This is bad
And it's going to get worse before it gets better.
Amid ongoing malware infections of IoT gadgets and armies of commandeered gizmos attacking server, glaring security holes in web-connected CCTV cameras are going unpatched. So say researchers with Cybereason, who claim a pair of high-profile vulnerabilities they spotted in surveillance cams two years ago have been completely …
... but to the ordinary user, it's just scaremongering. What he needs, (as I do) are lists of possibly affect-able kit, and tools to establish whether or not they have been compromised. If they cannot be fixed, I'm sure that most people with one of these will just junk it. After all, we're not talking about expensive kit. What we have here, is part of the mushroom culture. kept in the dark and fed bull...it.. If the likes of the people raising this issue can point the finger, why cannot we, the pointed at come to the same conclusion?
"If they cannot be fixed, I'm sure that most people with one of these will just junk it."
Why? Even if they see the warning, as long as it's still functioning, many people will just keep using it, completely unaware or uncaring of the DDoS or other nastyness running in the background.
Anything that connects to the network is an IoT device, and thus exploitable. Heck, even USB sticks can be exploited.
There seems to be a race on to produce the smallest bit of hardware with a network interface. Mind you, it doesn't take much to have an IP network running. And first the whole computer wasn't much larger than an RJ45 jack, and now you get a wireless computer the size of a dime. You want to try and avoid that? The things are everywhere.
Really, any kind of certificate, except "No electronics inside," is useless. As long as it can be reached through the network, and it can't update itself, it's basically screwed. Really, I wonder why OpenBSD isn't available in an embedded distro.
"Really, I wonder why OpenBSD isn't available in an embedded distro" -- Brian Miller
Isn''t this what tools like flash-rd do, generate OpenBSD images for embedded devices? Personally I don't understand why the IoT manufacturers don't start with something like OpenWRT.
Some people are already working on this, e.g. https://blog.tho.ms/hacks/2016/08/28/openwrt-on-logilink-wc0030a.html. It seems a promising approach.
Maybe a partial solution to IoT devices is that manufacturers must make the devices user-modifiable the moment they stop supporting them (which in many cases is the moment they leave the factory).
The common use case is that people add these cameras to a WiFi network that is connected via a router to the Internet. Being able to hack the camera from the LAN side, which is what the video seems to demonstrate, is of course a major vulnerability, but the real-world problem most people face is attackers getting to the cameras from the WAN side.
I possibly haven't had enough coffee yet this morning, but how do you find a Vstarcam behind a NAT and send it one of these packets if you haven't hacked the cloud protocol?
"Below is a video showing how easy it is to exploit an at-risk, internet-facing surveillance camera remotely."
keyword: internet-facing. And there's many of them. Not in people's homes but used for crossings etc. Because: oh that's easy to use if can be accessed from anywhere...
If we accept that these devices are eminently hackable and that at some point they're going to be used for bad things, can't the good guys hack and disable them for the greater good?
We've seen some big DDOS taking out chunks of the Internet very simply. As people add more crap, the chunk size and duration of the DDOS is just going to increase.
Not sure if I feel it's unethical to bork everyones wifi camera / printer / dongle / etc. but then I think about the greater good. And then I think.. who cares if people can't play wow over Xmas, who cares about all the poor lolcat videos that won't get watched. It would even be a bonus if Trump couldn't tweet and / or I couldn't read about his tweets over the festive period.
And in some ways maybe THAT is the greater good, with no Internet, people can socialise, read books, play out in the snow on that new bike they got for Xmas. And then I think about having to socialise with my in-laws and I'm back to needing the Internet to protect me over the holidays.
Like I said to the British Gas man who was trying to sell me that "Hive" automated thermostat thing: "If I can change the heat in my house from my phone when I'm at work, someone else can do that to my house too".
So while I plan on putting CCTV in my home, it'll be on a device that can only be accessed in the home and not connected to the internet. That's literally the most secure way to run these cameras.
If you must have an internet connected widget, then put it behind OpenVPN and accessing it via that, then at least you have a decent security perimeter, irrespective of the defects in the Internet of Tat devices
Admittedly this isn't the sort of thing the average consumer will do, but its cheap as you probably already have a spare Raspberry Pi lying around and the major App stores have the OpenVPN clients available.
Part of the problem is that people see a widget and think "that's cheap, I'll get one". Never in their thought process do they consider its network access requirements or security impacts. Obviously this in turn leads to the race to the bottom on cost with competing vendors, so things get worse.
I think that all of us as more technically aware people need to be educating our friends, neighbours, etc. so that they understand the risks and perhaps will think twice next time before they purchase the next shiny widget they see.
Fully agree with the other posters that we need a minimum bar for any connected device. Also interested in the OpenWRT or equivalent approach, but I expect that the "built to a price" issue means that the devices will have virtually no internal storage and reverse engineering the devices to get things functional will be problematic - just like it was when WhiteRussian first came out.
I know I'm feeling the strain when I find myself reading this article and thinking "couldn't that nice Mr Trump just order the NSA counter-geek-geeks to run a massive program to pwn-and-brick these threats to national cybersecurity?"
If the devices stop working, and do so when replaced, eventually the buyer will beware on their own.
Because warnings of a nebulous intrenet-borne threat are incomprehensible and therefore ignorable by the vast majority of normal people.
Biting the hand that feeds IT © 1998–2019