Tech Friday with Dave Hatter - February 21st 2020 - SPONSORED BY INTRUST IT


  • Another IoT security issue, this time, "smart" lighting:
    • Kaspersky recently warned that attacks against "smart" home devices have increased nearly 700% over the last year
    • Every time you add a new "smart" device to your network, you are adding additional risk and increasing the surface area for attack
    • One of the latest examples is an issue Check Point found in the Philips Hue smart lighting system
    • Hue is a very popular lighting system that allows you to control it from software
    • Hue uses the Zigbee low-power wireless protocol to connect devices
    • Check Point reported that it is possible to infiltrate home/office networks via a flaw in ZigBee
    • Once breached, attackers can take control of a bulb and then trick users into allowing an attacker to access the network
    • Once Philips was aware of the bug, they quickly patched it. The fix is available here: https://www2.meethue.com/en-us/support/release-notes/bridge
    • If you have a Hue, apply the patch now!
    • This is yet another example demonstrating that better security is necessary for IoT devices
    • The best bet is to avoid "smart" devices until the industry gets serious about privacy and security
    • If you just can't help yourself, there are some things you can do to improve security:
      • Install patches
      • Change the default credentials
      • Use a strong password
      • Put the device(s) on a separate network
      • Eliminate any device that is inherently insecure
  • Feds work around 4th Amendment thanks to technology:
    • In 2018 the Supreme Court ruled that the Fourth Amendment protects cellphone location information
    • Thanks to that ruling, law enforcement agencies are required to get a warrant before obtaining location data
    • The Wall Street Journal (WSJ) recently reported government lawyers have argued that a warrant is not required because the data is commercially available
    • Department of Homeland Security (DHS) has reportedly been accessing phone location data on millions of Americans by buying it straight from private firms
    • There are many data brokers that aggregate information acquired from phone apps
    • WSJ reported that DHS uses the information to generate law enforcement leads and search for undocumented immigrants, and has been doing so as far back as 2017
    • Venntel is a company that has been selling the data to the government. According to their website, their platform “merges, categorizes and interprets disparate location data.”
    • Venntel provides "global coverage" and "historical data."
    • WSJ reported that this data was recently used to track the phones of people suspected of smuggling drugs into the US from Mexico
    • A Customs and Border Protection official told WSJ that the data is not "ingested in bulk" and "doesn’t include cellular phone tower data." It also does not include the cellphone owner's name
    • Researchers have repeatedly demonstrated that so-called "anonymized" data can nearly always be identified
    • Imperial College of London researchers recently published a study indicating they could accurately re-identify 99.98% of Americans in anonymized datasets
    • The ACLU and other organizations have raised concerns about this practice
    • Yet another reason to limit your digital footprint
  • IoT devices have normalized our surveillance society:
    • Internet of Things (IoT) aka "smart" devices like Ring, Nest and other Internet-connected cameras have millions of Americans spying on each other
    • These cameras are inexpensive and provide the capability for 24/7/365 surveillance
    • It's important to understand that these are a portal outside, but also inside
    • Sales have surged amid falling prices and rising acceptance. There are now millions of cameras online
    • The Washington Post (WaPo) surveyed US owners of these systems regarding how the systems are impacting their lives
    • WaPo found users monitored their kids, guests, neighbors and visitors
    • They used the cameras to monitor the performance of workers, often without letting them know they were under surveillance
    • In some instances, police have asked homeowners for video. The number of police agencies accessing these devices has more than doubled to nearly 900 agencies across 44 states
    • "Ring believes when communities and local police work together, safer neighborhoods can become a reality," said Ring spokeswoman Yassi Shahmiri
    • These types of devices have been notorious for security and privacy issues; for example, hackers have peered into children's bedrooms, shouted racist slurs and broadcast pornography
    • One Google Nest user saw footage recorded inside other people's homes
    • Ring fired employees who abused access to customers' video data
    • Some users told of strange noises and ghostly apparitions captured by their systems
    • Most said those concerns weren't enough to persuade them to turn off their cameras
    • Ring and Nest representatives have implemented new privacy and security measures to help protect customers
    • Matthew Guariglia from Electronic Frontier Foundation (EFF) said widespread home cameras are chilling free speech and speeding the erosion of privacy
    • Amazon software engineer Max Eliaser wrote that the mass deployment of Internet-connected cameras was "simply not compatible with a free society". It will be interesting to see how long he remains an Amazon employee