Research Finds Shoddy Security On Connected Home Gateways
chicksdaddy writes Connected home products are the new rage. But how do you connect your Nest thermostat, your DropCam surveillance device and your Chamberlain MyQ 'smart' garage door opener? An IoT hub, of course. But not so fast: a report from the firm Veracode may make you think twice about deploying one of these IoT gateways in your home. As The Security Ledger reports, Veracode researchers found significant security vulnerabilities in each of six IoT gateways they tested, suggesting that manufacturers are giving short shrift to security considerations during design and testing. The flaws discovered ranged from weak authentication schemes (pretty common) to improper validation of TLS and SSL certificates, to gateways that shipped with exposed debugging interfaces that would allow an attacker on the same wireless network as the device to upload and run malicious code. Many of the worst lapses seem to be evidence of insecure design and lax testing of devices before they were released to the public, Brandon Creighton, Veracode's research architect, told The Security Ledger. This isn't the first report to raise alarms about IoT hubs. In October, the firm Xipiter published a blog post describing research into a similar hub by the firm VeraLite. Xipiter discovered that, among other things, the VeraLite device shipped with embedded SSH private keys stored in immutable areas of the firmware used on all devices.
Well, that gets a big frickin' DUH.
Until companies bear legal liability for writing shitty security code, this is exactly what will happen.
The Internet of Stuff is lots of hype, and little security.
The overwhelming majority of consumer products which want to connect to the internet have absolutely crap security, because companies want to get products out the door and don't care if they have lousy security.
The solution is to treat the Internet of Stuff as exactly what it is ... a marketing term, driving products geared towards analytics and ad revenue, implemented by companies who don't give a crap about your security.
Just don't buy it if you want security.
I am completely un-surprised by this. In fact, I expected it.
Lost at C:>. Found at C.
Anyone that understands the economics of software/embedded device development understands that it's a market for lemons with respect to security (https://en.wikipedia.org/wiki/The_Market_for_Lemons).
The customer can't easily distinguish between a secure and insecure product, so even if they cared, they'd have no way to provide an economic force to cause developers to prioritize security.
Instead of just fucking around on someone's wifi, the 21st-century's wardriving kids will be heating your house to 90 F, freezing your vegetables, and ruining your coffee!
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
I've been looking at OpenHAB. It is pretty comprehensive and compatible with many current IoT protocols. Being OSS, it's open to peer/security review. I am hoping it or something like it will gain mass scale adoption.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Every single time something wants to cross the boundary between "sheltered device" and "available to the Internet", you have to see what it's doing or you'll run into this.
This is the whole problem with things like UPnP, default "ALLOW ALL OUT" rules, etc. Devices want to talk out, and they'll punch holes to do it, and you don't have to be a genius here - connect their capabilities to find out what COULD happen.
The Chromecast dongle has your wifi password in it. It has access to your network. It has access to your Google account. It has access to the HDMI port of your TV (which may include Ethernet?). Three of those are DANGEROUS (the fourth probably isn't but a lot of people have said similar things and been wrong).
Now consider that it doesn't even need to be Google that's malicious / incompetent to be a problem. Oh, look, all Chrome browsers on your local net can discover Chromecasts. And send data. Data encoded in complicated codecs which I've often seen in Changelogs because they allow overflows. Oh, look, third-party apps in Chrome are allowed to jump onto the Chromecast too.
Join the dots. Unless you have security against those steps in the chain, there's nothing stopping the mere presence of a Chromecast dongle on your network being a vulnerability. They cost £30 so I doubt they could have a massively-overarching security audit that covers them for years in the future.
Now apply that to your Nest equipment. To the apps on your phone (that game can read from SD card, allow in-app purchases, send text messages to your friends, whatever.... join the dots on ALL that it can do and see what could potentially happen!). To the junk that you plug into the network or wireless. It's a nightmare. And as soon as you break the line and let those things talk out (or be port-forwarded to) you have an Internet-facing vulnerability that amplifies everything a thousand-fold.
This isn't shocking, unless you've been blind to the potential for the last fifty years.
In order to be consumer-friendly, they cannot be complex devices. Good security w/out complexity would lock most users out of their stuff. Good security w/out locking users out of their stuff requires complexity.
An internal system operation returned the error "The operation completed successfully.".
The biggest problem I have seen with these connected devices is that many of them need to "call the mothership". While that does make it easier for the device vendors to support their products, it also means that information that could be used to determine when you are least likely to be home is being sent over the Internet.
I have 3, separate, wired networks in my house. One is for the home automation system, and has NO connection to the Internet.
The system does have IR receivers, so could be vulnerable to a phone or tablet app that sends IR signals using something like an IRED, so the IR receivers accept a very limited set of commands. BUT, the IR communications are one-way: Simple commands in, nothing out.
Don't try to out weird me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
Simplicity.
Interoperability.
Security.
Pick two.
Companies want to turn a profit - security makes things complicated for typical end users, which translates into profit-sapping support calls and product returns.
Why does anyone find this attitude surprising?
This sig left unintentionally blank.
Yes, you can do it securely... I personally use a Crestron system behind a Cisco router and remotely connect through SSL VPN. I can control the whole house on my iPhone from anywhere in the world securely.
Would it have been too hard to have explained "IoT" in TFS? I spent a long time trying to parse it until I hit on "Internet of Things". Really? What we used to call a bridge or router is now an "IoT" hub or gateway (maybe both? TFS is vague). IoT is NOT widespread enough to be dropped like this.
Come on, guys. At least make TFS standalone.
Unless we're talking about base stations that connect to some online cloud service so you can control it from work, I want less security, not more. Really, the job of security should be left up to the router/gateway between my network and the internet. If the attacker's on my local wifi, I'm already hosed anyway.
More importantly, leaving these devices open is good for extensibility. If the devices become secure, they become locked down. As it is, if my smartbrand a doorbell goes off I can have it tell my smartbrand b lights to turn on, etc. Security will solve a problem of a hacker getting in, but you can bet we won't get the keys for our own legitimate use.
Secure your network, and let the devices do what they do best. Also don't connect them to the internet because damn, that sounds like a mess waiting to happen, security or not.
What does that really hurt? I suppose if a neighbor mooches off my wifi, that hurts my ISP, but not really me.
If it becomes a problem, at best I might wanna put up a wifi password to keep my neighbors off, but I don't really understand why my wifi (not the computers on it but the wifi itself) needs to have industrial-strength security.
But isn't this mostly alleviated if you secure your home WiFi network?
Let's be clear, companies try and make these products to be set up by dummies. It's why for years we had WiFi routers coming out of boxes with no security enabled. It's why we had PnP so as to help the dummies communicate and set up their stuff in home correctly without spending 10 hours on a help line.
The other aspect with remote controlled devices, such as adjusting your thermostat from your smartphone, or locking your doors, or turning on your lights, is that this adds another layer of complexity to the home network because it takes control outside of the home. Is this really needed? Or have we managed to become too dependent on technology that we can't remember to leave a light on or adjust a t-stat or we can't remember to lock our doors? Sometimes, you look at technology and need to ask: is this really beneficial? And to whom is it beneficial? I think too many times we assume too much about our technology being secure.
Because you are trying to balance reasonable security with some ability to manage all the stuff in your house, including locking doors and closing garages that your kids leave open. If you think of absolute security as a currency, you spend some of it to get the convenience of remote lock/unlock.
sigs are for losers (except to point out that sigs are for losers)