Coming Attacks

  • jasona.work (10/3/2016)


    ...

    Which, really, comes around to "why in the H*LL does my refrigerator need to be on the internet in the first place?" So I can remotely check my groceries? MAKE A FRICKIN' LIST before you go shopping!

    ...

    Hey, you may not give a damn about what's in your refrigerator, but fortunately there are some dedicated and loving people in our government and marketing conglomerates who do. Can't you see that they're only here to help make your life better?

    :satisfied:

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (10/3/2016)


    The Internet is a wonderful, collaborative resource, and will be for a long time if the criminals don't fundamentally ruin our trust in it.

    Also, put this all into the perspective of cloud computing. The Internet is a wonderful platform for public information exchange and collaboration... if that's what you're essentially needing to do. However, over time corporations and governments have leveraged this network platform for running their enterprise infrastructure, even using it for internal applications and databases that should never be accessed by the public. Not only are these enterprises vulnerable to things like intentional denial of service attacks, but they have to compete for bandwidth with children streaming episodes of Scooby Doo.

    Scooby Doo? I like it.

  • Steve Jones - SSC Editor (10/3/2016)


    jasona.work (10/3/2016)


    Which, really, comes around to "why in the H*LL does my refrigerator need to be on the internet in the first place?" So I can remotely check my groceries? MAKE A FRICKIN' LIST before you go shopping!

    Worse, it's only going to get worse and I really doubt it will ever get better...

    I am sure things will get worse. Apart from criminals, we have bored and smart people that are vandals, just wanting to cause trouble, or experiment, for fun.

    I dislike you, or anyone, making a decision about what is good or bad. Plenty of people do want some devices attached to a network. Turn the oven off, change the heat, etc. Some people want to do this remotely, or double check. I'll admit I think locking my car doors remotely was dumb.

    Until I was in a hurry at the airport, got on the shuttle and couldn't remember if I'd locked anything. I appreciated it then.

    What I'd wish for is a minimal security framework that we mandate for devices sold. I can't do anything about what you build, but I'd want routers and fridges, and webcams to require a certain level of authentication. And mandate a way to update, preferably physical, that ensures we can secure these when we find issues.

    I'd also require that any EOL product must release the source code as open source for patching by users. I would not be asking this to be public domain for anyone to use in their own product, but open source, with the original vendor retaining copyright control over how the code can be used. They just can't maintain closed source if they won't patch the system.

    Edit : clarified open source v public domain. Reworded.

    Please note, I'm not (despite my slight rant) averse to the IoT world. My thermostat, living room lights, and lawn sprinkler controller are all IoT devices. I think perhaps it was more intended to be a "slow down and think if having device X connected to the internet in some way is really going to be beneficial or is it just a gimmick to draw attention" sort of rant.

    Granted, though, it does come across as a "git off ma lawn you young whippersnappers" rant...

    Part of where IoT is going to be a problem is, companies putting out these devices without thinking about the "how long will someone likely have one and how long will we need to / should we / have to support the *software* side of the device." Software companies like MS and Apple generally support an OS for around 5-10 years, most appliance companies give you a 5yr warranty. But, unlike PCs where the user generally replaces the device every several years for the newer, faster model (and thus a new OS with a new support period,) most people keep their refrigerator or thermostat or sprinkler controller or router until it outright fails beyond repair.

    Plus, add in the complexity of updating such devices. It doesn't have to be complex, but in some cases the only way to get an update might be to download a specialized application onto a PC to run to update the device. *IF* the manufacturer even puts out updates.

    So, from that, it's fairly obvious that if / when a vulnerability is found (i.e. something that lets a malicious entity use your refrigerator as part of a botnet to DDoS attack) that either the appliance manufacturer will say "tough luck if you're part of this, just disconnect it from the internet," or "the update to fix that issue requires an on-site service tech visit and isn't covered under warranty," or "that model is no longer under warranty and the hole will not be patched," or the ever popular "you can download the latest firmware update from here, the application will only run on Windows XP or older."

    Basically, all these companies rushing to create the next great IoT things, need to also start thinking about how to secure and keep secure these devices, they can't just hand it off to the user and tell them "have fun figuring out how to lock this down!"

  • I agree and don't.

    First, companies can do what they want. That's part of having a free market. What I think we should also have, perhaps just more of, is responsibility and accountability for the devices being secure, or at least being fixed (patched) when they are shown to be not secure.

    I'm all for companies doing what they want, but they have to represent their system adequately, which means certain safety standards. We haven't built a good framework for that in the digital world.

    However, I do think that if companies cease to support their products, and open source the code, then it's not that you or I need to figure out how to patch things, but maybe we can take open source patches.

    Or better yet, perhaps we could get a secondary market of companies that sell patches (and stand behind them) for things like routers. If DLink (for example) doesn't want to patch their routers, they need to open source the code and let Jason's Router Repair sell patches.

  • So now everyone and their grandma is going to ask us to secure their IoT lightbulb because it is going to be "their" responsibility. Legally, would it then make it ours? (I know this is hypothetical.)

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Steve Jones - SSC Editor (10/3/2016)


    I agree and don't.

    First, companies can do what they want. That's part of having a free market. What I think we should also have, perhaps just more of, is responsibility and accountability for the devices being secure, or at least being fixed (patched) when they are shown to be not secure.

    I'm all for companies doing what they want, but they have to represent their system adequately, which means certain safety standards. We haven't built a good framework for that in the digital world.

    However, I do think that if companies cease to support their products, and open source the code, then it's not that you or I need to figure out how to patch things, but maybe we can take open source patches.

    Or better yet, perhaps we could get a secondary market of companies that sell patches (and stand behind them) for things like routers. If DLink (for example) doesn't want to patch their routers, they need to open source the code and let Jason's Router Repair sell patches.

    I think, Steve, you and I are rather closer together on this than it might sound.

    I'd agree that companies open-sourcing their source code for a no-longer supported device would likely go a long ways towards mitigating the various issues. After all, look how long the Linksys 54G router held on once people figured out how to replace the Linksys firmware with open-sourced firmware (DD-WRT, etc.). I'd bet at some point someone at Linksys seriously considered keeping the assembly line for the 54G going, and selling them with no firmware to 3rd-party vendors. The tooling and such was likely completely paid for, so the overall costs would've been low.

  • Gary Varga (10/4/2016)


    So now everyone and their grandma is going to ask us to secure their IoT lightbulb because it is going to be "their" responsibility. Legally, would it then make it ours? (I know this is hypothetical.)

    I guess I'll eventually have no choice when it comes to IoT kitchen appliances; it will soon become a standard embedded component on even the cheapest models. There is always the option of taping over the sensors the same way most of us here tape over the camera hole on our laptops. However, I don't picture myself ever having IoT lightbulbs.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • The source code of the botnet that compromised IoT devices that knocked Brian Krebs off the internet is now available online, so expect to see more of this in the future. Myself, I don't have much of a need for IoT devices. If others want them, fine. The only thing at my house plugged in to my router is my satellite DVR. My TV isn't that smart, and that's fine by me. I suppose I'll have to plug in my Bluray player occasionally to update encryption keys, but that's about it.

    And there was an article on Ars Technica saying that DVRs are compromised at a fierce rate. So basically if it has a CPU, an OS, and a network connection: it can probably be compromised.

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • Eric M Russell (10/4/2016)


    Gary Varga (10/4/2016)


    So now everyone and their grandma is going to ask us to secure their IoT lightbulb because it is going to be "their" responsibility. Legally, would it then make it ours? (I know this is hypothetical.)

    I guess I'll eventually have no choice when it comes to IoT kitchen appliances; it will soon become a standard embedded component on even the cheapest models. There is always the option of taping over the sensors the same way most of us here tape over the camera hole on our laptops. However, I don't picture myself ever having IoT lightbulbs.

    Feb 3, 2015 - IoT Invades the Kitchen 😎

    http://www.eetimes.com/author.asp?section_id=36&doc_id=1325527

    May 4, 2015 - IKEA is hoping new 'intuitive and unobtrusive' technology will augment the kitchens of the future. :smooooth:

    http://www.networkworld.com/article/2917281/internet-of-things/ikea-has-plans-for-iot-first-up-networked-kitchen.html

    Well, now hackers have found a way to spike the IoT Kool-Aid. :pinch::unsure::crying:

    https://redmondmag.com/blogs/the-schwartz-report/2016/10/ddos-attack-exploited-iot-vulnerabilities.aspx

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
