is: How secure are they? Does your neighbor see what you’re doing at home? Could he actually switch off your lights?" Wueest asked.
Previous studies have suggested the answer is a qualified yes.
A 2014 study by researchers at HP Fortify found the average IoT device – such as for home alarms, thermostats and garage door openers – has an average of 25 vulnerabilities, with 70 percent of devices vulnerable to attack.
Earlier this year, Wueest and his team at Symantec’s Global Security Response Lab began looking more deeply into these connected devices. They analyzed 50 smart home devices, already on the market, for security or privacy exploits.
Nearly every device Wueest’s team looked at had one or more security vulnerabilities: most of them basic, and some as fundamental as not having password-protecting devices or requiring user authentication.
"It’s devastating and shocking to see that we still see so many devices with no proper authentication implemented," Wueest told VOA. "So for many of the devices we looked at, we actually saw that once you deployed them in your Wi-Fi at home, your network, they don’t require any additional authentication. Anyone [accessing] that smart home Wi-Fi can send commands and do what they like."
For example, the Symantec team identified one vulnerability in a popular smart door lock that would have allowed a hacker, with one command, to unlock thousands of doors across the country.
Relearning from the past
The Symantec report details a variety of attack pathways and tactics hackers could use to gain control over a host of smart things.
While some of those include obvious holes, such as password protection, Wueest’s team found a range of back-end vulnerabilities nearly identical to those that home computer manufacturers identified and fixed a decade ago.
"It’s a beginner’s mistake. ... It seems like history is repeating," he said. “We see the same mistakes, like website vulnerabilities or not using passwords being repeated again and again. The question for us: Are the manufacturers not doing it because users are requesting it?"
The report doesn’t directly ascribe blame for the security lapses, but researcher Wueest said both users and manufacturers share in the problems and the solutions.
On the user end, he said that even if offered robust password security, most users still opt for all-too-hackable passcodes such as "1-2-3-4."
Additionally, he said, once people get a device up and working, they’re often unlikely to adjust the security settings or download software updates to patch security holes – exactly what enabled hacking of the Schrecks' baby cam.
Such good "Web hygiene" habits, Wueest said, can go a long way to discouraging the bad guys.
And while Wueest believes manufacturers should take privacy and security more seriously, the only way that’s likely to happen is if customers begin demanding it.
"If you’re thinking about buying these devices – and by all means, I use a few of these at home so we’re not saying don’t use them – you should check out the manufacturer's website and see if they have a record of updating patches and fixes," he said.
“If you don’t see anything like this, this might be a good indication that they don’t really look into the security."
So, is the IoT something to be welcomed or feared? Should people begin worrying about the their toasters or coffeemakers?
No, Wueest said, at least not yet.
But it is time for everyone connecting up those 5 billion smart things in their homes and offices to be aware that they can bring as much insecurity as they can convenience.