IoT baby monitor style hacks still a threat

Lessons have not been learned from an incident where a Russian website provided links to access baby monitor cameras, according to the UK’s data protection watchdog. The website allowed people to watch footage from insecure cameras around the world, prompting a warning from the Information Commissioner’s Office (ICO) back in …

  1. Mark 85

    Still?

    I think this is always going to be a threat, and not just baby monitors. IoT is holier* than Swiss cheese... Pity that some agency like this can't take action against the suppliers/manufacturers.

    *holier = holes, not religious.

    1. allthecoolshortnamesweretaken

      Re: Still?

      Holey insecure IoT thingies, Batman!

    2. Doctor Syntax

      Re: Still?

      "Pity that some agency like this can't take action against the suppliers/manufacturers."

      Some agency could if they wanted to. Underwriters' Laboratories could include it in their testing.

      Maybe some other Agency doesn't want them to.

  2. DavCrav

    "But even two years on people manufacturers are still not ensuring the security of their connected devices."

    FTFY

  3. Dwarf

    Orwellian .....

    This is why people who know, prefer to keep important things within their LAN where the risk is lower.

    As they say, if it's open to the Internet, then anyone can access it - and generally will. Who's watching or controlling your stuff?

    With IoT, the lack of any standards or minimum functionality levels for good practice, and every "hip" web framework only discussing anything to do with security around Volume 2, Chapter 25 of the manual, it's hardly surprising that things are being abused; it's just that the target audience of devices is growing rather than shrinking. Clearly this is a trend that needs to be reversed.

    Secondly, gadgets should have a reasonable shelf life - do we want to have to replace our entire set of possessions every 3 years just because standards have moved on? I have socks older than this, why should the IT widgets be any different!

    So, perhaps what we need is a minimum standard for things sold to users. Taking metals as a common scale, something along the lines of:

    Lead - It kinda works - sometimes - and it might have some security in it somewhere, and the developer may be here tomorrow, but generally you are on your own. Limit device to LAN-only connections.

    Aluminium - It sort of works today, and the developer read and implemented some bits about securing the device, so it's using only recognised secure protocols to communicate and has a password for access, which is at a minimum derived from the serial number or similar, and the serial number is not visible without authenticating to the device first.

    Bronze - Everything is fully secure with secure protocols and authentication. There must be 3 years' worth of guaranteed updates from the vendor, and these must be FOC to everyone without question.

    Silver - Same as Bronze, plus proper penetration testing of the infrastructure and application at every major release, the reports to be published and corrective actions acted on. There must be 5 years' worth of guaranteed updates from the vendor, and these must be FOC to everyone without question.

    Gold - Same as Silver, except security includes multi-factor authentication. Proper penetration testing of the infrastructure and application on an annual basis (with reports published). 7 years minimum worth of guaranteed updates from the vendor, and code in escrow just in case they go bust. Updates available FOC to everyone without question.

    Platinum - Same as Gold, but 10+ year expected product life span.

  4. Haku

    I was recently introduced to The World's Most Dangerous Search Engine

    Most search engines crawl the web, this one crawls for open ports:

    http://shodan.io/

    Some background reading: https://www.mikecarthy.com/offensive-security/shodan-worlds-dangerous-search-engine & http://www.zdnet.com/article/shodan-the-iot-search-engine-which-shows-us-sleeping-kids-and-how-we-throw-away-our-privacy/

    1. Baldy50

      Re: I was recently introduced to The World's Most Dangerous Search Engine

      LOL, not in any way, shape or form, but ta for the info.

      Loved the pop-up screen asking for my email address, and the get-out had 'No, I'd rather vote for Donald Trump' under it to get rid of the page.

      netstat -a

    2. Pascal Monett

      Well that was interesting. I got a bit scared reading about this Shodan portal. I went off to find it, read the Ts & Cs, went about checking it out. As a search portal, it does not seem dangerous (meaning it doesn't look like a blackhat is on the other side, waiting to infect me with malware).

      So I signed in, authenticated my account, and went about discovering how to use it. At first I was a bit unprepared - I'm not used to searching for IoT stuff, I usually Google normal stuff. I used the Explore button and got page upon page of TCP IP addresses. Clicked on one, got a login page. Didn't want to go there.

      Then I got an idea: I would search my own IP address. If I discover a problem, all I have to do is shut down my router for a minute and I'll get a new IP, so not much risk there. I dared it, wondering if the security cameras installed by the firm I subscribe to would show up.

      Relief, they do not. On top of that, when the result page displayed it showed a city location that has nothing to do with where I live, but is most likely the local ISP hub for my connection. So not only can no one find me like that, but it would appear that my ISP is on the ball concerning security, because there was nothing else on the page besides the TCP address and the city name.

      I actually feel a bit safer now.

      1. Anonymous Coward
        Childcatcher

        @Pascal - yes, you should feel reasonably safe anyway, unless you are a tinfoil hat wearer. As you say, your IP, being dynamic, will change periodically, but turning your router off for a minute is unlikely to change it. I would, however, take a closer look at those cameras.

        Sadly, to do a proper job of IT security needs multiple VLANs, a policy (that the significant other will drive a coach and horses through), a deep knowledge of networking, a decent firewall, a series of internal sensors, an Elasticsearch cluster for the raw data, a correlation system, an analysis system, an alerting system, quite a decent budget.

        However, for you, sir, I genuinely suggest that you keep up with software updates and AV, and make sure that no one you care about clicks on a link in an email unless you have vetted it first. And make long-term backups - enough to recover from a nasty unscheduled encryption session. Do that and you are safe (for a given, but pretty decent, value of safe).

        Don't disconnect the missus from Facebook by rebooting the router - s/he won't be impressed and you don't gain any extra security.

  5. Anonymous Coward

    If they actually gave a shit about this they would force router manufacturers to turn off UPnP by default, but then if they did, the internet of shit would be dead in the water.

    1. Anonymous Coward

      Unfortunately, the instructions for installing the Internet of Shit device would almost certainly include detailed explanations of how to turn it back on. This would naturally be the one thing everyone would get right. The first time!

      Cynical, yes, but the universe really is out to get us every second.

      1. Anonymous Coward
        Childcatcher

        "Unfortunately, the instructions for installing the Internet of Shit device would almost certainly include detailed explanations on how to turn it back on."

        It's worse than that: many of them exhort you to turn off firewalls, AV etc. to get their shonky "finder" to work. DO NOT DO THAT. Invariably they will DHCP, or they will have an easily Googlable default IP address.
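The UPnP point raised in the thread above is checkable from inside the LAN: a router running the IGD WANIPConnection:1 service will hand back its whole port-mapping table one row at a time through the GetGenericPortMappingEntry SOAP action, and faults with UPnP error 713 once the index runs past the last row. The script below is an added example, not code from the thread or from any vendor: it builds those requests, parses the replies, walks the table until the fault, and flags rows that forward cleartext services (telnet, FTP, HTTP, RTSP) or that have a permanent lease (NewLeaseDuration of 0). The control path `/ctl/IPConn`, the host `192.168.1.1:49152`, the internal addresses and the two mapping rows are constructed for the demo; on a real router the control URL comes from the device description you fetch after SSDP discovery, and `send` would be a plain HTTP POST to that URL.

```python
# Added example (not from the thread): read back the port-mapping table a UPnP IGD
# router exposes via WANIPConnection:1 and flag what it has opened to the Internet.
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http", 554: "rtsp"}  # no transport security


@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    lease_seconds: int  # 0 = permanent lease in IGD


def build_get_mapping_request(control_path: str, host: str, index: int) -> bytes:
    # SOAP action GetGenericPortMappingEntry returns one table row per call
    body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{IGD_SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    head = (f"POST {control_path} HTTP/1.1\r\nHOST: {host}\r\n"
            f'CONTENT-TYPE: text/xml; charset="utf-8"\r\nCONTENT-LENGTH: {len(body)}\r\n'
            f'SOAPACTION: "{IGD_SERVICE}#GetGenericPortMappingEntry"\r\n\r\n')
    return (head + body).encode()


def parse_mapping_response(xml_text: str) -> PortMapping | None:
    # A SOAP fault (UPnP error 713 SpecifiedArrayIndexInvalid) means we are past the last row
    root = ET.fromstring(xml_text)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None

    def field(tag: str) -> str:  # response arguments are unnamespaced child elements
        el = root.find(f".//{tag}")
        return (el.text or "").strip() if el is not None else ""

    return PortMapping(int(field("NewExternalPort")), field("NewProtocol"),
                       field("NewInternalClient"), int(field("NewInternalPort")),
                       field("NewPortMappingDescription"), int(field("NewLeaseDuration") or 0))


def walk_port_mappings(send, control_path: str, host: str, limit: int = 256) -> list[PortMapping]:
    # `send(request_bytes)` posts to the router's control URL and returns the response body
    mappings: list[PortMapping] = []
    for index in range(limit):
        entry = parse_mapping_response(send(build_get_mapping_request(control_path, host, index)))
        if entry is None:
            break
        mappings.append(entry)
    return mappings


def assess(mappings: list[PortMapping]) -> list[str]:
    # Every row is Internet exposure; cleartext services and permanent leases are worse
    findings = []
    for m in mappings:
        where = (f"{m.internal_client}:{m.internal_port} via {m.protocol}/{m.external_port}"
                 f" ({m.description or 'no description'})")
        if m.internal_port in CLEARTEXT:
            findings.append(f"HIGH: cleartext {CLEARTEXT[m.internal_port]} exposed: {where}")
        else:
            findings.append(f"INFO: exposed: {where}")
        if m.lease_seconds == 0:
            findings.append(f"NOTE: permanent lease, outlives the device that asked for it: {where}")
    return findings


# Constructed router replies for the demo (not captured from a real device)
def _row(ext, proto, iport, client, desc, lease) -> str:
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_SERVICE}">'
            f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'<NewLeaseDuration>{lease}</NewLeaseDuration>'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


SOAP_FAULT = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
              '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
              '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713'
              '</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>'
              '</UPnPError></detail></s:Fault></s:Body></s:Envelope>')

SAMPLE_RESPONSES = [
    _row(554, "TCP", 554, "192.168.1.50", "IPCam", 0),      # camera stream, never expires
    _row(8000, "TCP", 8000, "192.168.1.20", "media", 3600),  # renewed hourly by its app
    SOAP_FAULT,                                              # end of table
]


def demo():
    # Walk the constructed table through a fake transport instead of a live router
    replies = iter(SAMPLE_RESPONSES)

    def fake_send(request: bytes) -> str:
        assert request.startswith(b"POST /ctl/IPConn HTTP/1.1\r\n")  # framing sanity check
        return next(replies)

    mappings = walk_port_mappings(fake_send, "/ctl/IPConn", "192.168.1.1:49152")
    return mappings, assess(mappings)
```

Running `demo()` against the constructed table yields three findings: the camera's RTSP forward is rated HIGH and also gets a NOTE for its permanent lease, the hourly-renewed media port is INFO. Against a real router, swap `fake_send` for an HTTP POST to the control URL; an empty table shows up as a fault at index 0, and a table that never faults before `limit` means the router is misbehaving and the result should not be trusted.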

  6. no-one in particular

    > Internet of Things (IoT) products such as ... photo or document storage devices

    So some kind of file server (that I just happen to be using for photos and docs) is now part of "IoT"?
