I realized there is a self-describing acronym for use of IoT...
I Do Internet Of Things.
IoT devices from a Chinese vendor contain a weird backdoor that the vendor is refusing to fix, we're told. The vulnerability was discovered in almost all devices produced by VoIP specialist dbltek, and appears to have been purposely built in as a debugging aid, according to researchers at TrustWave. The infosec biz says that …
"Your PC is not connected to the Internet?"
Nope, my PC is connected to the local network with a non-routeable address, and has to traverse a NATting firewall to access anything on the internet.
Most of these Internet of Trash devices get into trouble because many of them ARE directly connected to the internet, with no firewall between them and the Internet.
Your PC is still connected to the internet, however indirectly.
Also, NAT is not what is saving you there - it is your Firewall. NAT is NOT a security mechanism...
This is not really an IoT device either, it is just a crap embedded device that many people have connected to the internet/their internal network without a suitable set of firewall rules.
Indeed! In fact such a device typically would be next to your PBX behind NAT and probably with no Internet access at all. For example we have a setup with another GSM to VoIP gateway which is on a separate network with one server and an ISDN to VoIP gateway... all with no Internet access.
"I find the "Fake News" term boils down to sloppy reporting combined with indifferent editing"
Erm, no. That's not what fake news is. It originally was used to describe events that did not happen, that are being presented as having occurred, in order to elicit a particular response or confirm a particular viewpoint. It's the latest new/old thing in terms of propaganda and misinformation.
Most "proper" reporting involves some element of cherry picking or selectively ignoring facts that don't suit your narrative, rather than outright lies. Outlets that deliberately lie for satirical effect only get away with it because it is considered clear that it is not to be trusted. Same for gossip mags and Weird News type publications. Places like InfoWars and Breitbart (and equivalents from the loony left) should come with the same "pinch of salt" type deal.
What the Donald does is declare any story he dislikes, or feels does not 100% represent his views as "fake news", which also helpfully distracts from the issue of how certain countries are using fake news articles as propaganda to forward their own goals. Still better than him calling the free press "enemies of the people"
Obviously the USA and the Ruskies are the ones at the forefront of these shenanigans.
Contribute to the ever-changing definition of IoT: Define IoT
... 86 pages PDF!
Reporters often know very little about the "news" they report but in this case they would have had to know nothing about it which seems unlikely.
But if you want your "fake news" to go viral all you need is to write the story people want or expect. It does not matter if it has any basis in fact. Find something that sounds like it could be turned into click bait or the next viral story and the reporter is good to go.
In this case reporting that a single manufacturer of VoIP GSM Gateway equipment is building their equipment with a hidden backdoor isn't nearly as interesting as suggesting Chinese vendors are accessing your baby cameras.
That's the story that sells so that's news. Has it ever really mattered if or how the news story was true?
Remind me - how many little IP cameras have an open telnet port with the baked in login root (or admin) and the password 123456 (or admin).
My cute little Verbatim media sharer has a baked in telnet with known password (it's a date).
I think this sort of thing is extremely widespread.
This is why we NEED to push for rejecting any IoT devices that aren't fully open source...
That's as likely to happen as having fully open sourced PCs, down to the firmware....
"Devices with a network ports" (because I do not like the meaningless IoT designation): Always behind firewalls, with an IDS in the vicinity, walled off, on separate VLANs, in "novelty" roles, or "as open as possible".
Then again, there are "mobiles"....
"rejecting any IoT devices that aren't fully open source"
I thought the manufacturers of these devices were using open source, they sure as hell can't be bothered to actually waste time developing software longer than needed or contributing to the projects they use source from.
Last time I checked, all equipment like this, if sold in China, is required to have back doors that their government can access. This is required for routers, switches, and anything else that connects to the internet. Nothing bad, nothing good, just the law. So you can expect most of this equipment coming out of China to have hooks like this buried in it.
Just assume everything has a backdoor at this point. Your IoT gadget. Your hard drive firmware. Your Intel Management Engine CPU. Your EFI BIOS'd motherboard. Your Cisco router. Your Windows 10 OS. Your remote access and antivirus software.
Best bet is to hope they all fight each other for control and none of them work.
I agree in so far as I expect that things probably do have backdoors.
However I also expect that sourcing a perimeter security/firewall (from a different manufacturer) will prevent remote access to those backdoors unless there is widespread and deliberate coordination to expose backdoors to the internet.
"However, I somehow doubt that knowledge of their dodgy hardware will progress much beyond El Reg, so it will be business as usual for them."
Hah! TalkTalk made mainstream news and 12 months later your average punter thinks "TalkTalk? Heard of them, they must be good". Brand awareness works.
the gadget tries to connect to UDP port 11000 on 192.168.2.1 on its local network
So, as an exercise for the class, name me any business of over a very small size that's going to use the 192.168 range for its LAN?
Maybe a DMZ (and that's also pretty much of a stretch[1]), but a main LAN? Only one company I've ever worked at did that (network was set up by someone using various tutorials as a guide and, since they all used 192.168.1 as their network, he did likewise. By the time I came along 20+ years later, it was far, far too late to do anything about it as there were lots of hardcoded IP addresses[1] in our internal systems and it would break everything if I re-IP'd. I did consider putting up a 2nd network for new kit but didn't actually have any budget for new kit..). Everywhere else has used one of the other private ranges - the range used being dependent on how many sites/VLANs they were planning to have.
Plus, being vulnerable to such a small attack surface (UDP port 11000 on 192.168.2.1 on its local network) means that the only people most likely to exploit it are local network admins or firewall bods that can reverse-NAT that to somewhere interesting outside the firewall.
[1] Which came back to bite us badly when some of the senior people went to a conference that mentioned VPNs and wanted me to give them access from home. Turns out that having a 192.168.1.x[2] network on two sides of a VPN tunnel doesn't work too well. Who'd a thunk it?
[2] Most UK home ISPs seem to use that for the home-facing side of their routers..
name me any business of over a very small size that's going to use the 192.168 range for its LAN
That's the point, almost no corporate LANs use 192.168.2.0/24, so it's wide open for another infected machine to assume that as a secondary IP.
We have to overlay 192.168.1.0/24 on one of our other subnets, on the same vlan, and provide a tftp server on it, for reinstalling certain voip phones. When you factory reset them, they don't even dhcp, they use a fixed ip on that subnet, and try to tftp their OS image from a fixed server ip.
> So, as an exercise for the class, name me any business of over a very small size that's going to use the 192.168 range for its LAN?
Probably very few, which makes this all the easier to exploit as the IP will definitely not be taken. If you are on the same segment of the network (physical or VLAN) and there is no routing between you and the device, just allocate a second IP. None of the intervening switches will care (they just switch packets based on MAC address unless you have some form of NAC set up) and no one will notice an IP conflict.
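A defender's view of the point made in the comments above, as an added example (not part of the thread or of any vendor tooling): since almost no site uses 192.168.2.0/24, traffic to UDP port 11000 on 192.168.2.1 and any ARP reply for that address stand out on the segment. The record format, the sample lines and the 10.20.0.0/24 LAN prefix are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

BEACON_IP = ipaddress.ip_address("192.168.2.1")  # address quoted from the article
BEACON_PORT = 11000                              # UDP port quoted from the article

# Constructed sample records (not from the page), in a hypothetical format:
#   "ARP <mac> is-at <ip>"   or   "FLOW <proto> <src_ip> -> <dst_ip>:<dport>"
SAMPLE = """\
ARP 00:11:22:aa:bb:01 is-at 10.20.0.1
FLOW udp 10.20.0.57 -> 192.168.2.1:11000
FLOW udp 10.20.0.57 -> 10.20.0.1:53
ARP 00:11:22:cc:dd:09 is-at 192.168.2.1
FLOW tcp 10.20.0.31 -> 192.168.2.1:80
FLOW udp 10.20.0.58 -> 192.168.2.1:11000
ARP 00:11:22:aa:bb:01 is-at 10.20.0.1
"""

def analyse(lines, lan_prefixes=("10.20.0.0/24",)):
    """Return (beaconing_hosts, off_subnet_claims) for the given records."""
    lans = [ipaddress.ip_network(p) for p in lan_prefixes]
    beacons = defaultdict(int)   # source IP -> number of probes seen
    claims = defaultdict(set)    # undocumented IP -> MACs answering ARP for it
    for line in lines:
        f = line.split()
        if len(f) == 4 and f[0] == "ARP" and f[2] == "is-at":
            ip = ipaddress.ip_address(f[3])
            # An ARP reply for an address outside every documented subnet means
            # some host on the segment has added it as a secondary IP.
            if not any(ip in n for n in lans):
                claims[str(ip)].add(f[1].lower())
        elif len(f) == 5 and f[0] == "FLOW" and f[3] == "->":
            dst, _, port = f[4].rpartition(":")
            if (f[1].lower() == "udp" and port == str(BEACON_PORT)
                    and ipaddress.ip_address(dst) == BEACON_IP):
                beacons[f[2]] += 1   # device probing for the debug endpoint
    return dict(beacons), {ip: sorted(m) for ip, m in claims.items()}

if __name__ == "__main__":
    beacons, claims = analyse(SAMPLE.splitlines())
    for host, n in sorted(beacons.items()):
        print(f"{host}: {n} probe(s) to {BEACON_IP}:{BEACON_PORT}/udp")
    for ip, macs in claims.items():
        print(f"{ip} is outside the documented subnets, answered by {macs}")
```

The hosts in the first result are the devices to isolate or replace; an entry in the second is the condition worth alerting on, because it means something on the segment is answering for the address those devices probe.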
Check out the video online:
https://youtu.be/Yz-I8Q3rhEU
Consumer Webcam Alert - The reason why Bayit Home Automation, marketer of the IOT Bayit Pro HD BH1826 and BH1818, released a mandatory security vulnerability fix for their popular webcam line on Friday March 3rd. An affected consumer FIRST brought to their attention on Sunday February 26, 2017 a major security breach and exposed vulnerability of their very popular Bayit Pro HD 1080p BH1826 model that was a result of a major lack of security and testing on their part.
The security vulnerability exposes (2) additional undocumented default login user/password access methods over an insecure internet-facing web Port 81 without encryption to their webcam when setup of the camera is completed using the Bayit iPhone app. This immediately exposed the consumer to the internet, making them vulnerable to invasion of privacy. The lack of security of Bayit's software in their BH1826/BH181 camera firmware may have existed since the camera was released to the public as far back as 2015. The affected consumer had owned this Bayit Pro HD BH1826 since Nov, 2015 and had done the right thing to secure the camera, following all of Bayit's instructions for due diligence by ensuring a password was set. He and his family of young children had the privacy of their personal lives exposed for anyone to see on the internet since Nov, 2015 with no hack required, and this was finally caught as a result of the camera being operated remotely by changing pan and tilt positions.
This is a case of the consumer doing the right thing and the IOT vendor Bayit Home Automation recklessly neglecting to reasonably secure and protect their devices as a result of very weak security and testing practices.
This consumer should not have been the person to expose their negligence this late. This should have been caught much earlier, and stricter security standards should have been practiced to secure and protect the privacy of their consumers.
I called this company twice in early 2016 to report the issue! I had a HELL of a time getting a phone number but was eventually able to get a number. In both instances I had to leave a message on a voicemail and never received a return phone call. I started noticing that my camera was repositioning itself. I would set it so it was looking at the wall behind it and when I would come back into the room to check, it would be facing forward. I tested this NUMEROUS times and am concerned about what video(s) might be out there of my family and me. Has there been any talk of a class action lawsuit? Knowing that I attempted to contact this company several times about this issue, and never getting a return call, has me furious!
Most of the top search results for product reviews are written by bots or idiot bloggers that have done nothing but hash a press release to get a few micropayments on referrals. That's where these crap IOT products come in. Maybe you can find a fanatic who does in-depth reviews for free, but that's on page 15 of your search results. (Consumer Reports asks for real money but they rarely have the expertise needed to properly review anything.)