Yet Another Study Shows The Internet Of Things Is A Privacy And Security Dumpster Fire

from the the-dumber-the-better dept

Day in and day out, it’s becoming increasingly clear that the smart home revolution simply isn’t all that smart.

Security analysts like Bruce Schneier have been sounding the alarm for years about the lax-to-nonexistent security and privacy standards inherent in the internet of broken things space. From refrigerators that leak your Gmail credentials to Barbie dolls that can be easily hacked to spy on kids, it’s increasingly clear that dumber technology is often the smarter solution. Not only do many of these devices actually make us less secure; their lack of real security has also allowed them to be conscripted into historically large DDoS attacks.

Study after study shows it’s a problem that’s not really getting better. For example, despite a decade of reports about the lack of real security and privacy standards in smart TVs, Consumer Reports recently found that most smart TVs remain impressively open to attack and abuse. And a new study out of the UK by Which? studied 19 different smart gadgets and found a “staggering level of corporate surveillance of your home” by devices that routinely hoovered up consumer data, then funneled it out to dozens of partner companies — often without clear consumer permission:

“Many apps ask for your exact location when they don’t actually need it for the product or service to work. Far too often, specific information is requested about you when the justification seems arguable at best. Then there’s the galaxy of other companies busily working in the background of your smart gadgets. During our testing we saw more than 20 other operators involved behind the scenes, including marketing companies. When we used a smart TV for just 15 minutes, it connected with a staggering 700 distinct addresses on the internet.”

You’ll recall that a few years ago, the revelation that a search engine had been built specifically to provide easy access to poorly secured webcams caused all manner of consternation about default usernames and passwords and devices with papier-mâché-grade security. But despite flimsy webcam security being a hot topic for years, many vendors still haven’t gotten the message:

“We’re also concerned over how companies secure your data. In a separate test together with other consumer organisations, we found a flaw in this wireless security camera’s app (provided by a company called Sricam), which meant that we could access more than 200,000 passwords and device IDs for other ieGeek cameras. We could then see live video feeds of other users, and talk to those users via the camera’s microphone (which we didn’t do). ieGeek/Sricam fixed this flaw in late March 2018, but we’ve subsequently found and disclosed other critical vulnerabilities with the camera and app.”

Schneier has explained clearly why there’s no market incentive to fix these problems:

“The market can’t fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don’t care. Their devices were cheap to buy, they still work, and they don’t know any of the victims of the attacks. The sellers of those devices don’t care: They’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”

The reality is that we’re collectively more interested in making money and obsessing over the latest gadget than in addressing the problem. And while there are some very good ongoing efforts to create basic security and privacy standards in the IoT space, the prevailing attitude among IoT users and vendors alike is that this is all somebody else’s problem. Folks like Schneier have been warning for a while that it’s likely going to take a mass casualty event (caused by hacked infrastructure) to finally motivate some changes in the internet of broken things space.



Comments on “Yet Another Study Shows The Internet Of Things Is A Privacy And Security Dumpster Fire”

32 Comments
Anonymous Anonymous Coward (profile) says:

This is a most difficult issue

The argument that the market will not solve this problem is probably correct, which leaves regulation, and that will incense some folks. However, even that leaves the problem of all the devices in existence that may or may not get fixed with that regulation. There are possibly a variety of reasons for that, that might include the company is now gone, the devices are so old as to not be considered important enough to update (and that age number might be laughable in and of itself) or that the company then folds in light of the extra cost and potential lack of income from selling information in the future, and therefore does nothing.

Anonymous Coward says:

Re: This is a most difficult issue

Although I go out of my way to avoid new technology, it can get hard if not impossible to avoid ‘high-tech’ things. Are there any cars sold in the US, for instance, that don’t have a (non-optional) advanced electronic/computerized backbone?

Maybe it’s one reason why old cars from the 1960s are worth so much money these days, as those were the last of the "simple" vehicles before government standards for tailpipe emissions, fuel economy, and other things kicked in. Not that government regulation is all bad. In the case of cars, people who wanted the option of seat belts had to wait six decades until the government stepped in and forced automakers to offer them (at first as an option).

nasch (profile) says:

Re: Re: This is a most difficult issue

Are there any cars sold in the US, for instance, that don’t have a (non-optional) advanced electronic/computerized backbone?

No, everything has electronic engine control, anti lock brakes, and electronic stability control, just for a start. I believe a backup camera or sensors are now mandated. Anything but a bare bones economy car (and maybe not even those any more) will also have electronics in the cabin controlling anything from audio to climate control.

Not an Electronic Rodent (profile) says:

Re: This is a most difficult issue

The argument that the market will not solve this problem is probably correct, which leaves regulation, and that will incense some folks.

Sure will, if for no other reason than the legislation will inevitably suck and be a 1/2-measure at best. If such a thing happens I imagine it would be started by well-meaning "nerds" and a handful of the more tech-savvy politicians, but get waylaid by excessive lobbying from large corporations who really don’t want to pay to fix the problem they caused and actually kinda like the data they’re gathering. The result will be a watered-down, toothless version of whatever got proposed in the first place.

It’s still better than the even more scary alternative mentioned above, though:

Folks like Schneier have been warning for a while that it’s likely going to take a mass casualty event (caused by hacked infrastructure) to finally motivate some changes in the internet of broken things space.

Can you imagine the kind of headless-chicken, knee-jerk, politician-must-DO-somethingNOW abortion-of-a-law that would result from that? I’ll take the weedy and ineffectual half-measure any day!

kallethen says:

Earlier this month I got a new air conditioner. It’s basically the same as the old one except it’s got wifi capability to allow you to control it from your smart phone. For convenience’s sake, like turning on the A/C as you are coming home.

Think I’ve connected it to my internet to make use of that?

Hell no. And this article points out why. I’ll take safety over convenience.

Anonymous Anonymous Coward (profile) says:

Re: Re: Re:

40 years ago programmable thermostats weren’t connected to the Internet. Other than a few minutes of discomfort if you come home at a time the thermostat wasn’t programmed for, I see absolutely no reason for them to be connected now. Oh, except for the inane desire of the thermostat sellers to acquire information about you. That we, but apparently not they, can do without. No connectivity would solve the problem of someone hacking your furnace to blow up your house as well.

Anonymous Coward says:

Re: the market... finds a way

Buyers generally only care about the things that a heavy advertising campaign teaches them that they should care about. The few who actually think independently are too few for the industry to worry about. (I know I can’t be the only person in the world who demands that their laptop computer come without a built-in camera and microphone … but it often seems like it)

Anonymous Coward says:

Re: Re: the market... finds a way

(I know I can’t be the only person in the world who demands that their laptop computer come without a built-in camera and microphone … but it often seems like it)

A camera’s easy to tape and I’ve seen lots of people do it. A microphone isn’t so easy, and it may be possible to use the built-in speakers as microphones.

I want a removable battery, so I can know that the thing’s actually off (and don’t have to throw the laptop in a landfill when it wears out in a few years). Stores don’t sell laptops like that; I can still order them, but then I have to worry about government interdiction. Phones with removable battery have become almost unattainable.

dcfusor (profile) says:

Saw it coming, rolled my own

Not to brag of any special prescience, but this disaster was totally predictable given surrounding events (data slurping for cash, DDOSs and so on).

I developed my own homestead automation instead – it’s not like a lot of the ideas aren’t useful. But as I’m retired on an off-grid homestead I built…no need for the internet and its attack surface anyway – for that matter I skipped the whole smartphone thing – this area has only had coverage for the last 5 or so years anyway.

Survival is the oldest profession. If you don’t – that other one that makes the claim wouldn’t exist.

I have different challenges than most people do, I’d assume. Not having infinite power – not a good idea to turn on a big load like AC remotely anyway (not that I spend much time off my land as is). But I do need to monitor and control the solar system, the water collection/treatment/storage/delivery plumbing, and keep track of internal and external weather on campus (eg watch if pipes are going to freeze and preempt that if so).

I added in video and motion detection because it was easy and I get what amount to game pictures of the wildlife here as a bonus. I get audio announcements of important events off my background music system and if I want – I can send email to myself – all without leaving the LAN – or even having most of this (other than one raspi that serves as access point for the slave nodes and a web server) – visible even on my main LAN. I call it LAN of things, obviously.

The only real reason I see for being “out on the inet” is so some manufacturer can make money as a “man in the middle” – a widely discussed attack vector in security circles. And maybe charge rent, if not now, later after you’re locked in. Imagine having to pay to have your own house work! (I suppose many less fortunate pay rent as is, but yet another one?). I see no point giving anyone else that kind of control over me.

I don’t sell these, but some old documentation on how to do some parts yourself has been published. It’s way not rocket surgery, mostly a ton of sysadmin on small computers – which I don’t document, as it’s all over the web as is.

http://www.coultersmithing.com/forums/viewforum.php?f=59&sid=65ae80d0c2bcbb16960f301772dfad08

Anonymous Coward says:

Re: Saw it coming, rolled my own

I miss the days of phpBB forums, and was sad to see the likes of Facebook, Twitter, Reddit, etc, bury them. A site that combines tech news, programming, and guns seems like an odd mix — certainly not the kind of thing you might expect to see coming from someone from the ‘tech mecca’ S.F. Bay area.

dcfusor (profile) says:

Re: Re: Saw it coming, rolled my own

Because I’m in Appalachia and not a leftie.
Marksmanship is what we do here in the mountains instead of golf…as any golf balls would wind up in the creek between the ridges no matter what.
It’s something to do sometimes when I’m not doing fusion research or on the 23 mile round trip to the beer store.

tom (profile) says:

When I asked my Congress Critter about this a few years ago, I got the deer-in-the-headlights look. Most of them have no idea what Cyber Security really is. Many of those that have some idea think it only applies to state sponsored actions. Most don’t see the need for Federal standards or are already in the pocket of ISPs and IoT makers that want to profit from the data being harvested.

For those that care, buy an enterprise grade firewall and make sure your first rules block all traffic in both directions. Now add specific rules for each PC as needed, HTTPS, POP, etc. PITA but it really cuts down on the harm malware can do when it slips into your network. You will likely be surprised at the number of blocked comm attempts the default deny rule will collect.

Make sure any IOT gizmos are on their own LAN that can’t talk to your main LAN. Install any needed control gizmo on the IOT LAN. Again with the default deny rule and only add needed allow rules.
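As an added example (not the commenter’s own configuration, and not something from the article), here is that layout written as an nftables ruleset: a default deny in both directions, per-PC allow rules, and a separate IoT segment that can never initiate traffic into the main LAN, with only the one "control gizmo" reachable from it. The interface names, subnets and host addresses are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny home firewall with an isolated IoT segment.
# Interface names, subnets and host addresses are assumptions; substitute your own.
flush ruleset

define WAN_IF = "wan0"
define LAN_IF = "lan0"               # main LAN: PCs, phones
define IOT_IF = "iot0"               # separate LAN (or VLAN) for the gadgets
define WORKSTATION = 192.168.10.50   # one PC on the main LAN
define IOT_HUB = 192.168.20.10       # the one control gizmo that lives on the IoT LAN

table inet filter {
    # named counters so the default-deny hits can be read back later
    counter dropped_in  {}
    counter dropped_fwd {}

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # firewall administration (SSH) only from the main LAN
        iifname $LAN_IF tcp dport 22 accept
        # DNS and DHCP served by the firewall to both segments
        iifname { $LAN_IF, $IOT_IF } udp dport { 53, 67 } accept
        # everything else hits the default deny: count it, log it, drop it
        counter name dropped_in log prefix "fw-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # the IoT LAN can never initiate anything into the main LAN
        iifname $IOT_IF oifname $LAN_IF drop

        # the main LAN may reach the control gizmo on the IoT LAN, and nothing else there
        iifname $LAN_IF oifname $IOT_IF ip daddr $IOT_HUB tcp dport { 80, 443 } accept

        # per-PC allow rules toward the internet: only what each machine needs
        iifname $LAN_IF oifname $WAN_IF ip saddr $WORKSTATION tcp dport { 443, 995 } accept   # HTTPS, POP3S
        iifname $LAN_IF oifname $WAN_IF ip saddr $WORKSTATION udp dport 123 accept           # NTP

        # gadgets get no internet unless listed explicitly; here only the hub, only HTTPS
        iifname $IOT_IF oifname $WAN_IF ip saddr $IOT_HUB tcp dport 443 accept

        # default deny in both directions, counted and logged
        counter name dropped_fwd log prefix "fw-forward-drop: " drop
    }
}
```

Check it with `nft -c -f rules.nft` before loading it with `nft -f rules.nft`; `nft list counters` then shows how many packets the two default-deny rules have swallowed, which is the number the commenter says will surprise you. Two caveats: the `inet` table hooks IPv6 as well, but every allow rule above matches `ip` (v4) addresses only, so v6 traffic falls through to the default deny until you add `ip6` rules deliberately; and the hub’s outbound HTTPS rule still lets it talk to any host on port 443, so if you know the vendor’s endpoints, pin `ip daddr` to them as well.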

RestartDaily says:

PowerOffDevicesNotInUse

Power off any device that is not being actively used.

Restart the power on any device DAILY.

Check for Firmware updates.

Do Not Buy an I.o.T. device unless you understand that it probably is backdoored, has a hard coded password and can be used by anyone on the internet… e.g. don’t buy into I.o.T. for another decade or more…

ECA (profile) says:

I wonder..

Let me ask..
As I was told in the past and was demonstrated MANY times..
1 agency gets your info..even just a name and address..
THEY CAN SELL IT SO MANY TIMES…that they make MONEY. LOTS.

The more info they get, the more money they can get..
Even a few businesses that gather from MANY companies, and re-sort the data collected, can find a LOT of data.

There was 1-2 things missing from much of this. BANK/credit card/Credit rating and Social security INFO..
They got it now.

Love how we have Learned to protect our computers, but the Companies DONT GET IT..
How much spam do you like?
How many dead people trying to contact you??
How many STRANGE msg. do you get with a STRANGE LINK??
How many msg from services you DO USE, that you will NEVER CLICK THE LINK IN THE MSG..(I got one from my CC company, called them and sent it to them)
Since the year 2000, how easy was it to find PORN on your computer when you had NEVER seen that lady before?? or the Dog. It’s a lot CLEANER now, but we learned our lessons..

I can give you a link to a LEGIT site that has over 30 3rd party links and scripts they WISH to install…

