Internet of Things - Security

[Chuckanut]

Warning: Very geeky stuff follows.

FWIW, we are now seeing an increase in the number of things inside our hourses, cars and maybe soon what we area wearing, that are connected to the internet in some way. This is being called the Internet of Things (IOT).

However, many of these devices are not secure. That clever device that allows you to tell your home to turn up the heat while your are driving home from work, essentially allows something outside your home to control something inside your home. Is it secure?

Here is a good discussion of the IoT and why these early devices are not secure. The speaker expects there will be security standards in the future but warns that devices you buy today probably will not conform to those standards. So, you get the buy them again.

Of course, it is one man's opinion, but he does back up it with studies of IoT devices done by others.

The discussion starts about 80% down from the top. Search for: So IoT in its infancy.

https://www.grc.com/sn/sn-562.pdf

Quote:

And so taking a meta view, stepping back from the details a bit, these first- generation IoT devices are trying to do the impossible. They're trying to be, they're pretending to be a limited-use, purpose-specific appliance, with at the same time having all the sophisticated communications and connectivity power of a general-purpose computer hidden inside. But they're also trying not to have, not to present any of the responsibility baggage that all of our experience has taught us necessarily comes along with any powerful, connected, general-purpose computer

Quote:

What we see are companies producing feature-laden monitors that are virtually devoid of security. Meaning that anywhere, anyone in the world can be looking at your baby sleeping, or wherever you have aimed this camera. I mean, they're just - it's horrifying. And they don't care. They're selling functionality. They're not selling security.

[audreyh1]

Yeah - we've been avoiding this.

[aja8888]

Heck, most folks can't get their wireless systems to work in their homes with any degree of reliability.

They can look at my internet camera all they want as all it shows in my front porch.

On a more serious note, it's the financial stuff I worry about. Around here, most crooks that break into houses can't read English and use a disposable flip phone or a stolen one (while its still working).

For personal security and information gathering, I think I'd be more worried about Facebook information that people so proudly upload.

[Sunset]

Quote:

Originally Posted by aja8888 Heck, most folks can't get their wireless systems to work in their homes with any degree of reliability. They can look at my internet camera all they want as all it shows in my front porch. On a more serious note, it's the financial stuff I worry about. Around here, most crooks that break into houses can't read English and use a disposable flip phone or a stolen one (while its still working). For personal security and information gathering, I think I'd be more worried about Facebook information that people so proudly upload.

One of the issues is since your internet camera is actually a webserver computer.
If a person can get root access to your internet camera, then from within your intranet, they can now as a trusted device access other computers on the network since they are within your firewall.

A few years ago it was found a certain manufacturer of internet cameras used the same admin password for all cameras, users needed to download a firmware update to fix this, probably few did.

You are right to be worried about FB, etc, especially if you use real answers for the security questions on banks, email, etc.

[John Galt III]

Donning tin foil hat. I'd be concerned about having the ability to opt out of the Internet of Things. Seems like the Green Overlords would love to be able to monitor and micromanage your use of electrical appliances.

[aja8888]

Quote:

Originally Posted by Sunset One of the issues is since your internet camera is actually a webserver computer. If a person can get root access to your internet camera, then from within your intranet, they can now as a trusted device access other computers on the network since they are within your firewall. A few years ago it was found a certain manufacturer of internet cameras used the same admin password for all cameras, users needed to download a firmware update to fix this, probably few did. You are right to be worried about FB, etc, especially if you use real answers for the security questions on banks, email, etc.

Agreed, internet cameras are not very secure and one must use caution when setting up a system for surveillance.

On a side note, anyone accessing our home computers via our secure network would be wasting their time and bandwidth as there is nothing of importance stored on them. Maybe they would be interested in reviewing about 10 GB of old work reports stored in Word and .pdf files? (I should dump all that crap anyways).

[YVRRocketSurgery]

Excuse the ignorance but don't most of these Internet connected devices have at least password security built in? In these early days, I would suspect most hacking would be against the low hanging fruit such as people that have not changed their devices' passwords from the default.

[ExFlyBoy5]

Well, security is great and all, but lots of people willing let all sorts of applications take over their phones/tablets. I just read an article about Facebook's use of devices phones/tablets to "listen" what going on. Of course, the great folks at FB say it's just used to tag songs and such, but if you look at the ACTUAL permissions your give the application, it says (very specifically) "MICROPHONE: LISTEN AND RECORD."

I am not usually a tin-foil kind of guy, but I think many of the apps we use everyday (with very little thought) take the permissions to an extreme that we are not fully aware of yet.

Quote:

Originally Posted by YVRRocketSurgery Excuse the ignorance but don't most of these Internet connected devices have at least password security built in? In these early days, I would suspect most hacking would be against the low hanging fruit such as people that have not changed their devices' passwords from the default.

As mentioned in an earlier post, not too long ago, an internet camera that was popular had a default admin password that was THE SAME for every unit it possessed. And I would venture to guess that there are quite a few people who never changed it. Perhaps that's where THIS website came from:

http://www.insecam.org/

These folks probably have ZERO idea that the world can watch in their living room: http://www.insecam.org/en/view/324690/

[Chuckanut]

Quote:

Originally Posted by YVRRocketSurgery Excuse the ignorance but don't most of these Internet connected devices have at least password security built in? In these early days, I would suspect most hacking would be against the low hanging fruit such as people that have not changed their devices' passwords from the default.

Many do have passwords, but if you read the material in the conversation I mentioned, some of these products communicate passwords in UN-encrypted formats. Other passwords are created from easy to guess technical information. Others have flaws that allow bad guys to bypass password issues.

[harley]

As someone who spent a significant portion of their career as a network security dude, my only comment is "we're doomed". Security has always been an afterthought, and it's only going to get worse. I remember doing pen tests and finding Cisco routers on our internet facing network that still had the default admin password. And I learned from my professional security peers that this sort of thing was very common in both private and public networks. Talk about leaving the barn door open! I'm sure if the NSA wanted to, they would be watching me through my laptop camera as I type this. Security and privacy are very important to me (as shown by my refusal to install Win10), but I don't see any way to avoid this. Big Brother was a piker compared to the IoT.

[Chuckanut]

Quote:

Originally Posted by harley As someone who spent a significant portion of their career as a network security dude, my only comment is "we're doomed". .

As much as I hate to admit it, it will probably take a major lawsuit, brought by greedy, bull dog lawyers , costing some organization tens of millions, maybe hundreds of millions of dollars before companies sit up, take notice and spend the resources necessary to secure our data.

On

Much of my personal information is out in the wild thanks to a health insurance company that did not take basic security measures such as encrypting the data of their customers. The consequences of that loss of data can pop-up to bite me anytime in the remainder of my life.


Their response was a 'poor victimized us' letter that talked about how criminals broke into their computer system. They tactfully avoided mentioning their lack of good data security practices and why the criminals were able to spend months inside their computer system before being detected.

They offered me a free subscription to a credit monitoring service. I signed up and sure enough, 6 weeks after I got a new credit card, the monitoring service e-mailed me with a notice about the new account. So for six weeks criminals could have been charging up a storm using my identity. Gosh, that makes me feel so good.

Off

[ExFlyBoy5]

Quote:

Originally Posted by Chuckanut As much as I hate to admit it, it will probably take a major lawsuit, brought by greedy, bull dog lawyers , costing some organization tens of millions, maybe hundreds of millions of dollars before companies sit up, take notice and spend the resources necessary to secure our data. On Much of my personal information is out in the wild thanks to a health insurance company that did not take basic security measures such as encrypting the data of their customers. The consequences of that loss of data can pop-up to bite me anytime in the remainder of my life. Their response was a 'poor victimized us' letter that talked about how criminals broke into their computer system. They tactfully avoided mentioning their lack of good data security practices and why the criminals were able to spend months inside their computer system before being detected. They offered me a free subscription to a credit monitoring service. I signed up and sure enough, 6 weeks after I got a new credit card, the monitoring service e-mailed me with a notice about the new account. So for six weeks criminals could have been charging up a storm using my identity. Gosh, that makes me feel so good. Off

I feel your pain. I am still *slightly* miffed that my information from previous government security clearance applications that have a TON of information on them were hacked into. Thanks Uncle Sugar, I appreciate it!

[meierlde]

of course you could get a second wifi access point, not connect it to the internet, and have all your IOT things point to it. The IOT things will be accessable around the house, but not over the internet. I was reading a report that someone has figured out how to use the motion sensor in a smart phone as a mike to pick up conversations. All the more reason to leave the phone off most of the time. (after all phones have voicemail)

[harley]

Quote:

Originally Posted by meierlde of course you could get a second wifi access point, not connect it to the internet, and have all your IOT things point to it. The IOT things will be accessable around the house, but not over the internet.

I like that idea, although it won't work for the things that I want to be able to access remotely, like my wifi camera and thermostat at my snowbird house. But if I start getting nagged by my refrigerator and toilet, I'll definitely put them on an electronic dead end.

[HFWR]

A hacker just burned my toast!

[ExFlyBoy5]

Quote:

Originally Posted by harley I like that idea, although it won't work for the things that I want to be able to access remotely, like my wifi camera and thermostat at my snowbird house. But if I start getting nagged by my refrigerator and toilet, I'll definitely put them on an electronic dead end.

I don't think there would be too much of an invasion of privacy issue at your snowbird house. If there is no one there, there is literally nothing to see there. And when you ARE there, you can simply disconnect the camera.

[harley]

Quote:

Originally Posted by FlyBoy5 I don't think there would be too much of an invasion of privacy issue at your snowbird house. If there is no one there, there is literally nothing to see there. And when you ARE there, you can simply disconnect the camera.

No, but an annoying a*hole could reset the thermostat higher (causing mold to grow everywhere) or lower (costing me money on wasted A/C). Pretty unlikely, I admit. But while I used my house as an example, it would still be a problem for people with nanny cams and such. A little real security and privacy built in would be really helpful.

I've always thought that internet connected devices should come with a randomized, unique password. If that was the case, most people would at least change it from the default to something they could remember. And if they didn't, they'd likely have a pretty secure password to start with. Certainly better than "admin" and "password". But that's me. I'm security conscious. I suspect, as usual, convenience/user friendliness would trump security.

[ExFlyBoy5]

Quote:

Originally Posted by harley No, but an annoying a*hole could reset the thermostat higher (causing mold to grow everywhere) or lower (costing me money on wasted A/C). Pretty unlikely, I admit.

I am not sure about your model, but mine has alerts where if a temperature limit is reached (mine is set at 83 and 55) then it will email and/or text you. Of course, if they hack into I suppose they could change the email and text notifications. Nonetheless, it could alleviate *a little* of the worry.

[Jack_Pine]

I have cameras in my snowbird houses, thermostats that can be monitored/adjusted, garage doors that can be opened closed remotely and temperature monitors.

I love this stuff and the more the better. I figure what privacy I do have left is what it is and well worth the trade off. Can't wait for more functionality.

[Lsbcal]

Quote:

Originally Posted by audreyh1 Yeah - we've been avoiding this.

Same here. I'm not letting any East European dudes take over my refrigerator -- could ruin the 4th of July BBQ.