Fears of Spying, Hacking Rise with Swell of Internet-Connected Devices

(TNS) — It might sound like a James Bond movie, but it’s happening in our homes: Devices with microphones and cameras are transmitting private images and conversations to the Web, and experts fear smartphones and watches could be used for spying, too.

The problem of digital eavesdropping gained attention in June, when a photo suggested that Mark Zuckerberg, the chief executive of Facebook, might have taped over the video camera and audio jack on his laptop. But the risk goes beyond corporate leaders. Devices ranging from webcams to children’s toys might be tapped for video or audio feeds. Last year, researchers said they could gain access to an Internet-connected Hello Barbie, which would allow them to listen to audio recorded by the doll at home.

The universe of objects connected to the Internet, many of them with cameras and microphones, is swelling rapidly. That fact alarms security experts, who note the seeming ease with which attackers took over poorly protected devices like baby monitors and digital video recorders last month. In that case, the devices were used to send errant signals that knocked Twitter and other Internet companies offline. But given control over the devices, hackers could do much more.

“You have a lot of companies that were not previously engaged with these technology areas, that never dealt with digital security before that are now designing devices that need those protections,” said Betsy Cooper, executive director of UC Berkeley’s Center for Long-Term Cybersecurity. “Those companies might not be as prepared as others.”

The number of Internet-connected devices with voice features shipped in the U.S. is expected to grow nearly 30 percent from 2016 to 2020, to more than 316 million, according to research firm IDC. In the past, some gadget buyers have dismissed the devices as too complex. But as Amazon’s Echo and Apple TV bring voice assistants like Alexa and Siri to living rooms, consumers have grown more comfortable with them.

Yet regulation of the devices hasn’t caught up with their proliferation. It’s up to consumers to assess the security reputation of the companies selling the products. Few members of Congress are familiar with the complexities of cybersecurity, making it more challenging for them to write laws on the subject, said Vince Houghton, historian at the International Spy Museum in Washington, D.C.

There are a few basic ways that microphones can be accessed. Hackers could take over the device through an unsecured connection, like a Wi-Fi router, analysts said. Malware on computers or smartphones can allow an attacker to take control of the device, sometimes including its microphone or video camera.

Experts warn that small vendors overseas may try to undercut larger competitors by skimping on security and testing. For example, low-cost webcams that sell for less than $150 often pose problems, said John Matherly, founder of Shodan, a site that lets people check to see if their video feeds are accessible online. His site shows that there are thousands of video feeds worldwide that don’t need a log-in to view. Plenty of webcams still rely on default user names and passwords, making them targets for hackers, Matherly said.

If strangers can access a webcam’s feed, they may be able to know when its owner is home. Audio files can be used for blackmail.

“Security has not been something that consumers care enough to spend more money on,” Matherly said.

The Internet-connected Hello Barbie doll, which speaks and listens to children, could be hacked to allow outsiders access to audio recordings, researchers with the San Francisco software company Bluebox Security found last year, according to CNET. San Francisco’s PullString Inc., which makes the software behind the doll, pointed to a November 2015 blog post in which its co-founder wrote that “we are actively engaging the security community to address any concerns.” The blog post, published in response to other reports of security worries and shortly before Bluebox circulated its findings, said no audio of children had been accessed.

As for smartphones and computers, it’s important to keep software updated in order to avoid malware. Since software can disable warning lights meant to show when a camera is active, taping over a camera is the only way to be certain images aren’t being transmitted. Microphones are harder to debilitate, but some people stuff the audio jack with a nonworking plug.

A microphone can not only listen to a conversation, it can also provide clues to passwords. In 2015, researchers from Stevens Institute of Technology, Rutgers University and Florida State University ran an experiment in which they were able to determine the passwords a user was typing on a keyboard by listening in via a smartphone placed near the keyboard. In a crowded space like an airplane, a hacker could place his own phone next to a keyboard and capture the keystrokes that way.

“While there is already considerable awareness of privacy risks associated with microphones, this awareness usually extends only to spoken words and not necessarily to keystrokes,” the study said.

It recommended that “microphone access on mobile devices should be tightly controlled.”

Yingying Chen, a professor of electrical and computer engineering at the Stevens Institute of Technology and an author of the study, said consumers ought to be informed of the risk of such snooping.

Google updated its operating system in the fall of 2015 to ask users for permission to give apps access to their microphones rather than automatically allow the access, an approach that is similar to Apple’s mobile operating system.

Some governments, including Australia’s, have strict rules for cell phone use at high-level meetings.

“It is standard practice, on both sides of politics, that no electronic transmitting devices be allowed in the Cabinet room for a range of reasons including security,” according to a spokeswoman from the Department of the Prime Minister and Cabinet in Australia.

Officials in the United Kingdom have been told to leave their Apple Watches behind before Cabinet meetings because of concerns that the devices, which have microphones, could be hacked and used to eavesdrop on conversations, according to the Telegraph. (A different security concern for smartwatches, Chen and other researchers have pointed out, is that their sensors could be hacked to reveal the watch owners’ hand movements, which could be used, for example, when someone is entering a personal identification number at an ATM.)

There are also worries about voice-activated devices listening to everyday conversations and sending the information to third parties. An attorney in New York raised that issue last year when he read the privacy policy on his Samsung TV. It said spoken words, including personal or other sensitive information, could be part of information “captured and transmitted to a third party.” California subsequently passed a law that would require smart-TV manufacturers to notify customers during set-up that the TV can listen in on their private conversations, and bars manufacturers from selling that information to third parties for advertising purposes.

“You have devices, once they are turned on and activated, that are capable of hovering over massive amounts of data and capturing lots of background conversations,” said Assemblyman Mike Gatto, D-Los Angeles, who helped author the law. “If that gets in the wrong hands, it’s not going to be a good thing.”

Amazon said the information collected on its Internet-connected home devices isn’t used for advertising purposes, though it does track purchases made through its Echo speaker. Apple said the information Siri collects is anonymized, encrypted and not used for advertising either. Google said it does not serve ads on Google Home but it “may use conversations with Google Home to make ads in other services more useful to the user.”

Despite the controversies, analysts don’t believe that people will stop buying Internet-connected devices. That’s because the gadgets can make life more convenient.

Houghton, the spy museum historian, lives in Washington, D.C., and says he has a webcam installed so he can keep an eye on his mother in Florida. It’s possible that the device could be hacked and people could see what his mom is doing in her home, but it is a risk he is willing to take because that technology also allows him to check up on her and make sure she’s OK.

“It’s the give-and-take we have in this modern world, where technology is redefining what we consider security and privacy,” he said.

©2016 the San Francisco Chronicle Distributed by Tribune Content Agency, LLC.