More insecure IoT, now more creepy!
Pfft. Isn't there a liability for makers of this stuff?
Security researchers say they can back up a mother's claim that her baby monitor had been remotely hacked and used to spy on her family. SEC Consult says it found flaws in the Fredi Wi-Fi baby monitor that would allow an outside attacker to remotely connect to the device and use its built in camera without authentication. The …
Over in HK & China it works like this:
You get hired.
You know almost fuck all about programming, but you are good at talking.
You get onto GitHub or Stack Overflow to C&P your code, but most important, you throw up a few screens for the MD to look at and you bullshit.
Most of these guys would not know security if it bit them on the ass. I do work for a company where their "programmer" built a whole business system that is just screens, no code written, just "under construction", but it does have great graphics.
Language handling is done by having (screen * number of languages) and most of the code so far is just patch on patch on patch.
But MDs don't want to know, because they see the money going out to pay you... but don't see the results... unlike the overpaid guy who can throw up a screen in 30 min.
If a security guy does his job, then there is "nothing to see".
How do you justify a salary if there are no "measurable results"?
"Pfft. Isn't there a liability for makers of this stuff?"
The article says it's got a default standard password. The user should have changed that. There may be other vulnerabilities, but in this case it seems to be the user's fault for not setting up their own password.
"The article says it's got a default standard password. The user should have changed that. There may be other vulnerabilities, but in this case it seems to be the user's fault for not setting up their own password."
This exactly is the problem. The unit shouldn't have a default password but no password and should not be operable unless the user sets one upon first boot.
Seeing that phrase in headlines a lot recently, perhaps it's just a meme, but since we are seeing it a lot, perhaps panic is well past due.
I know I experience significant culture shock when I notice not just the 'we don't give a shit as long as we get your money' IOT attitude, but the mindless buy-in that only encourages them.
I know I'm most certainly a prime example of a 'culture of one', but all the same....
The first question is why a password is required. If it's so the user can log in remotely and control/access the device then giving them a random password is pointless. They'll get so fed up not being able to remember it that they'll change it to be Password1.
What they really need is some better password-less authentication system, perhaps a way to securely link an app & the device at install time. That, unfortunately, costs more money to develop, especially to make it both secure & sufficiently simple for a non-technical user to set up. If it's too complex we'll just see Amazon comments along the lines of "Too hard to set up, returned and bought XXX instead", where XXX is the model that allows you to enter "Password1".
It's cheap consumer tat, and very difficult to get past the "leave the key under the mat, no-one will look there" mindset.
"Users are advised to use some basic practices like immediately changing default passwords and keeping an eye out for suspicious hardware activity and network traffic."
'basic practices' and 'network traffic' in the same sentence
How is your average punter going to have any idea about what suspicious network traffic is or how to keep an eye out for it!?
It's a pity that for most users this list applies;
Networks? what's that? I've just got a wifi box that gives me the internet
Can't see I'm being spied on 'now' so it isn't happening
Can't do deductive reasoning
Don't see the 'change password' messages
Don't understand something so it's magically perfect and/or trivial
Security is always beaten by Convenience
The only reason I would use a baby monitor is if my child was really ill. I mean with wires monitoring heart rate or on a drip for medicine. Or if I lived in a mansion with 40 rooms where the nursery was in the upper west wing. As none of the above applies then letting a child that needs attention call out (cry) is good. It develops the lungs and teaches Jr patience as the parent doesn't appear every time it farts. I used to love technology but now I'm an old fart I fail to see the reason for most of its existence unless the aim is to give your privacy away for free.
"As none of the above applies then letting a child that needs attention call out (cry) is good. It develops the lungs and teaches Jr patience as the parent doesn't appear every time it farts."
Ever thought Jr. lacks the mental capacity for patience, that very young children are basically acting on instinct, and that a house doesn't have to be so big (just very noisy, say one with other kids) to mask a baby's cry even from a not-so-considerable distance? Not to mention the potential calls for parental neglect? Thus the infamous meme that a baby means sleepless nights?
pretty well anything like this is a security nightmare.
IoT to me means that anyone installing it is either an Idiot or a total Twat.
If you aren't able to check the security of a device then don't install the effing thing.... It ain't rocket science, is it?
As for those IoT front door locks, what thief needs a better invite to rob your place as it will certainly be full of other electronic goodies...
"If you aren't able to check the security of a device then don't install the effing thing.... It ain't rocket science, is it?"
To Joe Stupid, IT IS. That's what IT often overlooks to their detriment. We need a solution for people who demand unicorns or else, think The Internet is their Web browser, and can't remember a password to save their lives.
"To Joe Stupid, IT IS. That's what IT often overlooks to their detriment. We need a solution for people who demand unicorns or else, think The Internet is their Web browser, and can't remember a password to save their lives."
Easy, just tie every IoT device to their Facebook account. Sorted!
Good point. I like my IoT stuff but I keep it local. Also you need to be careful how you communicate. My electronic deadbolts do not communicate wirelessly. I could upgrade to some but why would I add a security hole? Though with my house a good foot would do the trick. When thinking about IoT be sure to look at how they communicate.
Knowing it's about as secure as Adobe Flash means I can count on it getting hacked within moments of connecting it to the internet.
Which means script kiddies will find it, hack it, & soon be exposed to the live feed from the camera & mics...
Which I will have "accidentally" connected to the Vogon porn broadcast!
*Ominous maniacal laughter*
I'm not evil, I'm "Creatively Vindictive", there's a difference. =-D
These devices are sold to people with the implication that security is properly taken care of. Even knowing to change the password by the more aware does not mean they have necessarily properly secured the device. To make matters worse, the typical set up of these devices is done by a simple wizard which implies you are finished securing once the wizard finishes.
This is compounded by the fact that most people view networks, microwaves, computers, etc. as black boxes with varying levels of complexity. They do not really understand how their coffee maker works, so expecting them to be an expert on computer network security is idiotic in the extreme.
BRISTOL NEWS
TECHNOLOGY PUZZLES
A reader has contacted this paper, incensed about a recent purchase of a security camera system. The setup procedure required the reader to create a new account in "the cloud" in order to set up the cameras. When the user went away on holiday, they logged in to the camera account and were surprised to see the inside of someone else's house.
When they got back home, they discovered that they had been burgled.
More puzzling was the complete lack of any sign of forced entry. Further inquiries with Amazon revealed that the burglar had gained entry by shouting through the letter box "Alexa, open the front door" and subsequently "Alexa, open the garage door". The burglar used the empty garage, which had access directly into the house, to load up a box van with stolen property. Unfortunately, the security camera vendor cannot trace the video which actually came from the house at the time of the burglary.
The insurance company refused our reader's claim, saying that the security system was defective. The warehouse vendor and the security system manufacturer both refused to provide even a refund. An Amazon spokesperson told this paper "No comment".
Congratz, nearly every modern laptop, router, IoT device, car, toaster, and even your nan's toothbrush are connected to the internet and shout at the nearest master server not only that they exist, but where they are, who you are, your dog's name, and the shape of your left gonad.
The more advanced models allow you and anyone else to remotely access anything for your and their convenience, because this is what you and they want, we and they are sure of it! See: Windows RDP which is enabled by default on most models, Swiss cheese router admin panels, cameras of the baby variety or otherwise, cars with a giant phablet plonked right in the dash that automatically connects to any nearby bluetooth device, or otherwise anything even partially cloudy.
There is no escape. Embrace the Intimacy of Telemetry.