When George Orwell envisioned the “telescreen” — the TV that keeps constant tabs on its viewers — in 1984, he predicted that governments would use technology to cross the threshold into our private lives. Confidential documents published by WikiLeaks this week purport to show that the Central Intelligence Agency created its own 21st century telescreen by hacking into smart TVs. You may be watching YouTube or Netflix, not forced military propaganda, but spies are still able to listen into your living room. Developers used vulnerabilities in Samsung TVs to ensure the products would capture conversations even when they appeared to be switched off. In what WikiLeaks describes as the first instalment of the “largest intelligence publication in history”, the CIA appears eager to exploit the new spying opportunities created by the internet of things — everyday objects that are connected to the web. Market research group Gartner forecasts there will be more than 20bn appliances, TVs and other devices connected to the internet by 2020.
The CIA’s engineering development group had a “to do” list for the smart TV that included the ability to record video and break into its browser and apps. Other documents seemed to show it had explored infecting vehicle control systems used by connected cars. “This is the most troubling WikiLeaks ever. We’ve learned the CIA has all the tools to spy on American citizens,” said John McAfee, the antivirus pioneer who is now chief executive officer of MGT Capital Investments. “And now it is in the hands of some unknown hacker organisation or nation state.” The CIA has refused to comment on the veracity of the documents. Samsung says it makes security a top priority and is looking into the matter. The basic vulnerabilities inherent in the internet of things — one of the biggest concepts being pursued in the technology industry — have been known for some time. Samsung even warned customers in 2015 that “if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition”.
Cyber security researchers have highlighted holes in everything from cars to cameras, robots to refrigerators. It was revealed last month that children’s conversations with WiFi-enabled teddy bears from one toymaker had been leaked online. Law enforcement has become interested in using audio collected by devices such as Alexa, Amazon’s voice-controlled personal assistant. A prosecutor in an Arkansas murder case has requested the data from Alexa. Amazon resisted the request until the suspect said the recordings could be handed over. Related article Tech groups push back at collaboration offer from Julian Assange WikiLeaks founder willing to work with Silicon Valley after leak of alleged CIA cyber weapons Cyber criminals are also targeting the internet of things, infecting systems with malicious software that demands a ransom, usually to be paid to an anonymous account in bitcoin. Hackers repeatedly struck a hotel in the Austrian Alps last year by attacking the electronic key card system. The hoteliers are returning to old-fashioned locks after being forced to pay €1,500 to allow guests back into their rooms. Last Christmas, one family in the US had their smart TV taken over by ransomware, disabling it for four days. Vulnerabilities in connected devices risk destabilising the entire web. A malicious network known as a botnet built from tens of millions of internet-connected cameras and DVR players was last year harnessed to attack Dyn, a domain-name services provider used by websites from the New York Times to Twitter. Millions in the US were unable to access services including Spotify and Airbnb as Dyn struggled to resist the distributed denial-of-service attack. Cesar Cerrudo, chief technology officer at cyber security company IOActive, says hackers from the CIA to less sophisticated cyber criminals will invest more in finding vulnerabilities in the internet of things. “We are getting extremely dependent on technology. We need to start understanding that cyber security is important,” he says. “We suffer the consequences, are attacked, hacked, lose information. And it has a big impact on our daily lives.” The enthusiasm to connect everything to the internet shows no sign of letting up: there is a kettle that messages instead of whistling, a rice cooker controlled by smartphone and shoe insoles connected to a map app that vibrate to push you toward your destination.
But cyber security has been sidelined in the rush. Security defences are often decades out of date — if they exist at all. Many lack passwords, or have a default password that cannot be changed. The signals that devices send to connect with a server are often barely encrypted. Mikko Hypponen, chief research officer of Finnish cyber security company F-Secure, says the attackers who created the botnet to target Dyn only tried 35 passwords before hitting on the right one. The lax security within the internet of things is repeating “the same mistakes we already fixed 20 years ago”, he warns. “It is a clear and present danger to the internet.” The most vulnerable products are produced by companies that specialise in making toasters or blood sugar monitors, not in software or security. The budding industry is fragmented, regulation has not kept pace and consumers either do not care or struggle to judge how secure a product is. Eric Ahlm, research director at Gartner specialising in security, says the these manufacturers have no incentive to spend time or money on security. “It is more of a question of economics than security,” he says. “A consumer buying a smart TV is probably going to buy the one with equivalent features at a lower price. It is almost a penalty for manufacturers of these smart consumer devices to go the extra mile.” Even if consumers wanted to, they could not buy additional protections because the devices are powered by tiny computers that security software makers cannot access, like those in fitness wristbands or vacuum cleaners. “You can’t put antivirus software on your Fitbit or Roomba,” Mr Ahlm says.
The idea is to prevent attacks like the data breach at US retailer Target in 2013, when hackers accessed the system through the air conditioning provider. He says it is a “myth” that manufacturers will be able to solve the security problem. But there is a large industry built around protecting smartphones and PCs, which are made by more sophisticated companies than those creating devices for the internet of things, Mr Abreu says. “Even those with the best profit margins cannot secure their devices; imagine the guy building the device in the garage next door from parts built in China,” he says. “But that should not prevent us from demanding manufacturers have better standards.” But a push to tackle serious flaws in device security has begun. Vizio, a manufacturer of smart TVs, paid $2.2m last month in a settlement with the US Federal Trade Commission and the New Jersey attorney-general after it was caught collecting viewer data and selling the information to advertisers without their permission. Terrell McSweeny, FTC commissioner, says she supports comprehensive data security legislation that would allow a “regulatory approach” for the whole sector. WikiLeaks documents, SoftBank’s Arm stake Play video The FTC has been putting more resources into prosecuting connected device makers and improving its in-house tech capabilities. It is also working on international co-operation for privacy enforcement as devices are often exported from other countries, and looking at whether manufacturers have an obligation to still secure a device once they have stopped making it.
US regulators are also taking an interest: the National Highway Traffic Safety Administration has created best practices for the car industry, and the Food and Drug Administration has issued guidelines for making medical devices secure. Other organisations are playing a role. The Mayo Clinic, a non-profit medical group, has written specific security measures into its contracts with medical device makers. Podcast Are you listening, Langley? What you need to know about state surveillance and the security of our smartphones The European Commission is pushing for a system of certification for devices and has set up a group called the Alliance for Internet of Things Innovation. In the US, the President’s Commission on enhancing cyber security, which reported in December 2016, said consumers should be informed about the security capabilities of devices. Beau Woods, deputy director of the cyber statecraft initiative at the Atlantic Council, says he hopes the commission’s work will lead to products coming with security labels or information sheets, which will in turn deter retailers from selling vulnerable goods. Consumers may be able to better protect themselves from everyday hackers demanding ransoms, but the manufacturers of internet-connected devices may never outrun the CIA. “My advice for people concerned is update everything and unplug things when they are not in use, if you don’t want them to have a surveillance capacity,” Mr Woods says.