
SoylentNews is people

posted by Fnord666 on Wednesday June 19 2019, @10:28AM
from the seems-ok-to-me dept.

Submitted via IRC for Bytram

Consumers Urged to Junk Insecure IoT Devices

A security researcher who disclosed flaws impacting 2 million IoT devices in April – and has yet to see a patch or even hear back from the manufacturers contacted – is sounding off on the dire state of IoT security.

More than 2 million connected security cameras, baby monitors and other IoT devices have serious vulnerabilities that have been publicly disclosed for more than two months – yet they are still without a patch or even any vendor response.

Security researcher Paul Marrapese, who disclosed the flaws in April and has yet to hear back from any impacted vendors, is urging consumers to throw the devices away. The flaws could enable an attacker to hijack the devices and spy on their owners, or pivot further into the network and carry out more malicious actions.

“I 100 percent suggest that people throw them out,” he told Threatpost in a podcast interview. “I really, I don’t think that there’s going to be any patch for this. The issues are very, very hard to fix, in part because, once a device is shipped with a serial number, you can’t really change that, you can’t really patch that, it’s a physical issue.”

Marrapese said that he sent an initial advisory to device vendors in January, and after coordinating with CERT eventually disclosed the flaws in April due to their severity. However, even in the months after disclosure he has yet to receive any responses from any impacted vendors despite multiple attempts at contact. The incident points to a dire outlook when it comes to security, vendor responsibility, and the IoT market in general, he told Threatpost.

b-b-b-b-but it is still working!


  • (Score: 3, Insightful) by Bot on Wednesday June 19 2019, @11:03AM (12 children)

    by Bot (3902) on Wednesday June 19 2019, @11:03AM (#857392) Journal

    Working as intended.
    Why should the consumer pay for defective items? Write a one-line law that allows the consumer to return a FAULTY item when the fault emerges, no matter the warranty. But ofc, for all the spouting of principles, no politician of whatever area is going to go against his masters this way.

    In the meantime, putting any IoT device on the public network is not good practice. A VPN solution such as tinc is powerful and easy to set up.

    --
    Account abandoned.
  • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @11:11AM (2 children)

    by Anonymous Coward on Wednesday June 19 2019, @11:11AM (#857394)

    No. VPN setups are technically difficult to tap into for ordinary enforcement. You cannot overload special task forces by boring daily operations on all over the landscape. Everything must be criminally transparent for any possible meaning of transparency. And let the consumer pay for that transparency, of course.

    • (Score: 2) by isostatic on Wednesday June 19 2019, @11:19AM (1 child)

      by isostatic (365) on Wednesday June 19 2019, @11:19AM (#857395) Journal

      No. VPN setups are technically difficult to tap into for ordinary enforcement.

      The UK's porn block will dramatically increase the amount of VPN traffic in the UK, it's a great thing.

      • (Score: 2) by Webweasel on Thursday June 20 2019, @09:04AM

        by Webweasel (567) on Thursday June 20 2019, @09:04AM (#857830) Homepage Journal

        It won't happen. They pushed it back again today, no reason given.

        We all know the real reasons. It won't work and it's pointless if you don't include reddit.

        --
        Priyom.org Number stations, Russian Military radio. "You are a bad, bad man. Do you have any other virtues?"-Runaway1956
  • (Score: 1, Informative) by Anonymous Coward on Wednesday June 19 2019, @12:00PM (8 children)

    by Anonymous Coward on Wednesday June 19 2019, @12:00PM (#857399)

    write a one line law

    Why write a law that already exists?
    Consumers can return any items with defects within 2 years (or 1 if you live in the US). After those 2 years, you can still return items with defects and expect free fixes/refunds under certain conditions, which I think may be met in this case.
    (I don't recall the exact conditions, but some of them: fault present during manufacturing, normal service life of the device is expected to exceed current time frame.)

    • (Score: 1, Insightful) by Anonymous Coward on Wednesday June 19 2019, @12:21PM

      by Anonymous Coward on Wednesday June 19 2019, @12:21PM (#857408)

      I think it is that these devices are relatively cheap (they talk about $20 devices in the article), so that returning them just isn't worth it.

    • (Score: 3, Interesting) by Thexalon on Wednesday June 19 2019, @01:17PM (3 children)

      by Thexalon (636) on Wednesday June 19 2019, @01:17PM (#857420)

      Consumers can return any items with defects within 2 years (or 1 if you live in the US). After those 2 years, you can still return items with defects and expect free fixes/refunds under certain conditions, which I think may be met in this case.

      Not really, in the US at least.

      That's part of the implied warranties that are part of the Universal Commercial Code, e.g. the warranty of merchantability. However, the boilerplate of any EULA you've ever accepted specifically says that those warranties do not apply to the product in question if you want it to do anything useful, which means that while in theory those rules apply, in practice they don't.

      And to add insult to injury, again in the US, once you've signed any kind of consumer contract in the last 10 years or so, you have now agreed that you will not be able to sue the company for any reason whatsoever. Instead, if there's a dispute, you are required to go through binding arbitration where the company selected the arbitrator, and you can be certain that the arbitrator was not picked for their fairness to you. And they also maxed out damages at whatever you paid them for the service, so after a lot of time and hassle and possibly legal expenses you might win your $30 back. So even if the seller broke the rules, and the rules applied because no EULA was involved, you will be completely unable to do anything useful about it.

      Don't you love late-stage capitalism?

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @02:48PM (2 children)

        by Anonymous Coward on Wednesday June 19 2019, @02:48PM (#857446)

        And to add insult to injury, again in the US, once you've signed any kind of consumer contract in the last 10 years or so, you have now agreed that you will not be able to sue the company for any reason whatsoever.

        I still wonder how such a clause can even be legal.

        • (Score: 4, Informative) by Thexalon on Wednesday June 19 2019, @03:14PM

          by Thexalon (636) on Wednesday June 19 2019, @03:14PM (#857466)

          Because SCOTUS has repeatedly said, in 5-4 decisions, that both no-class-action and binding-arbitration clauses are A-OK in all kinds of contracts, including consumer contracts and employee contracts. Those are among the most consequential Supreme Court cases you've never heard of, like Directv v. Imburgia which states that those binding arbitration clauses are valid even in states that passed laws saying they're not.

          They're consequential, of course, because they effectively make it so the companies that write those contracts no longer have to obey the civil laws of the US. You should try to avoid signing those kinds of contracts as much as you can, but it's difficult when signing those kinds of contracts is necessary to get things like Internet access or electric power to your home.

          --
          The only thing that stops a bad guy with a compiler is a good guy with a compiler.
        • (Score: 3, Insightful) by fido_dogstoyevsky on Wednesday June 19 2019, @11:48PM

          by fido_dogstoyevsky (131) <axehandleNO@SPAMgmail.com> on Wednesday June 19 2019, @11:48PM (#857669)

          ...in the US, once you've signed any kind of consumer contract in the last 10 years or so, you have now agreed that you will not be able to sue the company...

          I still wonder how such a clause can even be legal.

          It isn't, in other parts of the world, where the consumer can't waive consumer protection legislation.

          --
          It's NOT a conspiracy... it's a plot.
    • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @02:01PM

      by Anonymous Coward on Wednesday June 19 2019, @02:01PM (#857433)

      I'm not going to swear to this, but I think it's two minutes in the US. Buyer beware.

    • (Score: 2) by driverless on Thursday June 20 2019, @06:04AM (1 child)

      by driverless (4770) on Thursday June 20 2019, @06:04AM (#857784)

      Consumers can return any items with defects within 2 years (or 1 if you live in the US).

      How do you return an item to "Doorway 3, Alley #2, Yu-Shiang Whole Fish District, Shenzhen, China"?