Another reason why the IoT may not be that good an idea ...


jaclaz

Another not strictly IOT, but near enough:

http://blog.ioactive.com/2016/02/remotely-disabling-wireless-burglar.html

Countless movies feature hackers remotely turning off security systems in order to infiltrate buildings without being noticed. But how realistic are these depictions? Time to find out.

Today we’re releasing information on a critical security vulnerability in a wireless home security system from SimpliSafe.

...

...

IOActive made attempts through multiple channels to contact SimpliSafe upon finding this critical vulnerability, but received no response from the vendor. IOActive also notified CERT of the vulnerability in the normal course of responsible disclosure. The timeline can be found here within the release advisory.

SimpliSafe claims to have its units installed in over a million homes in North America. Consumers of this product need to know the product is inherently insecure and vulnerable to even a low-level attacker.

jaclaz

Hackers take control of a TOILET

 

Hikohiro Lin, head of the firm's product security team, revealed that potty-minded researchers managed to hack their way into a bluetooth-enabled Japanese toilet.

 

These super-loos allow users to control various functions using a smartphone.

 

But researchers found that one of these high-tech toilets was protected with only a basic password.

 

This meant they could take control of the toilet, allowing them to flush it at an awkward moment or even surprise people by unexpectedly aiming a jet of water at their nether regions.

 

For the life of me, I can't figure out why you'd want to control a toilet with your smartphone, but there you go...

 

Merely the thought of installing an operating system on a commode just boggles the mind. Imagine the possibilities if it were Windows 10 IoT Core, phoning home. Do we really want to be that connected? :wacko:

Your toilet needs some updates and needs to restart. We've scheduled a time we think is convenient for you.

--JorgeA

This honestly....is the most ridiculous thing I've ever heard of. I think we can safely say that the only reason you'd ever want to control your toilet with a *shudders* smartphone....is because you can....

Things you never knew existed:

 

That toilet thing (or something similar) appears in one of the videos in the series.

Some of the gadgets are stupid or useless.

Very few of them are actually useful and/or nice to have.

Most of them are scary when thought of in depth. And yeah: smartphone-controlled.

 

We're living in a giant microwave oven. :(

Edited by Drugwash
Most are solutions looking for problems, Drugwash. Got a laugh out of seeing Vanilla Ice in a WTF moment; totally did not expect him to be shilling jellyfish.

That, and "It's not a drone." Of course it's a drone: it flies by remote with a camera. The fact that the remote looks like a Microsoft XBox controller modified to hold an Apple iPhone makes it even more ridiculous.

Edited by 5eraph
It's a 36-episode series of videos; the one above just got somehow stuck when I copied the link (I'm no friend of Google's "children").

Do watch them all from the beginning, it'll be an amazing(ly frightening, at some point) experience. ;)

DVR snaps stills from CCTV surveillance and sends them to China

 

The Pen Test Partners post about what they found, from Andrew Tierney, is full of coding details on how he got a local root shell on the DVR and used it to uncover an unauthenticated, impossible to disable, remote root shell that an attacker could use to compromise and control the device from the comfort of their own laptop.

 

[...]

 

But weirdest of all, the thing is capturing still images from video feeds and emailing them to an address that appears to be hosted in China.

 

Buried deep in the device’s firmware code, Pen Test Partners found that images were being captured from CCTV feeds and sent to the mysterious email address lawishere@yeah.net.

 

As a screenshot of a firmware code sample shows, that email’s subject is “Who are you?”

 

The email’s body contained a 320x180px snapshot of the CCTV feed.

 

The email address was hosted on a Chinese email provider, according to Softpedia.

 

Pen Test Partners discovered that the firmware was taken from the JUAN-Device GitHub repository, managed by someone named Frank Law.

 

Why is the DVR snapping photos and sending them to Frank Law?

 

--JorgeA

Krebs on Foscam:
http://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/
 

This is Why People Fear the ‘Internet of Things’


Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt.

This is the nightmare “Internet of Things” (IoT) scenario for any system administrator: The IP cameras that you bought to secure your physical space suddenly turn into a vast cloud network designed to share your pictures and videos far and wide. The best part? It’s all plug-and-play, no configuration necessary!

 

 

jaclaz

And now let's talk of IOT generated metadata and who exactly will access it:

http://www.theregister.co.uk/2016/02/28/metadata_scope_creep/

Governments around the world are legislating to collect metadata, usually with the excuse that modern crime-fighting and national security efforts require access to records of citizens' communications.

In many nations that's sparked what I call "horizontal" scope-creep, in which, as just one example, the Australian Health Practitioner Regulation Agency (AHPRA) wants access to metadata in order to identify and discipline doctors who are having affairs with their patients.

...

The number and nature of bodies seeking access to retained data goes far beyond how world governments have presented the need for data retention.

The AHPRA example mentioned above illustrates the trend well, because the organisation has identified metadata as a resource to help it probe something that is neither a criminal nor national security matter.

Worse, the retained metadata violates the privacy of a party to the communication – the patient - who might not even be behaving unethically (for example, both doctor and patient may be single, and the patient's conscience can be clear).

The AHPRA reckons gaining metadata access to phone records will tell it whether doctor and patient are constantly exchanging text messages, making it easier to confront the doctor with evidence. If AHPRA or any other organisation, in any nation, also gains access to IoT metadata it will become possible to build a very detailed breadcrumb trail indeed. Down to an opened door moments after a TV is turned off, in a proximate location to a moving smartphone that grazes a geo-located Wi-Fi hotspot.

 

No more "The Thorn Birds" or similar :no:.

 

jaclaz

Well, it's starting to get interesting: what about a device that autonomously "calls home" when needed, ordering (original) spare parts for itself?

 

Welcome to the future of hydration :w00t::

https://www.brita.com/water-pitchers/infinity?locale=us

 

The future of hydration is here, and it’s smarter than ever. Introducing Brita® Infinity, our first Wi-Fi connected pitcher that tracks your usage and automatically orders replacement filters through Amazon Dash Replenishment. Shipping charges apply for Non-Amazon Prime Members. 

This mid-sized wonder is perfect for any household, big or small. It is BPA-free, and comes packed with the latest features. Get connected with Brita® Infinity, and never run out of great-tasting water again.

 

 

And as a side it is interesting how in the "system requirements" we have proof of the progress that new technology and software brings into our lives:

https://infinity.brita.com/system-requirements/

 

 

You can activate your pitcher using any of the following operating system/browser combinations:  

  • OS X 10.9 + (with Safari 7+, Chrome 43+, Firefox 41+).
  • Windows 7 (with IE 8 and IE 11, Chrome 43+, Firefox 41+).
  • Windows 8.1 (with IE 11, Chrome 43+, Firefox 41+).
  • Windows 10 (with IE 11, Chrome 43+, Firefox 41+). Please note that many people who upgraded to Windows 10 experienced Wi-Fi connectivity problems. In many cases, the problem was an outdated or incompatible network adapter driver. If you’ve upgraded to Windows 10, please ensure your network adapter driver is compatible with Windows 10 before you start the Infinity activation process.
  • iOS 8.0 + (with Mobile Safari).
  • Android 4.1 + (with Native browser, Mobile Chrome).

 

 

(italics is NOT mine)

 

... and I guess that the real reason why people will soon abandon good ol' XP will be because of its inability to activate their new water pitcher... :dubbio:

 

jaclaz

... and I guess that the real reason why people will soon abandon good ol' XP will be because of its inability to activate their new water pitcher... :dubbio:

 

jaclaz

 

Well, that's definitely a deal-breaker for me!!  :yes:

 

--JorgeA

Get ready for a world of hackable cars

 

This is just amazing:

 

Not surprisingly, given the public's somewhat cavalier attitude towards protecting their phones and computers from hackers, they're unwilling to give up the convenience of a connected car to protect against a hypothetical hack.

 

For example, just 13% said they would never use an app if it increased the potential for their vehicle to be hacked.

 

Which is why figuring out how to hack cars is a growing area of specialization in some quarters.

 

And:

 

The convergence between connected cars and nefarious hackers (as opposed to research hackers) is coming, say Miller and Valasek, who now work at Uber's Advanced Technologies Center in Pittsburgh, Penn.

 

"I wrote four lines of Python [a programming language] and owned 1.4 million cars," Miller said of their Jeep exploit.

 

:w00t:

 

--JorgeA

Bruce Schneier on IoT:
http://www.theregister.co.uk/2016/03/02/sleepwalking_towards_digital_disaster/

The problem is in the design. Traditionally we build complex systems like buildings and aircraft with a safety first principle. Time is spent in the design phase making sure that breakages are unlikely, and if things do go wrong then the effects are somewhat mitigated.

But software isn't like that. Instead you code fast and hard and then fix things when problems crop up. The merging of these two design styles poses almost insurmountable security problems for all of us.

Governments are going to have a hard time dealing with this, since they tend to focus on specific silos of influence, like defense, agriculture or energy. Markets won't deal with it because they are profit focused and motivated for short-term gain.

Schneier cited the current explosion of internet-of-things devices as an example of the latter issue. Almost none of these devices take security seriously because there's no money in addressing security issues for the makers, and the same is true for the world-sized web.

 

 

jaclaz
