The eminently hackable police bodycam

Josh Mitchell's Defcon presentation analyzes the security of five popular brands of police bodycams (Vievu, Patrol Eyes, Fire Cam, Digital Ally, and CeeSc) and reveals that they are universally terrible, though the Digital Ally models are the least bad of the batch, as Wired's Lily Hay Newman reports. Read the rest

What should go in an IoT safety-rating sticker?

Now that Consumer Reports is explicitly factoring privacy and security into its tech reviews, we're making some progress to calling out the terrible state of affairs that turned the strange dream of an Internet of Things into a nightmare we call the Internet of Shit. Read the rest

Karaoke casemod: it's surprisingly easy to hook up a karaoke machine's CRT to a Raspberry Pi

Brett writes, "As a critique of the IoT buzz, I hacked a portable karaoke machine, stuffed a Raspberry Pi in it, connected it to the internet, and installed Docker on it." (tl;dr: he needed a portable CRT for an installation, found one embedded in a thrift-store karaoke machine, and got it wired up to the Raspi on the first try and discovered it made a perfect and delightful casemod). Read the rest

Half a billion IoT devices inside of businesses can be hacked through decade-old DNS rebinding attacks

In 2008, a presentation at the RSA conference revealed the existence of "DNS rebinding attacks," that used relatively simple tactics to compromise browsers; a decade later, Berkeley and Princeton researchers announced a paper on DNS rebinding attacks against consumer devices (to be presented at August's ACM SIGCOMM 2018 Workshop on IoT Security and Privacy), while independent researcher Brannon Dorsey published similar work. Read the rest

Self-hacking Internet of Shit camera automatically sends randos the feed from inside your house

Last week, I wrote about Shenzhen Gwelltimes Technology Co's ubiquitous "home security" cameras that can be hacked with ease by voyeurs and criminals, seemingly the last word in dangerously lax security -- but here comes scrappy underdog Swann Security, with a hold-my-beer turning point in shitty technology designs: a self-hacking camera that nonconsensually sends the video feed from inside your home to strangers who didn't even try to hack you. Read the rest

The Internet of Shit: a godsend for abusers and stalkers

People who help domestic abuse survivors say that they are facing an epidemic of women whose abusers are torturing them by breaking into their home smart devices, gaslighting them by changing their thermostat settings, locking them out of their homes, spying on them through their cameras. Read the rest

Insecure internet security cameras and nannycams are actively exploited by voyeurs to spy on owners

Shenzhen Gwelltimes Technology Co., Ltd is the white-label vendor behind a whole constellation of Internet of Things networked home cameras sold as security cameras, baby monitors, pet monitors, and similar technologies; these cameras are designed to be monitored by their owners using an app, and because of farcically bad default passwords ("123") and other foolish security practices (such as sequentially numbering each camera, allowing attackers to enumerate vulnerable devices), the devices are trivial to locate and hijack over the internet. Read the rest

Screwdriver optional: fingerprint lock broadcasts its unlock code over Bluetooth (and the steel is garbage)

Fingerprint locks are catastrophically awful, part LXVII: the software security on the crowdfunded Tapplock "is basically nonexistent" -- the lock broadcasts its own unlock code over Bluetooth, and if you send it back to the lock, it pops open. Read the rest

China mandates radio-tracking beacons in all cars

As of July 1, registering a car in China will involve registering an RFID radio-beacon that will be planted on the car in order to track its movements. Read the rest

Machine learning may be most useful in tiny, embedded, offline processors

The tiny embedded processors in smart gadgets -- including much of the Internet of Shit -- are able to do a lot of sensing without exhausting their batteries, because sensing is cheap in terms of power consumption. Read the rest

How do we fix IoT security without blocking interoperability and creating monopolies?

Jonathan Zittrain (previously) writes, "There’s reason to worry about security for the ever-growing Internet of Things, and it’ll be tempting to encourage vendors to solely control their devices that much more, limiting interoperability or user tinkering. There are alternatives - models for maintaining firmware patches for orphaned devices, and a 'Faraday mode' so that iffy devices can still at least partially function even if they’re not able to remain safely online. Procrastination around security has played a key role in its success. But 'later' shouldn’t mean 'never' for the IoT." Read the rest

UK consumer review magazine Which?: your smart home is spying on you, from your TV to your toothbrush

The UK consumer review magazine Which? (equivalent to America's Consumer Reports) has published a special investigation into the ways that Internet of Things smart devices are spying on Britons at farcical levels, with the recommendation that people avoid smart devices where possible, to feed false data to smart devices you do own, and to turn off data-collection settings in devices' confusing, deeply hidden control panels. Read the rest

An analysis of all those Internet of Things manifestos sparked by the slow-motion IoT catastrophe

The Internet of Things morphed from a ridiculous answer in search of a problem ("why do I want my fridge connected to the internet?") to a source of Black Mirror-style modern absurdities ("someone pushed a load of internet porn to my fridge") to an existential threat ("my fridge just joined a world-killing botnet"). Read the rest

Working replica of Snake Plissken's Lifeclock countdown timer watch from Escape From New York

The Lifeclock One: Snake Edition is a $300 licensed replica of the countdown timer watch worn by Snake Plissken in Escape From New York: it's very cool looking and faithful to the original prop, but regrettably, the designers have added in a bunch of "smart-watch" features (Bluetooth, an app, text-message and app notifications from your phone) that raise the price, create needless attack surface, and add complexity. Read the rest

A new strain of IoT malware can survive a reboot

As scary as the epidemics of malware for Internet of Things devices have been, they had one saving grace: because they only lived in RAM (where they were hard to detect!), they could be flushed just by rebooting the infected gadget. Read the rest

Security researchers can turn Alexa into a transcribing, always-on listening device

Checkmarx researchers including Erez Yalon have created a "rogue Alexa skill" that bypasses Amazon's security checks: it lurks silently and unkillably in the background of your Alexa, listening to all speech in range of it and transcribing it, then exfiltrating the text and audio of your speech to the attacker. Read the rest

ISO rejects the NSA's IoT crypto standard, believing it to be backdoored

For three years, International Standards Organization has been wrangling over which cryptographic algorithms will be incorporated into a standard for interoperability in "Internet of Things" gadgets; at issue has been the NSA's insistence that "Simon" and "Speck" would be the standard block cipher algorithms in these devices. Read the rest

More posts