Hackers say they breached Russian contractor, got details on IoT hacking project for Russia spy agency

• 'Fronton' is the FSB's IoT botnet project

Internet of Starving Pets: animals go hungry after "smart feeder" fails

Petnet is a $300 internet-of-things pet food bowl. Its network went down and stayed down for a week, leaving some pets to go hungry. The BBC reports that owners are livid and that it's not the first trouble Petnet's had maintaining service.

Petnet has two Twitter accounts. The official one has not tweeted since 30 August 2019 but the support account issued four tweets between 14 and 21 February about the problems experienced. In its first tweet it said a "system outage" was affecting second generation devices and asked customers not to switch off their feeder even if it appeared to be offline. ... On 21 February it said smartfeeders were "returning online" and a "system reset" was in progress.

The Petnet has dismal reviews on Amazon, where the Wopet is the clear favorite: a plain old automatic feeder, no internet required.

PREVIOUSLY: Smart pet food bowl closes when pets overeat.

New app helps you identify IoT devices around you, tells you what data they collect

Researchers at Carnegie Mellon have come up with this new IoT Assistant app (available for both iOS and Android) that will supposedly inform you about what Internet-connected smart devices are around you at any point in time, and what kind of information they might be collecting.

“Because of new laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), people need to be informed about what data is collected about them and they need to be given some choices over these processes,” says Professor Norman Sadeh, a CyLab faculty member in Carnegie Mellon’s Institute for Software Research and the principal investigator on the project. “We have built an infrastructure that enables owners of IoT technologies to comply with these laws, and an app that takes advantage of this infrastructure to empower people to find out about and control data collected by these technologies.”

I've downloaded the app myself, and I plan on adding my own smart home devices to their database, just to see what I can find. I don't know how well it will actually work, but I'm certainly intrigued by the idea.

New infrastructure will enhance privacy in today’s Internet of Things [Daniel Tkacik / CyLab, the Carnegie Mellon University Security and Privacy Institute]

Podcast: The case for ... cities that aren't dystopian surveillance states

For my latest podcast, I read my Guardian Cities column, "The case for ... cities that aren't dystopian surveillance states," which was the last piece ever commissioned for the section.

Unauthorized Charcoal: GE fridges won't dispense ice or water unless your filter authenticates as an official ($55!) component

@ShaneMorris: "My fridge has an RFID chip in the water filter, which means the generic water filter I ordered for $19 doesn't work. My fridge will literally not dispense ice, or water. I have to pay @generalelectric $55 for a water filter from them."

Radicalized is a Canada Reads finalist, will be a graphic novel, and is eligible for the Hugo Award!

My 2019 book Radicalized has been named one of the five finalists for Canada Reads, the CBC's annual book prize -- Canada's leading national book award, alongside of the Governor General's award!

Imagining a "smart city" that treats you as a sensor, not a thing to be sensed

The editors of Guardian Cities (previously) saw my Toronto Life blurb about how a "smart city" could be focused on enabling its residents, rather than tracking and manipulating them, and asked me to write a longer piece on the theme: The case for ... cities where you're the sensor, not the thing being sensed is the result.

Inventive students detach IoT car-immobilizers, use their SIMs to power free wifi hotspots

The "Barnacle" is a networked car-immobilizer that parking guards stick over the windshield of your illegally parked car; you pay the fine online and the Barnacle gets an over-the-air signal to release itself from your car so you can remove it and put it in a nearby deposit bin.

Nulledcast: a podcast where hackers play live audio of themselves breaking into Ring cameras and tormenting their owners

Nulledcast is a realtime podcast streamed on a Discord channel for the hacking forum Nulled: the hosts break into Ring and Nest cameras in realtime, blare sirens at the owners, then torment them with insults and racist slurs, livestreaming their responses to hundreds of listeners.

Talking with the Left Field podcast about Sidewalk Labs's plan to build a surveilling "smart city" in Toronto

We've been closely following the plan by Google sister company Sidewalk Labs to build a surveilling "smart city" in Toronto; last week, I sat down with the Out of Left Field podcast (MP3) to discuss what's going on with Sidewalk Labs, how it fits into the story of Big Tech, and what the alternatives might be.

A woman's stalker compromised her car's app, giving him the ability to track and immobilize it

An Australian woman's creepy, violent ex-boyfriend hacked her phone using stalkerware, then used that, along with her car's VIN number, to hack the remote control app for her car (possibly Land Rover's InControl app), which allowed him to track her location, stop and start her car, and adjust the car's temperature.

My review of Sandworm: an essential guide to the new, reckless world of "cyberwarfare"

For years, I've followed Andy Greenberg's excellent reporting on "Sandworm," a set of infrastructure-targeted cyberattacks against Ukraine widely presumed to be of Russian origin, some of which escaped their targeted zone and damaged systems around the world.

Griefer terrorizes baby by taking over their Nest babycam...again

Nest is a home automation company that Google bought in 2014, turned into an independent unit of Alphabet, then re-merged with Google again in 2018 (demonstrating that the "whole independent companies under Alphabet" thing was just a flag of convenience for tax purposes); the company has always focused on "ease of use" over security and internecine warfare between different dukes and lords of Google meant that it was never properly integrated with Google's security team, which is why, over and over again, people who own Nest cameras discover strangers staring at them from their unblinking camera eyes, sometimes shouting obscenities.

Assessing the security of devices by measuring how many difficult things the programmers tried to do

The Cyber Independent Testing Lab is a security measurement company founded by Mudge Zatko (previously), late of the Cult of the Dead Cow and L0pht Heavy Industries and the NSA's Tailored Access Operations Group; it has a unique method for assessing the security of devices derived from methods developed by Mudge at the NSA.

Guy returns his "smart" light bulbs, discovers he can still control them after someone else buys them

You know what's great about putting wifi-enabled, Turing-complete computers into things like lightbulbs? Not. A. Single. Fucking. Thing.

Ring: "We don't use facial recognition"; also Ring: "We have a head of facial recognition research"

One of the most obvious facts I've learned in covering the unfolding scandal of the secret deals between Amazon's Ring surveillance doorbell group and hundreds of US police departments is that Amazon loooooves to play word-games.

Penetration tester releases proof-of-concept code for hijacking smart buttplugs

Last week at Defcon, a security researcher named Smea presented their findings on vulnerabilities in the Lovense Hush, an internet-of-things buttplug that has already been shown to have critical privacy vulnerabilities.
