Slashdot Mirror


IoT Devices Are Secretly Phoning Home (thenewstack.io)

An anonymous reader writes: A popular internet-enabled security camera "secretly and constantly connects into a vast peer-to-peer network run by the Chinese manufacturer of the hardware," according to security blogger Brian Krebs. While the device is not necessarily sharing video from your camera, it is punching through firewalls to connect with other devices. Even if the user discovers it, it's still extremely hard to turn off. Krebs notes that the same behavior has been detected in DVRs and smart plugs -- they're secretly connecting to the same IP address in China, apparently without any mention of this in the product's packaging. One security researcher told Krebs the behavior is an "insanely bad idea," and that it opens an attack vector into home networks.
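
An added example, not from the article or the summary: one way to check your own network for this behaviour is to look in router or firewall flow logs for LAN hosts that contact an outside address at near-fixed intervals, grouped by destination so that several devices calling the same address stand out. The log format, home subnet, addresses and port below are constructed for illustration.

```python
import ipaddress
import statistics
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the home subnet

def constructed_flows():
    """Constructed sample log, 'epoch src dst dport proto' (not captured traffic)."""
    lines = []
    for i, dev in enumerate(("192.168.1.50", "192.168.1.51", "192.168.1.52")):
        for n in range(6):  # three devices, one check-in a minute, slight jitter
            ts = 1000 + 60 * n + (n * (i + 1)) % 3
            lines.append(f"{ts} {dev} 203.0.113.10 40000 udp")
    for ts in (1004, 1011, 1190, 1200, 1745):  # laptop browsing: bursty, irregular
        lines.append(f"{ts} 192.168.1.20 198.51.100.7 443 tcp")
    return "\n".join(lines)

def find_beacons(log_text, min_events=5, max_cv=0.1):
    """Return {(dst, port): [srcs]} for LAN hosts calling out on a near-fixed timer."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, src, dst, port, _proto = fields
        # Only outbound flows matter here: LAN source, non-LAN destination.
        if ipaddress.ip_address(src) in LAN and ipaddress.ip_address(dst) not in LAN:
            seen[(src, dst, int(port))].append(int(ts))
    hits = defaultdict(list)
    for (src, dst, port), times in seen.items():
        if len(times) < min_events:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: timer-driven check-ins have gaps that barely vary.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits[(dst, port)].append(src)
    return {key: sorted(srcs) for key, srcs in hits.items()}

if __name__ == "__main__":
    for (dst, port), srcs in find_beacons(constructed_flows()).items():
        print(f"{dst}:{port} contacted on a timer by {', '.join(srcs)}")
```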

8 of 196 comments

  1. Not new by penguinoid · · Score: 3, Informative

    Anyone familiar with IoT knows that most of them phone home to report.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  2. DDNS by 110010001000 · · Score: 5, Informative

    This "secret network" is a "DDNS network" so you can more easily connect to your camera from the Internet. Clickbait.

  3. Total FUD by Theaetetus · · Score: 5, Informative

    Just because something says P2P doesn't mean it "connects to a vast peer-to-peer network". These particular cameras are made to work with a smartphone or tablet app: the camera connects to the company's servers to tell them its IP address; your tablet connects to the server to find out the IP address of your camera; and then your tablet and the camera establish a peer-to-peer connection, so that none of the video travels via the company's servers.

    That's it - the two peers are your camera and your mobile device, not some fast torrent network or something.

    Now, sure, this could've been documented better, but Krebs should also know better than to jump to hyperbole based on two letters and a number in a configuration screen.

  4. It's Foscam you /.pussys by EvilSS · · Score: 3, Informative

    Really Dice, scared shitless to mention the manufacturer?

    Here is the Krebs link if you want the actual details and don't want to dig it out of the articles linked in the summary: http://krebsonsecurity.com/201...

    --
    I browse on +1 so AC's need not respond, I won't see it.
  5. Re:Internet of Security Nightmares by Anonymous Coward · · Score: 1, Informative

    Internet of Worthless Shit that Doesn't Need to be on the Internet

  6. Re: No need to phone home. by ceoyoyo · · Score: 1, Informative

    Trivial, is it? As the GP explained, the vast majority of people do not have static IP addresses so it's absolutely necessary to use a DDNS type service. Since the DDNS service has to be a server somewhere that DOES have a static IP address, that is indeed what the kids today call "the cloud."

  7. Re:No need to phone home. by tlhIngan · · Score: 3, Informative

    And it is completely, absolutely, 100% unnecessary.

    o Plug in not-yet configured device.

    o Shortly thereafter, it accepts DHCP configuration. Now it has an IP.

    o Then it vomits out a tiny UDP (broadcast) packet every 60 seconds or so that says "I'm a WackyWidget and my IP is Yad.daY.yad.daY"

    o You start app, it listens for the UDP packet, when it hears it, it begins comm via TCP at the IP identified in the UDP broadcast. UDP broadcasts then cease until, or unless, the TCP (and possibly the DHCP) connection is dropped, in which case, begin again at whatever step is needed.

    That's it. That's ALL of it. You need nothing more for an IP camera, a smart power plug, a smart lightbulb, an aquarium controller, the garage door opener, etc., etc., ad infinitum.

    If you THEN want to expose WackyWidget to the WAN, you could enable that separately.

    If you were out of your damned mind.

    If you haven't yet figured out that "the cloud" is nothing but a way to take/get things from you -- money, data, ownership of media, etc. -- then you really need to look at all this harder.

    which makes the device useless to the people who buy it. People buy security cameras with IP connectivity so they can view their camera from a remote location, for alerts and the ability to view and control devices remotely.

    Like you have a camera on your front door. It sends you an alert someone is there, to which you access your camera to see who it is. Generally, this is useful if the UPS or FedEx guy comes while you're at work, at which point you can ask them to drop the package off in the garage (which you open and close remotely). No package left on the doorstep, and the garage door is closed by you so it's safe and waiting for you.

    And that's the reason why people are going for the "cloud" stuff. Sure there's probably a few lazy asses using it inside their home (or their home is a huge mansion that takes 10 minutes to get from one side to the other), but the key selling point of these "IoT" devices is remote access.

    Remotely turn on the lights. Remotely turn on the heat or AC so you come home to a warm or cool house. View cameras and recordings while you're out.

    What you propose is secure, but gives consumers none of that. They're buying it for the remote accessibility and giving them only local access until they do a bunch of fancy stuff is basically counter to what consumers are buying the things for.
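
An added example, not part of either commenter's post: the app side of the LAN-only discovery scheme quoted in the comment above, with the check a client needs before opening TCP to the advertised address. The JSON payload layout, the `tcp_port` field, the function names and the subnet are assumptions made for illustration; only the "WackyWidget" name and the broadcast-then-TCP flow come from the comment.

```python
import ipaddress
import json

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the app's own subnet
MAX_ANNOUNCE = 256                            # an announcement is tiny; drop anything larger

def build_announce(model, ip, tcp_port):
    """Device side: the payload broadcast every 60 s or so until an app connects."""
    return json.dumps({"model": model, "ip": ip, "tcp_port": tcp_port}).encode()

def accept_announce(payload, source_ip, expected_model="WackyWidget"):
    """App side: return (ip, port) to open TCP to, or None if the packet is rejected."""
    if len(payload) > MAX_ANNOUNCE:
        return None
    try:
        msg = json.loads(payload.decode("utf-8"))
        claimed = ipaddress.ip_address(msg["ip"])
        port = int(msg["tcp_port"])
        model = msg["model"]
        sender = ipaddress.ip_address(source_ip)
    except (ValueError, KeyError, TypeError):
        return None  # not JSON, wrong shape, or not an IP address
    if model != expected_model or not 1 <= port <= 65535:
        return None
    # The payload is untrusted text: accept only an address that matches where the
    # datagram actually came from and that sits on the local subnet.
    if claimed != sender or sender not in LAN:
        return None
    return (str(sender), port)

if __name__ == "__main__":
    good = build_announce("WackyWidget", "192.168.1.77", 8080)
    print(accept_announce(good, "192.168.1.77"))   # accepted
    print(accept_announce(good, "192.168.1.66"))   # payload IP differs from sender
```

The source-address comparison only narrows what the app will connect to; the TCP session that follows still needs its own authentication.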

  8. Re:If you think by jones_supa · · Score: 3, Informative

    That's not true at all. IoT simply means an embedded device connected to the Internet.