Forget Huawei, The Internet Of Things Is The Real Security Threat

from the somebody's-watching-you dept

We've noted for a while how a lot of the US protectionist security hysteria surrounding Huawei isn't supported by much in the way of hard data. And while it's certainly possible that Huawei helps the Chinese government spy, the reality is that Chinese (or any other) intelligence services don't really need to rely on Huawei to spy on the American public. Why? Because people around the world keep connecting millions of internet of broken things devices to their home and business networks that lack even the most rudimentary of security and privacy protections.

Week after week we've documented how these devices are being built with both privacy and security as a distant afterthought, resulting in everything from your television to your refrigerator creating both new attack vectors and wonderful new surveillance opportunities for hackers and state actors.

The latest case in point: a popular Chinese GPS tracker, used to track everything from vehicles to kids and the elderly, has been found to contain a significant flaw that can trick the device into handing over GPS data using little more than a text message. The devices, which are made in China and rebranded and sold by more than a dozen companies, can also be used as remote surveillance devices, note cybersecurity researchers:

"Researchers at U.K. cybersecurity firm Fidus Information Security say the device can be tricked into turning over its real-time location simply by anyone sending it a text message with a keyword. Through another command, anyone can call the device and remotely listen in to its in-built microphone without alerting anyone.

Another command can remotely kill the cell signal altogether, rendering the device effectively useless."

While the device can be protected with a PIN, that setting isn't enabled by default, and the researchers found the devices can be remotely reset, bypassing the PIN anyway. This is, if you hadn't been paying attention, kind of the norm when it comes to IoT devices. By the time flaws like this are exposed, the company involved has usually moved on to marketing new devices with an entirely new array of vulnerabilities. And since most such devices don't offer much in the way of transparency, consumers are usually largely clueless to the fact that their devices are putting their private data at risk.

Security researchers keep warning us that the check is going to come due on the internet of things front, and we're not taking the warnings seriously:

“This device is marketed at keeping the most vulnerable safe and yet anybody can locate and listen into thousands of people’s lives without their knowledge,” said Fidus’ Andrew Mabbitt, who wrote up the team’s findings. “This day and age, everything is connected one way or another and we seem to be leaving security behind; this isn’t going to end well.”

As security researchers have been saying for several years, it's likely going to take a major attack on significant infrastructure and some significant fatalities before we wake up out of our collective stupor. In the interim DC is obsessed with whether companies like Huawei are covert Chinese spies, but largely apathetic to the fact that the internet of broken things already provides all the spying opportunities a nosy government or rogue actor would ever need.


Filed Under: computer security, internet of things, iot, security
Companies: huawei


Reader Comments


  • Anonymous Coward, 20 May 2019 @ 7:29am

    Both things are a threat.

    I think one of the major concerns is of China having control of our telecom infrastructure.

    Don't forget, Huawei doesn't just help the Chinese government, it is part of the Chinese government.

    • Stephen T. Stone, 20 May 2019 @ 7:53am

      People with the power to do something about those concerns could invest their influence into getting flaws in the IoT infrastructure fixed. If they refuse to do so, perhaps they want to spy on the American public, too.

      • Anonymous Coward, 20 May 2019 @ 8:22am

        Re:

        Are you really that worried about people spying on you?

        I'm far more concerned about the Chinese government being a major equipment supplier to our telecom companies.

        • Anonymous Anonymous Coward, 20 May 2019 @ 8:28am

          Re: Re:

          Why, because of spying? Or did you have something more nefarious in mind? What would that be?

          • Gary, 20 May 2019 @ 8:30am

            Re: Re: Re:

            Considering Google has pulled the plug on Huawei it seems likely they may fold.

            So the Internet of (Shitty) Things is a bigger threat to safety.

            • Anonymous Coward, 20 May 2019 @ 8:33am

              Re: Re: Re: Re:

              I think the evil genius mindset behind these security blunders is the big threat to everyone including those who support the insane world domination silliness.

            • Anonymous Coward, 20 May 2019 @ 8:43am

              Re: Re: Re: Re:

              Why would Google fold?

            • PaulT, 21 May 2019 @ 5:12am

              Re: Re: Re: Re:

              "Considering Google has pulled the plug on Huawei it seems likely they may fold."

              That's very unlikely. They will just create their own store and clone whatever non-FOSS components they need to retain compatibility. I wouldn't be surprised if some Chinese organisation has already created a homegrown fork of the OS in preparation for a move like this.

          • Anonymous Coward, 20 May 2019 @ 8:59am

            Re: Re: Re:

            Do you think the Air Force would buy fighters from China if they came in with a lower bid?

            Why should the government allow our telecom infrastructure to be built by the Chinese? There's a big national security component to it as well.

            • Anonymous Coward, 20 May 2019 @ 10:28am

              Re: Re: Re: Re:

              Do you understand there is a big difference between the government purchasing something for the military and the phone company purchasing something for the phone company - right?

              • Anonymous Coward, 20 May 2019 @ 12:59pm

                Re: Re: Re: Re: Re:

                Are you saying there isn't any national security component to our telecom infrastructure?

                • Seegras, 20 May 2019 @ 1:34pm

                  Re: Re: Re: Re: Re: Re:

                  "Are you saying there isn't any national security component to our telecom infrastructure?"

                  None. At least according to the actions of the CIA and NSA -- and national government itself. Leaving companies for three years with open vulnerabilities. On purpose. So they can spy on them. Wannacry?

                  • Anonymous Coward, 20 May 2019 @ 5:44pm

                    Re: Re: Re: Re: Re: Re: Re:

                    Every vulnerability and zero-day that comes to the attention of the NSA goes before a board that weighs the value against the potential danger. Disclosure is negotiated on a case-by-case basis with a bias for disclosing.

                    The defense department and homeland security worry a great deal about the security of our infrastructure but the concern isn't necessarily about spying as much as it is of control.

                • Anonymous Coward, 21 May 2019 @ 9:40am

                  Re: Re: Re: Re: Re: Re:

                  "Are you saying there isn't any national security component to our telecom infrastructure?"

                  No - I do not recall making that statement.

                  Why do you expect the two things to be treated in the same manner?

          • Rocky, 20 May 2019 @ 9:18am

            Re: Re: Re:

            How about logic bombs that can be remotely activated?

            A state actor may be more interested in shutting down communications rather than just spying.

        • Anonymous Coward, 20 May 2019 @ 3:17pm

          Re: Re:

          Yes. If researching new trade secrets, starting up a company, building strategic plans, there is expectation that some things are confidential. Without this the major tech players can simply keep a finger to the pulse and rip off innovative development before competitor brings it to market. Complete transparency breaks the market.

          On personal level the media routinely takes partial statements out of context. Complete transparency provides too much opportunity for character assassination, a trend we see increasing in use to destroy livelihood of the population speaking out against establishment politics.

    • ECA, 20 May 2019 @ 1:29pm

      Re: Who to depend on?

      So..Who would you depend on..
      Do you understand that the programming of devices ISN'T set up At the maker/builder..
      In the USA you have 5 people in a New corp, design and send the data TO China. It is up to those 5 people to Evaluate the product BEFORE, they have it shipped TO the USA for sales.

      Go look up the 'BARBIE', that was connected to the internet. That listened to Everything in the house. That the Corp said Saved the data and shipped it, so that the Corp could Adjust and fix any REMOTE problem, and improve the language..
      Look around your home, and Find 1 thing, that IS MADE in the USA, that is IOT.. Don't look at the Flower pot, that Connects to your Router to tell you the DIRT NEEDS WATER...
      Look at all the Security cameras, that HAVE TO HAVE A REMOTE ACCESS TO ANOTHER COMPANY, to save pictures and video, and send them to your phone.. I would rather have a Small wireless NAS in my home that would Save the data, and a Rasp Pi, to send the data DIRECT to my phone..

  • tom, 20 May 2019 @ 8:38am

    Most 'Smart' devices are designed to spy on the end purchaser. No hack needed. Whether it is your viewing habits, things you buy, how often you leave the house, etc, the data is being collected, aggregated with other data, and the result sold to other companies.

    All one has to do is look at Facebook and Google's announcements about future 'features' to learn some of the things the data is being used for. I think it was FB that recently announced a 'Who you are about to meet with' feature being worked on.

    If they know who you are about to meet with, very likely they know who your kids are about to meet with.

    And it is likely that most folks have little idea this data collection is happening. After all, for most people, things like TVs, refrigerators, microwaves, etc are passive gizmos. Not even in their thoughts that the new TV is spying on them.

    And most Congress critters are still buying the 'Computer companies needs special laws that exempt them from normal laws' line that was bought off on when Microsoft was still a small upstart company competing with IBM for the OS market.

    • Kellyanne Conway, 20 May 2019 @ 10:33am

      Re:

      See .... I told you so !!!!

      Everyone laughed at me for suggesting Obama was spying on Donald via the microwave oven that is capable of turning into a camera.

    • ECA, 20 May 2019 @ 3:05pm

      Re:

      Consider..
      Cellphone with full remote access to your GPS..
      (it's said it can be turned on remotely..)
      Any device that has a NAME to respond to..
      Google, Windows, Iphone..Name it, even your barbie.
      Your car have a NAV system?? A built in computer to ask directions?? or do other things..

      What would it take to LET IT, talk directly to the cellphone system...NOT A LOT... how about bypass your Router password..NOT A LOT...(most people don't change the orig passwords..) ADMIN/PASSWORD will get you into 50% of them.

      Do you really know what's in your Hardware?? how easy it is to install a BUG..software or hardware..
      DON'T ASK.. you won't like it.

  • norahc, 20 May 2019 @ 9:25am

    From the government's viewpoint, the lack of security in the IoT is a valued feature, not a threat or a bug.

    • Anonymous Coward, 20 May 2019 @ 10:23am

      Re:

      Have you ever watched Congress question a tech executive? I'm not confident that they could spell IoT let alone tell you what it means.

      Plus, why would they care about my connected light bulbs and garage door opener when the greatest spy device ever is in almost everybody's pocket and contains GPS, a camera, a microphone, and logins to every service imaginable?

      • Anonymous Coward, 20 May 2019 @ 10:37am

        Re: Re:

        The Government != Congress

        One is a small part of the other.

        You are correct in that Congress does not care about your IOT devices, they care about the kickbacks they get from industry in return for not regulating the IOT POS.

      • Anonymous Coward, 20 May 2019 @ 11:09am

        Re: Re:

        I've tried to watch it but every time I do all I hear is "Entrance of the Gladiators".

      • Anonymous Coward, 20 May 2019 @ 12:42pm

        Re: Re:

        and one more thing ... not all congress members are the same - DUH

        Some of them actually hire knowledgeable and experienced people to fill the staff positions thus allowing them access to technical details, analyses and possible actions that make sense. I know, it's hard to believe but it happens.

  • Glenn, 20 May 2019 @ 1:38pm

    Action? I don't know... fatalities every year related to Daylight Saving time change (spring forward) haven't resulted in any action whatsoever. Maybe something will happen if you can show a loss in profits associated with it (fines, for example).

    • Anonymous Coward, 21 May 2019 @ 9:42am

      Re:

      I was unaware of fatalities related to any sort of time change, are there any details?
