Forget Huawei, The Internet Of Things Is The Real Security Threat

from the somebody's-watching-you dept

We’ve noted for a while how a lot of the US protectionist security hysteria surrounding Huawei isn’t supported by much in the way of hard data. And while it’s certainly possible that Huawei helps the Chinese government spy, the reality is that Chinese (or any other) intelligence services don’t really need to rely on Huawei to spy on the American public. Why? Because people around the world keep connecting millions of internet of broken things devices to their home and business networks that lack even the most rudimentary of security and privacy protections.

Week after week we’ve documented how these devices are being built with both privacy and security as a distant afterthought, resulting in everything from your television to your refrigerator creating both new attack vectors and wonderful new surveillance opportunities for hackers and state actors.

The latest case in point: a popular Chinese GPS tracker, used to track everything from vehicles to kids and the elderly, has been found to contain a significant flaw that can trick the device into handing over GPS data using little more than a text message. The devices, which are made in China and rebranded and sold by more than a dozen companies, can also be used as remote surveillance devices, note cybersecurity researchers:

“Researchers at U.K. cybersecurity firm Fidus Information Security say the device can be tricked into turning over its real-time location simply by anyone sending it a text message with a keyword. Through another command, anyone can call the device and remotely listen in to its in-built microphone without alerting anyone.

Another command can remotely kill the cell signal altogether, rendering the device effectively useless.”

While the device can be protected with a PIN, that setting isn’t enabled by default, and the researchers found the devices can be remotely reset, bypassing the PIN anyway. This is, if you hadn’t been paying attention, kind of the norm when it comes to IoT devices. By the time flaws like this are exposed, the company involved has usually moved on to marketing new devices with an entirely new array of vulnerabilities. And since most such devices don’t offer much in the way of transparency, consumers are usually clueless about the fact that their devices are putting their private data at risk.

Security researchers keep warning us that the check is going to come due on the internet of things front, and we’re not taking the warnings seriously:

“This device is marketed at keeping the most vulnerable safe and yet anybody can locate and listen into thousands of people’s lives without their knowledge,” said Fidus’ Andrew Mabbitt, who wrote up the team’s findings. “This day and age, everything is connected one way or another and we seem to be leaving security behind; this isn’t going to end well.”

As security researchers have been saying for several years, it’s likely going to take a major attack on significant infrastructure and some significant fatalities before we wake up out of our collective stupor. In the interim, DC is obsessed with whether companies like Huawei are covert Chinese spies, but largely apathetic to the fact that the internet of broken things already provides all the spying opportunities a nosy government or rogue actor would ever need.

Companies: huawei


Comments on “Forget Huawei, The Internet Of Things Is The Real Security Threat”

28 Comments
PaulT says:

Re: Re: Re: Re:

"Considering Google has pulled the plug on Huawei it seems likely they may fold."

That’s very unlikely. They will just create their own store and clone whatever non-FOSS components they need to retain compatibility. I wouldn’t be surprised if some Chinese organisation has already created a homegrown fork of the OS in preparation for a move like this.

Seegras says:

Re: Re: Re: Re: Re: Re:

Are you saying there isn’t any national security component to our telecom infrastructure?

None. At least according to the actions of the CIA and NSA — and national government itself. Leaving companies for three years with open vulnerabilities. On purpose. So they can spy on them. Wannacry?

Anonymous says:

Re: Re: Re: Re: Re: Re: Re:

Every vulnerability and zero-day that comes to the attention of the NSA goes before a board that weighs the value against the potential danger. Disclosure is negotiated on a case-by-case basis with a bias for disclosing.

The defense department and homeland security worry a great deal about the security of our infrastructure but the concern isn’t necessarily about spying as much as it is of control.

Anonymous says:

Re: Re:

Yes. If researching new trade secrets, starting up a company, building strategic plans, there is expectation that some things are confidential. Without this the major tech players can simply keep a finger to the pulse and rip off innovative development before competitor brings it to market. Complete transparency breaks the market.

On personal level the media routinely takes partial statements out of context. Complete transparency provides too much opportunity for character assassination, a trend we see increasing in use to destroy livelihood of the population speaking out against establishment politics.

ECA says:

Re: Who to depend on?

So..Who would you depend on..
Do you understand that the programming of devices ISN'T set up At the maker/builder..
In the USA you have 5 people in a New corp, design and send the data TO China. It is up to those 5 people to Evaluate the product BEFORE, they have it shipped TO the USA for sales.

Go look up the ‘BARBIE’, that was connected to the internet. That listened to Everything in the house. That the Corp said Saved the data and shipped it, so that the Corp could Adjust and fix any REMOTE problem, and improve the language..
Look around your home, and Find 1 thing, that IS MADE in the USA, that is IOT.. Don't look at the Flower pot, that Connects to your Router to tell you the DIRT NEEDS WATER…
Look at all the Security cameras, that HAVE TO HAVE A REMOTE ACCESS TO ANOTHER COMPANY, to save pictures and video, and send them to your phone.. I would rather have a Small wireless NAS in my home that would Save the data, and a Rasp Pi, to send the data DIRECT to my phone..

tom says:

Most ‘Smart’ devices are designed to spy on the end purchaser. No hack needed. Whether it is your viewing habits, things you buy, how often you leave the house, etc, the data is being collected, aggregated with other data, and the result sold to other companies.

All one has to do is look at Facebook and Google’s announcements about future ‘features’ to learn some of the things the data is being used for. I think it was FB that recently announced a ‘Who you are about to meet with’ feature being worked on.

If they know who you are about to meet with, very likely they know who your kids are about to meet with.

And it is likely that most folks have little idea this data collection is happening. After all, for most people, things like TVs, refrigerators, microwaves, etc are passive gizmos. Not even in their thoughts that the new TV is spying on them.

And most Congress critters are still buying the ‘Computer companies need special laws that exempt them from normal laws’ line that was bought off on when Microsoft was still a small upstart company competing with IBM for the OS market.

ECA says:

Re:

Consider..
Cellphone with full remote access to your GPS..
(it's said it can be turned on remotely..)
Any device that has a NAME to respond to..
Google, Windows, Iphone..Name it, even your barbie.
Your car have a NAV system?? A built in computer to ask directions?? or do other things..

What would it take to LET IT, talk directly to the cellphone system…NOT A LOT… how about bypass your Router password..NOT A LOT…(most people don't change the orig passwords..) ADMIN/PASSWORD will get you into 50% of them.

Do you really know what's in your Hardware?? how easy it is to install a BUG..software or hardware..
DON'T ASK.. you won't like it.

Anonymous says:

Re:

Have you ever watched Congress question a tech executive? I’m not confident that they could spell IoT let alone tell you what it means.

Plus, why would they care about my connected light bulbs and garage door opener when the greatest spy device ever is in almost everybody’s pocket and contains GPS, a camera, a microphone, and logins to every service imaginable?
