Are you watching your smart TV, or is it watching you?

More people are beginning to buy smart devices – like smart TVs, smart appliances, smart thermostats, smart baby monitors, and so on. And homes are getting smarter as more people adopt these devices to enjoy smarter lifestyles.

But are these “smart” technologies intelligent enough, or sensitive enough, to understand that you may not want to entrust them with information about everything that happens in your home? There’s probably nobody manufacturing a smart TV that will think to itself “perhaps my owners don’t want me to record this intimate moment, or this fight. Maybe I should just mind my own business until they’re ready to watch the next episode of The Walking Dead.”

This kind of scenario might seem outlandish, but it’s really not. Mikko Hypponen tweeted about this topic last year, warning that smart TVs may be recording and sharing conversations – something confirmed by Samsung. And as Internet of Things (IoT) devices, many of which are not being built to be sensitive to people’s need for privacy within their own homes, become more prevalent, the number of sensors and transmitters that collect and share data will increase.

“I think smart cameras and other home monitoring devices are the potential ‘killer apps’ that will sell the idea of smart homes to many people,” says Mika Stahlberg, F-Secure Director of Strategic Threat Research. “The idea of being able to keep an eye on your dog while you’re at work, or seeing when your kids get home from school, is going to be really appealing for people. Every square inch of a smart home can potentially be monitored using IoT devices that are quickly becoming more accessible and marketed to consumers.”

Essentially, the little cameras that come built into laptops, video game consoles, and smart TVs will only become more widespread. But how people can control how these devices function, or how companies use the information collected by these devices, is still unclear. Baby monitors provide an excellent example of how these devices can compromise people’s privacy, as one American family discovered the hard way that these devices can potentially be used to let anyone wiretap your home.

So as people graduate to using smart devices, they’ll need to keep these privacy considerations in mind. One quick fix they can use, as recommended by Karmina Aquino, Service Lead for F-Secure Labs’ Threat Intelligence team, is to change the settings on these devices. In the case of Samsung’s smart TVs, the settings can be adjusted to prevent the TV from recording absolutely everything.

But doing this for absolutely every device is impractical, and maybe even impossible. So F-Secure has developed a more comprehensive solution – F-Secure SENSE. SENSE is a unique combination of hardware and software that can be used to protect all of the devices people use in their home. This includes things like PCs, smartphones and tablets, but also modern smart devices like Internet-connected baby monitors and smart TVs.

SENSE’s software can be installed on devices like laptops and smartphones, allowing these devices to stay protected, even while they leave the home. But many IoT devices are unable to run user-installed apps, and that’s where SENSE’s hardware comes in. SENSE’s hardware is able to connect to any Internet-connected device people use in their home, which allows SENSE to create a private, secure network for those devices. It uses artificial intelligence capabilities in F-Secure’s Security Cloud to proactively “sense” threats hidden within Internet traffic, allowing it to find and neutralize threats to people’s security and online privacy before they have the opportunity to reach devices.

These capabilities allow SENSE to block potentially harmful traffic, such as data exchanged by spyware or unwanted tracking technologies. It can also prevent Internet traffic from being directed to potentially harmful websites without people’s knowledge. SENSE’s software also gives people a complete overview of their home network and the security status of their different devices, so they can always see what’s going on.

Mika says it’s time for people to recognize how important it is to keep private information inside their homes, as losing control over such personal information can quickly grow from a minor inconvenience or source of embarrassment into a security issue.

“A lot of these newer Internet-connected devices aren’t really common enough to make hacking worthwhile for criminals, but this will change as more people buy them,” Mika says. “Manufacturers will eventually phase out non-smart products, and that’s when the security implications will really start to hit home. These devices will let criminals learn a lot about their potential victims, so securing privacy within a smart home is going to be something people need to do to keep their homes and families safe.”

More posts from this topic


The IoT needs Vulnerability Research to Survive

F-Secure Senior Security Consultant Harry Sintonen appeared at Disobey last week in Helsinki to teach the audience a lesson in how attackers take advantage of insecure devices. Harry created the demonstration after he discovered several vulnerabilities in a QNAP network attached storage (NAS) device. And in order to verify that the vulnerabilities could be used to “hack” into the device, Harry developed a proof-of-concept exploit (a bit of code that uses vulnerabilities to compromise systems) that allows him to seize control of the vulnerable devices.

I won’t get into the technical details here (you can see Harry’s presentation below for the technical nuances). But basically, Harry’s proof-of-concept (POC) manipulates the device while it tries to update its firmware. This process was an easy target for Harry because of problems with how the device updates (such as not encrypting the update requests). Harry’s POC allowed him to seize control of the device. He didn’t try to do anything more than that. But an attacker would. After seizing control of the device, an attacker could do things like access stored data, steal passwords, or even execute commands (for example, tell the device to download malware).

Sound serious? Well, the good news is that attackers would need to position themselves to intercept the update process before they can manipulate it. “The extra step is enough to discourage most opportunistic or low-skilled attackers,” said Janne Kauhanen, a cyber security expert with F-Secure.

But the bad news is that these kinds of problems are running rampant in internet-connected devices. In this case, Harry notified QNAP about these issues in February 2016. However, to the best of Harry’s knowledge, they’ve yet to release a fix (although QNAP claims to be working on one).

Vulnerability Research is Vital if we want to Secure the IoT

This isn’t Harry’s first time finding security issues in products. Last summer, he discovered a vulnerability in Inteno home routers that leaves them exposed to hackers. "It's ridiculous how insecure the devices we're sold are," Janne said at the time. "We and other security companies are finding vulnerabilities in these devices all the time. The firmware used in routers and Internet of Things devices is neglected by manufacturers and their customers – by everyone except hackers, who use the vulnerabilities to hijack Internet traffic, steal information, and spread malware."

Security researchers conduct these types of investigations because manufacturers and developers typically don’t have the resources available to do it on their own. And considering the global shortage of competent cyber security personnel, this shouldn’t come as a surprise. That’s why companies (not just security companies) invest in vulnerability research. One way they do this is with “bug bounty” programs. Microsoft, Facebook, and many other well-known IT companies (including F-Secure) offer money to anyone able to uncover vulnerabilities in their products. In fact, a 10-year-old received 10,000 dollars for finding a vulnerability in Instagram last summer.

But sadly, most vulnerabilities go undisclosed until a user stumbles upon them. Or even worse, when an attacker gets caught using them to hack into devices. IoT devices are spreading. And security issues are spreading with them. So make no mistake: if we’re to avoid the next Mirai outbreak, or something even worse, it’ll be because someone took the time to find and point out security problems before they’re attacked.

January 17, 2017

The 5 Minute Guide™ to App Store Security and Privacy

Mobile devices have largely avoided the malware outbreaks that have plagued PCs for decades now for a simple reason -- app stores. Nearly all -- or even all -- the software that's on your phone or tablet now came through these official portals, where they endured some degree of vetting. But this doesn't mean it's impossible to have your security or privacy compromised by bad apps. Here's a quick run-through of the basics you need to know to keep the data on your mobile device safe and private.

1. Stick to the official app stores.

If you have an iOS device, you can only use the official App Store, unless you "jailbreak" your device and take your security into your own hands. Android users, however, have more freedom. And with freedom, there's a little danger. "Anything ending in .apk might be malicious," Tom Van De Wiele, F-Secure Security Consultant, tells me. "So the official Google Play store is the only place you should get your apps." He offers a simple metaphor to remember this concept: "You don’t pick up shiny food from the street and put it in your mouth either, no matter what the promise is." In case you missed the point: The Play store is the clean table -- everywhere else is the grimy, filthy floor.

2. ANDROID USERS: Make sure to block downloads from "Unknown sources".

"Phishing campaigns are focussing on providing .apk files to unsuspecting victims by email, SMS, MMS, Skype and other means," Tom says. He recommends you avoid these scams by blocking downloads from unknown sources. To do this:

- Navigate to your Android phone’s home screen.
- Tap the Android "Menu" button.
- Choose "Settings".
- Open "Applications".
- Make sure there is no green check mark next to the Unknown sources item.
- If there is a green check mark next to Unknown sources, disable the setting.

3. ANDROID AND IOS USERS: Don't assume that your apps have been vetted for privacy.

"It is not in Google’s interest to remove a lot of apps as they generate advertisement revenue for Google," Tom says, adding that the Play store doesn't do nearly as much vetting for malicious apps as the Apple iOS store does and instead opts for a “clean-up-as-you-go model." But that doesn't mean iOS apps are completely nuisance free. "Apple has the 'walled garden' of trying to control what they can when it comes to their application eco-system," he says. "This does not take into account apps that invade your privacy by asking you, for example if the app can 'access the address book', which will result in sending the contents of the address book to a remote location." You have to check the app permissions yourself to avoid these data-farming apps.

4. Look out for "bait ware."

Both app stores have been plagued by what Tom calls "bait ware". These are apps "where the user is fooled into generating a lot of advertisement revenue by randomly popping up ads, fake buttons and other arbitrary functionality." New parents need to especially be on the lookout for these apps. "This is especially prevalent in baby and toddler applications which look very enticing to download and try but are merely empty husks with interwoven advertisement." Why do these apps prosper despite their dubious quality? Tom says, "Both Apple and Google are reluctant to remove them as it becomes a slippery slope on where to draw the line between sincere and malevolent behavior of an application."

5. "Walled gardens" aren't perfect solutions so check reviews and be suspicious of newer apps.

Google's approach invites malicious apps to occasionally appear in its store. Often they're imitations or clones of much more popular apps. This is much, much more rare in the iOS App Store, but it has happened. To preserve your security, privacy and disk space, do some basic due diligence and check the reviews to see if they seem real and offer some substantive testimony that the app is legit.

January 17, 2017

5 Must-Read Online Privacy Articles from 2016

A great deal has happened within the online privacy sphere in the last 12 months. The subject has become a genuinely hot topic, and we have done our best to dissect relevant industry issues into an easily readable form while reporting directly from the eye of the storm, so to speak. Here are five essential reads to get you up to speed on the state of online privacy, VPN, and related topics.

An Open Letter to Businesses who Block VPN on Their Wi-Fi Networks

Ultimately, allowing the use of VPN on your Wi-Fi hotspot is your call. However, if you truly care about your customers, don’t be in the minority of businesses that forces them to give up their online security and privacy while browsing on your network.

A Twitter user asked us a question that inspired our most viral article of the year, as well as the video response we produced as a follow-up. In the post and video, we emphasize the fact that companies end up shooting themselves in the foot by putting their customers’ security at risk. If you ever come across this consumer-unfriendly practice, we urge you to share the article and/or video! Read the full article here.

How Does Encryption Work?

“. . .It’s easy to forget that easy access to encryption greatly benefits even normal web users like you and me.”

Our widely shared article on encryption exhibits a 360-degree view on encryption, providing readers with an overview of its history and a straightforward explanation of how modern VPNs ingeniously work to protect your privacy. If you’re interested in learning what’s under the hood of online privacy, this article is for you.

4 People Who See What Porn You Watch

“A large majority of web users are lulled into a false sense of security by Incognito mode or private browsing, but this is only one of the steps needed toward becoming private online.”

Many things take place “behind the scenes” on the Internet – these are things that we can’t see and therefore don’t think about. This admittedly attention-grabbing headline was meant as a wakeup call to the fact that adult content browsing histories aren’t as private as most people would like to think. Read up on a few people who have access to your porn browsing history, as well as some quick tips that can help prevent snooping.

Privacy, Patriotism and PR: The Case of Apple vs. FBI

“In this debate, privacy, patriotism and public relations are just some of the factors influencing a public discourse that has shifted to reflect new and often clashing attitudes towards encryption.”

The Apple Vs. FBI case was the Clash of the Titans between privacy players that dominated mainstream news outlets throughout the first half of 2016, with ripples that are sure to affect the dynamics between companies and governments for years to come. We made a conscious effort to explore the issue from every possible angle, and the article is still a very relevant read.

Why Do Newspapers Spy on You?

“The longer something on the Internet is free, the harder it will be to make people start paying for it.”

Who pays for a product that costs something to make but is free for the customer? In this article, we look at the idiosyncratic purchasing habits of modern web users and why these habits have led news websites and other services to sacrifice their visitors’ privacy in order to stay in business. This piece is good food for thought for all consumers of online news.

January 13, 2017