Smart thermostat makes dumb security mistakes


The ‘Internet of things’… because SCADA didn’t turn out to have any security problems, so it’s clearly ready for a rollout to the public at large.

http://thethingsystem.com/

Don’t open ports to stuff inside your network. This is why we have things like VPN.

Unfortunately, “open port(s) in firewall” is just seen by most people as that thing they do in order to get their stuff working.

I’m not surprised. I never trusted that guy.


He’s too much!


That depends. Each is for a specific purpose. A VPN is not automatically secure (actually, a lot of supposedly secure systems, e.g. that nuke plant, got wormed because of contractors’ VPNs), and a port forward is not automatically insecure (if the device it is forwarded to is not holey like a sieve).

Re the video, the comparison of the remote control with the Apple TV one clearly shows the disadvantages of Apple TV: apparently no way to enter text other than painful cursoring around. Classic Apple; what they insist you want is easy, but if you stray away from their vision it is a sleek white plastic hell.


Absolutely. I was being deliberately provocative. However, the person who goes to the trouble of setting up a VPN is more likely to take care of their credentials, and the entity providing the software for the VPN is more likely to patch vulnerabilities than a random hardware vendor who slapped a web interface on a thermostat. Adding another layer of security is unlikely to make things less secure.

I’m not sure what the solution is. This vendor instructed its users to open a port that fairly uniquely identified them as users of this device. That’s obviously bad, as is their implementation of authentication in the web interface. I can’t really expect the vendor to properly document how a user would secure their network while also providing access to their device(s), and I certainly can’t expect consumers to hire these tasks out as that’s likely cost prohibitive. Education seems like a noble enough pursuit, but I don’t imagine most people even think about these sorts of topics until after some widespread breach happens. And even then, I expect their attention span on such matters is very limited. People have lives to live, after all.

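The two configurations the thread is arguing about, side by side, as an added example that is not part of the original thread or of any vendor's instructions: a router port-forward table that exposes the thermostat's web interface directly, beside one that exposes only a VPN endpoint and reaches the thermostat through it. The rule layout, the addresses, the port numbers (8888 for the thermostat forward, 51820 for a WireGuard endpoint, 10.8.0.0/24 for VPN peers) and the device name are all assumptions constructed for illustration; the thread does not name the vendor's real port. The audit function flags any forward reachable from the whole Internet that is not a VPN endpoint, which is the class of rule a vendor "open this port" instruction produces.

```python
"""Audit a router port-forward table for Internet-exposed device services.

Added example, not code from the thread. The table format, hosts, ports and
subnets below are constructed assumptions for illustration only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    name: str
    proto: str
    wan_port: int      # port the router listens on
    dest: str          # LAN host the traffic is sent to
    dest_port: int     # port on that host
    source: str        # CIDR of clients allowed to reach wan_port


# Constructed: what "open port 8888 in your firewall" instructions produce.
WEAK_TABLE = [
    Forward("thermostat-web", "tcp", 8888, "192.168.1.50", 80, "0.0.0.0/0"),
]

# Constructed: only a VPN endpoint faces the Internet; the thermostat's web
# UI is reachable solely from the VPN peer subnet.
HARDENED_TABLE = [
    Forward("wireguard", "udp", 51820, "192.168.1.1", 51820, "0.0.0.0/0"),
    Forward("thermostat-web", "tcp", 80, "192.168.1.50", 80, "10.8.0.0/24"),
]

# (proto, port) pairs that are VPN endpoints (WireGuard, OpenVPN, IPsec IKE/NAT-T).
VPN_ENDPOINTS = {("udp", 51820), ("udp", 1194), ("udp", 500), ("udp", 4500)}
WEB_UI_PORTS = {80, 443, 8080, 8443}


def internet_exposed(source_cidr: str) -> bool:
    """True when the allowed-source CIDR is the whole IPv4 or IPv6 Internet."""
    return ipaddress.ip_network(source_cidr, strict=False).prefixlen == 0


def audit(table):
    """Return one finding string per forward that exposes a non-VPN service
    to arbitrary Internet sources. An empty list means only VPN endpoints
    (or nothing) face the Internet."""
    findings = []
    for f in table:
        if not internet_exposed(f.source):
            continue  # restricted to a subnet (e.g. VPN peers): not flagged
        if (f.proto.lower(), f.wan_port) in VPN_ENDPOINTS:
            continue  # a VPN endpoint is the one service you do expose
        msg = (f"{f.name}: {f.proto}/{f.wan_port} -> {f.dest}:{f.dest_port} "
               f"reachable from the whole Internet")
        if f.wan_port not in WEB_UI_PORTS and f.wan_port > 1023:
            # A fixed, unusual port copied from vendor instructions lets a
            # scanner fingerprint the product behind it.
            msg += "; fixed non-standard port fingerprints the device"
        if f.dest_port in WEB_UI_PORTS:
            msg += "; lands on a web UI, so its login is the only barrier"
        findings.append(msg)
    return findings


def vpn_only(table) -> bool:
    """True when every Internet-facing forward is a VPN endpoint."""
    return audit(table) == []


if __name__ == "__main__":
    for label, table in (("weak", WEAK_TABLE), ("hardened", HARDENED_TABLE)):
        print(f"== {label} ==")
        for line in audit(table) or ["no Internet-exposed device services"]:
            print(" ", line)
```

The check is deliberately one-sided in the way the thread's second reply argues for: it does not claim the VPN is secure, only that the Internet-facing surface shrinks to one endpoint whose vendor is likely to ship patches, instead of a thermostat's web login.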

That’s not so certain. It can motivate you to trust that new layer, and if you rely on it too much, and there is a bug, you are toast. Which you were before too, because there are other bugs you aren’t aware of, but you didn’t know it so you slept better.

I have a growing suspicion there is no solution.
