from the internet-of-things-that-shouldn't-need-internet dept.
TechDirt: Not Even Your 'Smart' Jacuzzi Is Safe From The Internet Of Broken Things
The Internet of things — aka the tendency to bring Internet connectivity to devices whether they need them or not — has provided no shortage of both tragedy and comedy. "Smart" locks that are easy to bypass, "smart" fridges that leak your email credentials, or even "smart" barbies that spy on toddlers are all pretty much par for the course in an industry with lax privacy and security standards.
Even your traditional hot tub isn't immune from the stupidity. Hot tub vendor SmartTub thought it might be nice to control your hot tub from your phone (because walking to the tub and quickly turning a dial is clearly too much to ask).
But like so many IoT vendors more interested in the marketing potential than the reality, they allegedly implemented it without including basic levels of security standards for their website administration panel, allowing hackers to access and control hot tubs, all over the planet. And not just SmartTub brands, but numerous brands from numerous manufacturers, everywhere [. . . .]
For those who need reminders, let us not forget prior SN (horror) stories:
- IoT Pet feeders that stop feeding pets
- Peloton treadmills
- Insteon smart home lighting and other controls
- Smart male chastity devices that won't unlock, need metal grinder to remove
After prolonged service outage, Petnet shuts down, citing coronavirus:
Cloud-connected, "smart" automated pet-feeder system Petnet has had a rough spring. The service not only went offline in February, but all its customer service vanished, too, leaving users in the dark until the company apologized and pushed a patch more than a week later. The service briefly returned for some users but fell off again in March. Now, after weeks of silence, the company is blaming COVID-19 for driving it offline for good—even though its problems started weeks or months before the novel coronavirus became a significant concern.
[...] "Last week on April 14, 2020, we briefed all of our customers regarding one of our third-party connected vendor's inability to fully resource their company and stay functionally online," the message reads. "As of this writing, this situation remains unresolved but we are confident it will be overcome soon."
But due to the exceptional circumstances the COVID-19 pandemic has created, Petnet went on, many of its vendors—largely startups like itself—were "severely and negatively affected in their day to day operations." In short: the funding dried up. Due to a lack of funds, Petnet said, it "re-prioritized and reorganized [its] resources," including:
- We have furloughed 100% of our remaining staff
- We have ceased all future product development, including bug fixes
- We have turned off all non-infrastructure related expenses
- We have terminated our office lease and are working remotely
- We have applied for all available CARES stimulus funding
(2020-02-28) Petnet's Smart Pet Feeder System Back after Week-Long Outage
(2016-07-30) Cats, Dogs Go Hungry as Internet-Connected PetNet Plays Dead
Cellmate: Male chastity gadget hack could lock users in:
A security flaw in a hi-tech chastity belt for men made it possible for hackers to remotely lock all the devices in use simultaneously.
The internet-linked sheath has no manual override, so owners might have been faced with the prospect of having to use a grinder or bolt cutter to free themselves from its metal clamp.
The sex toy's app has been fixed by its Chinese developer after a team of UK security professionals flagged the bug.
This could be useful to anyone still using the old version of the app who finds themselves locked in as a result of an attacker making use of the revelation.
Any other attempt to cut through the device's plastic body poses a risk of harm.
[...] The security researchers said they discovered a way to fool the server into disclosing the registered name of each device owner, among other personal details, as well as the co-ordinates of every location from where the app had been used.
In addition, they said, they could reveal a unique code that had been assigned to each device.
These could be used to make the server ignore app requests to unlock any of the identified chastity toys, they added, leaving wearers locked in.
Also at The Verge and Gizmodo.
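The two flaws the BBC piece describes (a server that hands out every owner's name, coordinates and device code, and a lock/unlock path that acts on any code it is given) are both an authorization failure on the device endpoint: the server never checks that the account making the request is the one the device was paired to. The following is an added example and is not the Cellmate developer's code or the researchers' script; the registry layout, account and device identifiers, and function names are hypothetical. It places the handlers that trust the device code alone beside hardened ones that require the authenticated account to own the device and answer unknown and foreign codes identically.

```go
package main

import (
	"errors"
	"fmt"
)

// Device is one paired toy as the article describes it: a unique per-device
// code, the registered owner, and the last coordinates the app reported.
type Device struct {
	Code      string
	OwnerID   string
	OwnerName string
	Lat, Lon  float64
	Locked    bool
}

// Server is the cloud side. Account IDs come from the authenticated session;
// device codes are the identifiers the app sends in requests.
type Server struct {
	devices map[string]*Device
}

// ErrForbidden is returned for both unknown codes and codes registered to
// someone else, so the endpoint cannot be used to confirm which codes exist.
var ErrForbidden = errors.New("device not registered to this account")

func NewServer(devs ...*Device) *Server {
	s := &Server{devices: map[string]*Device{}}
	for _, d := range devs {
		s.devices[d.Code] = d
	}
	return s
}

// VulnerableListDevices mirrors the first flaw: any caller who reaches the
// endpoint gets every owner's name, coordinates and device code.
func (s *Server) VulnerableListDevices() []Device {
	out := []Device{}
	for _, d := range s.devices {
		out = append(out, *d)
	}
	return out
}

// VulnerableSetLock mirrors the second flaw: possession of a device code is
// treated as authorization, so a harvested code locks someone else's device.
func (s *Server) VulnerableSetLock(code string, locked bool) error {
	d, ok := s.devices[code]
	if !ok {
		return errors.New("no such device")
	}
	d.Locked = locked
	return nil
}

// ListDevices (hardened) returns only devices paired to the calling account.
func (s *Server) ListDevices(callerID string) []Device {
	out := []Device{}
	for _, d := range s.devices {
		if d.OwnerID == callerID {
			out = append(out, *d)
		}
	}
	return out
}

// SetLock (hardened) checks that the authenticated account owns the device
// before touching its state. The owner's own unlock keeps working; a third
// party holding the code gets ErrForbidden and the state is unchanged.
func (s *Server) SetLock(callerID, code string, locked bool) error {
	d, ok := s.devices[code]
	if !ok || d.OwnerID != callerID {
		return ErrForbidden
	}
	d.Locked = locked
	return nil
}

// IsLocked reports the current state (used for the demonstration below).
func (s *Server) IsLocked(code string) bool {
	d, ok := s.devices[code]
	return ok && d.Locked
}

func main() {
	// Constructed registry: two owners, two devices, placeholder coordinates.
	s := NewServer(
		&Device{Code: "DEV-0001", OwnerID: "alice", OwnerName: "Alice", Lat: 51.50, Lon: -0.12},
		&Device{Code: "DEV-0002", OwnerID: "bob", OwnerName: "Bob", Lat: 48.85, Lon: 2.35},
	)
	fmt.Println("harvested via vulnerable listing:", len(s.VulnerableListDevices()), "devices")
	fmt.Println("vulnerable lock by stranger:", s.VulnerableSetLock("DEV-0001", true), "locked:", s.IsLocked("DEV-0001"))
	fmt.Println("hardened unlock by stranger:", s.SetLock("mallory", "DEV-0001", false), "locked:", s.IsLocked("DEV-0001"))
	fmt.Println("hardened unlock by owner:", s.SetLock("alice", "DEV-0001", false), "locked:", s.IsLocked("DEV-0001"))
}
```

The single error value in the hardened path is deliberate: distinguishing "no such device" from "not yours" would turn the lock endpoint into an oracle for enumerating valid codes, which is exactly the harvesting step the researchers described.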
Peloton Outage Prevents Customers From Using $2,500 Exercise Bikes:
Peloton hasn't been having a great run lately. While business boomed during the pandemic, things have taken a sour turn of late on a bizarre host of fronts.
[...] adding insult to injury, connectivity issues this week prevented Peloton bike and treadmill owners from being able to use their $2000-$5000 luxury exercise equipment for several hours Tuesday morning. The official Peloton Twitter account tried to downplay the scope of the issues:
We are currently investigating an issue with Peloton services. This may impact your ability to take classes or access pages on the web.
We apologize for any impact this may have on your workout and appreciate your patience. Please check https://t.co/Dxcht2tQB0 for updates.
— Peloton (@onepeloton) February 22, 2022
[...] For much of Tuesday morning the pricey equipment simply wouldn't work. While the company's app still worked (for some people), Bike, Bike+, and Peloton Tread owners not only couldn't ride in live classes, they couldn't participate in recorded classes because there's no way to download a class to local storage (despite the devices being glorified Android tablets). The outage (which occurred at the same time as a major Slack outage) was ultimately resolved after several hours, but not before owners got another notable reminder that dumb tech can often be the smarter option.
Perhaps one day in the future, scientists will invent a way to make exercise machines that do not require internet access. Such a fantastic invention would be locked up behind patents.
Peloton Admits It's in Hot Water With DOJ, DHS, and SEC Over Its Treadmill Mess
Peloton treadmill owners will be able to run again without a subscription
Peloton disabled a free running feature on its treadmills, forcing owners to pay up
Peloton disabled a free feature on its $4,000 Tread+, forcing owners to pay a $39 monthly fee to use the machine
Peloton faces backlash after disabling free running feature on its $4,000 treadmills
Music Publishers Say Peloton Stole Even More Music, Ask for $300 Million
Peloton's Countersuit Against Music Publishers Over Song Copyrights Just Got Thrown Out
Shameful: Insteon looks dead—just like its users' smart homes
The app and servers are dead. The CEO scrubbed his LinkedIn page. No one is responding.
The entire company seems to have abruptly shut down just before the weekend, breaking users' cloud-dependent smart-home setups without warning. Users say the service has been down for three days now despite the company status page saying, "All Services Online." The company forums are down, and no one is replying to users on social media.
[....] Insteon is (or, more likely, "was") a smart home company that produced a variety of Internet-connected lights, thermostats, plugs, sensors, and of course, the Insteon Hub. At the core of the company was Insteon's proprietary networking protocol, which was a competitor to more popular and licensable alternatives like Z-Wave and Zigbee.
[....] With its servers down, the Insteon app appears worthless, and users' automations and schedules have stopped working. Many of Insteon's wall switches were actual electrical switches, so the worst that will ever happen is that they become dumb switches.
Every dark internet cloud has a Cat 6 lining. This isn't as bad as cloud-connected pet feeders no longer working. Or cloud-connected exercise machines not working or restricting features with new paywalls. Or Smart TVs spying on you and displaying ads during a live sporting event.
(Score: 5, Insightful) by Opportunist on Thursday June 30 2022, @09:09AM (4 children)
Why the hell would you expect a Jacuzzi maker to know the first thing about security? It's the usual problem: You have engineers that have done nothing their whole life but design a certain appliance. A TV set, a fridge, a toaster or, as in this case, a Jacuzzi. They're probably very good at this, even, because they have been doing that for years. Honing their skills, trying stuff, figuring out things that work and others that don't work so well. They have plenty of experience making really great appliances.
In comes marketing and demands that their appliance now needs to be "on the internet" because not only is it the big new thing and another tick in the feature checkbox list (and we all know, customers buy the appliance that has more checkboxes ticked, even and especially if they don't have the first clue what the four-letter-acronym next to the checkbox even means) and of course we can also use it to siphon data from the customer that we can sell. Awesome, we have to have that!
Now you have engineers who don't know jack about making something "on the internet" but have to add "internet" to their appliance. They take whatever thing they find somewhere and stick it in. It works? Great. Ship it. Security? Yeah, the Jacuzzi is safe against overflowing and you can't get hurt by the nozzles, why do you ask?
(Score: 3, Insightful) by PiMuNu on Thursday June 30 2022, @10:19AM (3 children)
Worse still - PHB brings in IoT contractors to implement internet control loop over the top of the regular control loop. The contractors then charge/blackmail $$$ for server maintenance/etc forcing jacuzzi maker into stupid decisions like dropping support for older purchases/etc.
(Score: 1) by anubi on Thursday June 30 2022, @11:27AM (2 children)
To me, "internet enabled" means another ~$30/month subscription will be required or some function will be disabled.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 5, Informative) by maxwell demon on Thursday June 30 2022, @11:49AM
To me, "internet enabled" means that I should probably not buy it.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Insightful) by Opportunist on Thursday June 30 2022, @05:32PM
"Internet enabled" essentially means "disabled without internet".
(Score: 5, Insightful) by Thexalon on Thursday June 30 2022, @11:30AM (1 child)
1. An average appliance lasts over a decade.
2. An average appliance will receive no software updates.
3. Ergo, you'll have Internet-connected devices running software 10 years out of date. Even if you had what seemed like good security when you sold the appliance (doubtful), you're utterly screwed by the time it's been in the wild for a while.
It doesn't matter what device you're talking about, that's the fate of it.
And no, you can't put in an auto-update mechanism, because if you do there's a good chance that bad guys will hijack it to install their favorite backdoor. Especially if FlyByNight Inc goes out of business and lets the domain name lapse.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
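The lapsed-domain scenario in the comment above is the case an update client has to be designed around: the download host is untrusted, so the firmware must be authenticated by something a squatter cannot obtain. As an added example (not any vendor's update code; the manifest format, key handling and version numbers are assumptions made for illustration), here is a client that verifies an Ed25519 signature over a release manifest using a vendor key pinned at manufacture, checks the image digest against that manifest, and refuses anything not newer than what is installed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
)

// Manifest is what the vendor signs: the release version and the SHA-256 of
// the image. The signature covers these bytes, never the download URL.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// Bytes is the canonical encoding that is signed (an assumed, simple format).
func (m Manifest) Bytes() []byte {
	return []byte("v=" + strconv.FormatUint(uint64(m.Version), 10) +
		";sha256=" + hex.EncodeToString(m.Digest[:]))
}

// Update is what the appliance downloads from wherever updates are served.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// Appliance: the vendor key pinned in the factory image, plus installed version.
type Appliance struct {
	VendorKey ed25519.PublicKey
	Version   uint32
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned vendor key")
	ErrDigest       = errors.New("image digest does not match signed manifest")
	ErrRollback     = errors.New("version is not newer than the installed one")
)

// Verify is the whole trust decision. Whoever now controls the download
// domain controls every byte the device receives but not the vendor's private
// key, so the first check fails for anything they author themselves.
func (d *Appliance) Verify(u Update) error {
	if !ed25519.Verify(d.VendorKey, u.Manifest.Bytes(), u.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(u.Image) != u.Manifest.Digest {
		return ErrDigest
	}
	if u.Manifest.Version <= d.Version {
		return ErrRollback // a genuine but older release is still refused
	}
	return nil
}

// Install applies an update only after Verify accepts it.
func (d *Appliance) Install(u Update) error {
	if err := d.Verify(u); err != nil {
		return err
	}
	d.Version = u.Manifest.Version
	return nil
}

// NewKeyPair stands in for key generation in the vendor's release pipeline.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the vendor-side build step: hash the image, sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Image: image}
}

func main() {
	vendorPub, vendorPriv := NewKeyPair()
	dev := &Appliance{VendorKey: vendorPub, Version: 3}
	good := SignUpdate(vendorPriv, 4, []byte("firmware v4 (constructed)"))
	fmt.Println("genuine v4:", dev.Install(good), "-> installed", dev.Version)
	tampered := SignUpdate(vendorPriv, 5, []byte("firmware v5 (constructed)"))
	tampered.Image = []byte("firmware v5 plus backdoor") // swapped on the download host
	fmt.Println("tampered image:", dev.Verify(tampered))
	_, squatterPriv := NewKeyPair()
	forged := SignUpdate(squatterPriv, 5, []byte("squatter build"))
	fmt.Println("signed with wrong key:", dev.Verify(forged))
	old := SignUpdate(vendorPriv, 2, []byte("firmware v2 (constructed)"))
	fmt.Println("replayed old release:", dev.Verify(old))
}
```

The rollback check matters as much as the signature: a squatter can also serve a genuine, vendor-signed but old and vulnerable image, and only the version comparison stops that. None of this helps once the vendor's private key itself leaks or the vendor signs a backdoor, which is the residual risk the comment's second point is about.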
(Score: 2) by drussell on Thursday June 30 2022, @02:34PM
... or you have an auto-update mechanism in which your factory update ends up bricking people's existing, working appliances, like making your microwave think it's a steam oven with a bungled update, forcing technician visits to re-flash or swap out boards.
(Score: 2) by DannyB on Thursday June 30 2022, @02:06PM (4 children)
Wait until we have insecure IoT for . . .
* Traffic signals
* Railroad crossings
* Power generation plants
* Industrial processes involving dangerous substances
* Medical equipment that uses radiation
* Everything in the US Military top to bottom
Congress will believe they can fix this with some legislation that does exactly the opposite of what it is supposed to do. IoT devices must be required to be updated by the manufacturer. Thus it is required that all IoT devices have a remote update capability to run Telnet on a non-standard port so that nobody can find it. There should be a note in the packaged product with the login credentials so that the end user knows NOT to use them!
The thing about landline phones is that they never get lost. No air tag necessary.
(Score: 2) by Spamalope on Thursday June 30 2022, @03:34PM
Not to mention the for your NSAfety back-door.
(Score: 2) by Mojibake Tengu on Thursday June 30 2022, @03:49PM
You already have all of that on Internets.
The edge of 太玄 cannot be defined, for it is beyond every aspect of design
(Score: 3, Interesting) by PiMuNu on Friday July 01 2022, @01:20PM
> * Medical equipment that uses radiation
There was a rumour circulating that up until 20 years ago or so, the CERN accelerator complex control system all had a single username and password.
While not *the* brightest radiation source in the world, LHC is probably pretty high up the list.
ps: https://home.cern/news/news/accelerators/autopsy-lhc-beam-dump [home.cern]
(Score: 3, Interesting) by kazzie on Friday July 01 2022, @07:32PM
Most of what you list are more likely to be operated by proper Programmable Logic Controllers rather than fly-by-night IoT microcontroller lashups. Some of which may already be part of large-scale SCADA networks.
Having said that, the drift to more internetworking and the use of Ethernet-based protocols rather than bespoke serial stuff like Profibus, Modbus etc. does mean that there's a fresh attack surface opening up there.
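To make the "fresh attack surface" concrete: a Modbus/TCP request (the Ethernet carriage of the Modbus PDU the comment mentions) is a 7-byte header plus a function code and operands, with nothing in it that identifies or authenticates the operator. The following is an added example, not from any product or from the comment's author; the frame builder, the allowlist of engineering hosts and the sample traffic (addresses included) are constructed. It decodes frames, classifies write function codes, and raises an alert when a write arrives from a host that is not on the allowlist, which is the only thing a passive monitor can key on here.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ADU is a decoded Modbus/TCP request: 7-byte MBAP header, then the PDU.
type ADU struct {
	TransactionID, ProtocolID, Length uint16 // Length counts unit id + PDU
	UnitID, Function                  uint8
	Data                              []byte
}

var (
	ErrShort  = errors.New("frame too short")
	ErrProto  = errors.New("protocol id is not 0")
	ErrLength = errors.New("MBAP length disagrees with frame size")
)

// Decode parses one request frame and checks the header is self-consistent.
func Decode(b []byte) (ADU, error) {
	if len(b) < 8 {
		return ADU{}, ErrShort
	}
	a := ADU{
		TransactionID: binary.BigEndian.Uint16(b[0:2]),
		ProtocolID:    binary.BigEndian.Uint16(b[2:4]),
		Length:        binary.BigEndian.Uint16(b[4:6]),
		UnitID:        b[6], Function: b[7], Data: b[8:],
	}
	if a.ProtocolID != 0 {
		return ADU{}, ErrProto
	}
	if int(a.Length) != len(b)-6 {
		return ADU{}, ErrLength
	}
	return a, nil
}

// IsWrite reports whether the function code changes coils or registers.
func (a ADU) IsWrite() bool {
	switch a.Function {
	case 0x05, 0x06, 0x0F, 0x10, 0x16, 0x17:
		return true
	}
	return false
}

// Frame is a captured request together with the host that sent it.
type Frame struct{ Src string; Raw []byte }

// Inspect applies one rule: write functions are expected only from the
// engineering hosts in allowedWriters. Nothing inside the frame identifies
// the operator, so the source address is the only thing to key on.
func Inspect(frames []Frame, allowedWriters map[string]bool) []string {
	var alerts []string
	for _, f := range frames {
		a, err := Decode(f.Raw)
		if err != nil {
			alerts = append(alerts, f.Src+": malformed: "+err.Error())
			continue
		}
		if a.IsWrite() && !allowedWriters[f.Src] {
			alerts = append(alerts, fmt.Sprintf("%s: write function 0x%02X from non-engineering host", f.Src, a.Function))
		}
	}
	return alerts
}

// Request builds a well-formed frame for the two-word PDUs used here
// (0x03 read holding registers: start, count; 0x06 write single register:
// address, value). Only used to construct the sample traffic.
func Request(tid uint16, unit, fn uint8, w1, w2 uint16) []byte {
	b := make([]byte, 12)
	binary.BigEndian.PutUint16(b[0:2], tid)
	binary.BigEndian.PutUint16(b[2:4], 0) // protocol id
	binary.BigEndian.PutUint16(b[4:6], 6) // unit(1) + fn(1) + w1(2) + w2(2)
	b[6], b[7] = unit, fn
	binary.BigEndian.PutUint16(b[8:10], w1)
	binary.BigEndian.PutUint16(b[10:12], w2)
	return b
}

// SampleTraffic is constructed, not captured; the addresses are placeholders.
func SampleTraffic() []Frame {
	return []Frame{
		{"10.0.1.10", Request(1, 1, 0x03, 0x0000, 10)},   // HMI polling: a read
		{"10.0.1.20", Request(2, 1, 0x06, 0x0010, 1500)}, // engineering workstation: allowed write
		{"10.0.5.77", Request(3, 1, 0x06, 0x0010, 9999)}, // unknown host changing a setpoint
		{"10.0.5.77", []byte{0, 4, 0, 0, 0}},             // truncated frame
	}
}

func main() {
	for _, al := range Inspect(SampleTraffic(), map[string]bool{"10.0.1.20": true}) {
		fmt.Println(al)
	}
}
```

Because the source address is the entire basis for the decision, the rule is only as good as the network segmentation around it: a spoofed or compromised engineering host passes unnoticed, which is why this kind of monitoring complements, rather than replaces, keeping the PLC network off anything routable.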
(Score: 0) by Anonymous Coward on Friday July 01 2022, @07:19PM
Let's also not forget the large number of surveillance cameras that are... wide open. No security. See whatever you want.