A Harvard report no sooner debunked the FBI’s “Going Dark” argument than the U.S. intelligence chief admitted the government might use your “smart” internet-connected devices to spy on you.
U.S. Director of National Intelligence James Clapper testified (pdf):
“Smart” devices incorporated into the electric grid, vehicles—including autonomous vehicles—and household appliances are improving efficiency, energy conservation, and convenience. However, security industry analysts have demonstrated that many of these new systems can threaten data privacy, data integrity, or continuity of services. In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.
Clapper’s prepared testimony about spying via IoT were included in the “Worldwide Threat Assessment of the U.S. Intelligence Community” report (pdf) delivered to the Senate Armed Services Committee on February 9. The Internet of Things was the first topic mentioned under “cyber and technology,” followed by artificial intelligence, although the report notes that the order of topics doesn’t necessarily mean the intelligence community views the topic as the most important.
While this is not the first time an intelligence chief has admitted the potential of spying on people via their internet-connected devices—since CIA Director David Petraeus said the same thing four years ago—the Harvard report pointed out just how widely IoT surveillance could be used.
The report included specific examples of potential surveillance via baby monitors, smart TVs, IP cameras, home automation products such as smart thermostats and smoke detectors, smart toys such as Hello Barbie or Elf on a Shelf, the Amazon Echo, connected cars and smartphones. But there are so many more when you consider fitness trackers, refrigerators, crock-pots, motion detectors, even pregnancy tests—although a fitness tracker might do double-duty as a Reddit user reported that his wife's Fitbit knew she was pregnant before they did.
“Appliances and products ranging from televisions and toasters to bed sheets, light bulbs, cameras, toothbrushes, door locks, cars, watches and other wearables are being packed with sensors and wireless connectivity,” the Harvard report explained. “Law enforcement or intelligence agencies may start to seek orders compelling Samsung, Google, Mattel, Nest or vendors of other networked devices to push an update or flip a digital switch to intercept the ambient communications of a target.”
Could your smart LED bulb be enlisted in the government’s spying machine? Maybe or maybe not, but the U.S. did invoke “national security” to stop Philips from selling the Lumileds LED portion of its company to the Chinese. Those LEDs are used in one of every three cars made in the world, used in TV, mobile device and computer displays, used as a flash for smartphone cameras, and used in general lighting markets.
You’d think if companies adopting encryption by default in smartphones was really a threat to intelligence agencies that the “threat assessment” report would hammer the point home; yet Clapper mentioned encryption just four times in the 29-page report; once was in regard to attackers trying to change source code to break network equipment encryption. “Encrypting” was mentioned regarding ransomware developed by cybercriminals, a topic listed under “nonstate actors.” Violent extremists will “publicize their use of encrypted messaging apps” and terrorists will “take advantage of widely available, free encryption technology, mobile-messaging applications, the dark web, and virtual environments to pursue their objectives.”
However, when describing global threats, FBI Director James Comey did mention the FBI’s inability to crack encryption on a phone belonging to one of the San Bernardino shooters. Comey claimed, “I don’t want a backdoor…I would like people to comply with court orders, and that is the conversation I am trying to have.”
But who needs a back door when you can waltz right in the front door of a home with internet-connected smart devices or home automation? Not much time passes without hearing about some new security flaw in smart devices and how to exploit their protocols to take control of the device or steal information. Even the FBI has warned citizens about IoT risks and “to be aware of IoT vulnerabilities cybercriminals could exploit.” If hackers can exploit those devices, do you really think intelligence agencies can’t already do so?
The ENCRYPT Act
Meanwhile, Reuters reported that the bipartisan legislation “ENCRYPT Act” was introduced to the U.S. House of Representatives. The ENCRYPT Act would “prevent any state or locality from mandating that a ‘manufacturer, developer, seller, or provider’ design or alter the security of a product so it can be decrypted or surveilled by authorities.”
Now, if only manufacturers of internet-connected devices would deploy encryption. It might stop cybercriminals as well as government spies from using our IoT devices against us.