3 in 4 Broadband Households to Acquire a Security or Privacy Service in Next 12 Months

A new report by Parks Associates shows that 62% of these U.S. consumers would opt to pay an additional fee for these services.

DALLAS — A large majority of consumers in the United States are expressing greater levels of interest for all types of data privacy and security solutions, according to new research by Parks Associates.

The report, “360 Deep Dive: Consumer Privacy: My Smart Home, My Castle,” found that 75% of heads of U.S. broadband households intend to acquire a security or privacy service in the next 12 months. Almost 40% of these consumers rank receiving these services bundled with their broadband service at no additional charge as most desirable, while the remaining 62% would opt to pay an additional fee for these services, either through a subscription, warranty, or one-time fee.

“Security and privacy services include parental controls, malware detection, and network activity monitoring. While interest is high, consumers still show a reluctance toward recurring fees — only 27% of data security/privacy intenders would opt for a subscription model,” says Lindsay Gafford, research analyst, Parks Associates.

Gafford continues, “The challenges to securing the smart home will intensify as consumers acquire more devices, creating ample business opportunities throughout the value chain for security solution providers. Vendors can differentiate by providing security expertise and flexible solutions that keep pace with changing security requirements.”

With increased device ownership, consumers show greater levels of interest for all types of data privacy and security solutions, though there is a significant deficit between interest and adoption. Among all U.S. broadband households, 63% are interested in a solution preventing identity theft, but only 19% actually use identity theft solutions.

“Consumers are struggling to understand what services are available to them, which service will actually protect their data, and which services fit into their payment preferences,” Gafford explains. “The service potential is immense, and broadband service providers are entering this space by partnering with data security solution providers to provide value-added services for consumers.”

“360 Deep Dive: Consumer Privacy: My Smart Home, My Castle” provides consumer data on current attitudes around data privacy, the value of data, privacy controls, and preferences for how companies collect and manage their data.

Additional results from the study:

  • Nearly 40% of consumers do not take any action to protect themselves from unauthorized access to their connected devices.
  • Only 15% of consumers strongly believe they receive a lot of benefit in sharing access to their data.
  • 63% of U.S. broadband households use at least one data security service for any purpose.

SimpliSafe DIY Security System Can Be Bypassed With $2 Emitter

The $2 wireless emitter fools the SimpliSafe security system by mimicking the frequency of its door and window contact sensors.

   

DIY home security systems continue to soar in popularity. However, they also continue to show why they are not always as reliable as professionally installed security systems.

SimpliSafe, one of the first major DIY security companies, has faced scrutiny over the past several years for vulnerabilities in its smart security system.

In 2016, the SimpliSafe system was found to be “inherently insecure and vulnerable to even a low-level attacker.” Later that year, SSI contributor and forensic alarm expert Jeffrey Zwirn analyzed SimpliSafe’s DIY offering and found disturbing results.

The latest person to find a flaw in the SimpliSafe system is a YouTuber who goes by the name “LockPickingLawyer.” He recently posted a video that demonstrates how the system can be fooled by a $2 wireless emitter that mimics the frequency of its door and window contact sensors.

This is possible because the DIY security system’s base communicates with its sensors on the 433.92 MHz frequency, which is used by many other electronic consumer products.

The system can be fooled by using the emitter at the same time as opening a door or window (breaking the contact of the sensors). The emitter is apparently powerful enough to block the sensor’s communication back to the base, preventing the alarm from sounding.

However, if the emitter is close enough to the alarm base, the end user will be notified of wireless interference. You can watch the demonstration in the video above.

Tech website The Verge reported on this video and received the following response from SimpliSafe:

The video is misleading, and it doesn’t apply to how security systems work in real life.

As the video demonstrates, SimpliSafe systems are engineered to detect this kind of interference.

In this video, the videomaker finds a precise frequency, signal strength, and orientation of system components in which they can thread the needle of blocking system communication without triggering an alert.

In real life, this is unlikely. Because signal strength degrades unpredictably depending on distance and landscape, it would be very difficult for anyone to hit on the “right” strength without triggering an alert.

In addition, the setup the videomaker demonstrates (in which the sensors, base, keypad and “jammer” are all close together) does not resemble the setup of an actual home. In other words, prior knowledge of the layout of the motion sensors, door sensors and base station in the customer’s home and a rehearsal of how to move about the home would be necessary to confidently select a strength that will both jam and not be detected. In order for a real bad actor to effectively interfere with the system in this way, they would likely have to already be inside the home and have had ample practice.

We take very seriously anything that might interfere with our mission of keeping every home secure. We have the ability to tune the detection parameters and regularly release security and usability updates, making it increasingly difficult for anyone to use this type of attack.

The Verge then reached out to LockPickingLawyer to get his comment on SimpliSafe’s statement. He says he didn’t have to tune the $2 device in any way to get it to reliably bypass the alarm system and it was able to do it right out of the box. He also said it sometimes triggered an interference notification, though never an alarm.

He said:

The farthest from the base station I tested was about 60 feet (through two walls), and it worked the same as shown in my video.

SimpliSafe takes issue with the system components being arranged close together during the video. That was a necessity of filmmaking, not a physical limit of the exploit. In my testing, I carried sensors away from the base station to the far reaches of my home, then conducted the same tests with the same device and obtained the same results. If anything, testing at realistic distances showed a more significant problem insofar as the SimpliSafe system was less likely to detect the interference.

SimpliSafe’s other criticism is that someone would need prior knowledge of the system’s arrangement to avoid the detection of interference. The company is attacking a straw man. What is necessary to avoid detection of this exploit was outside the scope of my testing. In fact, my video explicitly notes that SimpliSafe may detect the interference. Detection of interference, however, never triggered an alarm in my testing. It only sent an “alert” that the resident may or may not investigate. As such, my video specifically advised owners of this system to take these alerts seriously regardless of how many prior alerts they’ve received as a result of non-malicious interference. It’s also important to note that if the system owner doesn’t have security cameras with which to investigate, the alert is of very limited usefulness. This is why I recommend the system be used in conjunction with security cameras.

As more DIY solutions hit the market, it’s important for security professionals to educate consumers about the dangers of going DIY. Though no solution is 100% bulletproof, it is important to choose a solution that can’t be compromised with something as simple as a $2 wireless emitter.

Alerts from Amazon Ring are often false alarms

www.cnet.com
Residents with Ring doorbells have been frequently pinging police with footage that doesn’t contain any crimes. Chris Monroe/CNET

In May, police in Hammond, Indiana, got a suspicious-person alert from a concerned resident. She could see a man, she told officers, through her Ring smart doorbell.

The resident had already sent police another message, along with footage from her internet-connected video doorbell, about an earlier incident. Now the resident was even more frightened, having watched a new incident unfold on her phone through a live feed from her Ring app.

She sent police the video recorded from the doorbell. Police immediately knew the man wasn’t a criminal.

“It was one of our detectives. He was going there to interview the person for whatever the situation was,” said Steve Kellogg, a public information officer for Hammond Police, adding that the cop was wearing plain clothes but had a badge around his neck. The badge was out of the Ring camera’s line of sight, but the resident would have spotted it immediately had she gone to the door, the officer added.

“He’s clearly on the camera saying he’s with the police department,” Kellogg said.

The incident is among the growing number of false alarms involving Ring cameras, which have spread around the country as police departments partner with Amazon’s smart doorbell company. False alarm calls are nothing new, but police say the Ring doorbells make it easier for citizens to report anything they find suspicious and send video for law enforcement to review.

Ring and police have promoted these partnerships on social media, often demonstrating their value by highlighting incidents in which Ring has stopped package thefts.

“The more people involved in your neighborhood watch, the safer our neighborhoods become,” Ring says on its website. “Ring connects citizens with each other and local law enforcement to make a true impact on your community.”

Ring’s limitations, however, aren’t prominently featured.

In towns where police have signed up for Ring, officers told CNET that having the extra sets of eyes in neighborhoods doesn’t mean the police are solving more crimes. In some cases, it simply means there’s more worry among residents.

At the International Association of Chiefs of Police conference in May, police from Chandler, Arizona, said apps like Ring’s Neighbors have prompted residents to believe crime is prevalent even though violent crime is at historic lows in the city, according to notes provided by Dave Maass, a senior investigative researcher at the Electronic Frontier Foundation, who attended the conference.

“Once you start having all of these cameras and start linking them to automatic notifications, the public may get the sense that crime is on the rise when it actually isn’t,” Maass said.

Detective Seth Tyler, a Chandler police public information officer, told CNET that the department has received an average of two alerts a day from residents through the Neighbors app since the department partnered with Ring in April. Typically, the footage is of cars driving in neighborhoods, people walking or strangers at doorsteps, Tyler said. These aren’t crimes, but Chandler police will still investigate those leads, the officer said.

“Some people are better than others at determining crimes,” Tyler said. “But from our perspective, I can tell you that we would be more than happy to investigate all of those.”

The department’s crime prevention unit has three officers responsible for watching footage from Ring’s app and investigating leads. Last December, Ring CEO Jamie Siminoff and Neighbors general manager Eric Kuhn told CNET that roughly one in three posts shows crimes or public safety issues. About 65 percent of posts on Neighbors are “suspicious behavior” or solicitors and strangers on people’s property.

“Ring is proud of how engaged our users are within their communities, which includes alerting local law enforcement if something seems out of the ordinary,” a Ring spokesperson said in a statement. “Reaching out to local law enforcement for help is exactly what the public has been taught to do and gives local law enforcement the chance to decide if further action is needed. This is a key part of the community’s relationship with law enforcement, and that is not exclusive to owning a Ring device or engaging on the Neighbors app.”

Amazon doesn’t disclose how many police departments it works with, but a CNET investigation found more than 50 law enforcement agencies had developed relationships with the Ring business over the last two years. Fight for the Future, a tech-focused nonprofit, has created an interactive map to identify where police have partnered with Ring. Motherboard reported that Ring told police it’s partnered with 200 law enforcement agencies in the US.

Amazon purchased Ring in 2018 for $839 million, according to SEC filings. At the time, analysts forecast that more than 3.4 million video doorbells would be sold that year.

Some Ring true

Not all calls to Ring are false alarms.

The cameras have helped solve plenty of crimes, including a double homicide in Gary, Indiana. Prosecutors in a murder case in Texas used Ring footage to show an alleged killer entering a home. In Bloomfield, New Jersey, an entire town covered in Ring cameras, the system has helped solve an armed robbery as well as car thefts, according to Capt. Vince Kerney, Bloomfield’s detective bureau commander.

Still, there’s often more footage of innocent behavior than there is of actual crime, police say.

Kerney recalls an incident in which his department received footage from four homes about a truck suspected of following a child around. They were able to identify the truck based on the video provided. After investigation, it turned out to be a false alarm.

“There was no crime that was being committed. It was just a coincidence that this person pulled over in front of a kid, and he got scared and ran away,” Kerney said.

It’s unclear how many false alarms have been sent to police. Amazon doesn’t provide overall statistics on usage of the device.

In February, The Outline detailed an incident in which a resident called police after seeing footage of someone walking through her front door in California. The dispatcher helped the caller realize she was watching footage of herself entering her home.

Though Ring has helped police solve some crimes, it’s unclear if the technology has any significant effect on crime rates. Amazon says it does, citing a 2015 pilot program in Los Angeles that found Ring doorbells helped to more than halve burglaries. Last October, MIT Technology Review looked at crime data and found the study wasn’t as accurate as its authors claimed.

In some cases, police don’t get information from Ring or Neighbors quickly enough to be useful. In Hampton, Virginia, police put out an alert for a missing person on Neighbors, asking residents to send any footage they could. The missing person was found before any footage was received, police said.

More footage, more problems

In March, Eric Piza, an associate professor at the John Jay College of Criminal Justice, released a study that found surveillance cameras were mostly effective when they were being actively monitored. They did little to reduce crime rates if police were receiving footage after an incident.

With Ring, police are receiving even more footage, and Piza found that officers often don’t have resources dedicated to watching it all.

“What my research has found is that police can have too many videos to actively monitor,” he said. “If police plan on integrating Ring footage into their operation, technology requires manpower to be effectively used.”

Because Ring partnerships give citizens a direct line to police through the Neighbors app, Piza is concerned about overreporting of innocuous activities. In February, Motherboard reviewed more than 100 Neighbors posts, the majority of which were reports of people of color going about daily life.

Often, the footage simply captures people walking through a neighborhood. They aren’t engaged in any activity that could be considered suspicious, Piza said.

Ring’s relationship with police has created more cameras in residential neighborhoods and more opportunities to find footage to solve crimes, but it’s also opened up the pipeline for unfounded concerns.

“We’ve seen from research that people are not the best judges of criminal behavior,” Piza said. “Especially recently, with white citizens reporting black citizens for innocent and innocuous behavior.”

Vivint’s Solicitation Permit Revoked in N.C. Town After Breaking Door-Knocking Rules

Huntersville, N.C. police say residents complained about Vivint door-knockers “being pushy, argumentative, sometimes cursing and coming late at night.”

HUNTERSVILLE, N.C. — Door knockers present a bit of a quandary for the security industry. On one hand, door-to-door sales can be an effective marketing tool. On the other, a public nuisance.

Huntersville police have kicked Vivint door-to-door salespeople out of the town after hearing complaints from residents.

“We received a lot of complaints from residents throughout Huntersville about them being pushy, argumentative, sometimes cursing and coming late at night,” Officer Odette Saglimbeni told WBTV.

Huntersville Police say they ran background checks on the employees who would be soliciting in the town when Vivint applied for the solicitation permit.

The permit was granted after everything came back okay. The permit was issued with the understanding that the workers would operate under the usual door-knocking parameters, including a town ordinance that bans soliciting between 8 p.m. and 7 a.m.

However, police say the workers broke the rules within two weeks. Because issues persisted, even after being warned, police decided to revoke the solicitation permit.

“If they’re being pushy and argumentative causing an issue with residents that’s not what we want. If they want to go out there and solicit business that’s fine but they need to do it in a professional manner that does not cause people to be concerned, doesn’t scare people or feel like they’re being pressured,” says Saglimbeni. “We felt that there were enough complaints and they were pretty consistent with everybody that was complaining that they were being pushy, argumentative, and trying to get into homes, not leaving when asked to leave – so we felt best interest of the public we should revoke that permit.”

How Nest, designed to keep intruders out of people’s homes, effectively allowed hackers to get in

Reed Albergotti, The Washington Post

Tara Thomas thought her daughter was just having nightmares. “There’s a monster in my room,” the almost-3-year-old would say, sometimes pointing to the green light on the Nest Cam installed on the wall above her bed.

Then Thomas realized her daughter’s nightmares were real. In August, she walked into the room and heard pornography playing through the Nest Cam, which she had used for years as a baby monitor in their Novato, California, home. Hackers, whose voices could be heard faintly in the background, were playing the recording, using the intercom feature in the software. “I’m really sad I doubted my daughter,” she said.

Though it would be nearly impossible to find out who was behind it, a hack like this one doesn’t require much effort, for two reasons: Software designed to help people break into websites and devices has gotten so easy to use that it’s practically child’s play, and many companies, including Nest, have effectively chosen to let some hackers slip through the cracks rather than impose an array of inconvenient countermeasures that could detract from their users’ experience and ultimately alienate their customers.

The result is that anyone in the world with an internet connection and rudimentary skills has the ability to virtually break into homes through devices designed to keep physical intruders out.

As hacks such as the one the Thomases suffered become public, tech companies are deciding between user convenience and potential damage to their brands. Nest could make it more difficult for hackers to break into Nest cameras, for instance, by making the log-in process more cumbersome. But doing so would introduce what Silicon Valley calls “friction” – anything that can slow down or stand in the way of someone using a product.

At the same time, tech companies pay a reputational price for each high-profile incident. Nest, which is part of Google, has been featured on local news stations throughout the country for hacks similar to what the Thomases experienced. And Nest’s recognizable brand name may have made it a bigger target. While Nest’s learning thermostats are dominant in the market, its connected security cameras trail the market leader, Arlo, according to Jack Narcotta, an analyst at the market research firm Strategy Analytics. Arlo, which spun out of Netgear, has around 30 percent of the market, he said. Nest is in the top five, he said.

Nik Sathe, vice president of software engineering for Google Home and Nest, said Nest has tried to weigh protecting its less security-savvy customers while taking care not to unduly inconvenience legitimate users to keep out the bad ones. “It’s a balance,” he said. Whatever security Nest uses, Sathe said, needs to avoid “bad outcomes in terms of user experience.”

Google spokeswoman Nicol Addison said Thomas could have avoided being hacked by implementing two-factor authentication, where in addition to a password, the user must enter a six-digit code sent via text message. Thomas said she had activated two-factor authentication; Addison said it had never been activated on the account.

The method used to spy on the Thomases is one of the oldest tricks on the Internet. Hackers essentially look for email addresses and passwords that have been dumped online after being stolen from one website or service and then check to see whether the same credentials work on another site. Like the vast majority of Internet users, the family used similar passwords on more than one account. While their Nest account had not been hacked, their password had essentially become public knowledge, thanks to countless other data breaches.

In recent years, this practice, which the security industry calls “credential stuffing”, has gotten incredibly easy. One factor is the sheer number of stolen passwords being dumped online publicly. It’s difficult to find someone who hasn’t been victimized. (You can check for yourself here.)

A new breed of credential-stuffing software programs allows people with little to no computer skills to check the log-in credentials of millions of users against hundreds of websites and online services such as Netflix and Spotify in a matter of minutes. Netflix and Spotify both said in statements that they were aware of credential stuffing and employ measures to guard against it. Netflix, for instance, monitors websites with stolen passwords and notifies users when it detects suspicious activity. Neither Netflix nor Spotify offers two-factor authentication.

But the potential for harm is higher for the 20 billion Internet-connected things expected to be online by next year, according to the research firm Gartner. Securing these devices has public safety implications. Hacked devices can be used in large-scale cyberattacks such as the “Dyn Hack” that mobilized millions of compromised “Internet of things” devices to take down Twitter, Spotify and others in 2016.

In January, Japanese lawmakers passed an amendment to allow the government to essentially do what hackers do and scour the Internet for stolen passwords and test them to see whether they have been reused on other platforms. The hope is that the government can force tech companies to fix the problem.

Security experts worry the problem has gotten so big that there could be attacks similar to the 2016 Dyn hack, this time as a result of a rise in credential stuffing.

“They almost make it foolproof,” said Anthony Ferrante, the global head of cybersecurity at FTI Consulting and a former member of the National Security Council. He said the new tools have made it even more important to stop reusing passwords.

Tech companies have been aware of the threat of credential stuffing for years, but the way they think about it has evolved as it has become a bigger problem. There was once a sense that users should take responsibility for their security by refraining from using the same password on multiple websites. But as gigantic dumps of passwords have gotten more frequent, technology companies have found that it is not just a few inattentive customers who reuse the same passwords for different accounts – it’s the majority of people online.

Credential stuffing is “at the root of probably 90 percent of the things we see happening,” said Emmanuel Schalit, chief executive of Dashlane, a password manager that allows people to store unique, random passwords in one place. Only about 1 percent of Internet users, he said, use some kind of password manager.

“We saw this coming in late 2017, early 2018 when we saw these big credential dumps start to happen,” Google’s Sathe said. In response, Nest says it implemented some security measures around that time.

It did its own research into stolen passwords available on the Web and cross-referenced them with its records, using an encryption technique that ensured Nest could not actually see the passwords. In emails sent to customers, including the Thomases, it notified customers when they were vulnerable. It also tried to block log-in attempts that veered from the way legitimate users log into accounts. For instance, if a computer from the same Internet-protocol address attempted to log into 10 Nest accounts, the algorithm would block that address from logging into any more accounts.
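The per-address lockout described above, sketched as an added example (this is not Nest's code and not part of the original article): it counts the distinct accounts each source IP tries to log into and blocks the address once it reaches for an account beyond the tenth. The log format, the one-hour counting window, the "accounts to review" report and all names are assumptions; the sample events are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_ACCOUNTS_PER_IP = 10        # threshold quoted in the article
WINDOW = timedelta(hours=1)     # assumption: the article gives no time window
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class IpState:
    # (timestamp, account) pairs still inside the counting window
    attempts: deque = field(default_factory=deque)
    blocked: bool = False


class AccountFanoutLimiter:
    """Blocks a source IP that tries to log into too many distinct accounts."""

    def __init__(self, max_accounts=MAX_ACCOUNTS_PER_IP, window=WINDOW):
        self.max_accounts = max_accounts
        self.window = window
        self.state = defaultdict(IpState)

    def allow(self, ts, ip, account):
        st = self.state[ip]
        if st.blocked:
            return False
        # Forget attempts that have aged out of the window.
        while st.attempts and ts - st.attempts[0][0] > self.window:
            st.attempts.popleft()
        seen = {acct for _, acct in st.attempts}
        # Repeated logins to already-seen accounts (a household with two
        # users) never trip the limit; only a new account beyond the cap does.
        if account not in seen and len(seen) >= self.max_accounts:
            st.blocked = True
            return False
        st.attempts.append((ts, account))
        return True


def build_sample_log():
    """Constructed sample: one address sweeping 12 accounts, one normal home."""
    base = datetime(2019, 4, 1, 10, 0, 0)
    lines = []
    for i in range(12):
        ts = base + timedelta(seconds=5 * i)
        outcome = "OK" if i == 3 else "FAIL"   # one reused password works
        lines.append(f"{ts.strftime(TS_FORMAT)} 203.0.113.7 "
                     f"user{i:02d}@example.com {outcome}")
    for i in range(15):
        ts = base + timedelta(minutes=3 * i)
        who = "alice" if i % 2 == 0 else "bob"
        lines.append(f"{ts.strftime(TS_FORMAT)} 198.51.100.20 "
                     f"{who}@example.com OK")
    return sorted(lines)            # ISO timestamps sort chronologically


def replay(lines):
    """Feed log lines through the limiter and summarise what it did."""
    limiter = AccountFanoutLimiter()
    rejected = defaultdict(int)
    successes = defaultdict(set)
    for line in lines:
        ts_text, ip, account, outcome = line.split()
        ts = datetime.strptime(ts_text, TS_FORMAT)
        if not limiter.allow(ts, ip, account):
            rejected[ip] += 1
            continue
        if outcome == "OK":
            successes[ip].add(account)
    blocked = sorted(ip for ip, st in limiter.state.items() if st.blocked)
    # Accounts that logged in successfully from an address that was later
    # blocked are candidates for a forced password change.
    review = sorted({a for ip in blocked for a in successes[ip]})
    return {"blocked_ips": blocked,
            "rejected": dict(rejected),
            "accounts_to_review": review}


if __name__ == "__main__":
    print(replay(build_sample_log()))
```
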

But Nest’s defenses were not good enough to stop several high-profile incidents throughout last year in which hackers used credential stuffing to break into Nest cameras for kicks. Hackers told a family in a San Francisco suburb, using the family’s Nest Cam, that there was an imminent missile attack from North Korea. Someone hurled racial epithets at a family in Illinois through a Nest Cam. There were also reports of hackers changing the temperature on Nest thermostats. And while only a handful of hacks became public, other users may not even be aware their cameras are compromised.

The company was forced to respond. “Nest was not breached,” it said in a January statement. “These recent reports are based on customers using compromised passwords,” it said, urging its customers to use two-factor authentication. Nest started forcing some users to change their passwords.

This was a big step for Nest, because it created the kind of friction that technology companies usually try to avoid. “As we saw the threat evolve, we put more explicit measures in place,” Sathe said. Nest says only a small percentage of its millions of customers are vulnerable to this type of attack.

According to at least one expert, though, Nest users are still exposed. Hank Fordham, a security researcher, sat in his Calgary, Alberta, home recently and opened up a credential-stuffing software program known as Snipr. Instantly, Fordham said, he found thousands of Nest accounts that he could access. Had he wanted to, he would have been able to view cameras and change thermostat settings with relative ease.

While other similar programs have been around for years, Snipr, which costs $20 to download, is easier to use. Snipr provides the code required to check whether hundreds of the most popular platforms, from League of Legends to Netflix, are accessible with a bunch of usernames and passwords – and those have become abundantly available all over the Internet.

Fordham, who had been monitoring the software and testing it for malware, noticed that after Snipr added functionality for Nest accounts last May, news reports of attacks started coming out. “I think the credential-stuffing community was made aware of it, and that was the dam breaking,” he said.

Nest said the company had never heard of Snipr, though it is generally aware of credential-stuffing software. It said it cannot be sure whether any one program drives more credential stuffing toward Nest products.

What surprises Fordham and other security researchers about the vulnerability of Nest accounts is the fact that Nest’s parent company, Google, is widely known for having the best methods for stopping credential-stuffing attacks. Google’s vast user base gives it data that it can use to determine whether someone trying to log into an account is a human or a robot.

The reason Nest has not employed all of Google’s know-how on security goes back to Nest’s roots, according to Nest and people with knowledge of its history. Founded in 2010 by longtime Apple executive Tony Fadell, Nest promised at the time that it would not collect data on users for marketing purposes.

In 2013, Nest was acquired by Google, which has the opposite business model. Google’s products are free or inexpensive and, in exchange, it profits from the personal information it collects about its users. The people familiar with Nest’s history said the different terms of service and technical challenges have prevented Nest from using all of Google’s security products. Google declined to discuss whether any of its security features were withheld because of incompatibility with Nest’s policies.

Under Alphabet, Google’s parent company, Nest employed its own security team. While Google shared knowledge about security with its sister company, Nest developed its own software. In some ways, Nest’s practices appear to lag well behind Google’s. For instance, Nest still uses SMS messages for two-factor authentication. Using SMS is generally not recommended by security experts, because text messages can be easily hijacked by hackers. Google allows people to use authentication apps, including one it developed in-house, instead of text messages. And Nest does not use ReCaptcha, which Google acquired in 2009 and which can separate humans from automated software, like what credential stuffers use to identify vulnerable accounts.

Sathe said Nest employed plenty of advanced techniques to stop credential stuffing, such as machine learning algorithms that “score” log-ins based on how suspicious they are and block them accordingly. “We have many layers of security in conjunction with what the industry would consider best practices,” he said.

When asked why Nest does not use ReCaptcha, Sathe cited difficulty in implementing it on mobile apps, and user convenience. “Captchas do create a speed bump for the users,” he said.
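The log-in "scoring" Sathe describes, reduced to a single signal, as an added example that is not Nest's code or part of the original article: each attempt is scored by how many different accounts the same source address tried, and how often it failed, in the preceding window. The thresholds, weights, names and log entries are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# All values below are assumed for illustration, not taken from any vendor.
WINDOW_SECONDS = 300   # look-back per source address
USER_SPREAD_CAP = 5    # extra distinct accounts at which "spread" saturates
CHALLENGE_AT = 0.60    # score that triggers a second factor or captcha
BLOCK_AT = 0.85        # score at which the attempt is refused


@dataclass(frozen=True)
class LoginEvent:
    ts: int     # seconds (constructed timestamps)
    ip: str     # source address
    user: str   # account name submitted
    ok: bool    # whether the password matched


def decide(events):
    """Score each attempt from what the same source did in the window before it.

    Returns a list of (event, score, action) tuples in time order.
    """
    history = defaultdict(deque)
    decisions = []
    for ev in sorted(events, key=lambda e: e.ts):
        seen = history[ev.ip]
        # Drop attempts that have aged out of the window.
        while seen and ev.ts - seen[0].ts > WINDOW_SECONDS:
            seen.popleft()
        # Spread: how many accounts beyond the first this source has touched.
        users = {h.user for h in seen} | {ev.user}
        spread = min(1.0, (len(users) - 1) / USER_SPREAD_CAP)
        # Failure ratio uses prior outcomes only; the current one is unknown
        # at decision time.
        fail_ratio = sum(not h.ok for h in seen) / len(seen) if seen else 0.0
        score = round(0.6 * spread + 0.4 * fail_ratio, 2)
        if score >= BLOCK_AT:
            action = "block"
        elif score >= CHALLENGE_AT:
            action = "challenge"
        else:
            action = "allow"
        decisions.append((ev, score, action))
        seen.append(ev)
    return decisions


def actions_for(decisions, ip):
    """Actions taken for one source address, in time order."""
    return [action for ev, _, action in decisions if ev.ip == ip]


# Constructed sample: one source walking a list of accounts (the last attempt
# is a reused password that would have matched), and one household where a
# user mistypes twice before a second family member logs in.
STUFFING = [
    LoginEvent(1000 + 10 * i, "203.0.113.7", f"user{i:02d}@example.com", i == 5)
    for i in range(6)
]
HOUSEHOLD = [
    LoginEvent(1005, "198.51.100.20", "dana@example.com", False),
    LoginEvent(1015, "198.51.100.20", "dana@example.com", False),
    LoginEvent(1030, "198.51.100.20", "dana@example.com", True),
    LoginEvent(1100, "198.51.100.20", "eli@example.com", True),
]
CONSTRUCTED_LOG = STUFFING + HOUSEHOLD

if __name__ == "__main__":
    for ev, score, action in decide(CONSTRUCTED_LOG):
        print(f"{ev.ts} {ev.ip:15} {ev.user:20} score={score:.2f} {action}")
```

The household's mistyped passwords stay below the challenge threshold, while the account-walking source is challenged by its third attempt and blocked before the attempt that carried a valid reused password.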

The person behind Snipr, who goes by the name “Pragma” and communicates via an encrypted chat, put the blame on the company. “I can tell you right now, Nest can easily secure all of this,” he said when asked about whether his software had enabled people to listen in and harass people via Nest cams. “This is like stupidly bad security, like, extremely bad.” He also said he would remove the capability to log into Nest accounts, which he said he added last May when one of his customers asked for it, if the company asked. Pragma would not identify himself, for fear of getting in “some kind of serious trouble.”

That’s when Fordham, the Calgary security researcher, became concerned. He noticed the addition of Nest on the dashboard and took it upon himself to start warning people who were vulnerable. He logged into their Nest cams and spoke to them, imploring them to change their passwords. One of those interactions ended up being recorded by the person on the other end of the camera. A local news station broadcast the video.

Fordham said he is miffed that it is still so easy to log into Nest accounts. He noted that Dunkin’ Donuts, after seeing its users fall victim to credential-stuffing attacks aimed at taking their rewards points, implemented measures, including captchas, that have helped solve the problem. “It’s a little alarming that a company owned by Google hasn’t done the same thing as Dunkin’ Donuts,” Fordham said.

A spokeswoman for Dunkin’ declined to comment.

According to people familiar with the matter, Google is in the process of converting Nest user accounts so that they utilize Google’s security methods via Google’s log-in, in part to deal with the problem. Addison said that Nest user data will not be subject to tracking by Google. She later said that she misspoke but would not clarify what that meant.

Knowing that the hack could have been stopped with a unique password or two-factor authentication has not made Thomas, whose daughter’s camera was hacked, feel any better. “I continuously get emails saying it wasn’t their fault,” she said.

She unplugged the camera and another one she used to have in her son’s bedroom, and she doesn’t plan to turn them on again: “That was the solution.”

Resolving Smart Home Device Problems: Growing Opportunity for Support Services

There is a growing opportunity open for security integrators to address the support needs of connected consumers and their smart home devices.

As the connected home ecosystem continues to grow and the technical complexity of broadband households increases, the technical support needs of consumers change. Currently consumers own an average of 10.5 connected devices, including an average of 1.4 smart home devices.

Smart thermostats and smart security cameras lead the smart home market in reported adoption, with 11% of US broadband households owning a smart thermostat and 10% owning a smart camera.

With these connected devices come technical issues, and consumers take a range of actions after experiencing problems. These actions include seeking to resolve the problem, either on their own or with professional help, as well as returning or replacing the device.

Self-Help versus Professional Support

Among self-help support options, consumers are slightly less likely to use self-help applications on their devices than other support resources. This is likely driven by lower availability of the self-help applications compared to other self-help resources.

Among professional support resources, consumers are least likely to email a device manufacturer or contact an independent support provider. Compared to other resources, email is a less popular means of support, especially for computing device owners.

Ultimately, the decision to use self-help versus professional support resources will depend on competence and convenience.

  • Competence – Consumer familiarity with devices in the market helps to drive perceived competence.
  • Convenience – Seeking professional support, via phone, in-store services, or even a truck roll, can be inconvenient regardless of the channel. Consumers can be frustrated by long wait times to connect to remote support services through the phone or chatbots. Also inconvenient are trekking to a store for in-store support and scheduling a time for a tech to provide support at home.

The most extreme option, from an industry perspective, is to return or replace the device, but this is generally the least likely option, although consumers are slightly more likely to return smart home devices than computing or entertainment products.

Consumers are more familiar with the latter, more mature category of products and more likely to consider them essential. One in five consumers who found the smart home device setup process “very” difficult returned their device, so product returns are a threat to industry growth for the smart home.

As the smart home industry increases market penetration rates, minimizing product returns will be critical, and doing so will require increasing consumer perceptions of product familiarity and convenience when setting up, using, and troubleshooting these devices.

Premium Support

Just over one-half of smart home device problems resolved by a professional technician are resolved for free. This represents a slight increase over the past year and corresponds with a significant decrease in the percentage of consumers covering the cost of services using one-time fees.

The falloff in one-time fee payments also corresponds with a slight increase in the percentage paying for services with an existing support and warranty service.

Traditionally, companies offering premium support services for smart home devices, such as HelloTech and Amazon Home Services, did so for one-time fees. However, existing subscription support service providers — including Best Buy (Geek Squad) and Verizon — have expanded their device coverage to include smart home devices.

Support Subscriptions

While adoption of premium technical support services experienced slight growth in 2016, adoption has remained fairly constant over the past few years. Approximately 20% of broadband households report having a technical support subscription. The primary factors influencing adoption in the US market are as follows:

Top 4 Barriers

  1. Increasing device reliability – Just over 40% of consumers who do not have a technical support subscription report that they have not subscribed to a service because their devices usually perform well. If consumers perceive that they will not need support, it is highly unlikely that they will pay monthly or yearly for a support subscription.
  2. Consumer ability and desire to resolve technical problems – More than half of the technical problems consumers encountered with their devices over the past year were resolved without professional help. Among consumers who do not have technical support subscriptions, approximately one quarter report that they do not have a service because they do not need help resolving technical problems.
  3. Lower-cost technology – Given that the cost of consumer technology is declining, some consumers may choose to replace a problematic device, rather than acquire a subscription service to resolve its problems.
  4. Consumer preference to pay when they have a problem – When given the option to pay for technical support services per incident or use a monthly or annual fee, the majority of consumers (70%) prefer to pay for each incident. More than 40% of consumers who do not have a technical subscription report that they do not have one because they prefer to pay for technical support services only when they encounter a problem.

Top 5 Drivers

  1. Increasing technical complexity in the home – As consumers attempt to enable complex use cases within the smart home, interoperability issues can emerge, prompting the desire/need for support subscriptions.
  2. Connectivity issues – Maintaining reliable WiFi connectivity throughout the home is complex, and monitoring is required to prevent service interruptions.
  3. Device innovation and emerging devices – Consumers’ lack of familiarity with new products drives enablement support needs, including assistance with product setup and use.
  4. More devices in the home – Consumers with more devices in the home experience more technical problems on average, making them more likely to acquire a support subscription.
  5. Increased security concerns – Nearly two-thirds of broadband households report concerns about security and privacy when using their connected devices. Protecting consumers from ongoing threats requires ongoing monitoring – a model best served by a subscription service.

The market for support subscriptions remains fairly fragmented. A number of consumer technology brands, including security software companies and independent companies like HelloTech, are each capturing a small share.

With the increasingly competitive market for consumer technology products and services, providing robust technical support services is a competitive differentiator. There is a growing opportunity open to all players to address the support needs of connected consumers, and the smart home industry in particular is making investments in technical support resources.

  • Ayla Networks, a proven smart home platform offering Cloud services to smart home device manufacturers, recently partnered with PlumChoice to offer enhanced technical support services to its device manufacturer partners.
  • Puls Technologies, a San Francisco-based company providing smart home support, recently received $50 million in funding, an indication of an anticipated need for support services in the industry.

The consumer decision process regarding support solutions in the face of device problems depends on their perceptions of the devices and the convenience of the available options. As the number of services increases, consumers will have multiple options to choose from, so convenience will be a key factor in determining their success. Support services with intuitive self-help solutions, which can be scaled up to more robust and engaging services when necessary, will find a receptive customer base among today’s smart home households.

Lowe’s to Shut Down Iris Smart Home Platform After Failure to Sell Off the Business

Lowe’s will shut down the Iris smart home platform on March 31, but allow customers to be reimbursed for certain devices.

MOORESVILLE, N.C. – Well, you can’t say they didn’t give it the ol’ college try. After failing to find a new owner for its Iris smart home business last fall, Lowe’s has announced it will shut the platform on March 31, according to an email sent to subscribers last Thursday.

Customers with eligible products that exclusively work on the Iris platform are able to redeem them for a prepaid VISA gift card. So if a device works with Iris in addition to another hub, such as SmartThings, you’re out of luck. Customers also no longer have to pay for the service and can use it until their account is deactivated.

Considering there’s nothing worse than investing money in a platform only for it to shut down and leave users with useless devices, this isn’t a terrible deal.

A Lowe’s spokesperson told Digital Trends, “After carefully evaluating a range of options, the decision was made to shut down the Iris platform once it was determined that none of the alternatives would allow Iris to continue to deliver the experience our customers have come to expect of us. Lowe’s remains committed to carrying the breadth and depth of smart home products and brands to meet our customers’ needs now and in the future.”

“5 minutes of sheer terror”: Hackers infiltrate East Bay family’s Nest surveillance camera, send warning of incoming North Korea missile attack

www.mercurynews.com

 

ORINDA — Laura Lyons was preparing food in her kitchen Sunday when the lazy afternoon took a turn for the absurd. A loud squawking — similar to the beginning of an emergency broadcast alert — blasted from the living room, the Orinda mother said, followed by a detailed warning of three North Korean intercontinental ballistic missiles headed to Los Angeles, Chicago and Ohio.

“It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate,” Lyons said Monday. “It sounded completely legit, and it was loud and got our attention right off the bat. … It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on.”

Lyons and her husband stood slack-jawed in the living room, terrified but also confused because the television continued airing the NFC Championship football game. As their scared 8-year-old son crawled underneath the rug, the couple realized the apocalyptic warning came from their Nest security camera atop their living room television.

After many panicked minutes and phone calls to 911 and to Nest, the couple learned they likely were the victims of a hacker. And that panic turned to anger when they found out that Nest knew that there had been a number of such incidents — none involving nuclear strike scenarios — but failed to alert customers. Lyons said a Nest supervisor told them Sunday they likely were the victims of a “third party hack” that gained access to their camera and its speakers. The company did not return a request for comment Monday.

The Lyons are not alone.

Reports from across the country indicate a growing problem of hackers accessing the WiFi-enabled cameras from Nest and other similar companies. In December, a Houston couple rushed to their infant’s room when a hacker began screaming over the family’s Nest camera baby monitor that he was going to kidnap their child. The same month, a benevolent Canadian hacker began speaking to a Nest camera user in Arizona, warning him that his system was ripe for hacking and how to protect it.

 

Adwait Nadkarni, an assistant professor of computer science at the College of William & Mary, was a lead investigator in a December study on the vulnerability of Nest and similar technology.

“Our recent study of the Nest platform shows that it is reasonably secure, in comparison with other similar platforms,” Nadkarni said. “In such cases, the problem most often lies in how the devices are configured and used in the smart home, especially in terms of setting the account password.”

Nadkarni said there have been other hack attacks, but he had not heard of a nuclear hoax.

For the Orinda family, the incident began around 2 p.m. Sunday and froze Lyons in her tracks. She initially anticipated an Amber Alert warning, but the detailed nuclear war message claimed to be from Civil Defense and provided details down to the fact President Trump had been taken to a secure facility.

As the frightening message repeated a second time, Lyons’ young son asked, “Mommy, is there a missile coming?”

As she tried to calm her son, Lyons’ mind raced.

“My first thought was which car are we going to get into now because the Bay Area would be such an obvious target,” Lyons said. “I was thinking we can stop at our friends in Napa. I was disappointed I didn’t have much cash on me. I was going right down the rabbit hole.”

Lyons switched to CNN and other news stations but found no discussion of a nuclear threat. She called 911 and the dispatcher told her she had heard of no other calls.

Lyons didn’t even realize the pair of surveillance cameras the family installed a couple years ago for home security had speakers. The couple began to get more and more suspicious and eventually Googled “Nest and hack” but found nothing about a nuclear attack. Nest is owned by Google.

For Owners of Amazon’s Ring Security Cameras, Strangers May Have Been Watching Too

theintercept.com

The “smart home” of the 21st century isn’t just supposed to be a monument to convenience, we’re told, but also to protection, a Tony Stark-like bubble of vigilant algorithms and internet-connected sensors working ceaselessly to watch over us. But for some who’ve welcomed in Amazon’s Ring security cameras, there have been more than just algorithms watching through the lens, according to sources alarmed by Ring’s dismal privacy practices.

Ring has a history of lax, sloppy oversight when it comes to deciding who has access to some of the most precious, intimate data belonging to any person: a live, high-definition feed from around — and perhaps inside — their house. The company has marketed its line of miniature cameras, designed to be mounted as doorbells, in garages, and on bookshelves, not only as a means of keeping tabs on your home while you’re away, but of creating a sort of privatized neighborhood watch, a constellation of overlapping camera feeds that will help police detect and apprehend burglars (and worse) as they approach. “Our mission to reduce crime in neighborhoods has been at the core of everything we do at Ring,” founder and CEO Jamie Siminoff wrote last spring to commemorate the company’s reported $1 billion acquisition payday from Amazon, a company with its own recent history of troubling facial recognition practices. The marketing is working; Ring is a consumer hit and a press darling.

Despite its mission to keep people and their property secure, the company’s treatment of customer video feeds has been anything but, people familiar with the company’s practices told The Intercept. Beginning in 2016, according to one source, Ring provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world. This would amount to an enormous list of highly sensitive files that could be easily browsed and viewed. Downloading and sharing these customer video files would have required little more than a click. The Information, which has aggressively covered Ring’s security lapses, reported on these practices last month.

At the time the Ukrainian access was provided, the video files were left unencrypted, the source said, because of Ring leadership’s “sense that encryption would make the company less valuable,” owing to the expense of implementing encryption and lost revenue opportunities due to restricted access. The Ukraine team was also provided with a corresponding database that linked each specific video file to corresponding specific Ring customers.

At the same time, the source said, Ring unnecessarily provided executives and engineers in the U.S. with highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras, regardless of whether they needed access to this extremely sensitive data to do their jobs. For someone who’d been given this top-level access — comparable to Uber’s infamous “God mode” map that revealed the movements of all passengers — only a Ring customer’s email address was required to watch cameras from that person’s home. Although the source said they never personally witnessed any egregious abuses, they told The Intercept “if [someone] knew a reporter or competitor’s email address, [they] could view all their cameras.” The source also recounted instances of Ring engineers “teasing each other about who they brought home” after romantic dates. Although the engineers in question were aware that they were being surveilled by their co-workers in real time, the source questioned whether their companions were similarly informed.

Ring’s decision to grant this access to its Ukraine team was spurred in part by the weaknesses of its in-house facial and object recognition software. Neighbors, the company’s disarming name for its distributed residential surveillance platform, is now a marquee feature for Ring’s cameras, billed as a “proactive” neighborhood watch. This real-time crime-fighting requires more than raw video — it requires the ability to make sense, quickly and at a vast scale, of what’s actually happening in these household video streams. Is that a dog or your husband? Is that a burglar or a tree? Ring’s software has for years struggled with these fundamentals of object recognition. According to the most recent Information report, “Users routinely complained to customer support about receiving alerts when nothing noteworthy was happening at their front door; instead, the system seemed to be detecting a car driving by on the street or a leaf falling from a tree in the front yard.”

Computer vision has made incredible strides in recent years, but creating software that can categorize objects from scratch is often expensive and time-consuming. To jump-start the process, Ring used its Ukrainian “data operators” as a crutch for its lackluster artificial intelligence efforts, manually tagging and labeling objects in a given video as part of a “training” process to teach software with the hope that it might be able to detect such things on its own in the near future. This process is still apparently underway years later: Ring Labs, the name of the Ukrainian operation, is still employing people as data operators, according to LinkedIn, and posting job listings for vacant video-tagging gigs: “You must be able to recognize and tag all moving objects in the video correctly with high accuracy,” reads one job ad. “Be ready for rapid changes in tasks in the same way as be ready for long monotonous work.”

Image: Ring

A never-before-published image from an internal Ring document pulls back the veil of the company’s lofty security ambitions: Behind all the computer sophistication was a team of people drawing boxes around strangers, day in and day out, as they struggled to grant some semblance of human judgment to an algorithm. (The Intercept redacted a face from the image.)

A second source, with direct knowledge of Ring’s video-tagging efforts, said that the video annotation team watches footage not only from the popular outdoor and doorbell camera models, but from household interiors. The source said that Ring employees at times showed each other videos they were annotating and described some of the things they had witnessed, including people kissing, firing guns, and stealing.

Ring spokesperson Yassi Shahmiri would not answer any questions about the company’s past data policies and how they might be different today, electing instead to provide the following statement:

We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring videos. These videos are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes.

We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them.

It’s not clear that the current standards for which Ring videos are accessed in Ukraine, as described in Ring’s statement, have always been in place, nor is there any indication of how (or if) they’re enforced. The Information quoted former employees saying the standards have not always been in place, and indicated that efforts to more tightly control video were put in place by Amazon only this past May after Amazon visited the Ukraine office. Even then, The Information added, staffers in Ukraine worked around the controls.

Furthermore, Ring’s overview of its Neighbors system provides zero mention of image or facial recognition, and no warning that those who use the feature are opting in to have their homes watched by individuals in a Ukrainian R&D lab. Mentions of Ring’s facial recognition practices are buried in its privacy policy, which said merely that “you may choose to use additional functionality in your Ring product that, through video data from your device, can recognize facial characteristics of familiar visitors.” Neither Ring’s terms of service nor its privacy policy mentions any manual video annotation being conducted by humans, nor does either document mention the possibility that Ring staffers could access this video at all. Even with suitably strong policies in place, the question of whether Ring owners should trust a company that ever considered the above permissible will remain an open one.

Family traumatized after home monitoring system hacked by stranger

fox4kc.com
LONG ISLAND, N.Y. — A mother in Long Island says a stranger hacked her family’s Nest camera and tried having a conversation with her five-year-old son, according to WPIX.

Nest ads will show you beautiful images of mother nature captured on their outdoor cameras, life’s silly moments and even those moments when your child is up to no good.  But for this Long Island mother, the Nest cam she and her husband set up around their home to act as a nanny cam became a full-on nightmare.

“My son came running out of the playroom and found me in the kitchen and said ‘it’s not daddy talking to me. It’s not daddy.’”

Nearly every day, after school, this mother, who asked PIX11 to hide her identity, said her 5-year-old son chats with her husband through the Nest cam, a home monitoring system users can connect through their cell phones.  This time, however, it was a complete stranger on the other end.

“He asked my son if he took the school bus home and he was asking him about the toys he was playing with and when my son said ‘mommy, mommy,’ he told him to shut up,” she recalled.

When she walked into her child’s playroom, the ominous voice addressed her directly.

Now she is frightened and wonders how long a complete stranger was watching her family. Since this frightening violation, this mother called police, who, while sympathetic, said there was little they could do.

As for Nest?  She was simply told to change her password and switch to a two-factor verification when logging on, but for this mom it’s not enough. She wants to speak out to warn others about this potential danger lurking in their home.

A Nest spokesperson responded to our request for comment and issued this statement:

“We have seen instances where a small number of Nest customers have re-used passwords that were previously exposed through breaches on other websites, and made public. None of these breaches involved Nest. This exposes these customers to other people using the credentials to log into their Nest account. We are proactively alerting affected customers to reset their passwords and set up two-factor authentication, which adds another layer of account security. Customers can reach out to Nest customer support with questions or report anything suspicious to security@nest.com.”
