What Is The Internet Of Things?

The Internet of Things (IoT) is a name given to ‘smart’ devices connected to the Internet. These devices exist in home, public, corporate, and yes even government environments.

Why? One way to make life easier is automation. Automation detects certain things, and rather than having to take time out from your busy day to react to those perceived states, something automatically happens to move the process along to the next step. Automation is the heart and soul of the IoT.

Sensors act as extensions of yourself when you aren’t physically there. For example, a smart doorbell can be used to talk to a delivery driver even when you aren’t home. A home assistant can listen to your commands and do things online or in the house even when you aren’t in front of the keyboard of an Internet-connected device. An agricultural system can ‘feel’ how damp the soil is, automatically watering it when needed. A perimeter alarm can ‘see’ intruders, and call security or police as needed.

The IoT’s intention is to allow an individual to leverage the power of the Internet to magnify their effectiveness, or to allow a business to operate more efficiently with less manual labor required. But the reality is that the IoT is a hacker’s paradise, and that includes government hackers.

IoT Hacks

IoT devices have been the target of government hackers long before the phrase ‘IoT’ was coined. There were many known weaknesses. But as time went on, the industry hoped that security could outpace the efforts of those who were looking to undermine device security.

That wasn’t the case. Instead, IoT devices became primary targets for gathering intelligence on networks, and on their owners as well. A good example of this is the 2019 series of attacks carried out by Strontium, a hacker group sponsored by the Russian government. Print-from-anywhere interfaces and VOIP phones were popular targets. Basic security measures were not taken to secure these devices… but with tens of billions of IoT devices worldwide, obviously some things are going to get missed.

More specifically targeted attacks happened years earlier, the templates of what was to come. First BASHLITE ended up with around a million IoT devices under its control, running from 2014 to 2016. Then another wave of IoT attacks occurred in 2016, when the Mirai botnet honed in on and took over two of the most common devices in households: IP cameras and low-end home routers. Note: These were not government attacks. But BASHLITE and Mirai were templates that governments could use to engage in their own IoT-based espionage.

For example, the Russian FSB used Mirai as an inspiration for their planned Fronton botnet. Detailed documentation was leaked, showing the design and testing of the government botnet. They decided to target IP cameras since their ability to dump large video files would make them capable of efficient DDoS attacks. The entire program could be transformed into resources for mass observation if the need arose.

But let’s not pretend that the U.S. doesn’t do the exact same thing. Sure, the NSA is usually more upfront about it, but it was the CIA who made a public splash with IoT hacking in the past few years. A leaked 2017 CIA document detailed the activities of their Engineering Development Group, including mass IoT hacking that targeted smart devices, turning them into active microphones. As of 2014, they had also been working on infecting the logistics and control systems found in modern cars and trucks.

And if their hacks were discovered? It was them, but it wasn’t really them. Whatever hacks they perform are then misattributed to whoever they want to blame, using the ‘UMBRAGE’ group’s custom digital fingerprint compilation library as a misdirection suite.

While the U.K.’s GCHQ pushes for better IoT security (which might indicate that they’re behind the curve on hacking IoT devices themselves), many other governments are hard at work pressuring the biggest IoT manufacturers to install backdoors in their products so that the government can monitor them at all times. So let’s talk about that for a little while.

IoT Backdoors

When you think of mandatory government backdoors, you should automatically think of China. (You may remember the supply chain backdoor mentioned in earlier chapters.) And as far as IoT devices go, they do not ‘disappoint’.

Although they claim to only require backdoors in imported hardware, the sad truth is that China demands backdoor access to many IoT devices made inside the country as well. The massive Xiongmai firmware backdoor has been known about for years, but mysteriously it remains unpatched on millions of devices. And many new devices are still using compromised firmware versions.

Similar stories have broken every few months for the past few years: DblTek VOIP products. Ezviz security cameras. Vivo’s pop-up camera implementation. Anything associated with Huawei. It’s hardly a coincidence at this point.

But why be so subtle about it? If the German Home Secretary can call for backdoors on IoT products publicly, why not shout it from the rooftops? They’re perfectly willing to push for encryption backdoors, why not broaden the scope?

The answer is simple: People generally don’t understand encryption. But they do understand that they don’t want the government spying on them from their smart toaster.

So at least there is some measure of public resistance to mandatory IoT backdoors. As the debate for fully autonomous driverless cars heats up, expect the subject to come up again, however. Law enforcement will want a way to automatically stop a self-driving car, I can guarantee it.

Conclusion

With the average home having multiple IoT devices, and with things like smart doorbells and home assistants becoming more common, government spying will quickly embrace their ubiquitous nature. Government-controlled botnets and backdoors on IoT devices will only get more common in the future, as their coverage and autonomous power grows.

Conclusion - A Few Final Words

If you’ve made it this far, and if you’ve checked out even a third of the news stories, technical papers, public statements, and biographies linked in this book… congratulations. You’re probably as informed about government hacking as most people in the security industry. Believe me, I’ve known CISM candidates who had no idea about a fraction of the things we’ve discussed.

In this chapter, you won’t find any more evidential links. If you aren’t convinced by now, when the public record states the case against government hacking quite plainly, then another URL isn’t going to help.

Right about here, there will probably be a nice link to our sponsor, Hoody, who paid for the creation of this entire book out of their own pockets. On a personal note, I want to say a huge ‘thank you’ to the entire Hoody team, who is as interested in personal privacy and digital independence as any group that I’ve had the pleasure of dealing with.

I know that these topics aren’t talked about a lot in the press. They’re not ‘feel good’. They’re not sexy. They’re a series of uncomfortable truths that a lot of folks like to hide away from because they can make us feel… helpless.

But you aren’t helpless. Your family, your friends, and future generations aren’t helpless.

It takes real political will, and often it takes a measure of protest and reform before things like privacy get treated seriously. Electing candidates who are against governments spying on their citizens and residents is where things have to start. That happens at the local level, 99 percent of the time. So please pay attention to what’s happening around you, and back the people who are willing to speak out against this kind of injustice.

And make them walk the talk. Voting history is far more important than anything they say on a debate stage. If the candidate doesn’t vote against the expansion of police and government spying, they aren’t your friends, and they don’t care about your privacy.

In places where the elections are fixed, or where no elections are held at all, vigilance must be your watchword. You need to use end-to-end encryption if you can do so safely. You need to be as anonymous as possible online. You need to ‘walk with no footprints’, at least on a digital level. That’s how you start to make a difference: You survive. You teach others to survive. You pass on the power of anonymity and the knowledge of self-preservation. And you seek freedom and escape whenever the opportunity arises. It’s not simple, and for some, it may be impossible. Try not to lose hope. And please be careful.

I’m getting older. For me, this used to be a subject about people who went too far for the greater good. Or people who would do anything to control and enslave the less fortunate. But these days, I think that I understand the reality of the situation: Most of the time, it’s about paranoia. Most of the time, these people see enemies everywhere. They feel so hated that they assume everyone wants to take a shot at them. Ironically, this mad spiral into paranoia is exactly why some people would consider a revolution against dictators who spy on their every move. Their reaction to this perceived hatred causes actual hatred. Their overreaction to possible danger conjures real danger.

But the truth is that dictators get away with it most of the time. Big government entities rarely get punished or reformed. Whenever there’s a successful uprising or a wave of radical reform, it’s a coin flip as to whether the new balance of power is better or worse for the lives of the average citizen or resident.

All we can do is point out the injustice whenever it happens, which is what we’ve done in this book. All we can do is make a decision:

1) Give up the encryption, rights, and freedoms that we enjoy because someone is telling us it’s for the greater good.

2) Or fight like Hell to retain our anonymity, our right to privacy, and our dignity in this world.

I’ve chosen a path that not many security experts have the luxury to walk. I live my life so publicly that there are no secrets that can be used against me. My successes and failures are well documented. I publicly talk about who I am, what I do, and who I love. I do this so that I’m above reproach, and I can write about things like this without anyone threatening to talk about the skeletons in my closet. I’m out of the closet, and the door is wide open.

But that doesn’t mean that I’ve stopped fighting like Hell for those who don’t have that same luxury. That’s why I’m here, writing this. My personal interactions, my government dealings, my experiences with police services, my international travels… all of these things contributed to the subjects that I chose to present in this book. I felt that these were the most important topics for people to know about. And I knew that the public record would back me up.

As you close this book, physical or (most likely) digital, I want you to have hope. I firmly believe that knowledge is power. You’re far more powerful now that you’ve read about and researched these topics.

Please, share your knowledge with others. Fight to protect the free press. Don’t give another inch to those who would oppress you. And if times seem dark wherever you are, I hope to see you again when the light finally dawns.

Bill Ricardi - Author of ‘How The Government Hacks You’