Now that Consumer Reports is explicitly factoring privacy and security into its tech reviews, we're making some progress to calling out the terrible state of affairs that turned the strange dream of an Internet of Things into a nightmare we call the Internet of Shit. Read the rest
Brett writes, "As a critique of the IoT buzz, I hacked a portable karaoke machine, stuffed a Raspberry Pi in it, connected it to the internet, and installed Docker on it." (tl;dr: he needed a portable CRT for an installation, found one embedded in a thrift-store karaoke machine, and got it wired up to the Raspi on the first try and discovered it made a perfect and delightful casemod). Read the rest
In 2008, a presentation at the RSA conference revealed the existence of "DNS rebinding attacks," that used relatively simple tactics to compromise browsers; a decade later, Berkeley and Princeton researchers announced a paper on DNS rebinding attacks against consumer devices (to be presented at August's ACM SIGCOMM 2018 Workshop on IoT Security and Privacy), while independent researcher Brannon Dorsey published similar work. Read the rest
The MQ-9 Reaper unmanned aerial vehicle is a scary piece of hardware, capable of unleashing hell on an unsuspecting target from miles away, without ever being seen. It’s the sort of hardware that you don’t want falling into the wrong hands—even the details of how it operates are best kept squirreled away.
So, of course, a group of hackers got their hands on the Reaper’s operating manual with the intention of selling it online to anyone that wants it for $150 a pop. As with most security flaws, the exploit they used was all too human: they accessed the document through an Air Force Captain’s under protected home network:
From Task & Purpose:
Andrei Barysevich at cybersecurity firm Recorded Future, who first spotted the document on June 1, wrote an analysis of the hacker group’s methods, which were fairly unsophisticated. The group used the Internet of Things search engine Shodan to find open, unsecured networks, before connecting and pilfering them of documents.
The drone manual came from a captain at the 432nd Aircraft Maintenance Squadron out of Creech Air Force Base in Nevada, the analysis said.
But that’s not all! As an added bonus, the hackers also managed to snag a manual for ground troops that details how to lessen the threats posed by improvised explosive devices. Where the chances of someone being able to get their hands on a Reaper Drone to pair with a pilfered manual are pretty slim, the information given to grunts on how to keep from getting blown up by IEDs could easily be put to use by an aggressor: if you know what soldiers are looking for when they're sniffing out a threat, then you understand what to change up in order to potentially provide your attacks with a higher rate of success. Read the rest
Last week, I wrote about Shenzhen Gwelltimes Technology Co's ubiquitous "home security" cameras that can be hacked with ease by voyeurs and criminals, seemingly the last word in dangerously lax security -- but here comes scrappy underdog Swann Security, with a hold-my-beer turning point in shitty technology designs: a self-hacking camera that nonconsensually sends the video feed from inside your home to strangers who didn't even try to hack you. Read the rest
People who help domestic abuse survivors say that they are facing an epidemic of women whose abusers are torturing them by breaking into their home smart devices, gaslighting them by changing their thermostat settings, locking them out of their homes, spying on them through their cameras. Read the rest
Shenzhen Gwelltimes Technology Co., Ltd is the white-label vendor behind a whole constellation of Internet of Things networked home cameras sold as security cameras, baby monitors, pet monitors, and similar technologies; these cameras are designed to be monitored by their owners using an app, and because of farcically bad default passwords ("123") and other foolish security practices (such as sequentially numbering each camera, allowing attackers to enumerate vulnerable devices), the devices are trivial to locate and hijack over the internet. Read the rest
As of July 1, registering a car in China will involve registering an RFID radio-beacon that will be planted on the car in order to track its movements. Read the rest
The tiny embedded processors in smart gadgets -- including much of the Internet of Shit -- are able to do a lot of sensing without exhausting their batteries, because sensing is cheap in terms of power consumption. Read the rest
Jonathan Zittrain (previously) writes, "There’s reason to worry about security for the ever-growing Internet of Things, and it’ll be tempting to encourage vendors to solely control their devices that much more, limiting interoperability or user tinkering. There are alternatives - models for maintaining firmware patches for orphaned devices, and a 'Faraday mode' so that iffy devices can still at least partially function even if they’re not able to remain safely online. Procrastination around security has played a key role in its success. But 'later' shouldn’t mean 'never' for the IoT." Read the rest
The UK consumer review magazine Which? (equivalent to America's Consumer Reports) has published a special investigation into the ways that Internet of Things smart devices are spying on Britons at farcical levels, with the recommendation that people avoid smart devices where possible, to feed false data to smart devices you do own, and to turn off data-collection settings in devices' confusing, deeply hidden control panels. Read the rest
The Internet of Things morphed from a ridiculous answer in search of a problem ("why do I want my fridge connected to the internet?") to a source of Black Mirror-style modern absurdities ("someone pushed a load of internet porn to my fridge") to an existential threat ("my fridge just joined a world-killing botnet"). Read the rest
As scary as the epidemics of malware for Internet of Things devices have been, they had one saving grace: because they only lived in RAM (where they were hard to detect!), they could be flushed just by rebooting the infected gadget. Read the rest
Checkmarx researchers including Erez Yalon have created a "rogue Alexa skill" that bypasses Amazon's security checks: it lurks silently and unkillably in the background of your Alexa, listening to all speech in range of it and transcribing it, then exfiltrating the text and audio of your speech to the attacker. Read the rest