
Another reason why the IoT may not be that good an idea ...


jaclaz


The tech law podcast This Week in Law recently discussed an Internet-connected refrigerator. The brief discussion begins at 1:33:54:

Quote

I mentioned a while ago that I had purchased a new Samsung refrigerator and talked about it in the context of the Internet of Things, as it has a video display on the refrigerator that's actually Internet-connected and it delivers you things like recipes and news and weather. And -- importantly for what I'm about to let you know -- it delivers your e-mail and a calendar, if you put your Google credentials into it.

So, over at Techdirt, they've written up the fact that some security researchers (at Samsung's urging actually), trying to find vulnerabilities in the system -- Samsung invited them to try and find things that might be wrong. And lo and behold, they did find that at least the Google integration part of it was vulnerable to man-in-the-middle attack, that if someone could get on your network they could potentially steal your Gmail login information -- from your refrigerator! So our Tip of the Week is: beware of fridges with superfluous tiny speakers, which this particular one has. In addition to integrating with Gmail, it also integrates with Pandora and plays music through its ridiculously small speakers next to the water and ice dispenser.

So the good news is that Samsung is aware of this, that they invited folks to kick around on their system and find vulnerabilities, and having found them, presumably they will patch and fix them. But for anyone who is rushing out to join me in the ranks of owners of a refrigerator that is actually connected to the Web and this particular brand of refrigerator, just know that it is subject to this vulnerability

Here's the article referenced in the podcast. The writer's conclusion there:

Quote

These endless IOT security issues may have the opposite effect of that intended: actively marketing the need for many devices to be dumber. And those dumb devices are getting harder to find. Many of the latest and greatest 4K television sets, for example, simply can't be purchased without intelligent internals that integrate functionality the user may not want. So while Wired magazine's endless 1990's obsession with intelligent refrigerators may have finally come to fruition, they may be unwitting pitchmen for how sometimes it's better for things to simply remain utterly analog -- and beautifully, simply stupid.

:thumbup

--JorgeA



Scotts Miracle-Gro unveils open 'Gro' Internet of Things platform for the connected smart yard

Apparently, this is not a joke!

Quote

Yes, many homeowners have yards -- grass, gardens, ponds, and more -- where they can enjoy the outdoors and spend time with family. If the inside of your home can be "smart", why can't your yard? Well, good news, folks -- Scotts Miracle-Gro is launching an open IoT platform, called 'Gro', that focuses on the outdoors. Yes, the connected smart yard is here.

--JorgeA

 


And this one -- be mindful of where you are located when you view this:

Spoiler

How to hack a sex toy: tech firms warn public on growing cyber-risks

Quote

HANOVER, Germany (Reuters) - It's not just computers and mobile phones that are vulnerable to cyber attack, according to software firm Trend Micro. As more devices are hooked up to the Internet, it could be anything from medical equipment to industrial machinery - and even sex toys.

To illustrate the point, Trend Micro spokesman Udo Schneider surprised journalists at a news conference this week by placing a large, neon-pink vibrator on the desk in front of him and then bringing it to life by typing out a few lines of code on his laptop.

 

 

:whistle:

--JorgeA

 

Edited by JorgeA
add spoiler

It's official, PSA here:

http://www.ic3.gov/media/2016/160317.aspx

many, many pearls of wisdom in it.

Particularly in the context of a risk of a Wi-Fi or however radio carried intrusion, I would like to cite/highlight:

Quote

4. Be aware of who has physical access to your vehicle

In much the same way as you would not leave your personal computer or smartphone unlocked, in an unsecure location, or with someone you don’t trust, it is important that you maintain awareness of those who may have access to your vehicle.

jaclaz


And now, radio amplifier attack:

http://www.telegraph.co.uk/technology/2016/03/23/hackers-can-unlock-and-start-dozens-of-high-end-cars-through-the/ 

Models that can be hacked

  • Audi: A3, A4, A6
  • BMW: 730d
  • Citroen: DS4 CrossBack
  • Ford: Galaxy, Eco-Sport
  • Honda: HR-V
  • Hyundai: Santa Fe CRDi
  • Kia: Optima
  • Lexus: RX 450h
  • Mazda: CX-5
  • Mini: Clubman
  • Mitsubishi: Outlander
  • Nissan: Qashqai, Leaf
  • Opel: Ampera
  • Range Rover: Evoque
  • Renault: Traffic
  • Ssangyong: Tivoli XDi
  • Subaru: Levorg
  • Toyota: Rav4
  • Volkswagen: Golf GTD, Touran 5T

https://www.adac.de/infotestrat/adac-im-einsatz/motorwelt/test_keyless.aspx

jaclaz


And, it had to happen, before or later:
https://cve.mitre.org/

Quote

The recent explosion of Internet-enabled devices—known as the Internet of Things—as well as the propagation of software-based functionality in systems has led to a huge increase in the number of CVE requests we have been receiving on a daily basis. We did not anticipate this rate of growth, and, as a result, were not as prepared for the latest surge in requests over the past 12 months as we had hoped. The result has been some of the delay in CVE assignments that the software security community has recently witnessed. We recognize the inconvenience that has resulted, and are working hard to come up with a solution. Last week, we proposed a possible option to our CVE Editorial Board, but some members raised concerns about the approach, and we have withdrawn it from consideration. We are working diligently to come up with a solution that will meet the needs of all the various use cases of CVE.

more or less "there are too many bugs in the wild and we cannot even list them in a timely fashion anymore".
jaclaz


I just understood how this thread and overall this "consolidating" or "mono-themed" approach is considered not welcome/advised on MSFN, see:

I apologize for any inconvenience, sorry :(.

A moderator/Admin will hopefully soon close this thread in order to minimize possible further disruption or disturbance to the intended way of working of the board.

jaclaz


Just now, Tripredacus said:

This thread is fine for now. :P

And it will remain fine, at least - with this one time exception - personally I am not going to make it longer.

jaclaz
 

