Yet Another Study Shows The Internet Of Things Is A Privacy And Security Dumpster Fire

from the the-dumber-the-better dept

Day in and day out, it’s becoming increasingly clear that the smart home revolution simply isn’t all that smart.

Security analysts like Bruce Schneier have been sounding the alarm bells for years now about the lax to nonexistent security and privacy standards inherent in the internet of broken things space. From refrigerators that leak your Gmail credentials to Barbie dolls that can be easily hacked to spy on kids, it’s increasingly clear that dumber technology is often the smarter solution. Not only do many of these devices actually make us less secure, their lack of real security has resulted in their use in historically large DDoS attacks.

Study after study shows it’s a problem that’s not really getting better. For example, despite a decade of reports about the lack of real security and privacy standards in smart TVs, Consumer Reports recently found that most smart TVs remain impressively open to attack and abuse. And a new study out of the UK by Which? studied 19 different smart gadgets and found a “staggering level of corporate surveillance of your home” by devices that routinely hoovered up consumer data, then funneled it out to dozens of partner companies — often without clear consumer permission:

“Many apps ask for your exact location when they don’t actually need it for the product or service to work. Far too often, specific information is requested about you when the justification seems arguable at best. Then there’s the galaxy of other companies busily working in the background of your smart gadgets. During our testing we saw more than 20 other operators involved behind the scenes, including marketing companies. When we used a smart TV for just 15 minutes, it connected with a staggering 700 distinct addresses on the internet.

You’ll recall that a few years ago, the revelation that there was now a search engine specifically built to provide easy access to poorly secured webcams resulted in all manner of consternation about the problem of default usernames and passwords and devices with paper-mache-grade security. But despite flimsy webcam security being such a hot topic for years, many vendors still haven’t gotten the message:

“We’re also concerned over how companies secure your data. In a separate test together with other consumer organisations, we found a flaw in this wireless security camera’s app (provided by a company called Sricam), which meant that we could access more than 200,000 passwords and device IDs for other ieGeek cameras. We could then see live video feeds of other users, and talk to those users via the camera’s microphone (which we didn’t do). ieGeek/Sricam fixed this flaw in late March 2018, but we’ve subsequently found and disclosed other critical vulnerabilities with the camera and app.”

Security analysts like Bruce Schneier have clearly illustrated why there’s no incentive to fix these problems:

“The market can’t fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don’t care. Their devices were cheap to buy, they still work, and they don’t know any of the victims of the attacks. The sellers of those devices don’t care: They’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”

The reality is we’re collectively more interested in making money and obsessing over the latest gadget than addressing the problem. And while there’s some very good ongoing efforts to create some basic security and privacy standards in the IOT space, the prevailing attitude among IOT users and vendors alike that this is all somebody else’s problem. Folks like Schneier have been warning for a while that it’s likely going to take a mass casualty event (caused by hacked infrastructure) to finally motivate some changes in the internet of broken things space.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Yet Another Study Shows The Internet Of Things Is A Privacy And Security Dumpster Fire”

Subscribe: RSS Leave a comment
32 Comments
Anonymous Anonymous Cowardsays:

This is a most difficult issue

The argument that the market will not solve this problem is probably correct, which leaves regulation, and that will incense some folks. However, even that leaves the problem of all the devices in existence that may or may not get fixed with that regulation. There are possibly a variety of reasons for that, that might include the company is now gone, the devices are so old as to not be considered important enough to update (and that age number might be laughable in and of itself) or that the company then folds in light of the extra cost and potential lack of income from selling information in the future, and therefore does nothing.

Anonymoussays:

Re: Re: This is a most difficult issue

Although I go out of my way to avoid new technology, it can get hard if not impossible to avoid ‘high-tech’ things. Are there any cars sold in the US, for instance, that don’t have a (non-optional) advanced electronic/cumputerized backbone?

Maybe it’s one reason why old cars from the 1960s are worth so much money these days, as those were the last of the "simple" vehicles before government standards for tailpipe emmissions, fuel economy, and other things kicked in. Not that government regulation is all bad. In the case of cars, people who wanted the option of seat belts had to wait six decades until the government stepped in and forced automakers to offer them (first was as an option)

naschsays:

Re: Re: Re: Re: This is a most difficult issue

Are there any cars sold in the US, for instance, that don’t have a (non-optional) advanced electronic/cumputerized backbone?

No, everything has electronic engine control, anti lock brakes, and electronic stability control, just for a start. I believe a backup camera or sensors are now mandated. Anything but a bare bones economy car (and maybe not even those any more) will also have electronics in the cabin controlling anything from audio to climate control.

Not an Electronic Rodentsays:

Re: Re: This is a most difficult issue

The argument that the market will not solve this problem is probably correct, which leaves regulation, and that will incense some folks.

Sure will, if for no other reason than the legislation will inevitably suck and be a 1/2-measure at best. If such a thing happens I imagine it would be started by well-meaning "nerds" and a handful of the more tech-savvy politicians, but get waylaid by excessive lobbying from large corporations who really don’t want to pay to fix the problem they caused and actually kinda like the data they’re gathering.. The result will be a watered-down, toothless version of whatever got proposed in the first place.

It’s still better than the even more scary alternative mentioned above, though:

Folks like Schneier have been warning for a while that it’s likely going to take a mass casualty event (caused by hacked infrastructure) to finally motivate some changes in the internet of broken things space.

Can you imagine the kind of headless-chicken, knee-jerk, politician-must-DO-somethingNOW abortion-of-a-law that would result from that? I’ll take the weedy and ineffectual half-measure any day!

kallethensays:

Earlier this month I had gotten a new air conditioner. It’s basically the same as the old one except it’s got wifi capability to allow you to control it from your smart phone. Convenience sake, like to turn on the a/c as you are coming home.

Think I’ve connected it to my internet to make use of that?

Hell no. And this article points out why. I’ll take safety over convenience.

Anonymous Anonymous Cowardsays:

Re: Re: Re: Re:

40 years ago programmable thermostats weren’t connected to the Internet. Other than a few minutes of discomfort if you come home at a time the thermostat wasn’t programmed for, I see absolutely no reason for them to be connected now. Oh, except for the inane desire of the thermostat sellers to acquire information about you. That we, but apparently not they, can do without. No connectivity would solve the problem of someone hacking your furnace to blow up your house as well.

Anonymoussays:

Re: Re: the market... finds a way

Buyers generally only care about the things that a heavy advertizing campaign teaches them that they should care about. The few who actually think independently are too few for the industry to worry about. (I know I can’t be the only person in the world who demands that their laptop computer come without a built-in camera and microphone … but it often seems like it)

Anonymoussays:

Re: Re: Re: Re: the market... finds a way

(I know I can’t be the only person in the world who demands that their laptop computer come without a built-in camera and microphone … but it often seems like it)

A camera’s easy to tape and I’ve seen lots of people do it. A microphone isn’t so easy, and it may be possible to use the built-in speakers as microphones.

I want a removable battery, so I can know that the thing’s actually off (and don’t have to throw the laptop in a landfill when it wears out in a few years). Stores don’t sell laptops like that; I can still order them, but then I have to worry about government interdiction. Phones with removable battery have become almost unattainable.

Saw it coming, rolled my own

Not to brag of any special prescience, but this disaster was totally predictable given surrounding events (data slurping for cash, DDOSs and so on).

I developed my own homestead automation instead – it’s not like a lot of the ideas aren’t useful. But as I’m retired on an off-grid homestead I built…no need for the internet and its attack surface anyway – for that matter I skipped the whole smartphone thing – this area has only had coverage for the last 5 or so years anyway.

Survival is the oldest profession. If you don’t – that other one that makes the claim wouldn’t exist.

I have different challenges than most people do, I’d assume. Not having infinite power – not a good idea to turn on a big load like AC remotely anyway (not that I spend much time off my land as is). But I do need to monitor and control the solar system, the water collection/treatment/storage/delivery plumbing, and keep track of internal and external weather on campus (eg watch if pipes are going to freeze and preempt that if so).

I added in video and motion detection because it was easy and I get what amount to game pictures of the wildlife here as a bonus. I get audio announcements of important events off my background music system and if I want – I can send email to myself – all without leaving the LAN – or even having most of this (other than one raspi that serves as access point for the slave nodes and a web server) – visible even on my main LAN. I call it LAN of things, obviously.

The only real reason I see for being “out on the inet” is so some manufacturer can make money as a “man in the middle” – a widely discussed attack vector in security circles. And maybe charge rent, if not now, later after you’re locked in. Imagine having to pay to have your own house work! (I suppose many less fortunate pay rent as is, but yet another one?). I see no point giving anyone else that kind of control over me.

I don’t sell these, but some old documentation on how to do some parts yourself has been published. It’s way not rocket surgery, mostly a ton of sysadmin on small computers – which I don’t document, as it’s all over the web as is.

http://www.coultersmithing.com/forums/viewforum.php?f=59&sid=65ae80d0c2bcbb16960f301772dfad08

Anonymoussays:

Re: Re: Saw it coming, rolled my own

I miss the days of phpBB forums, and was sad to see the likes of Facebook, Twitter, Reddit, etc, bury them. A site that combines tech news, programming, and guns seems like an odd mix — certainly not the kind of thing you might expect to see coming from someone from the ‘tech mecca’ S.F. Bay area.

dcfusorsays:

Re: Re: Re: Re: Saw it coming, rolled my own

Because I’m in Appalachia and not a leftie.
Marksmanship is what we do here in the mountains instead of golf…as any golf balls would wind up in the creek between the ridges no matter what.
It’s something to do sometimes when I’m not doing fusion research or on the 23 mile round trip to the beer store.

tomsays:

When I asked my Congress Critter about this a few years ago, got the doe in headlight look. Most of them have no idea what Cyber Security really is. Many of those that have some idea think it only applies to state sponsored actions. Most don’t see the need for Federal standards or are already in the pocket of ISPs and IOT makers that want to profit from the data being harvested.

For those that care, buy an enterprise grade firewall and make sure your first rules block all traffic in both directions. Now add specific rules for each PC as needed, HTTPS, POP, etc. PITA but it really cuts down on the harm malware can do when it slips into your network. You will likely be surprised at the number of blocked comm attempts the default deny rule will collect.

Make sure any IOT gizmos are on their own LAN that can’t talk to your main LAN. Install any needed control gizmo on the IOT LAN. Again with the default deny rule and only add needed allow rules.

RestartDailysays:

PowerOffDevicesNotInUse

Power off your any device that is not being actively used.

Restart the power on any device DAILY.

Check for Firmware updates.

Do Not Buy an I.o.T. device unless you understand that it probably is backdoored, has a hard coded password and can be used by anyone on the internet… e.g. don’t buy into I.o.T. for another decade or more…

ECAsays:

I wonder..

Let me ask..
As I was told in the past and was demonstrated MANY times..
1 agency gets your info..even just a name and address..
THEY CAN SELL IT SO MANY TIMES…that they make MONEY. LOTS.

The more info they get, the more money they can get..
Even a few business’s that gather from MANY companies, and resort the data collected can find aLLOT of data.

There was 1-2 things missing from much of this. BANK/credit card/Credit rating and Social security INFO..
They got it now.

Love how we have Learned to protect our computers, but the Companies DONT GET IT..
How much spam do you like?
How many dead people trying to contact you??
How many STRANGE msg. do you get with a STRANGE LINK??
How many msg from services you DO USE, that you will NEVER CLICK THE LINK IN THE MSG..(I got one from my CC company, called them and sent it to them)
Since the year 2000, how easy was it to find PORN on your computer and you had NEVER seen that lady before?? or the Dog. Its allot CLEANER now, but we learned our lessons..

I can give you a link to a LEGIT site that has over 30 3rd party links and scripts they WISH to install…

This is a most difficult issue

The argument that the market will not solve this problem is probably correct, which leaves regulation, and that will incense some folks. However, even that leaves the problem of all the devices in existence that may or may not get fixed with that regulation. There are possibly a variety of reasons for that, that might include the company is now gone, the devices are so old as to not be considered important enough to update (and that age number might be laughable in and of itself) or that the company then folds in light of the extra cost and potential lack of income from selling information in the future, and therefore does nothing.

Mobdro

The argument that the market will not solve this problem is probably correct, which leaves regulation, and that will incense some folks. However, even that leaves the problem of all the devices in existence that may or may not get fixed with that regulation. There are possibly a variety of reasons for that, that might include the company is now gone, the devices are so old as to not be considered important enough to update (and that age number might be laughable in and of itself) or that the company then folds in light of the extra cost and potential lack of income from selling information in the future, and therefore does nothing.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Report this ad??|??Hide Techdirt ads
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...
Older Stuff
12:25 Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks (6)
10:50 Missouri Governor Doubles Down On 'View Source' Hacking Claim; PAC Now Fundraising Over This Bizarrely Stupid Claim (45)
10:45 Daily Deal: The All-in-One Microsoft, Cybersecurity, And Python Exam Prep Training Bundle (0)
09:43 Want To Understand Why U.S. Broadband Sucks? Look At Frontier Communications In Wisconsin, West Virginia (8)
05:36 Massachusetts College Decides Criticizing The Chinese Government Is Hate Speech, Suspends Conservative Student Group (71)
19:57 Le Tigre Sues Barry Mann To Stop Copyright Threats Over Song, Lights Barry Mann On Fire As Well (21)
16:07 Court Says City Of Baltimore's 'Heckler's Veto' Of An Anti-Catholic Rally Violates The First Amendment (15)
13:37 Two Years Later, Judge Finally Realizes That A CDN Provider Is Not Liable For Copyright Infringement On Websites (21)
12:19 Chicago Court Gets Its Prior Restraint On, Tells Police Union Head To STFU About City's Vaccine Mandate (158)
10:55 Verizon 'Visible' Wireless Accounts Hacked, Exploited To Buy New iPhones (8)
10:50 Daily Deal: The MacOS 11 Course (0)
07:55 Suing Social Media Sites Over Acts Of Terrorism Continues To Be A Losing Bet, As 11th Circuit Dumps Another Flawed Lawsuit (11)
02:51 Trump Announces His Own Social Network, 'Truth Social,' Which Says It Can Kick Off Users For Any Reason (And Already Is) (100)
19:51 Facebook AI Moderation Continues To Suck Because Moderation At Scale Is Impossible (26)
16:12 Content Moderation Case Studies: Snapchat Disables GIPHY Integration After Racist 'Sticker' Is Discovered (2018) (11)
13:54 Arlo Makes Live Customer Service A Luxury Option (8)
12:05 Delta Proudly Announces Its Participation In The DHS's Expanded Biometric Collection Program (5)
11:03 LinkedIn (Mostly) Exits China, Citing Escalating Demands For Censorship (14)
10:57 Daily Deal: The Python, Git, And YAML Bundle (0)
09:37 British Telecom Wants Netflix To Pay A Tax Simply Because Squid Game Is Popular (32)
06:41 Report: Client-Side Scanning Is An Insecure Nightmare Just Waiting To Be Exploited By Governments (35)
20:38 MLB In Talks To Offer Streaming For All Teams' Home Games In-Market Even Without A Cable Subscription (10)
15:55 Appeals Court Says Couple's Lawsuit Over Bogus Vehicle Forfeiture Can Continue (15)
13:30 Techdirt Podcast Episode 301: Scarcity, Abundance & NFTs (0)
12:03 Hollywood Is Betting On Filtering Mandates, But Working Copyright Algorithms Simply Don't Exist (66)
10:45 Introducing The Techdirt Insider Discord (4)
10:40 Daily Deal: The Dynamic 2021 DevOps Training Bundle (0)
09:29 Criminalizing Teens' Google Searches Is Just How The UK's Anti-Cybercrime Programs Roll (19)
06:29 Canon Sued For Disabling Printer Scanners When Devices Run Out Of Ink (41)
20:51 Copyright Law Discriminating Against The Blind Finally Struck Down By Court In South Africa (7)
More arrow