“Alexa, can I trust you?” Connect with caution in the IoT era
By Molly Gluck
In Part One of Boston University’s National Cyber Security Awareness Month Medium series, security experts weigh in on the top threats associated with connected devices and share best-practices for protection
Equifax. Yahoo. Facebook. What do these companies have in common? They all suffered a breach that exposed the personal data of millions of users. Unfortunately, these aren’t isolated incidents. For businesses, governments and consumers alike, it is just a matter of time. Our hyper-connected world has incited great innovation, yet also widened the attack surface and created new incentives for nefarious actors to capture and monetize sensitive data and information. In fact, according to the Gemalto Breach Level Index, in the first six months of 2018 over four billion records were compromised and 945 security incidents were reported in industries ranging from healthcare, to financial services and government.
To address the cyber threat landscape, the Department of Homeland Security (DHS) instituted National Cyber Security Awareness Month (NSCAM): an annual initiative to raise awareness about the importance of cyber security, ensure every American has the resources they need to stay safer and more secure, while increasing the resiliency of the Nation against cyber-attacks.
In honor of NSCAM, Boston University professors David Starobinski, Manuel Egele and Ari Trachtenberg from the Department of Electrical and Computer Engineering, and Ran Canetti, professor of Computer Science and director of the center for Reliable Information System and Cyber Security, shared their expertise for a three-part series focusing on the most important cybersecurity issues today — starting with IoT (Internet of Things) security. Kaspersky analysts recently reported that IoT attacks are showing no signs of stopping; instead, they’re becoming more widespread and complex. Read below to find out what you need to know about staying secure in an IoT world.
Q1: Smart devices are increasingly ubiquitous — Gartner predicted that there will be over 20 billion connected things by 2020. Recent examples include Audi’s integration of Alexa voice control in its e-tron SUV and Amazon’s new Alexa-integrated microwave. Is the rapid adoption and integration of smart devices and ecosystems opening consumers up to new safety and privacy risks?
“There is no doubt in my mind that our rapid adoption and integration of smart devices is opening up consumers, business, and even governments to safety and privacy risks that we have not yet fully comprehended — much less tamed. We are deploying these devices in our most privacy-sensitive locations (i.e. bedrooms, offices, even bathrooms); smart devices are also infiltrating within our core democratic systems (i.e. West Virginia will be allowing mobile phones for voting) — and as part of the critical infrastructure upon which our daily lives depend (i.e. cars, planes, hospitals, energy delivery, etc.). However, neither the average consumer nor even the technical security experts fully comprehend the various ways that these devices can leak this sensitive information, and how this information might be utilized for harm.” — Ari Trachtenberg
“The rapid deployment of smart devices definitely creates new challenges for security and privacy. Smart devices that sense their environment (i.e. smart assistants) collect information around them and it is not always the case that this data is handled with the necessary care and protection. Equally important are smart devices that actuate in their environment. These actuators have effects in the physical world and hence allow threats from ‘cyberspace’ to interact with the real world.” — Manuel Egele
Q2: Can you provide an example of a smart-device-specific cyber risk?
“In today’s world, the same smart TV that is listening for your verbal commands could also be sending all your household conversations to third party processors. These processors, in turn, could be selling your audio voice print to financial institutions (for extra security) or accidentally leaking it to hackers who could reconstitute various sentences, in your voice, to convince neighbors or friends to provide them with even more access to your life.” — Ari Trachtenberg
Q3: In your opinion, what are the most vulnerable areas within smart city ecosystems?
“Most cities have a control and command center (or an operating room). The greatest threat in my opinion is if an attacker can render such a center non-operational (i.e. by disrupting its communication channels).” — David Starobinski
The recent ransomware attack in Atlanta brings David’s example to harsh reality. This past March, Atlanta fell victim to one of the most severe cyberattacks targeting a major American city. The government’s desktops, hard drives and printers were left inaccessible for five days, residents were unable to pay their traffic tickets or water bills online, or report potholes or graffiti on a city website. These types of attacks can damage the environment, operations, and physical safety.
Q4: Any advice on how we can protect ourselves from IoT-related vulnerabilities?
“For a user to protect his or her data there are various best practices that can be followed. For example, data minimization, or sharing only what’s necessary, implies that third parties cannot lose, share, or misuse the user’s data. Granted, this approach is tedious to apply and requires dedication.
Accounts for online services (e.g., social media, online banking, etc.) contain and manage some of the user’s most personal data. Protecting these accounts should hence receive high priority. Some good practices in that regard are the use of two-factor-authentication and the use of password managers. These are easy to use tools that significantly reduce the risk of getting the user’s account compromised by an attacker.” — Manuel Egele
Stay tuned for National Cyber Security Awareness Month Series Part Two. In the meantime, connect with caution.
You can follow Boston University College of Engineering at @BUCollegeofENG, Boston University Department of Computer Science at @BUCompSci and Boston University Hariri Institute for Computing at @BU_Computing on Twitter.
