Internet of Thieves: All that shiny home security gear is crap, warns HP
In a recent study, every connected home security system tested by HP contained significant vulnerabilities, including but not limited to password security, encryption, and authentication issues. HP's Fortify on Demand security service assessed the top 10 home security devices – such as video cameras and motion detectors – …
COMMENTS
-
-
Wednesday 11th February 2015 07:00 GMT Voland's right hand
Indeed
This is exactly why I roll my own. I used to use Via mITX systems. I nowadays use Raspberry Pi.
Properly secured, communication with mothership only over VPN. All data movement, etc written by me in my spare time so I know exactly what and how moves around. Anything that touches my locks, central heating, has sensors and cameras in my house is going in only if I can see all the source or even better - if it comes as hardware and I can write the software myself. Off-the-shelf cheap Chinese internet camera as a security device (or Nest for that matter) - no thanks, do not smoke that.
I was not that paranoid until I had to work with Smart Metering and review SCADA security as part of the process ~ 4-5 years ago. After seeing how they write those supposedly "critical" systems...
-
-
Wednesday 11th February 2015 10:12 GMT John Robson
Re: Indeed
No - but not being accessible except via a VPN is a pretty good start.
This is what I want - someone to make one of the control hubs that is just locally accessible, doesn't do cloudy stuff... Or at least that you have to actively enable cloudy stuff...
Just sits at home and I can control stuff from inside the house. If it's Pi based under the hood then great, but I don't really care all that much - just have it self contained.
I'll deal with communications from outside thank you...
-
-
-
-
Tuesday 10th February 2015 23:02 GMT Destroy All Monsters
Hurr!!
It's the next generation of "skilled developers" and "discerning managers" unburdened by knowledge or lessons learned (but possibly with a wad of ZIRP-y cash) throwing things at the market that they don't know how to develop, properly design nor test or even intend on supporting after the next 6 months.
Just stay away from this till after the superbubble pop.
Gartner forecasts...
Chriswell predicts!
-
Wednesday 11th February 2015 05:37 GMT dan1980
Re: Hurr!!
". . . throwing things at the market that they don't know how to develop."
While I appreciate the adage about suspecting incompetence over deliberate poor practices, I would suggest that some of these people and companies know perfectly well how to do things 'right' but in an industry racing towards commoditisation, they aren't going to sell many well-designed systems if they end up costing even a little more, unless of course they are Apple devices*.
Unfortunately, much of this is off-the-shelf stuff using standard bits with included firmware and standard software-stacks and the manufacturers just don't see any value in changing things, hence devices shipping with 3-year-old versions of PHP and so forth.
* - Not suggesting Apple devices are well-designed (nor that they are not!), just that they can consistently charge a premium for consumer electronics.
-
Wednesday 11th February 2015 17:34 GMT Tom 13
Re: some of these people and companies know perfectly well
No they don't. If they did they wouldn't walk away, they'd run.
Back in the pre-internet days I worked for a firm that wanted to make your house SMART. They developed a controller for it, wiring, and a number of devices that would let you program control of just about everything in your house. They even included specs for natural gas appliances in your house. Some of the ideas were completely daft, like using your phone to call your house to program your VCR to record a program (what's the point if you forgot to put a blank tape in the VCR?). One of the ideas the market droid threw out was integrating home security systems into the mix. The IT people had all kinds of ideas for ways to connect things up. Fortunately the boffin in charge of the IT development also had an eye on the legal. All of the proposed solutions opened the company up to entirely too much liability. So the security systems were never integrated into the system. Given they needed to know who you were, what your phone number was, and where your house was it was a hell of a lot easier to secure that than it is with world + dog knocking on your IoT security system.
-
-
Wednesday 11th February 2015 07:26 GMT Voland's right hand
Re: Hurr!!
It is not "next generation". It is today's generation of embedded device developers tackling a new niche.
99% of the embedded development - cars, security systems, cctv, smart energy, etc has never heard of Postel's principle, has no clue of even the most basic Internet application security practices and will write insecure code by default. It comes with the territory.
-
Wednesday 11th February 2015 11:04 GMT Triggerfish
Re: Hurr!!
I have to say I suspect it's a mix of both. People who don't get security, mixed by people who get the value of selling data.
I start to wonder if the white goods are not being sold on a console type model (cheap consoles loss leaders, make money on the games). Except the cheap console is your smart device and the revenue is really generated by selling your information.
-
-
-
Tuesday 10th February 2015 23:06 GMT Kev99
And people think having their refrigerators, stoves, and toilets connected to internet of things is a good idea. What a bunch of maroons! Read the news, people. If it's connected to the internet it can and WILL be vulnerable to anyone with a computer. Just ask Anthem, Wells Fargo, Bank of America, etc.
-
Wednesday 11th February 2015 10:50 GMT VinceH
"And people think having their refrigerators, stoves, and toilets connected to internet of things is a good idea."
Internet of Unwanted Things[1] - iOUT!
1. By me, and perhaps thee and anyone who realises the potential security implications. Sadly, the average consumer, OTOH, is more likely to think "Ooh, shiny!"
-
Wednesday 11th February 2015 07:57 GMT Anthony Hegedus
I often end up having to set up remote access to home security systems so that the owner can ogle his security cameras from afar and I'm shocked by the total lack of security on these systems. There's usually a separate user and admin account, but all too often only the admin account is set up. Then the actual security is usually just a 4-digit pin. And amazingly, it's usually set to "0000" or "1234".
The security companies who put this kit in are not IT security consultants. They understand about fitting cameras to walls, best places to put IR sensors and certainly talk the security talk. But they get lost with IT - completely lost! That's why they often call us to set up the remote access bit.
I've even seen some instances where they completely open up all the remote management ports on a home router that's still got its factory default password set.
-
Wednesday 11th February 2015 17:42 GMT Tom 13
Re: security companies who put this kit in
You've only seen their installed kit. I used to do IT support work for the offices from which they dispatch their contractors to install those security systems. If I had a son or a daughter, I would not let them work in such a place. Those places were downright scary. When I got back from one of them I told my boss "I'd rather you sent me to southeast DC to yell N****er at the top of my lungs than go back to that place." And that's something every white boy knows to never, ever do.
-
-
Wednesday 11th February 2015 09:34 GMT Anonymous Coward
Simple decision process
I will not allow anything into my house where I don't have a reasonable amount of ability to screen the operating outfit behind it. A classic example of 'duh' is one of those smart lock suppliers. It's a US outfit, so I asked them if it was really as independent as they said (for entertainment only, I won't use a US sourced digital lock near my EU home).
This is their answer: "XXXX can be operated offline via Bluetooth Low Energy, however, it does indirectly connect to the XXXX web service."
Yeah, right.