TechDirt: Not Even Your 'Smart' Jacuzzi Is Safe From The Internet Of Broken Things
The Internet of things — aka the tendency to bring Internet connectivity to devices whether they need them or not — has provided no shortage of both tragedy and comedy. "Smart" locks that are easy to bypass, "smart" fridges that leak your email credentials, or even "smart" Barbies that spy on toddlers are all pretty much par for the course in an industry with lax privacy and security standards.
Even your traditional hot tub isn't immune from the stupidity. Hot tub vendor SmartTub thought it might be nice to control your hot tub from your phone (because walking to the tub and quickly turning a dial is clearly too much to ask).
But like so many IoT vendors more interested in the marketing potential than the reality, they allegedly implemented it without including basic levels of security standards for their website administration panel, allowing hackers to access and control hot tubs, all over the planet. And not just SmartTub brands, but numerous brands from numerous manufacturers, everywhere [. . . .]
For those who need reminders, let us not forget prior SN (horror) stories:
(Score: 2) by DannyB on Thursday June 30 2022, @02:06PM (4 children)
Wait until we have insecure IoT for . . .
* Traffic signals
* Railroad crossings
* Power generation plants
* Industrial processes involving dangerous substances
* Medical equipment that uses radiation
* Everything in the US Military top to bottom
Congress will believe they can fix this with some legislation that does exactly the opposite of what it is supposed to do. IoT devices must be required to be updated by the manufacturer. Thus it is required that all IoT devices have a remote update capability to run Telnet on a non-standard port so that nobody can find it. There should be a note in the packaged product with the login credentials so that the end user knows NOT to use them!
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by Spamalope on Thursday June 30 2022, @03:34PM
Not to mention the "for your NSAfety" back-door.
(Score: 2) by Mojibake Tengu on Thursday June 30 2022, @03:49PM
You already have all of that on Internets.
Respect Authorities. Know your social status. Woke responsibly.
(Score: 3, Interesting) by PiMuNu on Friday July 01 2022, @01:20PM
> * Medical equipment that uses radiation
There was a rumour circulating that up until 20 years ago or so, the CERN accelerator complex control system all had a single username and password.
While not *the* brightest radiation source in the world, LHC is probably pretty high up the list.
ps: https://home.cern/news/news/accelerators/autopsy-lhc-beam-dump [home.cern]
(Score: 3, Interesting) by kazzie on Friday July 01 2022, @07:32PM
Most of what you list are more likely to be operated by proper Programmable Logic Controllers rather than fly-by-night IoT microcontroller lashups, some of which may already be part of large-scale SCADA networks.
Having said that, the drift to more internetworking and the use of Ethernet-based protocols rather than bespoke serial stuff like Profibus, Modbus etc. does mean that there's a fresh attack surface opening up there.
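The point about Modbus moving onto Ethernet is worth making concrete. Modbus/TCP carries the same function codes as the old serial variant inside a seven-byte MBAP header (transaction id, protocol id, length, unit id) with no authentication field at all, so once a PLC is reachable over IP the only thing standing between a remote host and a register write is network reachability. A common defensive response is to segment the control network and monitor it for write-class function codes (5, 6, 15, 16) coming from hosts other than the known HMI or engineering workstation. The script below is an added example written for this editorial pass; it is not part of the thread or of any commenter's post. The frame layout follows the published Modbus/TCP specification; the IP addresses, the allowlist and the captured frames are all constructed for the demonstration.

```python
"""Decode constructed Modbus/TCP frames and flag writes from unexpected hosts.

Added example: the frame bytes, source addresses and allowlist below are
constructed sample data, not captures from any real network.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Public Modbus function codes (from the Modbus application protocol spec).
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
# Function codes that change process state on the PLC.
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    src_ip: str
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]        # starting coil/register address, if present
    value_or_count: Optional[int]  # quantity for reads, value for single writes


def parse_modbus_tcp(src_ip: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus (expected 0)")
    # The length field counts every byte after itself: unit id + PDU.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    function_code = frame[7]
    data = frame[8:]
    address = value_or_count = None
    # Every read and single-write PDU starts with a 16-bit address and a
    # 16-bit quantity/value; multi-writes start the same way.
    if function_code in FUNCTION_NAMES and len(data) >= 4:
        address, value_or_count = struct.unpack(">HH", data[:4])
    return ModbusRequest(src_ip, tid, unit_id, function_code, address, value_or_count)


def flag_writes(frames: Iterable[Tuple[str, bytes]], allowed_writers: Set[str]) -> List[str]:
    """Return one alert string per write from a non-allowlisted host or malformed frame."""
    alerts: List[str] = []
    for src_ip, frame in frames:
        try:
            req = parse_modbus_tcp(src_ip, frame)
        except ValueError as exc:
            alerts.append(f"{src_ip}: malformed frame ({exc})")
            continue
        if req.function_code in WRITE_FUNCTIONS and src_ip not in allowed_writers:
            name = FUNCTION_NAMES.get(req.function_code, "unknown")
            alerts.append(
                f"{src_ip}: {name} (fc {req.function_code}) to unit {req.unit_id} "
                f"address {req.address} value {req.value_or_count}"
            )
    return alerts


def build_request(tid: int, unit_id: int, fc: int, address: int, value: int) -> bytes:
    """Assemble a well-formed request; length is unit id + fc + 4 data bytes = 6."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit_id, fc, address, value)


# Constructed sample traffic: the HMI at 10.0.0.5 is the only host allowed to write.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLE_FRAMES = [
    ("10.0.0.5", build_request(1, 1, 3, 0, 10)),        # HMI polls 10 holding registers
    ("10.0.0.5", build_request(2, 1, 6, 0x10, 0xFF)),   # HMI writes a setpoint: allowed
    ("192.168.1.77", build_request(3, 1, 5, 1, 0xFF00)),  # unknown host forces a coil ON
    ("192.168.1.77", struct.pack(">HHHBBHH", 4, 7, 6, 1, 3, 0, 1)),  # bogus protocol id
]


def analyse_sample() -> List[str]:
    return flag_writes(SAMPLE_FRAMES, ALLOWED_WRITERS)


if __name__ == "__main__":
    for line in analyse_sample():
        print(line)
```

The detector deliberately treats a malformed frame as worth an alert too: on a segmented control network the legitimate talkers are few and predictable, so anything that does not parse cleanly is itself a signal. Extending it to a live sensor means feeding it TCP payloads on port 502 rather than the constructed list, and maintaining the allowlist from the site's asset inventory.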