back to article Porn parking, livid lockers and botched blenders: The nightmare IoT world come true

Some time in the near future, you may go to a parking kiosk and rather than be presented with a $5 fee request, get confronted with low-res porn images. Likewise that locker at the gym may be used to send your bank account details to cybercriminals. And even your blender could be spying on you. That is the nightmare internet- …

  1. Wellyboot Silver badge

    Answers on a postcard.

    >>what better than an amusing and worrying tale to bring it home to the suits?<<

    No shortage of material sourced from their own insecure IoT junk at home. Pity it's illegal to show people how far they've bent over the barrel for a little 'convenience'

  2. a_yank_lurker Silver badge

    Idiocy of Turds

    Having some knowledge of security I only have dumb devices for household items and controls. In most scenarios used to justify one the turds a little bit of planning (may be 3 minutes) or opening the fridge or pantry before wondering off dramatically reduces the need for them. And it simplifies my security problems to only having to worry about wifi connections for phones and laptops. (I do not use a wifi connection for my wifi capable printer).

  3. Rockets

    You're Doing Corporate WiFi Wrong

    "It only takes a line manager to buy and plug in a new piece of kit and then type in the office's wireless password for a security hole to be opened up."

    If this is all it takes to get a device on your corporate WiFi network then you're doing WiFi security wrong.

    1. Paul Crawford Silver badge

      Re: You're Doing Corporate WiFi Wrong

      Any sane company has at least two wifi systems: one for user's own phones / visitors / IoT crap / etc, and a 2nd (or more) that is more locked down and only for approved corporate devices that need to access internal systems.

      1. Rockets

        Re: You're Doing Corporate WiFi Wrong

        Any sane company has at least two wifi systems: one for user's own phones / visitors / IoT crap / etc, and a 2nd (or more) that is more locked down and only for approved corporate devices that need to access internal systems.

        Most corporates would use controller based WAPs solutions from companies like Cisco, Aruba etc that support multiple SSID and security deployments with AP groups and have a profiling tool that can send a RADIUS CoA to the controller when a rogue device is detected. Even SMB's have products that are affordable while being able to support different security requirements. Ubiquiti Unify, Foritnet or Draytek WAPs with their own firewall products give controller like experience as well as being able to firewall traffic.

        Have a SSID for your corporate devices using EAP-TLS for security. Mobile devices should be provisioned by an MDM so they get the correct certificates to use. If you can't afford a MDM or don't have the staff to deploy an internal CA infrastructure then use a PEAP secured SSID and firewall it. Mobile devices could be firewalled off and on a separate SSID depending on your use case.

        Another SSID for guest access that is on separate VLAN & firewalled off with P2P disabled. Use a PSK or Captive Portal for security. I prefer Captive Portal so you can see who's connected to the guest WiFi. Any IoT crap gets it's own SSID, VLAN and firewalled off & P2P disabled again. If you have to use a PSK with these devices, only IT & application support get to know the PSK and you'd restrict the devices access to the bare minimum for them to work on the firewall so you don't any free loaders on this SSID.

        Security is hard and you need to spend some money but a competent network admin should be able to deploy a reasonably secure WiFi solution no problem at all.

        Probably more a case of the line manager insisting on you doing WiFi security right (from the point of view of his convenience).

        IT staff shouldn't report to a line manager for security related items. If the manager has a problem they can take it up with who's responsible for IT security or my boss. As IT staff I'll happily work with the line manager to be able to accommodate his requirements but only in a secure fashion and I'll be completely up front about it. If it's a rush I'll do my best to help them out as quick as I can but if I need extra hardware then he's going to have to wait. If my boss tells me to cut corners for a deployment, I'll do it but then my boss most likely wouldn't ask anyway because at the end of the day it'll be his name on a incident report if something happens and that's the last thing he wants.

    2. Doctor Syntax Silver badge

      Re: You're Doing Corporate WiFi Wrong

      "If this is all it takes to get a device on your corporate WiFi network then you're doing WiFi security wrong."

      Probably more a case of the line manager insisting on you doing WiFi security right (from the point of view of his convenience).

  4. Anonymous Coward
    Anonymous Coward

    What exactly is the Internet-of-Things?

    1. Its a Smart TV that exists for industry-wide consumer surveillance

    2. Its a vacuum cleaner with video cam for remote spying capability

    3. Its the very next Alexa / eavesdropping smart-speaker clusterfuck

    4. Its a car that will spy on you anywhere / everywhere you go / drive

    5. Its a kids toy that will burn your kids privacy badly or even horribly

    6. Its a home security device that will often leave the front door open

    7. Its a home security system that will track your family for hackers

    8. Its medical equipment / a hacked CT scanner that gives a lethal dose

    9. Its a kettle / home device hacked to start a fire while you're asleep!

    0. Its a cyberwar device for ddosing and conducting WW3 attacks etc.

    ~~~~~

    IoT is basically

    ~~~~~

    1. A solution to a problem no one really cares about versus flying cars

    2. An empty marketing sales pitch in search of some real practical use

    3. Intelligence / Spying target-device that Govt has promised to exploit

    4. A device that 'phones-home' reliably, but fails when you need it to work

    5. A host of juicy data left wide-open on an Amazon S3 Cloud bucket

    6. A marketing device designed to bump GDP / Surveillance-Economy

    7. A 'Scam' perpetrated on unwitting low-hanging-fruit users / consumers

    8. A clusterfuck of unintended consequences that'll burn vulnerable people

    9. Endless devices offering 24/7 Worldwide-Surveillance Orwellian-Hell

    0. - *Internet_of_Threats* - *Internet_of_Tat* - *Internet_of_Twats* -

    1. Allan George Dyer Silver badge

      Re: What exactly is the Internet-of-Things?

      @AC - Can you try to be a little more original in your posting? You posted the same list 9 days ago.

      Release your creativity, after all, you are anonymous.

      1. This post has been deleted by its author

    2. Doctor Syntax Silver badge

      Re: What exactly is the Internet-of-Things?

      "the very next Alexa / eavesdropping smart-speaker"

      Next?

      1. Ben Tasker Silver badge

        Re: What exactly is the Internet-of-Things?

        I recently got fed up of explaining _again_ why I'm not having Alexa in my house. So I ended up writing this and just send people a link when they ask

        Edit: make clicky

        1. Pascal Monett Silver badge
          Thumb Up

          @Ben Tasker

          Normally I don't much appreciate people using El Reg to promote their own web site material, but in this case I must say thank you for that. I have saved it for local reference and I will be using it as grounds for my own deep-seated mistrust in IoT.

  5. Anonymous Coward
    Anonymous Coward

    Internet of Idiots

    So last week I’m sat quietly in the office getting on with stuff as normal. It’s a hot desking office so some random turns up and sits himself down next to me. His phone beeps at him and he picks it up. It’s his IoT (Internet of Twats) doorbell. Because he needs to see who’s at the door he then proceeds to have a FaceTime-esque conversation on speaker phone with a delivery bloke at the door who he then proceeds to tell to put the package behind the unlocked gate. Later on he has a conversation with his bank confirming his life history and address / location of said package. It was tempting....

    Solution looking for a problem, or solution looking for a victim?

    1. Halfmad

      Re: Internet of Idiots

      IOT has it's place. My father was disabled and we got him a Ring doorbell as it was hard for him to get up and to the door quickly, it was also incredibly tiring and meant additional risk of him falling - he lived alone 40 miles from my brother or myself so we were constantly worried about him.

      It meant he could check without letting them know he was doing so - who it was, and talk to them and say he's on his way if he wanted to let them in, otherwise he could ignore them in the knowledge the camera had stored their image with a short video should they harass him.

      It's easy to say "christ nobody needs this nonsense device" but there are many use cases for devices like this, but I'd say that personally I have no need and no desire for one. But I'm not the target market arguably as I'm healthy and happy to tell randoms to **** off when try to sell me windows for the 3rd time that month.

      1. EnviableOne Bronze badge

        Re: Internet of Idiots

        yes but is there any need for that to be connected to the Internet?

        there are video door intercoms, and at most, it needs to work over a local network....

      2. paulf Silver badge
        Alert

        Re: Internet of Idiots

        @ Halfmad

        I think the point is that all of the desirable functionality you've mentioned (and I agree it makes a lot of sense in the case of your Father) can be provided without requiring an internet/Wifi connection, and the ability to phone home to a manufacturer or connect to a smartphone app.

      3. Doctor Syntax Silver badge

        Re: Internet of Idiots

        "IOT has it's place"

        The exact place depends on whether it's recyclable or not.

        And, in your particular use case, door phones have been a thing for a very long time now.

      4. jelabarre59 Silver badge

        Re: Internet of Idiots

        But I'm not the target market arguably as I'm healthy and happy to tell randoms to **** off when try to sell me windows for the 3rd time that month.

        Did you mean "windows" or "Windows(tm)"? Or even worse, "windows running Windows(tm)"...

        1. DougS Silver badge

          Ring doorbell for elderly or disabled

          That's a great use case, the problem is that's not how they're marketed or who is buying them. Is it even possible to restrict it to your local network - for a normal person, so don't say "configure the firewall in your DD-WRT router to block it". That's how it should work by default, and if you want to be able to see who is at your door when you are at work or on vacation you can enable that functionality.

          But of course Ring is owned by Amazon, and like Google and Facebook they want to collect every scrap of data about you they can possibly can, and leaving a possible entry point for hackers isn't something they care about.

        2. MachDiamond Silver badge

          Re: Internet of Idiots

          "Did you mean "windows" or "Windows(tm)"? Or even worse, "windows running Windows(tm)"..."

          It may come as a surprise, but Microsoft wasn't allowed to trademark "windows". The proper trademark is "Microsoft Windows". The trademark office doesn't allow common words to be trademarked. Apple is "Apple, Inc", previously "Apple Computer". You could form a company named "Apple Electrical Appliance" and shorten the name in advertising to "Apple", but you'd wind up with a bad case of lawyers.

      5. MachDiamond Silver badge

        Re: Internet of Idiots

        "IOT has it's place. My father was disabled and we got him a Ring doorbell as it was hard for him to get up and to the door quickly"

        There have been AV intercoms for residential applications for years. I see the usefulness of something that lets your father answer the door remotely, but why does it have to be connected to the internet?

  6. tiggity Silver badge

    Parking kiosk

    They wondered why someone hacked it?

    Presumably the hack gave free parking by knocking out the payment system?

    .. Total result as far as most people, faced with rip off parking charges, are concerned.

    What is it with short sighted UK councils, huge parking charges to park in town centre, so you go to out of town superstore to shop instead as it has free parking, then the useless council wonder why local small business are closing and high street is becoming deserted of customers

    1. paulf Silver badge
      Unhappy

      Re: Parking kiosk

      They do it, not because it makes sense to anyone who sees the whole picture, but because it's considered an easy win and they assume putting up parking charges will not cause any change in behaviour.

      Councils used to get about half of their income from central Gubmint as a grant. That's been reduced to nil over the last 8 years leaving them to either cut services or raise new revenues from somewhere other than Council Tax (they have to hold a referendum if the put up CTax by more than 5%). Some councils are so stuffed by the current situation they're struggling to provide the bare minimum (statutory) services. Faced with that I'm not surprised they're going after the "easy wins" even if it makes bugger all sense for the reasons you cite.

    2. Doctor Syntax Silver badge

      Re: Parking kiosk

      "Presumably the hack gave free parking by knocking out the payment system?"

      Or it was working some scam clicking through adverts?

    3. Doctor Syntax Silver badge

      Re: Parking kiosk

      "so you go to out of town superstore to shop instead as it has free parking"

      The "free" parking is funded by letting it out to parking vultures who hand out fines to people who might only have driven through to drop off a passenger. And yet the chains who rent premises there don't seem to mind being treated as bait.

      And yet both town centre and out-of-town venues wonder why they lose business to the net.

    4. Anonymous Coward
      Anonymous Coward

      Re: Parking kiosk

      How much do you think town-centre parking would cost if it were left to market forces and not subsidised?

      A "standard" parking space is 2.4 x 4.8 m. You need the same again, roughly, for access to the parking spaces. You can look up how much rented office space costs per square foot (sic) for a comparison which isn't entirely fair but gives a rough idea of how much the land is worth.

      1. The First Dave

        Re: Parking kiosk

        Downvoted for incorrect use of (sic)

    5. Anonymous Coward
      Anonymous Coward

      Re: Parking kiosk

      "Presumably the hack gave free parking by knocking out the payment system?"

      Sadly most councils will still ticket you for using the car park in that scenario. All parking kiosks I've seen for a long time instruct you to use an alternate machine if the one you're looking at is out of action. All kiosks being out of action doesn't seem to be a use case they've considered ... the onus remains on YOU to post a valid parking ticket on your vehicle.

  7. ecofeco Silver badge

    This will not end well

    See title.

  8. Crisp Silver badge
    WTF?

    Why would someone try and send me low res porn?

    What kind of monster doesn't send high def?

  9. SVV Silver badge

    Our future IoT dystopia

    "you may go to a parking kiosk and rather than be presented with a $5 fee request, get confronted with low-res porn images"

    Shit, how will I cope with being shown free porn instead of having to pay for something? As for your toaster spying on you, If you buy such crap all they're going to learn is that you're an IdioT.

  10. Tom Paine Silver badge

    ...the fact that, out of necessity, large number of employees have access to wireless passwords...

    If you'll excuse me, I just need to make a small choking noise for a moment. Ah! That's better. Not to worry, it's inside the firewall, and anyway that's why we have them AVs.

  11. Version 1.0 Silver badge
    Pint

    It's not the problem

    This story is about the symptoms, not the problem. We can tack up the holes, increase security but the fact is we have a significant number of people in the world now who are basically out to screw anyone and don't care who they walk over to get what they want. Social Responsibility has disappeared, who does anything for the common good any longer?

    This is why we have politicians like May, Corbyn, Trump, Putin, Clinton etc, they are all in it for themselves and the bottom of the bucket is just scrambling around for the crumbs. Nobody cares about the world - the only thing that can fix this is a really good pandemic. Me? I don't give a top ten hit, I'm off to the pub.

  12. Anonymous Coward
    Anonymous Coward

    Huh

    ". But hackers got into the system and used the locker codes to enter the third-party's system and steal data....The report notes a gigabyte of data was sent out of the network"

    WTF... how do you end up with a gigabyte worth of data on a storage locker system? TFA doesn't sound like the data came from the park itself (using the smart locker system as a beachhead).

    1. AS1

      Re: Huh

      Gigabyte of data is really easy when the UI is written as a web app. If you're really lucky it has the members' pass card information (complete with photo ID, address and CC info); more probably it's cruft like several megabytes for each animated button and transition screen advert.

  13. Anonymous Coward
    Anonymous Coward

    internet connected

    I'm struggling with the concept of -

    "The report details another incident where hackers connected to a range of internet-connected devices on a food assembly line – including blenders and slicers "

    Not being familiar with industrial scale food production, I'm trying to imagine the use case in which this sort of equipment has a network connection at all, let alone being internet accessible. Now I suppose LAN connections might make sense for monitoring and maintenance purposes, possibly even centralised control of the production line if its fully automated. But _internet_ ..? Why the WAN? Is this company running automated production lines on several sites and controlling them from some central ops centre or something?

    Jeez, this gives me horrible flashbacks of coding a virtual vending machine in VAX Pascal back in computer science 1.01 at Uni.

    1. Anonymous Coward
      Anonymous Coward

      Re: internet connected...why would anyone do that?

      Here's an example from a home system.

      *

      1. User has a LAN, with ONLY the TV, laptops and a printer connected. The LAN can even include WiFi, but there is no internet service available. The TV is fed from an old fashioned yagi aerial on the roof.

      - This is fine for streaming MP3 and video files to the TV, for watching terrestrial TV channels, and for typical WP and speadsheet use.

      *

      2. User decides that the TV needs broadband access (Netflix), and at the same time this "upgrades" the laptops for web browsing and email. So a broadband device is attached to the LAN.

      - So, immediately, every device on the LAN is potentially "internet connected".

      *

      The fix is not easy in a home environment where ease of installation and ease of use are primary concerns -- but a similar problem should have a solution within the reach of a manufacturing company!

  14. 2Nick3 Bronze badge
    Childcatcher

    Why hack a parking meter screen?

    "The company says that none of the images actually appeared on the screen and seems confused as to what the reason for the hack was in the first place (we're willing to bet the answer is not more complicated than: because we can)."

    Because putting porn where the children could see it is a great way to get attention.

    Are we sure Darktrace didn't pull that one off themselves - it's pretty "sexy" (yeah, I did that) to have in their announcement.

  15. Anonymous Coward
    Anonymous Coward

    From Neal Stephenson's "Diamond Age":

    ...it was rumored that hackers for big media companies had figured out a way to get through the defenses that were built into such systems, and run junk advertisements in your peripheral vision (or even spang in the fucking middle) all the time—even when your eyes were closed. Bud knew a guy like that who'd somehow gotten infected with a meme that ran advertisements for roach motels, in Hindi, superimposed on the bottom right-hand corner of his visual field, twenty-four hours a day, until the guy whacked himself.

  16. Walter Bishop Silver badge
    Linux

    IoT devices can send your bank account details to cybercriminals

    that locker at the gym may be used to send your bank account details to cybercriminals.’

    How about you put a switch on your IoT devices rendering them read-only?

  17. allthecoolshortnamesweretaken Silver badge

    This scenario is basically how the Krell wiped themselves out, isn't it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019