It’s no surprise that the U.S. National Security Agency
and presumably other spy agencies around the world are investigating how
they might take advantage of the new generation of Internet-connected
devices in homes and offices for spying purposes.
What is surprising is how willing Richard Ledgett,
the NSA’s deputy director, was to talk about it in remarks at a
conference in Washington on Friday. “As my job is to penetrate other
people’s networks, complexity is my friend,” he said of the growing mass
of common household and office items that are increasingly likely to be
logged in to a nearby Wi-Fi network. “The first time you update the
software, you introduce vulnerabilities — or variables, rather. It’s a
good place to be in a penetration point of view.”
He means these items are easy to hack, and there’s a lot of evidence to back up that claim. A study last year
by the software security firm Veracode found numerous basic security
vulnerabilities in devices like garage door openers and some widely sold
hubs used to build a home IoT network. And as another study in 2014
by the security arm of Hewlett-Packard found, those devices often leave
the factory with default passwords like “12345” enabled and no
requirement to change them.
Finally, in a comment that sounds awfully like a plot point from the TV series “Homeland,” reported by The Intercept,
Ledgett said the agency’s research extends into potentially exploiting
biomedical devices like pacemakers as a possible “tool in the toolbox.”
He went on to say, though, that it’s easier to keep track of foreign
spies and terrorism suspects through other means.
Ledgett is the latest to elaborate on the U.S.
intelligence community’s thinking about the potential for IoT spying. In
comments during a U.S. Senate hearing
earlier this year, James Clapper, the director of national
intelligence, said intelligence services spying on the U.S. might target
devices for use in surveillance, eavesdropping, recruiting sources or
gaining access to networks. What he didn’t say at the time was whether
or how U.S. spy agencies might do the same thing.