Of course smart homes are targets for hackers (mjg59.dreamwidth.org)
97 points by janvdberg on Oct 28, 2016 | 79 comments



One threat model I think is being missed here: the fact that scanners and geolocation services both exist makes the job of burglars much simpler in an insecure IOT world.

Basically they go to their friendly shodan-alike and get a list of IPs running IOT cameras (etc). Then they pipe that list through a geolocation service and grep for their target region. Then they just monitor for good targets, and when they are unoccupied.

Much like the big hubbub when people pointed out that mentioning vacations on an open facebook feed was burglar bait.

Both take away a lot of effort for reconning homes, so they are probably being used to narrow the search for good potential targets.


This isn't the threat it is made out to be. Most homes are empty every day when people are at work. It isn't really necessary to perform advanced analysis to find an empty home.


Most homes, but not all homes, especially with home offices being an actual thing that's becoming more popular. I doubt many burglars want the risk of running into somebody during their "heist", so they will stake out possible targets. Staking out a target used to be time-consuming and a bit risky, because the burglar needed to be on location for quite some time to conduct surveillance themselves, in person. Now they can stake out multiple targets at the same time, from anywhere they want, with all the anonymity the Internets allow for.


While the addition of anonymity would certainly be appreciated by would-be burglars you seem to be leaving out a small detail. It is trivially easy for a burglar to determine if someone is home. They can just walk up to the front door, knock and see if anyone answers.

If someone is there ask for a glass of water, ask if they have accepted Jesus, ask if Steve lives there or whatever other BS excuse they have ready before simply moving on to another prospect. If no one comes to the door then the home is very likely empty and they can proceed.

This has the added benefit for the burglar that anyone seeing them enter the property will assume they have good reason to be there. After all they marched straight up to the front door and rang the doorbell which is what non-thieves do so it's less suspicious if they then go around the side of the house when no one answers.


In some ways, this is just another class of "Thieves are following you on Twitter so don't let anyone know if you're going on a trip." Sure, for some high profile individuals, keeping your movements secret may make sense. But for most people this is sufficiently far down on the list of threats that it probably doesn't matter.


I think you way overestimate how clever or diligent criminals are. If you have the skills and persistence to pull something like this off there are almost certainly more profitable (and quite possibly legal) avenues of work available to you than breaking and entering.


Not necessarily - research shows that burglars enter a flow state when robbing a house, meaning that they have expertise and routines familiar enough to get pushed to subconscious processing.

Skills and persistence get used for many things, from English PhDs, triathlons to code.

http://www.bbc.com/future/story/20150618-the-strange-experti...


This is also something visible to white hats: a "good guy" could easily warn people who are a vulnerability to the wider health of the internet.

Of course there's zero money in this, so I guess capitalists are up the river.


This article, like many security articles, shows an unwillingness to reason about security in a non-extreme manner. All aspects of life include risk, internet or IoT security are just one axis of risk that must be weighed when making decisions and, well, living. I find The Wirecutter's advice to be perfectly sound and reasonable.


Most people aren't sufficiently informed to be able to make those decisions in a reasonable way, and having the Wirecutter provide this kind of advice without explaining that there are cases where some people do need to be more paranoid is harming those people. Telling people that everything will be fine when we know that for some people there's a much higher probability that it won't be shouldn't be acceptable.


>>Most people aren't sufficiently informed to be able to make those decisions in a reasonable way

Exactly. The vast majority of people aren't aware that their "smart thermostat" can be hacked and used to perform a denial of service attack on websites.


I'd wager that the vast majority of people also do not care in the slightest about that. The manufacturer is at fault for that, not the person who bought the device. Unless people themselves get any drawback, why should they care?


Well, it's like how people used to not care about leaving their wifi access points unprotected back in the day. It took several years of news stories of neighbors downloading child porn through those WAPs (and things like that) before people became aware of the risks and password protection became standard practice.


You lost it the minute you came to the conclusion that you need or may need an IoT device in your home.

Please do not get me wrong. I am a big fan of smart homes and there is a long history in this market, but sorry, what happens in my home must stay in my home and not leak out to some remote server.

An IoT device in our home is perhaps not a huge security risk for an individual, but it is an even larger risk for the society as a whole.


Yes, I agree, which is why I don't use the Internet or computers in my home (??).


It is likely that you will never be in a car crash with your current car. It is likely that the money you spent on crumple zones, airbags, and seat belts was entirely wasted.

But if we conclude from that that we should remove these things from cars, we would be wrong, because we have to reason at scale about these things. At scale, the extreme events happen with some frequency.

It should also be pointed out that we are now living in a world where we are not hypothesizing that someday IoT devices may have serious insecurities that lead to real problems for people, but one where we know it is true because it happens. When the Internet basically went down on the east coast and some other places last week, plenty of people who were affected by that were also the ones who owned the devices that caused it. At scale, they made a decision to buy something that ended up taking the Internet out for themselves and others. It does no good to reason that each of them only took a small risk individually when what affects us all is the collective risk of those actions.

Just like in the automotive case, where we must consider the effects of various safety interventions on society as a whole and at scale, we must consider the effects of this security on society as a whole and at scale. Unlike the automotive case, computers have extra concerns about their ability to interact in ways that physical devices can not. And at that scale and with those concerns, no, there's nothing unreasonable about this analysis, especially in the face of the existing Mirai botnet. It's not just the visual-imagination compelling stories like burglars breaking into your house because they saw you weren't home from your camera (and then, presumably, remotely shut it off); it's all the possibilities.

You shouldn't buy a device that is open to the internet with a default root password that can't be changed and has no firmware update mechanism even available. It's not hard to take the Kantian imperative and actually show that to be unethical of you. (While the Kantian imperative is philosophically controversial, I think this is one of those cases where it applies pretty well.)


Can someone fill me in on this IOT hacking phenomenon. Surely the vast majority of devices sit behind a NATted router with a firewall on consumer premises, they don't have dedicated IPv4 addresses and don't touch the internet unless they are requested to (or already have a bad binary on install). How is this hacking happening?


Also consider the hubs. To take a well known example, Philips Hue lightbulbs don't connect to the net directly and don't have any significant computational resources to speak of. They are just an 8-bit Atmel microprocessor with a Zigbee radio to talk to the hub ( https://blog.adafruit.com/2016/06/14/teardown-of-a-philips-h... ).

On the other hand, the Hue hub is running a full embedded Linux distro (which has even been rooted, though it requires physical access http://colinoflynn.com/2016/07/getting-root-on-philips-hue-b... ). A lot of the "real" smart home gadgets are using this model and they will gleefully punch a hole in your firewall, so it comes down to the security of the hub(s).

From what I know, Mirai is mostly hitting stuff that isn't what I think of as IoT - stuff like routers, security cameras and DVRs. Seems like it's being misrepresented, though that's not to say that an attack on something more in line with what I think of as IoT/smart home isn't possible. I have no doubt that tons of refrigerators with Wifi and connected coffee makers are vulnerable. Part of me wonders if Mirai was meant as a grey hat warning since it's just showing what's possible only picking on low hanging fruit ("Mirai" means "future" in Japanese).


>Part of me wonders if Mirai was meant as a grey hat warning since it's just showing what's possible only picking on low hanging fruit.

I would wager that is correct. I certainly took it that way, especially after the source code dump. [0] That seemed to be almost out of frustration.

[0] https://github.com/jgamblin/Mirai-Source-Code


Generally the devices poke holes in the firewall with UPnP. There are also other vectors (ZeroConf, STUN, CWMP).

The problem is that, once past the firewall, many of these devices have weak to no security, e.g. open telnet daemons, root:root default user/password, and other trivial vulnerabilities.


The real confusing part is why this didn't happen earlier.

Or, more likely, it did happen earlier but the attackers weren't properly weaponizing or "botkilling" / patching the devices?


There were some worms spreading through IoT devices, lots of foreshadowing. The Hajime and Mirai worms, combined with the utter lack of response, were a pretty good indication some shit was about to go down.

I've been Cassandra yelling into the wind on this one for a while, so there is some schadenfreude involved for me.


A long, long time ago - before JohnCompanies and rsync.net and Oh By - I was a windows sysadmin.

One thing I noticed was, for the most part, the intelligence of a user was inversely correlated to how much shit they had running in their windows system tray.

The smarter you were, the fewer little blinking mini-icons you had down in the lower-right corner of the desktop. You didn't need those gimmicks and you understood the value of simplicity in a running system.

I wonder how smart homes and smart people correlate?


Perhaps I can be one data point for you. I install & service EMS systems (automated controls) for big box retail stores. This does not necessarily make me smart, just knowledgeable of what can be done w/out a new SaaS mining my life. My home automation? A programmable Tstat (with adaptive controls disabled) & a couple photovoltaic night lights. Anything more for <10,000 sq ft is just trivial, IMO. Perhaps that just makes me lazy. What consumer level automation offers is sub-par potential designed to foster reliance on a SaaS provider, and most often making me & my life the product for sale is their best working achievement. No thanks.


I always get annoyed at how many things want a system tray icon now. There's no reason for my mouse to need a piece of software that lives in the system tray. There's no reason for my IM client to live in the system tray. There's no reason for my video card driver to have an updater service that lives in the system tray. It's ridiculous. Of the 12 things in my system tray, I've only ever clicked on three of them. It's infuriating.


"It's infuriating."

I sure hope you don't own an HP printer...

Get into Services and set unessentials to manual, bloatware to disabled (if cannot uninstall & keep functionality or driver). Some searching [0] around will show more than a few MS services can be disabled without anything of value lost.

edit: blackviper's still up and running. wow. :

[0] http://www.blackviper.com/sitemap/


My favorite piece of HP software was some printer "accessory" that would hang out on the desktop, overlaying the icons there, and on occasion overlaying every other piece of software as well, taking up pretty valuable screen real estate and mindscape, too.


Like browser toolbars.

I was going to say "at least IoT devices can't driveby install themselves", but I'm sure someone will find a way. Maybe people can have Bonzi Buddy for their thermostat.


It will probably become a selling point for new construction once it gets cheap enough. So it will be more like crapware installed on a new PC, except inside your walls. :)


Oh god, it's going to have to be on the structural reports.

"House is at risk from subsidence and there's Heartbleed in the heating system"


It doesn't have to be crap if it is modular and upgradeable. Executive controller, hardware controllers, sensors and switches need to be serviceable/upgradeable. The paramount feature (or lack of) would be to keep it air gapped. As soon as you connect it to the net, all is lost & you are now a slave to fees from an SaaS that may be gone in a year, security updates and haxor shenanigans. A truly automated system doesn't require your input after roll-out & dialing. Of course, that does mean no cool app to fiddle with.


Computers are modular and upgradeable, but we still have Bonzi Buddy and the AdSearchMoneyDollars browser toolbars, and pre-installed bloatware (and backdoors!) bundled by manufacturers.


Yep, everything changes when you network w/ the outside world. My point is a home-rolled, air-gapped system has no chronic needs for updates, bloat purges & pen-testing. A static platform, set it & forget it, is the benefit I value. That and nobody indexing my activities for profit.


> A static platform, set it & forget it, is the benefit I value.

Wait, you just said above:

> It doesn't have to be crap if it is modular and upgradeable. Executive controller, hardware controllers, sensors and switches need to be serviceable/upgradeable.


Components break, sensors die, contacts get rough. 3rd party applications are unnecessary for the specifically coded purpose. Not being connected negates the need for security updates. And over time, the operator may choose to upgrade the platform at his or her sole discretion.


I think that you get the same situation here. There are people who understand what is going on and people who do not and people who do but do not care.


I'm always amazed at how cynical HN can be on IoT.

I work at a facility with tens of thousands of sensors that are critical to safely and efficiently running the operation. IoT is spilling into the residential sector because of how successful it has been in the commercial world and because many people find it to be a useful addition to their household.

Are there issues that the industry needs to resolve? Absolutely. Should the buyer make an educated purchase? Sure. But the answer to some IoT systems being insecure is not that the whole field is a gimmick only for the "smart"! I wouldn't even call residential IoT a mature technology yet - of course there are going to be issues.


I think you meant "knowledge" rather than "intelligence".

Sorry for the nitpick. There are many smart people who are not techies.


I am not sure I follow - is the implication that some "creepy" person I met at a bar/cafe/etc. who knows only my first name will somehow exploit $RANDOM_IOT_DEVICE in my home? Even if you allow that they might be able to ID me accurately (say with a phone camera), they'd need to find my IP (which changes regularly, DHCP from my ISP), get through the firewall, and compromise the device. That isn't impossible, but it would make a better subplot for Mr. Robot than something I should spend time worrying about. It seems much more likely IoT devices will be exploited by scripts, running over ranges of IPs, and their "creepy" owners will be thousands of miles away from my home.


Do you have anything in your home that you might wish to keep private? Any texts with loved ones? How about any intimate moments, whispered nothings that you would prefer not be recorded?

Oh, you say you have nothing to hide.

Do you have a bank account? An investment portfolio? College funds for your kids?

A skilled attacker can make all of that vanish.

Without many people noticing, the IoT has slowly invaded the average American home. Almost every TV is a Smart TV, internet gateways are smarter, Alexa, Siri, Cortana, light bulbs, door locks, refrigerators, thermostats...

With a little effort, an average pen tester could own your system, publish your secrets, steal your life savings, record you with your wife, and brick your iPhone, TV, and furnace just for good measure.

It's time to take IoT security seriously.

*It actually was on Mr. Robot. There was a subplot wherein Darlene compromises an E-Corp exec's smart home, causes the appliances and security system to malfunction to drive away the occupant, and then uses the place as a hideout.


Even if you literally have nothing valuable to hide, consider that a hacked device on your network could be used for malicious things like DDOS, hosting illegal content, proxies for other attacks, etc etc.


More importantly, consider how much more empowered malicious state-backed entities become. At the moment we can only be surveilled (which is plenty terrifying). What happens when we can be physically influenced remotely at scale?


> It seems much more likely IoT devices will be exploited by scripts, running over ranges of IPs, and their "creepy" owners will be thousands of miles away from my home.

It seems much more likely that it's not an either/or proposition.

Does it seem that unreasonable that someone can go from name to email to spear phishing attempts to ip to firewall exploit to home security camera/refrigerator/every out-of-date piece-of-garbage IoThing in your house if they're specifically trying to get you? That was pretty much each of the 100 stories behind the Fappening. You think a rival startup wouldn't go through the effort, or a creepy neighbor? Isn't that the entire concept behind RATting (minus the easy way in provided by the IoT)?

You think it won't be turned into a 1-click app with notifications after each stage is passed?


No, the implication is that your abusive partner, or perhaps a stalker, might turn your IoT devices against you & use them to watch you in your own home.

It’s easy for people to be completely oblivious to this reality if they have never experienced it themselves or had someone they knew be on the receiving end of this kind of behaviour. It really is not that uncommon.


If your threat model includes an abusive partner, then it has to include physical and authorised access, device replacement, device replacement with completely different hardware... basically, this is woefully insufficient.


>they'd need to find my IP (which changes regularly, DHCP from my ISP)

You might be surprised at how long you can have the same IP. It can easily go for a year with some ISPs.


Besides, you just have to hack only a single device to keep logging your current IP address.


I think the general concern is both that the IoT devices provide incredibly poor security combined with the general availability of personal information getting tied across the IoT infrastructure. Federated Facebook/G+ logins for IoT devices are just around the corner, if they're not already here, and more and more IoT devices show up on Shodan every day.

I will concur the article is a bit of IoT fear mongering combined with general paranoia over the current state of web services, but it's not really like this is much of a stretch for the near future.


The author is alluding to taking a person home after a bar.


How is a consumer supposed to answer any of these questions for themselves?


Just don't buy smart-house equipment in the first place, if you ask me. Dumb houses are good enough; and unless you're talking about panic buttons to call the police, more connectivity means more vulnerability.

(Now, to find a TV that doesn't have a microphone.)


Ideally anybody reviewing these devices should be getting answers to them.


I am afraid that most of them are not even given any option very soon. Try to find a TV without reflective screen these days. It is impossible as nobody is making them even where there is certainly a market for them.


It entirely depends on the thing. If someone hacks my light switch all they can do is turn the light off and on while revealing to me I have a problem I have to fix. Anyone can call my home phone number and turn on my car plug for 4 hours. All they will do is waste a small amount of electricity. If they want to disable my alarm and open my door, well that will be a lot harder, particularly if they want to try to do it remotely.

If there is anything that can, say, let someone remotely cause a fire then the problem isn't security. The problem is that you have something under software control that can cause a fire. Chances are that regular faults will burn down the house much more often than "hackers" will. Note that such faults can be caused by things like lightning hitting the power lines somewhere in your city. They don't have to be actual bugs.

Of course the "internet of things" is kind of a joke right now. What with the lack of any sort of standardization it is unlikely that the owner will be able to usefully control things much less some remote attacker.


> If someone hacks my light switch all they can do is turn the light off and on

Or maybe they can monitor your light switch without changing its state. That data could be used to estimate when you are home with reasonable accuracy.

Or maybe they don't care about you at all and simply use your device in a DDoS or as a relay in an attack on someone else.


Lights are normally visible from outside the house...


So? Observing from the outside would require local observations, which increasingly is tracked (ALPR, CCTV). With a network attack the knowledge can be gained (in bulk!) with a lot less risk. Monitoring many lights (even those not visible from the street) in hundreds of houses without the risk of creating a local data trail is very different than driving by a few houses and observing for yourself.

However, that's just one way an insecure device could be abused that uses the data we know is available. I'm sure there are subtle and clever ways to abuse these devices that are still unknown.


Why would anyone possibly care that someone knows what the state of their lights are from far away? We care because of something that happens locally; burglary.

>I'm sure there are subtle and clever ways to abuse these devices that are still unknown.

The security of residences is fairly well understood at this point. The attacks have been occurring for centuries. My point is that we can't treat this as an IT problem. We have to take the old cultural knowledge into account as well.


> If someone hacks my light switch all they can do is turn the light off

That depends. If your light switch runs an out of date stack, it can be compromised and used as a beachhead to attack other things on your network or to run whatever software they want.


I think you have illustrated exactly why the IoT is becoming such a huge problem for the world at large.

Neither a toaster manufacturer nor the end-user cares at all whether the manufacturer hooks a device to the toaster which gives them some bragging rights but can be used to bring down some portion of the Internet when its security fails.

This is called an "externality" by economists[1]. Similarly to pollution, it's an effect whose cost is not borne by those who produce or who consume a given product. And it pretty much requires regulation to stop, though the chance of regulation in the present environment seems rather small.

[1] https://en.wikipedia.org/wiki/Externality


> This is called an "externality" by economists

Yes, and it's been a problem for well over a decade. E.g. a while ago the clowns at D-Link decided to hammer NTP servers, then had the chutzpah to call it "extortion" when one operator attempted to get them to stop. https://www.lightbluetouchpaper.org/2006/04/07/when-firmware...


> Of course the "internet of things" is kind of a joke right now. What with the lack of any sort of standardization it is unlikely that the owner will be able to usefully control things much less some remote attacker.

Unless the attacker doesn't want to use the IoT device for its usual purpose, but instead as, say, a vehicle for a DoS attack, or an attack path into other devices connected to the same home network.


We just do not need any IoT, standardised or not. Our private information must stay in our homes. It is just that simple. I am not saying that we do not need smart homes (the keyword you are looking for is "home automation"), just these do not have to leak our private information out of our homes. Our home is our final stronghold.

Please be wise.


I looked into electronically controlling the lights in my house 15 years ago. I was hard pressed to see any value in it. Walk into a room, flick it on. Walk out, flick it off. The light is for the person in the room - why flick it on and off when nobody is there?

(Yes, I know about deterring burglars.)


My roommate has an extremely annoying habit of leaving lights on, despite constant reminders of "hey turn off the light." We otherwise get along pretty well, so it wasn't worth fighting over. So I modified the switch to add remote control using a simple wifi controlled switch and also added a motion detector. Now the light turns itself off. Sure it's overkill, but it really is convenient and made for a fun project, plus it only cost about $10.

Similarly, our HVAC puts out most of its air upstairs and we use a fan to help move air down the stairwell. I set it up to coordinate with the HVAC to turn on and off in time with the cycles and also to turn itself off in the evening when we are all asleep and back on in the morning. Again, not essential but fun and handy.

The HVAC itself is also controlled by a somewhat complex system that I made over the course of about 6 months. It makes a big difference in keeping the house temperature even and also saves something like $10 per month in electricity. My point here is that well targeted smart home devices can be really handy. On the other hand I made this stuff myself specifically tailored to my needs. IMO, it's hard for commercial products to really hit the sweet spot between being easy to use and yet adaptable enough to fit into everybody's life tightly enough to not be annoying.


LED lights consume not much power. How does that compare with the power used by a wifi + motion detector system running 24/7?

It's pretty clear that an HVAC system that is on a timer can save considerable power. I have a programmable thermostat for that reason, but the user interface for it is so awful I need to reread the manual every time. It would be better if it was wifi and presented a web page as a UI.

I also bought a programmable cat feeder. Again, one needs a manual to figure it out. What is wrong with those engineers? You shouldn't need a freakin' manual to set up a cat feeder. And the UI couldn't be satisfied with 5 buttons, no, you've got to do chording and hold buttons for various amounts of time to do various things. It's complete madness.

(I don't want the cat feeder hooked to the internet, though. I'm suspicious the cat has been plotting against me, and it might be able to coordinate with other cats via the cat feeder interface, which could spark the cataclysm.)


> LED lights consume not much power. How does that compare with the power used by a wifi + motion detector system running 24/7?

It's barely a rounding error. Sleeping the microcontroller, average current draw is a couple mA. LED lights draw around 500 mA.

Regarding the HVAC, what I made is more focused on keeping the temperature balanced by taking a weighted average of temperatures across the house, with the weights adapting to where people are, similar to the Ecobee thermostats but DIY. It also has a web interface where you can view temperatures and power usage, which is far more useful than I thought it would be.


I think the biggest change in the past year (vs. 15 years ago) is the ability to interface with products like Amazon Echo and Google Home.

It's very convenient to be able to control lights from anywhere in the room by issuing a voice command. Not just turn them on and off but also dim, change colours, etc.

Granted this is from the perspective of living in an apartment :)


I can absolutely see this if one has mobility problems. If not, it will likely hasten the day when mobility problems arrive :-(


Haha maybe!


Or maybe they can attach your lightswitch to a botnet and use it in conjunction with millions of others to launch a DDoS.


The author poses some interesting questions, but unfortunately doesn't provide really useful answers.

How is the average consumer going to find out the security reputation of a vendor of smart home devices? How to find a reputable vendor for such or such device like a baby monitor, security cam, smart lighting or wifi repeater? In an easy way and easy to comprehend?

Is there a website to check the security of smart home devices, or a list of reputable vendors? That would be a first step.


Let me grab this occasion to ask: WTF is going on in general? I readily presume most people have a wifi router with these iot devices and while obviously those are not the best security wise (I presume again most don't run pfsense or openwrt) but still they are there, NATting away happily. How would a baby monitor appear on the open web...? I can't imagine the average user setting them up in DMZ or port forward or ... what is happening here? I am obviously missing some primarily home networking oriented protocol probably because I am configuring my own routers and I am simply unaware of some feature of the factory firmware that allows traffic inwards.


I don't use those products, but I can imagine many of them automatically doing port forwards (https://en.wikipedia.org/wiki/Universal_Plug_and_Play#NAT_tr... ) and possibly even automatically registering in a dynamic DNS service, all for the "convenience" of the "I don't know what a port is and I don't want to know" user.


> Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP control point to perform a variety of actions, including retrieving the external IP address of the device, enumerate existing port mappings, and add or remove port mappings.

Are you bloody kidding me? Why do you even have a firewall, rudimentary as it is, then?


UPnP comes from the view that NAT is an unfortunate artifact of residential ISPs only giving out one IPv4 address per household, not a crucial security strategy.

If you really think of your NATing router as a security device, turn off UPnP. Though I'm not sure how much good that will do, as any device can still phone home or reverse tunnel.


Sure but port scanning and forming a massive botnet is impossible if they are not even capable of listening on an open port which NAT gives you for free. It's like the lemonade you could make when life gives you lemons. Except now it's spoiled too.


On the other hand, UPnP is the only currently viable strategy for average people to run devices on their home networks and control them from the internet without looping in a third party server.


Not all home routers are allowing this by default. I don't have any hard numbers to offer, but my feeling is that only very old and today's very crappy ones do.
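
A defender-side check for the UPnP port mappings discussed in this thread, as an added example that is not part of any comment or of the linked article: it parses IGD `GetGenericPortMappingEntry` responses and flags enabled mappings that expose telnet, SSH, web admin or RTSP on an internal device. The SOAP responses, addresses, helper names and the list of risky ports are constructed for illustration; a real audit would read the entries from your own router.

```python
import xml.etree.ElementTree as ET

# Output arguments of the WANIPConnection GetGenericPortMappingEntry action.
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")

# Assumed policy for this example: internal services that should not normally
# be reachable from the internet. Adjust to your own network.
RISKY_INTERNAL_PORTS = {23: "telnet", 2323: "telnet (alt)", 22: "ssh",
                        80: "http admin", 8080: "http admin (alt)", 554: "rtsp"}

SOAP_TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<u:GetGenericPortMappingEntryResponse
    xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost>{remote}</NewRemoteHost>
<NewExternalPort>{ext_port}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol>
<NewInternalPort>{int_port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient>
<NewEnabled>{enabled}</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse>
</s:Body>
</s:Envelope>"""


def make_response(remote, ext_port, proto, int_port, client, desc, lease, enabled=1):
    """Build one constructed response, standing in for what a router returns."""
    return SOAP_TEMPLATE.format(remote=remote, ext_port=ext_port, proto=proto,
                                int_port=int_port, client=client, desc=desc,
                                lease=lease, enabled=enabled)


# Constructed sample data: four mappings as a router might report them.
SAMPLE_RESPONSES = [
    make_response("", 8023, "TCP", 23, "192.168.1.50", "IPCam", 0),
    make_response("", 51413, "UDP", 51413, "192.168.1.20", "p2p client", 3600),
    make_response("", 8081, "TCP", 80, "192.168.1.60", "DVR web", 86400),
    make_response("", 2222, "TCP", 22, "192.168.1.10", "old ssh", 0, enabled=0),
]


def parse_mapping(xml_text):
    """Extract one port mapping from a SOAP response body."""
    root = ET.fromstring(xml_text)
    values = {}
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag in FIELDS:
            values[tag] = (elem.text or "").strip()
    missing = [f for f in FIELDS if f not in values]
    if missing:
        raise ValueError(f"response lacks fields: {missing}")
    return {
        "remote_host": values["NewRemoteHost"],  # empty means any remote address
        "external_port": int(values["NewExternalPort"]),
        "protocol": values["NewProtocol"],
        "internal_port": int(values["NewInternalPort"]),
        "internal_client": values["NewInternalClient"],
        "enabled": values["NewEnabled"] == "1",
        "description": values["NewPortMappingDescription"],
        "lease_seconds": int(values["NewLeaseDuration"]),
    }


def audit_mapping(m):
    """Return the reasons a mapping deserves attention, or [] if none."""
    if not m["enabled"] or m["internal_port"] not in RISKY_INTERNAL_PORTS:
        return []
    # Judge by the internal port: the external port can be anything, so a
    # mapping such as 8023 -> 23 still puts telnet on the internet.
    service = RISKY_INTERNAL_PORTS[m["internal_port"]]
    reasons = [f'{service} on {m["internal_client"]}:{m["internal_port"]} '
               f'is reachable on external {m["protocol"]} port {m["external_port"]}']
    if m["remote_host"] == "":
        reasons.append("no remote host restriction (any internet address)")
    if m["lease_seconds"] == 0:
        reasons.append("lease duration 0 (does not expire in IGD v1)")
    return reasons


def audit(responses):
    """Parse every response and keep the mappings that have findings."""
    findings = []
    for xml_text in responses:
        mapping = parse_mapping(xml_text)
        reasons = audit_mapping(mapping)
        if reasons:
            findings.append((mapping, reasons))
    return findings


if __name__ == "__main__":
    for mapping, reasons in audit(SAMPLE_RESPONSES):
        print(f'{mapping["description"]} ({mapping["internal_client"]}):')
        for reason in reasons:
            print(f"  - {reason}")
```

A flagged entry is a cue to remove the mapping on the router and to check whether the device created it itself, in which case it will come back unless UPnP is disabled or the device is reconfigured.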



