Why the Internet of Things is a security nightmare

[Batu69]

The good guys over at Context Information Security have cracked Motorola’s outdoor security camera just to point out how the Internet of Things is still a completely unsecure industry that needs serious work.

 

The camera that got cracked was the Motorola Focus 73, and not only did the researchers manage to get inside, but they also managed to obtain the home network’s Wi-Fi password, take full control of the camera’s movement and even redirect the video feed.

 

The exploit was fixed in the meantime, and the update to the firmware released without the end user having to do anything. So basically, if you have one of those cameras, there’s no need to panic, any more.

 

The process of cracking the camera was, according to the researchers, a piece of cake: "During set up, the private Wi-Fi security key is transmitted unencrypted over an open network, using only basic HTTP Authentication with username 'camera' and password '000000', while a number of legacy webpages on the camera revealed that the device is based on the same hardware as a legacy baby monitor product", the company said.

 

After some more investigation, the researchers managed to get root access to the camera. The root password was easy to crack as it was '123456' -- one of those passwords you should never set up. The home network’s Wi-Fi password was sitting there in plaintext, as well as factory wireless credentials for secure test networks.

 

What’s even more worrying, is that the credentials for the developers’ Gmail, Dropbox and FTP accounts were also there. For the icing on the cake, the researchers managed to install their own firmware and it wasn’t checked for validity.

 

Article source

[knowledge-Spammer]

smartguys

[DKT27]

This one's implementation is complete nonsense, but I still believe this IoT is a big problem, including a security and privacy one.

 

But then again, remote / mobile controlled lights is nice to have. It's probably a tech that may become common though.

[vibranium]

IoT will be a security nightmare alright.

 

Just look at those online medical monitoring devices. Some of them are devices needed to sustain life. I shudder at the thought of some drive-by hacking of a pacemaker.

[SURbit]

What Actually Is The Internet of Things (IoT)

 

IoT or Internet of Things is a modern-day buzzword that points to the technological advancement that we have had in recent years. Connectivity in all spheres of life through regular devices is what IoTs are trying to achieve. But do you know what IoT or Internet of Things is?

 

Coined by British entrepreneur Kevin Ashton in 1999, IoT or Internet of Things is one of the most interesting subjects which usually overwhelms the discussions on the advancement in the science and technology.

 

IoT is rapidly becoming a big part of human lives, but many are still ignorant of what Internet of Things or IoT actually is!

 

What Actually Is The Internet of Things (IOT)?

Now, as confusing as the name Internet of Things already is, we will keep it simple and avoid any jargons.

“The Internet of Things is a web of physical objects or “things”, that are connected to each other allowing them to collect and exchange information with the help of embedded electronics, sensors, software or AI. Here, the Internet or any other network infrastructure acts as the medium of data transfer.”

 

In the network of these connected objects, each device has a unique identity which work in harmony and it is reported that the IoT will expand to 50 billion devices by 2020 inching in all spheres of our life.

 

What is the current state of the Internet of Things?

Unlike the other game changer technologies such as Quantum computing, the Internet of Things is already affecting human lives. It has multitudes of uses which are being exploited by both security experts as well as the black hats.

 

IoT offers advanced connectivity and is heralding the revolution in the machine to machine communication. The “things” in the Internet of Things account for the devices ranging from connected automobiles and surveillance cameras to the heart monitoring implants.

 

Many tech giants and startups have entered the race of delivering the best and most secure connected devices to the consumers. The technology which was in the nascent stage a few years back has drastically picked up the pace and here we are listening to reports such as car hack and CCTV botnet attacks. These expose the loose security issues, but at least the direction is right.

 

What is the future of the Internet of Things?

In near future, majority of our electronic or quantum ( hopefully) devices will be connected to the Internet via unique IP address (IPv6, since IPv4 will soon be filled up) and thus could be controlled by the owner from any place at any time.

 

Developing countries such as India envisaging the flagship projects of Smart Cities will pin their hopes to smart infrastructure combined with the huge influx of IoT technology. As for individuals, wearable connected devices and smart homes would be a key to a smart and sustainable future.

 

The IoTs will also help the governments and big enterprises in monitoring, collecting, analyzing and then providing solutions for any situation in a short time.

 

However, while constant upgradation of the technology will mean more electronic waste, the environment issue and green development should be kept in mind as well. Overall, the Internet Of Things has the capacity to build a futuristic society.

 

Watch Dr. John Barrett explaining the Internet of Things in this video:

 

[CODYQX4]

TVs spying on you 1984 style, and good old hacking of email accounts, except using a fridge... what a time to be alive!

[SURbit]

Government may tap into your IoT gadgets and use your smart devices to spy on you

Feb 10, 2016

The U.S. spy chief admitted the government may use your “smart” internet-connected devices to spy on you.

 

A Harvard report no sooner debunked the FBI’s “Going Dark” argument than the U.S. intelligence chief admitted the government might use your “smart” internet-connected devices to spy on you.

U.S. Director of National Intelligence James Clapper testified (pdf):

 

“Smart” devices incorporated into the electric grid, vehicles—including autonomous vehicles—and household appliances are improving efficiency, energy conservation, and convenience. However, security industry analysts have demonstrated that many of these new systems can threaten data privacy, data integrity, or continuity of services. In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.

 

Clapper’s prepared testimony about spying via IoT were included in the “Worldwide Threat Assessment of the U.S. Intelligence Community” report (pdf) delivered to the Senate Armed Services Committee on February 9. The Internet of Things was the first topic mentioned under “cyber and technology,” followed by artificial intelligence, although the report notes that the order of topics doesn’t necessarily mean the intelligence community views the topic as the most important.

 

While this is not the first time an intelligence chief has admitted the potential of spying on people via their internet-connected devices—since CIA Director David Petraeus said the same thing four years ago—the Harvard report pointed out just how widely IoT surveillance could be used.

 

The report included specific examples of potential surveillance via baby monitors, smart TVs, IP cameras, home automation products such as smart thermostats and smoke detectors, smart toys such as Hello Barbie or Elf on a Shelf, the Amazon Echo, connected cars and smartphones. But there are so many more when you consider fitness trackers, refrigerators, crock-pots, motion detectors, even pregnancy tests—although a fitness tracker might do double-duty as a Reddit user reported that his wife's Fitbit knew she was pregnant before they did.

 

“Appliances and products ranging from televisions and toasters to bed sheets, light bulbs, cameras, toothbrushes, door locks, cars, watches and other wearables are being packed with sensors and wireless connectivity,” the Harvard report explained. “Law enforcement or intelligence agencies may start to seek orders compelling Samsung, Google, Mattel, Nest or vendors of other networked devices to push an update or flip a digital switch to intercept the ambient communications of a target.”

 

You’d think if companies adopting encryption by default in smartphones was really a threat to intelligence agencies that the “threat assessment” report would hammer the point home; yet Clapper mentioned encryption just four times in the 29-page report; once was in regard to attackers trying to change source code to break network equipment encryption. “Encrypting” was mentioned regarding ransomware developed by cybercriminals, a topic listed under “nonstate actors.” Violent extremists will “publicize their use of encrypted messaging apps” and terrorists will “take advantage of widely available, free encryption technology, mobile-messaging applications, the dark web, and virtual environments to pursue their objectives.”

 

However, when describing global threats, FBI Director James Comey did mention the FBI’s inability to crack encryption on a phone belonging to one of the San Bernardino shooters. Comey claimed, “I don’t want a backdoor…I would like people to comply with court orders, and that is the conversation I am trying to have.”

 

But who needs a back door when you can waltz right in the front door of a home with internet-connected smart devices or home automation? Not much time passes without hearing about some new security flaw in smart devices and how to exploit their protocols to take control of the device or steal information. Even the FBI has warned citizens about IoT risks and “to be aware of IoT vulnerabilities cybercriminals could exploit.” If hackers can exploit those devices, do you really think intelligence agencies can’t already do so?

 

The ENCRYPT Act

Meanwhile, Reuters reported that the bipartisan legislation “ENCRYPT Act” was introduced to the U.S. House of Representatives. The ENCRYPT Act would “prevent any state or locality from mandating that a ‘manufacturer, developer, seller, or provider’ design or alter the security of a product so it can be decrypted or surveilled by authorities.”

 

Now, if only manufacturers of internet-connected devices would deploy encryption. It might stop cybercriminals as well as government spies from using our IoT devices against us.

SOURCE