Your cable TV box may soon be spyng on you and your family

News that Google Inc. may be developing a television set-top box with a motion sensor and video camera has rekindled the debate over technology that can record so-called ambient action. Should a TV-mounted box have the ability to track our movements, record our voices and monitor our behaviors? Should cable providers and tech companies be allowed to collect such information without our consent?

In November, the Microsoft Corp. filed a patent application for a system that would use its Kinect camera to monitor users’ behavior. Kinect will come attached to Microsoft’s forthcoming Xbox One game consoles. Its always-on sensors can read body behavior, track eye movements and listen for commands. It even knows how many people are in the room. As Polygon reported, the device has raised numerous concerns among privacy advocates, particularly in light of Microsoft’s reported compliance with the National Security Agency’s PRISM program.  

Lawmakers and privacy advocates are asking such questions as companies continue to experiment with data collection that will extend beyond our gadgets and into our living rooms and bedrooms. On Thursday, the Wall Street Journal reported that Google privately showed off a prototype device at the Consumer Electronics Show in Las Vegas last January. The company is one of many tech players looking to compete with pay-TV providers, who themselves have been exploring new ways to capture information about viewers’ behavior.

In November, Verizon Communications Inc. (NYSE:VZ) filed a patent application for a set-top box that delivers advertisements based on users’ behaviors. For instance, two people cuddling on sofa watching TV might see a commercial for a romantic Disney cruise, while an arguing couple might see a pitch for couples’ therapy. The device would use a combination of motion and audio sensors to collect information about what viewers are doing as they watch TV.

Creeped out yet? You’re not alone. News of Verizon’s plans brought countless headlines about the potential for Orwellian cable boxes and digital video recorders, spying on us during our most intimate moments. And legislators have been quick to respond. Last month, two U.S. congressmen, a Democrat and a Republican, introduced a bill that would require such devices to be opt-in, meaning consumers would have to grant explicit consent before companies could collect data on ambient action. The bill -- dubbed the “We Are Watching You Act of 2013” -- would also require that devices flash on-screen warnings whenever they are recording such information.

Reps. Michael E. Capuano, D-Mass., and Walter Jones, R-N.C., who sponsored the bill, called such technology an “invasion of privacy.” In a statement, Jones even acknowledged the data collected through such devices could be potentially abused by the government itself. “When the government has an unfortunate history of secretly collecting private citizens’ information from technology providers, we must ensure that safeguards are in place to protect Americans’ rights,” he said.
http://www.ibtimes.com/your-cable-box-spying-you-behavior-detecting-devices-verizon-microsoft-others-worry-privacy-1361587

"Smart homes" are easily hacked:

The home automation market was worth $1.5 billion in 2012 according to Reuters; there’s been an explosion in products that promise to make our homes “smarter.” The best known is Nest, a thermostat that monitors inhabitants’ activity, learns their schedules and temperature preferences and heats or cools the house as it deems appropriate. Many of these products have smartphone apps and Web portals that let users operate devices, cameras, and locks from afar. Getting to live the Jetsons’ lifestyle has downsides though; as we bring the things in our homes onto the Internet, we run into the same kind of security concerns we have for any connected device: they could get hacked.

Googling a very simple phrase led me to a list of “smart homes” that had done something rather stupid. The homes all have an automation system from Insteon that allows remote control of their lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices, so that their owners can turn these things on and off with a smartphone app or via the Web. The dumb thing? Their systems had been made crawl-able by search engines – meaning they show up in search results — and due to Insteon not requiring user names and passwords by default in a now-discontinued product, I was able to click on the links, giving me the ability to turn these people’s homes into haunted houses, energy-consumption nightmares, or even robbery targets. Opening a garage door could make a house ripe for actual physical intrusion.

Thomas Hatley’s home was one of eight that I was able to access. Sensitive information was revealed – not just what appliances and devices people had, but their time zone (along with the closest major city to their home), IP addresses and even the name of a child; apparently, the parents wanted the ability to pull the plug on his television from afar. In at least three cases, there was enough information to link the homes on the Internet to their locations in the real world. The names for most of the systems were generic, but in one of those cases, it included a street address that I was able to track down to a house in Connecticut.

The Insteon vulnerability was one of many found in smarthome devices by David Bryan and Daniel Crowley, security researchers at Trustwave. Bryan got one of Insteon’s HUB devices in December, installed the app on his phone, and began monitoring how it worked.

“What I saw concerned me,” he said. “There was no authentication between the handheld and any of the control commands.”

“You could put someone’s electric bill through the roof by turning on a hot tub heater,” says Bryan. He contacted Insteon support by email and asked how to enable a username and password, and Trustwave recently sent the company a full advisory as to its vulnerabilities. The company later fixed the problem with HUB, issuing a recall for the devices in early 2013, though it did not inform customers that the security vulnerability was one of the reasons for that recall.

The problem with Insteon products that don’t have password protection by default is similar to one found with Trendnet IP cameras a few years ago; a lack of authentication meant that anyone who figured out the IP address for a particular camera could watch the camera’s stream—some streams were rather intimate. Even without a public-facing website, a vulnerability like this means that anyone who figures out how to identify the addresses for vulnerable systems – as happened with the Trendnet cameras –  could get access to and control of people’s homes.
http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/