recentpopularlog in

charlesarthur : iot   84

« earlier  
Microsoft catches Russian state hackers using IoT devices to breach networks • Ars Technica
Dan Goodin:
<p>Microsoft researchers <a href="">discovered the attacks</a> in April, when a voice-over-IP phone, an office printer, and a video decoder in multiple customer locations were communicating with servers belonging to “Strontium,” a Russian government hacking group better known as Fancy Bear or APT28. In two cases, the passwords for the devices were the easily guessable default ones they shipped with. In the third instance, the device was running an old firmware version with a known vulnerability. While Microsoft officials concluded that Strontium was behind the attacks, they said they weren’t able to determine what the group’s ultimate objectives were.

Last year, the FBI concluded the hacking group was behind the infection of more than 500,000 consumer-grade routers in 54 countries. Dubbed VPNFilter, the malware was a Swiss Army hacking knife of sorts. Advanced capabilities included the ability to monitor, log, or modify traffic passing between network end points and websites or industrial control systems using Modbus serial communications protocol. The FBI, with assistance from Cisco's Talos security group, ultimately neutralized VPNFilter.

Fancy Bear was one of two Russian-sponsored groups that hacked the Democratic National Committee ahead of the 2016 presidential election. Strontium has also been linked to intrusions into the World Anti-Doping Agency in 2016, the German Bundestag, and France’s TV5Monde TV station, among many others. Last month, Microsoft said it had notified almost 10,000 customers in the past year that they were being targeted by nation-sponsored hackers. Strontium was one of the hacker groups Microsoft named.</p>
hacking  fancybear  iot 
15 days ago by charlesarthur
D-Link agrees to new security monitoring to settle FTC charges • Ars Technica
<p>Tuesday’s agreement settles a 2017 complaint by the US Federal Trade Commission that alleged D-Link left thousands of customers open to potentially costly hack attacks. The hardware maker, the FTC said, failed to test its gear against security flaws ranked among the most critical and widespread by the Open Web Application Security Project. The 2017 suit also said that, despite the lack of testing and hardening of its products, D-Link misrepresented its security regimen as reasonable.
Specific shortcomings cited by the FTC included:

• hard-coded login credentials on its D-Link camera software that used easily guessed passwords<br />• storing mobile app login credentials in human-readable text on a user’s mobile device<br />• expressly or implicitly describing its hardware as being secure from unauthorized access<br />• repeatedly failing to take reasonable testing and remediation measures to protect hardware from well-known and easily preventable software security flaws

“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a <a href="">release</a>.</p>

There are almost surely more egregious IoT flaws out there, but they simply haven't come to the FTC's notice. (Though my current router has had a firmware upgrade available for roughly two years, and I haven't wanted to install it because, well, it works fine at the moment.)
dlink  iot  software  hacking 
6 weeks ago by charlesarthur
Teeny-tiny Bluetooth transmitter runs on less than 1 milliwatt • IEEE Spectrum
Samuel Moore:
<p>Engineers at the University of Michigan have now built the first millimeter-scale stand-alone device that speaks BLE [Bluetooth Low Energy protocol]. Consuming just 0.6 milliwatts during transmission, it would broadcast for 11 years using a typical 5.8mm coin battery. Such a millimeter-scale BLE radio would allow these ant-sized sensors to communicate with ordinary equipment, even a smartphone.

The transmitter chip, which debuted last month at IEEE International Solid-State Circuits Conference, had to solve two problems, explains David Wentzloff, the Michigan associate professor who led the research. The first is power consumption, and the second is the size of the antenna. “The size of the antenna is typically physics-based, and you can’t cheat physics,” says Wentzloff. The group’s solution touched on both problems.

 An ordinary transmitter circuit requires a tunable RF oscillator to generate the frequency, a power amplifier to boost its amplitude, and an antenna to radiate the signal. The Michigan team combined the oscillator and the antenna in a way that made the amplifier unnecessary.</p>

This is how the real internet of things gets started: devices you fit and pretty much forget.
bluetooth  iot 
march 2019 by charlesarthur
Nest Secure had a secret microphone, can now be a Google Assistant • CSO Online
Ms. Smith:
<p>When announcing that a software update will make Google Assistant available on Nest Guard, Google added, “The Google Assistant on Nest Guard is an opt-in feature, and as the feature becomes available to our users, they’ll receive an email with instructions on how to enable the feature and turn on the microphone in the Nest app. Nest Guard does have one on-device microphone that is not enabled by default.”

Nest Secure owners have been able to use Google Assistant and voice commands, but it previously required a separate Google Assistant device to hear your commands. I suppose it depends upon your outlook on if you are happy or creeped out that your security system secretly had an undocumented microphone capable of doing the listening all along.

Google didn’t really focus on the “surprise there was a microphone hidden in the Nest Guard brain of your Nest Secure” angle, preferring a take on how Google Assistant and Nest Guard can help you out.</p>

This is not something you accidentally include. It's not something you accidentally forget to tell people about either, because your engineers know that it's there, because they're going to enable it in the future: it's on the schedule.

Surprising that a teardown by iFixit et al didn't find this. But it's bad for Google not to tell people, because that's how you undermine trust.
Google  nest  iot  security  microphone 
february 2019 by charlesarthur
Japanese government plans to hack into citizens' IoT devices • ZDNet
Catalin Cimpanu:
<p>The Japanese government approved a law amendment on Friday that will allow government workers to hack into people's Internet of Things devices as part of an unprecedented survey of insecure IoT devices.

The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications.

NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices.

The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices.

The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people's homes and on enterprise networks will be tested alike.</p>

That's not going to be controversial at <em>all</em>. Though possibly Japanese consumers are more relaxed about this.
japan  iot  hacking 
january 2019 by charlesarthur
The IoT needs a new set of eyes • IEEE Spectrum
Stacey Higginbotham:
<p>two challenges [are] driving the silicon shift. First, processing power: Many of these [IoT] cameras try to identify specific objects by using machine learning. For example, an oil company might want a drone that can identify leaks as it flies over remote oil pipelines. Typically, training these identification models is done in the cloud because of the enormous computing power required. Some of the more ambitious chip providers believe that in a few years, not only will edge-based chips be able to match images using these models, but they will also be able to train models directly on the device.

That’s not happening yet, due to the second challenge that silicon providers face. Comparing images with models requires not just computing power but actual power. Silicon providers are trying to build chips that sip power while still doing their job. Qualcomm has one such chip, called Glance, in its research labs. The chip combines a lens, an image processor, and a Bluetooth radio on a module smaller than a sugar cube.

Glance can manage only three or four simple models, such as identifying a shape as a person, but it can do it using fewer than 2 milliwatts of power. Qualcomm hasn’t commercialized this technology yet, but some of its latest computer-vision chips combine on-chip image processing with an emphasis on reducing power consumption.

But does a camera even need a lens? Researchers at the University of Utah suggest not, having invented a lensless camera that eliminates some of a traditional camera’s hardware and high data rates. Their camera is a photodetector against a pane of plexiglass that takes basic images and converts them into shapes a computer can be trained to recognize.

This won’t work for jobs where high levels of detail are important, but it could provide a cheaper, more power-efficient view of the world for computers fulfilling basic functions.</p>

If you know the lens's distortion, you can adjust for it in software.
Iot  camera  software 
november 2018 by charlesarthur
Over nine million cameras and DVRs open to APTs, botnet herders, and voyeurs • ZDNet
<p>Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over devices with little effort, security researchers have revealed today.

All vulnerable devices have been manufactured by Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter), a Chinese company based in the city of Hangzhou.

But end users won't be able to tell that they're using a hackable device because the company doesn't sell any products with its name on them, but ships all equipment as white label products on which other companies put their logo on top.

Security researchers from EU-based SEC Consult say they've identified over 100 companies that buy and re-brand Xiongmai devices as their own.

All of these devices are vulnerable to easy hacks, researchers say. The source of all vulnerabilities is a feature found in all devices named the "XMEye P2P Cloud."

The XMEye P2P Cloud works by creating a tunnel between a customer's device and an XMEye cloud account. Device owners can access this account via their browser or via a mobile app to view device video feeds in real time.</p>

When I was writing Cyber Wars, Xiongmai cropped up as a company which had been criticised for the (lack of) security in devices it built. I tried getting in touch. Nothing.
hacking  iot 
october 2018 by charlesarthur
Announcing LTE Beacon for asset tracking • Estimote
<p>Today we are proud to announce another revolutionary IoT device. Once again, we chose to leverage emerging IoT technologies (LTE M1 and NB-IoT) and have designed and productized a new device we call the “Estimote LTE Beacon.”

It’s a small, wireless beacon that can compute both its precise indoor and outdoor position. It can talk directly to the cloud and last multiple years on a battery.
Estimote LTE Beacons are designed primarily to seamlessly locate assets and vehicles when they move between indoor and outdoor environments. Their secure firmware/cloud software is crafted to provide true “proof of location” and “proof of delivery.”

Since the device is fully programmable using JavaScript, it can also support other creative use-cases — for example, it can act as a remotely managed iBeacon or a gateway used to configure other Bluetooth beacons.

The best way to think of this new IoT device is to imagine it as a small smartphone, but without a screen. It can last years between charges and the cost is similar to a beacon. It has cellular LTE connectivity, built-in GPS, and Bluetooth radio. And it is also possible to create and download apps that run on the LTE beacon.</p>

Apparently a use for this will be for Hilton and other hotel chains so that housekeepers can push it as a panic button: it's accurate to a metre.
lte  iot  bluetooth 
august 2018 by charlesarthur
Lattis Ellipse Smart Bike Lock review: equal parts smart and frustrating • CNET
Patrick Holland:
<p>In everyday use, the lock worked… okay. But there were many times I struggled with it. For example when we filmed the video accompanying this review, I tried to lock my bike to a thicker post and ended up dropping my phone and cracking the screen. This scenario happened frequently: Holding the two pieces of lock and my phone, while tapping the screen to force the Ellipse closed.

The Ellipse app does provide a "handsfree" alternative called auto lock and auto unlock. To use, I close the Ellipse around my bike and the rack, walk away, and the app automatically triggers it to lock. The same thing happens in reverse to unlock it: I just have to walk towards the lock.

This is a good idea, but it doesn't work consistently. Sometimes it took an unnerving amount of time for the lock to trigger. Also, this doesn't quite solve the problem when I had to physically hold the Ellipse closed to lock it. I wish the Ellipse was integrated with the Apple Watch or Wear OS device to free up my hands.

There were also instances when my phone's Bluetooth connection was off, and I had to wait for it to connect to the Ellipse and then unlock it. For those moments, I opted to use the lock's built-in touch keypad. But even then, the keypad was annoying, too. It feels like touch technology from 10 years ago. I was only able to enter my passcode successfully when I used a deliberately slow touch.</p>

The "smart" bit is that it can tell if there's a theft (or attempt), or if it thinks you've had a crash. The stupid bit is described in the extract above: it's too hard to lock.
smartlock  lock  iot 
july 2018 by charlesarthur
Totally pwning the Tapplock smart lock • Pen Test Partners
Andrew Tierney:
<p>We move onto the Bluetooth Low Energy and this is where things get really, really bad.

Normally I love reading about IoT hacks that take time, effort and ingenuity, but I can’t do that here. In under 45 minutes, we had the ability to walk up to any Tapplock and unlock it.

First things first, the app communicates over HTTP. There is no transport encryption. This is unforgiveable in 2018.

<img src="" width="100%" />

I could see that a string of “random” looking data was sent to the lock over BLE each time I connected to it. Without this data, the lock would not respond to commands.

<img src="" width="100%" />

But it was also noted that this data did not change, no matter how many times I connected. A couple of lines of commands in gatttool and it was apparent that the lock was vulnerable to trivial replay attacks.

<img src="" width="100%" />

The app allows you to “share” the lock with someone else, revoking permissions at a later date. I shared the lock with another user, and sniffed the BLE data. It was identical to the normal unlocking data. Even if you revoke permissions, you have already given the other user all the information they need to authenticate with the lock, in perpetuity.

This issue is remarkably similar to the problem with the Ring Smart Doorbell – it was impossible to revoke another high privilege users permissions.</p>

I'm doing a webinar today (Thursday) titled "<a href="">The Internet of Insufficiently Safe Things</a>". This is obviously going to be a late addition.
iot  hacking 
june 2018 by charlesarthur
From Westworld to best world for the Internet of Things • The New York Times
Jonathan Zittrain:
<p>A longstanding ethos of internet development lets anyone build and share new code and services, with consequences to be dealt with later. I call this the “procrastination principle,” and I don’t regret supporting it. But it’s hard to feel the same way about the internet of things.

Worries about security for these devices have become widespread, and they fall roughly into two categories.

First, compromised networked things can endanger their users. In 2015, Chrysler recalled 1.4 million vehicles after researchers showed they could hack a Jeep and disable its brakes and transmission. Coffee makers and other appliances with heating elements could have safety features overridden, starting a fire. And an alert was issued on certain pacemakers last year after vulnerabilities were found that could allow attackers to gain unauthorized access and issue commands to the devices.

Second, hacking even a tiny subset of the 10 billion and counting networked things can produce threats larger than any one consumer. Individually these devices may be too small to care about; together they become too big to fail. Security systems in a city could be made to sound an alarm simultaneously. Light bulbs can be organized into bot armies, directed to harm any other internet-connected target. And worse than a single Jeep executing an unexpected sharp left turn is a whole fleet of them doing so.

Short of rejecting internet integration with appliances, dealing with this is not easy. As with home routers, we tend to keep appliances around for years, so vulnerabilities aren’t phased out quickly.

In fact, many vendors might stop issuing firmware updates for physical objects even while they’re still widely in use — abandoning the public to problems lurking in embedded code. And otherwise-valuable “over the air” security updates could also be a gateway to a hack, especially for small vendors of cheap if useful objects like $5 drones.</p>

Zittrain is one of the important thinkers out there. If he's worried about IoT, so should we all be.

Did I mention that one of the chapters in my book looks at a botnet attack via the IoT, and has a surprising discovery about Ikea? It does.
iot  hacking 
june 2018 by charlesarthur
Cryptocurrency-mining malware targeting IoT, being offered in the underground • TrendLabs Security Intelligence Blog
<p>Crime follows the money, as the saying goes, and once again, cybercriminals have acted accordingly. The underground is flooded with so many offerings of cryptocurrency malware that it must be hard for the criminals themselves to determine which is best. This kind of malware, also known as cryptomalware, has a clear goal, which is to make money out of cryptocurrency transactions. This can be achieved through two different methods: stealing cryptocurrency and mining cryptocurrency on victims’ devices surreptitiously (without the victims noticing), a process also known as cryptojacking. In this post, we discuss how these two methods work, and see whether devices connected to the internet of things (IoT), which are relatively underpowered, are being targeted.</p>

*taps mic* in my book <a href="">Cyber Wars - published today!</a> - I look at how weak the security around IoT devices tends to be, based on amazingly old code and with terrible business models that don't envisage security updates.

Cryptocurrency is a quiet way of doing it, rather than the hacking where you get millions of devices to attack someone in a DDOS attack.
crypto  iot  hacking 
may 2018 by charlesarthur
They’re on the lookout for malware that can kill • The Washington Post
Ellen Nakashima and Aaron Gregg:
<p>Dragos built a software product to help industrial companies detect cyberthreats to their networks and respond to them. Its clients include energy, manufacturing and petrochemical factories in the United States, Europe and Middle East.

In October, Dragos discovered Trisis, a malware that targets a “safety instrumented system,” or a machine whose sole function is to prevent fatal accidents. In a petrochemical plant, for instance, there are machines that operate at very high pressures, and if a valve blows, the pressure or the leak of hazardous materials could kill a human being. But a safety instrumented machine is supposed to shut down the entire system to reduce the risk of a fatal accident.

There has been one known deployment of the Trisis malware — FireEye called it Triton — at a petrochemical plant in Saudi Arabia in August. But a coding error prevented the malware from working as intended, and a potential catastrophe was averted.

As of this week the culprits behind Trisis were still active in the Middle East, Lee said. “It’s reasonable to assume that [what happened last year] is not a one-time event.’’

Though Dragos had some indication of who was responsible, the firm refrained from drawing a conclusion. “It wasn’t cut and dried,” Lee said. Dragos shared the malware with the Department of Homeland Security, but Lee argued against the government seeking to assign blame.

“The best they could do is a well-reasoned guess,” he said. “There’s not the years’ worth of data on this event that would make attribution possible.”</p>
malware  iot 
may 2018 by charlesarthur
Internet of babies: when baby monitors fail to be smart • SEC Consult
<p>Baby monitors serve an important purpose in securing and monitoring our loved ones. Unfortunately, the investigated device “Mi-Cam” from miSafes (and potentially further devices) is affected by a number of critical security vulnerabilities which raise serious security and privacy concerns. An attacker is able to access and interact with arbitrary video baby monitors and hijack other user accounts. Based on observed user identifier values extracted from the cloud API and Google Play store data, an estimated total number of more than 52,000 user accounts and video baby monitors are affected (implying a 1:1 distribution of user accounts to video baby monitors). Even worse, neither the vendor nor the CNCERT/CC could be reached for the coordination for our responsible disclosure process. Hence the issues are (up until the publication of this article) not patched and our recommendation is to keep the video baby monitors offline until further notice.</p>

Baby monitors have never been the most secure things (in older times, they offered a couple of radio channels; people in adjacent flats or houses could sometimes eavesdrop accidentally). But this is taking it further.
Video  iot  security  hacking 
february 2018 by charlesarthur
The house that spied on me • Gizmodo
Kashmir Hill and Surya Matta:
Matta: Yes, I am basically Kashmir’s sentient home. Kashmir wanted to know what it would be like to live in a smart home and I wanted to find out what the digital emissions from that home would reveal about her. Cybersecurity wasn’t my focus. (I wasn’t interested in hacking her sex toy or any of her other belongings.) Privacy was. What could I tell about the patterns of her and her family’s life by passively gathering the data trails from her belongings? How often were the devices talking? Could I tell what the people inside were doing on an hourly basis based on what I saw?

Using a Raspberry Pi computer, I built a router with a Wi-Fi network called “iotea” (I’m not very good at naming things) to which Kashmir connected all of her devices, so that I could capture the smart home’s network activity. In other words, I could see every time the devices were talking to servers outside the home.

I had the same view of Kashmir’s house that her Internet Service Provider (ISP) has. After Congress voted last year to allow ISPs to spy on and sell their customers’ internet usage data, we were all warned that the ISPs could now sell our browsing activity, or records of what we do on our computers and smartphones. But in fact, they have access to more than that. If you have any smart devices in your home—a TV that connects to the internet, an Echo, a Withings scale—your ISP can see and sell information about that activity too. With my “iotea” router I was seeing the information about Kashmir and her family that Comcast, her ISP, could monitor and sell.</p>

All very scary, really. And inconvenient: she needed 14 different apps (and accounts) to control it all, and the lights wouldn't listen to the Alexa, and "smart coffee was also a world of hell". (The dream of making-coffee-at-a-distance just won't go away.)
surveillance  iot 
february 2018 by charlesarthur
Why smart devices will get more expensive • The Information
Aaron Tilley:
<p>Qualcomm is talking with a fridge maker about adding a downward-facing camera to understand if a kid or an adult is standing in front of the appliance, according to Raj Talluri, a senior vice president at Qualcomm.

But these higher end chips and other more complex hardware could add several hundred dollars to the cost of devices. And the big question is whether consumers will want to pay extra for these more advanced features and capabilities. As it is, devices with virtual assistants have yet to prove themselves as must-have products. The vast majority of people still only use their Echo, for instance, to check the weather or to play music, according to market research firm Argus Insights. It could be hard to persuade consumers to pay even more for a function they don’t need.

“Unless it’s a piece of hardware that’s earth shattering that no one can get from anyone else, it will be hard to convince consumers to buy it,” said Rene Haas, president of the chip licensing product group at Arm. He said companies behind the virtual assistants like Google and Amazon will have to make money off services.</p>

Services tend not to make that much money, unless you're Google offering people ads to click. Hardware makes money, if you do it right. Not sure that people are really going to want cameras monitoring them by the fridge.
fridge  iot  camera 
january 2018 by charlesarthur
q2vq2 • Ghostbin
"Dr Cyborkian a.k.a. janit0r, conditioner of 'terminally ill' devices":
<p>I am now here to warn you that what I've done was only a temporary band- aid and it's not going to be enough to save the Internet in the future.

The bad guys are getting more sophisticated, the number of potentially vulnerable devices keep increasing, and it's only a matter of time before a large scale Internet-disrupting event will occur. If you are willing to believe that I've disabled over 10 million vulnerable devices over the 13-month span of the project then it's not far-fetched to say that such a destructive event could've already happened in 2017.

YOU SHOULD WAKE UP TO THE FACT THAT THE INTERNET IS ONLY ONE OR TWO SERIOUS IOT EXPLOITS AWAY FROM BEING SEVERELY DISRUPTED. The damage of such an event is immeasurable given how digitally connected our societies have become, yet CERTs, ISPs and governments are not taking the gravity of the situation seriously enough.

ISPs keep deploying devices with exposed control ports and although these are trivially found using services like Shodan the national CERTs don't seem to care. A lot of countries don't even have CERTs. Many of the world's biggest ISPs do not have any actual security know-how in-house, and are instead relying on foreign vendors for help in case anything goes wrong. I've watched large ISPs withering for months under conditioning from my botnet without them being able to fully mitigate the vulnerabilities (good examples are BSNL, Telkom ZA, PLDT, from time to time PT Telkom, and pretty much most large ISPs south of the border).</p>

HE seems to be the author of "Brickerbot", an IoT-attacking malware strain which just seems to wreck them. If history is a guide, he's releasing the code for this (linked earlier in his post) because law enforcement is close enough that he's about to be caught, so he wants deniability - he uploads the code somewhere and then downloads it, and denies he wrote it. (Paras Jha, who recently pleaded guilty with others to writing the Mirai IoT bot, did the same.)
internet  security  hacking  iot 
december 2017 by charlesarthur
Mirai IoT botnet co-authors plead guilty • Krebs on Security
Brian Krebs, who named two of the people he believed - through online sleuthing - were behind the original Mirai botnet (which is not the one that knocked Twitter, Reddit et al offline last year):
<p>In addition, the Mirai co-creators pleaded guilty to charges of using their botnet to conduct click fraud — a form of online advertising fraud that will cost Internet advertisers more than $16bn this year, according to estimates from ad verification company Adloox. 

The plea agreements state that Jha, White and another person who also pleaded guilty to click fraud conspiracy charges — a 21-year-old from Metairie, Louisiana named Dalton Norman — leased access to their botnet for the purposes of earning fraudulent advertising revenue through click fraud activity and renting out their botnet to other cybercriminals.

As part of this scheme, victim devices were used to transmit high volumes of requests to view web addresses associated with affiliate advertising content. Because the victim activity resembled legitimate views of these websites, the activity generated fraudulent profits through the sites hosting the advertising content, at the expense of online advertising companies.

Jha and his co-conspirators admitted receiving as part of the click fraud scheme approximately two hundred bitcoin, valued on January 29, 2017 at over $180,000.

Prosecutors say Norman personally earned over 30 bitcoin, valued on January 29, 2017 at approximately $27,000. The documents show that Norman helped Jha and White discover new, previously unknown vulnerabilities in IoT devices that could be used to beef up their Mirai botnet, which at its height grew to more than 300,000 hacked devices.</p>

Click fraud by IoT. Things pretending to be people to click ads.
clickfraud  mirai  hacking  iot 
december 2017 by charlesarthur
Amazon wants a key to your house. I did it. I regretted it • The Washington Post
Geoffrey Fowler (and no, the boss - Bezos didn't force him to do it or be nice about it):
<p>The good news is nobody ran off with my boxes — or burgled my house.

The bad news is Amazon missed four of my in-home deliveries and charged me (on top of a Prime membership) for gear that occasionally jammed and makes it awkward to share my own door with people, apps, services — and, of course, retailers — other than Amazon.

“Amazon Key has had a positive reception from customers since its launch last month,” Amazon spokeswoman Kristen Kish said. “There have been situations where we haven’t gotten it right with a delivery and we use these situations to continue making improvements to the service.”

Big tech companies love building walled gardens, in ham-handed attempts to keep customers loyal. But for an ask this big (total access to your home, after all), Amazon needs to make Key better…

…When you use Amazon Key, you get a phone alert with a window when a delivery might occur. If no one is home, the delivery person taps an app that grants one-time access to unlock your door, places the package inside, then relocks the door. (They don’t recommend Key if you have a pet, and won’t come in if they hear barking.) The moment the door unlocks, the Cloud Cam starts recording — and sends you a live stream of the whole thing. It’s a surreal 15 seconds.</p>

Not only but also: finicky setup, occasional bugs leading to fake warnings, and a door that ended up with Schrödinger's Lock.
amazon  technology  iot 
december 2017 by charlesarthur
A smart fish tank left a casino vulnerable to hackers • CNN
Selena Larson:
<p>Hackers attempted to steal data from a North American casino through a fish tank connected to the internet, according to a report from security firm Darktrace.

Despite extra security precautions set up on the fish tank, hackers still managed to compromise the tank to send data to a device in Finland before the threat was discovered and stopped.
"Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network," Justin Fier, director for cyber intelligence and analysis at Darktrace, explained to CNN Tech.

As internet-connected gadgets and appliances become more common, there are more ways for bad guys to gain access to networks and take advantage of insecure devices. The fish tank, for instance, was connected to the internet to automatically feed the fish and keep their environment comfortable -- but it became a weak link in a the casino's security.

The unnamed casino's rogue fish tank is one of nine unusual threats that Darktrace identified on corporate networks published in a report Thursday.</p>

security  iot  fishtank  hacking 
july 2017 by charlesarthur
IoT thermostat bug allows hackers to turn up the heat • Newsky Security blog
Ankit Anubhav:
<p>With the ever-increasing impact of smart and connected devices in our daily lives, Cybersecurity has a variety of security challenges to deal with. The field of traditional computer security deals with a myriad of issues like data theft or sabotage. However, when it comes to IoT security, the consequences of a successful attack can be even more diverse. In this post, we discuss an IoT Smart Thermostat bug and how a hacker leveraged it to raise the control temperature by 12C (~22F) degrees.</p>

Turns out to be pretty straightforward. Shodan, the search engine that lets you search for IoT systems, is something of a hazard in that respect. The bug has been patched, but it won't be the last.
thermostat  iot 
july 2017 by charlesarthur
Intel discontinues Joule, Galileo, and Edison product lines • Hackaday
Jenny List:
<p>Sometimes the end of a product’s production run is surrounded by publicity, a mix of a party atmosphere celebrating its impact either good or bad, and perhaps a tinge of regret at its passing. Think of the last rear-engined Volkswagens rolling off their South American production lines for an example.

Then again, there are the products that die with a whimper, their passing marked only by a barely visible press release in an obscure corner of the Internet. Such as this week’s discontinuances from Intel, in <a href="">a series of PDFs lodged on a document management server</a> announcing the end of their Galileo (PDF), Joule (PDF), and Edison (PDF) lines. The documents in turn set out a timetable for each of the boards, for now they are still available but the last will have shipped by the end of 2017.

It’s important to remember that this does not mark the end of the semiconductor giant’s forray into the world of IoT development boards, there is no announcement of the demise of their Curie chip, as found in the Arduino 101. But it does mark an ignominious end to their efforts over the past few years in bringing the full power of their x86 platforms to this particular market, the Curie is an extremely limited device in comparison to those being discontinued.</p>

So Intel is retreating from a number of Internet of Things spaces. ARM stuff is likely to dominate. Strange how it turns out that ARM's RISC (reduced instruction set computing) has won, bit by bit, over Intels' CISC (complex instruction set). ARM, of course, being a British company before Softbank bought it. Just wanted to mention that.
arm  intel  iot 
june 2017 by charlesarthur
Rise of the machines: who is the ‘internet of things’ good for? • The Guardian
Adam Greenfield:
<p>In San Francisco, a young engineer hopes to “optimise” his life through sensors that track his heart rate, respiration and sleep cycle. In Copenhagen, a bus running two minutes behind schedule transmits its location and passenger count to the municipal traffic signal network, which extends the time of the green light at each of the next three intersections long enough for its driver to make up some time. In Davao City in the Philippines, an unsecured webcam overlooks the storeroom of a fast food stand, allowing anyone to peer in on all its comings and goings.

What links these wildly different circumstances is a vision of connected devices now being sold to us as the “internet of things”. The technologist Mike Kuniavsky, a pioneer of this idea, characterises it as a state of being in which “computation and data communication [are] embedded in, and distributed through, our entire environment”. I prefer to see it for what it is: the colonisation of everyday life by information processing.

Though it can often feel as if this colonisation proceeds of its own momentum, distinct ambitions are being served wherever and however the internet of things appears. The internet of things isn’t a single technology. About all that connects the various devices, services, vendors and efforts involved is the end goal they serve: capturing data that can then be used to measure and control the world around us.</p>

Or just control us? A good (long) read.
ai  internetofthings  iot  capitalism 
june 2017 by charlesarthur
Even Apple can't make the Internet of Things tolerable • The Verge
The person behind the @internetofshit Twitter account:
<p>The companies behind our devices, both big and small, must make hardware changes to be accepted into HomeKit, must add authentication chips that are only available from Apple, must choose an Apple-approved manufacturer, must send free samples for certification, and must not talk about the certification while hoping they don’t go bankrupt while waiting for the entire process to complete.

Here’s an example of the frustration HomeKit creates: I bought Philips Hue lights a few years ago, and had been happily using them via the app provided by Philips. But if I wanted to get them working with HomeKit and the Home app I’d need to go out and buy an upgraded $59.99 bridge with Apple’s special chip just to get them talking — a change that could normally be done via a software upgrade. The same goes for other existing devices. If it didn’t ship with HomeKit support, you’ll have to replace it at your own cost to get it working later on. With Google Home, all I had to do was pair my existing Hue bridge and it worked immediately with my voice — no weird naming or specific phrases like “Siri, turn off Office Lights 2” required.

I must concede that this rigor is a net positive: Apple’s approved HomeKit devices are presumably the least likely to suffer from IoT plagues like the Mirai botnet that famously took down millions of connected cameras. For many IoT manufacturers and their customers, the last thing they’re thinking about is security, as we’ve all seen. What frustrates me is that HomeKit ignores all previous work done to standardize the Internet of Things, leaving thousands of useful products incompatible.</p>
apple  iot 
may 2017 by charlesarthur
Hacking blamed for emergency sirens blaring across Dallas early Saturday • Dallas News
Claire Ballor, Robert Wilonsky and Tom Steele on the suspected hack that set off 156 sires around the city early on Saturday morning:
<p>Council member Philip Kingston, a member of the Public Safety Committee, said Saturday morning that officials will move the compromised emergency system to the top of their agenda.

"And that's sad, because the list is so long," he said, referring to other problems, including the short-staffed 911 call center.

"If this is indeed hacking, it has just become top priority," Kingston said. "And you can put me down as terrified."

Jennifer Staubach Gates, who also serves on the Public Safety Committee and is chairwoman of the Budget, Finance and Audit Committee, said City Auditor Craig Kinton recently told her it was time for the city to review its security vulnerabilities.

"If it's hacking, it's extremely concerning," she said. "If someone's messing with our emergency system, we've got an issue. We need to get to the bottom of it — what kind of vulnerabilities do we have?"</p>

The answer to that is probably "more than one". Another day (or early morning), another IoT exploit.
security  hacking  infrastructure  iot 
april 2017 by charlesarthur
Forget Mirai – Brickerbot malware will kill your crap IoT devices • The Register
Iain Thomson:
<p>A new form of attack code has come to town and it uses techniques similar to Mirai to permanently scramble Internet of Things devices.

On March 20 researchers at security shop Radware spotted the malware, dubbed Brickerbot, cropping up in honeypots it sets up across the web to lure interesting samples. In the space of four days, one honeypot logged 1,895 infection attempts by Brickbot, with the majority of attacks coming from Argentina, and a second logged 333 attempts – untraceable as they came from a Tor node.

"The Bricker Bot attack used Telnet brute force – the same exploit vector used by Mirai – to breach a victim's devices," <a href="">Radware's advisory</a> states.

"Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but were able to record that the first attempted username/password pair was consistently 'root'/'vizxv.'"</p>

There's a suggestion that it's trying to brick devices before they can become part of a botnet. Seems like burning the village to save it if so.
malware  iot  security 
april 2017 by charlesarthur
iPhone App will not stay open - just flashes when trying to launch - Install / Device Setup • Garadget Community
Garadget is a Bluetooth-enabled garage door unlocker. And here's a customer on the support forums with a complaint:
<p><strong>rdmart73d:</strong> Just installed and attempting to register a door when the app started doing this. Have uninstalled and reinstalled iphone app, powered phone off/on - wondering what kind of piece of shit I just purchased here...

<strong>garadget3d [the operator]:</strong>
Martin: The abusive language here and in your negative Amazon review, submitted minutes after experiencing a technical difficulty, only demonstrates your poor impulse control. I'm happy to provide the technical support to the customers on my Saturday night but I'm not going to tolerate any tantrums.

At this time your only option is return Garadget to Amazon for refund. Your unit ID 2f0036... will be denied server connection.</p>

Hey, now that's what I call customer service.. of a sort. It <a href="">made the front of YCombinator's Hacker News</a>. Though as Mr Garadget pointed out, <a href="">Elon Musk once did the same</a>. (Hint: don't.)
cloud  iot  customerservice 
april 2017 by charlesarthur
About 90% of smart TVs vulnerable to remote hacking via rogue tv signals • Bleeping Computer
Catalin Cimpanu:
<p>[Rafael] Scheel says that "about 90% of the TVs sold in the last years are potential victims of similar attacks," highlighting a major flaw in the infrastructure surrounding smart TVs all over the globe.

At the center of Scheel's attack is Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable providers and smart TV makers that "harmonizes" classic broadcast, IPTV, and broadband delivery systems. TV transmission signal technologies like DVB-T, DVB-C, or IPTV all support HbbTV.

Scheel says that anyone can set up a custom DVB-T transmitter with equipment priced between $50-$150, and start broadcasting a DVB-T signal.

By design, any nearby TV will connect to the stronger signal. Since cable providers send their signals from tens or hundreds of miles away, attacks using rogue DVB-T signals could be mounted on nearby houses, a neighborhood, or small city. Furthermore, an attack could be carried out by mounting the DVB-T transmitter on a drone, targeting a specific room in a building, or flying over an entire city.

According to Scheel, the problem is that the HbbTV standard, carried by DVB-T signals and supported by all smart TVS, allows the sending of commands that tell smart TVs to access and load a website in the background.

Knowing this, Scheel developed two exploits he hosted on his own website, which when loaded in the TV's built-in browser would execute malicious code, gain root access, and effectively take over the device.</p>

Guess what? His first hack used a Flash exploit from 2015; then a Javascript sorting flaw. Why do we need smart TVs again?
security  tv  hack  iot 
march 2017 by charlesarthur
Dishwasher has directory traversal bug • The Register
Richard Chirgwin:
<p>Don't say you weren't warned: Miele went full Internet-of-Things with a dishwasher, gave it a web server and now finds itself on the wrong end of a bug report and it's accused of ignoring the warning.

The utterly predictable <a href="">bug report</a> at Full Disclosure details CVE-2017-7240, “Miele Professional PG 8528 - Web Server Directory Traversal”.

“The corresponding embedded Web server 'PST10 WebServer' typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks.”

Proving it for yourself is simple: GET /../../../../../../../../../../../../etc/shadow HTTP/1.1 to whatever IP the dishwasher has on the LAN.

Directory traversal attacks let miscreants access directories other than those needed by a web server. And once they're in those directories, it's party time because they can insert their own code and tell the web server to execute it.</p>

If you squint hard, you can see why you might want this - to turn on your dishwasher at some convenient time of day when you're not there. (Solar panels work during the day...) However, internet security is harder than making dishwashers.
iot  security  failure 
march 2017 by charlesarthur
What’s wrong with the smart home? • Stacey on IoT
Stacey Higginbotham:
<p>I’ve been thinking for the last few months that we’ve misled people about the promise of the smart home, and perhaps as an industry, we need to focus on the basics before promising these intuitive homes of the future.

<img src="" width="100%" />

I recently built a presentation to this effect (which also digs into the reasons voice won’t save us) and was excited to see others discussing this topic as well.  Scott Jenson, a designer who works at Google, and Kai Kreuzer who works on the OpenHab smart home platform, both did a great job digging into the current state of the industry to explain why it’s not awesome.

Jenson’s point is that we’ve screwed up by not building the internet of things on the same principles of the open web. Instead, companies force consumers into their own apps and refuse to share data. The result of this is that nothing works together and the onboarding experience is terrible for most consumer devices.

He argues that we are missing essential underpinning technology to get the level of distributed intelligence the smart home needs. So not only do things need to be open, but we also need to think about how to make trusted, distributed systems.</p>

"Trusted, distributed systems"? Sounds a bit like blockchain, or something similar. Equally, the reason companies force consumers into their own apps is that that's the only way to make the business model work.
iot  smarthome 
march 2017 by charlesarthur
Data from connected CloudPets teddy bears leaked and ransomed, exposing kids' voice messages • Troy Hunt
The security researcher explains:
<p>firstly, put yourself in the shoes of the average parent, that is one who's technically literate enough to know the wifi password but not savvy enough to understand how the "magic" of daddy talking to the kids through the bear (and vice versa) actually works. They don't necessarily realise that every one of those recordings – those intimate, heartfelt, extremely personal recordings – between a parent and their child is stored as an audio file on the web. They certainly wouldn't realise that in CloudPets' case, that data was stored in a MongoDB that was in a publicly facing network segment without any authentication required and had been indexed by Shodan (a popular search engine for finding connected things).

Unfortunately, things only went downhill from there. People found the exposed database online. Many people and the worrying thing is, it's highly unlikely anyone knows quite how many. The first I knew of it was when earlier last week, someone sent me data from the table holding the user accounts, about 583k records in total (this subsequently turned out to be a subset of the total number in the CloudPets service). I started going through my usual verification process to ensure it was legitimate and by pure coincidence, I was in the US running a private security workshop at the time and one of the guys in my class had a CloudPets account. Sure enough, his email address was in the breach and it was time-stamped Christmas day, the day his daughter had been given the toy. His record looked somewhat like these, the first few in the data I was given:

The password was stored as a bcrypt hash and to verify it was legitimate, he gave me his original password (I asked him to change it on CloudPets first) and I successfully validated that the hash against his record was the correct one (I'd previously validated the Dropbox data breach by doing the same thing with my wife's account). The data was real.

CloudPets left their database exposed publicly to the web without so much as a password to protect it.</p>
security  privacy  iot  bears 
march 2017 by charlesarthur
University attacked by its own vending machines, smart light bulbs & 5,000 IoT devices • Network World
"Ms Smith":
<p>Today’s cautionary tale comes from Verizon’s sneak peek (pdf) of the 2017 Data Breach Digest scenario. It involves an unnamed university, seafood searches, and an IoT botnet; hackers used the university’s own vending machines and other IoT devices to attack the university’s network.

Since the university’s help desk had previously blown off student complaints about slow or inaccessible network connectivity, it was a mess by the time a senior member of the IT security team was notified. The incident is given from that team member’s perspective; he or she suspected something fishy after detecting a sudden big interest in seafood-related domains.

The “incident commander” noticed “the name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood. As the servers struggled to keep up, legitimate lookups were being dropped—preventing access to the majority of the internet.” That explained the “slow network” issues, but not much else.

The university then contacted the Verizon RISK (Research, Investigations, Solutions and Knowledge) Team and handed over DNS and firewall logs. The RISK team discovered the university’s hijacked vending machines and 5,000 other IoT devices were making seafood-related DNS requests every 15 minutes.</p>
iot  hacking  malware 
february 2017 by charlesarthur
The future of advertising relies on the internet of things • Aldo Agostinelli
Aldo Agostinelli:
<p>The survey [by the Interactive Advertising Bureau, IAB], rather bluntly titled <a href="">“The Internet of Things”</a>, showed that 62% of the interviewees owns at least one device connected to the IoT and 65% of those who don’t own any are going to buy one soon. Data on advertising is even more interesting: 55% of the interviewees are willing to be served ads in exchange for discounts or exclusive apps, and the percentage reaches 65% among those who already own IoT connected devices. Furthermore, 69% of those whose income is around 100 thousand dollars per year, and 68% of young people aged between 18 and 34, are happy to receive with pop up ads via the IoT.

The IoT has many benefits for advertising: not only can a message related to a product reach a specific and clearly identified target audience, but the message can be designed based on data which makes it more personal and, therefore, more efficient. Indeed, companies which can collect data from the Internet of Things will be able to use the data also to better understand who their customers are and how their products are used. They’ll be able to add new information to the CRM, notify customers about future product upgrades and develop advertising campaigns aimed at increasing customers loyalty. Which means other agents may intervene and develop ad hoc software and applications.

Absolut, for instance, in partnership with Evrythng, a company specializing in the IoT, is trying to design smart bottles which can connect to the net. With a total of over 100 million bottles delivered each year, this is a logical step aimed at keeping in touch with their customers even after purchases have been made.</p>

What an appalling, dystopian world. Ads with everything.
Advertising  iot 
february 2017 by charlesarthur
Cops use pacemaker data to charge man with arson, insurance fraud • Network World
<p>There were additional “conflicting statements” given to the 911 operator; [houseowner Ross] Compton had said “everyone” was out of the house, yet the 911 operator also heard him tell someone to “get out of here now.” In the 911 call published by WLWT5, an out-of-breath Compton claimed he had “grabbed a bunch of stuff, threw it out the window.” He claimed to have packed his suitcases, broken the glass out of bedroom window with his walking stick, and tossed the suitcases outside.

Compton also told the dispatcher he had “an artificial heart.”

After this, things really get interesting because police investigators used data from Compton’s electronic heart device against him. Isn’t that self-incrimination? Can a person “plead the Fifth” when it comes to self-incriminating data collected from their medical device?

Police set out to disprove Compton’s story about the fire by obtaining a search warrant to collect data from Compton’s pacemaker. WLWT5 reported that the cops wanted to know “Compton’s heart rate, pacer demand and cardiac rhythms before, during and after the fire.”</p>

This happened in the wonderfully named Middletown, Ohio. How soon before it's your smartwatch or fitness band giving the lowdown on what you've been doing?
privacy  biometrics  data  iot 
february 2017 by charlesarthur hacked the Samsung Smartcam yet again, this time with a root exploit • Android Police
<p>After the first wave of exploits [in May 2014], the Smartcam's local web interface was completely removed, only allowing users to connect to it via the <a href="">Samsung SmartCloud website</a>. The company hoped that this would remove all possible exploits, but they neglected to remove the actual web server itself (only deleting the interface that the server was running).

Because the web server is still available, another exploit was found - allowing commands to be run on the Smartcam as root. The full technical details <a href="">can be found on the wiki</a>, but essentially, this works by injecting a specific file into the device's "iWatch" webcam monitoring service as a firmware update. This can then be used to execute commands remotely as the root user, because the web server runs as root.

Interestingly, the Smartcam was developed by Samsung Techwin, a former division of Samsung. Samsung sold its holding stake of Techwin in 2015 to South Korean conglomerate Hanwha Group. The company, now called Hanwha Techwin, is still responsible for the Samsung Smartcam - likely explaining the camera's poor user experience and security.</p>

The Exploiteers wiki is worth a browse; seems to be an IoT hacking/exploit wiki. Oddly, no Apple gear in there.
iot  samsung 
january 2017 by charlesarthur
Demo: Hidden Voice Commands • UC Berkeley/Georgetown U research
An eight-strong team from the two universities show how machines can hear things that you can't - and will act on them:
<p>The <a href="">video below</a> shows black box attack attack being carried out in presence of background noise with the target phone kept at a distance on 10.1 ft away from the speakers used to play the attack audio. 

The understanding of attack commands by a human listener is subject to priming effects:  when we already know the actual message embedded in an obfuscated command, we unconsciously "hear" that message in the noise. This effect is so extreme that we can even "hear" primed messages when no such message actually exists; see, for example, <a href="">Sounds you can't Unhear</a>. </p>

<iframe title="YouTube video player" class="youtube-player" type="text/html" src="//;wmode=opaque" frameborder="0" allowfullscreen="true" width="560" height="315"></iframe>

The video is creepy, and amazing. They've <a href="">published a paper</a> too.

I mean, imagine if you broadcast one of those "hidden" commands over some speakers to direct the phone belonging to, say, a resident of a tower in New York to open a URL which exploited a known Android security flaw so you could take the phone over and passively connect to the microphone. Imagine.
security  technology  iot  research 
january 2017 by charlesarthur
Google launches first developer preview of Android Things, its new IoT platform • TechCrunch
Frederic Lardinois:
<p>Google has partnered with a number of hardware manufacturers to offer solutions based on Intel Edison, NXP Pico and the Raspberry Pi 3. One interesting twist here is that Google will also soon enable all the necessary infrastructure to push Google’s operating system updates and security fixes to these devices.

In addition, Google also today <a href="">announced</a> that a number of new smart device makers are putting their weight behind Weave. Belkin WeMo, LiFX, Honeywell, Wink, TP-Link and First Alert will adopt the protocol to allow their devices to connect to the Google Assistant and other devices, for example. The Weave platform is also getting an update and a new Device SDK with built-in support for light bulbs, smart plugs, switches and thermostats, with support for more device types coming soon. Weave is also getting a management console and easier access to the Google Assistant.

Google’s IoT platforms have long been a jumble of different ideas and protocols that didn’t always catch on (remember Android@Home from 2011?). It looks like the company is now ready to settle on a single, consolidated approach. Nest Weave, a format that was developed by Nest for Nest, is now being folded into the overall Weave platform, too. </p>

Fingers crossed that the security updates really do get to the devices. As we've seen with the IoT, security is much more important than on smartphones because web servers will do anything you tell them to.
google  iot  androidthings 
december 2016 by charlesarthur
Routers behaving badly • net.wars
Wendy Grossman:
<p>Late on Saturday night, a small laptop started having trouble connecting. This particular laptop sometimes has these issues, which I put down to the peculiarities of running wired ethernet into it via a USB converter. But the next day I realized that the desktop was timing out on some connections, and one of the other laptops was refusing to connect to the internet at all. An unhappy switch somewhere in the middle? Or perhaps a damaged cable? The wireless part of the network, which I turned on as a test, worked much better, which lent credence to the cable idea.

By Monday morning, I had concluded the thing to do was to restart the main router. Things were fine after that. On Tuesday morning, some bounced emails from my server alerted me to the fact that my IP address had been placed on one of the three blacklists Spamhaus consults. It was only then that I realized my router was one of the ones affected by <a href="">the 7547 bug</a>. If my network had been spewing botnet messages, the router was infected.</p>

She managed to fix it (pretty much) but as she points out, if even knowledgeable people are struggling with this, what hope for those who just buy a smart lightbulb or smart thermostat or smart whatever and assume that's the end of the story? We're building up trouble.
Iot  hacking  malware 
december 2016 by charlesarthur
Newly discovered router flaw being hammered by in-the-wild attacks • Ars Technica
Dan Goodin:
<p>Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers. The devices leave Internet port 7547 open to outside connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes.

SANS Dean of Research Johannes Ullrich said in Monday's post that exploits are almost certainly the cause behind an outage that hit Deutsche Telekom customers over the weekend. In a Facebook update, officials with the German ISP said 900,000 customers are vulnerable to the attacks until they are rebooted and receive an emergency patch. Earlier this month, researchers at security firm BadCyber reported that the same one-two port 7547/TR-064 exploit hit the home router of a reader in Poland. They went on to identify D1000 routers supplied by Eircom as also being susceptible and cited this post as support. The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world.</p>
iot  hacking 
november 2016 by charlesarthur
IoT Security • DevicePilot
<p>In this DevicePilot white paper we summarise the various aspects of security which need to be considered when designing connected products for the Internet of Things… Why exactly might you (or your users) care about security? What are you trying to prevent? What are the risks? What’s the worst that could happen? Let’s illustrate the risks with a few concrete examples:

• TriplePoint Inc. is launching a range of Smart Meters with remotely-operable power switches. If an attacker gained control over their network the risk is not just that they might shut-down the 1 million homes in which they are installed, but might also crash large part of the distribution grid by adding or removing massive loads synchronously, overwhelming the emergency services for weeks. This would result not just in huge economic damage, but in the deaths of large numbers of vulnerable people.

• Edison Motors has a range of connected automobiles which synchronise with home WiFi to get updates and allow the vehicle to be remote-managed by both the owner and the manufacturer. The risks include not “just” attack on the vehicle’s essential systems, compromising safety, but also the potential to use the cars as a “botnet” to attack other computer systems on the internet.

• Babbadoo Products have just launched their new remote baby monitoring system for at-risk neonatal infants, which includes a live video feed. Risks include––</p>

iot  security 
november 2016 by charlesarthur
The inevitability of being hacked • The Atlantic
Andrew McGill:
<p>I switched on the server at  1:12 p.m. Wednesday, fully expecting to wait days—or weeks—to see a hack attempt.

Wrong! The first one came at 1:53 p.m.

<img src="" width="100%" />

This graphic is a simulation—a bot’s-eye view, if you will—but it’s the actual sequence of commands the hacking script used. It tried a common default username and password (root/root) and executed the “sh” command, giving it the ability to run programs and install its own code. My fake toaster doesn’t allow that, of course—it just cuts the connection.

The next hacking attempt, from a different IP address and using different login credentials, came at 2:07 p.m. Another came at 2:10. And then 2:40. And 2:48. In all, more than 300 different IP addresses attempted to hack my honeypot by 11:59 p.m. Many of them used the password “xc3511,” which was the factory default for many of the old webcams hijacked in last week’s attack.

The last attempted hack came 6 minutes ago using the username "root" and the password "xc3511." (Yes, those are live figures; they were updated when you loaded this page.)

I’ll admit this volume of attacks might not be typical. I hosted my fake toaster on a virtual Amazon server, not an actual toaster hooked up to residential internet. Hackers aren’t typing these passwords themselves—they’ve programmed bots to do the hard work for them, scanning through thousands of open ports an hour. </p>

Actual journalism: show people what happens, and how quickly. Nicely done, The Atlantic.
iot  crime  hacking 
october 2016 by charlesarthur
ARM: Hold my beer, we'll install patches for your crappy IoT gear for you • The Register
Chris Williams:
<p>Processor designer ARM will squirt security fixes directly into internet-connected gadgets to hopefully keep them defended from hackers.

Manufacturers of Internet-of-Things gizmos and other embedded products have complained that updating gear in the field is too much hard work. That means devices are rarely patched when security bugs are found, clearing the way for hackers to hijack vulnerable hardware to spy on people, flood websites offline, and cause other havoc.

So ARM has come up with mbed Cloud, a software-as-a-service platform that securely communicates with firmware in devices to install fixes and feature updates. Product makers pay to remotely manage all their sold kit. Crucially, they pay for what they use – whether it's pushing updates, or connecting millions of units, and so on.

It's similar to the cloud Next Thing Co has set up for its C.H.I.P. Pro: a web-based management interface for updating firmware over the internet, plus controls on the data leaving the devices.</p>

Mmmmm don't like this much either.
iot  security  arm 
october 2016 by charlesarthur
Akamai finds longtime security flaw on two million Internet of Things devices • WIRED
Lily Hay Newman:
<p>It’s well known that the Internet of Things is woefully insecure, but the most shameful and frustrating part is that some of the vulnerabilities that are currently being exploited could have been eradicated years ago. Now evidence of how these bugs are being used in attacks is calling attention to security holes that are long overdue to be plugged.

New research released this week from the content delivery network Akamai takes a closer look at how hackers are abusing weaknesses in a cryptographic protocol to commandeer millions of ordinary connected devices — routers, cable modems, satellite TV equipment, and DVRs — and then coordinate them to mount attacks. After analyzing IP address data from its Cloud Security Intelligence platform, Akamai estimates that more than 2 million devices have been compromised by this type of hack, which it calls SSHowDowN. The company also says that at least 11 of its customers — in industries like financial services, retail, hospitality, and gaming — have been targets of this attack.</p>
iot  security 
october 2016 by charlesarthur
The Insecurity of Things: part two • Xipiter
Stephen Ridley:
<p>With some really dead-simple techniques this device was easily compromised. Furthermore not only can you attack your own device, but an attacker could (without purchasing a device) potentially just download the firmware image from the manufacturer (as linked from the manufacturer's wiki), extract the filesystem image using binwalk and unsquashfs, and navigate to the right directories on the filesystem to retrieve the ssh private keys used to access the manufacturers backend.

From there potentially (if SSH works the way we think it does),  this key can be used to access ALL THE OTHER devices like it in the world currently connected to the internet. It should be noted that as the interns discovered these vulnerabilities in this device, they found "prior art" vulnerabilities found by D. Crowley (then of Trustwave Spider Labs) although there was no explicit mention of the ability to potentially access all the other devices via the manufacturer's servers (via the hardcoded SSH keys).</p>

Basically, showing how you'd take over one of those IoT devices which brought down a chunk of the internet last week.
iot  security 
october 2016 by charlesarthur
Security bug lifetime « codeblog
Kees Cook:
<p>In several of my <a href="">recent presentations</a>, I’ve discussed the lifetime of security flaws in the Linux kernel. Jon Corbet did an analysis in 2010, and found that security bugs appeared to have roughly a 5 year lifetime. As in, the flaw gets introduced in a Linux release, and then goes unnoticed by upstream developers until another release 5 years later, on average. I updated this research for 2011 through 2016, and used the Ubuntu Security Team’s CVE Tracker to assist in the process. The Ubuntu kernel team already does the hard work of trying to identify when flaws were introduced in the kernel, so I didn’t have to re-do this for the 557 kernel CVEs since 2011.</p>

Spoiler: it's still five years. Many eyes don't do much to bugs. Given how many IoT things rely on Linux, this is concerning.
bug  security  iot  linux 
october 2016 by charlesarthur
English man spends 11 hours trying to make cup of tea with Wi-Fi kettle • The Guardian
Bonnie Malkin:
<p>All Mark Rittman wanted was a cup of tea. Little did he know he would have to spend 11 hours waiting for his new hi-tech kettle to boil the water.

Rittman, a data specialist who lives in Hove, England, set about trying to make a cup of tea around 9am. But thanks to his Wi-Fi enabled kettle it wasn’t long before he ran into trouble, tweeting: "Still haven't had a first cup of tea this morning, debugging the kettle and now iWifi base-station has reset. Boiling water in saucepan now."

Three hours later the kettle was still having problems. The main issue seemed to be that the base station was not able to communicate with the kettle itself.</p>
internetofthings  iot 
october 2016 by charlesarthur
We need to save the internet from the Internet of Things • Motherboard
Bruce Schneier:
<p>The security of our computers and phones also comes from the fact that we replace them regularly. We buy new laptops every few years. We get new phones even more frequently. This isn't true for all of the embedded IoT systems. They last for years, even decades. We might buy a new DVR every five or ten years. We replace our refrigerator every 25 years. We replace our thermostat approximately never. Already the banking industry is dealing with the security problems of Windows 95 embedded in ATMs. This same problem is going to occur all over the Internet of Things.

The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.

What this all means is that the IoT will remain insecure unless government steps in and fixes the problem.</p>

DDOS attacks like the one on Brian Krebs's site are indeed a sort of pollution; an externality, in economics lingo. And you need governments to regulate externalities like this, since a tort lawsuit against the maker of an insecure device will probably fail - seller goes bust, is in a different country, etc.
internet  security  iot 
october 2016 by charlesarthur
Hackers infect army of cameras, DVRs for massive internet attacks • WSJ
Drew Fitzgerald:
<p>The proliferation of internet-connected devices from televisions to thermostats provide attackers a bigger arsenal of weapons to infiltrate. Many are intended to be plugged in and forgotten. These devices are “designed to be remote controlled over the internet,” said Andy Ellis, security chief at network operator Akamai Technologies Inc., some of whose clients were affected. “They’re also never going to be updated.”

Experts have long warned that machines without their own screens are less likely to receive fixes designed to protect them. Researchers have found flaws in gadgets ranging from “smart” lightbulbs to internet-connected cars. Wi-Fi routers are a growing source of concern as many manufacturers put the onus on consumers to do the updating.

Level 3 identified cameras and video recorders made by Chinese manufacturer Dahua Technology Co. as the sources of a large share of the recent attacks, but Level 3 said other devices are being roped into a new attack network currently being assembled. Hackers often hijack the machines through computers that are already infected or poorly protected Wi-Fi routers.</p>

Question is, if you have a device like that, how do you protect it?
hacking  iot 
october 2016 by charlesarthur
Sex toys and the Internet of Things collide—what could go wrong? • Ars Technica
David Kravets:
<p>It was only a matter of time before the Internet of Things caught up with sex toys and led to products like apps that remotely control vibrators from an Apple or Android device via a Bluetooth connection.

And now, one of those apps is accused of being a little too connected to its users.

Standard Innovation—the maker of the We-Vibe vibrator and accompanying app—is the subject of a federal privacy lawsuit. The suit, which seeks class-action status, claims the We-Vibe vibrator app chronicles how often and how long consumers use the sex toy and sends that data to the company's Canadian servers. The suit says that the app also monitors "the selected vibration settings," the vibrator's battery life, and the vibrator's "temperature" with consumer consent. The data, along with the person's e-mail address, is stored on the vibrator-maker's Canadian servers, <a href="">according to the lawsuit</a>. (PDF)</p>

What. The. Actual.
sex  iot  lawsuit 
september 2016 by charlesarthur
Internet of things struggles as use of smart home gadgets flatlines • Daily Telegraph
James Titcomb:
<p>Deloitte’s research, due to be released next month in its annual Mobile Consumer Survey, also shows modest adoption of connected security cameras and smart home appliances, at 3% and 2% respectively.

A greater percentage of those surveyed said they intended to purchase a smart device in the next year, with 7% planning to upgrade to a smart thermostat and 6% to a surveillance camera. However, this showed little change from Deloitte’s survey of a year ago, when the intention to upgrade was 6% and 5% respectively.

<img src="" />

Paul Lee, Deloitte’s head of technology, media and telecoms research, said that at present, connected gadgets are too expensive and do not do enough for the vast majority of people to justify buying them.

“Some of them aren’t resonating well because they offer too little,” he said. “The ability to micromanage the temperature in your house doesn’t appeal to the mainstream, and the savings aren’t significant enough to upgrade.”</p>

Full survey comes out this month.
september 2016 by charlesarthur
The Internet of Things will turn large-scale hacks into real world disasters • Motherboard
Bruce Schneier:
<p>With the advent of the Internet of Things and cyber-physical systems in general, we've given the internet <a href="">hands and feet</a>: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete.

Today’s threats include hackers <a href="">crashing airplanes</a> by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re <a href="">speeding</a> down the highway. We’re worried about manipulated counts from <a href="">electronic voting machines</a>, frozen water pipes through <a href="">hacked thermostats</a>, and remote murder through <a href="">hacked medical devices</a>. The possibilities are pretty literally endless. The Internet of Things will allow for attacks we can’t even imagine.

The increased risks come from three things: software control of systems, interconnections between systems, and automatic or autonomous systems. Let’s look at them in turn…</p>

…from between our fingers, behind the sofa.
internet  iot  schneier  security 
august 2016 by charlesarthur
Nest thermostats offline in U.S. heatwave • Business Insider
Todd Haselton:
<p>Google’s Nest is experiencing a widespread outage that has knocked its line of thermostats offline, a particularly scary situation given the widespread heatwave across the United States right now. Members of our staff noticed the thermostats weren’t functioning properly this morning, in multiple states around the U.S., and a quick search on Twitter shows a similar story.</p>

This might only be a small number of thermostats, but it's probably bloody annoying when it does. An internet of things that is completely reliant on an internet that isn't reliable is less useful than "things that just do".
july 2016 by charlesarthur Matthew Garrett's review of AuYou Wi-Fi Switch, Timing Wireless Smart ...
Garrett is a security researcher, and he got one of these free in return for writing an honest review. Hold tight:
<p>In practice the app is looking for a network called "SmartPlug" and this version of the hardware creates a network called "XW-G03", so it never finds it. I ended up reverse engineering the app in order to find out the configuration packet format, sent it myself and finally had the socket on the network. This is, needless to say, not a reasonable thing to expect average users to do. The alternative is to find an older Android device or use an iPhone to do the setup.

Once it's working, you can just hit a button on the app and your socket turns on or off. You can also program a timer. If your phone is connected to the same network as the socket then this is just done by sending a command directly, but if not you send a command via an intermediate server in China (the socket connects to the server when it joins the wireless and then waits for commands)…

…This is a huge problem. If anybody knows the MAC address of one of your sockets, they can control it from anywhere in the world. You can't set a password to stop them, and a normal home router configuration won't block this. You need to explicitly firewall off the server (it's in order to protect yourself. Again, this is completely unrealistic to expect for a home user, and if you do this then you'll also entirely lose the ability to control the device from outside your home.

In summary: by default this is stupendously insecure, there's no reasonable way to make it secure, and if you do make it secure then it's much less useful than it's supposed to be. Don't buy it.</p>

Apart from that, how's it going with the Internet of Things? (AuYou has withdrawn the device from sale.)
iot  security  hacking 
july 2016 by charlesarthur
Amazon to add dozens of brands to Dash buttons, but do shoppers want them? • WSJ
Sharon Terlep and Greg Bensinger:
<p>Several consumer-product executives said they have signed up for the gadget largely to ensure their brands maintain close ties to Amazon. The venture is more vital as a marketing tool than a product-delivery system, they said.

“It may not be the most intuitive feature,” said Ken McFarland, director of e-commerce for Seventh Generation Inc., which has Dash buttons for its cleaning products and diapers. “But Amazon is trying so many things and you don’t want to miss out on the ones that work. You want to be out there if it does happen to be a hit.”

Companies pay Amazon $15 for each button sold and 15% of each Dash product sale, atop the normal commission, which typically ranges from 8% to 15%, the people familiar with the matter said.

For their part, consumers pay $5 per button, though Amazon sweetens the deal by offering a $5 rebate for every button. The rebate is good toward the first purchase using that button. Only members of Amazon’s $99-per-year Prime membership are eligible to use the Dash buttons.

Helping expand Dash’s ranks: Amazon dropped a hefty buy-in fee of around $200,000 required of the first companies that signed up, according to people familiar with the terms.</p>

This resembles supermarkets charging companies to get their goods visible on shelves shoppers frequent - except here, the shelves are inside the shopper's home. "Fewer than half" who have one have used it, according to Slice Intelligence, at a rate of about once every two months. The other bugbear? You don't know what the price of what you're summoning with a push is.
amazon  iot 
june 2016 by charlesarthur
First Response's Bluetooth pregnancy test is intriguing — and a privacy nightmare » The Verge
Ashley Carman:
<p>This is a list of the app's permissions on Android, emphasis my own:

<li>Device &amp; app history - retrieve running apps</li>
<li>Identity - find accounts on the device</li>
<li>Calendar - read calendar events <b>plus confidential information</b>, add or modify calendar events, send <b>email to guests without owners' knowledge</b> </li>
<li>Contacts - read your contacts, <b>find accounts on the device</b> </li>
<li>Phone - read phone status and identity, directly call phone numbers</li>
<li>Photos/Media/Files - modify or delete the contents of your USB storage, read the contents of your USB storage</li>
<li>Storage - modify or delete the contents of your USB storage, read the contents of your USB storage</li>
<li>Device ID &amp; call information - read phone status and identity</li>
<li>Other - full license to interact across users, receive data from the internet, full network access, view network connections, pair with Bluetooth devices, access Bluetooth settings, prevent device from sleeping, <b>use accounts on the device</b>.</li>

Church and Dwight also list a Privacy Policy for the app, which explicitly says in bold, "If you opt-in, we may share your Personal Information with third parties for third party marketing purposes." Not only can the app call users' contacts without their permission, search their device for social media accounts, and send emails to calendar event guests without permission, but it can also use all that data to create tailored ads.</p>

The company told Carman: "Church & Dwight Co., Inc. puts users’ privacy first and works to ensure that the trust users place in our products is recognized and respected with the utmost discretion."

Which notably isn't "we would never send emails or messages to everyone without your permission saying HEY SHE'S PREGGERS!"
may 2016 by charlesarthur
Flaws in Samsung’s ‘smart’ home let hackers unlock doors and set off fire alarms » WIRED
Andy Greenberg:
<p>The security research community has been loudly warning for years that the so-called Internet of Things—and particularly networked home appliances—would introduce a deluge of new hackable vulnerabilities into everyday objects. Now one group of researchers at the University of Michigan and Microsoft have <a href="">published what they call the first in-depth security analysis of one such “smart home” platform</a> that allows anyone to control their home appliances from light bulbs to locks with a PC or smartphone. They discovered they could pull off disturbing tricks over the internet, from triggering a smoke detector at will to planting a “backdoor” PIN code in a digital lock that offers silent access to your home, all of which they plan to present at the IEEE Symposium on Security and Privacy later this month.</p>

Feels like we're roughly at the Windows95 level of device security, but with hackers working at the Windows 7 level.
iot  hacking  security 
may 2016 by charlesarthur
The Internet of Things has a dirty little secret » Internet of Shit
<p>As the market eventually saturates and sales of internet-widgets top off, you can bet that everyone from the smallest to largest vendor will look to what’s next: the treasure trove that is everything it knows about you.

Many of the newest IoT devices are the types of household appliances you won’t replace for a decade. We’re talking about a thermostat, fridge, washing machine, kettle, TV or light — long term, there’s just no other way to be sustainable for the creators of these devices.

There is an alternative path that some could take: maybe Nest needs to increase its revenue, so it decides to charge a monthly subscription model for its thermostat. Now you need to pay $5 per month or it’ll lock you out.

The question then, is if you’d pay for it? Will you pay for a subscription for everything in your home?

Maybe: if the device comes for free, with that subscription, and guarantees your data will be kept private… but I suspect that many people prefer to own outright and simply won’t care about the privacy compromise.

The future of your most intimate data being sold to the highest bidder isn’t dystopian. It’s happening now.</p>
may 2016 by charlesarthur
The absolute horror of WiFi light switches » Terence Eden's Blog
Eden bought a cheap Wi-Fi light switch originating in China which runs, of course, on Android and has an Android app which, let's see, wants to take pictures, directly call phone numbers, read your contacts, record audio, read your texts, read your USB storage..
<p>Those are some ridiculously scary permissions! I can understand wanting microphone access (voice control) and maybe GPS (turn lights on when I get home) - but why does this want to send SMS or place calls? Why does it need my contacts and the ability to take photos?

A quick virus scan showed nothing overtly malicious - but I decided to offer up a sacrificial tablet to run the app on. No way am I risking my main device with this software!

The software is of the usual sub-standard quality I've come to expect from cheap electronics. No set-up wizard, just dumped into a complicated screen.</p>

Oh, did we mention that it also connects to a fixed IP in China and sends the light switch's ID number to it, listening for.. something? Eden concludes:
<p>I'm guessing, with a small amount of effort, you could toggle strangers' lights to your heart's content.</p>

This probably reminds you of those <a href="">Android hotel light switches</a> from last week.
iot  privacy  security  wifi 
march 2016 by charlesarthur
I stayed in a hotel with Android lightswitches and it was just as bad as you'd imagine » mjg59
The "switches" were Android tablets. He hooked up an Ethernet connection to see what was going on:
<p>wireshark revealed that [the data protocol] was Modbus over TCP. Modbus is a pretty trivial protocol, and notably has no authentication whatsoever. tcpdump showed that traffic was being sent to, and pymodbus let me start controlling my lights, turning the TV on and off and even making my curtains open and close. What fun!

And then I noticed something. My room number is 714. The IP address I was communicating with was They wouldn't, would they?

I mean yes obviously they would.

It's basically as bad as it could be - once I'd figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well. Jesus Molina talked about doing this kind of thing <a href="">a couple of years ago</a>, so it's not some kind of one-off - instead, hotels are happily deploying systems with no meaningful security, and the outcome of sending a constant stream of "Set room lights to full" and "Open curtain" commands at 3AM seems fairly predictable.

We're doomed.</p>
android  hacking  iot  security 
march 2016 by charlesarthur
Amazon adds the $130 Amazon Tap and the $90 Echo Dot to the Echo family » Techcrunch
Sarah Buhr:
<p>The Echo has received more than 33,000 Amazon reviews at a nearly five-star rating since launching in late 2014 and was one of the best-selling items going for more than $100 over the holidays. Amazon has not released sales figures for Echo, but its rise in popularity and the ability to build upon and integrate with the companion Alexa API have moved the Echo front and center as a must-have device for the smart home.

Amazon is now introducing two new members to the Echo family with slightly different uses in hopes of achieving a similar reaction: Amazon Tap is a portable version of the original Echo, and Echo Dot is a tiny, hockey-puck-sized version that includes a built-in line-out connector to hook into your choice of speaker.</p>
amazon  automation  iot 
march 2016 by charlesarthur
Samsung fails to secure thousands of SmartThings homes from thieves » Forbes
Thomas Fox-Brewster:
Critically, anyone relying on SmartThings devices for home security is vulnerable. In an environment where the SmartThings hub is connected to the firm’s own motion sensors, which act like traditional security alarms but provide alerts to people’s phones when activity is detected, they allow a hacker to enter a home undetected. Even worse, when connected to a connected smart lock, Cognosec researcher Tobias Zillner says a robber can get break into a home without using any brute force whatsoever.

“At the moment I am able to hack the system … and open the door lock as well as to jam the motion sensor without any trace left back in the system,” he told Forbes.

Come on, you knew the Internet of Things was going to lead to this.
iot  samsung 
february 2016 by charlesarthur
Nest thermostat goes from 'Internet Of Things' darling to cautionary tale » Techdirt
Karl Bode:
<p>[Tech writer Stacey Higginbotham's] Nest device began trying to cook her family in the middle of the night, something Nest first tried to blame on her smart garage door opener, then tried to blame on her Jawbone fitness tracker (Nest never did seem to pinpoint the cause). Her report suggests that <a href="">an overall culture of "arrogance" at Nest</a> shockingly isn't helping pinpoint and resolve bugs:
<p>"One Nest partner, who declined to be named to preserve his business relationship with the company, said that Nest being quick with the blame didn’t surprise him, citing a culture of arrogance at the company. When something went wrong during integration testing between his device and Nest’s, problems were first blamed on his servers and team."</p>

And fast-forward to last week, when researchers putting various internet of thing devices through tests found that the Nest thermostat was one of many IOT devices happily <a href="">leaking subscriber location data in cleartext</a> (with Nest, it's only the zip code, something the company quickly fixed in a patch). Granted Nest's not alone in being an inadvertent advertisement for a product's "dumb" alternatives. In 2016, smart <a href="">tea kettles</a>, <a href="">refrigerators</a>, <a href="">televisions</a> and <a href="">automobiles</a> are all busy leaking your private information and exposing you to malicious intrusion (or worse).

It's a fascinating, in-progress lesson about how our lust for the sexy ideal of the connected home appears to be taking a brief pit stop in reality.</p>
january 2016 by charlesarthur
Internet of Things security is so bad, there’s a search engine for sleeping kids » Ars Technica
JM Porup:
<p>Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams.

The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores, according to Dan Tentler, a security researcher who has spent several years investigating webcam security.

"It's all over the place," he told Ars Technica UK. "Practically everything you can think of."

We did a quick search and turned up some alarming results [of a sleeping baby in Canada, kitchen in Spain, classroom in China, someone's house].

The cameras are vulnerable because they use the Real Time Streaming Protocol (RTSP, port 554) to share video but have no password authentication in place. The image feed is available to paid Shodan members at Free Shodan accounts can also search using the filter port:554 has_screenshot:true.

Shodan crawls the Internet at random looking for IP addresses with open ports. If an open port lacks authentication and streams a video feed, the new script takes a snap and moves on.</p>
iot  security 
january 2016 by charlesarthur
Nest thermostat glitch leaves users in the cold » The New York Times
Nick Bilton:
<p>“Woke up to a dead nest and a very cold house,” a commenter wrote on the company’s forum. “Not good when you have a baby sleeping!”

“Mine is offline,” another customer tweeted. “Not enough battery (?) I’m traveling. Called nest. Known problem. No resolution. #nest #fail.”

Admittedly, this may strike some as a quintessential first-world problem: a thermostat that can’t connect to the web. But for some users, it posed genuine issues.

For those who are elderly or ill, or who have babies, a freezing house can have dire health consequences. Moreover, homeowners who installed a Nest in a weekend home, or who were on vacation, were also concerned that their pipes could freeze and burst, causing major damage.

Matt Rogers, the co-founder and vice president for engineering at Nest, blamed a software update from December. “We had a bug that was introduced in the software update that didn’t show up for about two weeks,” Mr. Rogers said apologetically. In January, devices went offline, and “that’s when things started to heat up.”</p>

The question is, will we look back on events like this as just teething problems - a bit like some of the cloud outages of, say, 2007 - or will they just multiply as more systems interact with slightly jury-rigged ones?

And as Bilton also points out, the contracts these gizmos/services are provided under use "arbitration" clauses which hugely favour the company, not the consumer; one lawyer tells him that Nest's terms of service "are inherently unfair to consumers". Not biased; inherently unfair.
iot  nest 
january 2016 by charlesarthur
Why the internet of things favours dominance » The Guardian
Julia Powles and Jat Singh, in July 2015:
<p>For the moment, all these approaches tend towards centralisation – whether towards operators of closed systems, controllers of particular ecosystems, or systems integrators for “open” systems. Data flows too, <a href="">tend to be centralised</a>, even when they <a href="">needn’t be</a>. So it seems that <a href="">concerns about</a> <a href="">dominance</a>, <a href="">power</a>, and <a href="">control</a> in the internet of things are based on solid ground – the end-user’s controls are left to whoever controls the centralised environment. </p><p>So, is there a way out? Perhaps, given the internet of things is still evolving. But the path to countering the strong forces <a href="">favouring dominance</a> is far from easy.</p>

I hadn't thought of this piece when I wrote about 90:9:1, but it suggests that IoT will see a similar trend.
internet  internetofthings  iot 
december 2015 by charlesarthur
Compromised CCTV and NAS devices found participating in DDoS attacks » Slashdot
<p>the security firm Incapsula [reports] that its researchers <a href="">discovered compromised closed circuit cameras as well as home network attached storage (NAS) devices participating in denial of service attacks</a>. The compromised machines included a CCTV at a local mall, just a couple minutes from the Incapsula headquarters.

According to the report, Incapsula discovered the infections as part of an investigation into a distributed denial of service attack on what it described as a "rarely-used asset" at a "large cloud service." The attack used a network of 900 compromised cameras to create a flood of HTTP GET requests, at a rate of around 20,000 requests per second, to try to disable the cloud-based server. The cameras were running the same operating system: embedded Linux with BusyBox, which is a collection of Unix utilities designed for resource-constrained endpoints. </p>

The Internet of Compromised Things is growing faster than our ability to cope with its effects.
internet  iot  hacking 
october 2015 by charlesarthur
Semantic sensors » Pete Warden's blog
Pete Warden (you know, the machine learning bought-by-Google guy):
<p>I think we’re going to see a lot of “Semantic Sensors” emerging. These will be tiny, cheap, all-in-one modules that capture raw noisy data from the real world, have built-in AI for analysis, and only output a few high-level signals. Imagine a small optical sensor that is wired like a switch, but turns on when it sees someone wave up, and off when they wave down. Here are some other concrete examples of what I think they might enable:

• Meeting room lights that stay on when there’s a person sitting there, even if the conference call has paralyzed them into immobility.<br />• Gestural interfaces on anything with a switch.<br />• Parking meters that can tell if there’s a car in their spot, and automatically charge based on the license plate.<br />• Cat-flaps that only let in cats, not raccoons!<br />• Farm gates that spot sick or injured animals.<br />• Streetlights that dim themselves when nobody’s around, and even report car crashes or house fires.</p>

And lots more. The only questions are how soon, and would we throw away the images or keep them?
ai  iot 
october 2015 by charlesarthur
Electronic noise is drowning out the Internet of Things » IEEE Spectrum
Mark McHenry, Dennis Roberson and Robert Matheson:
it is expensive to trace RF [radio frequency] pollution to a source and, when you do, it is often challenging to get offenders to stop offending.

The coming Internet of Things is going to make things worse. Much worse. It will do so by adding complex RF-control chips to countless common devices, like door locks, light switches, appliances of every type, our cars, and maybe even our bodies, which will enable them to connect to the Internet. Each of these chips is a potential source of noise. Plenty of technological fixes are available, of course, but the huge number of chips means that manufacturers will be more reluctant to add costly shielding and other noise-muffling features to their products. Silence is golden: It costs money to get it.
iot  noise 
september 2015 by charlesarthur
JFK displays actual wait times using sensors that monitor mobile phones » Blip Systems : Blip Systems
Passengers moving through JFK Airport’s Terminal 4 are now presented with estimated processing times on 13 new screens. The large and prominent screens are placed at TSA Security and Customs and Border Protection checkpoints, as well as the indoor taxi queue.

“It continuously updates,” says Daryl Jameson, vice president at the company JFKIAT, which runs Terminal 4. People like to know how long they are going to wait in queues. Nobody likes to wait in lines and signage helps to manage expectations.”

The wait times are driven by sensors that monitor passenger’s mobile devices as they <a href="">move through the airport</a>. The BlipTrack solution, invented by Denmark-based BLIP Systems, and installed by Lockheed Martin, detects Wi-Fi or Bluetooth devices in “discoverable” mode, found in mobile phones and tablets. When a device passes the sensors, its non-personal unique ID—called a MAC address—is recorded, encrypted and time-stamped. By re-identifying the device from multiple sensors, the travel times, dwell times and movement patterns become available.

Neat idea, though when you're waiting in an inescapable queue, you don't actually want to know your wait time; you want a distraction. This is why lift designers put mirrors and TVs showing news in lobbies where people wait for lifts: so you can do something else while you wait. Doesn't speed up the lift; does reduce the subjective queuing time.
august 2015 by charlesarthur
Samsung smart fridge leaves Gmail logins open to attack » The Register
John Leyden:
Pen Test Partners discovered the MiTM (man-in-the-middle) vulnerability that facilitated the exploit during an IoT hacking challenge run by Samsung at the recent DEF CON hacking conference.

The hack was pulled off against the RF28HMELBSR smart fridge, part of Samsung’s line-up of Smart Home appliances which can be controlled via their Smart Home app. While the fridge implements SSL, it fails to validate SSL certificates, thereby enabling man-in-the-middle attacks against most connections.

The internet-connected device is designed to download Gmail Calendar information to an on-screen display. Security shortcomings mean that hackers who manage to jump on to the same network can potentially steal Google login credentials from their neighbours.

Yeah, it's that "jump on the same network" thing which is the sticking point. I'd wager that most home networks are secured nowadays.
iot  security 
august 2015 by charlesarthur
Apple HomeKit requires ID chip » EE Times
Rick Merritt:
Apple requires anyone making a device compatible with its HomeKit environment to buy and use a special identity chip. The revelation was one of many from a session on platforms for the Internet of Things at last week’s ESC SV event here.

“I know a lot of people who have been surprised by this requirement and had to re-spin boards for the chip,” said Michael Anderson, chief scientist of PTR Group in his talk. “A lot of manufacturers are up in arms [about the] Apple silicon [that makes their] device more expensive,” he said.

“There’s no clear story what the chip does but I expect it is involved with access to the cloud and may have triggers for geo location,” Anderson said. Overall, “there’s not a lot known about HomeKit since it was first launched in iOS 8 because Apple’s got it under wraps,” he added.

Good way to add cost, but also a good way to be sure of security.
homekit  apple  iot 
july 2015 by charlesarthur
The three unlikely lessons from the Microsoft/Nokia Adventure » VisionMobile
Michael Vakulenko:
Looking at the industry through the lens of software-defined business models has helped us to accurately predict years before the story unraveled <a href="">the duopoly of Apple and Google</a> (2009), <a href="">the demise of Palm</a> (2009), <a href="">the outcome of HP’s foray into mobile with WebOS</a> (2010), <a href="">BlackBerry’s meltdown</a> (2010), and <a href="">the failure of Windows Phone</a> (2012).</p>
<p>The story repeats in Internet of Things. Much like in mobile, software-defined business models cause deep shifts in how value is created and delivered. The IoT winners will be decided by business model innovation, not by technology, product features or standard committees. VisionMobile’s Stijn Schuermans wrote about it here – <a href="">What the Internet of Things is not about</a>.

How bad is it for Microsoft if it misses out on the IoT?
iot  microsoft 
july 2015 by charlesarthur
High profile tech start-up Ninja Blocks goes bust » The Age
Rose Powell:
Ninja Blocks built and sold home automation systems that allowed users to control electrical devices through their smart phone. It managed both the software and also manufactured a range of sleek hardware products.

The company was launched three years ago and sustained its growth through sales and a series of successful crowdfunding campaigns: $103,000 in 2012 and $703,000 in 2013. Both brought in double or triple their original goal. It also raised $2.4m in three funding rounds, which included leading Australian tech investors Square Peg Capital, Blackbird Ventures, Atlassian founders Mike Cannon-Brookes and Scott Farquhar as well as Sing Tel's Innov8.

Crowdfunding campaigns require significant, ongoing public communication. The company went quiet in April as their latest product, the Ninja Sphere, ran over time and over-budget.

In a <a href="">blog post</a>, the team wrote the fact it was receiving "far below what they would expect to get somewhere else" their burn rate could not be sustained.

Unclear if the dollar amounts are Australian or US, but shows that hardware remains a tough business in which to succeed. (Side note: Powell's byline describes her as "journalist". Helpful.)
iot  business  hardware 
may 2015 by charlesarthur
HTC in-car wireless device certified » Digitimes
Max Wang and Steve Shen:
HTC is reportedly stepping into the IoV (Internet of Vehicles) market and has one of its in-car wireless devices, the Think+ Touch OBU 2015, certified by Taiwan's National Communications Commission (NCC), according to industry sources.

The Think+ Touch OBU 2015 features Bluetooth, GPS navigation, a lane departure warning system, tyre pressure monitoring system and sonar-based collision avoidance system, while supporting Android 4.4 KitKat platform, the sources noted.

Interesting move by HTC, though wonder how much retrofitting this would take (tyre pressure monitoring?). Also, please let "Internet of Vehicles" not be a thing.
htc  iot  cars 
april 2015 by charlesarthur
We put a chip in it! » Tumblr
It was just a dumb thing. Then we put a chip in it. Now it's a smart thing.

Such as for example these socks:
<iframe width="560" height="315" src="" frameborder="0" allowfullscreen></iframe>
blog  iot 
april 2015 by charlesarthur
From Product Club to Thington Inc. — Welcome to Thington » Medium
Tom Coates:
The more we explored the space, the more we found that however good and interesting the hardware was in the Internet of Things, the software and service layers were generally awful. Gradually, we came to believe that huge problems in these layers were hiding all of the value and the potential of the technology.

Which brings us to Thington! We decided that we wanted to build a new user interface and service layer that would push past all these problems and in the process bring in our experience working on social systems, location sharing, privacy, hardware and the web of data. And we’re super excited by what we’ve come up with. So excited in fact that we’ve put our money where our mouths are and have formally changed the name of the company from Product Club to Thington Inc.

Keep an eye on this: Coates and colleagues have a solid track record in making useful stuff.
iot  thington 
april 2015 by charlesarthur
Rochester family finds their "Nanny Cam" hacked for the world to see » KTTC Rochester, Austin
Mike Sullivan:
Many people across the country use "nanny cams" to monitor their children.  Some are closed circuit, but others allow parents to access their cameras through the Internet.  One Rochester family began to notice odd things happening with their "nanny cam", but what they found out may shock you.

"We were sleeping in bed, and basically heard some music coming from the nursery, but then when we went into the room the music turned off," said the Rochester mother who chose to remain anonymous.

Where were these tunes coming from? Would you have guessed another country?

"We were able to track down the IP address through the Foscam software, and found out that it was coming from Amsterdam," said the concerned mother of one. "That IP had a web link attached to it."

hacking  iot 
april 2015 by charlesarthur
The Wolfram Data Drop Is Live! » Stephen Wolfram Blog
Our goal is to make it incredibly straightforward to get data into the Wolfram Data Drop from anywhere. You can use things like a web API, email, Twitter, web form, Arduino, Raspberry Pi, etc. And we’re going to be progressively adding more and more ways to connect to other hardware and software data collection systems. But wherever the data comes from, the idea is that the Wolfram Data Drop stores it in a standardized way, in a “databin”, with a definite ID.
Here’s an example of how this works. On my desk right now I have this little device:

<img src="" />

Every 30 seconds it gets data from the tiny sensors on the far right, and sends the data via wifi and a web API to a Wolfram Data Drop databin, whose unique ID happens to be “3pw3N73Q”. Like all databins, this databin has a homepage on the web: <a href=""></a>.

The homepage is an administrative point of presence that lets you do things like download raw data. But what’s much more interesting is that the databin is fundamentally integrated right into the Wolfram Language. A core concept of the Wolfram Language is that it’s knowledge based—and has lots of knowledge about computation and about the world built in.

Neat idea, aimed at the Internet Of Far Too Many Damn Things.
wolfram  data  iot 
march 2015 by charlesarthur
This guy's light bulb DDoSed his entire smart house -- Fusion
Kashmir Hill on Raul Rojas, a computer science professor who made his whole house into a smart home (apart from the locks - he worried about the locks):
About two years ago, Rojas’s house froze up, and stopped responding to his commands. “Nothing worked. I couldn’t turn the lights on or off. It got stuck,” he says. It was like when the beach ball of death begins spinning on your computer—except it was his entire home.

…when he investigated, it turned out that the culprit was a single, connected light bulb.

“I connected my laptop to the network and looked at the traffic and saw that one unit was sending packets continuously,” said Rojas. He realized that his light fixture had burned out, and was trying to tell the hub that it needed attention. To do so, it was sending continuous requests that had overloaded the network and caused it to freeze. “It was a classic denial of service attack,” says Rojas. The light was performing a DDoS attack on the smart home to say, ‘Change me.'”

Take a look at his home hub. That's not some little router.
iot  smarthome 
march 2015 by charlesarthur
Why is my smart home so fucking dumb? » Gizmodo
Adam Clark Estes:
I unlocked my phone. I found the right home screen. I opened the Wink app. I navigated to the Lights section. I toggled over to the sets of light bulbs that I'd painstakingly grouped and labeled. I tapped "Living Room"—this was it—and the icon went from bright to dark. (Okay, so that was like six taps.)

Nothing happened.

I tapped "Living Room." The icon—not the lights—went from dark to bright. I tapped "Living Room," and the icon went from bright to dark. The lights seemed brighter than ever.

"How many gadget bloggers does it take to turn off a light?" said the friend, smirking. "I thought this was supposed to be a smart home."

This is where voice control (Siri, Google, Cortana) would be ideal. Always assuming it dims the lights in the correct room. This experience also points to why "smart control" isn't necessarily what you want; smart feedback (what lights etc are on) could be more useful. Still requires installing stuff, though.
iot  technology 
february 2015 by charlesarthur
« earlier      
per page:    204080120160

Copy this bookmark:

to read