Crapgadget apocalypse: the IoT devices that punch through your firewall and expose your network


#1

[Read the post]


#2

Someone else had suggested it in a previous IoT post, but i think a certification group (international or federal) should be vetting these and enacting warnings, fines or bans on selling insecure devices. As it stands it seems like the wild west out there and no one is responsible for all these shitty connected gadgets.


#3

LOL. This reminds me of when we could remotely control security cameras back in 2005. This article about the IoT breach makes the comparison - and even includes a picture of

http://thenewstack.io/snooping-webcam-reveals-security-dangers-internet-things/


#4

“I was mooching around this Chinese bloke’s shop with no one to be seen,” posted one prankster.
_ “Then all of a sudden they turn up, he looks at the camera whilst I was_
_ zooming in on him and he twigged something was not right…so he runs _
_over to his PC with me following him with the camera, then he calls his _
_friend over….obviously they went there to check the PC as the camera is _
linked through that.”

As they pulled up the camera-controlling software on their PC, they saw: a picture of themselves.


#5

If we weaken encryption standards, these devices will work even better, if their purpose is to backdoor your home computer for all comers.


#6

If we have nothing to hide then we should not bother with firewalls, passwords & encryption. Right? :smiley:


#7

Exactly. Also, install your toilet and shower on the front porch.


#8

Exactly. As long as everybody does it, where’s the harm, eh?


#9

Pish posh. Good luck with that, IoTs.


#10

I wonder if there will ever be a network device equivalent of the UL/FCC/CSA/CE/etc certification for electrical safety. A label that says “this device has passed a rigorous series of independent tests that confirm it adheres to best design practices for Internet-connected equipment etc etc”.

Maybe it’s not feasible but it really feels like this is an industry that lets us down time and time again in this regard. And any amount of exposure doesn’t seem to help since 1) it’s hard to keep track of these idiots and 2) most people don’t even understand how at risk they are so they’d never wonder if that webcam is royally fucking them n their backdoor.


#11

The sheer number of devices does make it very difficult to do the proper testing and documentation. However there are existing groups that do this already for other products so i don’t see why this hasn’t happened already.


#12

I wonder if there is software which would automactically upload malware to the network (malware that only works when someone operates in Chinese.)
But, that would be wrong.


#13

Yeah as far as volume of devices is wouldn’t be much worse than all the coffee makers, hair dryers, toasters, string lights, etc that need to go through certification. I think the bigger obstacle to this being feasible would be the fact that software is directly involved. How do you test against the vast number of ways code can cause harm? And even if you could it would certainly make the cost of updates or enhancements prohibitive.


#14

You can fairly easily lock a device out of the internet access, directly on the firewall.

Just either nullroute its assigned IP, or even statically set its MAC address to bogus IP via static ARP assignment.

You still can access it from the outside, if needed, but through your own proxy and on your own terms. E.g. through ssh portforward.

Having a firewall under your own control instead of it being just a vendor-provided black box is pretty important. Then you can do various shenanigans, run VPNs from it, monitor and log comm in general or from the specific devices, block specific IPs, block or reassign specific DNS names if you run a resolver there…


#15

The cost definitely would fall on the manufacturer and potentially passed onto the consumer, unfortunately. But as it stands some companies offer bounties for bugs being found by security researchers and white hat hackers. I think this could be done as well for the IoT, have bounties offered up for helping find vulnerabilities & bugs. Any issues found need to be paid by the company making the product(s). Anything not found in compliance could face fines or something? (not sure about this last bit).

I don’t know how well that might work but crowd-sourcing out this kind of work is doable and there’s existing precedent for it.


#16

Have you met most people that use the internet? Or even understand how the internet works?


#17

I served my sentence at techsupport duty. I don’t want to care about those anymore.


#18

While it may seem easy to people who are tech savvy to prevent this type of thing from happening, I’m sure even some of those tech savvy people are caught by surprise at the lack thought (or intentional backdoor integration) when it comes to home network security.


#19

I totally wouldn’t be surprised if I see these in the BoingBoing Store in a few weeks :grin:


#20

This topic was automatically closed after 5 days. New replies are no longer allowed.