Daily Mail

How criminals could be spying on you – INSIDE your home

. . . through your TV, wi-fi router, baby monitor, even your kettle. And with ever more household devices linked to the web, it’s terrifyingly easy

- by Tom Rawstorne

Midday on an industrial estate in North Yorkshire and a van pulls up outside a furniture-making company to be loaded up ready for a delivery. Meanwhile, 250 miles away in London, workers check the till and stock the shelves at a high-end shop selling cigars and whisky. At much the same time, children emerge from a school in the Midlands, ambling through the playground as they move between lessons.

They may all be mundane, everyday activities, but that makes it all the more chilling. Because these three scenes were recorded on private security cameras at those locations in England, only to end up being streamed, live, via a website in Russia that anyone, anywhere in the world, can access at the click of a button. Around the clock, day and night.

The footage is among that taken from more than 500 sites in the UK — from cameras in businesses, churches and even inside homes.

One stream features four views from a British house labelled as ‘car’, ‘door’, ‘path’ and ‘patio’. Another shows a garden, littered with toys. Recently — via the Russian website — a man could be observed walking along the path by his house, but it could have easily been his kids caught on camera.

Not that he will have known his family’s comings and goings were being broadcast around the world. Because while the cameras were installed to improve security, what they show is how easily modern technology can do the very opposite.

The cameras in question were either not password protected or they used pre-set passwords that are known to hackers. As a result the footage, which is broadcast via the internet, and is meant to be viewed only by the cameras’ owners, can be accessed by anyone with a modicum of technological savvy.

And so it has ended up on one of a number of voyeuristic websites dedicated to collating such footage.

Those whose privacy is being violated had no idea — something that became all too apparent when the Mail informed them. But what is even more worrying is that this is just the tip of the iceberg.

Because like never before, consumers are adopting a new range of technologies that have connectivity to the internet built in to them — the so-called ‘internet of things’.

And these gadgets are now commonplace in our homes. By 2025 it is estimated that globally there will be 75 billion internet-connected items.

Many of these devices are ‘always on’ — monitoring, filming or recording in our homes around the clock. But like webcams and CCTV cameras, their vulnerabilities are now becoming apparent.

As well as exposing our personal data, cyber-criminals are able to take control of these gadgets and use them to launch co-ordinated ‘attacks’ on organisations and infrastructure, flooding them with data.

‘The internet of things is one of the scariest parts of the security landscape at the moment — it is the soft underbelly,’ says Professor Alan Woodward, a cyber-security expert at Surrey University.

‘No one will attack the strongest part of the wall, but the weakest. As a cyber-criminal, why take on something protected, such as a laptop, when you can far more easily attack a fridge or toaster?’

Take a turn around a 21st-century house and it is hard to find a room not touched by technology. Upstairs, for parents wanting to keep an eye on their young children, there is the new generation of baby monitors. These are connected to the web, allowing for remote listening or viewing via smartphone.

There may also be a high-tech soft toy or two — believe it or not, parents and children can use them to send messages to one another.

The landing, meanwhile, is ideal for a smart lightbulb. Connected to the home’s wi-fi, these can be dimmed or their colour changed with the swipe of a smartphone.

Downstairs in the hallway, modern thermostats such as the ‘Hive’ are increasingly popular. These allow homeowners to monitor and change the temperature remotely, rather than having to change the settings manually on a box fixed to the wall.

In the sitting room, smart TVs are commonplace. These are also connected to the internet, so they can stream programmes. Many have a voice-control option, doing away with the need for the remote.

Then there is the new generation of virtual personal assistants, with Amazon’s Echo leading the way.

Echo is a wi-fi-connected, hands-free, smart-speaker fitted with seven sensitive microphones. Sit it on your kitchen table and tell it what you want. In response, it will read out a recipe, check a train time, help with homework or even crack a joke.

It can also connect wirelessly to smart-home appliances to control lights, ovens and security systems without homeowners having to access an app. At its heart is ‘Alexa’, its voice and artificial brain.

As for the kitchen, connected gadgets can include everything from the kettle to the toaster and the fridge. Polish off your last pint of milk or can of beans and a smart-fridge can automatically arrange a grocery delivery to re-stock.

The theory is that these innovations make life easier, more efficient and (when it comes to thermostats and lighting) even save you money.

But at what cost to privacy? Last month, a survey of 15 devices by Which? found that eight were vulnerable to hacking. Having set up a home with gadgets, the consumer group invited a team of security researchers, SureCloud, to hack it.

One of their most disturbing discoveries involved a range of toys by CloudPets. These include cuddly cats, unicorns and bears costing as little as £5.99. Not only could the hackers use the toy to listen to what was going on in the room, they could also use it to send messages.

‘Building on a recently published flaw, SureCloud hacked the toy and made it play its own voice messages,’ Which? reported.

‘While our test was harmless, in the hands of someone with malicious intentions, the same hack could enable a stranger to speak to your children directly from outside your house. To give them instructions, perhaps. Or to ask them to come to the front gate to “meet Daddy”.’

Previously, baby monitors have been accessed in a similar way. Two years ago a nanny in Texas reported how as she changed the nappy of her one-year-old charge she was startled by a man’s disembodied voice talking to her and commenting on her actions. ‘He kept telling me it was a cute baby,’ the woman said. ‘I thought, my goodness, are they watching me right now?’

It turned out that the baby monitor had come with a pre-set password that had not been changed.

That particular issue is a worrying one which homeowners would do well to heed. For example, the Which? investigation exposed a weakness in a Virgin Media router box where the default password had not been changed.

As a result, last month Virgin warned more than 800,000 customers to change their password immediately after the security exercise found that hackers could access and steal their personal details. The fact is that once a cyber-criminal cracks the password to a router, they will have access to the house’s wi-fi network and can control devices that don’t require a password.

Perhaps the most disturbing Which? finding was the ability of hackers to take control of the internet-connected CloudPets toy.

The team found that having taken it over, they could use it to send commands to the Amazon Echo home hub. This included using its ‘voice purchasing’ system to order cat food online.

While Amazon points out that users can switch off the shopping function on the Echo so you can’t make purchases by voice command alone, experts fear such gadgets are obvious targets for hackers.

Dr Jason Nurse, from Oxford University, says crooks could make the devices record all the time — without the owners knowing.

‘They could hear you discussing your holiday plans, so they know when you are away and could burgle you,’ the cyber-security expert recently told the Cheltenham Science Festival.

‘They may hear you buying something on the phone, giving away your credit card details. You should think twice about what you say in front of these devices.’

The ease with which routers and other devices such as smart TVs can be hacked has also been charted in a series of documents leaked by the website Wikileaks.

These suggest they could be — indeed already have been — exploited by domestic and foreign security services. In March, the Wikileaks documents indicated Samsung TVs had allegedly been hacked by MI5 and the CIA so their built-in microphones could be used to monitor suspects. It is alleged MI5 created a ‘fake off-mode’ which let owners think the device was off, when it was actually bugging them through a microphone used in voice-activated control.

Then, last month, a further cache of leaked CIA documents appeared to show the agency has been hacking into people’s wi-fi routers and using them as covert listening points for up to a decade.

The routers could then be used to spy on the activity of internet-connected devices such as smartphones, tablets and computers.

Returning to the Which? investigation, it also found a flaw in home CCTV camera systems, increasingly popular with families who use them to keep an eye on their property when they are out. It said: ‘This is a real privacy concern and we found thousands of similar cameras available for anyone to watch the live feed over the internet. Worse still, the hacker can even pan and tilt the cameras to monitor activity in the house.’

The ease with which these cameras can be compromised matched the Mail’s own investigations.

We accessed a Russia-based website which aggregates footage around the world. It calls itself the world’s largest directory of online surveillance security cameras. In the past it has come under fierce criticism for broadcasting webcam footage that included everything from sex in private homes to children sleeping.

It now claims to filter the footage so that ‘none of the cameras... invade anybody’s private life’. Locations attributed to the cameras, it says, are accurate only ‘to a few hundred miles’.

But in reality it took only minutes to identify a number of firms whose cameras had been compromised. One camera, attached to an exterior wall at the business in North Yorkshire, showed the comings and goings of staff and goods into its workshop.

A reporter was sent to the firm to alert them to what was going on. As he approached the business he could be watched, live, on the website in real-time.

The owner of the business, which the Mail has chosen not to name, said he had no idea that the camera was being used in this way. ‘Obviously it is a massive safety and security concern for us,’ he said. ‘I’m shocked by it really. We will have to sort it out and change the password or something.’

Equally surprised was the company in London selling cigars and whisky. This time the camera was located with a clear view of the till. Again, the firm was completely unaware of the footage.

But CCTV cameras are now just the tip of the iceberg when it comes to connected devices.

Last October, a major cyber offensive used the ‘internet of things’ to target internet giants Twitter, PayPal and Netflix. It is believed the disruption was caused by hackers hijacking hundreds of thousands of internet-connected webcams, baby monitors and cameras, and spreading malicious code to the vulnerable devices. They then used them to swamp websites with so much traffic that they became overwhelmed and froze.

Such attacks can be used to threaten businesses and force them to hand over cash ‘ransoms’.

‘No one is suggesting that hackers will want to break into your toaster or kettle to steal personal data,’ says Professor Woodward.

‘But your internet-connected kettle has quite a lot of processing power in there. So what is happening is they are being co-opted to attack other things. Your kettle could be damaging someone else’s computer without you knowing it.

‘Each gadget might send a small amount of data. But put them all together and it is like insects, it is a swarm, it is overwhelming.’

To protect yourself, Professor Woodward has two bits of advice. First, change the default log-ins and passwords to connected devices. Second, where possible, place sticky tape over cameras and microphones to prevent them recording what you are doing.

Which, for a high-tech problem, is a rather low-tech solution.

Sinister: Footage broadcast online from a baby monitor