IoT Devices Are Secretly Phoning Home

An anonymous reader writes: A popular internet-enabled security camera "secretly and constantly connects into a vast peer-to-peer network run by the Chinese manufacturer of the hardware," according to security blogger Brian Krebs. While the device is not necessarily sharing video from your camera, it is punching through firewalls to connect with other devices. Even if the user discovers it, it's still extremely hard to turn off. Krebs notes that the same behavior has been detected in DVRs and smart plugs -- they're secretly connecting to the same IP address in China, apparently without any mention of this in the product's packaging. One security researcher told Krebs the behavior is an "insanely bad idea," and that it opens an attack vector into home networks.

it's not a secret

[turkeydance]

c'mon, man. they're all doing it. damn you ET.

Re:it's not a secret

Things are worse these days. ET never anally probed Elliott, after all. (maybe that was in the deleted scenes; I never watch those)

Re:it's not a secret

[arglebargle_xiv]

You're only saying that because you've never seen "ET Porn Home" in all its VHS glory.

Re:it's not a secret

I had Betamax back then, you insensitive clod!

Re:it's not a secret

[wonkey_monkey]

it opens an attack vector into home networks.

ET pwn home.

Re:it's not a secret

I thought you just made this up on the fly. An unfortunate Google proved this assumption wrong. Very, very wrong.

Not new

[penguinoid]

Anyone familiar with IoT knows that most of them phone home to report.

Re:Not new

[ls671]

Just put those IoT on their own VLAN and do not allow them to connect anywhere!

Re:Not new

[Dutch+Gun]

Agreed. This doesn't surprise me one bit. Maybe the name gives it away... you know... that these Things communicate over the Internet?

I'm going to take a potentially contrary position, though, and argue that if a device is internet enabled, it absolutely should be phoning home on a regular basis, and for very good reasons. The recent glibc library vulnerability only helps to validate my opinion, in fact, which is that it's absolutely inevitable that serious vulnerabilities will be found in ANY internet-facing device, and so these devices MUST be able to automatically update themselves. What's more, manufacturers should be responsible for providing security updates for a reasonable product lifetime - otherwise, they're no longer fit to stay connected, and essentially must be discarded in order to keep your network secure.

I'm sure there are those who would argue against such a policy, but these are *consumer* devices, and we damn well know by now that a typical consumer will never update the firmware on their own device. We now accept that browsers must self-update in order to remain secure, and we're just now grappling with the notion that OSes must do it too. Frankly, anything that's internet-facing needs to be treated the same way. The manufacturer must take responsibility for this. Otherwise, we're going to have billions of tiny infection vectors that will last as long as the devices do, which could be decades. Look at how much of a problem this is for old desktops, servers, and routers sitting on the internet, spewing botnet-controlled traffic because they've never been updated. Granted, this has to be done in a secure manner, so that MITM attacks are not possible, but it's absolutely possible to do it right.

Of course, we all know what's really going to happen, which is that these companies with absolutely no clue how to do internet security are going to get many thousands of people infected through these crappy little internet-enabled gizmos, and the people who get infected with the Zeus banking trojan or crypto-ransomware will be outraged, and articles will be written, and eventually things *may* improve slightly. I'm sure as hell not going to be one of the early-adoption suckers.

Re: Not new

[nehumanuscrede]

Easy for the typical /. reader perhaps, not so much for your everyday consumer. Go ask random folks what a Vlan is and you'll understand pretty quickly.

The typical user isn't even aware of the possibility of this sort of thing.

Re:Not new

Then they don't work. Some have to have a 24/7 Internet connection, and if it gets cut, the devices turn off. I'm just waiting for everything out there, be it fridges, TVs, and anything else to either follow suit, or have a 3G antenna, so it has its own private pipe to tattle user info on.

Re:Not new

[mlts]

Perhaps an even better thing would be to go to a hub and spoke topology? That way, devices can communicate with the center hub (or hubs, if redundancy is desired), and if there is a fix, the hub asks for it on behalf of one device, caches it, so other devices can use that same fix without issue. It is basically what happens when devices communicate through an access point, but the devices would use a low power, low range protocol as opposed to Wi-Fi, or even opening themselves for attack by touching the Internet directly. Plus, with a hub and spoke, an IDS/IPS mechanism can be places so if one device starts behaving suspiciously that is out of the design parameters (nmapping everything it can find), its connection gets dropped, and life goes on. As an added bonus, an attacker would either have to be physically nearer to intercept the low power protocol, or would have to attack the hardened hub (which could run on fairly modest hardware and use virtual machines to separate the firewall instance from the instance that deals with the devices.)

Re:Not new

[arglebargle_xiv]

Doesn't work, they either need to connect out to report data or you need to connect in to read data from them. You then end up with this ghastly mishmash of per-device firewall config rules to handle the requirements of each unit.

Re: Not new

I'll just take that sim out and use it in my phone for free data. Then they'll learn not to over engineer when they get a huge bill.

Re:Not new

[wisnoskij]

That's assuming that the device does has an offline mode, and will work without that connection to a Chinese server.

Re: Not new

[retchdog]

so hype up the dangers and sell the "titaniumShield security appliance" for $300. it doesn't even have to work very well. who cares?

Re: Not new

Just configure it to phone home so you can update its configuration periodically to cover new IoT devices that phone home....

Re:Not new

[AmiMoJo]

I like your idea but I think it misses the fundamental problem with IoT devices: Lifespan.

Older wifi chipsets don't support WPA2 and can't be upgraded. The only option is to replace them, which fortunately is an option with most laptops/computers. Old phones, games consoles, TVs though... You are screwed. The only options are to disable the functionality or use WEP which can be cracked in minutes.

Unless people are going to be happy replacing their IoT doorbell, light switches, smoke alarms, thermostat, cooker, fridge, coffee machine, bathroom scales, toilet, bed, light bulbs, robot vacuum cleaner, car, garage door, CCTV cameras and more every few years we are going to have a problem.

Consumers are short sighted. They won't pay more for a product that uses parts with upgradable firmware and long term support from the manufacturer. Often it's multiple manufacturers that need to keep supporting the device, because if the company making the coffee machine buys a wifi chipset that doesn't get security fixes in the firmware/driver from its manufacturer there isn't much they can do.

Not to mention the difficulty of reporting vulnerabilities to customers.

It's really not an easy one to solve. Your hub idea is a lot better than what we have now, but will only work if the hub is willing to be ruthless about cutting vulnerable devices off, including itself. But then who do you trust to maintain the list of vulnerable devices?

Re:Not new

[MitchDev]

Don't connect them in the first place.

Better yet, DON'T EVEN BUY these things...

Re:Not new

[mlts]

Very true. The hub idea isn't perfect... but it is better than nothing, and with IoT, virtually anything is better than what we have now. Who owns the list is important, but hopefully it can be changed to whomever the consumer wants to maintain it. The key is having some way to not just block devices that have vulnerable firmware, but also limit devices from communicating directly with the outside world. That way if someone's smart toaster has a vulnerability, because it never directly communicates to the Internet, an attacker would have to attack the destination or the smart hub, as opposed to now, where if an attacker gets LAN access, that device is theirs.

Re:Not new

[Gr8Apes]

Not exactly true. Don't buy the devices that are pure clients of a central server. Everything else works standalone, and generally is already or can be hacked. After all, if you buy it, it is yours. "Violating" the EULA merely means that it is likely you won't be under warranty.

Re:Not new

[Slashdot+Junky]

Not buying isn't a practical choice in the general sense. It might be if all the shitty features and behavior was spelled out on the box. Since they aren't, the consumer must discover them after purchase.

Re:Not new

[Gr8Apes]

Agreed. This doesn't surprise me one bit. Maybe the name gives it away... you know... that these Things communicate over the Internet?

I would disagree entirely with your premise. In most cases, people would be perfectly happy to have LAN only connected devices. That is how mine are setup, regardless of what they might "want" to do.

Re:Not new

[Gr8Apes]

if it "requires an internet connection" you can be pretty sure it's not what you want, unless you know enough to hack it.

Re: Not new

[ChickPea]

My neighbours don't have unsecured networks. Otherwise, they'd not be "neighbours"; they'd be "people who live near me."

If don't have the source you don't own the device.

It's really simple. It's separate from source code quality. If you have proprietary software running free on your device then you don't own the device, whoever set up the software owns it. Windows phones home because it's working for Microsoft. Your IOT devices phone home because they are working for a Chinese company. Your Android phone phones home because it's working for Samsung and your mobile operator. This is not different and it's not complicated.

Checking for Firmware Updates

The government has declared that the Chinese are trustworthy and that there is nothing to worry about. The devices are probably just checking for firmware updates.

Who are we kidding. The Chinese know about everything that goes on in this country - probably even moreso than the NSA. Every piece of hardware that enters this country from China should be assumed to be a spy device.

Re:Checking for Firmware Updates

Why look through several million? Just geo-locate the ones in areas of interest.

IoT devices

[ickleberry]

These used to be just IP Cameras, they have been around for years, but now they are suddenly being called IoT devices. I wish this I(di)oT fad would die off and people would just call a spade a spade (or even an IP Spade)

Re:IoT devices

[wbr1]

Spade eh? http://i.imgur.com/HEOJs.gifv

Re:IoT devices

[ArylAkamov]

But...but the hype!

I need more Internet of Things on the Cloud* so I can control my scary DRONE!

Re:IoT devices

[KGIII]

The turn of phrase existed long before the word spade was an ethnic slur.

Re:IoT devices

[ceoyoyo]

Kind of like social networking, Web x.0 and "the cloud?" People get paid the big bucks to come up with these things!

Re:IoT devices

[houghi]

It is just a name.. Language is not binary or logical. It is a tool of comunication. If people talk about IoT, do you or don't you know what people are talking about? Hint: it is not just camera's anymore. It is your toaster as well. It could very well be that you do not like the name, but renaming it to something you like will not really change, becasue then somebody else might not like it. Remember that a rose by any other name is still a rose.

And calling a spade a spade might be good for you or me, but for others this is very bad. That is why people call some things a shovel or a turfing iron. Look at https://en.wikipedia.org/wiki/... for other uses of the name spade.

So as long as you are aware what it means, it is fullfilling its purpose, regardless if it is called IoT or IP Spade (I know that is not what you proposed) or whatever name you like to come up with.

I personally do not like the word pineapple. It is not a pine, it is not an apple, but I do know what they mean with it, so it is fullfilling its function.

Re:IoT devices

[apoc.famine]

I'm a day late, but

* 3D printed DRONE!

Re:IoT devices

[KGIII]

Do you sneak up behind the mentally handicapped and tie their shoelaces together? Do you go to the Special Olympics and change the tape that they run through to an electric fence? Probably not, right? So, what are you picking on that particular group of mentally handicapped for? ;-)

Re:IoT devices

[ArylAkamov]

But are the files for printing it stored ON THE CLOUD?

"insanely bad idea"

[Bruce66423]

Depends on your perspective, doesn't it? If you are aiming to ensure that a cyber attack by the People's Liberation Army on the Imperialists will do a lot of damage, it seems like a GREAT idea...

If you think

[Ol+Olsoc]

That Internet of Things phoning home is some sort of secret, you've been living under a rock the last few years. Phoning home is what they are designed to do. It's the core principle of the IoT.

Re:If you think

[thegarbz]

That core principle was never meant to define IoT as some company monetizing your data.

Re:If you think

[jones_supa]

That's not true at all. IoT simply means an embedded device connected to Internet.

Re:If you think

[wonkey_monkey]

Hey, he's got his smugly-sarcastic-narrative-that-makes-him-feel-smart-on-teh-internet and he's sticking with it.

Re:If you think

[Ol+Olsoc]

That core principle was never meant to define IoT as some company monetizing your data.

But it has become that.

Because an IoT device could probably function just as well without phoning home and selling your data.

Or in the cameras case, they don't have to punch through firewalls (I'd really like some more data on that one) in search of other cameras and constantly phone home. But they do, for some mysterious reason.

Re:If you think

[Ol+Olsoc]

Hey, he's got his smugly-sarcastic-narrative-that-makes-him-feel-smart-on-teh-internet and he's sticking with it.

What really pisses people of is when I'm smug, sarcastic, and right.

Sorta like an honest feedback mechanism for me.

Re:If you think

[Ol+Olsoc]

That's not true at all. IoT simply means an embedded device connected to Internet.

That's a definition, not a principle.

Now in an ideal world, this simple device would be under your control, secure, and the limit of phoning home would be checking for updates (under your control) and sending diagnostics when requested, and also under your control.

But is that what these devices are doing? We don't even know why they are seeking out other cameras. We do know that they phone home even when told not to. So right away, not as simple as you claim. No security, doing odd things.

Nest Thermostats phoning home with unencrypted data http://mashable.com/2016/01/20...

Are you talking in front of your smart TV? Better watch what you say. http://www.computerworld.com/a...

And what could be cuter than a IoT teddy bear for your kids? http://www.dailymail.co.uk/sci...

http://www.dailymail.co.uk/sci...

So then we move on to the established Internet of things. Hospital equipment. That's a hot steaming mess and going to get worse. already hacked multiple times, and ransom paid in at least one case. Or are you going to deny like some, that the embedded systems that hospitals use are magically not part of the IoT?

POS systems,

Re:If you think

[thegarbz]

But it has become that.

In a commercial sense yes. But the principle of IoT is little more than a network of sensors + data aggregation. The core concepts are free of control from any single organisation and there are still companies that offer things, without bolting their version of the internet on its back end.

But they do, for some mysterious reason.

The reason is not mysterious at all. Functionality is requested by users, companies implement functionality in an easy way, and security researchers freak out because the device "phone's home". In the large majority of the cases, "Phones home" is to allow the associated iPhone / Android app to work without the end user requiring any networking knowledge. This is done for much of the same reasons that a Skype session is now initiated by talking to a Microsoft server first rather than attempting to directly connecting to the peer, and much the same reason games that run peer-to-peer do so by first connecting to a lobby.

NAT destroyed end-to-end connectivity for us, companies code around it in simple ways. Security researchers freak out. The world keeps on turning because end users are happy.

DDNS

[110010001000]

This "secret network" is a "DDNS network" so you can more easily connect to your camera from the Internet. Clickbait.

Re:DDNS

[Obfuscant]

It is pretty much a requirement for this kind of thing given the normal NAT operation of most, if not many, home routers and internet connections. How can you monitor your front doorbell from your phone if your home network is behind a NAT router and your phone is on the cellular data network? No, how can Joe Regular User do it?

I am using a network power switch which does exactly this. It pings a server in China on a regular basis (3gstore.com). When I got my first status report from it, I wondered how it was reporting its external WAN address as part of its identification, and then I remembered that a long time ago I had monitored and detected this external traffic. I blocked the first three of these devices I was using at the router, but I decided it wasn't worth it when I added the last one.

Total FUD

[Theaetetus]

Just because something says P2P doesn't mean it "connects to a vast peer-to-peer network". These particular cameras are made to work with a smartphone or tablet app: the camera connects to the company's servers to tell them its IP address; your tablet connects to the server to find out the IP address of your camera; and then your tablet and the camera establish a peer-to-peer connection, so that none of the video travels via the company's servers.

That's it - the two peers are your camera and your mobile device, not some fast torrent network or something.

Now, sure, this could've been documented better, but Krebs should also know better than to jump to hyperbole based on two letters and a number in a configuration screen.

Re:Total FUD

[mikael]

A "vast peer-to-peer network" sounds like cloud computing. Cisco once tried to get their users to configure their Linksys routers through "The Cloud". Unless told to do otherwise, routers would auto-update the firmware so that all configuration settings could only be controlled from Cisco's router management website.

Re:Total FUD

[Bert64]

How would you configure your router to actually work (ie before it has working connectivity)?

Re:Total FUD

[mikael]

Normally you just connect to the local IP address eg. 192.168.1.1 via webpage. Cisco tried to get rid of this and have you register a username/password with their corporate website to access your own router.

Re:Total FUD

[Obfuscant]

Cisco once tried to get their users to configure their Linksys routers through "The Cloud".

Cisco still forces people to configure some of their switches through the cloud. I bought an MS220 (IIRC) and found it was busy transmitting my home network configuration (with a list of systems and MAC addresses) off to Cisco for some reason I can only guess at. This is to avoid having a full-featured web interface on the switch itself, and to gather target data about their users. Once I got it configured I blocked it at the router. If I ever power cycle it it will take a few minutes to come back online as a switch because it is busy trying to call home to Momma, but eventually it stops and does the job it was designed to do.

Updates

[phorm]

Phoning home isn't notable unless you know what it's doing so for. It could be to send information back, or it could just be to just for updates etc.

Re:Updates

Yeah let's not forget last year's favorite headlines: "IoT devices vulnerable because they don't ever update their firmware". Every device was automatically an insecure spy-on-your-daughter device that should burn in a fire if it didn't have automagic firmware updates.

Reasons why I don't like the Internet of Things.

Here's a list of reasons why I don't like the Internet of Things:

1) Internet of Things devices could watch me while I sleep.

2) Internet of Things devices could watch me while I pee.

3) Internet of Things devices could watch me while I make kaka.

4) Internet of Things devices could watch me while I pleasure myself.

5) Internet of Things devices could watch me while I wash my body in the shower.

6) Internet of Things devices could watch me while I relax in the tub.

7) Internet of Things devices could watch me while I brush my teeth.

8) Internet of Things devices could watch me while I make passionate love to my wife.

9) Internet of Things devices could watch me while I brush my hair.

10) Internet of Things devices could watch me while I read a book.

11) Internet of Things devices could watch me while I read Slashdot.

12) Internet of Things devices could watch me while I bake cake.

13) Internet of Things devices could watch me while I put in my contact lenses.

14) Internet of Things devices could watch me while I get ready to play golf.

15) Internet of Things devices could watch me while I do my laundry.

16) Internet of Things devices could watch me while I think about rugby.

17) Internet of Things devices could watch me while I tie my shoes.

18) Internet of Things devices could watch me while I celebrate the 4th of July.

19) Internet of Things devices could watch me while I water my flowers.

20) Internet of Things devices could watch me while I eat ham.

21) Internet of Things devices could watch me while I use my stapler to staple documents.

22) Internet of Things devices could watch me while I chew bubble gum.

23) Internet of Things devices could watch me while I check the oil in my car.

24) Internet of Things devices could watch me while I look for my TV remote.

25) Internet of Things devices could watch me while I blow my nose.

26) Internet of Things devices could watch me while I rearrange my stamp collection.

27) Internet of Things devices could watch me while I listen to the Backstreet Boys.

28) Internet of Things devices could watch me while I do my calisthenics.

29) Internet of Things devices could watch me while I search for a paper clip.

30) Internet of Things devices could send information about me to advertisers.

31) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I sleep.

32) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pee.

33) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make kaka.

34) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pleasure myself.

35) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I wash my body in the shower.

36) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I relax in the tub.

37) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my teeth.

38) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make passionate love to my wife.

39) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my hair.

40) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read a book.

41) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read Slashdot.

42) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I bake cake.

43) Internet of Things devices could let advertisers use the data unsuspectingly coll

Insanely bad idea?

[gstoddart]

the behavior is an "insanely bad idea," and that it opens an attack vector into home networks

I'm sorry, but based on what we've been seeing, so far the entire Internet of Things is an insanely bad idea ... shoddy security by incompetent idiots who want more analytics data and ad revenue, and don't give a crap about your security.

Fuck that, I want my toaster connected to the internet why again?

That this is happening should no longer come as a surprise to anybody who has paid even the smallest amount of attention to how much of a mess the IoT is.

Re:Insanely bad idea?

[ChunderDownunder]

Since you didn't get the meme, here 'tis.

NetBSD has been running on toasters for over a decade.

Re:Insanely bad idea?

[gstoddart]

Awww, pookie ... do you make internet connected toasters.

Wah wah wah, the mean old man made fun of IoT.

Seriously? Get over it. I know what IoT is, I just don't think it's worth all the hype.

A bunch of random crap connected to the internet so a bunch of idiots with no attention span can feel cool because they can control it from their phone? Yeah, don't care. Your technology fetish is your damned problem.

The only value I see in IoT is the endless amusement I get as everybody howls about how they've been taken and sold cheap crap with non-existent security.

For that, it's priceless.

Re:Insanely bad idea?

[bigdavex]

Fuck that, I want my toaster connected to the internet why again?

How else do you think it will keep its antivirus software up-to-date?

Re:Insanely bad idea?

[WaffleMonster]

Fuck that, I want my toaster connected to the internet why again?

You don't.
No one does.
And the fact that you think IoT = toaster connected to the internet shows how little you understand of the concept.

So what exactly is the point of IoT in consumer space? I've been trying to figure it out for a while and honestly have no idea.

Or maybe you are just picking a useless edge case to try and make an anti-IoT point.

Trade rags seem unable to communicate a coherent value proposition other than data collection and ads. Always fridges, light bulbs, thermostats and similarly useless crap.

I go to browse the "connected home" section at my local electronics store and all I see are overpriced worthless gadgets not so dissimilar in value to an Internet connected toaster.

So what exactly is the point? What don't I understand?

In non consumer contexts "IoT" is fundamentally equivalent to 20+ year old "sensor network" meme that brought us SLAAC in IPv6.

Re:Insanely bad idea?

[thegarbz]

Oh I know there's a meme. But I also know that an unfortunate majority here on slashdot don't think it is one.

Re:Insanely bad idea?

[thegarbz]

A bunch of random crap connected to the internet so a bunch of idiots with no attention span can feel cool because they can control it from their phone? Yeah, don't care.

Yep. Failed. Thought so. The vast majority of IoT stuff I've come across with can't be controlled from a phone. Heck it can't be remotely controlled at all. Ignorance is bliss isn't it.

Re:Insanely bad idea?

[thegarbz]

So what exactly is the point of IoT in consumer space?

For most products it's the same as it is in the commercial space. The only difference is that assets under monitor and control are physical things you own rather than a mix of customer connected monitoring devices ala "sensor network".

Ultimately "sensor network" is it. Data aggregation of your life and monitoring of your things is the goal of IoT. (Though admittedly many corporations believe that "them monitoring you" is what it's all about and that is just fucking with an otherwise good concept).
Examples from my house:
- Trends from the temperature in my apartment show I had the heater turned on a good hour before I got home from work. But in the week the heater was off I realised I spent that hour leeching heat from the neighbours anyway and while it normally took an hour to get the apartment up to temperature on a week day at 4pm I could do it in 15min.
- Trends from my water meter shows a leaking pipe under ground costing me money I would likely have not noticed before something actually got damaged.
- Trends from my power meter showed my fridge was set to the wrong temperature after a power outage. I could see that due to the duty cycle changing.
- Video monitoring of my old house showed that it wasn't the cat stealing food at night, it was a possum.

If none of this sounds like a new concept, it isn't. IoT is nothing more than the sensor networks discussed 20 years ago... around about the same time as we were discussion the damn internet connected toaster.

In the commercial space it is far more important but ultimately the same. Microsoft + ThyssenKrupp have a great presentation they like to show of how they used some IoT hardware and Azure's management platform to pro-actively predict failures of elevators. All the additional data they've gathered means they not only predict failures, but can accurately schedule maintenance for hours where the elevator are shown to be used the least.

IoT is a shitty name for something otherwise quite good and useful.
IoT is a great concept that unfortunately some companies are shitting on by collecting and selling your data to 3rd parties.

Re:Insanely bad idea?

[Endymion]

Ultimately "sensor network" is it. Data aggregation of your life and monitoring of your things is the goal of IoT.

That's exactly why we call it an "insanely bad idea". When you aggregate that much data about people, the risks are huge while the benefits are small and in many cases, still theoretical. Unfortunately, humans are bad at evaluating risk, which may be why you react strongly to the claim that the IoT is and will be full of "shoddy security by incompetent idiots who want more analytics data and ad revenue, and don't give a crap about your security".

It is patently obvious the data that "sensor network" produces will be exfiltrated quickly and easily. We have seen a many cases in the last year where data was stolen from business and government agencies. Only a total fool would claim that they have perfect security and will be able protect all that personal data forever. Even worse, current products show how the data will be exfiltrated by the manufacturer, as a "feature". By centralizing data, they make a better target and a single point of failure that only needs to be attacked once. Of course, attacking a network of cheap mass-produced IoT devices shouldn't be hard - it's a monoculture that will all fall to the same type of attack.

This security problem should be obvious, and anybody involved in making these 1oT "sensor networks" is either wilfully negligent or has another agenda. A responsible person would notice that "ease of use" never overrides "safety".

Trends ...

Yet again, you do not need internet access to make devices that logs trends in sensor data. The only reason that is so important is that you either don't understand the various hardware possibilities you could be using instead, or you are hiding that you are a thief trying to "monetize" the "analytics" produced by these devices.

Re:Insanely bad idea?

[WaffleMonster]

Data aggregation of your life and monitoring of your things is the goal of IoT

To what end?

- Trends from the temperature in my apartment show I had the heater turned on a good hour before I got home from work. But in the week the heater was off I realised I spent that hour leeching heat from the neighbours anyway and while it normally took an hour to get the apartment up to temperature on a week day at 4pm I could do it in 15min.

Leeching from thy neighbor in principal sounds like a great use of technology. I imagine at some point you can expect the dreaded "WARN: THERE IS ANOTHER SYSTEM" message to flash across your console as your neighbor gets wise and introduces retaliatory AI into the control loop of their heater.

Trends from my water meter shows a leaking pipe under ground costing me money I would likely have not noticed before something actually got damaged.

A little old fashioned but you could look at the little spinning leak detector triangle on your meter.

- Trends from my power meter showed my fridge was set to the wrong temperature after a power outage. I could see that due to the duty cycle changing.

Are there fridges on the market which lack non volatile temperature settings? Or is it just the IoT models which need to download temperature settings from "the cloud" before they will even start? The excuses for caring are always like this so crazy and far fetched as to be practically indistinguishable from useless.

IoT is a great concept that unfortunately some companies are shitting on by collecting and selling your data to 3rd parties.

This isn't just a case of a few bad actors. It is the entirety of the market.

Re:Insanely bad idea?

[thegarbz]

When you aggregate that much data about people

Woah who are "people"? I aggregate my data and my data alone. Or did you miss the part of the post where I talked about the fundamental concept as distinctly different from having a corporation hold the data for you? Read my last line.

Yet again, you do not need internet access to make devices that logs trends in sensor data.

No you don't. Again this idea isn't new. It's a "sensor network". But "network" is not a trendy buzzword like it used to be. "Sensor internet" didn't have the same ring to it. Wait ... you thought the title "Internet of Things" actually defines the way it works?

The only reason that is so important is that you either don't understand the various hardware possibilities you could be using instead

You're making a lot of assumptions. Your first failure is thinking that any of my Internet of Things devices are actually connected to the internet. Internet of Things does not mean someone else is in control of your data if you know what you're buying.

Re:Insanely bad idea?

[Endymion]

stored local to the sensor network

That still creates an exfiltration risk. Pretending that risk doesn't exist is negligence. Don't pretend any device has perfect security; most embedded hardware runs ancient kernels that have know exploits.

aggregating sensor data is not a bad idea as long as the data is ... anonymized

Yes, that's still a terrible idea. It is very difficult to "anonymize" personal data, as it can usual be re-correlated back to whomever generated the data. Even simple traffic analysis - without knowing the content of the network packets - can betray important information to the world.

Even combining a bunch of sensor data so that you can reconstruct someone's whole schedule is useless without knowing who that person is

I don't believe you are really this stupid. Of course you can connect it back to the person. Listen to when the packets were sent from their house and correlate that with the timestamps on the server. That's only one way to de-anonymize records; some creative thinking will reveal more.

"Anonymized data" is magic pixie dust that internet businesses use to disguise how they monetizing user data.

On Taxis and Rainbows

“Anonymized” data really isn’t

Re:Insanely bad idea?

[thegarbz]

To what end?

The examples speak (and in my case paid) for themselves.

Leeching from thy neighbor in principal sounds like a great use of technology. I imagine at some point you can expect the dreaded "WARN: THERE IS ANOTHER SYSTEM" message to flash across your console as your neighbor gets wise and introduces retaliatory AI into the control loop of their heater.

Thy neighbour could install better insulation. But saving money is about being smart. If thy neighbour is not smart chances are they aren't looking for ways to save money. There's a reason when I had the choice of 2 apartments in the building I chose the centre one.

A little old fashioned but you could look at the little spinning leak detector triangle on your meter.

IoT doesn't create anything new. Heck most of technology we have now hasn't really created much "new" stuff. It's about making things easier. Do you check your water meter every day? Every week? How often do you check for leaks? This is about baby steps and minor improvements, not some earth shattering change to the way of your life.

Are there fridges on the market which lack non volatile temperature settings? Or is it just the IoT models which need to download temperature settings from "the cloud" before they will even start?

Yeah about every fridge where the temperature is set via push button and not via big dial, which pretty much includes every fridge on the market over $500. Nothing internet connected about them. Heck nothing even EEPROM about them. But the point is not about the technology in the fridge, it's about what can be seen from data. You can just as well identify leaking fridge seals in a 50 year old analogue model with this method if you do the analytics right. But it comes down to what level you're looking at. I've got every saving lights in my entire house, low energy everything. So chasing the last few bits of efficiency suddenly becomes a trickier problem than looking at my quarterly bill.

This isn't just a case of a few bad actors. It is the entirety of the market.

IoT is a concept not a market. In the above case one of the options is a commercial product used as intended which doesn't phone home. Another is a commerical product NOT used as intended which doesn't phone home, and the remaining 2 are home made and DIY kit.
The market is huge. Don't try to claim that the "entirety" of the market is the same, especially when talking about a concept that extends beyond the market.

Re:Insanely bad idea?

[Endymion]

Wait ... you thought the title "Internet of Things" actually defines the way it works?

Nope. Making an ubiquitous "sensor network" is a problem by itself, because those sense will be put on the internet eventually. Why would you believe your sensors will somehow stay off the internet, in defiance to the trend of the last decade to put an 802.x or 8011.x NIC on absolutely everything?

distinctly different from having a corporation hold the data

Just like how personal webpages are now self-hosted? Oh, that's right, the entire concept of having a personal webpage was appropriated by Facebook and other corporations with centralized hosting.

You're making a lot of assumptions.

And you seem to have a negligent attitude toward security, and a terribly naive view of corporate world.

Here's how your IoT can proceed without being socially irresponsible: accept liability for the problem your "sensor network" produces. You shouldn't have a problem doing this if you believe the risks are small. If, however, you think this would be too much liability, then we must conclude the IoT industry, like coal based power, is externalizing its costs.

Re:Insanely bad idea?

[thegarbz]

Just like how personal webpages are now self-hosted? Oh, that's right, the entire concept of having a personal webpage was appropriated by Facebook and other corporations with centralized hosting.

You're conflating choice and appropriation. You're more than welcome to host something on blogspot. Just like you're more than welcome to host something on your home PC. The choice is yours and the trade offs are yours and yours alone to decide. Don't blame the evil corporations for providing you options.

And you seem to have a negligent attitude toward security, and a terribly naive view of corporate world.

That's funny because you're making assumptions about the security model I employ... again. Given I've just told you that my choice of IoT hardware and services involve personal control, nothing internet related, and picking a product that doesn't phone home I'm just going to conclude that you're now just arguing for arguing's sake. Well you can keep projecting your idea of what I am thinking and argue with yourself.

ESP 8266-12E to invade the world!

[MindPrison]

I'm a user of the now Arduino compatible ESP 8266-12E ever so popular IoT 2$ device. It's a WiFi on a chip + a nice 80 MHz microcontroller (32 bit) with 4MBit flash ram to boot, it's insanely cheap for what you actually get...

If you just use them as they are (With the AT+ command set, hayes compatible) - they already phone home because they can Upgrade the firmware - albeit you can initiate that yourself).

But unless you've got a WiFi hotspot with a firewall where you can Wireshark monitor your network traffic - you will have NO idea whether this thing is phoning home with a few extra details about your network, it's bad enough that it actually phones "home" with your IP address, I'm not sure if it does that - but it's def. worth an extra look. Anyone know the details about this? Have anyone tried looking into the ESP8266 series to see if they even phone home after they've been bootloaded with the Arduino Bootloader?

We've got to be a little careful about this - I agree completely - It's so tempting to just insert those wonderful all-in-one IoT devices here and there...and forget about the advanced details...because lets face it - they've made it wonderfully practical for us to use with very little skill or knowledge required to get these things talking to each other (while - perhaps...hiding a darker side).

Re:ESP 8266-12E to invade the world!

[silas_moeckel]

IoT Subnet, it needs not be able to reach the internet ever.

Re:ESP 8266-12E to invade the world!

[ceoyoyo]

Not much of an internet of things then, is it?

Re:ESP 8266-12E to invade the world!

[silas_moeckel]

I've got a couple hundred devices that work that way and seems pretty internet of things to me. Only they are my things and only allowed to talk to what I allow them to.

So CCTV camera only talk to NVR's and an application specific gateway. Why would some wifi camera need to talk to the internet as a whole? If I wanted to access it directly I can VPN in. In general the application gateway thats part of my home automation give me all the live info I need. The NVR's deal with long term encryption and retention. They keep trying to sell this kit as disposable flash in the pan junk that quickly becomes useless as standard evolve etc. I still have an IP camera that is 14+ years old, sure when the hardware fails I'll replace it with some multi megapixel unit. The basic concept of of an IoT devices talking directly to anything else is pretty broken. These are devices that should be expect to just work for a long time. App specific gateways can and should be updated on a regular basis but those tend to be mostly software that can run in a VM if IoT takes off probably a function of the wifi AP for normal home users. Firmware updates for CCTV can generally be done from the NVR, with commercial systems this is the default with the NVR also acting as the gateway, POE switch etc etc on the low - medium end.

Security system is mostly stand alone as I want the UL listing for the insurance company to be happy, it has internet access for signaling the alarm company.

HA needed talk to anything but the app gateway. Considering that it's running on 4 or more RF + several wired standards beside IP based it's pretty much a requirement. Picking out gear that works while not connected to the internet can be tricky at times as some of the IP based kit has no local interface. The ESP-8266's actualy work rather well for the homebrew kit they have plenty of brains to do the job autonomously but the system works better on the whole with an overall controller. Simple example, I've got wired motion sensors around the house as part of the security system, I have zwave 6 in 1 sensors where those wired ones do not cover, the overall controller has access to both, it also has access to bluetooth and a number of other inputs to make decisions. That gateway does need some internet access, weather forecasting and a connection to my cellphone being the big ones. But why my lightswitch needs an internet connection?

Re:ESP 8266-12E to invade the world!

[ceoyoyo]

That's all well and good, but the manufacturers want to sell IP cameras and other "Internet of things" stuff to regular consumers. Regular consumers don't "VPN into" things. They tap on an app on their smartphone.

Besides which, unless you're extraordinarily lucky or for some reason spend multiple times the regular rate for Internet service, you have a dynamic DNS address. That means something on your network, whether it's a toaster, desktop computer or your router, has to talk to an external DDNS server to update your IP address in order for you to have something to VPN into. So there's something, probably Chinese made, on your LAN "phoning home" anyway.

Re:ESP 8266-12E to invade the world!

[silas_moeckel]

Point being IoT end devices should not be exposed to the internet it's a horrid design for something that should work for 10+ years without modification. App specific controllers make sense thus why zwave etc does just that.

Setting up a singular VPN to a dynamic IP is pretty easy and thats one thing updating one service to do so. My app gateway just works with my phone. Besides who wants to install and maintain a pile of different apps. My garage door opener has an app, I just use the single app gateway. Same goes for some fancy light bulbs, the widget that lets me know when the BBQ is running low on gas, etc etc. The IoT will die as a pile of silo's with all the logic in the cloud. The usefulness is it in all working together seamlessly not vendor lock in.

Why is this a surprise?

[Brett+Buck]

That's what the whole point of the IoT. If you are going to control your lights or toaster or whatever with your phone, OF COURSE it has to connect to an external server - so that you can connect to the device. Naturally, it's stupid, but that's the IoT for you.

Re:Why is this a surprise?

[fyngyrz]

Wrong.

Re: Why is this a surprise?

[techabuse]

Nope. VPN.

Now that kids is why ...

[dbIII]

Now that kids is why you don't tell any device that doesn't need to get out on the net what the gateway address is.

If you need to access it via the internet, then fair enough, but now we've got yet another example as to why we should use firewall settings to make sure they can only contact what you want them to contact.

Re:Now that kids is why ...

[Endymion]

We're seeing the current wave of WiFi-enabled devices because the cheap SoC parts now include a WiFi NIC. At some point in the future (I believe prototype hardware already exists) a new SoC will include a baseband processor and software defined radio. When that happens, all of these devices will no longer need your permission and LAN access to steal data - they will simply use the cellular networks.

If you buy these WiFi devices - regardless of your plans to deny them your gateway address - you are supporting the development of the next generation of devices that will be much harder to block. Stop giving them money. Yes, this might mean you have to give up some luxuries in the short-term, but it['s only going to get worse if you don't fight this now.

Re:Now that kids is why ...

[dbIII]

they will simply use the cellular networks.

Greed of phone companies is currently a very effective barrier to that. For it to phone home (literally) non-trivial cash has to be put up for each device.
That may change and may already be worked around via opportunistic connection to free WiFi if the device is at some point in range, but for now it's a distant worry.

Philips Hue does this too

[james_marsh]

Any IOT device that has access from a smartphone does something like this. If you look at the traffic from a Philips Hue hub you'll see SSDP broadcasts, NTP synchronisation and phoning home with details of it's local IP address and checking for updated firmware.

This article seems to be yet more anti-Chinese nonsense. There was a very similar one recently by an American "journalist" that didn't understand that NTP is a distributed protocol either and implied these devices were somehow infiltrating US homes and forming a secret network. It possibly inspired this article, though unfortunately I can't find the original just now to link to.

The answer is to put IOT devices in a DMZ/restricted guest network which more and more routers are supporting out of the box.

Re:Philips Hue does this too

[mikael]

https://tools.cisco.com/securi...

https://social.technet.microso...

http://www.kb.cert.org/vuls/id...

It's just a harmless protocol - nothing to worry about.

Re:Philips Hue does this too

[james_marsh]

Pretty sure these devices won't be running a full blown ntpd; it's most likely busybox-ntp on the Hue according to the open source licenses listed. Similarly unless you make a real mess of your home router setup, incoming WAN packets will never reach the IOT device's NTP daemon, so I don't see an enormous threat from it.

Historically Netgear was the worst NTP offender and is still spamming the University of Wisconsinâ"Madison with a hardcoded server address in old routers.

There are a lot of crap IOT devices out there, but being made in China is not the main issue. Frankly they're probably more trustworthy than devices coming from a country like the UK where new legislation will seek to force companies to add backdoors and will force them to keep it secret. (And the US is pretty close behind the UK in wishing to weaken security.)

IoT devops = security nightmare

[JesseEnjaian]

At the current state of affairs, almost all IoT devices are programmed using development environments provided by the semiconductor (e.g., http://www.nxp.com/products/so...). And most of these are a composition of open-source tools (i.e., GCC, Eclipse, etc.) with some proprietary interfacing software (e.g., something like JTAG to program the chip with). The vendor-specific IDEs (e.g., customized Eclipse) often come with networking libraries (i.e., something BSD sockets-esque for Internet) they made and /maybe/ some simple threading library (i.e., no operating system). The programs compile to real-time code and this code is then "flashed" to the chip/flash using something like JTAG. That's it. Security nightmare. The "obfuscation" of JTAG and compiling to ARM (versus x86) has let A LOT of companies do some crazy programming on IoT devices. My IoT camera has a physical kill-switch I use when I get home (i.e., I unplug it).

Massive DDOS

[Etherwalk]

But unless you've got a WiFi hotspot with a firewall where you can Wireshark monitor your network traffic - you will have NO idea whether this thing is phoning home with a few extra details about your network, it's bad enough that it actually phones "home" with your IP address, I'm not sure if it does that - but it's def. worth an extra look.

And there's the rub. If you plant software in a million devices that come out of China, you have access to a million US Networks (usually in wealthier, higher-bandwidth homes) for attacks within those networks and attacks that use the network bandwidth to attack other targets. If you were in charge of corporate or state espionage in China, wouldn't you like to have access to the network of every software engineer or wealthy businessman who buys a new toy? How many IoT devices create a new vulnerability that can be exploited en masse or even for targeted attacks? How many can monitor wireless keyboard signals and read banking passwords?

No need to phone home.

[fyngyrz]

And it is completely, absolutely, 100% unnecessary.

o Plug in not-yet configured device.

o Shortly thereafter, it accepts DHCP configuration. Now it has an IP.

o Then it vomits out a tiny UDP (broadcast) packet every 60 seconds or so that says "I'm a WackyWidget and my IP is Yad.daY.yad.daY"

o You start app, it listens for the UDP packet, when it hears it, it begins comm via TCP at the IP identified in the UDP broadcast. UDP broadcasts then cease until, or unless, the TCP (and possibly the DHCP) connection is dropped, in which case, begin again at whatever step is needed.

That's it. That's ALL of it. You need nothing more for an IP camera, a smart power plug, a smart lightbulb, an aquarium controller, the garage door opener, etc., etc., ad infinitum.

If you THEN want to expose WackyWidget to the WAN, you could enable that separately.

If you were out of your damned mind.

If you haven't yet figured out that "the cloud" is nothing but a way to take/get things from you -- money, data, ownership of media, etc. -- then you really need to look at all this harder.

Re: No need to phone home.

[guruevi]

You're describing Bonjour/mDNS and yes it works within LANs but not if you want to connect from outside your network. People want convenience, punching a hole in your firewall is a "lot of work" and sometimes impossible depending on your configuration.

And yes, anyone with the information could possibly have your camera talking to them but most people don't care or refuse to understand the issue. Whether it's China or the NSA, as long as people have "bread and circuses" they'll be fine.

Re: No need to phone home.

[techabuse]

I own a few Chinese IP cameras i bought for experimenting, and no two of them work with the same app/P2P cloud bullshit/whatever. They do, however, all expose Telnet and SSH to the world. There's no way I'd let them anywhere near the WAN because they're all running Linux on a decently snappy ARM SOC and phoning home. Can you say beach head?

Re: No need to phone home.

[fyngyrz]

Smart. But you are (and I am) the exception. People are ignorant and gullible and dishonest marketing is a complementary protein for that particular receptor.

Re:No need to phone home.

[Theaetetus]

And it is completely, absolutely, 100% unnecessary.

o Plug in not-yet configured device.

o Shortly thereafter, it accepts DHCP configuration. Now it has an IP.

o Then it vomits out a tiny UDP (broadcast) packet every 60 seconds or so that says "I'm a WackyWidget and my IP is Yad.daY.yad.daY"

o You start app, it listens for the UDP packet, when it hears it, it begins comm via TCP at the IP identified in the UDP broadcast. UDP broadcasts then cease until, or unless, the TCP (and possibly the DHCP) connection is dropped, in which case, begin again at whatever step is needed.

That's it. That's ALL of it. You need nothing more for an IP camera, a smart power plug, a smart lightbulb, an aquarium controller, the garage door opener, etc., etc., ad infinitum.

If you THEN want to expose WackyWidget to the WAN, you could enable that separately.

If you were out of your damned mind.

If you haven't yet figured out that "the cloud" is nothing but a way to take/get things from you -- money, data, ownership of media, etc. -- then you really need to look at all this harder.

That's a really long and condescending way to say "I don't understand how subnets work". While it may work fine on your household network, this camera is designed to be accessed over the public internet. Most people don't need to check security cameras that are in the same room as them.

Re: No need to phone home.

[nehumanuscrede]

Same reason you lock down everything. Especially those things which are dual network capable. ( eg cellular equipped )

There is a very good reason the smartphones and the alarm system reside on Private vlans.

They can easily be utilized as a " beach head " or jump server into your network bypassing your firewall completely.

Re: No need to phone home.

[nehumanuscrede]

Setup a VPN.

Connect to VPN, check your camera, disconnect from VPN. Tada. Want to go a step further ? Configure VPN to only allow access to camera.

No open ports on the edge router, can easily route outbound traffic from suspect device to a black hole or just deny it completely.

Re: No need to phone home.

There seems to be an inconsistent level of detail between the grandparent post, which described a reasonable set of steps for automatic UDP-based discovery on a single broadcast network, and your post here which condenses the much more complex process to "setup a VPN" into a single step.

Securely exposing a VPN endpoint is in fact exactly the same problem as securely exposing an IP camera. Would you suggest that I use a VPN to access my VPN too?

Re: No need to phone home.

[ceoyoyo]

Trivial, is it? As the GP explained, the vast majority of people do not have static IP addresses so it's absolutely necessary to use a DDNS type service. Since the DDNS service has to be a server somewhere that DOES have a static IP address, that is indeed what the kids today call "the cloud."

Re:No need to phone home.

[tlhIngan]

And it is completely, absolutely, 100% unnecessary.

o Plug in not-yet configured device.

o Shortly thereafter, it accepts DHCP configuration. Now it has an IP.

o Then it vomits out a tiny UDP (broadcast) packet every 60 seconds or so that says "I'm a WackyWidget and my IP is Yad.daY.yad.daY"

o You start app, it listens for the UDP packet, when it hears it, it begins comm via TCP at the IP identified in the UDP broadcast. UDP broadcasts then cease until, or unless, the TCP (and possibly the DHCP) connection is dropped, in which case, begin again at whatever step is needed.

That's it. That's ALL of it. You need nothing more for an IP camera, a smart power plug, a smart lightbulb, an aquarium controller, the garage door opener, etc., etc., ad infinitum.

If you THEN want to expose WackyWidget to the WAN, you could enable that separately.

If you were out of your damned mind.

If you haven't yet figured out that "the cloud" is nothing but a way to take/get things from you -- money, data, ownership of media, etc. -- then you really need to look at all this harder.

which makes the device useless to the people who buy it. People buy security cameras with IP connectivity so they can view their camera from a remote location, for alerts and the ability to view and control devices remotely.

Like you have a camera on your front door. It sends you an alert someone is there, to which you access your camera to see who it is. Generally, this is useful if the UPS or FedEx guy comes while you're at work, at which point you can ask them to drop the package off in the garage (which you open and close remotely). No package left on the door stop, and the garage door is closed by you so it's safe and waiting for you.

And that's the reason why people are going for the "cloud" stuff. Sure there's probably a few lazy asses using it inside their home (or their home is a huge mansion that takes 10 minutes to get from one side to the other), but the key selling point of this "IoT" devices is remote access.

Remotely turn on the lights. Remotely turn on the heat or AC so you come home to a warm or cool house. View cameras and recordings while you're out.

What you propose is secure, but gives consumers none of that. They're buying it for the remote accessibility and giving them only local access until they do a bunch of fancy stuff is basically counter to what consumers are buying the things for.

Re: No need to phone home.

[vtcodger]

You can never be too rich, too thin, or have too many VPNs.

Re:No need to phone home.

[thegarbz]

o You start app, it listens for the UDP packet, when it hears it, it begins comm via TCP at the IP identified in the UDP broadcast. UDP broadcasts then cease until, or unless, the TCP (and possibly the DHCP) connection is dropped, in which case, begin again at whatever step is needed.

Ease of use: 1 star
Device required some weird configuration. Couldn't connect to it via my iPhone when I wasn't at home out of the box. Should come pre-configured in a way that most people want. Would not buy again.

Re:No need to phone home.

[CRC'99]

... because I only ever want to watch my video cameras while I'm in front of them.

The whole idea of this is to get out of NAT systems - so the real solution is just use IPv6 - but we all know how long thats going to take.

Re:No need to phone home.

[houghi]

So let me get this straight. It just needs to broadcast its IP adress untill there is a connection and restarts when it gets a new IP untill it gets an autentification.

So I have a garagedooropener and i,agine I do not have a domainname liked to it and I am married.

I install it and my wife and I configure the IP adress at home. We go to work. It changes IP adress as my provider does randomly. So it starts spewing its IP over UDP all day long. I get home first, have to wait on average 30 seconds. I get the new IP and the system stops sending. I leave to pick up something from the store.

Now my wife comes home. The system does not send anything anymore. She does not have the IP. She can not open the door.

The obvious solution for this is to have a dyndns or similar service, so we can use a standard domain name. That is a tech solution/ The second is to use a server as middle man where you can pick up info.

Both are not that different One uses a domain name, the other a login and password.

That said, waiting on average (with 60 seconds as max) to open a door or turn on a light is a LONG time. Having a fixed IP would solve all that, but providers like to resell stuff they do not need to pay for as you would have an IP adress anyway.

Do you NEED these things? No. I bet you do not need the majority of stuff you have either, unless you live 100% frugal. Bt that is a complete different discussion.

Re: No need to phone home.

[edtice1559]

Indeed if it were trivial, there wouldn't be entire DDNS businesses! Even with DDNS you have some work to do. AFAIK the default configuration on most wireless APs is to use NAT. So even if I know unrouetable IP address of the camera it wouldn't help. I'd venture that the manufacturers get way more calls saying its too hard to get configured than requests for the information necessary to secure these things.

Re: No need to phone home.

[ceoyoyo]

It used to be for sure. Configuring port forwarding manually isn't for the average person. Now there are a bunch of ways to poke holes in NAT though. One of the most common is a UPnP IGD, which is a protocol for asking the router to pretty please forward a port for you.

Re: No need to phone home.

[edtice1559]

Right. So somebody makes a device that does this automatically and also has built-in DDNS to make it super-easy. And it gets put on the front page of /. as "secret phoning home." You just can't win!

Re:No need to phone home.

[Bert64]

So someone needs to market an easy to use but otherwise secure home firewall device which has a dmz network to put questionable devices in, and an easily configured vpn that you can use to access things remotely...
I have all of this setup at home, and some very shady cctv cameras in their own vlan isolated away from anything else.

Re: No need to phone home.

[Obfuscant]

One of the most common is a UPnP IGD, which is a protocol for asking the router to pretty please forward a port for you.

Which would cause more cries of dismay do you think? Some average Joe finding out that his IoT device is reporting some trivial information to China, or Roger InternetGuru who found out his latest IoT is busy telling his firewall to create port forwarding rules without his knowledge or approval?

Re:No need to phone home.

[Obfuscant]

So someone needs to market an easy to use but otherwise secure home firewall device which has a dmz network to put questionable devices in, and an easily configured vpn that you can use to access things remotely...

Hi. I'm your customer. I just bought your easy to use firewall. What do you mean by "questionable device"? How do I know which devices are "questionable"? Isn't it much safer to put all my devices in this "questionable" category? I mean, I've heard so many bad things about Windows 10, surely it must be "questionable". But that means my entire home network is now in a "questionable" network. What's DMZ?

And VPN? Isn't that a television network? I'm very confused. But your device is marketed as "easy to use".

Re:No need to phone home.

[thegarbz]

So someone needs to market an easy to use but otherwise secure home firewall device which has a dmz network to put questionable devices in, and an easily configured vpn that you can use to access things remotely...
I have all of this setup at home, and some very shady cctv cameras in their own vlan isolated away from anything else.

DMZ? Network? VPN? VLAN?

What the hell language are you talking man! All I want is a bloody camera connected to my iPhone. Why can't you provide that when your competitors can?

Re: No need to phone home.

[guruevi]

It is trivial for "us", but for people that have no idea how their systems work, this isn't. If it's not available within a click or by installing a program from a CD, they won't be able to do it.

It's Foscam you /.pussys

[EvilSS]

Really Dice, scared shitless to mention the manufacturer?

Here is the Krebs link if you want the actual details and don't want to dig it out of the articles linked in the summary: http://krebsonsecurity.com/201...

Re:It's Foscam you /.pussys

[EvilSS]

Dice sold the site...

Pay attention.

Really? lol. Guess I don't pay attention. So who bought it now? Who's more of a sucker than Dice?

Re:It's Foscam you /.pussys

[EvilSS]

Something called BIZX. There's a staffer called "whipslash" going around and answering people's question. He's promising a lot.

They were bought out by Limp Bizkit?

why singled out chinese?

[sittingnut]

by this, one can get a false impression that this sort of thing is confined to a "chinese manufacturer ", when it isn't.

Re: WoW, after all THAT, you give ME guff?

[techabuse]

Welcome back, buddy. We missed you.

From the

[fisted]

from the no-shit-sherlock dept?

Start to fix this ...

[Alain+Williams]

with legislation: (a) that this must be documented (what, where to, ...) and (b) how to switch it off. However that will not happen: (1) most of the legislators do not understand the problem; (2) those that do realise that this would stop $OurCountry products from doing this at the behest of GCHQ/NSA/... So it shall be ignored.

There might be some movement when some government high ups are, through one of these, exposed: in bed with a hooker; snorting white powder; accepting money\Wcampaign-contributions from a known crook; ... although I suspect that it will be easier to sue/bribe the media than fix the problem.

Re: Start to fix this ...

[nehumanuscrede]

A better way to fix this is to forgo legislation ( think of the level of tech expertise within Congress for just a moment ) and start teaching the average user about the security concerns that comes with convenience.

Re:Start to fix this ...

[Obfuscant]

with legislation:

And you will wind up with the kind of legislation where wireless router manufacturers can't allow user firmware to be loaded because there's a radio involved.

Obviousl...

[Locke2005]

Big Blothel is watching you!

Have some fun

[PPH]

Set up a honeypot consisting of a Chinese DVR and a bunch of security cams pointing at pictures of Minuteman ICBMs sitting in their silos. Sit back and watch your IP address get hacked.

Re:Have some fun

[rossz]

Better idea. Set it on a long video loop that shows a bunch of missiles launching after several hours of just sitting there.

Re:WoW, after all THAT, you give ME guff?

[gstoddart]

Skippy ... if you think I waste any fucking time giving a crazy idiot like you any "guff", you sorely over-value your place in your universe.

I'm not your personal stalker, I just ignore your stupid drivel and inane bullshit. Don't flatter yourself.

Re:Internet of Security Nightmares

Internet of Worthless Shit that Doesn't Need to be on the Internet

Re: WoW, after all THAT, you give ME guff?

[ColdWetDog]

We did?

Re:If don't have the source you don't own the devi

[TheRaven64]

And that's not just Free Software Foundation propaganda, it's simple capitalism. If only the device vendor can control the software that runs on the device then it's a monopoly situation and we've all seen how well they work. If you have the source and the ability to reflash the device, then there is competition among third-party firmware vendors and only the ones that provide value to the end user will succeed.

And in other news...

[MitchDev]

It gets dark at night, and water is wet...

Giant fucking DUH! to the idiots who didn't think would happen...

Re:And in other news...

[wonkey_monkey]

It gets dark at night, and water is wet...

Except at the poles.

Re:And in other news...

[MitchDev]

Wet, but frozen, and while there are times at the poles it doesn't get dark at "clock" night, what percentage of the world's population actually lives there :)

Can't turn it off?

[wonkey_monkey]

Even if the user discovers it, it's still extremely hard to turn off.

Why? Does it continue to draw energy from the ether after you unplug it?

Sounds like an 80s episode of The Twilight Zone...

Dumb quote

[ArchieBunker]

Spy features could just as easily be hidden in hardware. Unless you want to verify the die and masks used, you still have no clue what this device can do.

Re:Reasons why I don't like the Internet of Things

[wyHunter]

Oh but wait, civil libertarians and privacy advocates are "concerned!" There now, don't you feel better?

Re:If don't have the source you don't own the devi

[ThatAblaze]

This is a red herring. If everything you bought was open source, would that INCREASE or DECREASE you level of security? The EULAs I agree to every day are open source, but do I bother reading them? Even if the code was available for every little thing you used, you would still be relying on trust.. or else you would be spending all day fiddling with every little thing.

Phone home functionality can be hidden in the hardware, on a remote server, in a text file, or literally anywhere. The only way to control all your electronics is to make them all yourself, and anyone who even tries doing that is basically living in the stone age.

And thus it begins

[kriegs]

Want to know when Skynet was born? Ask the IoT.