Rolling robots 3D print a bridge, inching their way along the span as they lay it

The Smarter Bridge is a project led by Mix3d, which makes robotic 3D printers that can sinter stainless steel structures and inch their way along the surfaces as they are completed. Read the rest

Insecure medical equipment protocols let attackers spoof diagnostic information

Douglas McKee of McAffee presented his research into the security of medical diagnostic equipment at last week's Defcon conference in Las Vegas. Read the rest

What should go in an IoT safety-rating sticker?

Now that Consumer Reports is explicitly factoring privacy and security into its tech reviews, we're making some progress to calling out the terrible state of affairs that turned the strange dream of an Internet of Things into a nightmare we call the Internet of Shit. Read the rest

Karaoke casemod: it's surprisingly easy to hook up a karaoke machine's CRT to a Raspberry Pi

Brett writes, "As a critique of the IoT buzz, I hacked a portable karaoke machine, stuffed a Raspberry Pi in it, connected it to the internet, and installed Docker on it." (tl;dr: he needed a portable CRT for an installation, found one embedded in a thrift-store karaoke machine, and got it wired up to the Raspi on the first try and discovered it made a perfect and delightful casemod). Read the rest

Half a billion IoT devices inside of businesses can be hacked through decade-old DNS rebinding attacks

In 2008, a presentation at the RSA conference revealed the existence of "DNS rebinding attacks," that used relatively simple tactics to compromise browsers; a decade later, Berkeley and Princeton researchers announced a paper on DNS rebinding attacks against consumer devices (to be presented at August's ACM SIGCOMM 2018 Workshop on IoT Security and Privacy), while independent researcher Brannon Dorsey published similar work. Read the rest

Hackers swiped an operator manual for a fancy airborne killing machine

The MQ-9 Reaper unmanned aerial vehicle is a scary piece of hardware, capable of unleashing hell on an unsuspecting target from miles away, without ever being seen. It’s the sort of hardware that you don’t want falling into the wrong hands—even the details of how it operates are best kept squirreled away.

So, of course, a group of hackers got their hands on the Reaper’s operating manual with the intention of selling it online to anyone that wants it for $150 a pop. As with most security flaws, the exploit they used was all too human: they accessed the document through an Air Force Captain’s under protected home network:

From Task & Purpose:

Andrei Barysevich at cybersecurity firm Recorded Future, who first spotted the document on June 1, wrote an analysis of the hacker group’s methods, which were fairly unsophisticated. The group used the Internet of Things search engine Shodan to find open, unsecured networks, before connecting and pilfering them of documents.

The drone manual came from a captain at the 432nd Aircraft Maintenance Squadron out of Creech Air Force Base in Nevada, the analysis said.

But that’s not all! As an added bonus, the hackers also managed to snag a manual for ground troops that details how to lessen the threats posed by improvised explosive devices. Where the chances of someone being able to get their hands on a Reaper Drone to pair with a pilfered manual are pretty slim, the information given to grunts on how to keep from getting blown up by IEDs could easily be put to use by an aggressor: if you know what soldiers are looking for when they're sniffing out a threat, then you understand what to change up in order to potentially provide your attacks with a higher rate of success. Read the rest

Self-hacking Internet of Shit camera automatically sends randos the feed from inside your house

Last week, I wrote about Shenzhen Gwelltimes Technology Co's ubiquitous "home security" cameras that can be hacked with ease by voyeurs and criminals, seemingly the last word in dangerously lax security -- but here comes scrappy underdog Swann Security, with a hold-my-beer turning point in shitty technology designs: a self-hacking camera that nonconsensually sends the video feed from inside your home to strangers who didn't even try to hack you. Read the rest

The Internet of Shit: a godsend for abusers and stalkers

People who help domestic abuse survivors say that they are facing an epidemic of women whose abusers are torturing them by breaking into their home smart devices, gaslighting them by changing their thermostat settings, locking them out of their homes, spying on them through their cameras. Read the rest

Insecure internet security cameras and nannycams are actively exploited by voyeurs to spy on owners

Shenzhen Gwelltimes Technology Co., Ltd is the white-label vendor behind a whole constellation of Internet of Things networked home cameras sold as security cameras, baby monitors, pet monitors, and similar technologies; these cameras are designed to be monitored by their owners using an app, and because of farcically bad default passwords ("123") and other foolish security practices (such as sequentially numbering each camera, allowing attackers to enumerate vulnerable devices), the devices are trivial to locate and hijack over the internet. Read the rest

Screwdriver optional: fingerprint lock broadcasts its unlock code over Bluetooth (and the steel is garbage)

Fingerprint locks are catastrophically awful, part LXVII: the software security on the crowdfunded Tapplock "is basically nonexistent" -- the lock broadcasts its own unlock code over Bluetooth, and if you send it back to the lock, it pops open. Read the rest

China mandates radio-tracking beacons in all cars

As of July 1, registering a car in China will involve registering an RFID radio-beacon that will be planted on the car in order to track its movements. Read the rest

Machine learning may be most useful in tiny, embedded, offline processors

The tiny embedded processors in smart gadgets -- including much of the Internet of Shit -- are able to do a lot of sensing without exhausting their batteries, because sensing is cheap in terms of power consumption. Read the rest

How do we fix IoT security without blocking interoperability and creating monopolies?

Jonathan Zittrain (previously) writes, "There’s reason to worry about security for the ever-growing Internet of Things, and it’ll be tempting to encourage vendors to solely control their devices that much more, limiting interoperability or user tinkering. There are alternatives - models for maintaining firmware patches for orphaned devices, and a 'Faraday mode' so that iffy devices can still at least partially function even if they’re not able to remain safely online. Procrastination around security has played a key role in its success. But 'later' shouldn’t mean 'never' for the IoT." Read the rest

UK consumer review magazine Which?: your smart home is spying on you, from your TV to your toothbrush

The UK consumer review magazine Which? (equivalent to America's Consumer Reports) has published a special investigation into the ways that Internet of Things smart devices are spying on Britons at farcical levels, with the recommendation that people avoid smart devices where possible, to feed false data to smart devices you do own, and to turn off data-collection settings in devices' confusing, deeply hidden control panels. Read the rest

An analysis of all those Internet of Things manifestos sparked by the slow-motion IoT catastrophe

The Internet of Things morphed from a ridiculous answer in search of a problem ("why do I want my fridge connected to the internet?") to a source of Black Mirror-style modern absurdities ("someone pushed a load of internet porn to my fridge") to an existential threat ("my fridge just joined a world-killing botnet"). Read the rest

A new strain of IoT malware can survive a reboot

As scary as the epidemics of malware for Internet of Things devices have been, they had one saving grace: because they only lived in RAM (where they were hard to detect!), they could be flushed just by rebooting the infected gadget. Read the rest

Security researchers can turn Alexa into a transcribing, always-on listening device

Checkmarx researchers including Erez Yalon have created a "rogue Alexa skill" that bypasses Amazon's security checks: it lurks silently and unkillably in the background of your Alexa, listening to all speech in range of it and transcribing it, then exfiltrating the text and audio of your speech to the attacker. Read the rest

More posts