smart devices

Google launches new Assistant developer tools

Posted by | Android, artificial intelligence, Assistant, Banking, belkin wemo, Developer, Finance, Google, Google Assistant, Google Cast, google home, Google I/O 2019, lifx, Nike, Philips, smart devices, smart home devices, tp-link, wemo | No Comments

At its I/O conference, Google today announced a slew of new tools for developers who want to build experiences for the company’s Assistant platform. These range from the ability to build games for smart displays, like the Google Home Hub and the launch of App Actions for taking users from an Assistant answer to their native apps, to a new Local Home SDK that allows developers to run their smart home code locally on Google Home Speakers and Nest Displays.

This Local Home SDK may actually be the most important announcement in this list, given that it turns these devices into a real hardware hub for these smart home devices and provides local compute capacity without the round-trip to the cloud. The first set of partners include Philips, Wemo, TP-Link and LIFX, but the SDK will become available to all developers next month.

In addition, this SDK will make it easier for new users to set up their smart devices in the Google Home app. Google tested this feature with GE last October and is now ready to roll it out to additional partners.

For developers who want to take people from the Assistant to the right spot inside of their native apps, Google announced a preview of App Actions last year. Health and fitness, finance, banking, ridesharing and food ordering apps can now make use of these built-in intents. “If I wanted to track my run with Nike Run Club, I could just say ‘Hey Google, start my run in Nike Run Club’ and the app will automatically start tracking my run,” Google explains in today’s announcement.

For how-to sites, Google also announced extended markup support that allows them to prepare their content for inclusion in Google Assistant answers on smart displays and in Google Search using standard schema.org markup.

You can read more about the new ability to write games for smart displays here, but this is clearly just a first step and Google plans to open up the platform to more third-party experiences over time.

Powered by WPeMatico

Spy on your smart home with this open source research tool

Posted by | chromium, Gadgets, Internet of Things, IoT, IoT Inspector, Princeton University, privacy, privacy research, Security, smart devices, smart home devices, traffic analyzer, WireShark | No Comments

Researchers at Princeton University have built a web app that lets you (and them) spy on your smart home devices to see what they’re up to.

The open source tool, called IoT Inspector, is available for download here. (Currently it’s Mac OS only, with a wait list for Windows or Linux.)

In a blog about the effort the researchers write that their aim is to offer a simple tool for consumers to analyze the network traffic of their Internet connected gizmos. The basic idea is to help people see whether devices such as smart speakers or wi-fi enabled robot vacuum cleaners are sharing their data with third parties. (Or indeed how much snitching their gadgets are doing.)

Testing the IoT Inspector tool in their lab the researchers say they found a Chromecast device constantly contacting Google’s servers even when not in active use.

A Geeni smart bulb was also found to be constantly communicating with the cloud — sending/receiving traffic via a URL (tuyaus.com) that’s operated by a China-based company with a platform which controls IoT devices.

There are other ways to track devices like this — such as setting up a wireless hotspot to sniff IoT traffic using a packet analyzer like WireShark. But the level of technical expertise required makes them difficult for plenty of consumers.

Whereas the researchers say their web app doesn’t require any special hardware or complicated set-up so it sounds easier than trying to go packet sniffing your devices yourself. (Gizmodo, which got an early look at the tool, describes it as “incredibly easy to install and use”.)

One wrinkle: The web app doesn’t work with Safari; requiring either Firefox or Google Chrome (or a Chromium-based browser) to work.

The main caveat is that the team at Princeton do want to use the gathered data to feed IoT research — so users of the tool will be contributing to efforts to study smart home devices.

The title of their research project is Identifying Privacy, Security, and Performance Risks of Consumer IoT Devices. The listed principle investigators are professor Nick Feamster and postdoctoral researcher Danny Yuxing Huang at the university’s Computer Science department.

The Princeton team says it intends to study privacy and security risks and network performance risks of IoT devices. But they also note they may share the full dataset with other non-Princeton researchers after a standard research ethics approval process. So users of IoT Inspector will be participating in at least one research project. (Though the tool also lets you delete any collected data — per device or per account.)

“With IoT Inspector, we are the first in the research community to produce an open-source, anonymized dataset of actual IoT network traffic, where the identity of each device is labelled,” the researchers write. “We hope to invite any academic researchers to collaborate with us — e.g., to analyze the data or to improve the data collection — and advance our knowledge on IoT security, privacy, and other related fields (e.g., network performance).”

They have produced an extensive FAQ which anyone thinking about running the tool should definitely read before getting involved with a piece of software that’s explicitly designed to spy on your network traffic. (tl;dr, they’re using ARP-spoofing to intercept traffic data — a technique they warn may slow your network, in addition to the risk of their software being buggy.)

The dataset that’s being harvesting by the traffic analyzer tool is anonymized and the researchers specify they’re not gathering any public-facing IP addresses or locations. But there are still some privacy risks — such as if you have smart home devices you’ve named using your real name. So, again, do read the FAQ carefully if you want to participate.

For each IoT device on a network the tool collects multiple data-points and sends them back to servers at Princeton University — including DNS requests and responses; destination IP addresses and ports; hashed MAC addresses; aggregated traffic statistics; TLS client handshakes; and device manufacturers.

The tool has been designed not to track computers, tablets and smartphones by default, given the study focus on smart home gizmos. Users can also manually exclude individual smart devices from being tracked if they’re able to power them down during set up or by specifying their MAC address.

Up to 50 smart devices can be tracked on the network where IoT Inspector is running. Anyone with more than 50 devices is asked to contact the researchers to ask for an increase to that limit.

The project team has produced a video showing how to install the app on Mac:

Powered by WPeMatico

Hackers hijack thousands of Chromecasts to warn of latest security bug

Posted by | Amazon, chromecast, computing, echo, Gadgets, Google, Hack, hardware, iPad, media streamer, Security, smart devices, smart home devices, spokesperson, technology, wi-fi | No Comments

Hackers have hijacked thousands of exposed Chromecast streaming devices to warn users of the latest security flaw to affect the device. But other security researchers say that the bug — if left unfixed — could be used for more disruptive attacks.

The culprits, known as Hacker Giraffe and J3ws3r, have become the latest person to figure out how to trick Google’s media streamer into playing any YouTube video they want — including videos that are custom-made. This time around, the hackers hijacked forced the affected Chromecasts to display a pop-up notice that’s viewable on the connected TV, warning the user that their misconfigured router is exposing their Chromecast and smart TV to hackers like themselves.

Not one to waste an opportunity, the hackers also asks that you subscribe to PewDiePie, an awful internet person with a popular YouTube following. (He’s the same hacker who tricked thousands of exposed printers into printing support for PewDiePie.)

The bug, dubbed CastHack, exploits a weakness in both Chromecast and the router it connects to. Some home routers have enabled Universal Plug and Play (UPnP), a networking standard that can be exploited in many ways. UPnP forwards ports from the internal network to the internet, making Chromecasts and other devices viewable and accessible from anywhere on the internet.

As the two say, disabling UPnP should fix the problem.

“We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device,” a Google spokesperson told TechCrunch. “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable,” the spokesperson said.

That’s true on one hand, but it doesn’t address the underlying issue — that the Chromecast can be tricked into allowing an unauthenticated attacker the ability to hijack a media stream and display whatever they want.

Hacker Giraffe sent this YouTube video to thousands of exposed Chromecast devices, warning that their streams could be easily hijacked. (Screenshot: TechCrunch)

Bishop Fox, a security consultancy firm, first found a hijack bug in 2014, not long after the Chromecast debuted. The researchers found that they could conduct a “deauth” attack that disconnects the Chromecast from the Wi-Fi network it was connected to, causing it to revert back to its out-of-the-box state, waiting for a device to tell it where to connect and what to stream. That’s when it can be hijacked and forced to stream whatever the hijacker wants. All of this can be done in an instant — as they did — with a touch of a button on a custom-built handheld remote.

Two years later, U.K. cybersecurity firm Pen Test Partners discovered that the Chromecast was still vulnerable to “deauth” attacks, making it easy to play content on a neighbor’s Chromecasts in just a few minutes.

Ken Munro, who founded Pen Test Partners, says there’s “no surprise that somebody else stumbled on to it,” given both Bishop Fix found it in 2014 and his company tested it in 2016.

“In fairness, we never thought that the service would be exposed on the public internet, so that is a very valid finding of his, full credit to him for that,” Munro told TechCrunch. (Google said in a follow-up email that it’s working to fix the deauth bug.)

He said the way the attack is conducted is different, but the method of exploitation is the same. CastHack can be exploited over the internet, while Bishop Fox and his “deauth” attacks can be carried out within range of the Wi-Fi network — yet, both attacks let the hacker control what’s displayed on the TV from the Chromecast, he said.

Munro said Google should have fixed its bug in 2014 when it first had the chance.

“Allowing control over a local network without authentication is a really silly idea on [Google’s] part,” he said. “Because users do silly things, like expose their TVs on the internet, and hackers find bugs in services that can be exploited.”

But Munro said that these kinds of attacks — although obnoxious and intrusive on the face of it — could be exploited to have far more malicious consequences.

In a blog post Wednesday, Munro said it was easy to exploit other smart home devices — like an Amazon Echo — by hijacking a Chromecast and forcing it to play commands that are loud enough to be picked up by its microphone. That’s happened before, when smart assistants get confused when they overhear words on the television or radio, and suddenly and without warning purchase items from Amazon. (You can and should turn on a PIN for ordering through Amazon.)

To name a few, Munro said it’s possible to force a Chromecast into loading a YouTube video created by an attacker to trick an Echo to: “Alexa, order an iPad,” or, “Alexa, turn off the house alarm,” or, “Alexa, set an alarm every day at 3am.”

Amazon Echos and other smart devices are widely considered to be secure, even if they’re prone to overhearing things they shouldn’t. Often, the weakest link are humans. Second to that, it’s the other devices around smart home assistants that pose the biggest risk, said Munro in his blog post. That was demonstrated recently when Canadian security researcher Render Man showed how using a sound transducer against a window can trick a nearby Amazon Echo into unlocking a network-connected smart lock on the front door of a house.

“Google needs to properly fix the Chromecast deauth bug that allows casting of YouTube traffic,” said Munro.

Updated at 9pm ET: with a new, clearer headline to better reflect the flaws over the years, and added additional comment from Google.

Powered by WPeMatico

Everyday home gear made smart

Posted by | Android, Assistant, Belkin, belkin wemo, Bluetooth, Column, electronics manufacturing, Gadgets, Google, Home Automation, iRobot, kwikset, Nest Labs, Roomba, smart devices, smart thermostat, smartphone, Speaker, wi-fi, Wirecutter | No Comments
Makula Dunbar
Contributor

Makula Dunbar is a writer with Wirecutter.

Editor’s note: This post was done in partnership with Wirecutter. When readers choose to buy Wirecutter’s independently chosen editorial picks, Wirecutter and TechCrunch may earn affiliate commissions.

If you only have one smart home device, it’s likely something simple and fun like a voice-controlled speaker or color-changing LED light bulb. As you expand your smart home setup, you can begin to swap out gear that isn’t as flashy but you still use everyday.

Switching to connected locks, power outlets and smoke alarms are all simple installs that can improve your safety and comfort in your own home. We’ve pulled together some of our favorite essentials made smart for anyone looking to upgrade.

Smart lock: Kwikset Kevo Smart Lock 2nd Gen

The Kwikset Kevo Smart Lock 2nd Gen is the most versatile smart lock that we’ve tested. Whether you prefer to use a wireless fob, smartphone app or key, you’ll be able to control the lock with all of them. When we compared it to similar models, the Kevo’s Bluetooth-activated tap-to-unlock mechanism was the easiest to use.

The second generation of the Kevo improved on security and has all-metal internal components for better protection against forced break-in attempts. With the optional Kevo Plus upgrade, you’ll add the ability to control the lock remotely and receive status-monitoring updates.

Photo: Liam McCabe

Robot Vacuum: iRobot Roomba 960

If cleaning is neither your forte or preferred pastime, a robot vacuum will come in handy. Our upgrade pick, the iRobot Roomba 960, is one of the most powerful models that we tested. It can be controlled through the iRobot Home app and uses a bump-and-track navigation system that helps vacuum an entire floor without missing spots.

If its battery is running low during a session, it’ll return to its dock to power up before finishing the job. It’s easy to disassemble for maintenance and is equipped with repairable parts that make it worth its price over some of our less serviceable picks.

Photo: Rachel Cericola

Plug-in Smart Outlet: Belkin Wemo Mini

We tested 26 smart outlet models over more than 45 hours and chose the Belkin Wemo Mini Wi-Fi plug as our top pick. If you’ve ever thought it’d be nice to remotely turn on or off home essentials such as lamps, air conditioners and fans from your smartphone, plugging them into a smart outlet makes it possible.

The Wemo Mini has proven to be reliable throughout long-term testing, it doesn’t block other outlets on the same wall plate and it’s compatible with iOS and Android devices and assistants, including HomeKit/Siri, Alexa and Google Assistant. The interface of the Wemo app is intuitive and easy to use. You can view all of your connected devices on one screen, set powering timers and from anywhere power on or off a device plugged into the Wemo outlet.

Photo: Jennifer Pattison Tuohy

Smart Thermostat: Nest Thermostat E

For a smart thermostat that’s affordable and doesn’t require extensive programming, we recommend the Nest Thermostat E. After about a week, it creates a schedule after learning cooling and heating preferences that you’ve set. It isn’t compatible with as many HVAC systems as similar Nest models, but it’s easy to install and doesn’t lack any features we expect.

It does come with Eco Mode — an energy-saving geofencing feature that detects when your home is empty (or when your smartphone is nowhere near your house). The Nest app uses the same technology to set the thermostat to a preferred temperature when it senses you’re on your way home. If you don’t have your smartphone on hand, you can still operate the Thermostat E by turning its outer ring and pressing selections on its touchscreen.

Photo: Michael Hession

Smart Smoke Alarm: Nest Protect

A smoke alarm is one of the most relied-upon safety devices in every home. Nonetheless, it’s easy to forget to do routine checks to ensure it’s in tip-top shape and functioning properly. With a smart smoke alarm like the Nest Protect, we found that its simple app, self-tests, monthly sound checks and consistent alerts are enough to keep fire safety worries at bay.

It isn’t difficult to install, has a sleek design and integrates with other smart home devices like the Nest Cam (which can record video of a fire) and the Nest Learning Thermostat (which shuts down HVAC systems that may be the cause of a fire). It’s sensitive to fast- and slow-burning fires, plus it monitors homes for both smoke and carbon monoxide.

These picks may have been updated by Wirecutter. When readers choose to buy Wirecutter’s independently chosen editorial picks, Wirecutter and TechCrunch may earn affiliate commissions.

Powered by WPeMatico

Defusing The Internet Of Things Time Bomb

Posted by | Column, cybersecurity, data security, Gadgets, Internet of Things, Online Trust Alliance, smart devices, TC | No Comments

shutterstock_139410728 They’re coming, and we won’t be able to stop them. But will they be friends or foes? What are we talking about? Internet of Things (IoT) devices. And, as with most things, the answer will depend on the details. Gartner predicts there will be approximately 5 billion such devices in use this year, growing to 25 billion (more than half of them consumer-focused) by 2020. Read More

Powered by WPeMatico