Anyone actually got a Belkin home automation kit?
If so, why?
Insecure firmware handling, poor communications practices and API vulnerabilities are among a range of vulnerabilities security company IOActive has identified in Belkin's WeMo home automation systems. In its advisory, here, IOActive says it's discovered that the systems leak a hard-coded key and password that Belkin uses to …
What dangers exactly?
Considering WeMo only really seems to offer the ability to turn a standard 3 pin plug socket on and off, exactly what are the dangers?
So a hacker may be able to turn a WeMo user's table lamp on or off...... or maybe a fan. I'm not really seeing the danger there yet? I'm obviously missing something?
Yeah, millions.
Why? Because people trust places like PC World to be more than box shifters selling overpriced outdated crap purely on a "most profit per cm"
It still pisses me off that people have been working with IT kit for around 15-20 years, but still use the argument that it's all "too complicated" and don't spend any time helping themselves by finding out what it is they are actually buying.
A second point about the post itself, this is one of the main reasons the "3 strikes and you're out" ISP/Record industry thing would fail if anyone ever went to court over this.
Prove that the person being accused of illegal downloads is doing the download, not someone sitting in their car outside. You can't because the kit being used is still so shit.
"It still pisses me off that people have been working with IT kit for around 15-20 years, but still use the argument that it's all 'too complicated' and don't spend any time helping themselves by finding out what it is they are actually buying."
That doesn't piss me off at all. What pisses me off is the push by clueless marketeers that it should be easy. My boiler is 'too complicated' and beyond setting the temperature/timer I don't touch the bloody thing. I hire someone who knows what they are doing.
Why are people so averse to hiring someone to come in and sort out their router or what-have-you?
*I* am quite happy to arse about with my routers, but it is certainly way, way, WAY too complicated for the average user. Just as my boiler is way, way, WAY too complicated for me.
We can't all be experts in everything y'know.
"the systems leak a hard-coded key and password that Belkin uses to sign firmware."
So let's say that someone gets robbed because of this.
Would their insurance pay-out, or refuse because they had equipment that was known to be insecure?
Is Belkin in any way liable for consequential loss?
And those aren't worth the paper they are printed on no matter what the lawyers hired by the company printing them tell you. At least in the case of home automation.
I worked for one such company back in the dark ages when 386 processors were new. They originally planned to integrate home security into their automation system. That was dropped when they found out that as soon as they included it they were fully liable if the bad guys used the remote access system to allow entrance to the domicile. They planned a "romantic" house mode that was supposed to bring on the lights dim, set the music playing, and turn on the gas fireplace all at the press of a button. Right up until the safety engineers said the light dimmers need to fail safe in the event of power loss and that meant all lights came on at full brightness and dimmed down.
You can swindle someone out of a couple hundred bucks on an OS that runs their business and it turns out to not be fit for purposes, but people's safety is a whole other kettle of fish.
Belkin (+many others) only care about selling little boxes, so the software will be poor quality and just good enough to ship.
Something like this deserves an open source solution, where a bunch of nut jobs¹ who obsess about home automation and security have spent thousands of hours perfecting the stack.
¹ I use it affectionately, I'm also a nut job, just not about home automation..
> Don't buy security from box shifters ... deserves an open source solution
Really? Not everyone is a neckbeard with no social life. Some people just want to get on with things. Should people avoid ready made cars and build their own? Don't buy a house, build your own? Don't buy a sandwich, grow your own wheat, make your own bread, rear your own pig, make your own ham?
"nut jobs" is right if you think the average person has the time or the inclination to subscribe to the same prejudices and delusional world-view as you.
"'nut jobs' is right if you think the average person has the time or the inclination to subscribe to the same prejudices and delusional world-view as you"
Quite amusing that your post accuses someone else of prejudice yet you use the term 'Not everyone is a neckbeard with no social life'
Way to miss the point AC. I didn't say people needed to write the damn thing themselves, just that that should be the source of the software. Many easy to use mass market consumer electronics have at their base open source software, the people using them do not know or care (as evidenced by your delightful musings).
"...McToffee, the leading supplier of antivirus software for outlets, switches and lightbulbs!"
I can picture it now, you come home one evening to turn on the light, only to have it still remain off. The control panel is flashing: "software update in progress, please wait". The damned bulb needs an AV signature update.
This week's episode of Almost Human (Disrupt) was about a home automation and security system that got hacked in order to kill several people. The manufacturers of the kit protested that they used the same safeguards as the Pentagon. Sounds about right. Growing pains are to be expected with any new technology. Too, there will be unintended consequences and abuses of the same. The problem that I have with it all is that it is predictable enough that a bunch of TV writers, a group that routinely gets tech issues dead wrong, can figure it out and it is still going to happen.
I use it to be able to power cycle my office computer when I am away and it hangs... It works but the software is absolute shite. I'm not at all surprised it is full of security holes, in fact I'm more surprised that anyone would think a cheap consumer product like this would be secure.