Yet Another Study Shows The Internet Of Things Is A Privacy And Security Dumpster Fire
from the the-dumber-the-better dept
Day in and day out, it's becoming increasingly clear that the smart home revolution simply isn't all that smart.
Security analysts like Bruce Schneier have been sounding the alarm bells for years now about the lax to nonexistent security and privacy standards inherent in the internet of broken things space. From refrigerators that leak your Gmail credentials to Barbie dolls that can be easily hacked to spy on kids, it's increasingly clear that dumber technology is often the smarter solution. Not only do many of these devices actually make us less secure, their lack of real security has resulted in their use in historically large DDoS attacks.
Study after study shows it's a problem that's not really getting better. For example, despite a decade of reports about the lack of real security and privacy standards in smart TVs, Consumer Reports recently found that most smart TVs remain impressively open to attack and abuse. And a new study out of the UK by Which? studied 19 different smart gadgets and found a "staggering level of corporate surveillance of your home" by devices that routinely hoovered up consumer data, then funneled it out to dozens of partner companies -- often without clear consumer permission:
"Many apps ask for your exact location when they don’t actually need it for the product or service to work. Far too often, specific information is requested about you when the justification seems arguable at best. Then there’s the galaxy of other companies busily working in the background of your smart gadgets. During our testing we saw more than 20 other operators involved behind the scenes, including marketing companies. When we used a smart TV for just 15 minutes, it connected with a staggering 700 distinct addresses on the internet."
You'll recall that a few years ago, the revelation that there was now a search engine specifically built to provide easy access to poorly secured webcams resulted in all manner of consternation about the problem of default usernames and passwords and devices with papier-mâché-grade security. But despite flimsy webcam security being such a hot topic for years, many vendors still haven't gotten the message:
"We’re also concerned over how companies secure your data. In a separate test together with other consumer organisations, we found a flaw in this wireless security camera’s app (provided by a company called Sricam), which meant that we could access more than 200,000 passwords and device IDs for other ieGeek cameras. We could then see live video feeds of other users, and talk to those users via the camera’s microphone (which we didn’t do). ieGeek/Sricam fixed this flaw in late March 2018, but we’ve subsequently found and disclosed other critical vulnerabilities with the camera and app."
Security analysts like Bruce Schneier have clearly illustrated why there's no incentive to fix these problems:
"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
The reality is we're collectively more interested in making money and obsessing over the latest gadget than in addressing the problem. And while there are some very good ongoing efforts to create basic security and privacy standards in the IOT space, the prevailing attitude among IOT users and vendors alike is that this is all somebody else's problem. Folks like Schneier have been warning for a while that it's likely going to take a mass casualty event (caused by hacked infrastructure) to finally motivate some changes in the internet of broken things space.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Filed Under: internet of things, privacy, security
Reader Comments
This is a most difficult issue
Re: This is a most difficult issue
Although I go out of my way to avoid new technology, it can get hard if not impossible to avoid 'high-tech' things. Are there any cars sold in the US, for instance, that don't have a (non-optional) advanced electronic/computerized backbone?
Maybe it's one reason why old cars from the 1960s are worth so much money these days, as those were the last of the "simple" vehicles before government standards for tailpipe emissions, fuel economy, and other things kicked in. Not that government regulation is all bad. In the case of cars, people who wanted the option of seat belts had to wait six decades until the government stepped in and forced automakers to offer them (first as an option).
Re: Re: This is a most difficult issue
No, everything has electronic engine control, anti-lock brakes, and electronic stability control, just for a start. I believe a backup camera or sensors are now mandated. Anything but a bare-bones economy car (and maybe not even those any more) will also have electronics in the cabin controlling anything from audio to climate control.
Re: Re: Re: This is a most difficult issue
https://www.motor1.com/news/238058/cars-emergency-services-mandatory-europe/
Re: This is a most difficult issue
Sure will, if for no other reason than the legislation will inevitably suck and be a half-measure at best. If such a thing happens I imagine it would be started by well-meaning "nerds" and a handful of the more tech-savvy politicians, but get waylaid by excessive lobbying from large corporations who really don't want to pay to fix the problem they caused and actually kinda like the data they're gathering. The result will be a watered-down, toothless version of whatever got proposed in the first place.
It's still better than the even more scary alternative mentioned above, though:
Can you imagine the kind of headless-chicken, knee-jerk, politician-must-DO-something-NOW abortion-of-a-law that would result from that? I'll take the weedy and ineffectual half-measure any day!
Think I've connected it to my internet to make use of that?
Hell no. And this article points out why. I'll take safety over convenience.
Re:
I can see how a hacked furnace could be used to blow up a house, unless specific safeguards are built in.
Re:
Is the wi-fi radio actually off, or is it still decoding packet headers (and potentially vulnerable to buffer overflows etc.)?
Nothing will happen until...
the market... finds a way
Try as I may, I can't think of a way to suggest the possibility of ********** without making everyone think that I'm responsible when it appears.
Re: the market... finds a way
Re: Re: the market... finds a way
A camera's easy to tape and I've seen lots of people do it. A microphone isn't so easy, and it may be possible to use the built-in speakers as microphones.
I want a removable battery, so I can know that the thing's actually off (and don't have to throw the laptop in a landfill when it wears out in a few years). Stores don't sell laptops like that; I can still order them, but then I have to worry about government interdiction. Phones with removable battery have become almost unattainable.
Typo
You misspelled hysterically.
Saw it coming, rolled my own
I developed my own homestead automation instead - it's not like a lot of the ideas aren't useful. But as I'm retired on an off-grid homestead I built...no need for the internet and its attack surface anyway - for that matter I skipped the whole smartphone thing - this area has only had coverage for the last 5 or so years anyway.
Survival is the oldest profession. If you don't - that other one that makes the claim wouldn't exist.
I have different challenges than most people do, I'd assume. Not having infinite power - not a good idea to turn on a big load like AC remotely anyway (not that I spend much time off my land as is). But I do need to monitor and control the solar system, the water collection/treatment/storage/delivery plumbing, and keep track of internal and external weather on campus (eg watch if pipes are going to freeze and preempt that if so).
I added in video and motion detection because it was easy and I get what amount to game pictures of the wildlife here as a bonus. I get audio announcements of important events off my background music system and if I want - I can send email to myself - all without leaving the LAN - or even having most of this (other than one raspi that serves as access point for the slave nodes and a web server) - visible even on my main LAN. I call it LAN of things, obviously.
The only real reason I see for being "out on the inet" is so some manufacturer can make money as a "man in the middle" - a widely discussed attack vector in security circles. And maybe charge rent, if not now, later after you're locked in. Imagine having to pay to have your own house work! (I suppose many less fortunate pay rent as is, but yet another one?). I see no point giving anyone else that kind of control over me.
I don't sell these, but some old documentation on how to do some parts yourself has been published. It's way not rocket surgery, mostly a ton of sysadmin on small computers - which I don't document, as it's all over the web as is.
http://www.coultersmithing.com/forums/viewforum.php?f=59&sid=65ae80d0c2bcbb16960f301772dfad08
Re: Saw it coming, rolled my own
I miss the days of phpBB forums, and was sad to see the likes of Facebook, Twitter, Reddit, etc., bury them. A site that combines tech news, programming, and guns seems like an odd mix -- certainly not the kind of thing you might expect to see coming from someone from the 'tech mecca' S.F. Bay area.
Re: Re: Saw it coming, rolled my own
Marksmanship is what we do here in the mountains instead of golf...as any golf balls would wind up in the creek between the ridges no matter what.
It's something to do sometimes when I'm not doing fusion research or on the 23 mile round trip to the beer store.
Re: Re: Re: Saw it coming, rolled my own
Re: Saw it coming, rolled my own
Second oldest. One thing is apparently more important.
Joshua told us "The only way to win is no
Why all the outrage?
For those that care, buy an enterprise grade firewall and make sure your first rules block all traffic in both directions. Now add specific rules for each PC as needed, HTTPS, POP, etc. PITA but it really cuts down on the harm malware can do when it slips into your network. You will likely be surprised at the number of blocked comm attempts the default deny rule will collect.
Make sure any IOT gizmos are on their own LAN that can't talk to your main LAN. Install any needed control gizmo on the IOT LAN. Again with the default deny rule and only add needed allow rules.
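As an added example that is not part of the article, the Which? study or this comment, the script below audits constructed flow records in the two ways this thread suggests: it counts the distinct addresses each device contacts in a 15-minute window (the measurement Which? describes for a smart TV, quoted in the article above) and reports which flows a per-device default-deny allowlist, as this comment recommends, would have blocked. All device addresses, records and the allowlist are made up for the example.

```python
# Added example (not the article's or Which?'s code): audit IoT flow records.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records, "timestamp source destination dport".
# 192.168.50.10 plays the smart TV; 192.168.50.20 a second IoT device.
SAMPLE_FLOWS = """\
2018-06-01T20:00:05 192.168.50.10 203.0.113.7 443
2018-06-01T20:00:09 192.168.50.10 203.0.113.8 443
2018-06-01T20:01:14 192.168.50.10 198.51.100.4 80
2018-06-01T20:02:30 192.168.50.10 198.51.100.9 443
2018-06-01T20:03:00 192.168.50.20 203.0.113.7 443
2018-06-01T20:20:00 192.168.50.10 192.0.2.77 443
"""

# Hypothetical per-device allowlist: the only (destination, port) pairs a
# default-deny rule set permits; every other flow is a blocked attempt.
ALLOW = {"192.168.50.10": {("203.0.113.7", 443)}}

def parse_flows(text):
    """Parse records into (time, src, dst, port) tuples, skipping blank lines."""
    flows = []
    for line in filter(None, text.splitlines()):
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def distinct_destinations(flows, window=timedelta(minutes=15)):
    """Distinct destination IPs each device contacts within `window` of its
    first observed flow (the measurement Which? ran on a smart TV)."""
    first_seen, dests = {}, defaultdict(set)
    for ts, src, dst, _ in sorted(flows):
        first_seen.setdefault(src, ts)
        if ts - first_seen[src] <= window:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}

def blocked_by_default_deny(flows, allow):
    """Per device, the (dst, port) pairs a default-deny allowlist policy would drop."""
    blocked = defaultdict(list)
    for _, src, dst, port in flows:
        if (dst, port) not in allow.get(src, set()):
            blocked[src].append((dst, port))
    return dict(blocked)

if __name__ == "__main__":  # stand-alone report
    flows = parse_flows(SAMPLE_FLOWS)
    print(distinct_destinations(flows), blocked_by_default_deny(flows, ALLOW))
```

A device with no allowlist entry at all has every flow reported as blocked, which is exactly the "surprising number of blocked comm attempts" the comment predicts for a default-deny rule.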
PowerOffDevicesNotInUse
Restart the power on any device DAILY.
Check for Firmware updates.
Do Not Buy an I.o.T. device unless you understand that it probably is backdoored, has a hard coded password and can be used by anyone on the internet... e.g. don't buy into I.o.T. for another decade or more...
Sometimes it just feels like...
I wonder..
As I was told in the past and was demonstrated MANY times..
1 agency gets your info..even just a name and address..
THEY CAN SELL IT SO MANY TIMES...that they make MONEY. LOTS.
The more info they get, the more money they can get..
Even a few businesses that gather from MANY companies, and resort the data collected, can find a LOT of data.
There was 1-2 things missing from much of this. BANK/credit card/Credit rating and Social security INFO..
They got it now.
Love how we have Learned to protect our computers, but the Companies DON'T GET IT..
How much spam do you like?
How many dead people trying to contact you??
How many STRANGE msg. do you get with a STRANGE LINK??
How many msg from services you DO USE, that you will NEVER CLICK THE LINK IN THE MSG..(I got one from my CC company, called them and sent it to them)
Since the year 2000, how easy was it to find PORN on your computer when you had NEVER seen that lady before?? or the Dog. It's a lot CLEANER now, but we learned our lessons..
I can give you a link to a LEGIT site that has over 30 3rd party links and scripts they WISH to install...
This is a most difficult issue
The argument that the market will not solve this problem is probably correct, which leaves regulation, and that will incense some folks. However, even that leaves the problem of all the devices in existence that may or may not get fixed with that regulation. There are possibly a variety of reasons for that, that might include the company is now gone, the devices are so old as to not be considered important enough to update (and that age number might be laughable in and of itself) or that the company then folds in light of the extra cost and potential lack of income from selling information in the future, and therefore does nothing.
Not hopeful
'Never blame malicious intent for that which can be blamed on stupidity.'
I used to wonder when people would start to reverse this notion. Now I wonder if people will ever realize the opposite is the truth.
Re: Not hopeful