IoST: The Internet of Spying Things

Thinking of buying that Skype-enabled smart TV? Bad move bud, you’re inviting all sorts of hackers, spy agencies, feds, and other undesirables directly into your living room.

Once upon a time in 2003, the FBI sought permission to wiretap an OnStar-like device in a car… except it wasn’t wiretapping communications, it was turning the device into an always-on microphone that got piped directly to FBI HQ. And they didn’t seek permission, they coerced the manufacturer into helping them, concluded their surveillance, then asked the court later. Oops.


A recent report, released by “the Berkman Center for Internet & Society at Harvard University” said:

A plethora of networked sensors are now embedded in everyday objects. These are prime mechanisms for surveillance: alternative vectors for information-gathering that could more than fill many of the gaps left behind by sources that have gone dark – so much so that they raise troubling questions about how exposed to eavesdropping the general public is poised to become.

The report itself is a very interesting read, and surprisingly unbiased; I’d recommend reading the full thing if you have 20 mins to spare. 

In short: who cares if you’re using Signal if your TV can just listen in on your conversation? Why bother with PGP if your Wi-Fi enabled anytime-vlogging necklace can just read your emails off your screen? Is there a point to avoiding Windows 10 if your voice-activated Twitter-enabled fridge is reporting everything you do in your kitchen anyway? Ignoring, for a second, that The Greatest Surveillance Tool of All Time rarely leaves you pocket: a microphone, two cameras, a GPS chip, and even an always-on data connection! 


Our glorious government’s been getting assblasted by the recent we-do-encryption-toono-backdoors-we-swear corporate meme, but that’s sadly about to become irrelevant as IoT becomes more prevalent. The Xbox One was a fairly good test of how the public would react to inserting a surveillance device directly into their living room (I still get creeped out when I enter a room and see that thing looking back at me), and according to MS, the “vast majority” of people who bought an Xbone with a Kinect still use it (although, MS is “decommissioning” certain Kinect features like gesture control for menus, so I’d read the preceding statement as “left it plugged in but don’t really use it”). As Wi-Fi enabled everything becomes the new cool thing to have, we’ll keep seeing more and more stories about exploits in poorly-written firmware. Then one day, some whistleblower will drop a story about some agency having recorded everything you said in your livingroom over the last decade and everyone will be all surprised all over again.


Sounds bleak right? There are a few things you can do though:

  • Try to avoid IoT-esque devices for “nifty” features. Do you really need to control your house temperature from your phone, at the expense of your house “occupancy metadata” being available?
  • If you’re using a device in a LAN context, don’t let it talk to the outside world. If you like turning on your blender with a button in your bathroom, that’s cool. But no, the blender does not need 24/7 internet connectivity to “check for updates”. Least amount of access necessary is good secsec anyway.
  • If your device needs to talk to someone external, firewall it down to just the people it should be talking to (you do have a hardware firewall at the edge of your network, right?). If your toilet posts to Twitter, there’s no reason for it to be talking to anyone but Twitter.
  • If you need to connect to your device from outside your LAN, do yourself a favor and set up a VPN server on your network. Exposing these IoT devices to the outside world is a terrible, terrible idea considering that they often offer no authentication past a basic username and password, and are often hilariously insecure. Personally, I make a single RPi available to the outside world, which I OpenVPN to (using PKI) (this is a one-button connection on my phone), then I access all internal services from there.
  • Unplug your Xbone Kinect. Plug it in when you’re using it. And for the love of god, rip the OnStar module out of your car.

Self-host Everything

I firmly believe that “cloud services” will be the downfall of the internet: instead of a free and open network, where anyone can provide services, we’re moving towards a few monolithic networks providing “free” services (in exchange for selling your data to advertisers, and showing you advertisements) and stomping out all smaller competition, Walmart-style.


There are several issues with depending on cloud service providers:

You are at the mercy of the service provider. What would happen if, say, Facebook chose to shut down services in your country tomorrow? How many people would you lose touch with? How many photos and messages would you lose forever? Better yet, how fucked would you be if Gmail disappeared?

Your data is most likely being vacuumed up by various nation-state attackers. As the Snowden slides revealed, virtually all major cloud service providers are providing your personal data directly to the NSA — however, it would be foolish to assume that only the NSA has your data. Because these cloud service providers are international, your data is most likely also provided to intelligence agencies in virtually all developed countries, from China to Russia to Israel. Why? Because these providers “must follow the law”, and operating in many countries means following the law in many countries.

Cloud services are a tempting target for attackers. Imagine if you could… oh I dunno, find nude pictures of many celebrities in a single datastore. If you had the skills, wouldn’t that be a juicy target? That being said, cloud services are usually fairly secure, but slip-ups still happen.

All “free” cloud services sell your data to advertising firms. There’s probably some sweatshop worker reading your emails right now to figure out whether to sell your male enhancement pills or sunglasses. I hope you’re not surprised, as you agreed to it in the EULA you accepted — how else did you think these services would get paid for? Interestingly, Google is mostly likely the least evil of the providers in this regard, because they do their own advertising. So at least your data stays with one company.

I bet you have a solution, LG. 

Of course. The answer is to self-host everything.

Running your own services lets your keep control of your data, and offers enhanced privacy and security. While running services requires a certain amount of technical competence, it’s far more straightforward (and cheaper) than many people assume. Find yourself a nice VPS host (DigitalOcean and Linode are good) or a host for dedicated servers (I’ve had good experiences with, Hetzner, and OVH), find some tutorials, pay a few bucks per month, build services, break services, fix services. Find a few technically-able friends to give you a hand, or a few privacy-aware friends to split the cost with. Some examples:

  • Email: Postfix and Dovecot, optionally Roundcube (webmail)
  • Chat: Prosody (XMPP)
  • Files: OwnCloud
  • Documentation: Mediawiki
  • Blog: WordPress
  • Search Engines: Searx
  • More


Won’t this be horrendously expensive?
For a few users, you can run all of the above on a $5/month DigitalOcean VPS.

Won’t things break?
Absolutely. But learning how to fix things when they break is what makes you a good sysadmin. Backup often, backup well.

Won’t it be inconvenient?
Absolutely. But that’s the whole appeal of cloud service providers: convenience, in exchange for your personal data. At some point, you’ll realize it’s just not worth it.

Will I be secure against hackers/nation-state attackers?
Kinda. You’ll be safe from certain types of attacks: the NSA storing and analyzing every email you send via Gmail, for instance. If you’re specifically targeted, no, you’ll get #rekt anyway via the attacker compromising/compelling your hosting provider, putting malware on your home computer, or being beaten with a wrench until you give up your encryption keys. But self-hosting keeps your data out of the massive, easy-to-access pools of personal data on cloud services — it makes it more difficult for attackers to get at your data, and making attacker’s jobs more difficult is something we should all strive to do.

Humor me: try it out today. Get a domain name, fire up a $5 VPS on DigitalOcean, find an inital server setup and securing your server guides, then follow the ISPmail tutorial and set up email services (DigitalOcean and Linode have excellent knowledge bases of tutorials: see 1 and 2). Test it out, find features you want, find tutorials to implement them. Do something dumb, break something, then figure out how to fix it. Find some friends, work together, and free yourself of the cloud service botnet.