Cayla, A Living Doll from the Twilight Zone

Cayla, a computer driven talking doll, uses technology similar to that behind Amazon’s Alexa, Microsoft’s Cortana, Apple’s Siri, and Google Home to construct a toy that simulates a living friend for a child. Unfortunately, some believe that Cayla may be the embodiment of the murderous Talky Tina of the fifty-year-old episode of The Twilight Zone, The Living Doll.

In Germany, Cayla has been declared a banned surveillance device. Selling and even possessing a Cayla in Germany is illegal. The doll’s communication capability must be permanently disabled to make it legal in Germany. Also, several groups in the US have launched an action to have Cayla sanctioned under the Children’s Online Privacy Protection Act (COPPA).

I’m not here to advocate that these government and legal actions are justified or not justified, that’s for individuals to decide for themselves, but I think anyone who is concerned about cybersecurity should understand some of the issues involved. We are likely to see many more products like Cayla appearing on the market. Some will be for children, others for teens, and many aimed at adults. Some will be great, some exploitative, and some will, no doubt, be just plain shoddy.

So let’s take an engineer’s look at Cayla. The complaint document sent to the Federal Trade Commission is against Genesis Toys and Nuance Communications and was lodged by the Electronic Privacy Information Center and Consumers Union, among others. Genesis Toys is a Hong Kong corporation that developed the doll. Nuance Communications is a US corporation that retains and processes data collected by the Cayla doll. The exact relationship between Genesis and Nuance is not clear to me, but they are two separate corporations.

Cayla’s architecture is fairly simple. The doll itself is the equivalent of a Bluetooth headset that acts as a microphone and speaker for an app that runs on a smartphone, like an iPhone or an Android. The app communicates with a cloud service that supplies computing and storage resources that power Cayla.

This architecture has issues. Bluetooth headsets are insecure. I mentioned in a blog a few months ago that the NSA has banned commercial Bluetooth headsets for classified or confidential information. Here. A criminal hacker would not have much trouble listening in on a child’s conversations with Cayla and interjecting their own questions and suggestions. Imagine a pedophile speaking through Cayla suggesting to a three-year-old that they meet out in the street. The Bluetooth standard says the protocol is good to ten meters (30 feet) but special equipment can extend the range substantially. Also, Bluetooth signals, essentially the same as Wi-Fi, penetrate walls.

Even in isolated spots where Bluetooth intrusion may not be a consideration, Cayla has vulnerabilities. The FTC complaint points out that Cayla is programmed to promote certain commercial products, such as movies. In addition, the information that Cayla collects, like names, locations, favorite foods and toys, etc., is stored in the cloud. The Genesis Toys privacy policy states that this information is kept and analyzed by Nuance Communications and may be shared. I should note that while I was writing this blog, the posted Genesis privacy statement was changed. You may want to check it for yourself.

Cayla simulates conversation, answers and asks questions, and can, or potentially can, do all of the things Alexa, Cortana, Siri, and Google Home can do: order pizza, open the front door, adjust the thermostat, call for an Uber. The list gets longer every day. Cayla can’t do all these things now, but the technology she is built upon can. Cayla’s limits are set by the discretion of Genesis Toys and Nuance Communications. Parents may want to be certain that controls are in place that will prevent their three-year-old from ordering a dozen pizzas or their ten-year-old embarking on a trip to Aruba. I don’t suggest that Cayla is likely today to cause these things to happen. Rather, parents should be aware that these new products make such mishaps possible.

Like the living doll on Twilight Zone, Cayla is a new technology with unexpected powers and these powers can harm us if they are not used properly.

In another blog, I plan to discuss the steps I would take when deciding whether I want a product like Cayla in my home. These products have amazing potential for improving our lives and could be more fun than a barrel of monkeys for our children. But they can also be dangerous. You should choose with knowledge and good judgement.

Tax Refund Cyber Fraud

I’ve been thinking about tax refund fraud a lot this month. I was resolved that we would get our tax return in early this year so it would be harder for a scammer to rip off our refund, but not all the required documents have wandered in yet and so I sit and fret.

The FBI and the IRS are expecting more fraud than last year, and last year set records. I thought maybe folks would be interested in how the tax refund fraud business works. It is simple: a scammer sends in a fraudulent tax return in your name that nets a big tax refund. The scammer arranges to have the refund wired to his account instead of yours. Then the money vanishes and so does the scammer. When you file your genuine return, the IRS shows its unpleasant side until you can prove that you are the real Clem Kaddidlehopper.

How can the hackers do this? Tax refund fraud is big business. Like all big business, the work is divided up among specialists. Before the tax fraud can occur, the criminals have to steal your identity and steal or manufacture the documents to substantiate a refund that is worth the scammer’s effort and risk. Gathering the documents is the most difficult because it requires the most special knowledge and skill. If scammers have a genuine W-2 form for a victim, they are set. Those W-2s have everything they need.

But how do they get a person’s W-2? The old-school method was to steal them from mail boxes. Modern crooks reject stealing paper mail as risky and inefficient. Stealing W-2s electronically requires more skills, but risk is lower and the take is higher. This year, there have been a number of exploits recorded in which an employee in the financial or human resources department gets an emergency email request from what appears to be the CEO or other higher up in the organization. The request is for the electronic copy of all the W-2s for a department or the entire company. The employee complies and sends the files. Then they discover that the CEO’s email account has been hacked, or on close examination, the email was actually sent by an outside impostor who now has hundreds of juicy W-2s. This outside impostor could be operating from anywhere— onshore, offshore, makes no difference.

What happens then? The impostor might be a tax fraudster, although chances are good that the impostor is an accomplished social engineer who does not dirty his hands with tax fraud. Instead, the impostor goes to a dark net criminal sales site and sells the W-2s for prices that vary based on the amount earned. More money can be extracted from high-earning W-2s, so they sell for more.

The tax fraudster purchases W-2s that suit his fancy on the dark net, then fabricates deductions to extract a large refund from the IRS and files the return electronically. The fraudster’s job is to put together a return that is plausible enough to trick the IRS into believing it is genuine. Although there is word that the IRS has taken steps to clamp down on refund fraud this year, the service is also under pressure to get refunds out speedily, which limits the intensity of the vetting before a check is cut. The growing fraud numbers suggest it is not too hard for a fraudster to fool the IRS.

Good luck! And get those returns in early.

Relabel the Email Send Button “Make Public”

Email is not private. Ever.

We’ve heard a lot about email security during this election year and I am afraid people may have gotten some wrong impressions from the discussion. Most of the debate has been over the use of secure email servers. People may get the impression that using a secure email server makes the information on email private. Securing an email server makes it difficult to snoop into email stored on the server, but that is only a fragment of the picture.

Using email for critical private information is unwise under any circumstances. I fear this point is lost in the discussion. An email server is only one vulnerability in the chain of vulnerabilities from sender to receiver. You can never be certain, even reasonably sure, they are all safe.

Sending information in an email exposes the information to unauthorized access that you will not be able to control. In addition to unauthorized snooping, any email sent or received on company email is open to both the employer of the sender and the receiver. A business may be legally required to make their email public in court. An additional danger is the email message you receive may not be the message your correspondent sent to you. The sender in the email header may not be the real sender. Email was designed for convenience, not for integrity or privacy of communications.

My attitude, and that of a few other software and network architects with whom I have discussed it with recently, is to treat an email as a postcard, open to anyone who cares to snoop.

How email snooping works

To understand email security, you have to know a little about the email system architecture. There are five components: the email sending client, the receiving client, the connecting infrastructure, and the sending and receiving servers. Usually the sending and receiving clients are a single piece of software, like Outlook or Thunderbird, but the sender and receiver each has their own. In addition, unless you are sending email to someone in your own domain (the right side of the “@” in both addresses are the same) the email will go from the sender’s client to the sender’s email service to the receiver’s email service to the receiver’s client. The connecting infrastructure is usually the Internet, and it is often the most vulnerable part of the process.

As an email sender, you can protect your email client by choosing a reputable email service, managing your email account passwords carefully, and following good security practices on the devices you use for sending and receiving email, but you do not control the receiver’s elements in the chain. Steps can be taken to increase the security of email, but there is no way to tell if they have been taken at the links you do not control in the chain. In other words, no matter how careful you are, there are still many opportunities for tampering with the email you send and receive.

Email encryption

However, you can do something to protect your privacy: you can send encrypted messages that you encrypt yourself and your recipients must decrypt themselves. Independent encryption that is controlled by you and your recipient eliminates most of the issues. The problem is that you can’t send an encrypted message to just anyone because you and your recipient have to share some secret key to the encryption. This is the method behind PGP (Pretty Good Privacy) that technical types have used for a long time for email privacy. Many off-the-shelf products require less technical skill to use than PGP, but senders and recipients still have to share some secret information before communication can take place. Off the shelf products can hide the sharing and lessen the pain, but you and your correspondents will still have to agree on tools and keys before you can exchange messages privately.

Encrypted email is the only kind that I consider secure. But I also keep in mind that encryption-based systems are still fallible. What is safe today may be vulnerable tomorrow because all encryption can be broken if sufficient computing power is applied. Today, breaking the most secure encryption requires decades of computer time, but tomorrow’s computers are likely to be much more powerful. Emails that are securely encrypted today will be easy to hack in a few years.  Also, if an encryption key gets into the wrong hands, the message is no longer private. If a careless recipient saves an unencrypted copy of a message, it is no longer private. Also, a strong but poorly implemented encryption is still weak. Encryption products that ought to have been secure have turned out to be insecure through implementation errors. Always keep in mind that email places whatever you send into the hands of strangers.

Email was, like the Internet, designed for flexible and open communications. Its complex and sprawling structure changes slowly. Computer and network security in general has improved greatly in recent years, but the criminals have gotten better too.

The upshot is that secure email servers do not secure email. I, and many other software engineers and architects, regard all email as insecure. Period. Always assume that hitting the send button makes the message public.

Email is fast and convenient, but not private.

Seven Rules for Bluetooth at Starbucks

A few weeks ago, I was talking to another engineer about Bluetooth security. Between us, we weren’t sure how secure Bluetooth is. I decided to find out. The first place I went was to the Bluetooth standard. That got me a great answer to the question “How secure is Bluetooth?” The answer: a firm maybe. To remove some of the uncertainty,  I compiled seven rules for reducing the chances that your Bluetooth connections will be hacked.

Before I list the rules, I will explain why the answer to Bluetooth security is only maybe.

What Is Bluetooth?

BluetoothLike Wi-Fi, Bluetooth is a standard designed to be a cord and cable eliminator. It is a well-established hardware and software standard for short-range communication between computing devices and peripherals that most of us use all the time. Bluetooth and Wi-Fi use the same radio frequencies, but they are quite different. Bluetooth connects accessories to computers. Wi-Fi connects computers to networks.

Bluetooth’s normal range is 30 feet, with special antennas, the range can extend to about 100 feet. The signal can penetrate some walls. In contrast, current home Wi-Fi range is over 200 feet and commercial variations on the standard have greater range. Any Bluetooth client device within 30 feet in any direction will be able to communicate with your Bluetooth host computing device, if your host will accept the client. Your host could be a desktop, laptop, tablet, or smartphone. In our Internet of Things world, almost anything, like a coffeepot or a bathroom scales, can be a Bluetooth client device, but headphones, keyboards, and mice are usual the candidates. The client device could be on the other side of a wall or across the room.

Bluetooth Security

Most people realize that an unsecured Wi-Fi connection can be intercepted by hackers, but how secure is Bluetooth? What can hackers do to us through Bluetooth? It is a complicated question.

Let’s be clear. Bluetooth is sometimes completely insecure. For example, the NSA has declared commercial Bluetooth headphones insecure and bans their use in the military and agencies that deal in confidential or classified information. However, some uses of Bluetooth are secure and a lot of uses are secure enough.

Dispelling a Myth

Bluetooth uses frequency hopping to eliminate interference with Wi-Fi and other radio devices that use the same frequencies. Bluetooth rapidly hops from one frequency to another. This blocks interference that doesn’t follow the hops. Occasionally, this scrambling of the signal is proposed to be a security measure that guarantees that Bluetooth is always secure. This is False! Hackers circumvent frequency hopping easily.

Bluetooth Profiles

A standard like Bluetooth is written to be used for many different purposes. To meet varying sets of requirements, standards like Bluetooth use a concept called profiles. A standards profile is a subset of the standard and a set of practices that narrow the scope of the standard to a specific need. Bluetooth has over thirty profiles. If you look at the details of Windows 10 Bluetooth documentation, you find a list of about a dozen Bluetooth profiles that Windows 10 supports. When a Bluetooth device pairs with a host, the devices agree on a profile they both support. A Bluetooth mouse or keyboard, for example, uses the Human Interface Device profile and a Bluetooth TV remote uses the Audio/Video Remote Control profile. Each profile tailors the standard to a specific purpose.

These profiles also determine the security of the connection. Profiles choose between security modes that vary between wide open to quite secure. Those headphones NSA doesn’t like use an insecure mode that makes it quite easy to for a hacker to listen in. Those low-security head phones pair up with phones and music players easily and are not weighed down with extra security circuitry. You may still want those convenient headphones because, unlike the NSA, you may not care if someone listens in.

Threats
man-in-the-middle
Man-in-the-middle Bluetooth attack.

A Bluetooth hacker can listen in on the connection passively without interfering in the traffic, but they can also launch a man-in-the-middle style attack in which the hacker takes control of the traffic over connection. The most dangerous attack is spoofing, in which a hacker tricks your host device into believing that the hacker’s signal is coming from a device you have paired with. The first step in spoofing usually occurs while your host and a Bluetooth device are exchanging security information during pairing. The hacker listens in on the exchange and then uses the information to spoof your host device.

Secure password exchange prevents man-in-the-middle and spoofing. Encryption blocks passive eavesdropping, which may not be so important if you are listening to Beyoncé on Bluetooth headphones, but critical if you are typing in your bank password from a Bluetooth keyboard and an eavesdropping hacker is recording it. Worse, hackers may use the connection to get into your device. A skillful hacker can take over and seriously compromise your laptop or other host device.

Secure Bluetooth

The most secure Bluetooth connections require secure passwords to be exchanged every time they connect. In secure mode, encryption is optional, but if the transmitted data is encrypted, the connection is similar to an HTTPS connection, which is the usual standard for secure network communications.

The big question with Bluetooth is which profile is in use and how it was implemented. A secure profile is secure; a low security profile is not. A rule of thumb is that if you are asked for a password when pairing, the profile is more secure. If you get to choose the password, rather than copy it from printed instructions, even better. The best approach is to find documentation on the security of the Bluetooth implementation. Knowing the profile is not enough to determine the level of security. For example, the Human Interface Device (HID) profile, which is used for mice and keyboards, leaves encryption optional. You can hope that all Bluetooth keyboards encrypt, but the HID profile does not guarantee it. If the situation requires security, you must consult the security documentation for the device. You may have to dig for it. Don’t rely on marketing literature. Marketers often over-simplify security issues.

My recommendation is that Bluetooth can usually be used safely at home if you control at least a thirty foot perimeter in all directions. Using Bluetooth in public is risky, but the risk can be moderated by following precautions.

Seven rules basic rules for Bluetooth safety:
  1. Avoid high-stakes private activities, like banking transactions, when using Bluetooth in public.
  2. If you are not using Bluetooth, turn it off!
  3. Assume your Bluetooth connection is insecure unless you are positive it is encrypted and secured.
  4. Be aware of your surroundings, especially when pairing. Assume that low security Bluetooth transmissions can be snooped and intercepted from 30 feet in any direction, further with directional antennas. Beware of public areas and multi-dwelling buildings.
  5. Delete pairings you are not using. They are attack opportunities.
  6. Turn discoverability off when you are not intentionally pairing.
  7. If Internet traffic passes through a Bluetooth connection, your firewall may not monitor it. Check your firewall settings.