18 months on, kids' smart watches are STILL a privacy & security dumpster-fire, and a gift to stalkers everywhere

In late 2017, the Norwegian Consumer Council published its audit of kids' smart-watches, reporting that the leading brands allowed strangers to follow your kids around and listen in on their conversations; a year later, Pen Test Partners followed up to see if anything had changed (it hadn't).

Discarded smart lightbulbs reveal your wifi passwords, stored in the clear

Your internet-of-shit smart lightbulb is probably storing your wifi password in the clear, ready to be recovered by wily dumpster-divers; Limited Results discovered the security worst-practice during a teardown of a Lifx bulb; and that's just for starters: the bulbs also store their RSA private key and root passwords in the clear and have no security measures to prevent malicious reflashings of their ROMs with exploits, network probes and other nasties. (Thanks, John!)

Vizio exec: we'd have to charge a premium on "dumb" TVs to make up for the money we'll lose by not spying on you

At CES, the Verge's Nilay Patel interviewed Vizio CTO Bill Baxter, who told her that when it comes to the surveillance features of his company's "smart" TVs, "it’s not just about data collection. It’s about post-purchase monetization of the TV...[When it comes to 'dumb' TVs,] we’d collect a little bit more margin at retail to offset it."

Whistleblower: Amazon Ring stores your doorbell and home video feeds unencrypted and grants broad "unfettered" access to them

Sources "familiar with Ring's practices" have told The Intercept that the company -- a division of Amazon that makes streaming cameras designed to be mounted inside and outside your home -- stores the video feeds from its customers' homes in unencrypted format and allows staff around the world to have essentially unfettered access to these videos.

Livetweeting a toothbrush's firmware update

When your toothbrush is part of the Internet of Shit, sometimes you need to update its firmware, and when that happens, sometimes you have to decide whether your toothbrush will have access to your location. Thank you to Andrew Crow for livetweeting this glimpse of the future of Surveillance Dentistry. (Thanks, Radical Goats!)

Arizona realtor surprised to find Canadian "white hat" hacker talking to him through his smart doorbell

Arizona realtor Andy Gregg's Nest doorbell/camera started talking to him: the voice on the other end identified itself as a Canadian "white hat" security researcher who'd broken into his camera by using a password that Gregg had used on multiple services, including some that had been breached. The hacker warned him that he was vulnerable and told him to tighten up his security before a bad guy got into his doorbell.

A Trustmark for IoT: separating the Internet of Shit from the Internet of Things

Peter writes, "ThingsCon, our Berlin-based non-profit for a more responsible IoT, launches a trustmark for IoT - the Trustable Technology Mark. Cory gave some input to it a while back already, and finally it's launch day: We want to highlight the best work in IoT, the best/most respectful of users' rights, privacy and security. It's an entirely non-profit effort to elevate the debate in this odd space that's full of crap; I think you might like it."

Insurance companies gouge on CPAP machines and consumables, use wireless modems to spy on your usage

Sleep apnea is a fast-growing health complaint among Americans, and that has triggered a set of deceptive and unethical measures by US health insurers to shift the cost of using CPAP machines (the forced air machines that sleep apnea patients rely on to stay healthy) to the people who use them, with the effect that it's often much cheaper to pay cash for your machine and its consumables than it is to get them through insurance.

Consumer Reports finds that D-Link's home camera sends unencrypted video without unique passwords

As part of its ongoing commitment to evaluate information security and privacy when reviewing IoT devices (previously), Consumer Reports has published a scathing review of D-Link's home security camera.

Internet of Shit watch: Honeywell server outage means "smart" thermostats are inaccessible

For weeks, Honeywell Home customers have been complaining about outages with their Honeywell "Total Connect Comfort" apps, which allow them to remote control their smart thermostats; several days ago, customers started complaining that the app had stopped working altogether.

Internet of Things security camera sends customers' video feed to someone else

Shelan Faith has an internet-enabled home "security" system from Vivint Home Security; it includes cameras that spy on the interior and exterior of her home, as well as sensors that report on things like when her doors and garage are open or closed.

Schneier's "Click Here To Kill Everybody": pervasive connected devices mean we REALLY can't afford shitty internet policy

Bruce Schneier (previously) has spent literal decades as part of the vanguard of the movement to get policy makers to take internet security seriously: to actually try to make devices and services secure, and to resist the temptation to blow holes in their security in order to spy on "bad guys." In Click Here to Kill Everybody: Security and Survival in a Hyper-connected World, Schneier makes a desperate, impassioned plea for sensible action, painting a picture of a world balanced on the point of no return.

Vulnerabilities in smart electric plugs give attackers a staging point for scanning and attacking your whole network

If an attacker takes control of a device inside your network -- by exploiting a defect in it or a mistake you made in configuring it or by tricking you somehow -- then they can do all kinds of bad things, like scanning your local network for other vulnerable devices, attacking them and taking control over them.

All versions of OpenSSH share a critical vulnerability, including embedded code that will never be updated

Every version of the popular OpenSSH program -- a critical, widely used tool for secure communications -- shares a critical vulnerability that was present in the program's initial 1999 release.

Rolling robots 3D print a bridge, inching their way along the span as they lay it

The Smarter Bridge is a project led by Mix3d, which makes robotic 3D printers that can sinter stainless steel structures and inch their way along the surfaces as they are completed.

Insecure medical equipment protocols let attackers spoof diagnostic information

Douglas McKee of McAfee presented his research into the security of medical diagnostic equipment at last week's Defcon conference in Las Vegas.

What should go in an IoT safety-rating sticker?

Now that Consumer Reports is explicitly factoring privacy and security into its tech reviews, we're making some progress to calling out the terrible state of affairs that turned the strange dream of an Internet of Things into a nightmare we call the Internet of Shit.
