Sometimes I feel like I’m the Grinch at a party when I talk shop about the latest massive data breach or horrible hacker story that is in the news. We say things like, “It’s not if, but when” there will be another data breach. Well, this week was no different, as we saw news reports of a family with a Nest wireless smart home camera that was hacked. The hacker threatened to kidnap their baby and terrified the family. So what happened, and should you return that smart home device you just bought for a holiday gift?

The answer according to Nest was that this family’s nightmare was not a data breach of company data but rather was the result of a bad actor who hacked into the family’s home wireless system.

For those who are like me and are fascinated with the latest gadgets and want to be able to use smart home technology, the answer is simple: change the default password that comes with the gadget and enable two-factor authentication.

  • First, choose a complex password. This is hardly big news and is certainly not foolproof, but it beats using Password123 or the name of the family pet as your password.
  • Second, if you already own smart home technology, enable two-factor authentication. For the Nest application, go into the Account settings, then Manage Account, then Account Security, and choose 2-step verification. After you enter a phone number, the system sends a code to that phone and the setup is complete.

Two-factor authentication adds an extra layer of security to Wi-Fi enabled technology. That second layer is either a text message with a code that the user must enter or a biometric confirmation of identity (such as a fingerprint), and it is sent to or requested from that specific individual. This feature can be enabled for other wireless smart home devices as well. For those of us who want the convenience and peace of mind that we love about our smart home devices, the minor inconvenience of entering a text code or a thumbprint on our phone is a small diversion that can really make a difference. Not even the Grinch wants to come home to find a stranger talking to them through their smart home device.

While many consumers are aware of (and use) the Ring doorbell and security camera system to track who is at their front door, Ring now is offering a drone designed to capture video inside your house. The Ring Always Home Cam is an autonomous flying device (i.e., drone) with a built-in camera to record movement. As of today, this Always Home Cam is available for purchase by invitation only. You can visit Ring’s website and “Request an Invitation.” This in-home drone security system costs $250.

The idea behind the Always Home Cam is to alleviate the need to have multiple fixed cameras all around your house. Instead, you can just push a button and send the Always Home Cam drone flying around to surveil your home’s interior. If you don’t want it flying all day, you can program it to identify certain activities during a specific timeframe. For example, you can program it to only surveil at night while everyone is asleep or while you are away on vacation. The drone can stream video directly to your smartphone or tablet, and video clips are stored in the cloud for 60 days (with a paid subscription).

What does this drone look like? Well, it’s lightweight, with plastic-tipped propellers, and sits on a docking station designed to block the camera when the drone is not in use. It also has an onboard neural processing unit that enables it to identify different scenarios as well as objects throughout your home. Because there is no universal home blueprint, the drone has to recognize windows (and determine how light shining through a window affects the video input and how the drone interprets it), mirrors, chandeliers, children, animals, and other objects throughout a home. The question here is: how can we leverage this technology to assist in the integration of drones into our airspace, or of autonomous vehicles onto public roads? There is no doubt that Ring will continue to address some of these navigational challenges in the technology as it collects data from the “invited” customers, but what are the privacy implications?

This new Always Home Cam as well as Ring’s traditional doorbell security system use end-to-end encryption for video capture, and those captured videos will not be part of Ring’s partnership with law enforcement. However, could this constant in-home surveillance actually make our homes less safe? This has been a debate among both civil liberties and digital rights advocates, whose concern is that there is potential for abuse of this data collection, or the possibility that devices like this will capture video of individuals who have not consented to such video capture. One thing is clear: as digital surveillance – and now even in-home drone surveillance – becomes more and more commonplace, we should keep the privacy and security of the data at the forefront as a key component of the development and use of this technology.

Mandiant, a division of FireEye, has reported that it has discovered a vulnerability in a software protocol that enables hackers to gain access to audio and visual data on smart devices including baby monitors and web cameras. The protocol was created by Taiwanese Internet of Things vendor ThroughTek, and is incorporated in as many as 83 million devices.

According to reports, ThroughTek has confirmed that it has notified customers of the vulnerability and provided information about mitigating it.

According to Mandiant, the threat actor could exploit the vulnerability to communicate directly with devices to plan and deploy subsequent attacks. Mandiant stated that the Department of Homeland Security would be issuing an alert to raise awareness of the issue.

It is difficult as a consumer to stay abreast of vulnerabilities in component parts of products that use other companies’ software. However, the security of the component parts is crucial to the security of the IoT device.

Mandiant suggests that users of IoT devices, including baby monitors, web cameras, home security systems, personal assistants, and basically anything else that uses the Internet, update their software (also known as patching) as soon as they receive notice. I would add: limit the use of IoT devices and closely follow each device’s Privacy Policy and updates.

So this week’s blog article takes a page from my very own “smart” home devices. Monday morning at about 3:42 a.m. our entire household woke up because every “smart” lightbulb in the house came on at the same time! It was a bit distressing, and once we got up and shut off all the lights, some of us (me!) couldn’t get back to sleep.

What if my “smart” light bulbs and/or home Wi-Fi somehow got hacked? Would someone try to spy on us? Buy items on the internet with my credit card? Was someone going to try to talk to us through our smart home device like the smart camera nightmare I wrote about a few months ago?

Needless to say, I was in a slight panic by the time Monday morning finally came around. I love all my smart devices and being connected, but I got a big scare when all the lights came on in the middle of the night. By 8 a.m., all our passwords were changed and I was about to consider pulling the plug on all my smart home technology.

Then a family member told me later that day that they were using an app and might have been the culprit. With great relief, I realized that my entire Wi-Fi and smart home systems were not hacked, but rather it was a family member who was playing around with the settings on the app, created a routine to turn on the lights, and forgot to turn the routine off.

So, I literally had my very own wake-up call regarding my personal privacy. It was a great reminder to be ever-vigilant with passwords and smart devices and to make sure that I don’t make the number one password mistake, i.e., using the same password for different devices and accounts. With all the news lately about how much data the big tech companies are collecting about us, I also pondered whether anyone really cares about my smart light bulbs or if I’m just getting a little paranoid. But when I thought I’d been hacked, it really hit home.

The BBC recently posted a story about one of its employees who had access through a mobile app to someone else’s video footage of their home security camera. The security camera was manufactured by Swann.

Following the story, a group of security researchers from Pen Test Partners decided to check it out and bought several cameras and started testing them. They were able to switch video feeds from one camera to another through the cloud service that was being used, which they said “provided arbitrary access to anyone’s camera.”

The researchers praised Swann for responding to their research and said Swann “took quick action to mitigate the attacks…. Yes, there was a bug, but they dealt with it fast.”

The researchers stated that the cameras are battery-powered and can stream video live or via a cloud service. They identified the cloud service used by the Swann cameras as OzVision. The camera’s serial number is used as the primary identifier of the camera in the mobile app and is easily searchable there. When the researchers logged into the system, they were able to switch to each other’s video feeds by entering the other camera’s serial number into the platform. They admitted this was pretty easy, and then determined that because the serial numbers are not sophisticated, it would be relatively easy for a hacker or bad actor to determine serial numbers and gain access to other people’s security cameras.

On top of that, the researchers indicated that OzVision, which reportedly has over three million smart cameras on its cloud platform, has a vulnerability in its tunnel protocol that does not properly verify that an app user is authorized to view certain material. According to the researchers, although Swann has fixed its vulnerability, other cameras that use OzVision, including the FlirFX smart camera, might be vulnerable.

The researchers recommend that if you have a Swann or other home security camera, “[U]pdate your mobile app and firmware…to the latest version. You’ll be a whole lot more secure then.”

‘Tis the season for gift giving. Smartphones and mobile devices are a hot item during the holidays. The first thing many people do when they get a new phone or device is to start downloading apps. Since there will be a lot of downloading over the next week, here are some tips to help you detect fake apps before you download them.

Some people aren’t aware that fake apps exist. They do, and if they are downloaded, they can be used by cyber criminals to take control of the device and ultimately steal your money and your personal information. A recent example is a fake version of WhatsApp that was downloaded over 1 million times before it was discovered to be fake. It was listed as Update WhatsApp Messenger, and it was removed after it was reported on Reddit.

Fake apps can be very hard to detect. Here are some tips for basic app hygiene:

  • Only download apps that you will actually use and that you have confirmed are legitimate. It is not a badge of coolness to download every app made.
  • Read the terms of use (yes, really read how the app is using your data, what it is capturing, and whether it has access to your camera, microphone or location).
  • Carefully review the title of the app and the description of the app. If the title or words in the description are misspelled or the grammar is off, it could be a fake app.
  • Look at the app’s download count. If the count is relatively low, it could be fake.
  • Review the permissions the app is requesting. If an app is asking for permission to access the camera, your contacts, the microphone and SMS messaging, and those permissions make no sense, it may be fake and trying to get as much access to your device as possible.
  • Never allow an app to obtain administrator privileges over your device.
  • Delete apps you no longer use.

If you download a fake app, delete it as soon as you can. If it does not allow you to delete it, then wipe your phone and start over.

Finally, review the apps that you have given permission to access certain portions of your device by going into Settings, then Privacy and check each listing to see which apps have access to your contacts, calendar, photos, Bluetooth, microphone, speech recognition, camera, health, HomeKit, media and motion & fitness. Yikes, when you think about it, that’s a lot of information being given to app developers. And don’t get me started on biometrics and facial recognition…

This holiday season, make educated choices about which apps you download and how much information you are allowing those apps to have access to on your phone.

Happy holidays!

By now, it’s pretty common knowledge that Alexa has been on a dollhouse shopping spree, and is also helping to solve a murder. Clearly, Alexa cannot be trusted and that’s why she has only limited trigger words, including options such as “Alexa,” “Amazon,” “computer,” and “Echo.” When you speak those words, or other “wake words” that you program yourself, Alexa starts to listen…and record.

Recordings are becoming a normal, but often unexpected, part of our daily routines. Urban legend has it that some smart televisions record your conversations. The same goes for smartphones; supposedly, some of your mobile apps can record every word that falls from your lips. Also questionable. Security cameras? Obviously.

The Nest camera only records and stores footage if you subscribe to an additional service, called Nest Aware. Absent this subscription, the only video clips available are those triggered by sound or motion, and those clips are kept for only three hours. If a customer is interested in storing footage, by subscribing to Nest Aware, clips can be stored for ten or thirty days in the cloud; important clips can even be downloaded. What is less obvious in the terms and conditions, though, is that when switching from free use to the subscription service, the level of monitoring also changes. What was previously triggered by sound or motion is now a continuous recording, which means that thirty days’ worth of conversations and activity are stored in the cloud, securely, but remotely. For some customers, the idea that thirty days of your home life are in the cloud might be an unpleasant surprise, and it could raise real concerns about the privacy you’re actually enjoying.

As a society, it’s safe to say that many of us have willingly given up our privacy for convenience and functionality, but how much we’re willing to sacrifice may be an open question. At a minimum, we should be making conscious decisions about whether our devices are storing or streaming.

On August 5, 2016, the Centers for Medicare & Medicaid Services (CMS) issued guidance to nursing homes in a letter to state survey agencies (Letter) that addresses nursing homes’ obligations to protect residents. The Letter focuses on potential psychosocial harm to nursing home residents caused by the sharing on social media of demeaning photographs or recordings of residents taken by nursing home staff. The Letter appears to have been issued partly in response to a recent investigation by ProPublica, which found numerous instances of alleged abuse of nursing home residents connected to social media postings.

The Letter emphasizes in pertinent part that nursing home residents are entitled by law to:
  • personal privacy and confidentiality of their personal and clinical records; and
  • be free from verbal, sexual, physical, and mental abuse (which includes without limitation humiliation, harassment, threats of punishment, or deprivation).

CMS specifically cites, as an example of mental abuse, taking photographs or recordings (using cameras, smart phones, or other electronic devices) that demean or humiliate a resident and may be distributed through text messages or social media (e.g., on Twitter, Facebook, Instagram, Snapchat, or a combination of those and/or similar apps).

In the Letter, CMS reminds nursing homes of their ongoing obligation to protect residents, which includes developing and implementing written policies and procedures that prohibit all forms of abuse of residents and providing training on such policies and procedures to all staff that provide care or services to residents. Nursing homes must prohibit staff from using any equipment to take, keep, or distribute demeaning or humiliating photographs or recordings of residents. Nursing homes are also required to thoroughly investigate, respond to, and report allegations of resident abuse, and are expected to foster an environment that encourages reporting without fear of retaliation.

The Letter directs state surveyors, starting in September 2016, to request and review nursing home policies and procedures that prohibit staff from taking or using (including by texting or posting on social media) photographs, videos, or other recordings in any manner that could demean or humiliate the resident of a nursing home. Therefore, nursing homes would be well-advised in the coming weeks to review, update, and provide appropriate training to staff on resident abuse prevention policies and procedures in anticipation of heightened scrutiny from state survey agencies.

When I train clients’ employees on data privacy and security, I always mention the microphone on smartphones. They are powerful, and if you allow apps access to your microphone, they can listen to every one of your conversations [see related privacy tip]. Do you want every one of your conversations to be accessible by someone who is not part of the conversation? I find that people still don’t understand how the microphone on their phone can pick up virtually every conversation if the microphone feature is on all the time. Take a look at the microphone settings on your phone and turn access off when you are not using the particular application that requested it.

News broke this week that the CEO of Facebook “tapes over his camera and microphone” on his laptop. Let’s just admit that the CEO of Facebook is pretty tech savvy.

Security experts say that hackers are able to gain access to devices, including laptops and smartphones, through the use of remote-access Trojans—a process known as “ratting.” They gain access to the camera of your device and can literally watch you while you are at your computer. That’s pretty creepy. They then use the images for anything from voyeurism to extortion. And it is a growing problem–especially for women.

Security experts say that taping over the camera and microphone of your device is a good security practice and will keep hackers from being able to spy on you. It is a cheap and effective security tool.

It is reported that not only does the CEO of Facebook tape over the camera and microphone, the head of the FBI does too. Hmmm….going to find some tape…

Of course, I couldn’t find any masking tape or electrical tape in our home, but I found weather-stripping, which did the trick. The camera and microphone on my laptop are now weather-stripped against hackers.

The California Privacy Protection Agency’s (CPPA) Enforcement Division is conducting a review of data privacy practices by connected vehicle manufacturers and related technologies. The CPPA, which was established by the 2018 California Privacy Rights Act, has been primarily focused on developing regulations. This investigation marks its first significant enforcement effort.

Connected vehicles, with features like location sharing, web-based entertainment, smartphone integration, and cameras, automatically gather consumers’ personal information and details about their daily lives. The review aims to ensure that these companies comply with the California Consumer Privacy Act (CCPA), which grants Californians privacy rights, such as knowing the personal information collected about them, the right to delete that information, and the right to stop its sale or sharing.

Besides being the only state with a dedicated privacy enforcement body, California is perhaps the most logical state to regulate the connected auto industry. As the CPPA noted in its press release, California is home to 35 million registered automobiles. California is also home to the Silicon Valley companies spearheading the industry – Google and Apple are two giants in the market, and many foreign innovators like Xiaomi based their US operations in the Valley as well. California regulators are uniquely situated to apply pressure to this burgeoning industry in a way that may translate to the broader US market.