Curious Conversations, a Research Podcast

(music)

Travis

For many of us, December is a season of both giving and receiving gifts. And that process often includes the latest and greatest gadgets on the market, many of which connect to the internet. And of course, while the World Wide Web can be a very fun place, it can also be a very scary place. So I'm curious, what security considerations should I be thinking about before I connect this digital meat thermometer or singing Travis the Trout fish to my wifi. And thankfully Virginia Tech's Christine Julien was kind enough to answer all my questions and give me a little bit advice on shopping. Christine is the department head of computer science at Virginia Tech and along with leading that department, her research interests include pervasive computing, mobile computing, software engineering, and middleware.

Christine and I talked a little about what the Internet of Things is and what types of risks or threats are we opening ourselves up to when we connect devices to the Internet. We also talked a little about the things she thinks we should be considering when it comes to binding that perfect gift for that special person, especially when it comes to children, as well as what considerations we should be making when it comes to using a gift that we've received. So it's a great idea to listen to this episode before putting your shopping list down in ink.

I'm Travis Williams and this is Virginia Tech's Curious Conversations.

(music)

Travis

So you and I talked in the past about the Internet of Things.

Christine

So I thinking maybe a good place to start this conversation is just when we talk about the Internet of Things, what are we actually talking about? Yeah, so usually what you're talking about is anything like objects, of ordinary everyday objects actually being connected to the Internet. It's that simple. So, you know, we've always had thermostats. Now we have smart thermostats that are connected to the Internet or we have smart locks or your fitness tracker that you're wearing on your wrist. So the idea is that you have ordinary things that are. When I think about the Internet of Things, I like to think about the disappearance, this notion of a disappearing computer, the idea that the computing part of computers is kind of woven into your everyday environments. So rather than kind of having a screen and you seeing that there is a computer there, it's basically part of the objects or part of the walls or part of your surroundings instead. So in my opinion, kind of any IoT device, any of the software that

kind of is running the IOT, so IOT is Internet of Things. And software that's running that device should basically make you be more present in your spaces, not pull you away from those spaces, like behind a screen or something that we're commonly doing.

Travis

Yeah, I think that's a great way of thinking about it. Like we've taken what used to be the, well, I would say the laptop, but what used to be the big desktop computer that you had to sit behind, and now it's just in all of the stuff, a lot of the things. So that's a great way to think about it. When we do connect these things to the larger internet, whether they're, I guess, our at home networks or maybe a public network, what types of threats are we opening ourselves up to?

Christine

Yeah, so you have the possible network vulnerabilities. So actually people intercepting the packets that you're trying to send between your device and whatever cloud servers that it's talking to. Or the other way around. So by connecting this device to the internet, it's receiving data from the internet so somebody could send information that you don't want to receive potentially. A lot of these devices have GPS capabilities inside of them so you might have location tracking and if you're wearing them or carrying them or transporting them in some way then you're being potentially tracked or your items are being tracked. A lot of these devices require you to like register them with some third party so you might have to provide personal information like your address phone number, your birthday, like this other kind of personally identifiable information. Some of the scariest ones are, you know, when you have internet of things devices that have microphones and cameras in them. So you're like smart doorbells or like home security cameras or Alexa is like smart assistance, this kind of thing. They have microphones and speakers and cameras in them. So you can imagine like collecting data, audio and video data about your, what you're doing in an environment. So that's the kind of data that you're talking about. If you're thinking about potential vulnerabilities, so potential threats, I guess, you can think about examples. There was one just last week. Maybe I just read about it last week. I guess it didn't happen last week. But recently, it was reported that hackers from a foreign entity actually broke into someone's home Wi-Fi router and then use their Wi-Fi router to actually break into a secure facility that happened to be across the street from the home. So just by having that device in the house, you make yourself vulnerable. Right. One example, I can give you more examples of scary stories of Internet of Things devices.

Travis

Well, yeah, I'm curious. I'm curious about things that connect to the Internet that may not have a very that may not be very secure. They may not be encrypted. They may be like very like a low bar. I don't want to say necessarily cheap, but you know, the type of stuff that's very affordable that maybe you get for like a child or something and it connects. Can that be used for something like what you're talking about to get in and do something more nefarious to something more important?

Christine

Yeah, so indeed more nefarious to something more important. So one of the scariest stories about a IoT device gone bad, I think, is these smart teddy bears that were on the market several years ago where the idea was that they got connected to the you got them as a gift for somebody like a grandchild or something. And as part of the gift, you could connect the teddy bear to the Internet and then you could send your grandchild.

messages, audio messages, and then Teddy Bear would play them back. And then the child could record, hi grandma, I'm doing great, won my soccer game today, right? And that would get sent back to you at the other side, which is really cool. And it's a really nice, neat way for people to stay connected to each other with these devices. Unfortunately, what happened though, was that all these audio messages, they didn't just go straight to grandma's pocket. They went to a cloud server that before they could go back and forth the other way and that cloud server was compromised. And something like, more than 2 million messages between kids and other adults were lost. Actual audio recordings of people that were met as private conversations were made public, basically released publicly. So that can be a really scary kind of thing. You feel very vulnerable. Another one that many people may have heard about have to do with home security cameras or home audio devices where people weren't using strong passwords to protect them. So the devices themselves, the company didn't get compromised, but because people didn't protect their passwords, other nefarious folks got access to say your smart speaker or your smart camera in your house and then were talking. There's some very scary videos you can watch online talking to kids in their bedrooms from a farm pretending to be Santa Claus or whatever or saying scary things to people threatening them via their speakers and cameras just because the passwords weren't secure.

Travis

That does sound terrifying. They don't want videos. They're very, very scary. Unless the people are breaking in and breaking into our cameras and telling my son to clean his playroom. That's fine. If you'll listen to them, they're more than welcome to try that.

Christine

We've seen that in Jess, but it's still pretty creepy, right? Like to have somebody completely from outside potentially talking to you without knowing who it is.

Travis

Yeah, that's extremely creepy. I'm totally joking. If anybody's listening to this, please don't do that. Well, I'm glad that you mentioned kids and devices and even the teddy bear situation because we're entering a season where a lot of people are thinking about buying things for other people, not just kids, but gadgets and fun things. I think we all kind of see them out there and they seem fun. So I'm curious from someone who is a computer scientist who studies this stuff. What are some things that we should be thinking about when we're seeing these gifts pop up like the teddy bear that you just mentioned?

Christine

Yeah, so I think it depends a little bit on kind of how much expertise you have in the area, right? So if you're able to give like one of the things I like to do because I know this space and I'm kind of aware of what the potential pitfalls are is when you're giving a gift, you give the gift of the service to right, which is, you know what? A smart frame would be really cool for us to pick out a smart frame together because I want to give that to you and I'm going to set it up and I'm going to make sure it's secure and I'm going to spend a couple hours making sure you know how to use it and it works and everything. So there's the piece of kind of remembering to give, you know, the basically the assembly required kind of version of the modern IoT gift, right? Like I'm going to help make sure that this gets assembled and it's not frustrating for you. So I think a lot about, so security is a big deal, right? We should research, we should not give gifts that we're not comfortable using ourselves. I like to think about what I'm giving a gift to. Like, I've actually tried this out in my house and I think it's really cool and I know you well enough to know that you might really like this gift too. So knowing something about it, doing the research on like the third party that is controlling the data centers that are going to have all of the data. So security is really important. I think usability and interoperability are really important too. So if I'm getting a gift for somebody and I know they're already kind of all in on one of the mobile ecosystems like Android or Apple, I might be sure that I get them a gift that's going to work with whatever they're already using, right? Because otherwise I'm just getting them a thing that's going to collect dust and is annoying to keep clean. So I think that's really important. And then, you know, knowing the person you're giving the gift for, like you're not buying a gift for yourself, you're buying a gift for somebody else. Do they really need it? Is it something, is it solving a problem or a need or giving them something that they actually want? Or is it going to be more frustration than it is actually usefulness? And then on the kid's side, as a parent myself, I've had a lot of, actually, I've been given a lot of gifts for my kids, but truth be told, I've probably bought a lot of these gifts for my kids myself that I think are really cool, but then the kids play with them for like 10 minutes and then they're in the corner for a long time. And I was reading something recently about kind of picking out gifts like toys for kids that, you know, really think about the gift should itself be like 90 % kid, 10 % toy. And I thought that was a really cool idea, especially in the space of IoT devices. It should really be about you and centering you as a person and what your experiences are, and much less about the device itself being cool. And so I think that that's way to think about those gifts. It's really about the person, and it's going to make the person shine, rather than, I've got a cool shiny new thing in the corner that everybody can Yeah, I think that's a great way to look at that, especially the last little bit of information or advice that you gave there. I think I will be employing that for our son.

Travis

Well, how about on the flip side of that? How about when maybe you mentioned that you have kids. What do you do and what's your thought process when maybe your kids get one of these gifts that plugs into the internet? are you thinking about and what types of things should we consider when we're in similar situations?

Christine

Yeah, I can fall into the trap easily too, which is that like this thing is cool. It's really fun. Let's get it turned on and let's get going. Right. And so I think it is important to take a little beat and kind of think about what is this device going to collect about me or my kid or whatever? Like what information is it going to collect? Where is it going to store that information? Does it need that information? Who's going to have access to that information? Who's it going to be sold to and how are they going to use it? Like all of this is really important. So as boring as it is, I think it's important to read that fine print. You can also use product reviews for this. So pretty much any kind of online retailer has product reviews and a lot of people will weigh in on this. There's a lot of use recently of like LLMs, which you can do yourself or you can rely on somebody else to kind of parse through some of those reviews too, just to make sure you kind of understand what's happening.

And then once you decide, yes, we're gonna plug this sucker in, I'm gonna use it, I love it, it's gonna be great, make sure you set up those strong passwords for it. Every single one of your devices should have a different password so that if one gets compromised, they're not all compromised. Another thing that's harder to do but I think is pretty important is to kind of, when you're thinking about your home network, separate your kind of essential devices, your laptops, your smartphones, kind of thing. Those things that you really rely on where you keep very privileged information from your toys, your smart fridges, your vacuum. And you can do that by putting in like a mesh network, which is what we have at our house. Or you can even just use like the guest network on your Wi-Fi router. And so you connect the kind of toy devices to that guest network and you connect your really important devices to your regular network and keeping them separate, you know, prevents things like this Russian attack I was talking about at beginning. Another thing I think about this is that just because an IoT device that you're going to use comes with a feature doesn't mean you have to use that feature. So as an example, we have a smart garage door opener at our house, right? And it has some features that are important just to get the garage door open. Like if I'm standing in front of it, I need to make it open, right? And I can enable those features which are really local control, but then it's also connected to the internet. So I can open my garage door from afar, but I don't necessarily need that feature to be enabled. And I definitely don't need it to be enabled all the time. So you can also think about enabling and disabling features kind of as you're traveling or you might need them or not need them. And that provides an added, it's kind of like turn the lights off, right? It's an added level of security.

Travis

Are there any particular websites or resources that you use when you go to maybe research some of these things or that you particularly trust?

Christine

Like I said, I always use product reviews. so Amazon, especially when I'm buying things from Amazon, even if I'm not, using the reviews that you find there can be very. helpful, right? And you can look through them for very specific keywords. I also kind of just trust other product review sites, know, consumer report style things, For, and asking the very pointed questions for are these secure and insecure. And I'm not kidding when I say, you can throw some of this into chat GPT and say, I'm getting a whatever for Christmas. What are some security vulnerabilities I should be concerned about? There's no shame in doing that. That's a great way to use that feature.

Travis

Yeah, have you had some success using ChatGBT to answer that question?

Christine

It helps, especially when you have kind of that dense fine print that's a novel legalese, like helping you kind of navigate through that and simplify that in a way that's understandable. You can give it a big chunk of that fine print and say, what kind of data is this going to share? And it'll say, this is what it's, you say, this is what the privacy policy is. Can you tell me what kind of data it's really going to share about me? And it'll distill it into much more simple terms for you, which I think is a great use of such a AI.

Travis

Yeah, I think that that's an excellent tip and I think that's something I'll definitely be using because I don't think in my life I have ever made it through any of that five print.

Christine

You want to, right? You start and then you're like, it's calling me.

Travis

No, I just, agree. I agree. Like what's my, what's the alternative here? I'm sorry.

Christine

Exactly.

Travis

You've talked a little bit about this, but I'm just kind of curious, big picture, how do you, how do you go about navigating this kind of tricky space when it comes to balancing, you know, life and wanting to get the gadget out and have fun, but also being safe?

Christine

Yeah, I mean, I'm an early adopter. If I see a gadget on the market, I like to buy them, I like to try them out. I'm guilty of buying them, using them for a little bit of time, and then getting rid of them if they didn't really work for me. I mean, I definitely, this is my space and I'm excited about using them. So I would never want the message to be, my goodness, don't get any IoT devices for your house because it's so scary. So we definitely do that. We have smart voice assistants, smart garage door opener, I already mentioned, smart locks, smart frames, these sorts of things. I like the locks and garage door openers. have to say I have two kind of tween teenage children and they've been really helpful in kind of helping them gain a little bit of independence, right? Get in and out of our house and then feel safe. Like they get feedback. The house is secure. The door is locked. The garage door is closed. Like they get this kind of feedback instead of a sense of control. And I think that's been really good for their kind of independence, which is nice.

The smart, my family right now is separated across two states. So kind of having a smart frame and being able to see photos that go back and forth between the two places is pretty fun. And then the same feature I was mentioning before, like dropping in on a smart speaker and speaking out loud to somebody that's in the space. I actually use this all the time with my kids, right? I just drop in and like have a conversation while they're hanging out in the kitchen at the other house. So I think that we use all of these things. We just try to be cognizant of what data is being sent about us as we do it.

(music)

Travis

And thanks to Christine for helping us better understand the stuff we should be considering when it comes to connecting all the things to our internet. If you or someone you know would make for a great curious conversation, email me at traviskw at vt.edu. I'm Travis Williams and this has been Virginia Tech's Curious Conversations.

(music)