Security researchers reveal defects that allow wireless hijacking of giant construction cranes, scrapers and excavators

Using software-defined radios, researchers from Trend Micro were able to reverse-engineer the commands used to control massive industrial machines, including cranes, excavators and scrapers; most of these commands were unencrypted, but even the encrypted systems were vulnerable to "replay attacks" that allowed the researchers to bypass the encryption.

Jibo the social robot announces that its VC overlords have remote-killswitched it, makes pathetic farewell address and dances a final step

Jibo was a "social robot" startup that burned through $76m in venture capital and crowdfunding before having its assets sold to SQN Venture Partners late last year.

Alias: a smart-speaker "parasite" that blocks your speaker's sensors until you activate it

Alias is an open source hardware/free-open firmware "parasite" that fits over your smart speaker's sensors and fills them with white noise; the Alias has its own (non-networked, user-controlled) mic and speaker and when you speak a magic phrase, the Alias temporarily stops the white noise and transmits your commands to the speaker; Alias also lets you specify strings of commands and other useful utilities that restore control over your smart-speaker to you.

Bad security design made it easy to spy on video from Ring doorbells and insert fake video into their feeds

Researchers from Dojo/Bullguard investigated the security model of the Ring smart doorbell -- made by Amazon -- and discovered that the video was sent "in the clear" (without encryption) meaning that people on the same network as the doorbell, or on the same network as one of its owners, can easily tap into its feeds.

As sports company abandons support for "smart" basketball, Nike pushes a software update that bricks its self-tying shoes

Wilson X was the sports manufacturer's entry into the market for smart basketballs, but maintaining the app that made sense of the telemetry from your sensor-equipped roundball was expensive and stupid and so the Wilson X app is no more, and the "B" in "B-ball" stands for "bricked."

Google admits Nest security product has a secret mic, insists it wasn't supposed to be a secret

Nest is the Internet of Shit company Google bought and steadily expanded from "smart" thermostats to the current home security product, "Nest Secure," which has an undisclosed microphone -- but don't worry, it wasn't intended to be a secret, Google just forgot to mention it, and "the microphone has never been on and is only activated when users specifically enable the option."

The Internet of Dongs remains a security dumpster-fire -- UPDATED

The Internet of Dongs is Brad Haines's term for the world of internet-connected, "teledildonic" sex toys, and Haines, along with Sarah Jamie Lewis, has exhaustively documented all the ways in which internet-connected sex toys can screw you, from leaking private data to physically attacking your junk.

18 months on, kids' smart watches are STILL a privacy & security dumpster-fire, and a gift to stalkers everywhere

In late 2017, the Norwegian Consumer Council published its audit of kids' smart-watches, reporting that the leading brands allowed strangers to follow your kids around and listen in on their conversations; a year later, Pen Test Partners followed up to see if anything had changed (it hadn't).

Discarded smart lightbulbs reveal your wifi passwords, stored in the clear

Your internet-of-shit smart lightbulb is probably storing your wifi password in the clear, ready to be recovered by wily dumpster-divers; Limited Results discovered the security worst-practice during a teardown of a Lifx bulb; and that's just for starters: the bulbs also store their RSA private key and root passwords in the clear and have no security measures to prevent malicious reflashings of their ROMs with exploits, network probes and other nasties. (Thanks, John!)

Vizio exec: we'd have to charge a premium on "dumb" TVs to make up for the money we'll lose by not spying on you

At CES, the Verge's Nilay Patel interviewed Vizio CTO Bill Baxter, who told him that when it comes to the surveillance features of his company's "smart" TVs, "it’s not just about data collection. It’s about post-purchase monetization of the TV...[When it comes to 'dumb' TVs,] we’d collect a little bit more margin at retail to offset it."

Whistleblower: Amazon Ring stores your doorbell and home video feeds unencrypted and grants broad "unfettered" access to them

Sources "familiar with Ring's practices" have told The Intercept that the company -- a division of Amazon that makes streaming cameras designed to be mounted inside and outside your home -- stores the video feeds from its customers' homes in unencrypted format and allows staff around the world to have essentially unfettered access to these videos.

Livetweeting a toothbrush's firmware update

When your toothbrush is part of the Internet of Shit, sometimes you need to update its firmware, and when that happens, sometimes you have to decide whether your toothbrush will have access to your location. Thank you to Andrew Crow for livetweeting this glimpse of the future of Surveillance Dentistry. (Thanks, Radical Goats!)

Arizona realtor surprised to find Canadian "white hat" hacker talking to him through his smart doorbell

Arizona realtor Andy Gregg's Nest doorbell/camera started talking to him: the voice on the other end identified itself as a Canadian "white hat" security researcher who'd broken into his camera by using a password that Gregg had used on multiple services, including some that had been breached. The hacker warned him that he was vulnerable and told him to tighten up his security before a bad guy got into his doorbell.

A Trustmark for IoT: separating the Internet of Shit from the Internet of Things

Peter writes, "ThingsCon, our Berlin-based non-profit for a more responsible IoT, launches a trustmark for IoT - the Trustable Technology Mark. Cory gave some input to it a while back already, and finally it's launch day: We want to highlight the best work in IoT, the best/most respectful of users' rights, privacy and security. It's an entirely non-profit effort to elevate the debate in this odd space that's full of crap; I think you might like it."

Insurance companies gouge on CPAP machines and consumables, use wireless modems to spy on your usage

Sleep apnea is a fast-growing health complaint among Americans, and that has triggered a set of deceptive and unethical measures by US health insurers to shift the cost of using CPAP machines (the forced air machines that sleep apnea patients rely on to stay healthy) to the people who use them, with the effect that it's often much cheaper to pay cash for your machine and its consumables than it is to get them through insurance.

Consumer Reports finds that D-Link's home camera sends unencrypted video without unique passwords

As part of its ongoing commitment to evaluate information security and privacy when reviewing IoT devices (previously), Consumer Reports has published a scathing review of D-Link's home security camera.

Internet of Shit watch: Honeywell server outage means "smart" thermostats are inaccessible

For weeks, Honeywell Home customers have been complaining about outages with their Honeywell "Total Connect Comfort" apps, which allow them to remote control their smart thermostats; several days ago, customers started complaining that the app had stopped working altogether.
