Everything Set: case studies
There is no button to press that gives you instant device and network privacy; that’s not how it works. Network security is an ongoing process. Think of a security camera, a constant monitor of activity around your home; that’s similar to how this works. We constantly monitor network activity to ensure there isn’t the smart device equivalent of a stranger climbing over your fence or peeping through your curtains.
We have grown a community across America, analyzed thousands of smart devices, run vulnerability scans on home networks, identified troublesome device chatter to bad IP addresses, and built device profiles from behavior patterns. The cumulative and ongoing data from this beta has provided a robust foundation for our users’ privacy and security.
The moment we notice anything strange, we alert the user and help to provide a fix.
We thought you might be interested to read about the kind of privacy and security issues we identified and helped to fix over the last year: the kind of privacy and security issues Everything Set could help you avoid.
Entertainment monitor: malware gateway
The beauty of smart home devices is that they learn our preferences and customize the home experience. We like it when they adjust our thermostats to make us cozy or turn our lights on at just the right time. However, we may not want these intimate details shared with third parties without our consent, or worse, find that they provide a gateway to other sensitive data in our home.
While running a vulnerability scan, we noticed two identical custom-installed smart home monitors (in different homes) had the same Telnet port open. Telnet is one of the prime culprits in the spread of many well-known botnets, most notably Mirai and its variants. We discovered that, in addition to this exposure, both devices were actively communicating with the same flagged IP address: a known command and control server. With this connection, that IP address could send malware into the smart home monitor and eventually infect other smart devices on the home network, provide other network backdoors, or cause the device to attack other networks.
In layman's terms, we discovered this device offered an opening into the home network and the bad guys had access to it.
So, we alerted both users of this device, found there were no security patches available, and determined the devices themselves were compromised. As a result, we suggested the users disconnect the rogue devices and replace them with more secure devices complete with updated functionality. No other bad behaviors were found on either user’s network.
Smart phone: Pegasus hack
Last year, Citizen Lab discovered that both iOS and Android smartphones were being exploited by Pegasus, spyware that could be installed without any user knowledge or participation. In response, operating system developers released emergency firmware patches as a fix. We had a front-row seat to the Pegasus debacle thanks to the hundreds of smartphones we were monitoring as part of our security service.
Pegasus spyware works in a contactless way: users don’t have to open a text message, open an email attachment, or take any action at all. Instead, the malware works simply by calling you on WhatsApp; you don’t even have to answer the call, and the spyware is installed on your phone. The record of the call is also erased, so there is no way to trace it or prove that it happened. Meanwhile, all your activity on the phone can be stolen.
The way Pegasus infections are currently identified is by taking a backup of your phone and running it through a command line tool. This tool checks all the places your phone contacted and compares them against forensically determined lists of Pegasus servers. This works for a small subset of very technical users but not for the vast majority of people who won't know about this type of tool, or even how to produce a backup of their phone.
We tackle the Pegasus issue differently and, importantly, in a super easy, user-friendly way. We actively check a list of known Pegasus servers against all devices in our ecosystem and then alert users if their smartphone is in contact with them.
During our beta, we identified one phone that had contacted a Pegasus server and alerted the user immediately. They upgraded their phone’s operating system and, as a technical user, created a backup and ran the command line tool to see if there was further evidence of malicious activity after the update. No other issues were found, the problem was resolved, and the user was protected.
The ability to identify Pegasus quickly is a preventative measure in itself. Everything Set can then immediately stop access to the Pegasus servers within the home network. This is a solid first step as it can slow the problem down, but it may not prevent all data leaking from an infected device—particularly a mobile phone that will travel onto cellular (and other) networks unprotected by Everything Set. With the infection contained, users have the ability to apply the latest security update, reinstall software on their phone, or even switch to a new device if they choose before the problem spreads.
Desktop computer: exploited device
Desktop computers have a wide range of services designed to secure and protect them, including antivirus software embedded in the operating system and additional subscription-based antispyware, antimalware, and antivirus software. Despite all of these protections in place, we identified a desktop communicating with IP addresses that were flagged as dangerous by Cisco’s Talos group. Addresses like this tend to be flagged because they’re participating in widespread hacking or botnet activity, and traffic to them can be an indicator that a device has already been exploited.
We notified the user of the computer and also identified that their device was missing security updates that might patch the vulnerability being exploited. Following this update, our continued monitoring did not identify any further unsafe internet communication.
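The checks behind the three cases above (a scan turning up an exposed Telnet port, and each device’s outbound connections compared against a list of flagged addresses such as the Pegasus server lists or Talos-flagged IPs) as an added example. This is not Everything Set’s code; the device names, flow records and indicator list are constructed placeholders using documentation address ranges.

```python
"""Per-device matcher for exposed services and contact with flagged addresses
(added example, not Everything Set's code; all data below is constructed)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed indicator list standing in for flagged C2 / spyware infrastructure.
INDICATORS = {
    "192.0.2.10": "known C2 server",
    "198.51.100.0/24": "flagged botnet range",
}

# Constructed scan results: device -> open TCP ports seen by a local port scan.
OPEN_PORTS = {"monitor-a": {23, 80}, "monitor-b": {23}, "phone-1": set(), "desktop-1": set()}

# Constructed flow records: (device, destination ip, destination port).
FLOWS = [
    ("monitor-a", "192.0.2.10", 8080),
    ("monitor-b", "192.0.2.10", 8080),
    ("phone-1", "198.51.100.77", 443),
    ("desktop-1", "203.0.113.5", 443),   # not on the indicator list
]

RISKY_PORTS = {23: "Telnet"}   # services that should not be exposed on a home LAN

def _lookup(ip, indicators):
    """Return the indicator label for ip, matching single hosts and CIDR ranges."""
    addr = ip_address(ip)
    for entry, label in indicators.items():
        hit = addr in ip_network(entry, strict=False) if "/" in entry else addr == ip_address(entry)
        if hit:
            return label
    return None

def find_alerts(flows, open_ports, indicators=INDICATORS):
    """Return {device: [alert, ...]} for devices exposing risky services or
    contacting listed infrastructure; each flagged destination is reported once."""
    alerts = defaultdict(list)
    for device, ports in open_ports.items():
        for port in sorted(ports & set(RISKY_PORTS)):
            alerts[device].append(f"exposed {RISKY_PORTS[port]} (tcp/{port})")
    seen = defaultdict(set)
    for device, dst, port in flows:
        label = _lookup(dst, indicators)
        if label and dst not in seen[device]:
            seen[device].add(dst)
            alerts[device].append(f"contacted {dst} ({label}) on tcp/{port}")
    return dict(alerts)

def shared_indicator_contacts(flows, indicators=INDICATORS):
    """Flagged addresses contacted by more than one device (the pattern seen with
    the two identical monitors): {indicator_ip: sorted device names}."""
    by_ip = defaultdict(set)
    for device, dst, _ in flows:
        if _lookup(dst, indicators):
            by_ip[dst].add(device)
    return {ip: sorted(devs) for ip, devs in by_ip.items() if len(devs) > 1}
```

Devices that neither expose a risky port nor contact a listed address (desktop-1 here) produce no entry, so the result maps directly to the per-device alerts described above.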
Set-top box: botnet attack participant
Many cable and satellite TV companies provide set-top boxes that stream their services. These devices are easy to use and provide a simple utility: you plug them in and watch TV. Most users don’t think twice about adding them to their home networks. Unfortunately, these devices are commonly involved in botnet attacks. They’re likely targeted because of their broad distribution and how uniform their vulnerabilities are. If a bad actor can exploit a specific problem, it can be widely deployed quite rapidly.
During our beta, we identified that a set-top box began repeatedly contacting a known bad IP address. The box was an older device provided by a large media company for a home TV service. We notified this user of the problem and suggested they return the box to their cable or satellite provider for a replacement (since users usually cannot update the firmware on these devices). After getting a replacement, the newer set-top box again began repeatedly contacting the same known bad IP address. The user again contacted their cable or satellite provider which finally provided a firmware upgrade to the device. Since that time, the user’s home showed no additional strange behavior from any of the devices on their network.