Internet of Things - Security

Chuckanut

Warning: Very geeky stuff follows. ;)

FWIW, we are now seeing an increase in the number of things inside our houses, cars and maybe soon what we are wearing, that are connected to the internet in some way. This is being called the Internet of Things (IoT).

However, many of these devices are not secure. That clever device that allows you to tell your home to turn up the heat while you are driving home from work essentially allows something outside your home to control something inside your home. Is it secure?

Here is a good discussion of the IoT and why these early devices are not secure. The speaker expects there will be security standards in the future but warns that devices you buy today probably will not conform to those standards. So, you get to buy them again. :(

Of course, it is one man's opinion, but he does back it up with studies of IoT devices done by others.

The discussion starts about 80% down from the top. Search for: So IoT in its infancy.

https://www.grc.com/sn/sn-562.pdf


And so taking a meta view, stepping back from the details a bit, these first-generation IoT devices are trying to do the impossible. They're trying to be, they're pretending to be a limited-use, purpose-specific appliance, with at the same time having all the sophisticated communications and connectivity power of a general-purpose computer hidden inside. But they're also trying not to have, not to present any of the responsibility baggage that all of our experience has taught us necessarily comes along with any powerful, connected, general-purpose computer.

What we see are companies producing feature-laden monitors that are virtually devoid of security. Meaning that anywhere, anyone in the world can be looking at your baby sleeping, or wherever you have aimed this camera. I mean, they're just - it's horrifying. And they don't care. They're selling functionality. They're not selling security.
 
Heck, most folks can't get their wireless systems to work in their homes with any degree of reliability. :LOL:

They can look at my internet camera all they want as all it shows is my front porch. :LOL:

On a more serious note, it's the financial stuff I worry about. Around here, most crooks that break into houses can't read English and use a disposable flip phone or a stolen one (while it's still working).

For personal security and information gathering, I think I'd be more worried about Facebook information that people so proudly upload.
 
Heck, most folks can't get their wireless systems to work in their homes with any degree of reliability. :LOL:

They can look at my internet camera all they want as all it shows is my front porch. :LOL:

On a more serious note, it's the financial stuff I worry about. Around here, most crooks that break into houses can't read English and use a disposable flip phone or a stolen one (while it's still working).

For personal security and information gathering, I think I'd be more worried about Facebook information that people so proudly upload.

One of the issues is that your internet camera is actually a webserver computer.
If a person can get root access to your internet camera, then from within your intranet, they can now as a trusted device access other computers on the network since they are within your firewall.

A few years ago it was found a certain manufacturer of internet cameras used the same admin password for all cameras, users needed to download a firmware update to fix this, probably few did.

You are right to be worried about FB, etc, especially if you use real answers for the security questions on banks, email, etc.
 
Donning tin foil hat. I'd be concerned about having the ability to opt out of the Internet of Things. Seems like the Green Overlords would love to be able to monitor and micromanage your use of electrical appliances.
 
One of the issues is that your internet camera is actually a webserver computer.
If a person can get root access to your internet camera, then from within your intranet, they can now as a trusted device access other computers on the network since they are within your firewall.

A few years ago it was found a certain manufacturer of internet cameras used the same admin password for all cameras, users needed to download a firmware update to fix this, probably few did.

You are right to be worried about FB, etc, especially if you use real answers for the security questions on banks, email, etc.

Agreed, internet cameras are not very secure and one must use caution when setting up a system for surveillance.

On a side note, anyone accessing our home computers via our secure network would be wasting their time and bandwidth as there is nothing of importance stored on them. Maybe they would be interested in reviewing about 10 GB of old work reports stored in Word and .pdf files? (I should dump all that crap anyways).
 
Excuse the ignorance but don't most of these Internet connected devices have at least password security built in? In these early days, I would suspect most hacking would be against the low hanging fruit such as people that have not changed their devices' passwords from the default.
 
Well, security is great and all, but lots of people willingly let all sorts of applications take over their phones/tablets. I just read an article about Facebook's use of phones/tablets to "listen" to what's going on. Of course, the great folks at FB say it's just used to tag songs and such, but if you look at the ACTUAL permissions you give the application, it says (very specifically) "MICROPHONE: LISTEN AND RECORD."

I am not usually a tin-foil kind of guy, but I think many of the apps we use everyday (with very little thought) take the permissions to an extreme that we are not fully aware of yet.

Excuse the ignorance but don't most of these Internet connected devices have at least password security built in? In these early days, I would suspect most hacking would be against the low hanging fruit such as people that have not changed their devices' passwords from the default.

As mentioned in an earlier post, not too long ago, an internet camera that was popular had a default admin password that was THE SAME for every unit it possessed. And I would venture to guess that there are quite a few people who never changed it. Perhaps that's where THIS website came from:

http://www.insecam.org/

These folks probably have ZERO idea that the world can watch in their living room: http://www.insecam.org/en/view/324690/
 
Excuse the ignorance but don't most of these Internet connected devices have at least password security built in? In these early days, I would suspect most hacking would be against the low hanging fruit such as people that have not changed their devices' passwords from the default.

Many do have passwords, but if you read the material in the conversation I mentioned, some of these products communicate passwords in UN-encrypted formats. Other passwords are created from easy to guess technical information. Others have flaws that allow bad guys to bypass password issues.
 
As someone who spent a significant portion of their career as a network security dude, my only comment is "we're doomed". Security has always been an afterthought, and it's only going to get worse. I remember doing pen tests and finding Cisco routers on our internet facing network that still had the default admin password. And I learned from my professional security peers that this sort of thing was very common in both private and public networks. Talk about leaving the barn door open! I'm sure if the NSA wanted to, they would be watching me through my laptop camera as I type this. Security and privacy are very important to me (as shown by my refusal to install Win10), but I don't see any way to avoid this. Big Brother was a piker compared to the IoT.
 
As someone who spent a significant portion of their career as a network security dude, my only comment is "we're doomed".

As much as I hate to admit it, it will probably take a major lawsuit, brought by greedy, bull dog lawyers :bat:, costing some organization tens of millions, maybe hundreds of millions of dollars before companies sit up, take notice and spend the resources necessary to secure our data.

:rant: On

Much of my personal information is out in the wild thanks to a health insurance company that did not take basic security measures :crazy: such as encrypting the data of their customers. The consequences of that loss of data can pop-up to bite me anytime in the remainder of my life. :eek:


Their response was a 'poor victimized us' :hide: letter that talked about how criminals broke into their computer system. They tactfully avoided mentioning their lack of good data security practices and why the criminals were able to spend months inside their computer system before being detected.

They offered me a free subscription to a credit monitoring service. I signed up and sure enough, 6 weeks after I got a new credit card, the monitoring service e-mailed me with a notice about the new account. So for six weeks criminals could have been charging up a storm using my identity. Gosh, that makes me feel so good.:sick:

:rant: Off
 
As much as I hate to admit it, it will probably take a major lawsuit, brought by greedy, bull dog lawyers :bat:, costing some organization tens of millions, maybe hundreds of millions of dollars before companies sit up, take notice and spend the resources necessary to secure our data.

:rant: On

Much of my personal information is out in the wild thanks to a health insurance company that did not take basic security measures :crazy: such as encrypting the data of their customers. The consequences of that loss of data can pop-up to bite me anytime in the remainder of my life. :eek:


Their response was a 'poor victimized us' :hide: letter that talked about how criminals broke into their computer system. They tactfully avoided mentioning their lack of good data security practices and why the criminals were able to spend months inside their computer system before being detected.

They offered me a free subscription to a credit monitoring service. I signed up and sure enough, 6 weeks after I got a new credit card, the monitoring service e-mailed me with a notice about the new account. So for six weeks criminals could have been charging up a storm using my identity. Gosh, that makes me feel so good.:sick:

:rant: Off

I feel your pain. I am still *slightly* miffed that my information from previous government security clearance applications that have a TON of information on them were hacked into. Thanks Uncle Sugar, I appreciate it! :mad:
 
Of course you could get a second wifi access point, not connect it to the internet, and have all your IoT things point to it. The IoT things will be accessible around the house, but not over the internet. I was reading a report that someone has figured out how to use the motion sensor in a smart phone as a mike to pick up conversations. All the more reason to leave the phone off most of the time. (After all, phones have voicemail.)
 
Of course you could get a second wifi access point, not connect it to the internet, and have all your IoT things point to it. The IoT things will be accessible around the house, but not over the internet.

I like that idea, although it won't work for the things that I want to be able to access remotely, like my wifi camera and thermostat at my snowbird house. But if I start getting nagged by my refrigerator and toilet, I'll definitely put them on an electronic dead end.
 
I like that idea, although it won't work for the things that I want to be able to access remotely, like my wifi camera and thermostat at my snowbird house. But if I start getting nagged by my refrigerator and toilet, I'll definitely put them on an electronic dead end.

I don't think there would be too much of an invasion of privacy issue at your snowbird house. If there is no one there, there is literally nothing to see there. And when you ARE there, you can simply disconnect the camera.
 
I don't think there would be too much of an invasion of privacy issue at your snowbird house. If there is no one there, there is literally nothing to see there. And when you ARE there, you can simply disconnect the camera.

No, but an annoying a*hole could reset the thermostat higher (causing mold to grow everywhere) or lower (costing me money on wasted A/C). Pretty unlikely, I admit. But while I used my house as an example, it would still be a problem for people with nanny cams and such. A little real security and privacy built in would be really helpful.

I've always thought that internet connected devices should come with a randomized, unique password. If that was the case, most people would at least change it from the default to something they could remember. And if they didn't, they'd likely have a pretty secure password to start with. Certainly better than "admin" and "password". But that's me. I'm security conscious. I suspect, as usual, convenience/user friendliness would trump security.
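
An added example, not part of any post in this thread: a factory-side check for the password problems raised above (one admin password shared by every unit, passwords built from guessable technical information) next to the randomized, unique per-device password suggested in the post. The record keys `serial`, `mac` and `password`, the 12-character minimum and the sample fleet are assumptions made for the illustration.

```python
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, about 5.95 bits each
MIN_LENGTH = 12                                  # assumed policy floor

def new_device_password(length: int = 16) -> str:
    """Per-unit password from the OS CSPRNG, independent of any device identifier."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def _normalize(value: str) -> str:
    # Lowercase and drop separators so "AA:BB:03" and "aabb03" compare equal.
    return "".join(ch for ch in value.lower() if ch.isalnum())

def audit_provisioning(records):
    """Return {serial: [problems]} for units whose factory password is weak."""
    records = list(records)
    counts = Counter(r["password"] for r in records)
    findings = {}
    for r in records:
        problems = []
        pw = _normalize(r["password"])
        if counts[r["password"]] > 1:
            problems.append("shared")            # same password on several units
        if len(r["password"]) < MIN_LENGTH:
            problems.append("short")
        for field in ("mac", "serial"):
            ident = _normalize(r[field])
            # Password sits inside the identifier, or embeds its last 6 characters.
            if pw and ident and (pw in ident or ident[-6:] in pw):
                problems.append(f"derived-from-{field}")
        if problems:
            findings[r["serial"]] = problems
    return findings

# Constructed sample fleet (not real devices).
SAMPLE = [
    {"serial": "CAM0001", "mac": "00:11:22:AA:BB:01", "password": "admin"},
    {"serial": "CAM0002", "mac": "00:11:22:AA:BB:02", "password": "admin"},
    {"serial": "CAM0003", "mac": "00:11:22:AA:BB:03", "password": "cam-aabb03-setup"},
    {"serial": "CAM0004", "mac": "00:11:22:AA:BB:04", "password": new_device_password()},
]

if __name__ == "__main__":
    for serial, problems in audit_provisioning(SAMPLE).items():
        print(serial, problems)
```

A 16-character password over this alphabet carries roughly 95 bits of entropy, so a unit that ships with one and is never touched by its owner is still not reachable with a vendor-wide default.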
 
No, but an annoying a*hole could reset the thermostat higher (causing mold to grow everywhere) or lower (costing me money on wasted A/C). Pretty unlikely, I admit.

I am not sure about your model, but mine has alerts where if a temperature limit is reached (mine is set at 83 and 55) then it will email and/or text you. Of course, if they hack into it, I suppose they could change the email and text notifications. Nonetheless, it could alleviate *a little* of the worry.
 
I have cameras in my snowbird houses, thermostats that can be monitored/adjusted, garage doors that can be opened/closed remotely and temperature monitors.

I love this stuff and the more the better. I figure what privacy I do have left is what it is and well worth the trade off. Can't wait for more functionality.
 
......I would venture to guess that there are quite a few people who never changed it. Perhaps that's where THIS website came from:

Insecam - World biggest online cameras directory

These folks probably have ZERO idea that the world can watch in their living room: View PanasonicHD camera in United States, Needham

I took a quick look around this site, and you can find cameras all over the world, then you select one and see a big image like the living room one quoted above.
Then if you click on the big streamed image, you in some cases get control of the camera and if it can move around, you can pan around to look more.
Pretty creepy ...
 