IoT Security Is So Bad, There's a Search Engine For Sleeping Kids (arstechnica.com)
An anonymous reader writes: Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams. The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores. While IoT manufacturers are to blame, this also highlights the creepy stuff you can do with Shodan these days. At the start of January, Check Point recommended that companies block Shodan's crawlers. The infosec community came to defend Shodan, and even its founder said that Shodan is uselessly branded as a tool of evil, saying that attackers have their own scanning tools.
These are some of the same terrified idiots who support things like the TSA and NSA spying. You know, to win the war against terror...
Now that the FBI's kiddie porn site got shutdown, that task-force needed a new project that exploits children.
I'm not a member of the site, but I don't think it's specifically for certain types of images as far as I can tell.
This must not be an article about ad-blockers.
Security is hard and companies have to make their video surveillance products easy enough for a soccer mom to install. Frankly I'm not surprised. Nor do I have a solution. As someone who has to provide tech support to family and friends I realize how hard it is to "just make it work" for those who couldn't care less about the technical details.
-- Thou hast strayed far from the path of the Avatar.
The infosec community came to defend Shodan, and even its founder said that Shodan is uselessly branded as a tool of evil, saying that attackers have their own scanning tools.
It won't matter to the families of the children you have exposed that other scanning tools are available. Yours is public and visible --- and it has a deliberately provocative name. You can't search Google for Shodan and miss the connection.
Calm yourself and then understand one thing: there is no breaking in going on, here. These cameras are broadcasting this shit directly to all comers, wide open to the world. No one is "tak[ing] a hammer and break[ing] into someone's home," they're standing on the sidewalk looking into the front windows where the home builder didn't bother to install any blinds.
People who don't secure their systems and devices are to blame for someone breaking into them? Go fuck yourself, if that's how fucking much of a dick you are for believing that shit. And here's why:
Anyone can take a hammer and break into someone's home. I don't see anyone blaming architects, glass blowers, window manufacturers, installers, washers, etc., or the owner of the property.
These are, conceptually and practically, completely different acts.
If I break into a home, I am forcing myself past a lock - i.e. destroying property - and ending up in someone else's property. (N.B. If there's no lock, entering a home is not illegal in many countries, although it is trespassing and you must leave when asked.)
If I "break into" a computer, I'm not actually intruding on property - which is why crimes tend to be defined in terms of "unauthorised access". Unauthorised access involves making a request from a computer which the computer responds to, because its owner has willingly installed it AND provided a method to communicate with it. No force is involved - I'm just saying, "Hey, computer, will you please give me XYZ?" and the computer says, "Sure here you go." It just happens that the owner decides at some point that they don't want the computer to be accessed in that way, even though they provided that method of access.
The solutions? Well, here are some I propose:
1) Unenforceability of disclaimer of liability clauses. If the user has read the manual and something still goes wrong, the manufacturer is responsible for clearing up the mess.
2) Stop putting everything on the Internet, asshats. It's not needed. Capitalism may have an insatiable desire to shovel ever more shit at people, rather than allow people to live in peaceful luxury, but not every trend is necessary to follow!
The only thing broken here is your analogy. If a company sold locks that couldn't be locked or were too trivially pickable, and advertised them as locks, you can guarantee there would be (and historically has been) more or less equivalent blowback. The only real difference being that if you forget to lock your car or don't even fucking try, nobody would be surprised to get their shit stolen.
If I were to create a device that can be hacked by someone else, then my customers and I are to blame for the act of someone hacking it?
If you make a house that opens the door and throws the owner's jewelry at the person who rang the bell, damn straight you are at fault for making the stupid thing in the first place, and the owner for not locking the door when he goes out.
Nobody is "hacking". The act of a port scan is more like a door knock or doorbell ring than walking through a parking lot trying every door handle for one that's unlocked.
Learn to love Alaska
If a company sold locks that couldn't be locked or were too trivially pickable, and advertised them as locks, you can guarantee there would be (and historically has been) more or less equivalent blowback.
Electronic locks used on hotels? Or the programmable key locks that a lot of people use on their house? You can still bust them open with $50 of off-the-shelf hardware. That's been going on for 4 or 5 years now, and the amount of blowback has been minimal.
Om, nomnomnom...
I'm not sure if everyone already knew this but Shodan *started* as a non-secured webcam search engine back in 2009.
Kriston
The feds will shut down the sleeping-kids search engine in a couple of weeks, after they infect a bunch of computers with phone-home-ware.
What's that you say? I'm posting in the wrong thread? Sorry, saw "kids" and "cameras" and "creepy" and they sort of blended together there for a minute.
Strange but true: My captcha is warrants. Now THAT is creepy!
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
An AC wrote:
There was no breaking in.
If you provide data to the public Internet without any form of restriction, you can't then validly complain when the Internet public sees that data. You offered it publicly, and the public took you up on your offer.
This isn't anything like breaking and entering, nor even like someone walking through a door which you left wide open. It's much more intentional on your part than that: you offered data to the public by creating an unrestricted access port on the Internet, your offer was accepted when someone opened that port, and then you deliberately sent your data out to that recipient. It was your choice, before and after you made the offer to the public. Nobody can force you to send your data if you don't want to. Your system wasn't hacked to change its code to something that you did not intend.
The closest analogy I can make is to imagine yourself standing on the sidewalk in the high street, an open sweet jar in one hand, and the other hand outstretched offering sweets to passers-by. The high street is the public Internet, and your invitingly outstretched hand is the open port. If someone takes hold of the sweet, you can still prevent it from being taken by holding tightly onto the wrapper (an access restriction, perhaps you want to check that recipients are smiling first).
But if you first offer a sweet and then release it, you don't get to complain --- it was your visible intention to hand out sweets to passers-by, and nobody can read your mind, only your actions. If you don't understand this then perhaps you don't grasp how Internet protocols work, and you would be best advised to stay well clear of the Internet.
You may wish that Internet protocols worked some other way, perhaps using ESP, but they don't. They work as they were defined.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
You are quite right, the makers of the items throwing valuable stuff around unsecured are doing wrong.
But, someone taking advantage of this problem is still doing wrong.
I don't think you are arguing that it is ethical to take that which is thrown at you, but that the owner had no intention of you having.
I understand that this is a "technicality", that it isn't expected to stop this wrong.
And someone publishing a directory ( or web site ) with directions on how to get to such ill secured items, especially to encourage, even allow viewing something like sleeping kids is doing wrong, verging on evil.
Chorus of above.
...front gardens, back gardens...
Aha! But not side gardens! Those have better privacy...
Correct me if I'm wrong (and I know you will, 'cause you're always right and I'm always wrong, according to your POV): Isn't an IP address purchased by ISPs the property of the ISP, and thus, anyone who violates the trust of contract between the ISP and the consumer someone considered liable for violating that contract?
What are you even talking about? If I open my browser and tell it to go to slashdot.org, a web page comes up. I don't have a contract with Slashdot, and I don't have a contract with Slashdot's ISP. I don't really care what contract Slashdot has with its ISP. I'm not violating any contracts by loading slashdot.org in my web browser.
If I open my browser and tell it to go to 12.34.56.78 and up pops a webcam showing the break room in a convenience store, how is this any different? I don't have a contract with the convenience store and I don't have a contract with their ISP. I don't care what contract they have with each other. My web browser asked a server to display some content, and it did. Nobody violated any contracts.
I guess you agree with the analogy that if a woman dresses sexy and is raped, "She was askin' for it," right?
No. I do agree with the analogy that if I ask a woman for sex and she says "OK, let's do it" then everything is fine.
Publicizing these problems would hopefully convince the owners to turn on the security features of their non-IoT items.
I hate how these are called IoT. IoT is for things talking to things. Not people talking to servers. That's just the Internet. The camera only talks to people or things pretending to be people.
The current trend is the Internet of tiny servers. The IoT refrigerator is a server. You connect to it via an app. Or it's a client device in a 3rd party network, where your LG appliances talk to an LG server that your app connects to. Your things *never* talk to your other things. When that happens, that's an IoT. Until then, it's more client-server apps, with the clients and servers getting smaller and more interchangeable.
Learn to love Alaska
Because sweeping this under the rug means bad guys won't ever attack these devices. *rolls eyes* Their point won't have been made until these *groan* IoT *groan* device making shitheads secure their crapware.
The geek makes this argument whenever one of his pet "white hat" hacking projects is clearly open to abuse.
The problem here is that the argument appeals only to other geeks --- not to those who see only an invasion of privacy made possible --- made easier --- by a search engine like Shodan. That a door was unlocked or the lock was broken does not imply a right to enter.
The geek needs to learn that others see him as the shithead whether he is wearing the white hat or the black.
Like electricians who need a license to work (at least where I live), IoT devices should require a license to install.
...they don't need to worry about the surveillance.
And the parents who put these protections in place, that's just like our big brother the NSA and GCHQ putting protections in place for us. No encryption necessary. Hope no bad guys get a hold of this.
But if you're doing nothing wrong... ...you have no reason to worry.
Of course, I know your counter argument: "They left it wide open, so they're responsible."
Please think about this carefully:
The webcam
delivers
the pictures.
One more time:
The client says, "May I watch you?"
And the webcam server says, "Sure, here are the pictures."
A suitable analogy is me asking, "May I watch you?" and you saying, "Yeah, go ahead."
If you take down the blinds and curtains and someone can stand on the sidewalk and watch your daughter undress there is nothing illegal about it and you are at fault, not the guy watching and not the guy who told him.
These cameras broadcast their video to the internet, just like leaving the blinds off.
Closer akin to you posting her pictures to Facebook but not giving anyone her name, then someone finds the page and tells other people. I put up a webpage with a webcam using a Raspberry Pi with an open port on my cable router and it took Google less than two days to find it.
It is as if the IoT people have never even heard of the, by now, 30+ years of history of Internet security fails. These must be the dumbest, most arrogant and most clueless developers, led by managers of the same quality. It is high time that we get legally actionable gross negligence for manufacturers that ignore Internet security best practices.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
A service like shodan only increases public awareness, anyone who actually has malicious intent will have their own method of discovering insecure devices and no intention of publicising their activity. Publicity does not benefit those with malicious intent, as the publicity will cause at least some people to improve the configuration of their devices.
If you keep this information out of the public eye, it gets forgotten and overlooked and then the number of vulnerable devices only increases to the benefit of the actually malicious people who want to take advantage of them.
And yes, often the device manufacturer is at fault: some devices cannot be reasonably secured, and for others the manufacturer provides weak defaults and doesn't do enough to force users to change them.
Some devices these days come with a random password printed on the device, that's perfectly reasonable and prevents casual attackers using blank or default passwords.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
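The per-device random password the comment above describes, written out as an added example (not code from the thread or from any vendor's firmware): the factory label password comes from a CSPRNG, the device stores only a salted PBKDF2 digest, and a password change that would fall back to blank or a factory default is refused. The default-password list and the minimum length are constructed, illustrative values.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional, Tuple

# Constructed list of factory defaults this device must never accept
# (assumption: illustrative values, not any vendor's actual defaults).
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345", "123456", "root"}

MIN_LENGTH = 12  # assumed policy value


def generate_device_password(length: int = 16) -> str:
    """Per-unit random password, printed on the device label at the factory.
    Uses the secrets module (CSPRNG), never a serial-number-derived value."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_acceptable_password(candidate: str) -> bool:
    """Reject blank, factory-default and too-short passwords."""
    if candidate.strip().lower() in DEFAULT_PASSWORDS:
        return False
    return len(candidate) >= MIN_LENGTH


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the device stores only (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class CameraCredentialStore:
    """Models first-boot provisioning: the label password is mandatory from the
    start, and replacing it with a blank or default password is refused."""

    def __init__(self) -> None:
        self.label_password = generate_device_password()
        self.salt, self.digest = hash_password(self.label_password)

    def login(self, password: str) -> bool:
        return verify_password(password, self.salt, self.digest)

    def change_password(self, old: str, new: str) -> bool:
        """Requires the current password and a policy-compliant new one."""
        if not self.login(old) or not is_acceptable_password(new):
            return False
        self.salt, self.digest = hash_password(new)
        return True


if __name__ == "__main__":
    store = CameraCredentialStore()
    print("label password:", store.label_password)
    print("blank accepted?", store.change_password(store.label_password, ""))
    print("'admin' accepted?", store.change_password(store.label_password, "admin"))
```

The point of the design is that there is no moment at which the camera answers to a blank or shared credential: the random label password exists before the device is ever plugged in, and the only way to replace it is with something that passes the same policy.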
The problem is that hacking isn't even involved.
To stay in your house analogy, the current situation is more like every door in your home being unlocked with a butler at the door greeting people and handing them whatever they ask him for. They're not even "illegally entering" your home. They ask your butler "may I take a look at little Cindy?" and he delightedly says "But of course!" without even asking who they are or why they want to take a look at your child.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
.io domains are british, so I just concluded that 99% of the pedophiles are living there. (UK includes US too... it's like... a big transcontinental isle full of shitty people anyways)
"Look at you, hacker: a pathetic creature of meat and bone, panting and sweating as you run through my corridors."
'I am the Cavalry' criteria for Secure by Design includes some good stuff, but to compensate then says:
All GPIO, UART, and JTAG interfaces on the hardware should be disabled for production versions.
I'm not sure what their threat model is for a consumer device.
Are they worried about somebody in the supply chain compromising the device?
It seems like the first thing for putting a camera on the Internet is to give it a strong, unique password out of the box and not have any bugs that let folks in in other ways. The above might be useful for hiding any such bugs, but ultimately it seems like security through obscurity. Just put really simple s/w in the camera that has a good chance of being safe, provide the above debug interfaces, and provide a bug bounty.
If the Cavalry wanted to fix this, they could publish open source camera s/w with the above bug bounty. Then the race to the bottom vendors would not have to sacrifice security for cost.
Of course, I know your counter argument: "They left it wide open, so they're responsible."
Please think about this carefully:
The webcam
delivers
the pictures.
One more time:
The client says, "May I watch you?"
And the webcam server says, "Sure, here are the pictures."
A suitable analogy is me asking, "May I watch you?" and you saying, "Yeah, go ahead."
An even more suitable analogy is me asking a Magic 8-Ball "May I watch this guy?"...but all other responses in the 8-ball other than "Yes, definitely" have been removed by the manufacturer.
The person who should be giving the consent is not consulted, or is not aware that consent is being automatically provided by a third party.
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
IoT: Internet of Trouble
Let's see....cheaply-made products produced and sold with barely a nod to security, installed by users who are likely to be as clueless as they could possibly be, all connected to a worldwide network easily accessible by lots and lots and lots and lots of malicious people with too much time on their hands.
What could possibly go wrong??
Trust me, you ain't seen nothin' yet. I'd wager that 98% of all of these consumer-grade gadgets are going to be easily hackable in their default configuration. It's only a matter of time- eventually one of them will cause a serious injury or death, or at the very least some kind of significant property damage.
You want your refrigerator to be internet enabled? Great! But should it also have the unfettered ability to turn the temperature down and spoil all the food?
You want door locks you can control from the other side of the world? Great! But should any Joe Blow with a free hacking kit be able to unlock your doors at will?
You want to be able to remotely turn on your stove and start heating some water? Great! But should it blindly start "heating" a cardboard box left sitting on the burner because some dickhead in Moldavia can bypass your login?
You want an internet-enabled thermostat? Great! But should some malicious asshole be able to turn off your heat in the dead of winter when you're on vacation, freezing your house and causing your water pipes to burst?
Don't get me wrong- I think the overall idea of IoT is fascinating and holds great promise, but mark my words... like anything else it's gonna be abused too. Unfortunately I think it's going to take some major-league lawsuits before manufacturers start taking the security aspect of it seriously.
Just cruising through this digital world at 33 1/3 rpm...
Internet traffic on the Vatican City grew 500% in 15 minutes.
If you run a webserver on your computer, visible to the internet at large, and someone else accesses that webserver, you literally have nothing to complain about. That's what webservers are FOR. If you put pictures of your daughter on that webserver, and Google comes along and indexes them, how is that different than anyone else putting any other pictures on any other webserver and Google indexing them? Google can't read minds; neither can Shodan.
In this case it's a webserver being run on a shitty internet-connected webcam, but I can run a webserver on my Raspberry Pi and hook it up to a camera just as well and make that available to the internet at large if I want. The problem is shitty internet-connected cameras, not search engines.
The analogy is not broken, companies DO make and sell locks that are trivially pickable with as little as a pen. These locks are sold for indoor use only, such as bathrooms and bedrooms with the expectation that you put a more secure lock on your external doors. Cameras sold with little to no security are similarly expected to be used on a LAN on which the external gateway is secured (such as a firewall and/or NAT).
Don't these webcam servers ask 'What's the password?'?
That to me is a lock, no matter how trivial the password may be. Meaning someone is sticking hairpins into doorknobs to see how good the locks are, which is wrong. Sure there's some onus on the purchaser to choose a good lock, but that doesn't mean the intruder isn't in the wrong.
Giving the default password a try is indeed hacking. Any password barrier at all says "not welcome" - the exact opposite of throwing valuables out.
And when there's no password set at all?
Learn to love Alaska
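The exchange the thread keeps returning to ("May I watch you?" / "Sure, here are the pictures") and the "What's the password?" question just above, modelled as an added example that is not code from the thread or from any camera vendor. Both handlers take a minimal request (path plus an optional Authorization header) and return a status and body: the wide-open handler hands out a frame to any caller, while the hardened handler answers 401 until a valid HTTP Basic credential is presented, checked against a salted PBKDF2 digest in constant time. The frame bytes, username, password and salt are constructed values.

```python
import base64
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

# Constructed stand-in for a camera frame (a real device would return JPEG bytes).
FRAME = b"\xff\xd8<constructed-jpeg-frame>\xff\xd9"

Request = Dict[str, str]      # "path" plus an optional "authorization" header
Response = Dict[str, object]  # "status", "body", optional "headers"


def open_camera_handler(req: Request) -> Response:
    """The wide-open device: any GET /snapshot gets a frame, no questions asked."""
    if req.get("path") != "/snapshot":
        return {"status": 404, "body": b""}
    return {"status": 200, "body": FRAME}


class AuthenticatedCamera:
    """Hardened variant: HTTP Basic auth checked against a salted PBKDF2 digest
    (assumption: illustrative design, not any vendor's firmware)."""

    def __init__(self, username: str, password: str, salt: bytes) -> None:
        self.username = username
        self.salt = salt
        self.digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _credentials_ok(self, header: Optional[str]) -> bool:
        if not header or not header.startswith("Basic "):
            return False
        try:
            decoded = base64.b64decode(header[6:], validate=True).decode()
            user, _, pw = decoded.partition(":")
        except (ValueError, UnicodeDecodeError):
            # Malformed base64 or non-UTF-8 payload: treat as no credential at all
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)
        # Compare both fields in constant time so a mismatch leaks nothing useful
        user_ok = hmac.compare_digest(user.encode(), self.username.encode())
        pw_ok = hmac.compare_digest(candidate, self.digest)
        return user_ok and pw_ok

    def handle(self, req: Request) -> Response:
        if req.get("path") != "/snapshot":
            return {"status": 404, "body": b""}
        if not self._credentials_ok(req.get("authorization")):
            # "May I watch you?" -> "Not without a password."
            return {"status": 401,
                    "headers": {"WWW-Authenticate": 'Basic realm="camera"'},
                    "body": b""}
        return {"status": 200, "body": FRAME}


def basic_auth_header(user: str, pw: str) -> str:
    """Build the Authorization header a browser would send after the 401."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def transcript(handler: Callable[[Request], Response], requests: List[Request]) -> List[int]:
    """Run a sequence of requests through a handler and return the status codes."""
    return [int(handler(r)["status"]) for r in requests]


if __name__ == "__main__":
    cam = AuthenticatedCamera("admin", "label-pw-constructed", b"\x00" * 16)
    anonymous = {"path": "/snapshot"}
    print("open device, anonymous client:", transcript(open_camera_handler, [anonymous]))
    print("hardened device, anonymous client:", transcript(cam.handle, [anonymous]))
    print("hardened device, label password:", transcript(
        cam.handle, [{"path": "/snapshot",
                      "authorization": basic_auth_header("admin", "label-pw-constructed")}]))
```

Basic auth is only a meaningful lock when it travels over TLS; the example models the consent step itself, not the transport. The 401 plus WWW-Authenticate response is what turns the device's answer from "Sure, here you go" into a question that a human has to answer.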
Here's a car analogy for you: This is like having a car that automatically starts up for you and opens the doors when you walk by. The manufacturer, however, neglected to require the key fob to be anywhere nearby, so any time ANYONE walks by, the car door opens and the car starts up.