An article on the Techdirt website about the ease with which a smart kettle can be hacked has highlighted the dire state of device security in the ‘Internet of Things’.
The iKettle allows users to turn it on remotely from anywhere using a smartphone app. However, researchers have pointed out that the kettle is relatively easy to hack, especially if the user has not configured it properly. The company that produces the iKettle has said its associated Android and iOS apps will be updated to eliminate the security vulnerabilities. However, there remains the wider problem of ‘Internet of Things’ devices opening up vulnerabilities in people’s home networks, especially where device security is an afterthought.
The researchers’ advice is not to put ‘Internet of Things’ devices on your network unless you are absolutely sure they are secure.
Nikolaj Nielsen reports in the EU Observer that France is proposing that all travelling EU nationals should be required to give their fingerprints and possibly also have their faces scanned as part of the Smart Borders programme.
Smart Borders was proposed in 2013 by the European Commission to manage the external borders of the Schengen Member States, and included biometric scanning of visiting non-EU nationals. It has been on hold for a while because of cost concerns; however, an updated plan for the scheme is expected before the end of the year.
In a document submitted by the French delegation, it is claimed that an expanded Smart Borders scheme is required to address terrorist threats, and the Charlie Hebdo attack in Paris and the recent attack on an Amsterdam to Paris train are cited as justification. Further justifications include dealing with migration and managing increasing passenger numbers.
France is of course one of the key powers within the EU, and the concern must be that it will be able to force its plans through irrespective of the wishes or objections of the people of the EU, or of other member state governments.
A team at WP Engine have conducted an interesting analysis of some 10 million passwords collected from various sources such as leaks and dumps. Virtually none of the passwords were still in use, so the researchers considered it ethical to use the dataset in their research.
The analysis highlights that people tend to choose passwords based on familiar patterns and whatever comes to mind when asked for a password. So it is not surprising that, among the 50 most used passwords, the most common text-based one is the word “password” itself. The use of patterns often makes passwords very easy to guess, especially for password-cracking software such as hashcat, which the article puts at up to 300,000 guesses at a password per second.
Other patterns identified include people adding their year of birth to their name to create a password, and an interesting difference between the sexes was that the word “love” appeared in women’s passwords more often than in men’s. Keyboard patterns (e.g. qwerty) also feature prominently. These can appear random, but again they are easy to predict with software.
The WP Engine team highlight that the strength of a password increases with its entropy, a measure of how much variation there is in the characters of the password. Entropy increases most significantly with the length of the password; however, a password that scores well on a simple entropy calculation may in practice have none. For example, “password” has a calculated entropy of 37.6 bits (eight characters drawn from the 26 lowercase letters), but in practice its score is effectively zero because every word list used by password crackers includes the word password.
Interestingly, adding a number to a password will increase its calculated entropy, but the increase may not be as significant as it first appears. This is because both the act of appending a number and the actual number appended (the most common being 1) are predictable, and therefore easily incorporated into a password-cracking program as a rule.
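To make the entropy argument concrete, here is a small Python script, added here as an illustration (it is not WP Engine’s code, and the ten-entry wordlist, its ranks, the 1900 to 2030 “year” rule and the “word plus digits” cracking model are all assumptions). It computes the textbook entropy of a password and contrasts it with the number of guesses a pattern-aware cracker would actually need, converting both to time at the 300,000 guesses-per-second figure quoted above.

```python
import math
import re

# Constructed stand-in for a cracker's wordlist, ordered most common first.
# Ranks here are an assumption for illustration; a real list such as the one
# WP Engine analysed runs to millions of entries.
WORDLIST = [
    "123456", "password", "12345678", "qwerty", "abc123",
    "letmein", "monkey", "dragon", "iloveyou", "football",
]
RANK = {word: i + 1 for i, word in enumerate(WORDLIST)}

# Guess rate quoted on this page for hashcat (guesses per second).
GUESSES_PER_SECOND = 300_000


def charset_size(pw: str) -> int:
    """Size of the alphabet a pure brute-force attacker would have to cover."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def naive_entropy(pw: str) -> float:
    """The textbook figure: length * log2(alphabet size). 'password' -> 37.6 bits."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def effective_entropy(pw: str) -> float:
    """log2 of the guesses a pattern-aware cracker needs, under the assumed model.

    Model (an assumption for illustration): the cracker tries the wordlist in
    rank order, then each wordlist entry with a numeric suffix appended, and
    only falls back to brute force when neither pattern matches.
    """
    lowered = pw.lower()
    if lowered in RANK:
        # Exact wordlist hit: found after RANK[lowered] guesses.
        return math.log2(RANK[lowered])

    m = re.fullmatch(r"([A-Za-z]+)(\d{1,4})", pw)
    if m and m.group(1).lower() in RANK:
        word, digits = m.group(1).lower(), m.group(2)
        if len(digits) == 4 and 1900 <= int(digits) <= 2030:
            suffix_space = 131                 # "year" rule: 1900..2030 (assumption)
        else:
            suffix_space = 10 ** len(digits)   # every digit string of that length
        # Worst case for the attacker: every suffix tried for each earlier word too.
        return math.log2(RANK[word] * suffix_space)

    # No known pattern: assume the attacker must brute-force the full space.
    return naive_entropy(pw)


def seconds_to_crack(bits: float, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to exhaust 2**bits guesses at the given rate."""
    return 2 ** bits / rate


if __name__ == "__main__":
    for candidate in ["password", "password1", "qwerty1990", "Xk9#mQ2p"]:
        naive, effective = naive_entropy(candidate), effective_entropy(candidate)
        print(f"{candidate:12} naive {naive:5.1f} bits ({seconds_to_crack(naive):.3g} s)"
              f"  effective {effective:5.1f} bits ({seconds_to_crack(effective):.3g} s)")
```

Run as-is, the script shows the gap the article describes: “password1” scores 46.5 bits on the textbook calculation (over a decade of work at 300,000 guesses per second) but only about 4.3 bits against a cracker that tries the wordlist with a digit appended, which is a fraction of a millisecond. Only the final candidate, which matches no pattern, keeps its calculated entropy.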
Overall, the WP Engine article is a recommended read, if only to make sure that none of the passwords you are using is among the 50 most used!
The Australian Broadcasting Corporation (ABC) website has an interesting article describing an experiment in which it released the mobile phone metadata of one of its reporters, Will Ockenden, and asked readers to identify what it revealed about him.
A lot of information can be obtained from telephone and internet metadata, and the Newsblog has highlighted this in previous posts, but those all involved professional researchers. What is interesting about the ABC experiment is that the data was released to members of the public, who were asked to identify what it revealed about the reporter.
Despite the amateur nature of the investigators, it was remarkable what they could discover about his movements and lifestyle. For example, the bus route he takes and the stops he gets off at on his way to work were identified, as were the domestic flights he took. Some people were even able to identify the times he got stuck on his way to work because a movable bridge had lifted.
Australia has recently introduced legislation requiring phone and internet operators to retain metadata. The ABC experiment once again shows the privacy issues associated with metadata retention, and how metadata is much more than just “billing information”, as is so often claimed by governments who want access to it.