Smart Refrigerator Security Vulnerability

These days we are in the IOT revolution.  Everyone is flocking to the electronic stores to purchase smart appliances, so they have more convenience in their everyday lives.  Security vulnerabilities are being found by security researchers constantly as these new smart devices find their way to the stores.  It seems that for every IOT device that is released there is a corresponding security threat that seems to be discovered.  It turns out that even a smart refrigerator could be vulnerable to malicious people trying to obtain a user’s personal information.  While researching smart refrigerator vulnerabilities I came across a hack that lets malicious users obtain a user’s Google login credentials and I thought that this hack is definitely noteworthy.  In this document I will go over who discovered this smart refrigerator vulnerability, details on how this vulnerability is utilized, and what a user can do to prevent being a victim of this security vulnerability.

         This hack to find out a user’s Google login credentials through the Samsung smart refrigerator was discovered by security researchers at a security company named Pen Test Partners.  These security researchers discovered this hack at an IOT hacking challenge called the Def Con Security Conference (Neagle, 2015).  Security researchers at Pen Test Partners went through a bunch of different routes to find vulnerabilities in the Samsung smart refrigerator, like firmware attacks, tearing down the mobile app, and TCP services (Venda, 2015).  The security researchers found the vulnerability in the smart refrigerator’s implementation of SSL, which failed to validate the SSL certificates.  Because the refrigerator failed to validate the SSL certificates, a man-in-the-middle attack became possible, allowing a malicious user to obtain Google login credentials, because the refrigerator has a Google calendar application on it that lets a user post calendar events and notes on the door of the refrigerator.  Having a Google calendar on the door of your refrigerator sounds like a great idea and could be very convenient for organizing tasks and meetings for a user’s family.  Unfortunately, the hack discovered by Pen Test Partners makes the Google Calendar a prime target for the user’s personal information.

         This smart refrigerator hack is basically a man-in-the-middle attack.  A man-in-the-middle attack is when a malicious user listens for packets exchanged between a device and a server.  Since the SSL implementation in the Samsung smart refrigerator does not validate the SSL certificates, that means that anyone can intercept the information being exchanged by the refrigerator and the server with a packet sniffer like Wireshark.  Packet sniffers like Wireshark can intercept information being transmitted over a network, specifically unencrypted information (Nohe, 2018).  This hack could be the result of a lack of security testing on the Samsung smart refrigerator, where the developers of the refrigerator’s smart abilities just did not know how to implement SSL correctly.  It seems that this hack could be easily fixed with a software update and Samsung has reported that they are looking into the vulnerability (Neagle, 2015).  Although having your Google credentials exposed to a malicious user could be a very terrible thing, the malicious user would have to have access to the same network that the smart refrigerator is a part of to be able to execute this attack.
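What "validating the SSL certificates" means for a client can be shown with Python's standard `ssl` module. This is an added example, not Samsung's code and not code from the cited articles: it builds a client context with validation switched off beside the library default, audits both, and scans a constructed source snippet for the settings that disable validation. The sample source and the pattern list are assumptions made for illustration.

```python
import re
import ssl


def insecure_context() -> ssl.SSLContext:
    """Encrypts traffic but accepts any certificate from any peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared first, or the next line raises ValueError
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation: any certificate is accepted
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Library defaults: chain verified against the system CA store, hostname matched."""
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the validation steps a client context skips (empty list = none skipped)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings


# Settings that turn validation off, as they appear in Python client code.
RISKY_PATTERNS = {
    "CERT_NONE": re.compile(r"\bCERT_NONE\b"),
    "check_hostname disabled": re.compile(r"check_hostname\s*=\s*False"),
    "unverified context helper": re.compile(r"_create_unverified_context"),
    "verify=False": re.compile(r"\bverify\s*=\s*False\b"),
}


def scan_source(text: str) -> list:
    """Return (line number, label) for each validation-disabling setting found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # naive comment stripping, enough for a review aid
        for label, pattern in RISKY_PATTERNS.items():
            if pattern.search(code):
                hits.append((lineno, label))
    return hits


# Constructed sample of client code with validation disabled (not from any real device).
SAMPLE_SOURCE = '''\
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
resp = requests.get(url, verify=False)
# verify=False was removed from the calendar client
'''

if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "no findings")
    for lineno, label in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {label}")
```

A check like `scan_source` fits a pre-release review step, and `audit_context` fits a unit test that fails the build when a client context skips validation.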

         Personally, I would love to have a refrigerator with the kind of functionality that this Samsung smart refrigerator has.  The convenience of having my Google calendar presented on the door of the refrigerator with all of my notes and to-do lists could be very beneficial.  The first thing you would have to do to prevent this kind of hack from victimizing you is to be very aware of who has access to the network that your refrigerator is running on.  I am sure that once Samsung was notified about this vulnerability they made some updates to the refrigerator’s system software.  Always keep your IOT devices’ software up to date with the latest software because that is how many security vulnerabilities are combatted.  It is a shame that this kind of vulnerability was present in this smart refrigerator because a user’s Google credentials should always be kept confidential and the ability to do a man-in-the-middle attack on a smart refrigerator should be addressed immediately.

         Although the man-in-the-middle attack on this smart refrigerator doesn’t seem like a very severe security threat, it is nonetheless a pretty substantial vulnerability.  No one wants their personal information exposed to any malicious users in the technological world and this hack gave malicious users yet another way to deceive the regular users of IOT devices.  As I do more and more research on IOT devices and their vulnerabilities, it seems that companies’ software engineering practices need to implement more security testing.  Samsung is a very big corporation with many customers, and I am sure that they already do plenty of security testing, but this is evidence that even the larger companies need to ramp up their security practices.

Works Cited

Neagle, C. (2015, August 26). Smart refrigerator hack exposes Gmail login credentials. Retrieved from networkworld.com: https://www.networkworld.com/article/2976270/smart-refrigerator-hack-exposes-gmail-login-credentials.html

Nohe, P. (2018, November 29). Executing a Man-in-the-Middle Attack in just 15 Minutes. Retrieved from thesslstore.com: https://www.thesslstore.com/blog/man-in-the-middle-attack-2/

Venda, P. (2015, August 18). Hacking DefCon 23’s IoT Village Samsung fridge. Retrieved from pentestpartners.com: https://www.pentestpartners.com/security-blog/hacking-defcon-23s-iot-village-samsung-fridge/

Smart Lightbulb Vulnerabilities

In the past year people have spent about eight billion dollars on smart lightbulbs to conveniently illuminate their homes.  Over the next year, that price point is estimated to jump to about 28 billion because more and more people are turning to smart devices around their houses for the convenience that they provide (Min, 2019).  Smart lightbulbs seem simple when you think about them as far as functionality goes.  You can turn your light on, turn your light off, and with the smart lightbulbs today you can even have them change brightness or color according to music or video that is playing in the house, blending in with multimedia.  But little do the consumers know that there are flaws in the security layer of their smart lightbulbs.  Some smart lightbulbs, specifically the ones that change brightness and color according to the multimedia playing along with them, can let hackers infer the actual media, like audio or video, that is playing along with the light.  With some smart lights that have an infrared function, hackers have shown that a covert data exfiltration threat can be carried out (MAITI, 2019).  In this document I will first go into detail about the video-audio inference threat, then give details about the covert data exfiltration threat, and conclude with a section on preventive measures that can be taken so the user does not fall victim to these threats.

         The video and audio inference threat that is present in smart lightbulbs lets a malicious user know what song or video a user is playing, by way of the lightbulb’s ability to change brightness according to the media that is playing.  This is a big problem because there is a law called the US Video Privacy Protection Act to prevent getting a user’s media information like this, because it can reveal personal interests and preferences (MAITI, 2019).  While this threat is actually difficult to set up and exploit, it is still possible to do.  The smart lightbulbs examined for this threat change brightness and hue according to the different media that is playing in conjunction with them.  It turns out that the audio waveform and the fluctuations in brightness in the smart lightbulb have similar graphs (MAITI, 2019), and with this information a malicious user, having a library of songs to compare the light fluctuation to, can infer the media type.  To achieve this inference, the malicious user needs a luminance meter and a library of media to reference.  For the difference in luminance when the hue option is used in the smart lightbulb, an RGB sensor should be used.  The researchers tested audio in intervals from 15 seconds to 120 seconds and, as you would expect, the accuracy of inferring the media that the user is engaged in is greater the longer the observation.  The same holds for video but the time intervals were from 60 seconds to 360 seconds (MAITI, 2019).  Inferring a user’s audio and video usage is a really dangerous threat.  Because there is a law protecting users’ privacy when it comes to media consumption, I think that this threat is potentially very dangerous.

         The covert data exfiltration threat is present in smart lightbulbs because in theory, any light can transmit data.  The research says that this threat is available on smart lights that do not have a hub connecting the lights, or that have a hub but without permission controls.  Using this threat, a malicious user can obtain data from an unsuspecting user’s private network.  The researchers tested obtaining data using the infrared light from a smart lightbulb, sending strings and images through the network.  Using the infrared light from the bulb the researchers were able to get binary data from the different power levels of the bulb.

Text at 15 meters

Original Text: A cup of sugar makes sweet fudge 

Reconstructed Text: A buq pf!sugbr m`kessuees hudfe 

As you can see, this is a very dangerous threat that is present in these smart lightbulbs.  Anyone can use this threat to obtain any sensitive information about the users over a private network.

         These threats in smart lightbulbs are actually very difficult to utilize.  Given the right tools and proximities, a malicious user may be able to use these threats to obtain personal information.  First, I would like to note proximity.  Proximity is vital to executing these threats and to extracting or inferring your data, so controlling it is how you prevent them from being executed in your home network.  Be careful who you let into your private network or into your home.  If a malicious user is too far away from your devices the information obtained may be too degraded for malicious use by the time the malicious user gets the information.  Both of these threats can be done through a window.  I would say that curtains that do not let any light through them could be a good preventive measure taken against these threats.  You should buy smart lightbulbs that connect to a hub with permission controls.  The research says that lightbulbs connected to a hub with permission controls are not susceptible to the covert exfiltration threat.

         Although smart lightbulbs are very convenient to the extent that you no longer have to get up and go to a switch to turn them off and on, and they provide some extra features like musical or video lighting, they are prone to security vulnerabilities.  As I found out doing this research, even though light bulbs have very crude electronic circuitry and seem very simple, they evidently provide multiple access points for a user’s sensitive data to malicious users.  I don’t know if there could be any better of a software engineering practice to prevent these types of threats, but there has to be some type of remedy.  Security researchers are finding security holes just about as fast as the number of devices that are being released.  You cannot even trust a lightbulb these days.

Works Cited

MAITI, A. (2019, September). Light Ears: Information Leakage via Smart Lights. Retrieved from sprite.utsa.edu: https://sprite.utsa.edu/publications/articles/maitiIMWUT19.pdf

Min, S. (2019, October 24). Are “smart” light bulbs a security risk? Retrieved from cbsnews.com: https://www.cbsnews.com/news/are-smart-light-bulbs-a-security-risk/

Smart Lock Vulnerability

While researching home security issues with IOT devices I came across an article about a smart lock that is used in many homes that has a major security vulnerability giving hackers access to your home.  On a scale from one to ten where one is minimal security threat to ten being a major threat, I would say that a lock on the front door of your house that is pretty much useless would be a ten.  Researching home security in IOT devices is pretty interesting because nowadays more and more people are turning to use IOT smart devices to power their homes.  New IOT devices are coming out all of the time for home use but many of them have security flaws or vulnerabilities making them a threat to the safety of your home.  In this document I will go over what this smart lock is, how hackers can bypass the locking mechanism, and what is being done to prevent this vulnerability from letting the bad guys into your home.

         The smart lock that has this vulnerability is made by the company “KeyWe”.  It is a lock that is to be used to secure a user’s front door, or main entry to the house.  It can be locked or unlocked physically, using the application that comes with the lock, or through NFC on an armband (Marciniak, 2019).  The smart lock uses encryption for the digital keys that it transmits back and forth between the physical device and the application that the user controls it from.  There is even an option to have guest keys where the user can grant a guest access to the lock with the push of a button in the application.  All in all this smart lock seems like a nice device to have in your house and provides great convenience in managing the security of your home.  The problem is that a hacker can completely bypass all of the security measures of the device and application and gain access to the user’s house if they wanted to.

         A Finland-based security company named F-Secure has discovered the security vulnerability of the lock, which lets hackers and unauthorized users gain access to your house through sniffing packets being sent between the lock and the application.  The problem is not with the encryption of the keys but the ability of the hacker to obtain the key before it is encrypted (Ng, 2019).  F-Secure Labs has a web page for this specific hack and it shows you the teardown of the device, naming all of the components and how to actually execute the hack, and it looks too easy (Marciniak, 2019).  With the use of a tool named Frida the security researchers could intercept all of the messages with information like the name of the function being executed and which way the transmission was going, e.g. from lock to application or application to lock.  It turns out that to intercept messages that are being sent between the lock and the application for the lock, all you have to do is use a piece of hardware that has Bluetooth capability and the commonly used Wireshark application (Marciniak, 2019).  The hack is easy to execute if the hacker has the appropriate equipment, which is relatively inexpensive and can be obtained by anyone.  The smart lock can be unlocked by anyone that really wants to get through the door that it is attached to, so what is KeyWe doing about it?

         According to the research I’ve done on this, the security engineers who discovered this hack at F-Secure Labs disclosed this information to KeyWe right when they found out.  Since the hack was disclosed to KeyWe, the company says that they have resolved the problem.  The truth is that the problem cannot be fixed and that after speculation from security research engineers, KeyWe has advised the users of the lock that the security vulnerability cannot be fixed and that users should remove and replace the device with a newer smart lock which they say are now up to date.  KeyWe says that they take the security in their devices very seriously and their customers’ security is top priority (Ng, 2019).  Amazon has been notified about the flaw in the smart lock and declined to respond on whether they will still sell the product on their site.  Of all of the security vulnerabilities that I have read about so far, this is a major one.  There is not even any kind of fix for this vulnerability as users are advised to just remove the device from their homes.  The company KeyWe will most definitely lose many customers because of this and their lack of security practices.  Researchers at F-Secure Labs say that the hack was easy to figure out, which shows a major lack of security testing by KeyWe on their products.

         Having a door lock that grants entry to anyone who has a key, whether it was gained properly or not, is a major deficit in the world of cyber security.  There are plenty of people out there who bought this lock only to find out some time later that anyone can get through the lock, even burglars.  This shows that companies need to focus much more on the security of their devices, especially if these devices are going to operate in their customers’ homes.  Computer security has been picking up as an industry lately and that is because of these types of flaws that security researchers are discovering every day.  There are so many security vulnerabilities in IOT devices and that is one of the main reasons for the surge in computer security research.  KeyWe should be ashamed of their software development process, especially their testing department, to let such an obvious vulnerability happen in their smart lock.  I personally will remember the name KeyWe and I will definitely never purchase any of their products.

Works Cited

Marciniak, K. (2019, December 11). Digital lockpicking – stealing keys to the kingdom. Retrieved from labs.f-secure.com: https://labs.f-secure.com/blog/digital-lockpicking-stealing-keys-to-the-kingdom

Ng, A. (2019, December 11). Smart lock has a security vulnerability that leaves homes open for attacks. Retrieved from cnet.com: https://www.cnet.com/news/smart-lock-has-a-security-vulnerability-that-leaves-homes-open-for-attacks/

The Botnet Chamois in Mobile Devices

Doing research on home security vulnerabilities within IOT devices, I started to think about different kinds of hacks and malicious abilities that can pose a threat to mobile devices or IOT devices.  I thought that a botnet could potentially pose a major threat to home security through the different types of devices throughout a house.  Botnets are capable of many different types of malicious attacks.  From collecting sensitive information to devising a denial of service attack, botnets are a major security vulnerability that needs to be addressed.  I heard about a botnet named Chamois that has been around for a while and keeps getting updated and distributed among mobile and IOT devices.  I decided to look into this specific botnet because I thought that it poses a major security risk in the area of mobile, IOT, and home security.  In this document I will go over what the Chamois botnet is, how it infects devices, and what is being done to make sure that this botnet cannot spread to mobile devices.

         Chamois was a botnet that, when on a device, was controlled by a remote command and control server.  Once on a device it would serve malicious ads and direct users to premium SMS scams.  Chamois was a very resilient botnet that could evade detection so well and evolved so rapidly that it took Google years to finally eradicate it from Android devices (Rashid, 2019).  One way that Chamois was distributed to devices was through a developer advertising software development kit that was thought to be legitimate.  While developers unknowingly placed this malicious botnet code into users’ devices, Chamois appeared to be a mobile payments solution to device manufacturers (Rashid, 2019).  With the Chamois botnet intruding in users’ homes, the unfortunate users of devices infected with this botnet were robbed of their money if they fell for the SMS scams.  Some scams were about making donations and users did not know they were even scammed until they got their phone bills (Newman, 2019).  Botnets pose a major security risk when it comes to home security because a botnet literally breaks into your house through different mobile and IOT devices and attempts to steal your money.

         Once Chamois was able to be detected it evolved from four stages to six stages, being able to avoid anti-virus and malicious code detection software (Rashid, 2019).  Many applications on the Google Play Store were infected with this botnet and Google security engineers had a very hard time trying to get rid of it.  Every time the Google security engineers figured out some sort of barrier to detect and get rid of the botnet, the makers of the botnet would figure out ways to get around the barriers (Rashid, 2019).  Chamois was a very resilient botnet that infected about 21 million devices and Google has eventually whittled that number down to around two million over the years (Newman, 2019).  From what I read about this specific botnet, it seems to me that it could still be in devices today just waiting around for the chance to strike.  Since this botnet was disguised as a software development kit there could have been many applications that were not even found to have it yet.  A botnet this powerful could even evolve to collect sensitive information about unsuspecting users.  I mean this botnet has evaded Google’s best security engineers for years and years, which means that the developers of Chamois could have evolved the botnet in many different ways, even to make the security engineers think that they have defeated it as another way to evade detection and barriers.

         To prevent becoming a victim of the type of botnet that Chamois is, people will really have to rely on security researchers to be able to detect and remove it from mobile devices.  The type of scams that this botnet uses like premium SMS can be avoided by just never using SMS for transferring of money or credentials.  Sensitive information should never be shared over unsecure digital mediums, and premium SMS is as unsecure a medium as any to be used to transfer such information.  The articles I read about this say that Google has defeated this botnet, but for some reason I think that it could still be going around out there.  The articles said that security researchers have dwindled the infected numbers from about 20 million down to 2 million, but that means that 2 million devices are still infected which gives the Chamois botnet makers time to evolve and redistribute a greater and even more dangerous version of the bot net with even more malicious capabilities.  I think that this botnet is still a threat to mobile and home security all over the world.  I don’t know if there is a way to tell if the botnet will ever be completely eradicated.

         To keep homes safe from these kinds of botnets users will have to be knowledgeable in the types of malicious scams that it initiates.  Education might be the only safe bet when it comes to users not falling victim to these types of attacks.  If something seems fishy, then a user should automatically assume that it is some type of scam.  If you click an ad and are redirected to a sketchy looking site that is requesting some type of sensitive information, you should just delete the site or even turn off your device and definitely delete the application that redirected the user to the site.  Botnets may always pose a threat to unsuspecting users and they need to be educated to be able to avoid the situations that a malicious attacker may make arise.

Works Cited

Newman, L. H. (2019, April 19). How Android Fought an Epic Botnet—and Won. Retrieved from wired.com: https://www.wired.com/story/google-android-chamois-botnet/

Rashid, F. Y. (2019, April 9). CHAMOIS: THE BIG BOTNET YOU DIDN’T HEAR ABOUT. Retrieved from duo.com: https://duo.com/decipher/chamois-the-big-botnet-you-didnt-hear-about

Eavesdropping and Phishing Smart Assistants

Amazon Alexa and Google Home are the most used personal assistants in the world right now.  Their use is increasing very rapidly and research on security vulnerabilities involving these devices is providing some interesting hacks.  While researching vulnerabilities in home smart assistants I came across an article about hackers using the Google Home and Amazon Alexa to eavesdrop on unsuspecting users and even perform phishing using the same hack.  The hack is a form of third-party software that embeds malicious code into the home assistants.  In this document I will go over exactly how malicious developers utilize this hack to eavesdrop on unsuspecting users, what Amazon and Google are doing to prevent this type of malicious behavior within their devices, and what are some preventive measures you can take to make sure you do not fall victim to malicious third-party software for your smart home assistant.

         Google and Amazon let developers make their own third-party actions or skills for their smart assistants.  For instance, a developer could make a calculator action or skill for a smart assistant where the user can ask the smart assistant to add two plus three.  There is a way for developers to design these skills or actions so that the assistant will keep listening even after the action or skill has completed its task.  The security researchers have made skills and actions that simulate silence by inserting the character sequence of “�. ” (U+D801, dot, space), and this allowed the developed actions or skills to keep listening to conversations in the background when the user thinks that the assistant has finished listening (Ng, 2019).  Both Google and Amazon assistants have an option to disclose your conversations with the assistants to improve the recognition of commands or phrases that a user might say to it.  With the eavesdropping hack mentioned above where the third-party skills or actions can keep listening in the background, whoever the third-party developer is that injected this malicious hack into the assistant can collect conversations while the user would not even know that it was recording.

         With this eavesdropping hack the developers have even worked out a way to do phishing for passwords.  They would design their skills or actions for the assistant to speak to the user something like “An important security update is available for your device. Please say ‘start update’ followed by your password.” (Ng, 2019).  Unsuspecting users that maybe have a little too much trust in their assistants might fall for this kind of phishing attack although Google and Amazon try to make it clear that you should never need to give your assistant your password.  Another thing about Google and Amazon telling users to never give their password to their assistant is a conflict with one of the resolutions to the laser hacking which is to have a password to give to the assistant for it to be able to process sensitive commands like purchases or unlocking doors.

         Google and Amazon both have a vetting process for developers who make applications for their smart assistants.  They say that, after reviewing the researchers’ evidence, they have found and removed malicious applications that are of concern.  Even though both companies have their vetting process, it seems that the companies do not vet updates to already existing applications, which would allow developers to make a simple application that abides by the standards.  Once it is approved, they could actually make an update to the application injecting the malicious code, thereby bypassing the original vetting process (Porter, 2019).  Smart assistant makers like Google and Amazon say that they have a vetting process for not allowing specific skills or actions to be performed by their smart assistants, although security researchers have made these malicious apps that actually worked and it took time for Google and Amazon to remove them only after they were informed about the malicious behavior.  The security researchers who figured out these eavesdropping and phishing vulnerabilities were from SRLabs, and before making the information public they disclosed everything to Google and Amazon (Porter, 2019).
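A vetting check that is rerun on every update could look for the two tricks described above: the unpronounceable U+D801 padding used to simulate silence, and a prompt that asks the user to say a password. The following is an added example, not Amazon's, Google's or SRLabs' code; the function names, the prompt pattern and the sample responses are constructed for illustration.

```python
import re
import unicodedata

# Prompts that ask the user to speak a secret aloud (assumed wording list).
CREDENTIAL_PROMPT = re.compile(
    r"\b(say|tell|speak|spell)\b.{0,80}\b(password|passcode|pin)\b",
    re.IGNORECASE | re.DOTALL,
)

# Unicode categories with nothing to pronounce: lone surrogates (Cs),
# unassigned (Cn), private use (Co), control (Cc) and format (Cf) characters.
SILENT_CATEGORIES = {"Cs", "Cn", "Co", "Cc", "Cf"}


def silent_code_points(text: str) -> list:
    """Return 'U+XXXX' for every character a speech engine cannot pronounce."""
    return [
        f"U+{ord(ch):04X}"
        for ch in text
        if ch not in "\n\r\t" and unicodedata.category(ch) in SILENT_CATEGORIES
    ]


def vet_response(text: str) -> list:
    """Return the findings for one spoken response (empty list = clean)."""
    findings = []
    silent = silent_code_points(text)
    if silent:
        kinds = ", ".join(sorted(set(silent)))
        findings.append(f"{len(silent)} unpronounceable code point(s): {kinds}")
    if CREDENTIAL_PROMPT.search(text):
        findings.append("asks the user to say a credential")
    return findings


def vet_update(approved: list, update: list) -> list:
    """Vet every response in an update, not only the first submission.

    Returns (index, is_new, findings) for each flagged response, where is_new
    marks text that was absent from the previously approved version.
    """
    previously_approved = set(approved)
    report = []
    for index, text in enumerate(update):
        findings = vet_response(text)
        if findings:
            report.append((index, text not in previously_approved, findings))
    return report


# Constructed responses: the version that passed review, then a later update.
APPROVED = ["Two plus three is five.", "Goodbye."]
UPDATE = [
    "Two plus three is five.",
    "Goodbye." + "\ud801. " * 20,  # silence padding after the farewell
    "An important security update is available for your device. "
    "Please say 'start update' followed by your password.",
]

if __name__ == "__main__":
    # Print findings only: the padded text itself cannot be encoded as UTF-8.
    for index, is_new, findings in vet_update(APPROVED, UPDATE):
        print(index, "new" if is_new else "unchanged", findings)
```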

         One way to prevent this kind of malicious behavior on your smart assistant is to not install third-party applications on your device.  That seems a little too excessive but there are potentially many malicious applications out there and it may pose a risk to your smart assistant.  Google and Amazon have settings that let you see what data has been used from your assistant and enable or disable certain actions or skills.  Users should keep track of what specific actions or skills that their smart assistants are utilizing, and I would say that if your smart assistant asks or prompts you for any sensitive information that you should definitely not disclose it.  There are many vulnerabilities in the smart assistants these days and they will have to be resolved by the makers of the devices.  Although these hacks do not seem to have been used by any third-party developers other than the security researchers at SRLabs, the consumer should always be careful about the information that they disclose to any type of electronic medium.  More and more people are using smart assistants because of the convenience that they provide for doing certain tasks and they need to be careful.

Works Cited

Ng, A. (2019, October 19). Alexa and Google Assistant fall victim to eavesdropping apps. Retrieved from cnet.com: https://www.cnet.com/news/alexa-and-google-voice-assistants-app-exploits-left-it-vulnerable-to-eavesdropping/

Porter, J. (2019, October 21). Security researchers expose new Alexa and Google Home vulnerability. Retrieved from theverge.com: https://www.theverge.com/2019/10/21/20924886/alexa-google-home-security-vulnerability-srlabs-phishing-eavesdropping

Laser Hacking Smart Assistants

In the news lately I have seen some articles suggested to me by Google on the topic of lasers being able to hack into IOT devices like Google Home, Amazon Alexa, iPad, and pretty much anything with a microphone.  I decided to look into this topic because I think that the security of IOT devices and mobile devices is a very important topic in computer security.  According to the articles that I have read, it has been verified that lasers can send silent voice commands to devices with microphones.  Some devices are more susceptible than others when it comes to the range that a laser can actually work from.  In this document I will go into some detail about how a laser can send these silent voice commands, some statistics on the laser’s effect on different devices, and some possible remedies to the hack.

         All of the devices have a type of microphone called a MEMS (micro-electro-mechanical systems) microphone.  A gap was found between the physics and specifications of this type of microphone that allows light to be recognized as sound.  By modulating the amplitude of the laser light, sound can be injected into the microphone (Takeshi Sugawara, 2019).  At first I wondered how it is even possible that a laser beam consisting of light could inject voice commands into a device with a microphone.  Evidently, when the laser is aimed at a microphone with its intensity modulated at a precise frequency, the light perturbs the microphone’s membrane at that same frequency, producing the actual digital signal through the microphone to be received and translated by the device it was sent to.  This was tested on many devices with microphones and every one was susceptible to the laser.  The discovery of the laser’s ability to manipulate a microphone’s membrane to produce electrical signals to be processed by the device was made by a cyber security researcher named Takeshi Sugawara.  He brought the discovery to the attention of a professor at the University of Michigan and they have been experimenting with it since (Greenberg, 2019).

         Some of the devices that the hack was tested on by the researchers were Amazon Echo, Apple HomePod, iPhone XR, Google Pixel 2, Samsung Galaxy S9, Facebook Portal Mini, etc. (Iyer, 2019).  Some devices, like Siri and other AI assistants, were susceptible from up to 360 feet.  The devices are even susceptible through windows.  Mobile phones were much more difficult to hack into with the lasers, but it was still possible, with the range for the iPhone being about 33 feet and the range for Android phones being around 16 feet. All of these were done with a 60-milliwatt laser.  The researchers of the laser hack also tested the devices with a 5-milliwatt laser, which is the equivalent of a cheap laser pointer that anyone can get.  From 361 feet away with the 5-milliwatt laser, most of the researchers' tests failed except for Google Home and a first generation Echo Plus (Greenberg, 2019).

         As for problems that may arise because of this newfound hack, I do not think that it is something that people should be causing pandemonium over.  This laser hack is very stealthy because the lasers are silent while they produce physical voice commands.  Google, Apple, and some other device manufacturers say that they are looking into the research closely.  Some day there could be a fix for the problem by using two microphones so the laser cannot penetrate both at the same time.  Another fix for the problem could be a password that only the users of the device are aware of.  With the password option, sensitive commands like purchasing items would only be executed when given the password.  More remedies, like placing your assistants away from the window, were suggested, since the laser hack can be done through a window, potentially letting the hacker unlock your door or garage.  I guess as long as the microphone of your assistant is not visible from a window then it should be fine.
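The two remedies above, as an added example (this is not code from the researchers or from any device maker): a command is rejected when only one microphone of an array heard it, and sensitive commands require a PIN. The command names, the thresholds and the synthetic tone samples are assumptions constructed for the illustration.

```python
import hmac
import math

# Assumed names for commands that spend money or open doors.
SENSITIVE_COMMANDS = {"unlock front door", "open garage", "purchase item"}

def tone(amplitude, freq=400, rate=16000, n=800):
    """Constructed test signal: n samples of a sine wave standing in for audio."""
    return [amplitude * math.sin(2 * math.pi * freq * i / rate) for i in range(n)]

def rms(samples):
    """Root-mean-square level of one microphone channel."""
    return math.sqrt(sum(s * s for s in samples) / len(samples))

def single_mic_injection(channels, ratio_threshold=8.0, floor=1e-4):
    """Return True when one microphone carries the signal and the rest are near silent.

    Sound from a person in the room reaches every microphone at a similar level.
    A laser spot drives only the membrane it is aimed at, so one channel is far
    louder than the next loudest. The threshold values are assumptions.
    """
    if len(channels) < 2:
        raise ValueError("need at least two microphone channels to compare")
    levels = sorted(rms(c) for c in channels)
    loudest, second = levels[-1], levels[-2]
    if loudest < floor:
        return False  # silence on every channel, nothing to judge
    return loudest / max(second, floor) > ratio_threshold

def authorize(command, channels, spoken_pin, expected_pin):
    """Decide whether a recognized voice command may run."""
    if single_mic_injection(channels):
        return "reject: single-microphone signal"
    if command in SENSITIVE_COMMANDS:
        # Constant-time comparison so timing does not leak PIN digits.
        if spoken_pin is None or not hmac.compare_digest(
            spoken_pin.encode(), expected_pin.encode()
        ):
            return "reject: PIN required"
    return "allow"

if __name__ == "__main__":
    speech = [tone(0.30), tone(0.25)]   # constructed: both microphones hear the speaker
    laser = [tone(0.30), tone(0.002)]   # constructed: only the targeted microphone responds
    print(authorize("play music", speech, None, "4821"))
    print(authorize("open garage", speech, None, "4821"))
    print(authorize("open garage", speech, "4821", "4821"))
    print(authorize("open garage", laser, "4821", "4821"))
```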

         It seems like it is a lot of work to be able to actually set up and execute a laser hack on any device.  I do not think that many people out there will be utilizing this hack just because of the complexity of setting it up.  Turning the voice command into a light signal seems very complicated to do.  Luckily the hack was discovered by professional cyber security researchers and they are figuring out all of the details about it so that it cannot be used in a malicious way.  They disclosed all of their research so Google, Apple and other major manufacturers of the latest IoT devices can consider preventing these security vulnerabilities.

         To conclude, I would like to mention that I think this hack is a very sophisticated one.  It is amazing that all of the IoT device designers and engineers totally overlooked this hacking ability.  IoT device makers will have to really rethink their designs and apply preventive measures for this security vulnerability.  It is not just one company making devices that are susceptible to this laser hack; it is all of them.  Be it teamwork or whatever measures are necessary, these companies need to put their heads together and really work out the problem at hand.

Works Cited

Greenberg, A. (2019, November 4). Retrieved from wired.com: https://www.wired.com/story/lasers-hack-amazon-echo-google-home/

Iyer, K. (2019, November 7). Retrieved from techworm.net: https://www.techworm.net/2019/11/alexa-google-assistant-siri-laser-hack.html

Takeshi Sugawara, B. C. (2019, November 4). Light Commands: Laser-Based Audio Injection Attacks on Voice-Controllable Systems. Retrieved from lightcommands.com: https://lightcommands.com/20191104-Light-Commands.pdf

Agents and Environments in AI

Agents and Environments play a big part in Artificial Intelligence, and in this post I am just going to lay out the basics of what Agents and Environments are made up of.

An agent is anything that can be viewed as perceiving its environment through sensors and acting upon that environment through actuators. You can think of an agent as being like a robotic player in a chess game. Its sensors are the ability to see the other player's moves in the game. The environment is the game of chess, the board, the other player, and all of the pieces. The actuators of the chess game agent could be a robotic arm or, in software, the ability to make moves. There are many different examples of agents and environments of artificial intelligence in the world today. For example, with the self-driving car, the car is the agent and the world is the environment.
A rational agent could be seen as an agent that tries its best to make the right decision.

The definition of a rational agent is:

For each possible percept sequence, a rational agent should select an action that is expected to maximize its performance measure, given the evidence provided by the percept sequence and the agent's built-in knowledge.

The Performance Measure is an objective criterion for success of an agent's behavior.

The performance measure embodies the criterion for success and is generally defined in terms of the desired effect on the environment (not on the actions of the agent).

When specifying a task environment we use what is called PEAS.  The task environment must be defined to design a rational agent.

PEAS: Performance measure, Environment, Actuators, Sensors

Performance Measure: a function the agent is maximizing (or minimizing)

Environment: a formal representation for world states

Actuators: actions that change the state according to a transition model

Sensors: observations that allow the agent to infer the world state

When thinking about the environment there are many different types of environments.  It is good to know what type of environment your agent will be interacting with and the types can tell you the difficulty of defining your agent altogether.

Environment Types:

Fully observable vs. Partially observable

Do the agent's sensors give it access to the complete state of the environment?  For any given world state, are the values of all the variables known to the agent?

Deterministic vs. Stochastic

Is the next state of the environment completely determined by the current state and the agent's action? Strategic: the environment is deterministic except for the actions of other agents.

Episodic vs. Sequential

Is the agent's experience divided into unconnected single decisions/actions, or is it a coherent sequence of observations and actions in which the world evolves according to the transition model?

Static vs. Dynamic

Is the world changing while the agent is thinking?

Semi-dynamic: the environment does not change with the passage of time, but the agent's performance score does.

Discrete vs. Continuous

Does the environment provide a fixed number of distinct percepts, actions, and environment states?

Are the values of the state variables discrete or continuous?

Time can also evolve in a discrete or continuous fashion.

Single Agent vs. Multi Agent

Is an agent operating by itself in the environment?

Known vs. Unknown

Are the rules of the environment (transition model and rewards associated with states) known to the agent?

With the types of environments laid out they can be easy or hard:

Easy: Fully Observable, Deterministic, Episodic, Static, Discrete, Single Agent

Hard: Partially Observable, Stochastic, Sequential, Dynamic, Continuous, Multi-Agent

The environment type largely determines the agent design.

The Structure of Agents:

There are four basic types of agents. Here they are in order of increasing generality:

  1. Simple Reflex Agents
  2. Reflex Agents with State
  3. Goal-based Agents
  4. Utility-based Agents

Each kind of agent program combines particular components in particular ways to generate actions.

A Simple Reflex Agent handles the simplest kind of world.  This agent embodies a set of condition-action rules.  It basically works as: if percept, then action.  The agent simply takes in a percept, determines which action could be applied, and does that action.  The action is dependent on the current percept only.  This type of agent only works in a fully observable environment.

A Model-Based Reflex Agent works so that when it gets a percept it updates the state, chooses a rule to apply, and then schedules the action associated with the chosen rule.
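The difference between these first two agent types, as an added example (not from the original post): a two-cell vacuum world in which the agent only senses the cell it is standing in. The world, the cell names A and B, and the action names are assumptions made for the illustration.

```python
def simple_reflex_agent():
    """Condition-action rules applied to the current percept only."""
    def program(percept):
        location, dirty = percept
        if dirty:
            return "Suck"
        return "Right" if location == "A" else "Left"
    return program

def model_based_reflex_agent():
    """Same rules, plus an internal state updated from every percept."""
    model = {"A": None, "B": None}  # None = cell not observed yet
    def program(percept):
        location, dirty = percept
        model[location] = dirty          # update the state from the percept
        if dirty:
            model[location] = False      # predicted effect of Suck
            return "Suck"
        if all(status is False for status in model.values()):
            return "NoOp"                # every cell known clean: stop moving
        return "Right" if location == "A" else "Left"
    return program

def run(program, dirt, start="A", steps=8):
    """Simulate the environment; return (cells cleaned, moves made, action list)."""
    dirt = dict(dirt)
    location, cleaned, moves, actions = start, 0, 0, []
    for _ in range(steps):
        action = program((location, dirt[location]))  # sensor sees current cell only
        actions.append(action)
        if action == "Suck":
            cleaned += 1 if dirt[location] else 0
            dirt[location] = False
        elif action in ("Right", "Left"):
            location = "B" if action == "Right" else "A"
            moves += 1
    return cleaned, moves, actions

if __name__ == "__main__":
    world = {"A": True, "B": True}  # constructed starting state: both cells dirty
    print("simple reflex:", run(simple_reflex_agent(), world))
    print("model-based:  ", run(model_based_reflex_agent(), world))
```

Both agents clean the same two cells, but the simple reflex agent keeps shuttling between them because it cannot remember that the other cell is already clean.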

A Goal-Based Agent is like a model-based agent, but it has goals, so it will think about the state that it is in and then, depending on the goals that it has, take an action based on reaching its goals.

A Utility-Based Agent is the same as a goal-based agent, but it also evaluates how well the action it would take to achieve its goal will perform.  In other words, how happy will the agent be in the state that would result if the agent took that action?

Finally there are Learning Agents.  It says above that there are four agent types, but a learning agent is a special kind of agent.  One part of the learning agent is a utility-based agent, and it is connected to a critic, a learning element, and a problem generator.  These three other parts make the learning agent able to tackle problems that are very hard.  The critic of a learning agent is just what it sounds like. It criticizes the agent's actions with some kind of score so the agent knows the difference between good actions and bad actions.  The problem generator is used by the learning element to introduce a small measure of error, because if the agent always takes the actions the critic grades highest, it may miss a more optimal solution because it has not tried something that looked unlikely but was better.

I hope you liked this post.  I am going to continue doing more Artificial Intelligence posts if I get the time as I am very busy.  I hope you learned a bit about agents and environments in AI because making this post has helped me solidify some of this knowledge in my own mind.

Merge Sort algorithm with Generics that implement Comparable interface

Sorting algorithms are used every day to sort all types of information in computer programs, so I decided to share an O(N log2 N) sorting algorithm called Merge Sort with you today. It is written in Java. I shared a post last year on the Quick Sort algorithm and I just decided to do all of the O(N log2 N) sorting algorithms. Of course Java has many built-in data structures and uses the best sorting algorithms already, but if you are learning about data structures and algorithms you might find this post handy.

First I will post the Circle class, the same one used in the Quicksort example, which can be found in the post "QuickSort sorting algorithm in java with Generics that implement Comparable".

Circle.java


/**
 * author: copypasteearth
 * date: 7/17/2019
 */
public class Circle implements Comparable<Circle> {
    public int xValue;
    public int yValue;
    public int radius;

    @Override
    public int compareTo(Circle o) {
        // Integer.compare avoids the overflow that subtraction can cause for large values
        return Integer.compare(this.radius, o.radius);
    }
    @Override
    public String toString() {
        return "x: " + xValue + " ---y: " + yValue + " ---radius: " + radius;
    }
}

Secondly you are going to need the MergeSort class, which also has the main method inside it so it can run the program. The class has static methods called merge and mergeSort that do all of the work. They basically keep splitting and sorting the array until everything is sorted and then merge it all back together.

MergeSort.java


import java.util.Arrays;
import java.util.Random;

/**
 * author: copypasteearth
 * date: 7/17/2019
 */
public class MergeSort<T extends Comparable<T>> {

    public static <T extends Comparable<T>> void merge(int leftFirst, int leftLast, int rightFirst, int rightLast, T[] array){
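        // Scratch buffer sized to the range being merged only; copying the whole
        // array on every merge would make the sort O(N^2) overall.
        T[] tempArray = Arrays.copyOfRange(array, leftFirst, rightLast + 1);
        int index = 0;
        int saveFirst = leftFirst;

        while((leftFirst <= leftLast) && (rightFirst <= rightLast)){
            // <= keeps equal elements in their original order (stable sort)
            if(array[leftFirst].compareTo(array[rightFirst]) <= 0){
                tempArray[index] = array[leftFirst];
                leftFirst++;
            }else{
                tempArray[index] = array[rightFirst];
                rightFirst++;
            }
            index++;
        }
        // copy whatever is left of the left half
        while(leftFirst <= leftLast){
            tempArray[index] = array[leftFirst];
            leftFirst++;
            index++;
        }
        // copy whatever is left of the right half
        while(rightFirst <= rightLast){
            tempArray[index] = array[rightFirst];
            rightFirst++;
            index++;
        }
        // write the merged range back into its place in the original array
        for(index = 0; index < tempArray.length; index++){
            array[saveFirst + index] = tempArray[index];
        }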
    }
    public static <T extends Comparable<T>> void mergeSort(int first, int last,T[] array){
        if(first < last){
            // written this way so first + last cannot overflow on very large arrays
            int middle = first + (last - first) / 2;
            mergeSort(first,middle,array);
            mergeSort(middle+1,last,array);
            merge(first,middle,middle+1,last,array);
        }
    }

    public static void main(String[] args){
        Circle[] circlearray = new Circle[20];
        Random rand = new Random();
        for (int index = 0; index < 20; index++)
        {
            circlearray[index] = new Circle();
            // nextInt(100) is always in 0..99; Math.abs(Integer.MIN_VALUE) stays negative
            circlearray[index].xValue = rand.nextInt(100);
            circlearray[index].yValue = rand.nextInt(100);
            circlearray[index].radius = rand.nextInt(100);
        }
        System.out.println("Circle Array Unsorted....");
        for(int i = 0;i < 20;i++){

            System.out.println(circlearray[i]);
        }
        // mergeSort is static, so call it on the class rather than on an instance
        MergeSort.mergeSort(0, circlearray.length - 1, circlearray);
        System.out.println("Circle Array Sorted");
        for(Circle i: circlearray) {
            System.out.println(i);
        }
    }
}

And that pretty much sums it up for MergeSort. It should be another one of your favorite sorting algorithms, running at a whopping O(N log2 N) complexity. Thanks for your time and I hope you liked this article and got some use out of it. I am leaving the link to this and QuickSort on GitHub; here it is: https://github.com/copypasteearth/Sorting

The Pros and Cons of Raiding Area 51

One of the latest crazes on the internet today is about people getting together and raiding Area 51. Celebrities have stated that they are down to go raid Area 51, and there is supposedly an event organized for a certain day when all of these people are going to get together and march into the unknown. One thing that is totally great about this event is that the memes are going to be gold for the rest of the world to enjoy and laugh about for probably a long time to come.

So what are some pros to people actually raiding Area 51? With anything that goes on there are pros and cons, and I have been thinking about this event lately; even though I am not attending, I have been thinking of the possibilities. You know I love the idea of a naked man space suit (by the way, where do I sign up to be a tester of it?) and my favorite animal is the tardigrade, which can actually live in the vacuum of space. Anyway, here is a list of some pros I have been thinking about concerning raiding Area 51.

  1. They discover that there really are aliens that have come to earth and are somehow being held captive there.
  2. The discovery of some types of alien technology like teleportation or telepathy.
  3. Secret weapons that are unheard of being experimented with.
  4. The results of the age-old experiment of what came first, the chicken or the egg (trillions of dollars have probably been dumped into this)
  5. Maybe an alien spacecraft could be discovered being held in this facility.
  6. Years of research knowledge about things that no one has ever even heard of.
  7. Maybe the possibility of knowledge of habitable planets that has not been released to the public.
  8. Secret alien recipes for 5 star alien restaurants haha

Not only is this mission to raid Area 51 not well thought out and pretty much ridiculous, it is a secret place for a reason. So I get to the cons of raiding Area 51. I really hope that people do raid Area 51 just because I would like to see what comes of it. There are some pros that I think would come of it, but there are many more cons associated with raiding a top secret facility.

  1. Armed Guards
  2. Releasing an alien toxin into the atmosphere.
  3. Armed Guards killing civilians to protect area 51 secrets.
  4. The aliens there want to remain secret and if word gets out they will destroy earth because they are so technologically advanced to even be able to travel this far.
  5. Armed Guards
  6. The military nukes area 51 to destroy everything that has been going on there.
  7. We find out all of the technology that we love so much comes from aliens and that we are all just pawns in their intergalactic game of chess.
  8. And last but not least Armed Guards!!!!!!!!

That is my very small rendition of the pros and cons of raiding Area 51. I personally wouldn’t do it, out of respect for our own government in keeping secrets and making America a great place to live, but I hope that this group does raid Area 51 because I would like to see how everything would turn out. I just hope that if there are aliens there, they do not destroy earth because they have been revealed to the public, since if there are aliens here and they have the technology to come all of this way, then they could probably destroy earth with the snap of their fingers. Thank you for reading haha!!!!!! Good luck raiders of the Area 51 lost ark!!!!!!

Information Warfare: Closing Thoughts

This will be my last blog dealing with information warfare, even though I may eventually pick back up and make more information warfare related blogs. I wanted to close with a view about information warfare and dealing with malware attacks like Stuxnet. Stuxnet was a malicious program made in secret by the United States. Its main goal was to breach Iranian uranium enrichment plants' security in an effort to disrupt the normal operations of the centrifuges. Now that sounds great in preventing other countries from obtaining nuclear weapons, but how I see it is that using malware to attack other countries' facilities could be a very dangerous game. Stuxnet was not supposed to be made public, and for good reasons. The people who made Stuxnet were very angry that it was spread around and made public, and this kind of carelessness when making malware to attack an adversary’s facilities should not be taken lightly.

First of all, one thing that I have always thought of and feared the most about information warfare, since I heard of Stuxnet a couple of years back, is a country attacking another country's nuclear power plants. It would be very catastrophic if a country were able to cause a nuclear meltdown of a nuclear power plant with malware. We all know from experience in Chernobyl that a nuclear meltdown can be a very expensive thing to fix and can cause many deaths to civilians. That is my main concern about information warfare. Although information warfare will likely cause fewer deaths due to non-physical means of use, if the right malware were spread into the right facility it could be even more catastrophic than the effects of physical warfare. I hope that the United States and all of their allies work together in an effort to rid the world of such malware attacks used for information warfare.

Stuxnet was a marvel in malware and could be one of the most important information warfare lessons that any nation could learn from. While it did complete its objective and disable the Iranian uranium enrichment plants, it also got out into the public. Even though Stuxnet getting out into the public did not cause any harm, the lesson learned from that type of malware is tenfold important to nations everywhere. If another Stuxnet were made that was more lethal, in the sense that it could attack a very volatile facility and cause the deaths of many people, then even if the objective was completed there could be a chance that it may backfire on the country that created it and cause a great deal of damage.

Source: http://large.stanford.edu/courses/2015/ph241/holloway1/
