The consumer Internet of Things is a sprawling ecosystem of hardware. For every well-made product, there are a dozen that raise serious concerns about basic security practices, or that ask the customer to pay top dollar for equipment that may simply be shut down one day. There are also vast categories of hardware that offer no appreciable benefit or are thinly-disguised DRM schemes, but for simplicity’s sake we’re sticking to security issues today. Many IoT devices combine the robust security of a broken chainlink fence with the product design skills of a drunken orangutan and leave it to the consumer to pick up the pieces. Even so, this latest incident sets some kind of record for sheer creepiness.
According to TheNextWeb (via [H]ardOCP), a Dutch woman named Rilana Hamer bought a small Internet-connected camera from a local store, with the goal of keeping an eye on her puppy while she was away at work. “I thought I was going crazy,” Hamer said in a public Facebook post. “I suddenly heard sounds in the living room. I walked up there and saw my camera move.”
The camera, purchased from a discount chain store called Action, apparently claimed to offer password protection to keep its stream from being snooped on. But the implementation was clearly cataclysmically flawed. The person controlling the camera began speaking to her, initially in French. Shocked, she disconnected the device, but later decided to set it up again to see if the same thing would happen twice. Within a minute, it did. Hamer videoed this second conversation on her phone. We’ve embedded the video below; be advised it contains some cursing and may not be workplace-safe depending on your company’s policies:
The voice again greets her in French before switching to Spanish with the aforementioned and deeply creepy “Hola Señorita.” Hamer promptly returned the camera to Action, which states that it’s investigating the situation. “It is being investigated by the supplier,” says Yvette Moll of Action. “The question is whether it’s in the camera or in the wrong use of passwords and Wi-Fi connection.”
Welcome to the Internet of Creepy, Shitty Things
With respect to Action, it’s really not a question of those things at all. No Internet-connected camera with modern security features should allow you to keep a default password like “Admin,” and it shouldn’t accept an insecure network connection by default, either. Modern computer security uses a concept known as defense in depth to guard against the risk of any single attack: several independent layers, so that one failure does not hand an attacker everything. Depending on your home network configuration, you may have a cable modem with a built-in firewall, a router with a built-in firewall, and then a PC with its software firewall. You’re also likely running at least one antivirus or spyware scanner, or at the very least have such an application that you trust and scan with periodically. A well-designed IoT product should be the innermost of those layers: it should remain protected from attack on its own merits, without relying on whatever firewall happens to sit between it and the Internet, even when it simply joins a local network via Wi-Fi.
The fact that the speaker used French and at least a few words of Spanish, rather than English or Dutch, suggests they weren’t a neighbour on her Wi-Fi network but someone reaching the camera from the open Internet, which points at the device’s own security rather than her router. The short window of time it took for someone else to connect to the camera when Hamer re-enabled it also suggests the device’s security is third- or fourth-rate; a minute is not long enough for anyone to guess a decent password. Even if Hamer misconfigured the product (something we acknowledge is possible), IoT devices that can be used to monitor a person’s home should be designed to insist on secure settings, save in instances where the end-user deliberately chooses to override them. The alternative is situations like this, where hackers (the term scarcely even seems to apply, given how quickly the camera was controlled) can watch you through your own so-called “smart home” devices.
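The two preceding paragraphs describe what a camera like this should have enforced: no factory-default credentials, no cleartext connections, and no exposure to the open Internet unless the owner explicitly opts in. The following is an added example of such a first-boot provisioning policy, written for this page; it is not code from the article, from Action, or from any camera vendor. The configuration field names, the list of factory credentials and the two sample configurations are constructed for illustration.

```python
"""First-boot provisioning policy for an Internet-connected camera.

Added example for this page (not vendor firmware). Field names, the
default-credential list and the sample configs are all assumptions.
"""
from dataclasses import dataclass

# Constructed list of factory credentials that must never survive setup.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", ""), ("admin", "1234"),
    ("admin", "password"), ("root", "root"), ("user", "user"),
}
MIN_PASSWORD_LENGTH = 12


@dataclass
class DeviceConfig:
    username: str
    password: str
    tls_required: bool                 # stream and control only over TLS
    remote_access: bool                # reachable from outside the LAN
    remote_access_acknowledged: bool = False  # owner's explicit override
    open_ports: tuple = ()             # ports exposed on the WAN side


def check_provisioning(cfg: DeviceConfig) -> list:
    """Return the policy violations for cfg; an empty list means setup may proceed.

    Secure settings are the default; the only way past a violation is to
    change the setting, or (for remote access) to acknowledge it explicitly.
    """
    problems = []
    creds = (cfg.username.lower(), cfg.password.lower())
    if creds in KNOWN_DEFAULT_CREDENTIALS:
        problems.append("factory default credentials must be changed")
    if len(cfg.password) < MIN_PASSWORD_LENGTH:
        problems.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if cfg.password.lower() == cfg.username.lower():
        problems.append("password must not equal the username")
    if not cfg.tls_required:
        problems.append("cleartext transport is not permitted")
    if cfg.remote_access and not cfg.remote_access_acknowledged:
        problems.append("remote access requires an explicit user opt-in")
    if cfg.open_ports and not cfg.remote_access:
        problems.append("WAN ports exposed while remote access is disabled")
    return problems


def weak_default_config() -> DeviceConfig:
    """Constructed config resembling the failure described in the article."""
    return DeviceConfig(
        username="Admin", password="Admin",
        tls_required=False, remote_access=True,
        remote_access_acknowledged=False, open_ports=(80, 554),
    )


def hardened_config() -> DeviceConfig:
    """Constructed config that satisfies the policy."""
    return DeviceConfig(
        username="owner", password="correct-horse-battery-2017",
        tls_required=True, remote_access=False,
    )


if __name__ == "__main__":
    for name, cfg in (("weak", weak_default_config()), ("hardened", hardened_config())):
        print(name, check_provisioning(cfg) or "OK")
```

The weak configuration trips five rules at once (default credentials, length, password equal to username, cleartext transport, and remote access without an opt-in), which is the point: a device that runs a check like this before it starts streaming never reaches the state Hamer’s camera was in, whether the owner read the manual or not.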
The problem here, I’d argue, goes beyond the specific security protocols of any single product. Manufacturers have fallen over themselves to push “smart” devices to market, with a heavy emphasis on making those products accessible, as opposed to making them secure. On the one hand, this makes sense. The more secure a product is, the harder it typically is to use, though good UI and strong default choices can bridge the gap here.
But many of these same companies are also interested in extracting useful data from their own devices that they can monetize and sell. Even companies that never previously attempted to turn a profit on customer data, like iRobot, maker of the Roomba, now plan to do so. This gives companies two reasons to downplay device security: They want to pull as much data as possible off the device, and they want to make connecting to your Internet camera as easy as possible. Both goals are exactly the opposite of what you want a design team to be thinking about when they implement the security on an IoT device.
In the long run, companies are going to have to grapple with this conundrum if they want to build successful IoT products or move the market past niche acceptance. Nobody wants a camera that someone else can take control of without their knowledge or consent. The fact that these people can also speak to unsuspecting users is the deeply creepy icing on this particular awful cake.