posted by Fnord666 on Wednesday June 19 2019, @10:28AM
from the seems-ok-to-me dept.

Submitted via IRC for Bytram

Consumers Urged to Junk Insecure IoT Devices

A security researcher who disclosed flaws impacting 2 million IoT devices in April – and has yet to see a patch or even hear back from the manufacturers contacted – is sounding off on the dire state of IoT security.

More than 2 million connected security cameras, baby monitors and other IoT devices have serious vulnerabilities that have been publicly disclosed for more than two months – yet they are still without a patch or even any vendor response.

Security researcher Paul Marrapese, who disclosed the flaws in April and has yet to hear back from any impacted vendors, is sounding off that consumers should throw the devices away. The flaws could enable an attacker to hijack the devices and spy on their owners – or further pivot into the network and carry out more malicious actions.

“I 100 percent suggest that people throw them out,” he told Threatpost in a podcast interview. “I really, I don’t think that there’s going to be any patch for this. The issues are very, very hard to fix, in part because, once a device is shipped with a serial number, you can’t really change that, you can’t really patch that, it’s a physical issue.”

Marrapese said that he sent an initial advisory to device vendors in January, and after coordinating with CERT eventually disclosed the flaws in April due to their severity. However, even in the months after disclosure he has yet to receive any responses from any impacted vendors despite multiple attempts at contact. The incident points to a dire outlook when it comes to security, vendor responsibility, and the IoT market in general, he told Threatpost.

b-b-b-b-but it is still working!


  • (Score: 2) by SomeGuy on Wednesday June 19 2019, @12:17PM (14 children)

    by SomeGuy (5632) on Wednesday June 19 2019, @12:17PM (#857406)

    A better question is what should consumertards do after they junk these IoT gadgets. They will refuse to go back to non-IoT devices "because old", and new IoT shit will just have the exact same problem.

    Of course, manufacturers WANT people to wastefully throw out their old stuff and buy all new stuff, but they want it to be done on their schedule.

  • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @01:17PM (12 children)

    by Anonymous Coward on Wednesday June 19 2019, @01:17PM (#857421)

    I'm probably not your typical consumer. I would really like some new high-quality dumb appliances. Could you point me at a quality (at least on par with Samsung) 75 inch 4K dumb TV with at least 4 HDMI inputs and a North American OTA TV tuner built in?

    Once I find that we can talk about the fridge, stove, microwave, toaster, light bulbs, clock, radio, and garage door opener.

    But you will have to pry my privacy violating always-on front door video monitor from my cold dead hands.

    • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @01:36PM

      by Anonymous Coward on Wednesday June 19 2019, @01:36PM (#857424)

      You should build those devices yourself from scratch, and write the software too, if you wish to trust them in the full spectrum of the meaning of trust.

    • (Score: 1, Insightful) by Anonymous Coward on Wednesday June 19 2019, @02:51PM (8 children)

      by Anonymous Coward on Wednesday June 19 2019, @02:51PM (#857448)

      You get a dumb TV by taking a smart TV and not allowing it to connect to the internet.

      • (Score: 1, Interesting) by Anonymous Coward on Wednesday June 19 2019, @03:03PM (6 children)

        by Anonymous Coward on Wednesday June 19 2019, @03:03PM (#857456)

        You may not get that choice if they start coming with SIM modules that let them connect to wireless data networks.

        • (Score: 2) by RS3 on Wednesday June 19 2019, @07:37PM (5 children)

          by RS3 (6367) on Wednesday June 19 2019, @07:37PM (#857578)

          Just like cars.

          If anything, including cars, tries that on me, I'll find and disable it.

          But who's paying for the cell network data (air time)?

          • (Score: 0) by Anonymous Coward on Wednesday June 19 2019, @07:56PM (4 children)

            by Anonymous Coward on Wednesday June 19 2019, @07:56PM (#857585)

            But who's paying for the cell network data (air time)?

            The marketers of your data, of course. And no, it is not going to cost them $30 for unlimited data per person, per device, per month. They'll get volume pricing for something like $20 million for unlimited data, unlimited people, unlimited devices, per five years.

            • (Score: 2) by RS3 on Wednesday June 19 2019, @08:52PM (2 children)

              by RS3 (6367) on Wednesday June 19 2019, @08:52PM (#857599)

              And the fact is, the data they need to move would be in the low-ks of bytes, so it would phone in maybe once a day and take seconds to transfer the data.

              Again, find that module.

              • (Score: 0) by Anonymous Coward on Thursday June 20 2019, @01:05AM (1 child)

                by Anonymous Coward on Thursday June 20 2019, @01:05AM (#857693)

                Some car companies apparently let the owner obtain a hotspot, so thrifty use of bandwidth is probably not a necessity.

                The modules are getting quite small; if I'm not mistaken, they just have to be a blob on the circuit board, with an antenna possibly included. I'd be real interested in how to continue defeating data exfiltration.

                • (Score: 2) by RS3 on Thursday June 20 2019, @04:52AM

                  by RS3 (6367) on Thursday June 20 2019, @04:52AM (#857768)

                  Yes, I know several people who have cars with hotspots, including a Chevy Bolt.

                  Well, I have an automotive tracker module in my hand. It's made by Enfora. It plugs into the OBD-II connector in the car. It's about 5 cm x 5 cm x 2 cm. It's mostly empty space. There are 2 circuit boards with active circuits, including a SIM socket. 2 circuit boards are printed antennas. It has GPS and GSM cell network and possibly bluetooth or some other local communications, and also a micro-USB port.

                  Many (most?) cell phones are using ceramic antennas, which are quite tiny. https://www.johansontechnology.com/antennas

                  The point being the cell communication electronics can be quite small. So to find them in a car you might search the web for info from others who figured it out. Or someone would need an RF field detector with a small directional antenna. The RF won't be on all the time, but possibly when ignition is switched ON, or OFF.

                  I have a pair of wireless 900MHz headphones through which you can hear sounds from both cell phones and WiFi, so it might be good enough to locate the little bug. The antenna might have an accident at that point.

                  All that said, I worked on a friend's 2007 Mercedes recently and under the rear seat we found fairly large electronics modules with antenna cables going to antennas in the rear window. So in some cases the bugger (literally) might be easy to find and disable.

                  I bet someone sells RF transmitter locators.

            • (Score: 3, Interesting) by fido_dogstoyevsky on Wednesday June 19 2019, @11:51PM

              by fido_dogstoyevsky (131) <axehandleNO@SPAMgmail.com> on Wednesday June 19 2019, @11:51PM (#857670)

              But who's paying for the cell network data (air time)?

              The marketers of your data, of course...

              Which is a euphemism for "You, of course".

              --
              It's NOT a conspiracy... it's a plot.
      • (Score: 2) by Mykl on Thursday June 20 2019, @07:43AM

        by Mykl (1112) on Thursday June 20 2019, @07:43AM (#857824)

        Better yet, enclose your TV in a Faraday cage!

    • (Score: 2) by legont on Wednesday June 19 2019, @04:09PM (1 child)

      by legont (4179) on Wednesday June 19 2019, @04:09PM (#857490)

      I am way less ambitious. I just want a dumb car. Any mid-range late last century will do.

      --
      "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
      • (Score: 2) by Dr Spin on Thursday June 20 2019, @06:49AM

        by Dr Spin (5239) on Thursday June 20 2019, @06:49AM (#857797)

        I just want a dumb car. Any mid-range late last century will do.

        So do I.

        But here in the UK, they are working hard on banning older cars completely.
        Currently, cars prior to Euro6 (2015) are effectively banned from central London,
        with plans to extend this to most of London in 2021. I believe other cities will
        be drawn into the net because it is supposedly about pollution.

        Unfortunately, while we know Euro6 engines are lower pollution in a Lab
        there is no scientific data whatever that they are better on the road.
        (Note that we are also told that electric cars produce less pollution - although
        most of the bad pollution these days is particulates - which are produced by the tyres and
        brakes - and, since electric cars are much heavier, they will produce a lot more
        of these particulates).

        And we are told that Diesels are bad because of NO2 - but older diesel engines did not
        produce NO2 - it is only the more recent ones that run the engine extremely hot.
        Euro6 engines use urea injection to neutralise the NO2 - but who knows if they use
        the right amount of urea on the road? You cannot measure how much is required,
        since it depends on the amount of gas and temperature in the combustion chamber,
        which is too hot for sensors to measure - so the microprocessor has to guess.
        And, guess what, reports of asthma and other breathing problems have increased
        enormously since Euro6 engines were introduced, although NO2 has gone down.

        We have also seen car theft go up 50% because of keyless "locks" - which are
        completely useless as security devices (unlike a mechanical key which is known
        to work perfectly well, and cost less than 1/10 the price to replace).

        I don't dispute that older diesel engines produce particulates - but they did not
        have DPFs.

        [Petrol engines produce masses of NO2, but allegedly the catalytic converters
        are effective at removing it. Again, not much field data on petrol cars in real life
        situations, either].

        --
        Warning: Opening your mouth may invalidate your brain!
  • (Score: 2) by HiThere on Wednesday June 19 2019, @04:35PM

    by HiThere (866) on Wednesday June 19 2019, @04:35PM (#857498)

    Don't junk them, return them to the seller as "defective" and "unfit for purpose". And don't buy an IoT replacement.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.