Peter writes, "ThingsCon, our Berlin-based non-profit for a more responsible IoT, launches a trustmark for IoT - the Trustable Technology Mark. Cory gave some input to it a while back already, and finally it's launch day: We want to highlight the best work in IoT, the best/most respectful of users' rights, privacy and security. It's an entirely non-profit effort to elevate the debate in this odd space that's full of crap; I think you might like it." Read the rest

Sleep apnea is a fast-growing health complaint among Americans, and that has triggered a set of deceptive and unethical measures by US health insurers to shift the cost of using CPAP machines (the forced air machines that sleep apnea patients rely on to stay healthy) to the people who use them, with the effect that it's often much cheaper to pay cash for your machine and its consumables than it is to get them through insurance. Read the rest

As part of its ongoing commitment to evaluate information security and privacy when reviewing IoT devices (previously), Consumer Reports has published a scathing review of D-Link's home security camera. Read the rest

For weeks, Honeywell Home customers have been complaining about outages with their Honeywell "Total Connect Comfort" apps, which allow them to remote control their smart thermostats; several days ago, customers started complaining that the app had stopped working altogether. Read the rest

Shelan Faith has an internet-enabled home "security" system from Vivint Home Security; it includes cameras that spy on the interior and exterior of her home, as well as sensors that report on things like when her doors and garage are open or closed. Read the rest

Bruce Schneier (previously) has spent literal decades as part of the vanguard of the movement to get policy makers to take internet security seriously: to actually try to make devices and services secure, and to resist the temptation to blow holes in their security in order to spy on "bad guys." In Click Here to Kill Everybody: Security and Survival in a Hyper-connected World, Schneier makes a desperate, impassioned plea for sensible action, painting a picture of a world balanced on the point of no return.

If an attacker takes control of a device inside your network -- by exploiting a defect in it or a mistake you made in configuring it or by tricking you somehow -- then they can do all kinds of bad things, like scanning your local network for other vulnerable devices, attacking them and taking control over them. Read the rest

Every version of the popular Openssh program -- a critical, widely used tool for secure communications -- share a critical vulnerability that was present in the program's initial 1999 release. Read the rest

The Smarter Bridge is a project led by Mix3d, which makes robotic 3D printers that can sinter stainless steel structures and inch their way along the surfaces as they are completed. Read the rest

Douglas McKee of McAffee presented his research into the security of medical diagnostic equipment at last week's Defcon conference in Las Vegas. Read the rest

Now that Consumer Reports is explicitly factoring privacy and security into its tech reviews, we're making some progress to calling out the terrible state of affairs that turned the strange dream of an Internet of Things into a nightmare we call the Internet of Shit. Read the rest

Brett writes, "As a critique of the IoT buzz, I hacked a portable karaoke machine, stuffed a Raspberry Pi in it, connected it to the internet, and installed Docker on it." (tl;dr: he needed a portable CRT for an installation, found one embedded in a thrift-store karaoke machine, and got it wired up to the Raspi on the first try and discovered it made a perfect and delightful casemod). Read the rest

In 2008, a presentation at the RSA conference revealed the existence of "DNS rebinding attacks," that used relatively simple tactics to compromise browsers; a decade later, Berkeley and Princeton researchers announced a paper on DNS rebinding attacks against consumer devices (to be presented at August's ACM SIGCOMM 2018 Workshop on IoT Security and Privacy), while independent researcher Brannon Dorsey published similar work. Read the rest

The MQ-9 Reaper unmanned aerial vehicle is a scary piece of hardware, capable of unleashing hell on an unsuspecting target from miles away, without ever being seen. It’s the sort of hardware that you don’t want falling into the wrong hands—even the details of how it operates are best kept squirreled away.

So, of course, a group of hackers got their hands on the Reaper’s operating manual with the intention of selling it online to anyone that wants it for $150 a pop. As with most security flaws, the exploit they used was all too human: they accessed the document through an Air Force Captain’s under protected home network:

From Task & Purpose:

Andrei Barysevich at cybersecurity firm Recorded Future, who first spotted the document on June 1, wrote an analysis of the hacker group’s methods, which were fairly unsophisticated. The group used the Internet of Things search engine Shodan to find open, unsecured networks, before connecting and pilfering them of documents.

The drone manual came from a captain at the 432nd Aircraft Maintenance Squadron out of Creech Air Force Base in Nevada, the analysis said.

But that’s not all! As an added bonus, the hackers also managed to snag a manual for ground troops that details how to lessen the threats posed by improvised explosive devices. Where the chances of someone being able to get their hands on a Reaper Drone to pair with a pilfered manual are pretty slim, the information given to grunts on how to keep from getting blown up by IEDs could easily be put to use by an aggressor: if you know what soldiers are looking for when they're sniffing out a threat, then you understand what to change up in order to potentially provide your attacks with a higher rate of success. Read the rest

Last week, I wrote about Shenzhen Gwelltimes Technology Co's ubiquitous "home security" cameras that can be hacked with ease by voyeurs and criminals, seemingly the last word in dangerously lax security -- but here comes scrappy underdog Swann Security, with a hold-my-beer turning point in shitty technology designs: a self-hacking camera that nonconsensually sends the video feed from inside your home to strangers who didn't even try to hack you. Read the rest

People who help domestic abuse survivors say that they are facing an epidemic of women whose abusers are torturing them by breaking into their home smart devices, gaslighting them by changing their thermostat settings, locking them out of their homes, spying on them through their cameras. Read the rest

Shenzhen Gwelltimes Technology Co., Ltd is the white-label vendor behind a whole constellation of Internet of Things networked home cameras sold as security cameras, baby monitors, pet monitors, and similar technologies; these cameras are designed to be monitored by their owners using an app, and because of farcically bad default passwords ("123") and other foolish security practices (such as sequentially numbering each camera, allowing attackers to enumerate vulnerable devices), the devices are trivial to locate and hijack over the internet. Read the rest