WASHINGTON, D.C. — Tens of billions of devices, ranging from coffee makers to cars to spacecraft, could someday be connected to global networks thanks to what’s known as the Internet of Things, or IoT, and cybersecurity experts say that could open up a whole new universe for hackers and eavesdroppers.
Consider the humble coffee maker, for example: University of North Carolina techno-sociologist Zeynep Tufekci suggested that if Chinese authorities wanted to, say, root out Muslim activists in the country’s far western Xinjiang region, they could watch for the telltale sign of coffee or tea being brewed before morning prayers.
“Your coffee maker has an IP [address], and it might be at risk of identifying these people, because if I wanted one piece of data from the region, that would be my thing. … It’s a very synchronized hour, that’s the whole point of it,” Tufekci said here last weekend during the annual meeting of the American Association for the Advancement of Science.
“Holy crap, we were just talking about coffee making, right? And now we’re talking about taking people to send to internment camps,” she said. “These lines are not as far apart from one another as one would think.”
The Internet of Things makes it possible to take action at a distance: It’s great to be able to turn on a coffee maker from your bedroom, using a smartphone app. Or turn off the bedroom lights using an Amazon Echo. That’s why analysts expect more than 75 billion devices to be part of the Internet of Things by 2025.
All those devices make the IoT a juicier target for computer attacks like the one that turned more than a million webcams into a network-jamming army of bots in 2016.
“We basically forgot to build security into the Internet of Things,” said Kevin Fu, a computer science and engineering professor at the University of Michigan.
Fu and his colleagues already have demonstrated how hackers could use sound waves to control the accelerometers on smartphones or self-driving cars … use ringtones to turn on stove burners … or fiddle remotely with medical devices. To address such threats, he co-founded a Seattle-based healthcare cybersecurity company called Virta Labs.
It’s even possible to transmit audio directly into someone else’s computer without making a sound, using a phenomenon known as intermodulation distortion. “You hear about the kid with the braces who can pick up AM radio stations?” Fu said. “This is the same concept, except we’re inducing it on things that didn’t want to hear us.”
Fu’s lab has even come up with an acoustic technique that turns a hard drive into a weird kind of eavesdropping microphone. “What we do is we pull off those errors from the hard drive, upload it to Shazam, and it tells us what music we’re playing in the room, which is kind of a fun parlor trick,” Fu said,
The Internet of Things could turn such parlor tricks into a serious matter.
Previously: Not even Congress can keep up with IoT security
“Computers have always been vulnerable to these kinds of physical problems since the dawn of computing,” Fu said. “The big thing that’s changing is the degree of connectedness and dependence. … We’re actually automating things with smart thermostats and smart locks to automatically open or close, or turn on heat and things of that nature. We are removing the human from the loop before solving a lot of the security challenges.”
Tufekci said there needs to be a high-level discussion about the “security of things,” ranging from baby monitors to voice-controlled devices.
“I just find it weirdly appalling that we do not have ‘off’ switches for microphones that are physical,” she said. “I just don’t trust any software to be foolproof. … We need to go back to some quite physical solutions.”
Fu said security-conscious consumers — and device manufacturers — might have to be more discriminating about things of the internet.
“Maybe it’s just not a good idea to put a computer in everything unless there’s a good reason,” he said.