Jump to content

good piece which echos my thoughts on internet-of-everything


Recommended Posts

ross549

True, but this is the only exploit I have heard of for the Nest. It's had a good reputation thus far.

 

Adam

Link to post
Share on other sites
Guest LilBambi

Yes, but there is concern now, not only with potential hacking but also the data that's sent to the mothership and if it's identifiable, etc.

 

This is an important discussion. Back in January 2014 MIT Technology Review had the following article on it:

 

Securing the Smart Home, from Toasters to Toilets (NOTE: There is a subscription pop up but you can still close that and still see the article)

 

David Knight, general manager of Proofpoint’s information security unit, says the attackers had basically set up an Internet of things-style botnet—something we’re more familiar with seeing on PCs—where the devices are unknowingly hijacked in order to do things like send out spam or host illicit pornography. He expects to see a lot more of what he refers to as “thingbots” as connected devices spread throughout the home, especially since the security in place on so many of these gadgets is just a simple Web interface that asks you to set up a username and password.

 

 

And this one from LATimes on March 22, 2014:

 

Simple Internet-connected devices can end up in complex online crimes:

 

A home wireless router can be configured to provide some rudimentary protections, but most users typically turn on the firewall or anti-virus software on their PCs, thinking that would be enough. And as such the wireless router becomes an unlocked door of sorts for hackers to gain access to the household devices.

 

pixel.gif

 

This year, Proofpoint Inc., a Sunnyvale, Calif., cybersecurity company, tracked a global attack that sent 750,000 malicious emails from more than 100,000 gadgets — including home Wi-Fi routers, TVs, DVRs and even a refrigerator.

 

"How do you update the software on your refrigerator?" Proofpoint Chief Executive Gary Steele said. "I don't even know how you do that."

 

When Gilbert, a technician for an oil company, discovered that his baby monitor had been hacked, he ripped out the entire home network and rebuilt it from scratch.

 

Connected devices and their data needs to be encrypted and in general secured.

 

And that's just the first two I found...

Link to post
Share on other sites
ebrke

That LA Times article was disturbing. I've been leary of all the apps I've heard about that interface with home security, and stuff like Comcast advertises to monitor your home. I wouldn't trust that for a minute. I think most companies offering this type of thing are trying to get it out fast, so they can be cutting-edge, and I have no faith that they've paid any attention at all to security. To me, a hacked baby monitor is a scary thing.

Edited by ebrke
Link to post
Share on other sites
Capt.Crow

A lot of weirdos on the dark side. I always wonder why they use their >gifts< in this way.

 

They do it in IT

ditto finance

ditto food

A plague of them

Link to post
Share on other sites
ross549

That LA Times article was disturbing.

 

I honestly think it was written to be that way. Yes, the "Internet of Things" is very new, and there's a lot of uncertainty with it and how things will shake out.

 

Take Nest for example. (It's the one I am most familiar with.) Yes, it was exploited, but that exploit requires physical access to the device in order to accomplish that exploit. The same can be said for the other article that I posted the other day. That one probes the discovery of a large command and control network for exploited smartphones.

 

In each of these cases, the device must be specifically targeted. It's not a dragnet or anything like that.

 

However, we take our computers and connect them to the Internet and we go to sites like this one. This site *could* be hit with a cross-site scripting vulnerability or be compromised in such a way in order to serve up all kinds of malware or something like that. This is not a difficult attack when you consider the hacks available out there, and the Admins here (particularly LilBambi) take proactive measures to protect the users from something like this ever happening.

 

The risk is still there. It has been reduced by good practices on the part of the admins, and by your due diligence to protect your PC. This mitigates the risk by a large extent.

 

So, if we apply the same model to the Nest thermostat. We know it connects to the internet for weather and statistical purposes. I don't know where it gets the weather data, but it does "phone home" to Nest Labs.

 

So where is the risk? Could the thermostat be compromised? Possibly. What's the danger there? If someone hacks the Nest thermostat, what can they do? They could potentially view activity data via the Nest sensors. They could control your HVAC system. They could possibly get identifying information on your Nest account, and maybe even log in as you.

 

However, no one has demonstrated an exploit yet for the Nest thermostat that could be done over the Internet. It needs to be local. Considering the extremely unlikely even that someone takes the time to break through your router's firewall, the most they could do is view your Nest account or turn off your AC or something like that.

 

Considering the extremely remote chances of them gaining access and the incredibly limited "damage" that could be done, I don't think having a Nest thermostat in your house really carries any appreciable risk to you or your family.

 

That being said, there is greater risk of Nest's newest acquisition, Dropcam, of being dangerous, as a burglar could possibly gain access to your camera's feed. However, the attacker would still need to either compromise your account on Dropcam's site (good passwords lessen that risk), or break in through your router and somehow break through the camera's SSL connection to the Dropcam servers.

 

In that case, the risk is higher, but still very low.

 

When considering technology in your home, one has to make a risk assessment and consider all angles before doing so. You also accept some risk in every situation. In some cases, the risk is better known, and we still do it.

 

Just because an Xbox One could possibly catch on fire does not mean I am not going to put it in my living room.

 

Adam

Link to post
Share on other sites
ebrke

Biggest problem may be that we won't always have a choice or be able to weigh the risks and decide for ourselves. If more isn't said/done now, I can see a day coming when hypothetically I won't be able to buy a thermostat that doesn't phone home. That probably won't happen given my age, but my feeling is that we should be able to decide these things for ourselves, not be left at the mercy of a market that may determine that we have no alternative to taking these security/privacy risks because everything is "connected".

Link to post
Share on other sites
Guest LilBambi

I hear ya Adam, but if you give them an inch they will take a mile.

 

The point is that if they need to secure these things well from the start, they will say they didn't know ... and that is just BS.

 

Many of these internet of things are out there and not safe yet. Nest is mostly safe unless someone gets physical access. But not everything is like that. And not all are ones you should give a pass on. Some are just made cheaply and don't think of security.

 

Security needs to be baked in from the start.

Link to post
Share on other sites
ross549

In the case of Dropcam, the feed to Dropcam's servers is encrypted by default, and in order to access it, you have to have the username/password for the device. I don't understand how this is not secure by default. Encrypting data is the name of the game right now. Just because the Nest thermostat was compromised by someone loading in a different bootloader with it in DFU mode does not mean it is not secure....

 

I am having a hard time understanding this.

 

Adam

Link to post
Share on other sites
Guest LilBambi

Yes, for Dropcam, that should be good unless an insecure password is used. :thumbsup:

 

But, is it 256-AES encrypted? Or the already cracked earlier ones?

Link to post
Share on other sites
Guest LilBambi

End-to-end SSL/TLS encryption, requiring user login/password (as long as secure passwords are used), and over the air updates will certainly help a lot.

 

Example at CloudFlare:

 

http://blog.cloudfla...-origin-traffic

 

BTW: SSL/TLS is what is used at StartPage.com to encrypt your searches too. The only search engine that even claims to use the better SSL/TLS encryption as well as not logging IP addresses. 10 Ways Start Page Protects Your Security.

Edited by LilBambi
Link to post
Share on other sites
ross549

From the Article linked by temmu-

 

In an interview on Wednesday, George Yianni, head of technology for connected lighting at Philips, told Ars the Hue lighting system was intentionally designed to grant access to any device connected to a user's home network. Company designers went about doing this by using security tokens that are generated without requiring a user to take press a special authentication button on the wireless bridge of the system.

 

That is awful... a conscious business decision to bypass a better authentication/security model.

 

Note, however, the method of attack. The code must be executed from within the network. A random stranger is not going to be able to walk up to your house and randomly turn off your lights, he must attack through a compromised website on a computer on the network, or gain entry into the network itself. Having solid encryption on your wifi is a good first step to remain more secure.

Link to post
Share on other sites
Guest LilBambi

See what I mean! That's just one of many examples of the idiocy of some of these companies making products for the connected home!

Link to post
Share on other sites
Capt.Crow

On the pragmatic side I suppose the only folks who are going to have this sort of stuff in the home are the showoff over wealthy.

Link to post
Share on other sites

On the pragmatic side I suppose the only folks who are going to have this sort of stuff in the home are the showoff over wealthy.

with the Nest, yeah I agree. what a boondoggle. Really people, just because it says in shiny letters connected to Internet-of-Everything does not mean it is better or more sophisticated than appliances that have been around for years. DropCam is a bit different, or at least it used to be.

 

Anyway, the point about access to me means that any repair or utility person that comes into a smart home needs to be bonded. Else, easy enough for them to get the hooks into the home.

 

WiFi is going to be a problem, an access point surveyor would not need to be in the home and given the presumed purposes of these devices , the surveyor would not need to be within 15 feet of the home but a lot more away.

 

This whole 'smart home' when it comes to receiving control-and-command from outside the home is just reeking of risky business to me.

  • Like 2
Link to post
Share on other sites
Guest LilBambi

On the pragmatic side I suppose the only folks who are going to have this sort of stuff in the home are the showoff over wealthy.

 

Don't think so. ;)

 

This will depend on the need. Some people have needs for these types of things. Not only wealthy folks, but also some geeky folks with complex lives.

Edited by LilBambi
Link to post
Share on other sites
ross549

WiFi is going to be a problem, an access point surveyor would not need to be in the home and given the presumed purposes of these devices , the surveyor would not need to be within 15 feet of the home but a lot more away.

 

So? If the wifi is secured with WPA, no one with any handheld gadget is going to be able to crack the key.....

 

Adam

Link to post
Share on other sites
ross549

I can assure you that WPA2 has not been compromised. Considering we use passwords on wifi, they are vulnerable to a dictionary attack, but the success therein relies in the strength of your password.

 

Most of those results you see are using a dictionary attack to crack the password.

 

WEP, on the other hand has been completely compromised.

 

Adam

Link to post
Share on other sites
Guest LilBambi

Wouldn't go that far ... WEP and WPA have been hacked already, and WPA2 partially hacked.

 

And as you say, humans really are the real issue ... weak passwords.

Link to post
Share on other sites
Guest LilBambi

Think Your WPA2-encrypted Wireless Network is Secure? Think Again.

 

Most of you have taken the advice of security geeks such as myself and have stepped up to Wi-Fi Protected Access 2 (WPA2) encryption as a means to protect your wireless network. WPA2 is the most current and robust wireless encryption method available at this time.

 

Well I hate to be the bearer of bad news, but hackers have been toiling away at cracking the shell of WPA2 and have succeeded (to a degree).

 

To be clear, hackers have managed to crack WPA2-PSK (Pre Shared Key), which is primarily used by most home and small business users. WPA2-Enterprise, used in the corporate world, has a much more complicated setup involving the use of a RADIUS authentication server and is still a safe bet for wireless protection. WPA2-Enterprise has not yet been cracked to my knowledge.

 

"But Andy, you told me in your other articles that WPA2 was the best way to go for protecting my wireless home network. What am I to do now?", you say.

 

Don't panic, it's not as bad as it sounds, there are still ways to protect your WPA2-PSK-based network to prevent most hackers from breaking your encryption and getting into your network. We'll get to that in a minute.

 

The ways to protect ourselves is in the article...so read on.

Edited by LilBambi
Link to post
Share on other sites
Guest LilBambi

WPA2 wireless security cracked - Science Daily - March 20, 2014

 

There are various ways to protect a wireless network. Some are generally considered to be more secure than others. Some, such as WEP (Wired Equivalent Privacy), were broken several years ago and are not recommended as a way to keep intruders away from private networks. Now, a new study reveals that one of the previously strongest wireless security systems, Wi-Fi protected access 2 (WPA2) can also be easily broken into on wireless local area networks (WLANs).

 

...

 

There are thus various entry points for the WPA2 protocol, which the team details in their paper. In the meantime, users should continue to use the strongest encryption protocol available with the most complex password and to limit access to known devices via MAC address. It might also be worth crossing one's fingers…at least until a new security system becomes available.

 

Much more in the article.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...