Is your toothbrush watching you? Smart devices open homes to hackers

As our homes get smarter, new avenues of entry open up for hackers, keen to steal our personal information. The tech industry, does not seem terribly concerned.

Photo from CFP

Photo from CFP

By JIANG Jingling


Homes are connected in more ways than we ever imagined. Let your refrigerator call out for a takeaway. Turn on the air conditioning from the parking lot. Hook up a camera and watch your pampered dog relaxing at home while you work in the office, but are you the only one watching your pets’ feed?

With a decompiler, widely available online, a hacker can easily bypass passwords and take control of almost any device. In a case currently being tried at a Beijing court, the defendant gained control of 180,000 cameras worldwide, took photos of things the owners didn't want the rest of the world to see and sold them on the internet.

Walls have ears

“Once hackers find the backdoor to your device, they can manipulate it in any way they want and steal your information,” said XU Min, manager at a cybersecurity firm Xiaodun. There is a huge black market for private information – logins, IDs, and even nude pictures – which are in turn used for scams, fraud, and blackmail. Compromised cameras are also available.

Even your juicer might not be safe. Last year, researchers hacked into a robotic vacuum cleaner and turned it into a secret recorder by manipulating the Lidar system. The cleaner didn’t even have a microphone.

A team at RealAI used a pair of “glasses” to fool facial identification on 19 Android phones, including some high-end models.

RealAI told Jiemian News that the glasses could break into almost any facial recognition system, such as smart locks. YU Miao, a researcher at the cybersecurity firm Qianxin, said his team was able to obtain the highest level of control of almost every smart device out there. In some cases, access to one device will compromise all other wifi-connected appliances in a house.

People are often surprised at how much their devices know about them. Two years ago, a data breach at Wyze, a Seattle-based smart device maker, exposed the personal information of 2.4 million users. Not only were their names and emails leaked. Highly personal information such as height, weight and daily protein intake was also made public.

Despite the cautionary tales and horror stories, complacency is rampant. A cybersecurity researcher who asked to remain anonymous told Jiemian News about his exchange with two startups. Their devices were hacked during a cybersecurity conference and were offered free fixes. One begged to “keep it private” for fear of bad publicity. The other simply didn’t do anything. “The security loophole didn’t affect sales anyway, which was what they really cared about,” he said.

The increase in data breaches is correlated with the rise of IoT (Internet of Things). A foolproof security system often means worse performance and/or higher costs, of which IoT startups want neither.

“For many small companies, security is simply nonexistent. A hacker can break into their devices in less than twenty minutes,” said Xu Min, of Xiaodun. It is not such a problem for more established device makers, for whom it’s simply not worth risking the backlash.

The worst that can happen

A product manager at RealAI observed that clients react differently to the same issues. “It all comes down to cost-benefit analysis. The calculation is, what is the worst scenario if I don’t do anything, or if it’s required by law?”

Although the government has passed cybersecurity laws and cracked down on the sale of private information, regulations and industry standards are still lacking. But the market wants more secure devices, and tech companies, left to self-regulate, have made some progress.

Yu Miao observed that he could find vulnerabilities in 80 percent of the tested devices three years ago. Now a mere half of them can be easily compromised. “The standard is only going to get higher. Companies need to get better to survive,”  he said.