Lazy IoT, router makers reuse skeleton keys over and over in thousands of devices – new study

It's what we all assumed, but quietly hoped wasn't quite this bad. Lazy makers of home routers and the Internet of Things are reusing the same small set of hardcoded security keys, leaving them open to hijacking en masse, researchers have warned. In other words, if you can log into one gizmo remotely, you can probably log …

  1. channel extended

    IoSecure

    Of course I'm secure. I have a cert and everything!

    BTW if you publish our name I'll sue.

  2. Anonymous Coward

    Hidden in plain sight

    Did this escape notice so long only because no one thought the industry could actually be this thick?

  3. Anonymous Coward

    Quietly hoping it will be this bad. Or worse.

    I'm going to enjoy the steady trickle of schadenfreude, as the IoT early adopters' mangled corpses mount up.

    Followed by a massive payout of schadenfreude, when the consumer masses eventually turn against IoT, and the media are finally forced to write a post-mortem on the big ball of fail.

    1. Boris the Cockroach Silver badge
      Big Brother

      Re: Quietly hoping it will be this bad. Or worse.

      You'll be lucky; so long as the customer has a flashy gizmo that works, they won't care.

      The guys who baked the certs have long since been dismissed, after all, who needs engies after the product is finished, and the CEOs etc. have also moved on to other companies... taking their dodgy practices (does it work OK? yes? ship it then) with them.

      One silver lining though.. at least the NSA/GCHQ only have to decrypt a few 100 certs to be able to listen to most of the internet ...

      1. VinceH

        Re: Quietly hoping it will be this bad. Or worse.

        "You'll be lucky; so long as the customer has a flashy gizmo that works, they won't care."

        ^This.

        I cite my brother as an example, with his central heating system. When he boasted about it, and I (I was the only one who did) expressed doubts and questioned how secure it was, his reaction was more or less "I don't care - who'd want to hack my central heating?"

        1. wyatt

          Re: Quietly hoping it will be this bad. Or worse.

          People don't realise that an entry point can go on to compromise other devices. Unfortunately there isn't a way to educate these people, convenience will always overrule security.

  4. This post has been deleted by its author

  5. Steve Davies 3 Silver badge
    Mushroom

    IoT???

    Idiots or Twats?

    I can't decide which.

    Obviously everything is built down to a target price, made to work and shipped. Fuck security because it is Far TOOoooooo hard.

    This is just one of the reasons why no IoT kit will be used in my home anywhere near a connection to the Internet. Isolated yes (well maybe). Connected, No, no and thrice no.

    Where's the Disaster waiting to happen icon when you need it eh?

  6. Anonymous Coward

    and not one el reg commentard was surprised that day.

    As I have previously said there is no way an IoT device is connecting to my network unless I potentially built it myself, it does not have internet access and I control the server/control unit.

  7. Anonymous Coward

    Fusable Link

    What we need is the IT equivalent of a fuse, so the link to the internet opens under certain conditions. It's only after a major IT meltdown that makes the Fukushima disaster look small that security will become the primary goal. I just can't see any way around this particular singularity.

  8. Anonymous Coward

    If you have any devices with vendor firmware exposed to the internet

    You deserve what you get. Replace the vendor firmware on wireless routers with DD-WRT or OpenWRT, and lose those built in backdoors. If you have a DSL or cable modem that can only run vendor firmware, disable all the remote login options from the internet side AND firewall off those ports (and do a port scan from the outside to verify they really are turned off)

    That's not 100% protection, because maybe they have a certain range of IPs that they will allow connections from regardless of settings, or use some sort of port knocking setup to override settings and enable remote logins, but hopefully when that information leaks out it won't be in the bad guys' hands for long before the good guys find out, you read a Reg article, and say "shit, now I gotta replace my DSL modem".

    For IoT type devices it is simple - you don't allow access to them directly from the outside. Do you really need to visit your thermostat's web page from work or whatever the hell the IdioT proponents think that crap is good for? If so, then you deserve to come home and find your house is 90* and the only way to stop the furnace is to pull the thermostat off the wall!

  9. VinceH
    Facepalm

    Obvious icon is obvious.

    But we perhaps also need an icon to express another sentiment: a "Why am I not surprised?" icon.

  10. g e

    Avoid Zyxel then

    Would seem to be a start, they seem to be prolifically lazy

    1. theOtherJT Silver badge

      Re: Avoid Zyxel then

      True, but read the rest of the names in the list - https://www.kb.cert.org/vuls/id/566724

      Cisco's in there. So's Huawei. There's some big names in trouble here.

  11. Paul Woodhouse

    hmm, are these keys actually used for authentication on the device or are they used to encrypt traffic to/from the device?

    OK, both are a massive fail, but one will mean that any script kiddie can search for vulnerable devices and log into them, and the other will mean that someone will have to perform a MiM attack and wait for someone else to log in before he can get the means to.
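
Whichever way the baked-in keys are used, the first thing a researcher (or a sceptical buyer) does is check whether several devices present the same public key. The following Go program is an added example, not the study's tooling or any commenter's code: it mints a constructed "fleet" in-process, where three hypothetical hosts (`router-a.example`, `camera-b.example`, `dvr-c.example`) share one baked-in key pair under certificates with different serials and subject names, while a fourth has its own key. It then groups hosts by the SHA-256 of the SubjectPublicKeyInfo rather than of the whole certificate, because re-issued certificates that wrap the same key look different byte-for-byte but are the same skeleton key. The common name "Sample Server Cert" is a placeholder, not the MatrixSSL certificate quoted elsewhere on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Device is a constructed record: a host and the DER certificate it presented.
type Device struct {
	Host    string
	CertDER []byte
}

// spkiFingerprint hashes only the SubjectPublicKeyInfo, so two certificates
// with different serials or subjects that wrap the same key collide.
func spkiFingerprint(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

// GroupByKey returns, for every public key seen on more than one host, the
// sorted hosts presenting it. One leaked private key covers all of them.
func GroupByKey(devices []Device) (map[string][]string, error) {
	byKey := map[string][]string{}
	for _, d := range devices {
		fp, err := spkiFingerprint(d.CertDER)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", d.Host, err)
		}
		byKey[fp] = append(byKey[fp], d.Host)
	}
	shared := map[string][]string{}
	for fp, hosts := range byKey {
		if len(hosts) > 1 {
			sort.Strings(hosts)
			shared[fp] = hosts
		}
	}
	return shared, nil
}

// selfSigned mints a self-signed certificate the way a firmware build script
// might bake one in; only the key material matters for the check above.
func selfSigned(key *ecdsa.PrivateKey, cn string, serial int64) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// SampleFleet builds the constructed fleet (hypothetical hosts): three devices
// share one baked-in key, even under differing certificates; one is unique.
func SampleFleet() ([]Device, error) {
	bakedIn, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	perUnit, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	specs := []struct {
		host, cn string
		key      *ecdsa.PrivateKey
		serial   int64
	}{
		{"router-a.example", "Sample Server Cert", bakedIn, 1},
		{"camera-b.example", "camera-b", bakedIn, 2}, // same key, new CN and serial
		{"dvr-c.example", "Sample Server Cert", bakedIn, 3},
		{"nas-d.example", "nas-d", perUnit, 4},
	}
	var fleet []Device
	for _, s := range specs {
		der, err := selfSigned(s.key, s.cn, s.serial)
		if err != nil {
			return nil, err
		}
		fleet = append(fleet, Device{Host: s.host, CertDER: der})
	}
	return fleet, nil
}

func main() {
	fleet, err := SampleFleet()
	if err != nil {
		panic(err)
	}
	shared, err := GroupByKey(fleet)
	if err != nil {
		panic(err)
	}
	for fp, hosts := range shared {
		fmt.Printf("key %s... shared by %d hosts: %v\n", fp[:16], len(hosts), hosts)
	}
}
```

Against real devices you would replace `SampleFleet` with certificates captured from each host's HTTPS port (for example via `tls.Dial` and `ConnectionState().PeerCertificates[0].Raw`), and a group of size N is N devices whose TLS identity falls the moment one of them gives up its firmware.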

  12. Anonymous Coward

    "This code is provided for example purposes only and should not be used in a production environment"

    - possibly the most futile comment in the last 40 years of software development.

  13. herman

    Hmm, but what can one do with those devices once logged in? Using them to send spam email is so 20th century. Can one install a distributed file system and make a cloud with free redundant storage?

    1. JassMan
      Trollface

      @herman

      "Can one install a distributed file system and make a cloud with free redundant storage": the answer is probably yes, but you would need more local storage to keep track of all the cloud stored bytes than keeping all your data locally. Especially since you would need massive redundancy to allow for devices being devices which someone may unplug. The only advantage is that you may be able to create your own virtually uncrackable crypto system, since the NSA would not know in which order you wrote or read individual bytes to which devices. The main drawback would be that you would not know if someone else had randomly selected the same devices for THEIR storage.

  14. David Roberts
    Holmes

    Which attacks are we looking at?

    Internet side of home routers? Old hat. Leaving this open for remote access has been a security risk for decades along with default passwords.

    WiFi or bluetooth access locally to IoT devices? This looks like a credible threat with default access credentials, but it does require the attacker to be close enough to interact with a low power wireless signal. War driving people's IoT installations may be fun - and easily automated - but there is limited scope for damage as far as I can see.

    Remote access over the Internet to home installations? How is this going to work? As far as I can see to have multiple IoT devices in the home you will need a NAT router to share your single IPv4 address and at least some entry level smarts to allow you to call into multiple devices to collect data. This is the software package where the risk lies as it sits between local devices and the Internet. If they are sending only then they have the same protection as any other home computing device on a LAN today. Only if they open an outgoing port in the router (to where?) which also accepts incoming calls from any IP address does there seem to be a route into an individual device. Sounds sadly quite possible, though.

    So I am prepared to believe all kinds of short cut stupidity in local management software, but the only obvious risk seems to be war driving. Until IPv6 of course. Which I understand is to be implemented at the same time as Linux becomes the global desktop replacement for Windows.[Which I also understand is always "this year".]

    TL;DR the only obvious threat to dumb IoT devices with default credentials seems to be within low power wireless range. All other threats seem to require intermediate aggregating software, which is the real area of risk. Unless you know otherwise?

    Oh, and pretty please a few upvotes to counter the downvotes for the Linux snark? Almost at my first thousand :-)

  15. Bronek Kozicki
    Flame

    it shows ...

    ... that hardware vendors simply cannot be trusted with software security.

  16. Alan Brown Silver badge

    "MatrixSSL Sample Server Cert"

    Perhaps example certs should be setup as "Lazy Bastard didn't set up security properly"

  17. Stevie

    Bah!

    All your everything are belong to lightbulb.
