It’s no surprise that the U.S. National Security Agency and presumably other spy agencies around the world are investigating how they might take advantage of the new generation of Internet-connected devices in homes and offices for spying purposes.
What is surprising is how willing Richard Ledgett, the NSA’s deputy director, was to talk about it in remarks at a conference in Washington on Friday. “As my job is to penetrate other people’s networks, complexity is my friend,” he said of the growing mass of common household and office items that are increasingly likely to be logged in to a nearby Wi-Fi network. “The first time you update the software, you introduce vulnerabilities — or variables, rather. It’s a good place to be in a penetration point of view.”
He means these items are easy to hack, and there’s a lot of evidence to back up that claim. A study last year by the software security firm Veracode found numerous basic security vulnerabilities in devices like garage door openers and some widely sold hubs used to build a home IoT network. And as another study in 2014 by the security arm of Hewlett-Packard found, those devices often leave the factory with default passwords like “12345” enabled and no requirement to change them.
Finally, in a comment that sounds awfully like a plot point from the TV series “Homeland,” reported by The Intercept, Ledgett said the agency’s research extends into potentially exploiting biomedical devices like pacemakers as a possible “tool in the toolbox.” He went on to say, though, that it’s easier to keep track of foreign spies and terrorism suspects through other means.
Ledgett is the latest to elaborate on the U.S. intelligence community’s thinking about the potential for IoT spying. In comments during a U.S. Senate hearing earlier this year, James Clapper, the director of national intelligence, said intelligence services spying on the U.S. might target devices for use in surveillance, eavesdropping, recruiting sources or to gain access to networks. What he didn’t say at the time was whether or how U.S. spy agencies might do the same thing.
This article originally appeared on Recode.net.