Slashdot Mirror

← Back to Stories (view on slashdot.org)

IoT Devices Are Secretly Phoning Home (thenewstack.io)

Posted by BeauHD on from the fear-the-internet dept.

An anonymous reader writes: A popular internet-enabled security camera "secretly and constantly connects into a vast peer-to-peer network run by the Chinese manufacturer of the hardware," according to security blogger Brian Krebs. While the device is not necessarily sharing video from your camera, it is punching through firewalls to connect with other devices. Even if the user discovers it, it's still extremely hard to turn off. Krebs notes that the same behavior has been detected in DVRs and smart plugs -- they're secretly connecting to the same IP address in China, apparently without any mention of this in the product's packaging. One security researcher told Krebs the behavior is an "insanely bad idea," and that it opens an attack vector into home networks.

24 of 196 comments (clear)

  1. it's not a secret by turkeydance · · Score: 3, Insightful

    c'mon, man. they're all doing it. damn you ET.

    1. Re:it's not a secret by arglebargle_xiv · · Score: 3, Funny

      You're only saying that because you've never seen "ET Porn Home" in all its VHS glory.

  2. Not new by penguinoid · · Score: 3, Informative

    Anyone familiar with IoT knows that most of them phone home to report.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:Not new by Dutch+Gun · · Score: 4, Interesting

      Agreed. This doesn't surprise me one bit. Maybe the name gives it away... you know... that these Things communicate over the Internet?

      I'm going to take a potentially contrary position, though, and argue that if a device is internet enabled, it absolutely should be phoning home on a regular basis, and for very good reasons. The recent glibc library vulnerability only helps to validate my opinion, in fact, which is that it's absolutely inevitable that serious vulnerabilities will be found in ANY internet-facing device, and so these devices MUST be able to automatically update themselves. What's more, manufacturers should be responsible for providing security updates for a reasonable product lifetime - otherwise, they're no longer fit to stay connected, and essentially must be discarded in order to keep your network secure.

      I'm sure there are those who would argue against such a policy, but these are *consumer* devices, and we damn well know by now that a typical consumer will never update the firmware on their own device. We now accept that browsers must self-update in order to remain secure, and we're just now grappling with the notion that OSes must do it too. Frankly, anything that's internet-facing needs to be treated the same way. The manufacturer must take responsibility for this. Otherwise, we're going to have billions of tiny infection vectors that will last as long as the devices do, which could be decades. Look at how much of a problem this is for old desktops, servers, and routers sitting on the internet, spewing botnet-controlled traffic because they've never been updated. Granted, this has to be done in a secure manner, so that MITM attacks are not possible, but it's absolutely possible to do it right.

      Of course, we all know what's really going to happen, which is that these companies with absolutely no clue how to do internet security are going to get many thousands of people infected through these crappy little internet-enabled gizmos, and the people who get infected with the Zeus banking trojan or crypto-ransomware will be outraged, and articles will be written, and eventually things *may* improve slightly. I'm sure as hell not going to be one of the early-adoption suckers.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    2. Re: Not new by nehumanuscrede · · Score: 4, Insightful

      Easy for the typical /. reader perhaps, not so much for your everyday consumer. Go ask random folks what a Vlan is and you'll understand pretty quickly.

      The typical user isn't even aware of the possibility of this sort of thing.

    3. Re:Not new by Anonymous Coward · · Score: 4, Interesting

      Then they don't work. Some have to have a 24/7 Internet connection, and if it gets cut, the devices turn off. I'm just waiting for everything out there, be it fridges, TVs, and anything else to either follow suit, or have a 3G antenna, so it has its own private pipe to tattle user info on.

    4. Re:Not new by mlts · · Score: 4, Interesting

      Perhaps an even better thing would be to go to a hub and spoke topology? That way, devices can communicate with the center hub (or hubs, if redundancy is desired), and if there is a fix, the hub asks for it on behalf of one device, caches it, so other devices can use that same fix without issue. It is basically what happens when devices communicate through an access point, but the devices would use a low power, low range protocol as opposed to Wi-Fi, or even opening themselves for attack by touching the Internet directly. Plus, with a hub and spoke, an IDS/IPS mechanism can be places so if one device starts behaving suspiciously that is out of the design parameters (nmapping everything it can find), its connection gets dropped, and life goes on. As an added bonus, an attacker would either have to be physically nearer to intercept the low power protocol, or would have to attack the hardened hub (which could run on fairly modest hardware and use virtual machines to separate the firewall instance from the instance that deals with the devices.)

  3. If don't have the source you don't own the device. by Anonymous Coward · · Score: 4, Insightful

    It's really simple. It's separate from source code quality. If you have proprietary software running free on your device then you don't own the device, whoever set up the software owns it. Windows phones home because it's working for Microsoft. Your IOT devices phone home because they are working for a Chinese company. Your Android phone phones home because it's working for Samsung and your mobile operator. This is not different and it's not complicated.

  4. IoT devices by ickleberry · · Score: 3, Insightful

    These used to be just IP Cameras, they have been around for years, but now they are suddenly being called IoT devices. I wish this I(di)oT fad would die off and people would just call a spade a spade (or even an IP Spade)

  5. "insanely bad idea" by Bruce66423 · · Score: 3, Interesting

    Depends on your perspective, doesn't it? If you are aiming to ensure that a cyber attack by the People's Liberation Army on the Imperialists will do a lot of damage, it seems like a GREAT idea...

  6. If you think by Ol+Olsoc · · Score: 3, Interesting

    That Internet of Things phoning home is some sort of secret, you've been living under a rock the last few years. Phoning home is what they are designed to do. It's the core principle of the IoT.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:If you think by jones_supa · · Score: 3, Informative

      That's not true at all. IoT simply means an embedded device connected to Internet.

  7. DDNS by 110010001000 · · Score: 5, Informative

    This "secret network" is a "DDNS network" so you can more easily connect to your camera from the Internet. Clickbait.

  8. Total FUD by Theaetetus · · Score: 5, Informative
    Just because something says P2P doesn't mean it "connects to a vast peer-to-peer network". These particular cameras are made to work with a smartphone or tablet app: the camera connects to the company's servers to tell them its IP address; your tablet connects to the server to find out the IP address of your camera; and then your tablet and the camera establish a peer-to-peer connection, so that none of the video travels via the company's servers.

    That's it - the two peers are your camera and your mobile device, not some fast torrent network or something.

    Now, sure, this could've been documented better, but Krebs should also know better than to jump to hyperbole based on two letters and a number in a configuration screen.

  9. Reasons why I don't like the Internet of Things. by Anonymous Coward · · Score: 5, Insightful

    Here's a list of reasons why I don't like the Internet of Things:

    1) Internet of Things devices could watch me while I sleep.

    2) Internet of Things devices could watch me while I pee.

    3) Internet of Things devices could watch me while I make kaka.

    4) Internet of Things devices could watch me while I pleasure myself.

    5) Internet of Things devices could watch me while I wash my body in the shower.

    6) Internet of Things devices could watch me while I relax in the tub.

    7) Internet of Things devices could watch me while I brush my teeth.

    8) Internet of Things devices could watch me while I make passionate love to my wife.

    9) Internet of Things devices could watch me while I brush my hair.

    10) Internet of Things devices could watch me while I read a book.

    11) Internet of Things devices could watch me while I read Slashdot.

    12) Internet of Things devices could watch me while I bake cake.

    13) Internet of Things devices could watch me while I put in my contact lenses.

    14) Internet of Things devices could watch me while I get ready to play golf.

    15) Internet of Things devices could watch me while I do my laundry.

    16) Internet of Things devices could watch me while I think about rugby.

    17) Internet of Things devices could watch me while I tie my shoes.

    18) Internet of Things devices could watch me while I celebrate the 4th of July.

    19) Internet of Things devices could watch me while I water my flowers.

    20) Internet of Things devices could watch me while I eat ham.

    21) Internet of Things devices could watch me while I use my stapler to staple documents.

    22) Internet of Things devices could watch me while I chew bubble gum.

    23) Internet of Things devices could watch me while I check the oil in my car.

    24) Internet of Things devices could watch me while I look for my TV remote.

    25) Internet of Things devices could watch me while I blow my nose.

    26) Internet of Things devices could watch me while I rearrange my stamp collection.

    27) Internet of Things devices could watch me while I listen to the Backstreet Boys.

    28) Internet of Things devices could watch me while I do my calisthenics.

    29) Internet of Things devices could watch me while I search for a paper clip.

    30) Internet of Things devices could send information about me to advertisers.

    31) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I sleep.

    32) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pee.

    33) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make kaka.

    34) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pleasure myself.

    35) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I wash my body in the shower.

    36) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I relax in the tub.

    37) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my teeth.

    38) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make passionate love to my wife.

    39) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my hair.

    40) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read a book.

    41) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read Slashdot.

    42) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I bake cake.

    43) Internet of Things devices could let advertisers use the data unsuspectingly coll

  10. Insanely bad idea? by gstoddart · · Score: 4, Insightful

    the behavior is an "insanely bad idea," and that it opens an attack vector into home networks

    I'm sorry, but based on what we've been seeing, so far the entire Internet of Things is an insanely bad idea ... shoddy security by incompetent idiots who want more analytics data and ad revenue, and don't give a crap about your security.

    Fuck that, I want my toaster connected to the internet why again?

    That this is happening should no longer come as a surprise to anybody who has paid even the smallest amount of attention to how much of a mess the IoT is.

    --
    Lost at C:>. Found at C.
    1. Re:Insanely bad idea? by bigdavex · · Score: 3, Funny

      Fuck that, I want my toaster connected to the internet why again?

      How else do you think it will keep its antivirus software up-to-date?

      --
      -Dave
  11. No need to phone home. by fyngyrz · · Score: 3, Interesting

    And it is completely, absolutely, 100% unnecessary.

    o Plug in not-yet configured device.

    o Shortly thereafter, it accepts DHCP configuration. Now it has an IP.

    o Then it vomits out a tiny UDP (broadcast) packet every 60 seconds or so that says "I'm a WackyWidget and my IP is Yad.daY.yad.daY"

    o You start app, it listens for the UDP packet, when it hears it, it begins comm via TCP at the IP identified in the UDP broadcast. UDP broadcasts then cease until, or unless, the TCP (and possibly the DHCP) connection is dropped, in which case, begin again at whatever step is needed.

    That's it. That's ALL of it. You need nothing more for an IP camera, a smart power plug, a smart lightbulb, an aquarium controller, the garage door opener, etc., etc., ad infinitum.

    If you THEN want to expose WackyWidget to the WAN, you could enable that separately.

    If you were out of your damned mind.

    If you haven't yet figured out that "the cloud" is nothing but a way to take/get things from you -- money, data, ownership of media, etc. -- then you really need to look at all this harder.

    --
    I've fallen off your lawn, and I can't get up.
    1. Re: No need to phone home. by guruevi · · Score: 3, Insightful

      You're describing Bonjour/mDNS and yes it works within LANs but not if you want to connect from outside your network. People want convenience, punching a hole in your firewall is a "lot of work" and sometimes impossible depending on your configuration.

      And yes, anyone with the information could possibly have your camera talking to them but most people don't care or refuse to understand the issue. Whether it's China or the NSA, as long as people have "bread and circuses" they'll be fine.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re: No need to phone home. by techabuse · · Score: 4, Interesting

      I own a few Chinese IP cameras i bought for experimenting, and no two of them work with the same app/P2P cloud bullshit/whatever. They do, however, all expose Telnet and SSH to the world. There's no way I'd let them anywhere near the WAN because they're all running Linux on a decently snappy ARM SOC and phoning home. Can you say beach head?

    3. Re:No need to phone home. by Theaetetus · · Score: 3, Interesting

      And it is completely, absolutely, 100% unnecessary.

      o Plug in not-yet configured device.

      o Shortly thereafter, it accepts DHCP configuration. Now it has an IP.

      o Then it vomits out a tiny UDP (broadcast) packet every 60 seconds or so that says "I'm a WackyWidget and my IP is Yad.daY.yad.daY"

      o You start app, it listens for the UDP packet, when it hears it, it begins comm via TCP at the IP identified in the UDP broadcast. UDP broadcasts then cease until, or unless, the TCP (and possibly the DHCP) connection is dropped, in which case, begin again at whatever step is needed.

      That's it. That's ALL of it. You need nothing more for an IP camera, a smart power plug, a smart lightbulb, an aquarium controller, the garage door opener, etc., etc., ad infinitum.

      If you THEN want to expose WackyWidget to the WAN, you could enable that separately.

      If you were out of your damned mind.

      If you haven't yet figured out that "the cloud" is nothing but a way to take/get things from you -- money, data, ownership of media, etc. -- then you really need to look at all this harder.

      That's a really long and condescending way to say "I don't understand how subnets work". While it may work fine on your household network, this camera is designed to be accessed over the public internet. Most people don't need to check security cameras that are in the same room as them.

    4. Re:No need to phone home. by tlhIngan · · Score: 3, Informative

      And it is completely, absolutely, 100% unnecessary.

      o Plug in not-yet configured device.

      o Shortly thereafter, it accepts DHCP configuration. Now it has an IP.

      o Then it vomits out a tiny UDP (broadcast) packet every 60 seconds or so that says "I'm a WackyWidget and my IP is Yad.daY.yad.daY"

      o You start app, it listens for the UDP packet, when it hears it, it begins comm via TCP at the IP identified in the UDP broadcast. UDP broadcasts then cease until, or unless, the TCP (and possibly the DHCP) connection is dropped, in which case, begin again at whatever step is needed.

      That's it. That's ALL of it. You need nothing more for an IP camera, a smart power plug, a smart lightbulb, an aquarium controller, the garage door opener, etc., etc., ad infinitum.

      If you THEN want to expose WackyWidget to the WAN, you could enable that separately.

      If you were out of your damned mind.

      If you haven't yet figured out that "the cloud" is nothing but a way to take/get things from you -- money, data, ownership of media, etc. -- then you really need to look at all this harder.

      which makes the device useless to the people who buy it. People buy security cameras with IP connectivity so they can view their camera from a remote location, for alerts and the ability to view and control devices remotely.

      Like you have a camera on your front door. It sends you an alert someone is there, to which you access your camera to see who it is. Generally, this is useful if the UPS or FedEx guy comes while you're at work, at which point you can ask them to drop the package off in the garage (which you open and close remotely). No package left on the door stop, and the garage door is closed by you so it's safe and waiting for you.

      And that's the reason why people are going for the "cloud" stuff. Sure there's probably a few lazy asses using it inside their home (or their home is a huge mansion that takes 10 minutes to get from one side to the other), but the key selling point of this "IoT" devices is remote access.

      Remotely turn on the lights. Remotely turn on the heat or AC so you come home to a warm or cool house. View cameras and recordings while you're out.

      What you propose is secure, but gives consumers none of that. They're buying it for the remote accessibility and giving them only local access until they do a bunch of fancy stuff is basically counter to what consumers are buying the things for.

  12. It's Foscam you /.pussys by EvilSS · · Score: 3, Informative

    Really Dice, scared shitless to mention the manufacturer?

    Here is the Krebs link if you want the actual details and don't want to dig it out of the articles linked in the summary: http://krebsonsecurity.com/201...

    --
    I browse on +1 so AC's need not respond, I won't see it.
  13. Have some fun by PPH · · Score: 4, Funny

    Set up a honeypot consisting of a Chinese DVR and a bunch of security cams pointing at pictures of Minuteman ICBMs sitting in their silos. Sit back and watch your IP address get hacked.

    --
    Have gnu, will travel.