Adding Sound to Raspberry Pi

I had a Raspberry Pi 3 running an Asterisk phone server.  I wanted to make use of the “console” functionality of Asterisk.  By setting up an audio console, I would be able to make a phone call to the console from any extension, and have whatever audio I speak from the extension play over the console speakers (sort of a paging function).  In addition, by connecting a microphone, I would also be able listen to sounds in the room where the console is located from any extension.

On a regular Linux PC, the Asterisk console is automatically created using the sound card.  However, the Raspberry Pi 3 has no audio input at all, and its built-in 3.5 mm jack is a low-quality PWM output.  I considered a couple of different solutions to add sound.  Dedicated hardware is available to add sound to a Raspberry Pi.  However, since that solution is not a standard sound card, I figured it might be difficult to get working with Asterisk.  And the hardware involved costs more than the Raspberry Pi itself!  High-end sound would be overkill for my application.  I still had 3 of the 4 USB ports available on the Raspberry Pi, and USB sound cards are cheap, so I decided to go that route.  I needed to purchase a USB sound card that was compatible with Linux.  I went with the UGREEN USB Audio Adapter.  This particular USB audio card also has a short cable connected to the USB plug – thus ensuring that there is physical room left for existing and future USB hardware.

Using information mainly from the following tutorial, I was able to get sound (both speaker and microphone) working from the Linux command line.

Once this was done, I needed to get Asterisk to recognize this sound card.  I edited the modules.conf file for Asterisk to enable the ALSA channel driver.  However, there was an issue with the load order of the modules.  The module that handles the console driver was getting loaded before the sound modules were loaded.  Eventually, I figured out that what I needed to do was pre-load the ALSA module, using the following command in modules.conf:

preload => chan_alsa.so

I found it was also necessary to use the “plughw:” ALSA device for the console, instead of the normal “hw:” device.  This is because Asterisk's console channel expects audio in one fixed format (8 kHz, 16-bit, mono).  My inexpensive USB sound card did not offer that rate, resulting in distorted and choppy audio.  The “hw:” device talks to the card directly and only works if the card itself supports the requested rate; “plughw:” puts ALSA's plug layer in between, which has the Raspberry Pi's own CPU resample and convert the audio going in and out of the card to match what Asterisk asks for.
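As an added example (not from the original post, and not Asterisk's own documentation), here is a small shell script that puts the steps above together: it finds the USB card's index from the output of aplay -l, writes an alsa.conf that points both directions at the plughw: device, adds the preload line to modules.conf, and appends an extension that dials the console.  The card-name match on "USB", the extension number 700, the [internal] context, and the Console/dsp dial string are assumptions; the aplay -l text inside the script is a constructed sample so the detection can be exercised without a Pi.

```shell
#!/bin/sh
# Added example, not code from the original post. Pulls together the steps
# described above for a USB sound card used as the Asterisk console.
# Assumptions: the card shows up in `aplay -l` with "USB" in its name,
# Asterisk config lives in /etc/asterisk, extension 700 in context
# [internal] is free, and the Console/dsp dial string reaches chan_alsa.

# usb_plug_device "<aplay -l output>" [pattern]
# Prints plughw:<card>,0 for the first card whose line contains the pattern
# (default "USB"), or nothing if no card matches.
usb_plug_device() {
    printf '%s\n' "$1" | awk -v pat="${2:-USB}" '
        /^card [0-9]+:/ && index($0, pat) {
            sub(/^card /, ""); sub(/:.*/, "")
            printf "plughw:%s,0\n", $0
            exit
        }'
}

# alsa_conf <device>: alsa.conf for chan_alsa. The plug layer (plughw:)
# resamples to the 8 kHz 16-bit mono that the console channel expects.
alsa_conf() {
    cat <<EOF
[general]
autoanswer=yes
context=internal
input_device=$1
output_device=$1
EOF
}

# install_console: apply the configuration on the Pi (run as root).
install_console() {
    dev=$(usb_plug_device "$(aplay -l)")
    [ -n "$dev" ] || { echo "no USB sound card found" >&2; return 1; }

    # Sanity check outside Asterisk: record 3 s at 8 kHz mono, then play it back.
    arecord -D "$dev" -f S16_LE -r 8000 -c 1 -d 3 /tmp/console-test.wav
    aplay -D "$dev" /tmp/console-test.wav

    alsa_conf "$dev" > /etc/asterisk/alsa.conf

    # preload => chan_alsa.so must sit inside the [modules] section.
    grep -q '^preload => chan_alsa.so' /etc/asterisk/modules.conf ||
        sed -i '/^\[modules\]/a preload => chan_alsa.so' /etc/asterisk/modules.conf

    # Extension that pages the console (adjust number and context to taste).
    printf '\n[internal]\nexten => 700,1,Dial(Console/dsp)\n same => n,Hangup()\n' \
        >> /etc/asterisk/extensions.conf

    asterisk -rx 'core restart when convenient'
}

# Constructed sample of `aplay -l` output (Pi 3 headphone jack plus a USB card).
SAMPLE_APLAY='**** List of PLAYBACK Hardware Devices ****
card 0: ALSA [bcm2835 ALSA], device 0: bcm2835 ALSA [bcm2835 ALSA]
  Subdevices: 7/7
  Subdevice #0: subdevice #0
card 1: Device [USB Audio Device], device 0: USB Audio [USB Audio]
  Subdevices: 1/1
  Subdevice #0: subdevice #0'

# Stand-alone run: show what would be detected and the alsa.conf it produces.
dev=$(usb_plug_device "$SAMPLE_APLAY")
echo "detected: $dev"
alsa_conf "$dev"
```

Run the script as-is to see the detection on the sample; on the Pi, source it and call install_console as root.  The arecord/aplay round trip is worth doing before touching Asterisk, because it uses exactly the rate and format chan_alsa will use, so a card that cannot be resampled properly shows up there first.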

Results

I connected a standard set of amplified PC speakers and a standard PC microphone to the USB sound card.  In the Asterisk extensions.conf file, I programmed an extension to connect to the console device.

This results in a working setup.  I can dial the extension of the Asterisk console from any phone on my system, and make paging announcements over the connected speakers.  I am also able to hear sounds in the room where the console is located through the phone.

While the sound quality of the paging audio is fine, I was disappointed in the quality of sound picked up from the microphone.  There is a noticeable amount of hum present.  Not enough to make the setup unusable, but enough to be annoying.  I suspect that the hum is coming from the USB power supply that I am using to power the Raspberry Pi.  Even though I am using a high-current USB supply designed specifically to power a Raspberry Pi, I suspect it still does not have filtering as good as the power supply in a regular PC.  Though too small to be noticeable in the strong signal associated with the speaker output, the ripple from this power supply is likely enough to be significant for the small audio signal associated with the microphone.  A possible solution would be to use a USB power supply with better filtering to power the Raspberry Pi.

Setting up an OpenVPN Server

In last week’s blog article, I discussed what a VPN is, and why you might want to install a VPN client on your computer.  This week, I will be discussing the other side of things – installing a VPN server on a Linux computer.

We discussed how a VPN can help with security.  The assumption was that you have a server – provided by either an employer or a commercial VPN provider – that you connect to.  But what if you yourself provided the server that your remote PCs connect to?  Why would you want to do that?  There are several reasons.

Why Run a VPN Server?

  1. You do not trust the VPN provider.  By running your own VPN, you can secure your traffic from public WiFi networks by redirecting it through your home network, without being concerned that the VPN provider itself might be monitoring your traffic.
  2. You wish to save on the cost of a VPN.  If you already have a server running all the time at home, why not make it a VPN server instead of paying a commercial VPN provider for one?
  3. You wish to access applications running on your home network remotely, but don’t wish to open up a bunch of holes in your firewall to allow you to access them remotely.

I recently faced #3.  I wanted to be able to use my Asterisk server – on my home network – while traveling with my laptop computer.  As well, I wanted to be able to access a telephony database running in MySQL.

Just Forward the SIP Protocol Through the Firewall?

The usual way to allow remote access to an application on your home network is to have your router forward the ports used by the application to the machine running the application.  While this is an okay solution for some simple protocols, I felt doing this with the SIP protocol used by my VoIP phone would be problematic.

First of all, allowing SIP through a firewall requires opening not just one port, but several different ranges of ports.  And because SIP carries IP addresses inside the messages themselves (in the Via and Contact headers, and in the SDP body that describes where the audio should go), those addresses have to be rewritten from the internal address to the external address on the other side of the NAT.  Doing this requires additional configuration not only of the firewall, but of the application itself (in Asterisk, settings such as externaddr and localnet).  Once the call itself is set up, a separate protocol, RTP, carries the audio for the phone call, again requiring a range of ports to be opened in the firewall, and additional IP address translation in the application.  Getting SIP to work through a firewall is known by many to be a time-consuming and often frustrating ordeal.

But even neglecting the difficulty in getting SIP to work through a firewall, opening a firewall to SIP traffic can result in a high volume of hacking attempts.  I once opened up a single SIP port (5060) on a commercial server in order to make VoIP services available externally.  Within hours of opening this port, I had received hundreds of hacking attempts.  These attempts, which came from multiple locations, continued in subsequent days.  While I did secure the server well, and there were no successful hacks, having hackers constantly pounding on the server trying to get in is not a good thing.  It consumes bandwidth, wastes processing power, and there’s always the chance that a hacker eventually succeeds in gaining access.

In fact, SIP services are among the top targets for hackers at present.  This may seem counter-intuitive.  With even international phone calls dirt-cheap these days, why would there be so much effort made to gain access to a phone system to commit toll fraud?  I think what the hackers are looking for is not so much saving money on phone calls, but instead gaining anonymity.  They wish to make “spam” calls that cannot be traced back to them.

No – Use a VPN Server Instead

Based on both the difficulty of setup, and the attractiveness to hackers, I decided it would not be a good idea to allow direct access to my telephony server.  But what I could do is run a VPN server on my network.  This would allow me to connect to applications such as Asterisk (my SIP server) and MySQL (my database server) remotely just as easily as if I was at home (once the VPN connection is established).  By running OpenVPN, I would also only need to open access to a single network port – not the multiple ports required for SIP and other applications.  And since OpenVPN authenticates clients with certificates, an attacker who does not hold a valid client certificate cannot get in, no matter how many passwords they try.  With OpenVPN's tls-auth or tls-crypt option turned on, the server goes a step further and discards any packet that is not signed with a pre-shared key before it even begins a TLS handshake, so over UDP a port scanner gets no reply at all.

Setting up OpenVPN Server

Since there are plenty of good tutorials already online, I won’t go into the details of setting up the OpenVPN server, other than to briefly note how I resolved a couple of issues I ran into.  The OpenVPN site itself has a good tutorial.  I also found this article helpful.

The setup went pretty much as described by the above sources, with the exception of two issues.

The first issue was that, although I could connect to the OpenVPN server itself, I was not able to connect to other machines on my home network.  The articles mention the need to turn on IP Forwarding, which I had done.  However, another thing not mentioned directly in the articles that is necessary is to add a route to other machines from the VPN server by using iptables.  Adding this route allowed me to connect to any machine on my network.  However, changes made to iptables are lost upon system reboot.  So the first time I rebooted the VPN server, I was again no longer able to connect to other machines on my network through the VPN.  I found a package called iptables-persistent (this is the package name for Debian Linux – other Linux distributions may have a similar package with a different name) that makes iptables changes persist between reboots.  Once I re-added the route to other machines and installed this package, access to other servers on my home network again works, and continues to work even after rebooting the VPN server.
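What gets added with iptables here is, strictly speaking, not a route but a NAT rule: packets from the VPN clients are masqueraded behind the server's LAN address, so the other machines on the home network answer the VPN server and never need to know about the 10.8.0.0/24 tunnel subnet.  As an added example (not from the original post, and not from the tutorials it refers to), the script below reads the client subnet from the server directive of server.conf, turns the netmask into a prefix length, adds the MASQUERADE and FORWARD rules only if they are not already present, enables IP forwarding persistently, and saves the rule set where iptables-persistent restores it from at boot.  The path /etc/openvpn/server.conf, the LAN interface name eth0, and the sample config text inside the script are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or its tutorials. The iptables
# change that lets VPN clients reach the rest of the LAN is a NAT rule: traffic
# from the VPN subnet is masqueraded behind the server's LAN address, so LAN
# hosts answer the server and never need a route back to the tunnel subnet.
# Assumptions: /etc/openvpn/server.conf, LAN interface eth0, Debian with
# iptables-persistent available.

# mask_to_prefix 255.255.255.0 -> 24 (counts the set bits of a dotted netmask)
mask_to_prefix() {
    bits=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        while [ "$octet" -gt 0 ]; do
            bits=$((bits + (octet & 1)))
            octet=$((octet >> 1))
        done
    done
    echo "$bits"
}

# vpn_subnet: reads an OpenVPN server config on stdin and prints the client
# subnet in CIDR form, taken from its "server <network> <netmask>" directive.
vpn_subnet() {
    set -- $(grep -E '^[[:space:]]*server[[:space:]]' | head -n 1)
    [ "$#" -ge 3 ] || return 1
    printf '%s/%s\n' "$2" "$(mask_to_prefix "$3")"
}

# add_rule_once <table> <chain> <rule...>: append a rule only if it is absent,
# so re-running the script does not stack duplicates.
add_rule_once() {
    table=$1; chain=$2; shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
        iptables -t "$table" -A "$chain" "$@"
}

# setup_vpn_nat: apply on the VPN server (run as root).
setup_vpn_nat() {
    subnet=$(vpn_subnet < /etc/openvpn/server.conf) ||
        { echo "no server directive in server.conf" >&2; return 1; }

    # IP forwarding, now and after reboot.
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf ||
        echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf

    # The "route": masquerade VPN clients behind the LAN interface.
    add_rule_once nat POSTROUTING -s "$subnet" -o eth0 -j MASQUERADE
    # Allow the forwarded traffic even if the FORWARD policy is DROP; only
    # replies come back in, so the LAN cannot initiate towards VPN clients.
    add_rule_once filter FORWARD -s "$subnet" -o eth0 -j ACCEPT
    add_rule_once filter FORWARD -d "$subnet" -i eth0 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Persist: iptables-persistent reloads /etc/iptables/rules.v4 at boot.
    DEBIAN_FRONTEND=noninteractive apt-get install -y iptables-persistent
    iptables-save > /etc/iptables/rules.v4
}

# Constructed sample server.conf for running the parsing part without OpenVPN.
SAMPLE_CONF='port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"'

# Stand-alone run: show the subnet the rules would be built for.
printf 'VPN subnet: %s\n' "$(printf '%s\n' "$SAMPLE_CONF" | vpn_subnet)"
```

The -C check before each -A is what makes the script safe to run more than once; without it every run appends another identical rule, which is harmless for MASQUERADE but confusing when reading iptables-save output later.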

Results

I am now able to connect to my home Asterisk VoIP server from a soft phone client on my laptop.  I am able to make and receive calls without any issues.  I even found an OpenVPN client and a soft phone that run on my iPhone, so I am able to use the full functionality of my home VoIP setup no matter where I travel.  I am also able to connect to MySQL Server, and to other applications located on other machines on my home network.

Best of all, if I later wish to connect to new servers or applications on my home server, no additional setup will be required.  And I only have a single port (one that runs a protocol that requires a certificate to successfully access) exposed on my home network.

Why would you need a VPN (Virtual Private Network)?

According to a PC Magazine survey of 3000 US consumers conducted in late 2018, just over half had used a VPN.

Consumer VPN Usage in US (late 2018)

Uses for a VPN

What do you think of when you hear the term Virtual Private Network (VPN)?

Many of us think of a VPN as being a method to connect to our workplace network in order to work from home.  Using a company-provided VPN connection, the worker is able to connect to their work PC and access all its software through programs such as Remote Desktop.  Thus the worker is able to do just about everything they could do on their computer in the office while remaining at home.  Although it uses the internet to carry the network traffic, a VPN connection uses strong encryption, making it (at least in theory) impossible for someone to intercept proprietary corporate data.

A second popular use for a VPN is to secure communications when accessing an unencrypted WiFi network, such as a public hot spot.  Public WiFi hot spots, such as those found in restaurants, motels, etc. are often unencrypted.  Since data is transmitted “in the clear” over radio waves, it is fairly easy (and fairly likely where a large number of people are gathered together in one place) for a malicious third party to monitor.  A decade ago, most web pages, and even some email services, used unencrypted (http) connections to transmit data.  All someone would have to do is log in to their Facebook account (for example) from Starbucks while someone else within range of the WiFi network ran a monitoring program.  Their password would be instantly stolen.  These days though, almost every social media and email site uses the secure http (https) protocol – at least for the exchange of login information – if not for the entire session.  Thus there is less reason to use a VPN on a public network these days, although doing so does not hurt anything: even with https, the names of the sites you visit are still visible to anyone on the same network (in your DNS queries and at the start of each TLS connection), and a VPN hides those as well.

A third use for a VPN is to get around restrictions put in place by an Internet Service Provider (ISP).  A residential ISP may throttle certain types of internet traffic (for example, sharing of large files such as videos).  Using a VPN, the traffic is encrypted, preventing the ISP from recognizing it as a protocol it would throttle.  Another example would be an ISP that offers land line phone service as an add-on package to internet service.  This ISP may block telephony traffic for VoIP protocols such as SIP, in order to get more customers for their land line service.  Inside a VPN tunnel the protocol itself, as well as the content, is encrypted, so the provider’s restrictions are bypassed (the ISP can still see that you are using a VPN, and may throttle or block the VPN protocol itself).  This is also important for users in countries such as China where access to certain sites may be blocked by the government.  If the user is able to connect to a VPN located outside their country, they can browse the internet with all the freedom of a user located in the country where the VPN is located.

A fourth reason to use a VPN is anonymity.  Let’s say someone observes an unsafe practice in their workplace, and they wish to report it.  However, they feel they may be subject to retaliation if the comments can be traced back to them.  If they attempt to send an “anonymous” email from home, that email may carry their home IP address in its headers (some mail providers add it, some do not).  Knowing the IP address often allows the location of the sender to be narrowed down to a specific neighborhood.  It may even reveal their complete identity, if they have ever identified themselves on the destination site before.  It might be safest to use a public computer (such as one at a library for example).  However, an acceptable layer of safety might also be provided by using a VPN service from home.  Some people are just annoyed at personal data collection.  They wish to remain anonymous to marketers, so that when they search for information about the latest new gadget their friend is talking about they don’t start getting bombarded by ads for this product on the web going forward.  With a VPN, marketers can no longer tie their home IP address to someone potentially interested in the product, although a VPN changes only the IP address: cookies and browser fingerprints still identify the same browser, and logging in to an account identifies the person outright.

VPN Providers

Many employers (particularly in Information Technology jobs) provide a VPN for their employees.  Perhaps the employee is expected to be able to investigate problems that occur outside regular working hours (i.e. be “on call”).  Perhaps it is a perk to the employee to be able to “work from home” on certain days of the week using the VPN.

Commercial providers cater to the other VPN needs described above by selling access to VPNs.  A typical rate is from $5 to $20 a month.  Most providers allow the user the choice of dozens or even hundreds of servers, located throughout the world, in order to keep their location and identity private.

Connecting to a VPN

In order to connect to a VPN network, you will need a VPN client.  This is generally provided by the company providing the VPN access (employer or commercial provider).

Many commercial VPN providers allow the use of OpenVPN.  This is a good thing, as the software is open-source, which means anyone can examine the code to look for possible security holes.  There is much incentive for a student or security researcher to “make a name for themselves” by discovering and reporting any security problems that exist in a widely-used product.   Open-source software also makes it very difficult to hide any “back doors”, since a lot of people look at the code.  The OpenVPN client is fairly easy to install and get running on a PC or laptop.

Some employers use proprietary VPN software.  Proprietary VPN clients can be more difficult to install and get working.  I remember once spending almost an entire day with the support desk of one company I worked for trying to get connected to the company’s network using the proprietary VPN product that they used.  Security holes are also more likely to surface eventually in proprietary products.  However, even the worst commercial VPN products usually can prevent eavesdropping by “casual” hackers.

Running your own VPN

What if you could set up your own VPN server, and connect to it when on the road?  Why would you want to?  And how would you do it?  In the next blog article, I will discuss why I set up my own VPN server on my home network, and how I did it.

Review of Qotom Mini PC j1900

Qotom Mini-PC (right), next to AT&T UVerse Router, Phones, and ATA.

Recently, I was running out of processing power on my Raspberry Pi 3.  I was running Asterisk PBX, OpenVPN Server, and several sensor monitoring and MQTT applications.  I wanted to add MySQL Server, but figured that might be pushing things.

My first thought was to run an old desktop PC.  However, I was a bit short on physical space, and didn’t really want a large desktop box.  So I started researching mini-PCs.  I wanted something as powerful as a low-end PC.  Something that didn’t take up much space, and with as few mechanical parts as possible.  After researching what was available, I decided to go with a model made by Qotom.  The model I purchased has an Intel quad-core processor, and 8GB of RAM.  Just like a desktop.  A big plus is that it has 4 Ethernet ports.  That could be useful if I decide to make my own router some day.

This mini-PC consumes a maximum of 10W of power.  This is significantly less than a classic desktop.  I had an old quad-core desktop with comparable specs.  I measured its power consumption – it varied from just over 40W when idle, to over 80W when running CPU-intensive tasks.  The Qotom has no moving parts.  There is a large heat sink in place of a fan, and the hard drive is solid state.  I wondered, though, if a heat sink and no fan would actually keep the device cool.  Turns out, it does.  Here is a thermal picture:

Thermal Image – Qotom Mini-PC (right), next to AT&T UVerse Router and phone.

As you can see, the temperature of the mini-PC (while running Asterisk, OpenVPN, MySQL Server, and several other applications) is around 86 degrees Fahrenheit.  This is about 15 degrees warmer than the ambient room temperature, and is comparable to the temperatures of other electronics such as the router and phone.

I created installation media for Lubuntu (the lightweight Ubuntu flavor) using a standard USB thumb drive.  The operating system installation process was almost identical to that of an ordinary PC.  I connected a monitor and Ethernet cable, plugged in the USB keyboard, mouse, and thumb drive, and proceeded with installation.  Because of the SSD hard drive, it actually went faster than on an ordinary desktop PC.  In under an hour, the software, as well as all current updates, was installed.  Initially, the machine booted up to the desktop GUI.  Once I installed OpenSSH to allow me to access the computer through secure shell, I disabled the GUI, and disconnected the keyboard, mouse and monitor.  I then proceeded to install the other software I needed using the command prompt on a remote terminal.

This machine has performed flawlessly for me over the past week and a half.  Not only does it save space over a desktop, but it also saves money on electricity.  If you assume (conservatively, based on my measurements above) that a desktop PC consumes an average of 50W, this setup saves 40W.  That adds up to about 30 kWh saved in a month.  If electricity costs 10 cents per kWh, that is a savings of around $3 a month, or $36 a year.

A mini-PC such as this is too specialized to be just walk in and buy at retail stores like Walmart and Best Buy.  It is available on Amazon, for around $200.  If you are an Amazon Prime member, it probably makes the most sense to buy it there, so you can get it in two days.  Actually, in my part of the US there is free one-day delivery for this item.  In fact, I ordered this on Sunday evening and had it by noon on Monday.  If you don’t have Amazon Prime, then eBay may be your best bet for purchasing this.  Some computer specialty stores may also be able to custom-order it, but this would likely be the slowest option.

Disclosure: I am not associated with the manufacturer of this mini-PC, nor any of the retail outlets mentioned above.  I am not being paid by anyone for this blog post – I simply wanted to share my findings and recommendations.

How to tell if your IoT devices are vulnerable to hacking

How can you tell if your IoT devices are vulnerable to hacking, despite your best security efforts when setting them up?  There is no way to be 100% sure.  But there are a couple of checks you can do easily that will detect many common issues.

Shodan

First, there is a site called Shodan (shodan.io).  Much like Google and Bing index web sites, Shodan continually scans the public internet for anything listening on an address (web servers, cameras, routers, databases, and so on), records what each service announces about itself, and makes the results searchable from a web page.  A home router that exposes a device to the internet therefore tends to show up there.

To see what Shodan has for your home network, you first need to know its public IP address.  For the sake of this article, we will concentrate on IPv4.  Although attacking through IPv6 addresses is possible, it is presently not widespread, mainly because the IPv6 address space is far too large to sweep exhaustively the way scanners sweep IPv4.  You can get the public IP address of your home network by browsing to the following site: ip4.me.  When you visit this site, you will see an IP address in the format “111.111.111.111” displayed.  This is the address your router presents to the internet, and every device in your home shares it.  You should write down this address, or, better yet, copy it to your clipboard.

Now visit the shodan.io site.  Type or paste in the IP address you found above, and click the “magnifying glass” to search.  Hopefully, you will see results that look like this:

The above shows that no information was found for the IP address entered.  That is a good thing.  If you see something else, such as the following, there may be a problem.

If you see something like the above, there could be a problem.  I say “could” because there are legitimate reasons that services can sometimes be exposed.  But it’s certainly something that may warrant further investigation.  Talk to your “geek” friend, or someone else knowledgeable about IoT security if you see something like this.

One thing to keep in mind is that Shodan does not scan sites in real time.  Just like it may take days or even a week or more for a new web site to appear on Google or Bing, it may take a similar amount of time before Shodan is updated.  So when connecting a new IoT device to your network, it’s good to check Shodan again in a week or two to make sure it still shows no results found.

HaveIBeenPwned

Another useful site is haveibeenpwned.com.  This site lets you search for your email address to see whether it appears in breach data that has been publicly circulated (typically by the attackers, not by the company that was compromised).  As I mentioned before, you could have a perfectly secure IoT device.  But if the company that operates the device is hacked, or another company you do business with is hacked and you used the same password, your device is still vulnerable.  Most people have had at least one of their accounts exposed at one time or another.  For example, here is what I see for myself when I enter one of my email addresses:

As you can see above, two business sites I have accounts with were hacked.  Fortunately, I never re-use passwords, so the only thing I needed to do was change my passwords on the affected sites.

Good results from the above two sites do not guarantee that your IoT setup is secure.  But they are a good first check.
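The breached-account search above needs a haveibeenpwned.com API key when done from a script, but the other half of the same service, Pwned Passwords, can be queried from a shell without one, and it is the check that matters for the reused-password case described above.  As an added example (not from the original post, and not Have I Been Pwned's own code), the script below implements that lookup the way the service intends it: only the first five hex characters of the password's SHA-1 hash leave the machine, the server returns every hash suffix it knows under that prefix together with a count, and the comparison happens locally, so the password itself is never sent.  The range response embedded in the script is a constructed sample (only the entry for "password" is real); sha1sum and curl are assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original post or from Have I Been Pwned.
# Checks a password against the Pwned Passwords range API using k-anonymity:
# the server only ever sees the first 5 hex chars of SHA-1(password).
# Assumes sha1sum (coreutils) and curl are available.

HIBP_RANGE_URL="https://api.pwnedpasswords.com/range"

# sha1_upper "secret" -> 40 uppercase hex chars
sha1_upper() {
    printf '%s' "$1" | sha1sum | cut -c1-40 | tr 'a-f' 'A-F'
}

# count_in_range <suffix>: reads a range response on stdin (lines of
# SUFFIX:COUNT) and prints the count for the suffix, or 0 if it is absent.
count_in_range() {
    n=$(tr -d '\r' | awk -F: -v s="$1" '$1 == s { print $2; exit }')
    echo "${n:-0}"
}

# pwned_count <password>: online check; prints how many times the password
# appears in the corpus (0 means not found). Add-Padding makes every response
# roughly the same size so the prefix cannot be inferred from response length.
pwned_count() {
    h=$(sha1_upper "$1")
    prefix=$(printf '%s' "$h" | cut -c1-5)
    suffix=$(printf '%s' "$h" | cut -c6-40)
    curl -fsS -H 'Add-Padding: true' "$HIBP_RANGE_URL/$prefix" |
        count_in_range "$suffix"
}

# Constructed sample of a range response for prefix 5BAA6. The real answer has
# hundreds of lines; only the second line below is real, being
# SHA-1("password") with its first 5 characters removed. Counts are made up.
SAMPLE_RANGE='0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2E6A5DDA0E6F0A6B0B2B3B5B6B7B8B9B0B1:2'

# offline_demo: the same matching logic run against the sample response.
offline_demo() {
    h=$(sha1_upper password)
    printf '%s\n' "$SAMPLE_RANGE" | count_in_range "$(printf '%s' "$h" | cut -c6-40)"
}

# Stand-alone run: no network needed.
printf '"password" seen %s times in the sample range\n' "$(offline_demo)"
```

To check a real password, source the script and run pwned_count; the only thing visible on the wire is the five-character prefix, which is shared by roughly half a million hashes.  A non-zero count means the password is in circulation and should not be reused on an IoT device regardless of how strong it looks.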

Is Microsoft Spying on Word Document Content?

Something Strange

Last fall, I was monitoring outbound traffic from IoT devices on my home network using Wireshark.  When I looked at the captures later, I noticed something strange.  There appeared to be web browsing activity to https sites.  I had deliberately avoided any web browsing during the testing period, so why was I seeing what appeared to be web browsing activity?

When I checked the IP address the traffic came from, I noticed it was my Windows 10 desktop computer.  I knew I had not browsed the web there.  The only thing I had done during the monitoring time was to edit a document with Microsoft Word.  So I decided to investigate whether perhaps Microsoft Word itself was doing the “web browsing”.

I started Wireshark on my desktop PC.  The only traffic I saw was the normal background noise of any network – neighbor solicitation, ARP requests, and the like.  Then I opened up a document using Microsoft Word.  Suddenly there was a flurry of activity, including https traffic!  Here is a screenshot of a portion of what I captured (here is a link to the full-size image):

What is going on here?

This is just a small portion of the data exchange that occurs when I open a document in Word.  As you can see, a significant amount of data is being exchanged.  In one packet alone, over 6 kB of data is being sent to the site “prod.roaming1.live.com.akadns.net”.  We can’t tell what data is being sent, because it is encrypted with Transport Layer Security, the same technology used to exchange information with secure web sites (those that have a URL beginning https://).  Note that a name ending in akadns.net is the name Wireshark resolved for the CDN’s address, not necessarily the hostname Word asked for; that hostname travels unencrypted in the TLS handshake (the Server Name Indication field) and is usually more descriptive.

Research reveals that “akadns.net” is Akamai Technologies, a Content Delivery Network (CDN).  Such networks allow for high performance distribution of content.  Companies needing to provide efficient data exchange for high-traffic applications can pay a CDN to host their data, much as an individual or business often pays a third-party company to host their web site.  The “live.com” portion of the site provides a clue as to who this hosting is being done for.  Looking this up using the standard “whois” command (in Linux) reveals the following:

Registrant Organization: Microsoft Corporation
Registrant Street:
Registrant City: Redmond
Registrant State/Province: WA
Registrant Postal Code: 98052
Registrant Country: US
Registrant Phone: +1.4258828080
Registrant Phone Ext:
Registrant Fax: +1.4259367329
Registrant Fax Ext:
Registrant Email: domains@microsoft.com

This makes perfect sense.  I am opening up a document in Microsoft Word, and data is being exchanged with a CDN that is serving Microsoft.
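TLS encrypts the payload but not the hostname the client asks for: the Server Name Indication field in the ClientHello goes out in clear text, and it names what Word actually requested rather than the CDN machine's resolved name.  As an added example (not from the original post), this script summarises a capture by TCP stream, labels each stream with its SNI, and totals the bytes per hostname with awk, so the "how much goes where" question above can be answered from the capture directly.  It assumes tshark from Wireshark 3.0 or later (the field is named tls.handshake.extensions_server_name there; older versions call it ssl.handshake.extensions_server_name) and a capture file word.pcapng; the tshark output embedded in the script is a constructed sample with made-up hostnames.

```shell
#!/bin/sh
# Added example, not code from the original post. Per-hostname byte totals for
# a capture, using the clear-text SNI of each TLS ClientHello as the label.
# Assumes tshark (Wireshark >= 3.0 field names) and a capture file word.pcapng.

# sni_summary: reads tab-separated "tcp.stream frame.len sni" lines on stdin
# (sni is empty except on the ClientHello) and prints "bytes<TAB>name" per
# stream, largest first. Streams that never carried a ClientHello are "(no SNI)".
sni_summary() {
    awk -F'\t' '
        { bytes[$1] += $2; if ($3 != "") name[$1] = $3 }
        END {
            for (s in bytes)
                printf "%d\t%s\n", bytes[s], (s in name) ? name[s] : "(no SNI)"
        }' | sort -rn
}

# capture_summary <file.pcapng>: extract the three fields with tshark and summarise.
capture_summary() {
    tshark -r "$1" -Y tcp -T fields -e tcp.stream -e frame.len \
        -e tls.handshake.extensions_server_name | sni_summary
}

# Constructed sample of tshark's field output: three TCP streams, hostnames
# made up. Stream 0 carries a 6.4 kB packet like the one in the screenshot.
SAMPLE_FIELDS=$(printf '0\t66\t\n0\t583\tsettings.example.net\n0\t1514\t\n0\t6420\t\n1\t66\t\n1\t517\ttelemetry.example.net\n1\t1200\t\n2\t66\t')

# sample_summary: the summary run over the constructed sample, no capture needed.
sample_summary() {
    printf '%s\n' "$SAMPLE_FIELDS" | sni_summary
}

# Stand-alone run.
sample_summary
```

On a real capture, run capture_summary word.pcapng; the output lists each hostname Word contacted with the total bytes in both directions for that connection, which is the view you want before asking whether a given volume of traffic is a license check, an update check, or something else.  Frame sizes include headers, so the totals are slightly above the application data actually transferred.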

So is Microsoft spying on me?

I can’t know for sure, because the data being exchanged is encrypted.  I do know that a significant amount of data (measured in kilobytes) is sent every time I open a Microsoft Word document.

There are certainly other valid reasons why data could be exchanged.  My first thought was a license check.  Microsoft might be verifying that my copy of Word is properly licensed.  However, the data is exchanged each time I open Word.  Presumably, a license check would only need to be run say once a day at most.

Perhaps Word is just checking for software updates.  Data would need to be exchanged in both directions to do this.  However, I would again question why a software update check would need to happen every time Word is opened.  As with a license check, it would seem that once a day would be more than adequate.

Perhaps someone else knows more

I’ve done a fair amount of searching on the web, and have been unable to find much discussion of what data Microsoft Word exchanges over the internet when it is opened.  I have seen a few discussions from network administrators who describe how things break when access to the CDN site is blocked, but that’s about it.

If any of my readers know more, I’d be interested in hearing from you.  Or perhaps you have a different setup, and the ability to capture network data.  I am running Office 365.  It would be interesting to compare notes with someone running, say, the stand-alone version of Microsoft Word.  Please use the comment feature of this blog so others can see the information as well.

Conclusion

I’m certainly not saying that Microsoft is spying on the content of my Word documents.  I don’t know what they are doing, because the data exchanged is encrypted.  I do know that a pretty large exchange of data (many kilobytes sent and received) occurs each time I open Microsoft Word.

Connected Device Security – What could go wrong?

Let’s say you’re about to connect a new IoT device to your network.  It could be a smart TV, a camera, a remote doorbell, or even a drone.  How can you know if it is secure?  What are some ways that security can fail?  In this article, I will list the most common reasons for security failure.

Failure Reason #1 – The device itself is insecure.  Even the best-written software, by large companies with huge budgets for security testing, will contain exploitable security holes from time to time.  That’s why large software companies, such as Microsoft and Apple, regularly issue security updates.  Unfortunately, the companies that develop connected devices may not have nearly as many resources to devote to security testing.  And unlike your computer or iPhone, software updates might not be automatic.  In fact, some IoT devices may not even be update-able at all!  Once security flaws are found, hackers quickly write programs to exploit them, and share these programs with other hackers.  As discussed in a previous article, these hackers are then able to hijack the device in a variety of ways – ranging from denial of service to spying to creating a remote hacking platform that cannot be traced back to them.

Failure Reason #2 – The device is improperly set up.  Perhaps the latest software updates have been installed on the device, and there are no known security vulnerabilities with the software.  It could still be hacked if care is not taken in setting it up.  Perhaps you forget to change the default password.  Or you pick a password that is easy to guess.  Password-guessing software can try thousands of passwords per second against a device that does not rate-limit logins, and billions per second offline against a leaked password hash.  So if you use something obvious – including names of sports teams, personal information such as a phone number or street name, or any word that is found in a dictionary or other public document, your device is still at risk.  As mentioned in a previous article, your password may also have been stolen from another, less-secure, device or account.  So if you use the same password (or a similar one) for more than one device, your security is still at risk regardless how secure the device itself is.

Failure Reason #3 – Insecure data storage.  Even given a secure device, properly set up, it could still be possible for the device to be compromised.  Perhaps the company that is hosting your device’s data “in the cloud” is hacked, as is described in this news article about Ring Cam credentials being leaked on the web.  And keep in mind too that other data besides that captured by the device could be leaked as well.  Including, but not limited to, your email address and WiFi password.

Failure Reason #4 – dishonest or disingenuous vendor.  All of the above scenarios assume that the vendor is reputable and honest.  But what if they are not?  In the worst case, the company could have dishonest intentions.  While that article is about smart phone software, the same principle applies to IoT devices.  Or perhaps the company is not blatantly dishonest.  However, maybe they have something buried in the middle of a multi-page User Agreement that says you agree to the collection of personal data.  For example, that you agree to allow the use of audio captured by a voice assistant as training data, or even to target ads for things you mention within earshot of the device.  Or you agree to have data about which TV shows you watch sold to media firms.  Not a big deal?  Perhaps.  But remember, your room audio or video or the list of TV and movies you watch is likely stored in the cloud someplace, on the company’s servers.  Suppose these servers are hacked.  Are you comfortable with the hackers publicly posting your home audio or video footage, or your TV and movie viewing habits, along with your full name and email address?

Failure Prevention.  So what steps can be taken to minimize the chances of something going wrong?  First, make sure software for the device is updated regularly and that you have the latest updates installed; before buying, check that the vendor actually ships updates at all.  Second, be careful in setting up the device.  Particularly when it comes to picking a good password – long, not something guessable from a dictionary or from facts about you, and not the same as (or a small variation of) a password you use elsewhere; a password manager makes this practical, and two-factor authentication should be turned on wherever the vendor offers it.  Third, check the company’s reputation for security – both for the device and for their internal data security.  Perhaps do a web search on the device name along with words such as “security” or “hacked”.  Fourth, understand the company’s use of data.  Make sure you are okay with the data that is being collected.  Make sure you would still be okay with it if this data should fall into the hands of hackers.
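To make the point about guessable passwords concrete, here is a small worked example (added here; it is not code from the original article and does not represent any particular cracking tool).  It reproduces, in miniature, what password-guessing software does: take a short word list and apply mangling rules (capitalization, “leet” substitutions, an appended year, an appended digit or symbol), then count how many guesses it takes to reach a given password.  The seed words are constructed for the example; a real attacker would use a full dictionary plus sports teams, pet names and personal details harvested about the target.

```python
"""Added example: why 'obvious' passwords fall to automated guessing.

A tiny seed word list plus a few mangling rules, of the kind password-cracking tools
apply, covers a team name with a year and a symbol in well under a few thousand guesses.
The word list below is constructed for the example, not taken from any real attack.
"""

# Constructed seed words (a real attack would use a full dictionary plus details about the target).
SEED_WORDS = ["password", "giants", "yankees", "maple", "fluffy", "summer"]

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}          # common letter substitutions
YEARS = [str(y) for y in range(1990, 2021)]                         # 31 candidate years
SUFFIXES = ["", "1", "12", "123", "!", "!!", "1!", "#"]             # typical "make it strong" endings


def mangle(word):
    """Yield variants of one seed word in roughly the order a rule-based cracker would try them."""
    leet = "".join(LEET.get(c, c) for c in word)
    bases = []
    for base in (word, word.capitalize(), word.upper(), leet, leet.capitalize()):
        if base not in bases:                 # keep insertion order, drop duplicates
            bases.append(base)
    for base in bases:
        for year in [""] + YEARS:
            for suffix in SUFFIXES:
                yield base + year + suffix


def guesses(words=SEED_WORDS):
    """All candidate passwords for the whole word list, in the order they would be tried."""
    for word in words:
        yield from mangle(word)


def total_guesses(words=SEED_WORDS):
    """Size of the candidate space generated from the word list."""
    return sum(1 for _ in guesses(words))


def guesses_to_crack(password, words=SEED_WORDS, limit=200_000):
    """Number of guesses needed to hit `password`, or None if the rules do not cover it within `limit`."""
    for n, candidate in enumerate(guesses(words), start=1):
        if candidate == password:
            return n
        if n >= limit:
            break
    return None


def seconds_to_crack(n_guesses, rate_per_second):
    """Wall-clock time at a given guessing rate (e.g. 5/s against a throttled login, 1000/s against one that is not)."""
    return n_guesses / rate_per_second


if __name__ == "__main__":
    print(f"{total_guesses()} candidates generated from {len(SEED_WORDS)} seed words")
    for pw in ["Giants2019!", "g1@nt$", "Fluffy123", "k7#Qm2!vLz9pR4wT"]:
        n = guesses_to_crack(pw)
        if n is None:
            print(f"{pw!r}: not covered by this word list and rule set")
        else:
            print(f"{pw!r}: guess #{n}, about {seconds_to_crack(n, 1000):.1f} s at 1000 guesses/s")
```

The random 16-character password is never reached because it is not derived from any word; the “clever” ones fall in a few thousand guesses, which at even a modest online rate is minutes.  Reusing such a password across devices only means that one success opens all of them.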


Security for IoT Home Devices – It really is a big deal!

Last week, I saw several news stories about dramatic hacks of home IoT devices.  One involved a hacker using a home security camera to talk with an 8-year-old girl.  Another showed a hacker taunting a family with loud noises and racial slurs.

It might seem obvious that a webcam is something that needs to be secured from hackers.  But what about all the other IoT devices connected to one’s home network?  I often hear comments like “okay, so someone hacks my smart light bulb.  They can change the color of the light in my room.  Big deal.  And besides, why would someone target a light bulb, when they could be hacking banks and credit card accounts?”

Think again!  The most humble IoT device, such as a smart light bulb, normally sits on the same network as everything else in your home.  Unless that network is segmented (for example, with a separate guest or IoT network), the bulb can reach every computer, storage device, and every other IoT device on it.  Any confidential bank information backed up on the network storage device?  Any confidential documents from work?  A hacker who compromises the smart light bulb can reach all of those from inside the network, behind whatever protection the router’s firewall offers against attacks from outside.  In the case of the Ring cameras that were the subject of the above news stories, it appears that the cameras themselves were not broken into; instead, passwords reused from other, previously breached accounts were used to log into them (so-called credential stuffing).

A compromised device can also be used to hack anonymously, since the attacks will appear to originate from the victim’s network instead of the hacker’s.  In many cases the victim is not even aware that the device has been hacked, since it keeps functioning normally.  In October 2016, the Mirai botnet, made up of hundreds of thousands of compromised IP cameras, video recorders, home routers and other smart devices, was used for denial of service attacks that made many major websites unreachable for hours.
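A device that “keeps functioning normally” is still visible in the router’s or firewall’s flow logs.  The following is an added example (not code from the original post, and not a description of any particular router’s features) of two checks a home router could run over its outbound flow records.  The first looks for scanning: the 2016 Mirai botnet spread by having every infected device probe random Internet hosts on the telnet ports 23 and 2323, so a smart bulb that suddenly opens short connections to dozens of unrelated hosts on those ports has almost certainly been compromised.  The second looks for flooding: a device pushing a large, sustained volume of traffic at a single destination is taking part in a denial of service attack.  The flow records, the home network prefix 192.168.1.0/24 and the device addresses are all constructed for the example, using RFC 5737 documentation address ranges for the Internet side.

```python
"""Added example: spotting a botnet-recruited IoT device in outbound flow records.

Flow lines have the form "timestamp,src_ip,dst_ip,dst_port,bytes_out".  All data below is
constructed for the example; the LAN prefix and probe-port list are assumptions.
"""
from collections import defaultdict
import ipaddress

HOME_LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home network prefix
PROBE_PORTS = {23, 2323, 22, 80, 8080, 81, 7547}     # telnet/ssh/web-admin ports IoT worms probe


def constructed_flows():
    """Constructed flow records (not a real capture) for a bulb (.50), a thermostat (.51), a camera (.52)."""
    rows = []
    for minute in range(0, 60, 5):                   # normal: each device talks to its own cloud host on 443
        rows.append(f"2019-12-15T10:{minute:02d}:00,192.168.1.50,192.0.2.10,443,{900 + minute}")
        rows.append(f"2019-12-15T10:{minute:02d}:00,192.168.1.51,192.0.2.20,443,{1200 + minute}")
    for i in range(48):                              # the bulb, compromised: short telnet probes to 48 hosts
        dst = f"203.0.113.{i + 1}" if i % 2 == 0 else f"198.51.100.{i + 1}"
        rows.append(f"2019-12-15T10:3{i % 10}:00,192.168.1.50,{dst},{23 if i % 3 else 2323},60")
    for i in range(200):                             # the camera, compromised: hammering one DNS server
        rows.append(f"2019-12-15T10:{i % 60:02d}:{i % 60:02d},192.168.1.52,192.0.2.99,53,1400")
    return "\n".join(rows)


def parse_flows(text):
    """Parse CSV flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def profile_devices(flows, lan=HOME_LAN):
    """Per LAN device: external hosts reached per destination port, and bytes/flows per destination."""
    prof = defaultdict(lambda: {"hosts_by_port": defaultdict(set),
                                "bytes_by_dst": defaultdict(int),
                                "flows_by_dst": defaultdict(int)})
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src not in lan or dst in lan:             # only outbound LAN -> Internet traffic matters here
            continue
        p = prof[f["src"]]
        p["hosts_by_port"][f["port"]].add(f["dst"])
        p["bytes_by_dst"][f["dst"]] += f["bytes"]
        p["flows_by_dst"][f["dst"]] += 1
    return prof


def detect_scanners(profile, min_hosts=20):
    """{device: distinct hosts probed} for devices touching many distinct hosts on probe ports."""
    hits = {}
    for src, p in profile.items():
        probed = set().union(*(p["hosts_by_port"].get(port, set()) for port in PROBE_PORTS))
        if len(probed) >= min_hosts:
            hits[src] = len(probed)
    return hits


def detect_floods(profile, min_flows=100, min_bytes=100_000):
    """{device: (destination, bytes)} for devices pushing sustained volume at a single destination."""
    hits = {}
    for src, p in profile.items():
        for dst, nbytes in p["bytes_by_dst"].items():
            if p["flows_by_dst"][dst] >= min_flows and nbytes >= min_bytes:
                hits[src] = (dst, nbytes)
    return hits


def analyse(text, lan=HOME_LAN):
    """Run both detections over a block of flow lines; what a router-side check would do periodically."""
    profile = profile_devices(parse_flows(text), lan)
    return {"scanners": detect_scanners(profile), "floods": detect_floods(profile)}


if __name__ == "__main__":
    result = analyse(constructed_flows())
    for dev, n in result["scanners"].items():
        print(f"{dev}: probed {n} external hosts on telnet/admin ports; likely compromised")
    for dev, (dst, nbytes) in result["floods"].items():
        print(f"{dev}: {nbytes} bytes in sustained flows to {dst}; possible DDoS participant")
```

The thresholds are deliberately crude; the point is that a bulb which only ever spoke to one vendor host on port 443 and then starts touching 48 strangers on port 23 is trivially distinguishable from its normal self, even though nothing about the light in the room changes.  Most consumer routers do not run such a check, which is why the segmentation mentioned above matters as much as detection.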

We all love to hate Windows updates, which seem to occur right when we need to get something done right away.  But such updates serve a valuable purpose.  They fix newly discovered vulnerabilities, ideally before hackers have a chance to exploit them.  They are supported by Microsoft – a huge company with vast resources.  Will a company that makes a $15 smart light bulb have similar resources to ensure that vulnerabilities are patched?  Even if they do, how will these updates be deployed?  When was the last time you updated the software in your smart light bulb?  How many smart light bulbs even have the capability of having their software updated when critical vulnerabilities are found?

This all assumes, of course, that the company that made the IoT device is honest and does not have ulterior motives.  But even that is not always the case.  Does the company that made your smart TV have a known reputation for honesty and transparency?  Or is the reason they are able to sell the product at a “bargain price” perhaps that they make money in other ways besides the sale price?  For example, a smart TV that collects information on your viewing habits and sells it to a marketing agency?  Or a drone that uploads its captured footage not only to your social media accounts, but also to a foreign government’s servers?

This is not to say that IoT devices are “evil”, and should not be used.  They can provide significant value when used with due consideration of security, and full understanding of how any collected data is used.  But many people don’t think twice.  They assume that since they only paid $15 for a smart light bulb, or $60 for a security web camera, that their risk is limited to $15 and $60 respectively.  And that is far from the truth.