How Your Home Music System Opens the Door for Ghosts (and Hackers)

TO SAY THAT Aaron Gotwalt is afraid of the future wouldn’t be fair. The San Francisco–based entrepreneur and programmer, like most of his kind, loves technology. But work has a way of turning even the most enthusiastic developer into a bit of a skeptic, which is perhaps why, behind his piercing gray eyes, he possesses a subtle look of skepticism.

Gotwalt is a born tinkerer, particularly when it comes to his in-home music system. “I remember a long time ago I hacked my friend’s music device so the only thing it played was ‘The Final Countdown,’” says Gotwalt. “But now, when I play music in my house, I can’t hear the doorbell, so I wanted to figure out how to pause the music when the doorbell rang.” That led to a deeper dive into the system’s APIs. “Eventually I said, let’s see if we can make this do something more interesting.”

That something came in the form of a massive prank on Gotwalt’s friends: Ghosty, a decidedly “unofficial” app whose sole reason for existence is to play creepy sounds–think shambling footsteps and children weeping–in the dead of night, all piped through your victim’s own in-home, wireless music system. After all, what good is technology if you can’t use it to keep your best buds up at night?

Ghosty is part of a new breed of exploits taking advantage of design flaws that have been baked, sometimes intentionally, into the Internet of Things, those web-connected devices like speakers, thermostats, and washing machines that have been rapidly filling the homes of the tech-savvy. The catch with all of these products? “They’re often built with the user’s convenience foremost in mind. And while that’s not necessarily a bad thing, it does mean that security can often be lackluster,” Gotwalt says. The only defense: extreme diligence, or a device such as Bitdefender’s BOX, which monitors your network for potentially malicious traffic.

Ghosty isn’t the simplest hack to pull off. “You need access to your victim’s home and his Wi-Fi network password, and you have to plug this little Raspberry Pi computer into an electrical outlet in his house,” says Gotwalt. “But once it’s on the network, it covers its tracks. Ghosty then has the full ability to discover, observe, and control the music devices on the network it’s connected to. Once running, it can be left unattended indefinitely while your friend slowly loses his mind.”

His friend’s biggest mistake: giving out his Wi-Fi password. “Once you have access to a home network,” he says, “you have access to whatever’s on that network. You have to be smart.”

Gotwalt’s biggest concern revolves around cheaply made smart devices, like off-brand, Wi-Fi-connected lightbulbs that aren’t being designed with any security in mind. Similarly, he’s anxious about how exploits like his could someday evolve to target more critical systems, such as smart door locks or home security systems. Even an attack against a smart refrigerator, he says, could prove costly to a homeowner if a prankster decided to shut off the freezer while the owner went on vacation.

The good news is that solutions are starting to emerge that can help to secure nontraditional devices like these, which are otherwise left undefended by traditional security tools like anti-virus software running on a PC. For example, Bitdefender’s BOX treats all devices–computers, phones, televisions, and even your baby monitor–the same way, watching for rogue network traffic and malicious activity and blocking out any shenanigans, whether they were intended as a practical joke or something worse.

Pairing good security practices with even better technology can ensure your connected home is also a safe home, and that the only thing coming out of your IoT speakers is the album that you put on.
