date 2019-06-19
from the seems-ok-to-me dept.
Consumers Urged to Junk Insecure IoT Devices
A security researcher who disclosed flaws impacting 2 million IoT devices in April – and has yet to see a patch or even hear back from the manufacturers contacted – is sounding off on the dire state of IoT security.
More than 2 million connected security cameras, baby monitors and other IoT devices have serious vulnerabilities that have been publicly disclosed for more than two months – yet they are still without a patch or even any vendor response.
Security researcher Paul Marrapese, who disclosed the flaws in April and has yet to hear back from any impacted vendors, is urging consumers to throw the devices away. The flaws could enable an attacker to hijack the devices and spy on their owners – or further pivot into the network and carry out more malicious actions.
“I 100 percent suggest that people throw them out,” he told Threatpost in a podcast interview. “I really, I don’t think that there’s going to be any patch for this. The issues are very, very hard to fix, in part because, once a device is shipped with a serial number, you can’t really change that, you can’t really patch that, it’s a physical issue.”
Marrapese said that he sent an initial advisory to device vendors in January, and after coordinating with CERT eventually disclosed the flaws in April due to their severity. However, even in the months after disclosure he has yet to receive any responses from any impacted vendors despite multiple attempts at contact. The incident points to a dire outlook when it comes to security, vendor responsibility, and the IoT market in general, he told Threatpost.
b-b-b-b-but it is still working!
(Score: 2) by MostCynical on Wednesday June 19, @10:54AM
Even when these things have already been shown to reveal information, real-time video feeds and more to other people, they are still being bought...
"It won't happen to me"
or
"they must have done something wrong"
or
"they must have been dumb. I'm not dumb, so it won't happen to me"
Is it a good thing these won't lead to Darwin awards?
(Score: 0) by Anonymous Coward on Wednesday June 19, @10:57AM
Well, how could we regulate the cyberspace by law?
(Score: 2) by Bot on Wednesday June 19, @11:03AM (2 children)
Working as intended.
Why should the consumer pay for defective items? Write a one-line law that allows the consumer to return a FAULTY item when the fault emerges, no matter the warranty. But ofc for all the spouting of principles no politician of whatever area is going to go against his masters this way.
In the meantime, any IoT device put on the public network is not good practice. A VPN solution such as tinc is powerful and easy to set up.
(Score: 0) by Anonymous Coward on Wednesday June 19, @11:11AM (1 child)
No. VPN setups are technically difficult to tap into for ordinary enforcement. You cannot overload special task forces with boring daily operations all over the landscape. Everything must be criminally transparent for any possible meaning of transparency. And let the consumer pay for that transparency, of course.
(Score: 2) by isostatic on Wednesday June 19, @11:19AM
> No. VPN setups are technically difficult to tap into for ordinary enforcement.
The UK's porn block will dramatically increase the amount of VPN traffic in the UK, it's a great thing.