Internet of Thieves: All that shiny home security gear is crap, warns HP

In a recent study, every connected home security system tested by HP contained significant vulnerabilities, including but not limited to password security, encryption, and authentication issues. HP's Fortify on Demand security service assessed the top 10 home security devices – such as video cameras and motion detectors – …

  1. JamesTQuirk

    This is News ?????????????

    1. Voland's right hand Silver badge

      Indeed

      This is exactly why I roll my own. I used to use Via mITX systems. I nowadays use Raspberry Pi.

      Properly secured, communication with mothership only over VPN. All data movement, etc. written by me in my spare time so I know exactly what moves around and how. Anything that touches my locks, central heating, has sensors and cameras in my house is going in only if I can see all the source or even better - if it comes as hardware and I can write the software myself. Off-the-shelf cheap Chinese internet camera as a security device (or Nest for that matter) - no thanks, do not smoke that.

      I was not that paranoid until I had to work with Smart Metering and review SCADA security as part of the process ~ 4-5 years ago. After seeing how they write those supposedly "critical" systems...

      1. Anonymous Coward

        Re: Indeed

        Security by obscurity.

        Just because you wrote it doesn't mean it is bug-free.

        1. John Robson Silver badge

          Re: Indeed

          No - but not being accessible except via a VPN is a pretty good start.

          This is what I want - someone to make one of the control hubs that is just locally accessible, doesn't do cloudy stuff... Or at least that you have to actively enable cloudy stuff...

          Just sits at home and I can control stuff from inside the house. If it's Pi based under the hood then great, but I don't really care all that much - just have it self contained.

          I'll deal with communications from outside thank you...

      2. Anonymous Coward

        Re: Indeed

        "After seeing how they write those supposedly 'critical' systems..."

        And so by that assumption, everyone and his dog should learn to code just to use a home automation system?

        wow

  2. Destroy All Monsters Silver badge
    Holmes

    Hurr!!

    It's the next generation of "skilled developers" and "discerning managers" unburdened by knowledge or lessons learned (but possibly with a wad of ZIRP-y cash) throwing things at the market that they don't know how to develop, properly design nor test or even intend on supporting after the next 6 months.

    Just stay away from this till after the superbubble pops.

    Gartner forecasts...

    Chriswell predicts!

    1. dan1980

      Re: Hurr!!

      ". . . throwing things at the market that they don't know how to develop."

      While I appreciate the adage about suspecting incompetence over deliberate poor practices, I would suggest that some of these people and companies know perfectly well how to do things 'right' but in an industry racing towards commoditisation, they aren't going to sell many well-designed systems if they end up costing even a little more, unless of course they are Apple devices*.

      Unfortunately, much of this is off-the-shelf stuff using standard bits with included firmware and standard software stacks, and the manufacturers just don't see any value in changing things, hence devices shipping with a 3-year-old version of PHP and so forth.

      * - Not suggesting Apple devices are well-designed (nor that they are not!), just that they can consistently charge a premium for consumer electronics.

      1. Tom 13

        Re: some of these people and companies know perfectly well

        No they don't. If they did they wouldn't walk away, they'd run.

        Back in the pre-internet days I worked for a firm that wanted to make your house SMART. They developed a controller for it, wiring, and a number of devices that would let you program control of just about everything in your house. They even included specs for natural gas appliances in your house. Some of the ideas were completely daft, like using your phone to call your house to program your VCR to record a program (what's the point if you forgot to put a blank tape in the VCR?). One of the ideas the market droid threw out was integrating home security systems into the mix. The IT people had all kinds of ideas for ways to connect things up. Fortunately the boffin in charge of the IT development also had an eye on the legal side. All of the proposed solutions opened the company up to entirely too much liability. So the security systems were never integrated into the system. Given they needed to know who you were, what your phone number was, and where your house was, it was a hell of a lot easier to secure that than it is with world + dog knocking on your IoT security system.

    2. Voland's right hand Silver badge

      Re: Hurr!!

      It is not "next generation". It is today's generation of embedded device developers tackling a new niche.

      99% of the embedded development - cars, security systems, CCTV, smart energy, etc. - has never heard of Postel's principle, has no clue of even the most basic Internet application security practices and will write insecure code by default. It comes with the territory.

      1. Triggerfish

        Re: Hurr!!

        I have to say I suspect it's a mix of both. People who don't get security, mixed with people who get the value of selling data.

        I start to wonder if the white goods are not being sold on a console type model (cheap consoles loss leaders, make money on the games). Except the cheap console is your smart device and the revenue is really generated by selling your information.

  3. Kev99 Silver badge

    And people think having their refrigerators, stoves, and toilets connected to the internet of things is a good idea. What a bunch of maroons! Read the news, people. If it's connected to the internet it can and WILL be vulnerable to anyone with a computer. Just ask Anthem, Wells Fargo, Bank of America, etc.

    1. Jan 0 Silver badge

      Marooons?

      Launch the IPv6 Lifeboats now!

      1. Mark 85

        Re: Marooons?

        Think Bugs Bunny on "what a bunch of maroons"....

        1. Anonymous Coward

          Re: Marooons?

          No, the quote is: "What an ultramaroon. What an imbecile. What a nincompoop".

          We should probably add here: What a [SCADA | CAR | ALARM | CCTV | SMART ENERGY] developer. Pick one or all - they are all the same. Just look at the code and weep.

    2. Slartybardfast

      Maroons

      This sort of thing makes me see red.

      1. VinceH
        Coat

        Re: Maroons

        "This sort of thing makes me see red."

        Nyah... *chompchompchomp* What's up Doc Slartybardfast?

      2. chivo243 Silver badge

        Re: Maroons

        And then spots in front of your eyes, and just blackness. Must be rabbit fever.

    3. VinceH

      "And people think having their refrigerators, stoves, and toilets connected to internet of things is a good idea."

      Internet of Unwanted Things[1] - iOUT!

      [1] By me, and perhaps thee and anyone who realises the potential security implications. Sadly, the average consumer, OTOH, is more likely to think "Ooh, shiny!"

  4. tekHedd

    Low tech FTW

    The best security is always "a computer that is not accessible at all in any way". The only way to program my Ademco is by punching codes into the panel, which means to hack it you have to have already broken in to the house. :)

    1. elDog

      Re: Low tech FTW

      And the only way to program my loo is via a single signal - lever up / lever down.

      However, there are times when I need to call in the sh-IT specialists to deal with some application dump.

  5. Anonymous Coward

    Kettle meet HP

    HP really should audit their own products first. So many default backdoor accounts on everything, it truly is amazing that anybody uses their consumer and enterprise systems.

    1. luis river

      Great HP

      HP is the world's number-one maker for the enterprise (servers). There must be a reason for that! Backdoors in HP? This is a lie from the disloyal competition.

  6. Anonymous Coward

    I was noticing that problem when I was hooking up my system, so I decided to block its ports from the firewall and use VPN connections instead.

  7. Steve Davies 3 Silver badge
    FAIL

    HP is taking the Sauce!

    HP are simply saying that 'Our snake oil is better than other brands of snake oil'.

    The only HP I have in my home is a brown bottle of stuff for using on Bacon Sarnies.

  8. Anthony Hegedus Silver badge

    I often end up having to set up remote access to home security systems so that the owner can ogle his security cameras from afar and I'm shocked by the total lack of security on these systems. There's usually a separate user and admin account, but all too often only the admin account is set up. Then the actual security is usually just a 4-digit pin. And amazingly, it's usually set to "0000" or "1234".

    The security companies who put this kit in are not IT security consultants. They understand about fitting cameras to walls, best places to put IR sensors and certainly talk the security talk. But they get lost with IT - completely lost! That's why they often call us to set up the remote access bit.

    I've even seen some instances where they completely open up all the remote management ports on a home router that's still got its factory default password set.
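The three things that comment describes (only the admin account set up, a four-digit PIN left at 0000 or 1234, and the router's management ports opened to the WAN with the factory password still in place) are easy to check mechanically before an installer hands the kit over. The script below is an added example, not part of the original thread and not any vendor's software: the device record layout is a made-up dict, the shortlist of common PINs is constructed for illustration, and the guess rate and lockout figures used to estimate brute-force time are assumptions.

```python
"""Audit a home-camera / DVR setup for the weaknesses an installer leaves behind.

Added example. The device record is an assumed layout (not a vendor API), the
common-PIN list is a constructed shortlist, and the guess-rate and lockout
numbers passed to worst_case_guess_seconds() are illustrative assumptions.
"""
import math

# Constructed shortlist of PINs people actually choose (assumption, not a dataset).
COMMON_PINS = {"0000", "1234", "1111", "1212", "2580", "4321", "6969", "7777", "8888", "9999"}
MIN_PIN_DIGITS = 6  # assumed policy: anything shorter is trivially guessable


def pin_weaknesses(pin: str) -> list[str]:
    """Return the reasons a numeric PIN is weak; an empty list means none were found."""
    if not pin.isdigit():
        raise ValueError("PIN must be all digits")
    reasons = []
    if len(pin) < MIN_PIN_DIGITS:
        reasons.append(f"only {len(pin)} digits ({10 ** len(pin):,} possibilities)")
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN list")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    # A step of +1 or -1 (mod 10) between every digit pair: 1234, 4321, 8901 ...
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        reasons.append("sequential digits")
    if len(pin) == 4 and 1900 <= int(pin) <= 2030:
        reasons.append("looks like a year")
    return reasons


def worst_case_guess_seconds(pin_len: int, attempts_per_second: float,
                             lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Seconds to exhaust a numeric PIN space, with an optional lockout policy.

    Without a lockout the device accepts guesses at attempts_per_second. With a
    policy of "lock for lockout_seconds after lockout_after failures", every
    block of lockout_after guesses except the last costs an extra wait.
    """
    keyspace = 10 ** pin_len
    seconds = keyspace / attempts_per_second
    if lockout_after:
        blocks = math.ceil(keyspace / lockout_after)
        seconds += (blocks - 1) * lockout_seconds
    return seconds


def audit_device(device: dict) -> list[str]:
    """Run the three checks from the comment above over one device record."""
    findings = []
    enabled = [a for a in device["accounts"] if a["enabled"]]
    if enabled and all(a["role"] == "admin" for a in enabled):
        findings.append("only admin account(s) in use; day-to-day viewing should use a view-only user")
    for acct in enabled:
        for reason in pin_weaknesses(acct["pin"]):
            findings.append(f"account {acct['name']!r}: {reason}")
    router = device["router"]
    if router["wan_management_ports"]:
        ports = ", ".join(str(p) for p in sorted(router["wan_management_ports"]))
        note = f"router management reachable from the WAN on port(s) {ports}"
        if router["default_password"]:
            note += " and the router still has its factory default password"
        findings.append(note)
    return findings


# Constructed sample records: one as typically left by the installer, one after hardening.
AS_INSTALLED = {
    "name": "driveway NVR, as left by the installer",
    "accounts": [
        {"name": "admin", "role": "admin", "pin": "0000", "enabled": True},
        {"name": "user", "role": "viewer", "pin": "", "enabled": False},
    ],
    "router": {"wan_management_ports": [23, 80, 443], "default_password": True},
}
HARDENED = {
    "name": "driveway NVR, hardened",
    "accounts": [
        {"name": "admin", "role": "admin", "pin": "48213975", "enabled": True},
        {"name": "user", "role": "viewer", "pin": "731905", "enabled": True},
    ],
    "router": {"wan_management_ports": [], "default_password": False},
}

if __name__ == "__main__":
    for dev in (AS_INSTALLED, HARDENED):
        print(dev["name"])
        for finding in audit_device(dev) or ["no findings"]:
            print("  -", finding)
    # 4-digit PIN at an assumed 10 guesses/s: no lockout vs. 5 failures then a 5-minute lockout
    print(worst_case_guess_seconds(4, 10), worst_case_guess_seconds(4, 10, 5, 300))
```

Run it with `python3` and the "as installed" record produces five findings (admin-only, three reasons why 0000 is weak, and the exposed router), while the hardened record produces none. The two brute-force figures at the end show why the lockout policy matters as much as the PIN length: under the assumed 10 guesses per second a four-digit space falls in 1,000 seconds with no lockout, but takes roughly a week once the device locks for five minutes after every five failures.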

    1. Tom 13

      Re: security companies who put this kit in

      You've only seen their installed kit. I used to do IT support work for the offices from which they dispatch their contractors to install those security systems. If I had a son or a daughter, I would not let them work in such a place. Those places were downright scary. When I got back from one of them I told my boss "I'd rather you sent me to southeast DC to yell N****er at the top of my lungs than go back to that place." And that's something every white boy knows to never, ever do.

    2. JamesTQuirk

      Want a real scare? Run Wireshark capturing on a laptop, take it for a drive in your neighbourhood, come home & look at the networks waiting to be used by some nasty....

  9. Anonymous Coward

    Simple decision process

    I will not allow anything into my house where I don't have a reasonable amount of ability to screen the operating outfit behind it. A classic example of 'duh' is one of those smart lock suppliers. It's a US outfit, so I asked them if it was really as independent as they said (for entertainment only, I won't use a US sourced digital lock near my EU home).

    This is their answer: "XXXX can be operated offline via Bluetooth Low Energy, however, it does indirectly connect to the XXXX web service."

    Yeah, right.
