If You Think The Internet of Things Isn’t a Problem…

That only means you don’t work in hardware or software engineering. This Hacked Coffee Maker Demands Ransom and Demonstrates a Terrifying Implication About the IoT. It isn’t just that they can spy on you. They can. They do. They can do more.

So a security researcher was asked to prove that this kind of thing can be done.

After a week of tinkering, he effectively turned the coffee maker into a ransomware machine. When the user tries to connect it to their home network, it triggers the machine to turn on the burner, spew hot water, endlessly spin the bean grinder, and display a pre-programmed ransom message while beeping incessantly. The only way to get it to stop? Unplugging your now seemingly possessed coffee maker entirely.

Now why anyone needs a smart coffee maker is beyond me, especially if you see the price. And I paid quite a bit for a coffee maker that is certified by the Specialty Coffee Association. But then it is certified to make a good cup of coffee, not talk to my smartphone. And it didn’t cost $250.

So what happens when your door locks get hacked, or your car? But the main problem with the coffee maker in question is that it is a toehold into the rest of your network.

But Hron says the implications of this kind of hack are much more concerning. Through this exploit, attackers could render a smart gadget incapable of receiving future patches to fix this weakness. He also argues that attackers could program the coffee maker or other Smarter appliances with this vulnerability to attack any device on the same network without ever raising any alarm bells. Given the years-long and even decades-long lifespan of traditional appliances, this also begs the question of how long modern IoT device vendors plan on maintaining software support, Hron points out.

The implications of how bad this can be in the long-run explain the image at the top of this post. (Click the image for a look at the fine print.)

Hat tip to Small Dead Animals: I, For One, Welcome Our New Self-Driving Overlords

Who Thought Controlling Lights From a Smartphone Was a Good Idea?

Because security won’t ever be an issue with a lightbulb. Until it is. The Dark Side of Smart Lighting: Check Point Research Shows How Business and Home Networks Can Be Hacked from a Lightbulb.

This is a long, somewhat technical article. The TLDR version is if you have Philips IoT lightbulbs, then you need to have auto-update enabled on the bridge (the central box) and you need to update the bulbs. (Turn them on and wait an hour. They may turn on and off.) Otherwise the bulbs are a gateway into your wifi, for stuff like ransomware to work its way into your systems. And note that not all of the Philips hubs support auto-update, which means you HAVE TO MANUALLY UPDATE.

You can watch 15 minutes of video, from this week’s Security Now. The relevant portion of the video starts at 1 hour, 11 minutes and 16 seconds in. (Not that you won’t learn something if you watch the whole thing….) The show notes can be found at the following link. Security Now Episode 754 Notes. (Info on the version of firmware required to be safe is in the notes.) The section of the video that deals with this issue is about 15 minutes long. Enjoy.

The moral of the story? Why the frack do you think you need to be able to control lighting via your smartphone? You don’t. And stuff like this says that trying to do so is just inviting trouble. What could go wrong?

Your Not-so-smart Home – 2 Billion Records Exposed

Billion with a B. If you think your smart home is making you safe, you might be kidding yourself. Confirmed: 2 Billion Records Exposed In Massive Smart Home Device Breach.

Orvibo is a Chinese company that makes “smart home” hubs, and outlets, and a bunch of other things. It turns out they have an awful lot of data about their customers, and they made it all public.

The list of data included in the breach is extensive according to the vpnMentor report and includes:

  • Email addresses
  • Passwords
  • Account reset codes
  • Precise geolocation
  • IP address
  • Username
  • UserID
  • Family name
  • Family ID
  • Smart device
  • Device that accessed account
  • Scheduling information

The kinds of things that this lets bad guys do… Access your security camera. Unlock your smart lock. Lock you out of your account.

OK, this is a story about data being made public, but why are they logging all of this data? Even if they don’t make it public, this is a lot of data to entrust to a company that doesn’t seem to have your security on its radar.

Internet of Industrial Things Still Lacking in Security

It’s one thing to use IoT to turn the lights down when you want to watch a movie, but this is serious infrastructure stuff. 147 Security Vulnerabilities Found in ICS Mobile Applications. (ICS is Industrial Control System technology.)

The security of mobile applications used to help monitor industrial control system (ICS) technology is severely lacking

What a surprise. Because in 2018, after a year of operating system problems and IoT problems, in the midst of CPU vulnerabilities, managers still can’t prioritize security. (Makes products more complicated and provides no additional features? Budget denied!)

I don’t care what you do with the lights in your home theater, but I sort of do care with what the power companies, water purification plants, et al do with their tech.

In October 2017, US-CERT warned about ongoing threats targeting industrial infrastructure across the United States.

Put a bunch of unsecured Linux nodes on the internet, and offer to control them via a smartphone app. What could go wrong?

Amazon Gets Internet of Things Wrong – Part 2

And you thought it was bad that Amazon Echo would let people hack into your home network. Amazon Key flaw could let a courier disable your Cloud Cam. So Amazon came up with a system to allow couriers to unlock your door and deliver packages inside the house. What could go wrong?

Now, researchers from Rhino Security Labs have shown that it’s possible, under rare circumstances, to hack the camera so that everything looks fine while someone takes all your stuff.

The attack would work like this. A courier unlocks your door with their Key app, drops off the package and closes the door behind them. Rather than re-locking it, they then run a program on a custom-built device or laptop that spoofs the home’s router and disconnects the Cloud Cam from the network.

And keeping the camera disconnected from the network means that they are not being monitored. While they steal all your stuff.
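The defensive counterpart to the sequence described above is to correlate the lock’s events with the camera’s connectivity: a delivery in which the camera drops off the network while the door is still unlocked is exactly the pattern that should raise an alert. This is an added example, not Amazon’s or Rhino Security Labs’ code; the event names, fields and timestamps are constructed.

```python
"""Flag Key deliveries during which the Cloud Cam went offline before the door
was re-locked. Added illustration; event kinds and the sample log are assumed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    ts: int      # seconds since epoch (constructed values below)
    kind: str    # "door_unlock", "door_lock", "cam_offline", "cam_online"


def flag_suspicious_deliveries(events: List[Event], grace_s: int = 30) -> List[dict]:
    """Return one record per unlock window in which the camera stayed offline.

    A window opens at door_unlock and closes at the next door_lock (or never,
    if the courier left without re-locking). A cam_offline inside the window
    counts as an outage unless cam_online follows within grace_s seconds.
    """
    findings: List[dict] = []
    unlock_ts: Optional[int] = None
    offline_ts: Optional[int] = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "door_unlock":
            unlock_ts, offline_ts = ev.ts, None
        elif ev.kind == "cam_offline" and unlock_ts is not None:
            offline_ts = ev.ts
        elif ev.kind == "cam_online" and offline_ts is not None:
            if ev.ts - offline_ts <= grace_s:
                offline_ts = None          # short blip, not a real outage
        elif ev.kind == "door_lock" and unlock_ts is not None:
            if offline_ts is not None:
                findings.append({"unlock": unlock_ts, "offline": offline_ts, "lock": ev.ts})
            unlock_ts, offline_ts = None, None
    if unlock_ts is not None and offline_ts is not None:   # door never re-locked
        findings.append({"unlock": unlock_ts, "offline": offline_ts, "lock": None})
    return findings


# Constructed sample log: one outage during a delivery, one harmless blip,
# and one delivery where the door was left unlocked and the camera vanished.
SAMPLE_EVENTS = [
    Event(1000, "door_unlock"), Event(1020, "cam_offline"), Event(1200, "door_lock"),
    Event(2000, "door_unlock"), Event(2010, "cam_offline"), Event(2015, "cam_online"),
    Event(2100, "door_lock"),
    Event(3000, "door_unlock"), Event(3030, "cam_offline"),
]

if __name__ == "__main__":
    for f in flag_suspicious_deliveries(SAMPLE_EVENTS):
        print("ALERT: camera offline during delivery", f)
```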

Amazon is promising to “address the issue.” But really, this is the kind of thing that should have been done in INITIAL design. (Gee, you think we should consider all the ways that bad-actors might attack the system?) Idiots. (Part 1 is at this link.)

The Internet of Things (IoT): All your security cameras belong to us

The “S” in IoT stands for “Security.” And Sony is the latest company to live up to that standard. Or down to it. Backdoor accounts found in 80 Sony IP security camera models | PCWorld

You could also file this under, “You’re doing it wrong!”

80 different versions of Sony web-connected security cameras have back-doors that would allow hackers to take them over. These are not cheap consumer devices, but those sold to corporations and government.

The second hard-coded password is for the root account that could be used to take full control of the camera over Telnet. The researchers established that the password is static based on its cryptographic hash and, while they haven’t actually cracked it, they believe it’s only a matter of time until someone does.

My guess is that we are living in the golden age of Internet access. In another 10 years, there will be so many botnets made of non-secure IoT devices that the DDoS attack that brought down sites like Twitter will be so commonplace that trying to get anything done will be a fool’s errand.

Enough with the IoT? There are only computers connected to the Internet.

Whether PC, Mac, smartphone, or tiny Linux kernel in a light bulb, they are all computers. It’s just that a large number of them have NO security. IoT Security: Deja Vu Or Part 2?

Researchers were able to hack into the Philips Hue ZigBee Light Link Touch System from an aerial drone more than a thousand feet away from the light source to remotely control the Hue lights and cause them to blink S-O-S in Morse code. Fundamentally they injected one lightbulb with a worm, and that bulb infected its neighbors, and so on, and so on—infecting an entire building in a matter of minutes.

I’m sure there is some reason you want your light bulbs controlled via some wireless protocol. I doubt you want them to be under the control of some random hacker.

Aside from losing control of your light bulbs, they can be used in DDoS attacks. Not good.

Web cams (including baby monitors) that let strangers spy on you. Hacks into your personal network (where you might keep things like banking and tax data). Just because something is “neat” doesn’t mean that you have to buy it.

A (Worse than) Useless Internet of Things

Having everything connected to the internet would be interesting if everything needed to be connected to the internet. And if the vendors took security into account. Consumers Prepare For An Internet Of Very Pointless Things – Forbes (Joy of Tech comic; click the image to see a larger view at the original site.)

And I don’t mean that they should take security seriously. (They should!) But they aren’t even treating security as a third or fourth level requirement. In a previous post I wrote about how a certain smart-fridge was a good way to get your Gmail password hacked. Why Do We Need a Smart Fridge? But that isn’t the end of it.

Now we have even more “smart” objects, that aren’t smarter than the hackers.

In 2014 Context Security released details about how it was able to hack into the wi-fi network of one brand of network-enabled smart bulb, and control the lights remotely. “We bought some light bulbs and examined how they talked to each other and saw that one of the messages was about the username and password,” said Michael Jordon, Research Director at Context. “By posing as a new bulb joining the network we were able to get that information,” he added.

If you are passing information about userid and password around to an unverified node in the network, I think your software engineers need to take a course in Security 101. Or maybe revisit the 11th grade. To design a system – today, these were not designed in 1984, but 2014 – assuming that all players in the environment are legitimate is beyond naive. (And even in 1984 we had security on closed systems. Resource Access and Control Facility – the dreaded RACF from IBM. Top Secret from Computer Associates. And more.)
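The Security 101 point above, in toy form, as an added example (not Context’s research code or any vendor’s firmware): the naive hub hands the Wi-Fi credentials to anything that announces itself as a bulb, while the hardened hub first makes the joining node prove it holds a per-device secret (assumed to be provisioned at the factory) through an HMAC challenge-response. Device IDs, secrets and credentials are constructed.

```python
"""Naive versus authenticated bulb join. Added illustration; all values constructed."""
import hashlib
import hmac
import secrets

WIFI_CREDS = {"ssid": "HomeNet", "psk": "constructed-psk"}   # constructed


def naive_hub_join(announce: dict) -> dict:
    """Vulnerable pattern from the article: any self-declared bulb gets the secrets."""
    return WIFI_CREDS if announce.get("type") == "bulb" else {}


class AuthHub:
    """Hardened pattern: release credentials only after proof of possession."""

    def __init__(self, provisioned: dict):
        self.keys = provisioned     # device_id -> per-device secret (assumed factory-provisioned)
        self.pending = {}           # device_id -> outstanding nonce

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)         # fresh per attempt, so responses cannot be replayed
        self.pending[device_id] = nonce
        return nonce

    def join(self, device_id: str, response: bytes) -> dict:
        nonce = self.pending.pop(device_id, None)   # single use
        key = self.keys.get(device_id)
        if nonce is None or key is None:
            return {}
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return {}
        return WIFI_CREDS


def bulb_respond(secret: bytes, nonce: bytes) -> bytes:
    """Legitimate bulb proves it holds the secret without ever transmitting it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo() -> tuple:
    """(naive hub leaked?, rogue node got creds from hardened hub?, real bulb joined?)"""
    hub = AuthHub({"bulb-01": b"constructed-secret-01"})
    leaked = naive_hub_join({"type": "bulb"})            # rogue node, naive hub
    hub.challenge("bulb-01")
    rogue = hub.join("bulb-01", b"\x00" * 32)            # rogue node has no secret, guesses
    nonce = hub.challenge("bulb-01")
    real = hub.join("bulb-01", bulb_respond(b"constructed-secret-01", nonce))
    return bool(leaked), bool(rogue), bool(real)
```

Authenticating the joiner is only half the fix: the credential message itself still needs a confidential channel, which this toy leaves out.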

And is it really easier to turn lights on via your phone than to slap the switch when you walk into a room? OK if you are on vacation I can see having lights turn on and off at given times, but are you going to be doing that via your phone? (“It’s 7:30 in Chicago, I better turn on the kitchen lights.” Really? That is what you are going to worry about when you are relaxing on a Hawaiian beach?)

There is a place for the internet of things. Monitoring the temperature of pharmaceutical reactions during manufacturing. Monitoring or controlling any number of manufacturing processes. Monitoring the health of oil wells, agricultural pumps, traffic signals.

But having a stove that you can turn on remotely? Do you really leave food in the oven all day? Or you can’t wait 8 minutes for the oven to warm up to get that frozen pizza?