the latest technologies: tricks or treats? · according to miami dade police, criminals “can pull...
TRANSCRIPT
The Latest Technologies: Tricks or Treats?
Inside this issue
Technology Expansion ................ ..2
Laser Pointer Warning…..….....…....2
Bluetooth Vulnerabilities...............3
Alexa Glasses…………………......….…..3
Home Deliveries.………………………...4
Smart Keys for Homes….…..…........4
Medical/Genealogy …....………….....5
Lithium Ion Batteries….….......……..6
Insurance & Litigation...……………...6
Password Keeper…………….............6
Safer Cameras…………………………….7
Recommendations...……..…...…..….7
Introduction We can probably all agree that new technology, new gadgets and better automation are emerging everyday. It seems like there is something new and awesome coming out every week, from intelligent thermostats and WiFi enabled door locks to smart eye goggles connected to the “cloud.” But all of these modern conveniences are connected to the Internet, which puts them at risk of being manipulated or hacked.
At this point, the technology has evolved too quickly for safety and security regulations to keep up and in many ways the technology industry is unregulated. Without proper security checks in place, there is no way to know whether or not your device, and your home, can be compromised. So is all of this technology really a treat? Or is it just a trick to get you to buy the latest and greatest gadgets?
While there are so many positive benefits to technology, it is so important to understand both the functionality of the new technology and its potential to put you or your family at risk. Most people are not that concerned that hackers are going to get into your refrigerator and find out that you need to buy fresh carrots or more milk. The real threat is that your ‘internet of things’ refrigerator and other devices are all plugged into the same network and that is what provides cyber-criminals with a back door into your home network. Several IT experts have warned that household appliances may often be linked to bank details. For example, the refrigerator alerting you to buy milk may also automatically send a shopping order online with your purchase data in tow.
And, it is not just hackers who are interested in your personal information and your data. In February 2017, The Federal Trade Commission fined TV maker Vizio $2.2 million for monitoring the content users watched without their consent and selling the data to advertisers. Soon enough our voice enabled devices will be actually talking to us—when Alexa hears you and your spouse discussing dinner plans, a voice may interject your conversations with ad suggestions, such as, “why don’t you two go to Johnny’s Pizza for dinner?”
In this report, Mindstar focuses on some of new technologies that may be considered more of a “trick” than a “treat.” In each case, both the utilization of the technology should be evaluated along with its relative safety and security features. Technology is great and is getting more sophisticated, so no one is advocating to stop using your smart devices. But, everyone should do their own cost-benefit analysis, and at the very least be knowledgeable about the potential vulnerabilities. More and more new devices and gadgets will be flooding the market, and that is the reason the smart home industry is forecasted to become a multibillion-dollar industry over the next several years.
Concierge Security Report October 2017
Volume 3, Issue 10
Laser Pointer Warning
Many people use laser pointers for
presentations. Laser pointers are
given out at trade shows with
company logos and when free items
are available, everyone grabs one!
However, some of the laser pointers
sold online or given away at expos
are not safe.
For example, the laser pointer
marketplace on eBay is littered with
severely overpowered lasers that
are being marketed as safe. The
limit on laser power in the United
States S is 5 milliwatts, low enough
for your natural blink reflex to help
you from hurting your retinas.
Remember, retina damage never
heals.
Recent tests have shown that many
of the laser pointers on eBay that
claim to be five milliwatts or less are
as much as ten times stronger than
that, which is easily enough to cause
serious retina damage. You do not
want to hurt anyone by accidently
pointing the beam at yourself or at
your audience members during a
presentation.
Some of these lasers have been
featured in the news as they are
sometimes pointed at airplanes and
can severely interfere with the
pilots’ vision and could damage
their eyesight. It is illegal to aim
laser pointer beams at any aircraft
or their flight path and if caught the
offense can result into up to 5 years
in prison and a $250,000 fine.
If you are in need of a laser pointer,
forgo eBay and purchase one from a
company licensed to sell them in
the United States. Spending an extra
few dollars is worth avoiding serious
retina damage.
The Expansion of Technology
2
New technology is always being introduced to the market. But it seems as though, over the last year, there has been a new explosion of available gadgets, wifi enabled contraptions, Bluetooth gizmos, and voice enabled assistants. Keeping up can actually be a bit exhausting and overwhelming for the consumer. But, there are several reasons this technology expansion is happening now and includes: 1) advancement in smaller devices; 2) reduced production costs; and 3) global market opportunity. Right now, there are approximately 6.4 to 13 billion IoT devices in use. In 2016, IoT devices generated $19 trillion in profits; by 2020 it is estimated to be $50 trillion. The continued increase in technology is somewhat attributed to the growth of the home market. Currently 2/3 of consumers say they want a connected home or a “smart home.” It is estimated that within 3 years 43% of homeowners in the United States will actually have numerous connected devices in their homes. According to a recent study called “The Internet of Hackable Things” from a group of international researchers at the Technical University of Denmark: 90% of devices collected at least some information via the device;
80% of devices and their cloud and mobile components required no password or the passwords that were required were not complex enough;
70% of devices and their cloud and mobile components enabled an attacker to identify valid user accounts through enumeration;
70% of devices used unencrypted network services; and,
6 out of 10 devices that provided user interfaces were vulnerable to a range of weaknesses, such as persistent cross-site scripting and weak credentials.
Therefore, when the expansion of technology is entering your house, you must consider how a multitude of connected products that can control, automate and optimize your home (e.g., lights, electrical outlets, thermostats, windows, fans, locks, doorbells, appliances, vacuum cleaners, lawn mowers, curtains, pet feeders) not only work in isolation, but how they may present vulnerabilities when working in unison or because they ride off a similar platform. Having so many interconnected devices that rely on the same third-party providers or cloud services for critical infrastructure puts all those gadgets at risk when one link in the chain stops functioning. The best advice is to truly evaluate each product for what it is—and if you truly need it. Some gadgets are just trendy or cool to have as they enter the market. Others are definitely worth having and make a huge difference in making your life easier, better, and more efficient.
Alexa Glasses
According to an Associated Press
article from last month, Amazon is
currently working to develop
glasses that pair with Alexa and
would allow users to access the
voice-activated assistant outside
the home.
Wearable technology, glasses
specifically, is already being used
to some extent. The device is
reminiscent of Google's failed
Glass eyewear, which was deemed
too expensive and creepy by
mainstream consumers.
Companies including Facebook,
Google and Microsoft have all
expressed interest in creating
smart glasses in the past but the
only company to bring a product to
market is Snapchat. Snapchat has
been selling glasses that take short
videos and post them to their
social media app.
Amazon's smart assistant will
apparently sit within a regular
spectacles frame that has a
bone-conduction audio system,
according to the Financial Times.
The advanced technology would
mean users can hear Alexa without
having to wear headphones.
Like most of the “listening” devices
currently on the market, we have
some serious reservations about
this product. Specifically, what will
be done with the data, how it will
be stored, and who will have
access to it?
Another thing to keep in mind is
that companies in this space often
rush to be first to market, often at
the expense of security.
Bluetooth Vulnerabilities
In addition to Bluetooth malware impacting personal devices, ATM skimmers (bank hackers) are now taking advantage of Bluetooth technology. The traditional ATM skimmer requires the thief to return to the “scene of the crime” to retrieve the device and the data. Returning to the compromised ATM does put the would-be thief at risk to be seen or caught. However, with Bluetooth enabled skimmers, banking data such as user accounts, PINs, and information from the bank card’s magnetic strip are sent wirelessly directly to the thief. The thief only has to be within a certain distance to connect to the device—sitting comfortably in a car or coffee shop. While not widespread yet, the technology is being found by several police departments on ATMs and gas pumps.
According to Miami Dade Police, criminals “can pull up, download this data and it could be a month or two before they even use the data…We have tracked teams that have gone from Miami, Dallas, to Oklahoma City, on to Las Vegas and California. These teams, they’ll send out the first team that will install these skimmers. Then another team will come behind them, pull the skimmers off of the gas pumps, then a third team will actually do the ‘spend.”
Since we are all probably using some type of Bluetooth technology, it is important to keep current on device updates and if need-be, shut down the Bluetooth devices until patches and fixes are made available.
Bluetooth is everywhere - headsets, garage door openers, speakers, trackers, routers, household items, appliances, and toys. The benefits we get from the connectivity is fantastic. But, similar to the threats we know exist by using computers and laptops (i.e., malware, viruses, phishing attacks), Bluetooth devices are not immune from attack.
Researchers at Armis Labs have found "BlueBorne,” a new malware that targets devices via Bluetooth and over 5 billion such devices globally are at risk. BlueBorne allows attackers to take control of devices, access corporate or home data and networks, penetrate secure "air-gapped" networks, and spread malware laterally to adjacent devices. It poses threat to major mobile, desktop and IoT operating systems that includes Android, iOS, Windows and Linux and the devices using them. Patches and updates have been released, however, this type of attack is likely to increase and morph since it has been a very successful attack vector.
One reason this type of attack works so well is because of Bluetooth meshing. Bluetooth meshing allows low-power Bluetooth devices to create and act like a mesh network. This is particularly useful for smart home tech, because it allows a device in one corner of the home to send a message that reaches smart devices in all the far nooks and crannies of a house. So a garage door opener, for example, could send a message to turn on the upstairs bedroom lights when you arrive home from work, with the message hopping from one smart light to another in order to reach the distant bulbs.
3
Smart Keys for Homes
Many manufacturers are offering
smart keys for homes. These smart
keys are basically locking devices that
you can access by using an app or
through a Bluetooth device.
In their short history, smart locks have
been pretty fickle devices. Because
they are supposed to be securing your
front door, you want something that is
both durable and reliable, as well as
something that makes your life easier.
A lot of the smart locks that first hit
the market were prone to issues like
difficult installations and hit or miss
performance of their apps.
Recently, a startup called August
released a second generation Smart
Lock and it appears to have outgrown
a lot of the common issues with other
locks on the market. The August
Smart Lock is strong, looks good, and
the app is very easy to use. The lock
works with Nest, Logitech, Harmony,
Comcast’s Xfinity Home, and Siri. This
product also received CNET’s Editors’
Choice award.
If you would rather have a lock that
can communicate with your Amazon
Alexa for voice control, the Kwikset
SmartCode Touchscreen Electronic
Deadbolt is available on Amazon.
However, these newer better smart
locks still have the vulnerability of
having to use an app, wifi, or
Bluetooth to gain access. While they
do offer convenience, if the issue is to
have access to your home without
worrying about lost or forgotten keys,
try a dual function more traditional
lock that includes a keypad or a
biometric fingerprint.
Brands that offer traditional, keypad,
and biometric locks include: Schlage,
Westinghouse, Kwikset, and NextBolt.
Home Deliveries Last week, Amazon announced the launch of Amazon Key, a service that allows the company's delivery people to unlock your door—yes, the door to your home—and place packages inside your home. While Amazon appears to be offering this as an alternative to the “porch pirate” issue of people stealing Amazon packages off of front porches. The Amazon Key has perhaps created an even more dangerous situation for both homeowners and Amazon delivery personnel. Walmart has been testing a similar service whereby Walmart workers bring grocery deliveries all the way into your kitchen and even unload the items into your refrigerator and freezer in your absence. Wow.
Mindstar highly recommends that you think twice about using Amazon Key or Walmart Grocery at this time. The services are too new and have too many unmanageable risks at this time.
4
Issues with Amazon Key:
Who is making these deliveries? Amazon says they are "some of the same professional drivers who you trust to deliver your Amazon orders today." Even if they are professional drivers, you still do not know them. They may be Amazon employees, they may be contracted drivers.
If you have a security alarm system, you must turn it off on delivery days. Turning off your home’s
protection and alarm system defeats the whole purpose of having one.
If you have pets, you cannot use this service. Amazon states, “if your pet has access to the front door, you should not use the service.”
Wifi enabled “smart locks” have had problems in the past – and there is no reason to believe that Amazon’s smart lock will not at some point experience some of the same issues. The issues included: 1) not being able to open the locks; 2) not being able to re-secure the locks after they were opened; 3) hacked Wifi access; and, 4) software updates sent to the locking devices which froze them rendering them unusable.
In addition to these basic issues, it would not be surprising to read about reports of home burglary, the disabling of the Amazon cameras (which are supposed to watch the delivery personnel – and are also live cameras operating on the interior of your home), thieves following Amazon drivers and gaining access to homes forcibly during the delivery, surprising home owners who are actually home, and assaults. On the flip side, Amazon is also potentially placing its drivers in danger – not everyone who orders Amazon has good intentions. The drivers could also be at risk for robbery or assault, or fraudulently be blamed for burglarizing a home.
Source: Blackpoint Cyber – https://www.blackpointcyber.com/ (September 2017)
The face of medicine is changing every day. Wifi and Bluetooth technologies are leading the way in medical monitoring advancements. People want to control and manage their own health, and a standardized wireless approach for communication between devices gives them that ability. Just about every new health tracking platform—including Apple HealthKit and Google Fit—uses Bluetooth or some other wireless technology to ensure device and data interoperability. Wireless gadgets include: blood glucose monitors, pulse oximeters, heart rate monitors, asthma inhalers as well as recreational monitors such as FitBits.
While these devices are literally life savers, users should at least be knowledgeable about the potential exposures. The FDA confirmed in September 2017 that St. Jude Medical's implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks. In this case, St. Jude has developed a software patch to fix the vulnerabilities, but not all technology providers are that responsive or that responsible for device defects. If you are using a medical monitor, make sure you implement all provided device updates and ask your physician about the potential risks with online health monitoring as they are associated with your particular device.
5
DNA Testing Researching your family’s genealogy is a growing trend and one tool people are using to do this is genetic testing. A number of genealogy sites have been created to process genetic data including 23andMe, AncestryDNA, FamilyTree, and MyHeritage. Within a decade, global sales of genetic tests are expected to hit $10 billion. Direct-to-consumer companies such as 23andMe and FamilyTree have proven particularly popular, with tens of thousands of people purchasing at-home testing kits every year. This new technology is awesome. People can actually learn about their ethnicity as well as get indicators for inherited diseases or predispositions to medical issues. But the industry's rapid growth rests on a dangerous delusion: that genetic data is kept private. Most people assume this sensitive information simply sits in a secure database, protected from hacks and misuse. According to Forbes (2017) -
“For instance, 23andMe has sold access to its database to at least 13 outside pharmaceutical firms. One buyer, Genentech, ponied up a cool $10 million for the genetic profiles of people suffering from Parkinson's. AncestryDNA, another popular personal genetics company, recently announced a lucrative data-sharing partnership with the biotech company Calico. Customers are wrong to think their information is safely locked away. It's not; it's getting sold far and wide. Many testing firms that generally don’t sell patient information, such as Ambry and Invitae, give it away to public databases.”
Whatever the privacy policies of any given company may say, you have no way of knowing whether they are being adhered to or what may happen to your sample as companies are bought and sold in the future. Most of the terms and conditions of DNA testing allow the companies to re-use your DNA results as data for research. An example of the vague language used includes, “As disclosed in our policies, DNA samples are stored without personally identifying information at either a testing laboratory or other storage facility and may be kept by us unless or until circumstances require us to destroy the sample, or it is no longer suitable for testing purposes.” Do remember that once you put your cheek swab in the mail, you risk permanently losing control over a complete copy of your genetic data, linked to your real identity. So what should an individual do? Like any other decision about digital privacy, the answer really comes down to your own comfort level, and how you perceive the trade-off between attaining historic family information now and a potential privacy breach in the future.
Medical Devices and Genealogy DNA
“...23andMe has sold access to its database to at least 13 outside pharmaceutical firms. One buyer, Genentech, Paid $10 million for the genetic profiles of people suffering from Parkinson's.” - Forbes, 2017
By now we all probably know that the Samsung’s Galaxy Note 7 has had two recalls due to smoldering lithium ion batteries and are banned on airplanes. There have also been major issues with hoverboard batteries exploding and even some instances of washing machines and laptops incidents. By their design, lithium ion batteries are potentially dangerous. Inside the battery is a thin lining of polypropylene that keeps the electrodes from touching. If that lining is compromised, the electrodes touch and the battery becomes extremely hot. While heat alone does not cause the problem, the batteries are also filled with a flammable substance that can be combustible under enough heat and when exposed to oxygen. These batteries are put in countless devices and they are used because they are very efficient and take up very little room in their respective devices.
Given the number of these batteries on the market, which is in the billions, the number of accidents is quite small by comparison. While the probability of a fire is still low, the impact can be catastrophic if it does occur. It appears that the charging process is what makes these gadgets more vulnerable. During the normal charging process the lithium ion cell should not become hot. If the cells are overcharged, heat will build up and can cause the cell to ignite. The risk of fire or explosion also increases if the battery is exposed to hot conditions or is compromised, such as being punctured after the product is dropped.
Since we all have devices and appliances with these batteries, it is important to charge your devices in a place where papers or other flammable materials are not nearby. A hard surface like granite or tile would work best for charging stations. It is also important to make sure you have working fire and smoke detectors at home in case there is an incident. If you have a private aircraft or boat, make sure you have the proper fire suppression equipment to deal with a lithium fire.
Lithium Ion Batteries
6
As technology increases, so may insurance claims and litigation. Just as many of the technology producers are only concerned with product functionality and do not take into consideration security issues or safety concerns, these same producers are not necessarily considering possible insurance claims or lawsuits resulting from their new gadgets. As people adapt and adopt these new technologies for their own uses, issues are arising.
There have already been claims for data breaches and privacy violations. While at this point there is a split in jurisdictions whether this loss is something a plaintiff can recover, the trend is for courts to say that privacy has monetary value and you can sue when privacy is lost.
Currently the FTC has jurisdiction to investigate and penalize unfair and deceptive business acts including inadequate cyber security protections and practices. It has brought enforcement cases against manufacturers of IoT products used in homes, such as cameras and routers, alleging that they were not adequately secure from data breach. Some other vulnerable technologies include:
Driverless Cars - claims related to bodily injury and property damage.
Wearable Technologies - may expose companies to invasion of privacy claims that may not be covered by general liability.
Drones - companies that use drones in their businesses or for personal use may have to protect themselves for property damage, bodily injury as errors and omissions.
3-D Printing - reproducing copies may present issues with the use of trade secrets, patents, logos and create intellectual property liability.
Password Keeper
Keeping all of your data and different
online accounts secure can be a
challenge even for the most security
conscientious among us. Passwords
are hackable and forgetting to log out
of your device is a mistake that we
have all made. Luckily, the market is
starting to address this problem with
Smart USB Keys that do away with the
constant need of having to log in and
out of your computer. One of these
products is called the GateKeeper 2.5.
The GateKeeper is a small device, just
a bit larger than a USB key. When you
carry the key in your pocket, it will
automatically log you into your
computer when you are near it and
logs you off the computer when you
get up and walk away, effectively
eliminating the need to constantly log
in and off every time you are called
away from your device.
Your credentials are encrypted with
military-grade encryption and stored
on the computer, so none of your
private information is stored on the
key. The range at which the key will
unlock your device can be adjusted
from 3 to 30 feet.
This device may be a great alternative
for families that want to make sure
the children login and logout
effectively.
Of course, with every great device or
solution are some risks. The most
obvious it that you do not want to lose
or misplace the GateKeeper.
Therefore, if you opt for this type of
device, you should still maintain a hard
copy of your login credentials and
passwords (stored in a secure location)
so that if you have to manually login
due to a lost or malfunctioning
GateKeeper you can still access your
computer.
Insurance and Litigation
The proliferation of technology will continue—and it will become more complicated, more interconnected, and thus, more vulnerable. We cannot stop using these new innovations and we cannot stop the flow of new devices. But we can, to the best of our abilities, at least understand what these new technologies do...and decide if we actually need them. Everyone should be conducting a cost-benefit analysis to ascertain whether that new lighting system linked to the garage door and the coffee maker is really something valuable or just really cool.
1. Change the admin password associated with the device — and make sure it is hard to guess (i.e., do not just change it from “admin” to “password”). However, some security experts have indicated that the password(s) is hard coded into the firmware, and the tools necessary to disable it or change it are not present. Make sure you have control over the devices you purchase and use.
2. Change the password on your home router in order to better protect the devices using your home Wi-Fi connection. You should also make sure your router has the latest firmware update installed — you can check for any updates by going to the manufacturer’s website and check for any available downloads.
3. Update your software regularly. These updates often include patches for security and can help address vulnerabilities in the system. Some software programs will offer automatic updates which can be scheduled when you are not using your device or when it is charging.
4. Reconsider whether you actually NEED this new technology. Do not purchase connected devices simply for the sake of having the latest gadget. Maybe your refrigerator does not have to be smart. Read the manufacturer’s user manuals and other users’ reviews.
5. Entrust your home security with experts. Rather than setting up unsecured consumer webcams around your home and property, work with a residential and commercial security expert to install cameras that are designed by trusted security companies. Likewise for your WiFi-enabled doorbells, deadbolts, and thermostats.
6. Do your own research. Once you know you want the new technology, do your homework. Most people read consumer reports, look up safety/crash results and test drive several cars before making a new car purchase. Apply the same vigilance and time when assessing new technology. Know what you are buying – both the benefits and the risks.
7. Take control of your own data and devices – and backup devices – don’t rely on “the cloud” to do all of the work for you. We recommend the control of data storage to be in your hands and not depended on a third party, especially considering that storage companies can also be hacked or otherwise infiltrated. Mindstar recommends using both external hard drives and flash drives in order to assure that you are always covered, even if one of them fails.
8. Do not jump on the new release bandwagon—new technologies and services like Amazon Key are potentially very dangerous and not recommended. Make sure that new technologies do not negate the ones you already have and rely upon to keep you safe and protected.
Recommendations Safer Cameras
Google recently announced a new
device that we like because of what
it doesn’t do - share your data
without your permission. The
Google Clips is designed to sit on
your computer (or table/desk/etc.)
and when its internal artificial
intelligence (AI) senses a good
photo opportunity, it snaps a
picture.
Unlike devices like Alexa or Google
Home that collect data and store
them elsewhere such as in the
cloud, Google’s Clip camera stores
the data within the camera itself.
This is thanks to its Google’s new AI
processing chip. There are two
main advantages to this: it will work
even if you do not have an Internet
connection and second, if you do
not actively chose to do so, the data
on the camera will never reach the
Internet. Everything is processed
and stored right on the camera.
In a world where everything seems
to be online and we are all
becoming more and more
comfortable with technology that is
ALWAYS watching and listening, it is
nice to see a new product provide
us more of a choice in how our data
is stored and who stores it.
7
Mindstar Security & Profiling specializes in security solutions for family offices, high profile/high net worth executives, and their families. Our customized focus includes the security trifecta of Internet/Social Media Safety, Physical Security and IT Security. 1001 Sycolin Rd SE, Suite 1A Leesburg, VA 20175 Phone: 703-404-1100 Fax: 703-404-5549 www.mindstarsecurity.com E-mail: [email protected]