back to article Cyber poltergeist threat discovered in Internet of Stuff hubs

New security research has revealed a whole new area of concerns for the soon-to-be-everywhere Internet of Things – smart home hubs. Hubs – devices that link into home networks to control lighting, dead-bolt locks and cameras – can be dangerously vulnerable to attack, according to security tools firm TripWire. Craig Young, a …

  1. Yugguy

    Never

    I will NEVER have any form of IOT device in my house. I can accept that my TV might be connected, and of course laptops/tablets/phones etc.

    But my kettle, fridge, heating, lights, etc. will NEVER EVER EVER EVER EVER EVER EVER EVER EVER EVER have any form of connectivity.

    When the inevitable day comes when the stupid yoof "new is good" moronic mindset means I cannot buy non-connected devices I will be physically disabling their connectivity immediately.

    1. Chairo

      Re: Never

      I feel the same, but I have my doubts if it can be avoided.

      How about the electricity/water/gas meters? And there might be legal requirements to install "smart" heating and lighting solutions, at least for new or renovated houses. What about the smoke sensors? There is a reason Google bought Nest. Will you be able to get fire insurance, if your home is not connected? And the list goes on and on.

      There are a lot of big companies out there which bet a lot of money on IOT and have a lot of lobbying power. The situation is just the same as for connected vehicles. It's a security nightmare, but the push to "being connected" is strong. Too many companies bet their business on this stuff for it to fail. They'll lobby us into submission.

      I'm afraid we are all doomed.

      1. Yugguy

        Re: Never

        Depressingly I think you're right.

        1. VinceH
          Facepalm

          Re: Never

          Quite.

          The other day, one of my brothers was proudly telling me about his new smart thermostat - I forget which brand, only that it wasn't Nest and was one I hadn't heard of (he described it as the "next one up from Nest"). It learns their behaviour patterns, learns how much time it takes to bring the house up to the right temperature, tracks where they are via GPS on their phones, and works out when they're heading home, etc.

          I pointed out that because it's connecting to a remote server, there will always be a doubt about security (and that I would try to steer clear because of that). He just laughed and said "Who'd want to hack my thermostat?"

          Way to miss the point - and the bigger picture - Bro. But I suppose it's new and shiny and you can show it off to people who aren't as cynical (and paranoid) as me in order to impress them.

      2. Nigel 11

        Re: Never

        I have my doubts if it can be avoided.

        I'm sure it can and will. I just hope that the number of fatalities is no higher than single digits before the penny drops. It'll probably be assassination by car-hacking that causes the public mood to change. If not that, the big stink when some joker turns off every domestic IOT-enabled refrigerator in the USA. Shortly after which a terrorist will turn on every kettle and heater in the USA all at once, and the power grids will crash.

        1. Anonymous Coward
          Unhappy

          Re: Never

          It was the Fiat-Chrysler wide open public connections which control the brakes that convinced me that collectively we deserve this. Individually, not so much. I'm like you, waiting for the wave of assassinations before security is taken sincerely. Then it'll be massive legislative over-kill with the appropriate acronym.

          I'm not allowed to drive (nerve control shot), but I do walk, a lot. I've had the policy of waving any cars through whenever they might, might accidently run me over. [Mostly people that never look in my direction before passing/turning.] Now? I'm going to make damned sure that no cars are nearby. We'll never know whether they are hacked.

    2. Anonymous Coward
      Anonymous Coward

      Re: new is good

      "the stupid yoof "new is good" moronic mindset means I cannot buy non-connected devices"

      It's not just the stupid yoof though is it.

      At least one place I know has decidely non-yoof middle and senior management, and "new and shiny" wins over "trustworthy" in their eyes too, just as per the Dilbert Book of Management Training.

      And this one is an outfit that has big-budget safety critical hardware and software as a major part of its business at the moment, so in principle they oughta know better.

    3. Nigel 11

      Re: Never

      Actually there are a few primitive sorts of connectivity that are OK. One day I will get around to connecting my central heating to my home PC ... with a single signal to a relay, so that the PC can turn the heating on and off. With a manual override switch, for if/when the PC doesn't do what it's supposed to.

      I get to come home to a warm house, and/or tell the computer not to waste heating when I'll be home late.

      Someone hacks me, worst they can do is waste some fuel (and lay waste my PC which would be far worse).

      A few ...? I'm having trouble thinking of any others that would actually be useful.

  2. Anonymous Coward
    Anonymous Coward

    An often underestimated threat

    If you intend to target someone in meatspace, ruining their sleep can help ensure they're more vulnerable than normal. Connecting radios, tvs, kettles, even the toilet to the net can allow hackers to have a significant impact on how well people can sleep.

    1. Anonymous Coward
      Anonymous Coward

      Re: An often underestimated threat

      So that is why the toilet has been talking to me at night, oh thank goodness I thought I was going mad.

      1. P. Lee
        Big Brother

        Re: An often underestimated threat

        >So that is why the toilet has been talking to me at night, oh thank goodness I thought I was going mad.

        You aren't mad, but you should be paranoid.

    2. Nigel 11

      Re: An often underestimated threat

      Connecting radios, tvs, kettles, even the toilet to the net ...

      OBSF: Robert Heinlein, "The Moon is a Harsh Mistress", in which the lunar rebels made the toilets run backwards.

      1. Triggerfish

        Re: An often underestimated threat

        "Would you like some toast?"

        1. Anonymous Coward
          Anonymous Coward

          Re: An often underestimated threat

          "Given that the universe is infinite, and given that God is infinite, how about a muffin?"

  3. Christoph

    "the testing was done using an old 2012 version of their firmware."

    Then they should immediately supply the researchers with an up-to-date, fully patched version of their latest product so that the fix can be checked.

    "Any audit would only be meaningful if performed on a secured controller (users & account info/ unit settings/Secure Vera: enabled"

    And is that the default configuration as supplied to naive, non-technical users? If it isn't then the above statement is pure refined bullshit.

    1. Wize

      Trouble is, most users aren't technical to think about updating the firmware on any bit of kit they have at home. Its hard enough getting some to allow windows to apply its patches.

  4. Anonymous Coward
    Anonymous Coward

    CVE vs CWE

    Is the author or Trustwire responsible for referring to weaknesses as vulnerabilities?

    I had to look up CWE.

  5. petef
    Coat

    On the Internet nobody knows you're a fridge.

    1. P. Lee
      Coat

      re: On the Internet nobody knows you're a fridge.

      But you can still be a Hotpoint.

      1. PNGuinn
        Childcatcher

        "But you can still be a Hotpoint."

        There you go - Hoovering up a perfectly good thread fo the sake of cheap puns.

        1. Christoph

          Re: "But you can still be a Hotpoint."

          They're Dyson with death there.

          1. frank ly
            Coat

            Re: "But you can still be a Hotpoint."

            It's understandable, Indesituation we have here.

            (Coat: The scruffy patchwork one.)

  6. Zog_but_not_the_first
    Unhappy

    What's depressing....

    Is that El Reg is one of the few places where measured voices of caution will get an airing. Everywhere else it's bubbly enthusiasm about how the IoT will "make all our lives better".

    Yes, Rory Cellan-Jones, I'm looking at you.

    1. Intractable Potsherd

      Re: What's depressing....

      I'm sure "Rory Cellan-Jones" is Welsh for "I'm a Know-nothing Tosser".

  7. Nuno trancoso

    Wasn't this expected?

    I mean, if security isn't taken seriously in the "right" circles, is it sane to expect it to be taken seriously when it comes to "consumer stuff"?

    Anyway, to reduce exposure to the problems of IoT is simple. Reduce the T part you own. Amazing how much space, physical and mental, is taken up by crap you don't really need but just happen to have...

  8. Anonymous Coward
    Anonymous Coward

    But I "Want / Need" IOT it will make my life easier........

    Its a true statement as far as it goes.

    what is missing is i wouldn't touch the current generation of devices with a barge pole.

    IOT devices need to talk to my network to a secured audited "HUB" Only and not to any 3rd party CLOUD.

    IOT devices need to all have encryption built in for access and communication as default.

    IOT devices need security as the first step of their development.

    I will run my IOT on a separate Vlan untrusted by all my other Vlans

    I NEEEEEED an Enterprise grade Firewall to block traffic from that Vlan talking to the outside world.

    any communication to the IOT "HUB" will be done through a VPN with tough security authentication measures at the firewall and the "HUB"

    the problem is "consumers" see flashy adverts and how good and easy this tech is to use marketing with "Zero" setup needed and buy it.

    So devices are made for the lowest common denominator "Joe Public" who dont care or understand what risks they are putting themselves in. :-(

    So for this reason i see IOT doing very well selling in great numbers in the insecure state its in now so development of security will not progress due to its cost :-(

    1. Nigel 11

      Re: But I "Want / Need" IOT it will make my life easier........

      given all that ...

      (a) software will still have remotely exploitable bugs

      (b) the number of IOT systems will reduce to two or three (cf Apple, Android or MS for your mobile; MS or Linux for your desktop)

      (c) So sooner or later the very bad guys will exploit a bug in a high percentage of the national /global IOT-enabled households to do something horrible. Like crash the nation's power grids. I hope that my hypothetical prankster gets to a lot of fridges first, to deliver a nonlethal warning by stink and lawyers that couldn't be ignored.

      1. Anonymous Coward
        Anonymous Coward

        Re: But I "Want / Need" IOT it will make my life easier........

        I agree there are problems which is why i wont touch the current generation or probably the next and want the systems on their own Vlan and behind security of a hardware firewall.

        I dont hold out much hope that security will be taken seriously until there are many MAJOR exploits demonstrated in the wild and the "Daily Mail" informs its readers that the IOT is "BAD".

        Im hopeful that one display of lack of security will be someone working out how to wipe usage data from smart meters so they supply power but report back £ $ 0.00 usage over large areas of the country at the same time only when it hurts the large corporations involved in THEIR pocket will they take notice of security. but by then it will be too late the systems with no or weak security will already be pervasive in the market. :-(

        1. An ominous cow heard

          Re: Daily Mail on the case before you know it

          "the "Daily Mail" informs its readers that the IOT is "BAD"."

          May be closer than you think.

          The hardcopy Daily Mail front page headline today is

          "Fraud alert over new tap and pay bank cards: Thieves use scanners to steal account details - even when contactless card is in your wallet"

          Couldn't find it via the Mail's own website but Google News found it for me:

          http://www.dailymail.co.uk/news/article-3171431/Thieves-use-scanners-steal-account-details-contactless-card-wallet.html

          As reported here on El Reg at

          http://www.theregister.co.uk/2015/07/23/contactless_card_fraud_risk_which/

  9. Anonymous Coward
    Anonymous Coward

    IoT

    Internet of Tat

    1. Anonymous Coward
      Anonymous Coward

      Re: IoT

      Sorry, but that's the Internet of Twats. And we've seen a lot of them in the controls business. They go bankrupt or obsolete and leave their garbage connected to the internet and unsupported all the time.

  10. Anonymous Coward
    Anonymous Coward

    Nothing new here

    The problem is security is an after thought not a priority. Anyone foolish enough to buy into the IoT is bound to get burned. Many will cash in on gullible consumers who make their home defenseless with half-baked tech.

  11. N2

    But

    I don't think they could hack our Rayburn

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like