Woman Films Her New Internet-Connected Camera Whispering 'Hello' - ExtremeTech


The consumer Internet of Things is a sprawling ecosystem of hardware. For every well-made product, there are a dozen that raise serious concerns about basic security practices, or require the customer to risk paying top dollar for expensive equipment, only to discover it will be shut down one day. There are also vast categories of hardware that offer no appreciable benefit or are thinly-disguised DRM schemes, but for simplicity’s sake we’re sticking to security issues today. Many IoT devices combine the robust security of a broken chainlink fence with the product design skills of a drunken orangutan and leave it to the consumer to pick up the pieces. Even so, this latest exploit sets some kind of record for sheer creepiness.

According to TheNextWeb (via [H]ardOCP), a Dutch woman named Rilana Hamer bought a small Internet-connected camera from a local store, with the goal of keeping an eye on her puppy while she was away from work. “I thought I was going crazy,” Hamer said in a public Facebook post. “I suddenly heard sounds in the living room. I walked up there and saw my camera move.”

The camera, purchased from a discount chain store called Action, apparently claimed to offer password protection to protect its stream from being snooped on. But the implementation was clearly cataclysmically flawed. The person controlling the camera began speaking to her, initially in French. Shocked, she disconnected the device, but later decided to set it up again to see if the same thing would happen twice. Within a minute, it did. Hamer videoed this second conversation on her phone. We’ve embedded the video below; be advised it contains some cursing and may not be workplace-safe depending on your company’s policies:

PLEASE SHARE!!!! For a moment I thought I was going crazy. I come home and do my daily things. Groceries done and just putting them away, singing through the house.. until you suddenly hear something rumbling in the living room. I walked into the living room and saw my camera moving. The camera that I bought about 2 months ago at Action and had standing in my house. You connect it via your WiFi and put the plug in the socket. With a password on it and a secure installation, I could keep an eye on the inside of my little house (I hoped). You can operate it via your phone and can listen in on what is happening in your house. This was perfect, because I had just gotten a puppy that turned everything upside down. The most ideal part was that you can also talk via the webcam and so communicate ideally.. but now, back to my story.. The camera went back and forth.. my phone was lying on the bed and I had no idea what it was doing. Was it updating? Fine.. I turned around and went on unpacking my groceries. Suddenly I hear rumbling.. am I going crazy now?! No.. I walked over, the camera turned toward me and I heard: “Bonjour madame”. I responded, shocked: “hello, is anyone there?”… I moved left and right and the camera turned along with me. “Bonjour madame, tout bien avec vous?” I ran to the camera, pulled out the plug and threw it in a box.. I was full of fear and thought for a moment that I was going crazy. I am being watched, but for how long already? What has that person seen of me? My house, my personal belongings.. during dinner I told this, full of amazement, to a friend of mine, who wondered how this was possible.. we decided to set the camera up 1 more time with the lens facing the wall. Would there be a response? Within 1 minute it happened…
- Hello
- Do you speak French?
Me: sorry?!
- Do you speak French?
Me: no, Englisch!
………
Me: What did you do?
…
- it’d good?
Me: no! Get the fuck out of my house, now! Shut the fuck of!
- (no idea?)
Me: shut the fuck of my house, go away!
- hola senorita!
Me: yes, fuck you!
- ohhhhhhh suck my dick!
We pulled out the plug and put the camera back in the box.. Crying, shaken.. My privacy, my house, my personal things and myself… I am scared.. terrified. Please Action, take this camera out of your range.. please..

Posted by Rilana Hamer on Saturday, September 30, 2017

The voice again greets her in French before switching to Spanish with the aforementioned and deeply creepy “Hola Señorita.” Hamer promptly returned the camera to Action, which states that it’s investigating the situation. “It is being investigated by the supplier,” says Yvette Moll of Action. “The question is whether it’s in the camera or in the wrong use of passwords and Wi-Fi connection.”

Welcome to the Internet of Creepy, Shitty Things

With respect to Action, it’s really not a question of those things at all. No Internet-connected camera with modern security features should allow you to keep a default password like “Admin,” and it shouldn’t accept an insecure network connection by default, either. Modern computer security uses a concept known as defense in depth to guard against the risk of any single attack. Depending on your home network configuration, you may have a cable modem with a built-in firewall, a router with a built-in firewall, and then a PC with its software firewall. You’re also likely running at least one antivirus or spyware scanner, or at the very least have such an application that you trust and scan with periodically. Any well-designed IoT product should be robustly protected from attack, even when it connects to a local network via Wi-Fi.

The fact that the speaker in question spoke French and at least a few words of Spanish as opposed to English or Dutch suggests they aren’t a local, which implies the security in these devices is terrible. The short window of time it took for someone else to connect to the camera when Hamer re-enabled it also suggests the device’s security is third or fourth-rate. Even if Hamer misconfigured the product–something we acknowledge is possible–IoT devices that can be used to monitor a person’s home should be designed to insist on secure settings, save in instances where the end-user deliberately chooses to override them. The alternative is situations like this, where hackers (the term scarcely even seems to apply, given how quickly the camera was controlled) can watch you through your own so-called “smart home” devices.

The problem here, I’d argue, goes beyond the specific security protocols of any single product. Manufacturers have fallen over themselves to push “smart” devices to market, with a heavy emphasis on making those products accessible, as opposed to making them secure. On the one hand, this makes sense. The more secure a product is, the harder it typically is to use, though good UI and strong default choices can bridge the gap here.

But many of these same companies are also interested in extracting useful data from their own devices that they can monetize and sell. Even companies that never attempted to turn a profit on customer data, like Roomba, now plan to do so. This gives companies two reasons to downplay device security: They want to exfiltrate as much data as possible, and they want to make connecting to your internet camera as easy as possible. Both goals are exactly the opposite of what you want a design team to be thinking about when they implement the security on an IoT device.

In the long run, companies are going to have to grapple with this conundrum if they want to build successful IoT products or move the market past niche acceptance. Nobody wants a camera that someone else can take control of without their knowledge or consent. The fact that these people can also speak to unsuspecting users is the deeply creepy icing on this particular awful cake.


https://www.extremetech.com/electronics/257057-woman-films-new-internet-connected-camera-whispering-hola-senorita