News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Dangers of Home "Smart" Devices

    Posted on MrJimPhelps Comment on the AskWoody Lounge

    Tagged: ,

    This topic contains 13 replies, has 5 voices, and was last updated by  Kirsty 2 years, 4 months ago.

    • Author
      Posts
    • #92844 Reply

      MrJimPhelps
      AskWoody_MVP

      One of the current dangers out there with all of the “smart” devices in your home is that they can be taken over by hackers, usually very easily. The problem is, most of these “smart” devices have very poor security built in; that’s why it is easy for hackers to take control of them.

      http://www.pcworld.com/article/3118763/security/hackers-found-47-new-vulnerabilities-in-23-iot-devices-at-def-con.html

      http://ns.umich.edu/new/multimedia/videos/23748-hacking-into-homes-smart-home-security-flaws-found-in-popular-system

      Once that happens, your “smart” devices have become “bots”, part of a “botnet”, available to the hacker for launching attacks.

      The hacker then waits till someone pays him to launch a DoS (Denial of Service) attack against someone; he will then instruct his “botnet” to start sending traffic to the target of his attack. So much traffic will go to the target that it will overwhelm his network and shut him down.

      Thousands of different “smart” devices could be part of the “botnet”, so it will be next to impossible to determine where the attack is originating from.

      There is also the danger that a hacker could use your “smart” devices to spy on you, or install ransomware on them, making you pay to regain control of your device.

      Do you really need “smart” light bulbs, “smart” electrical outlets, a “smart” refrigerator, a “smart” door lock, or a “smart” thermostat? The only real benefit to having these “smart” devices is that you gain some convenience in your life. But at what cost?

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
      4 users thanked author for this post.
    • #92903 Reply

      MrJimPhelps
      AskWoody_MVP

      Some other negatives with “smart” home devices:

      * They complicate your life. In order to adjust your “smart” thermostat, you’ll need to connect it to your home network, run the app on your smart phone, and adjust it. Why not just walk over to the thermostat and adjust it?

      * Someone could pick your lock and walk right into your house, if they hack your “smart” door lock.

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
      2 users thanked author for this post.
    • #93088 Reply

      JohnR
      AskWoody Plus

      Why bother with the Internet of Things at all? There is no need for any of these ‘smart’ devices. It is just a marketing exercise to sell stuff to people who don’t need it. The IoT for homes is a solution to a problem that doesn’t exist. It may have some uses in large commercial premises to (for example) reduce energy consumption, but all the devices will have to be much more hack-proof than they appear to be at present. The Iot will probably cause more problems than it solves.

      4 users thanked author for this post.
    • #93242 Reply

      Doug Terborg
      AskWoody Plus

      Some other negatives with “smart” home devices:

      * They complicate your life. In order to adjust your “smart” thermostat, you’ll need to connect it to your home network, run the app on your smart phone, and adjust it. Why not just walk over to the thermostat and adjust it?

      * Someone could pick your lock and walk right into your house, if they hack your “smart” door lock.

      The idea of “walking over and adjusting it” is nice…if you are home.

      The reason many people want a smart thermostat is because they aren’t home. So if they’re getting home an hour earlier than usual, they can turn it up. Or if it’s summer, and the temperature soars unexpectedly, they can turn on the AC so their pets don’t go into heat exhaustion mode. These are the kinds of reasons I have a (basic) smart thermostat. Mine isn’t the level of a Nest or an Ecobee, but it does let me do a few basic things remotely.

      Of course, I also have a business-level firewall at home, and am hoping to put devices like this on a VLAN to prevent them from talking with my regular network. But I know that’s not always feasible for the average user. What really needs to happen is that IoT vendors need to start with security as the baseline for their products.

      1). Not allowing a blank or default password; forcing a change the first time the system is set up through the actual setup process.
      2). Ensuring logins to the device use encrypted standards (these days, TLS 1.1/1.2) so that nothing is sent in clear text.
      3). Enforcing strong passwords (and then just providing the user with a note card in the box to write it down to store somewhere, and/or a way of recovery that isn’t insecure).
      4). Regular audits of code by either QA or a third-party contractor under NDA to ensure their devices can’t be hacked trivially.

      We are SysAdmins.
      We walk in the wiring closets no others will enter.
      We stand on the bridge, and no malware may pass.
      We engage in tech support, we do not retreat.
      We live for the LAN.
      We die for the LAN.

      2 users thanked author for this post.
      • #93253 Reply

        MrJimPhelps
        AskWoody_MVP

        LoneWolf:

        You make some good points.

        As you said, they MUST do better with security on these devices. But from what I’ve read, the rush to get them to market works against taking the time to make sure that they have good security features.

        Jim

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
        3 users thanked author for this post.
    • #111364 Reply

      Kirsty
      Da Boss

      A new article on zdnet.com today, discussing passwords and security on IoT.

      No wonder there has been an endemic of cyberattackers hijacking Internet of Things (IoT) devices when default passwords are this poor and users aren’t bothering to change them — or worse, don’t have the option to.

       
      With the increase of botnets such as Hajime and Mirai, and malware like BrickerBot, now is not the time for complacency or default passwords!

       
      Good reading from zdnet.com on IoT security, in addition to today’s link above:

      Hajime:
      http://www.zdnet.com/article/a-mysterious-botnet-has-hijacked-thousands-of-devices/ (April 26, 2017)
      BrickerBot:
      http://www.zdnet.com/article/homeland-security-warns-of-brickerbot-malware-that-destroys-unsecured-internet-connected-devices/ (April 19, 2017)
      Mirai:
      http://www.zdnet.com/article/mirai-botnet-attack-hits-thousands-of-home-routers-throwing-users-offline/ (November 29, 2016)

      • #112743 Reply

        MrJimPhelps
        AskWoody_MVP

        With the increase of botnets such as Hajime and Mirai, and malware like BrickerBot, now is not the time for complacency or default passwords!

        Kirsty, it’s so bad with these devices that I would say that “now is not the time for IoT devices.”

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
        3 users thanked author for this post.
        • #112765 Reply

          Bill C.
          AskWoody Plus

          Best advice yet!!!

          Unfortunately, I believe the ‘convenience’ will slowly addict the users and there they go. I am not a ‘tin-foiler’ but not building doors is more effective than locking them.

          I am becoming a true believer in that which is connected, can be hacked. Maybe not by the local tech fan or prankster, but there is always someone better financed, with an ulterior motive, to make it worth their while. Why give them a new tool.

          I never gave network access to my smart TV for that reason. It can access the net only, but has never been given access to the network group or any PC or device.

          1 user thanked author for this post.
        • #112801 Reply

          Kirsty
          Da Boss

          @mrjimphelps
          I came across something that pricked up the ol’ ears… It will be interesting to see its impact (launched Feb. 20, 2017):

           
          KasperskyOS (11-11)
          https://eugene.kaspersky.com/2017/02/20/qa-on-11-11/

          “We’ve officially launched a secure operating system for network devices, industrial control systems, and the IoT.

          What matters most for Linux, Windows, macOS and the like is compatibility and universality. The developers do their utmost to popularize their solutions by oversimplifying app development and toolsets. But when it comes to our target audiences (hardware developers, SCADA systems, IoT, etc.), this approach is a no-go: What matters most here is security.”

           
          Might be worth adding to your reading list?

          • #112815 Reply

            MrJimPhelps
            AskWoody_MVP

            The danger with IoT has always been that these devices connected directly to your network (router), but they had little to no security. This enabled hackers to get onto your network with ease.

            What has been needed has been a secure gateway for these devices to connect through. If the CloudFlare or Kaspersky systems do what they say they do, then this should secure you from all but the most highly-skilled hackers.

            I’m guessing that you’ll need a separate computer for the Kaspersky or CloudFlare OS, and that the IoT devices will then connect through that computer.

            Even with all that, I still don’t want to have an “online” house. My home is my refuge, my place to disconnect and to be with my family. Sorry, no internet house for me.

            Group "L" (Linux Mint)
            with Windows 8.1 running in a VM
            3 users thanked author for this post.
        • #112803 Reply

          Kirsty
          Da Boss

          Cloudflare Orbit is now available for IoT manufacturers to deploy security – it will be interesting to see how long until protection like this becomes commonplace, if not demanded by customers:

           
          I*oT protection by Cloudflare
          https://www.cloudflare.com/orbit/

          Technology is changing — shifting towards a world where low cost, connected chips power products used by billions of people around the world. Everything from jet turbines and oil rigs, to cars, cameras, and clothing are coming online. And while these tiny chips unlock incredible potential, they are a liability if not secure.

          When PC vulnerabilities are discovered, software vendors issue a patch, which end users are required to download and install. These patches keep PC software up-to-date and secure. IoT devices also require patches, but the PC security model can’t scale to 22 billion devices; IoT manufacturers often haven’t built over-the-air (OTA) update mechanisms and are terrified that updates will brick a user’s device. In the meantime, consumers never think about having to upgrade their internet-connected “toaster.”

          Cloudflare Orbit solves this problem at the network level by creating a secure and authenticated connection between an IoT device and its origin server. Orbit takes the Internet out of IoT: Behind Orbit, devices are I*oT.

          Orbit allows device manufacturers to instantly deploy “virtual patches” and block vulnerabilities across all devices on the network simultaneously. This keeps malicious requests from reaching devices, buys time for IoT manufacturers to carefully QA their updates, and keeps devices from leaking data or launching DDoS attacks…

           
          Read the rest here

          1 user thanked author for this post.
    • #116072 Reply

      Kirsty
      Da Boss

      The Looming Threat of Health Care IoT Devices
      May 15, 2017 | By Michael Ash

       
      Are Health Care IoT Devices Secure?
      …a complete inventory of all IoT devices must become part of an overarching security risk assessment. You cannot manage or control what you don’t know exists. Only an assessment can yield this kind of information, with details on each device.

      As more IoT devices enter the hospital, they need be systematically cataloged and incorporated into the broader security-focused inventory. As part of the risk assessment, consider conducting penetration tests of IoT devices — the results of which can serve as proof points for gaining support for security measures.

      For practical purposes, there is no holding back the flood of IoT devices, both authorized and otherwise. The best security strategy is to get out front of this wave with practices and governance designed to secure what is already in place as well as what’s coming.

       
      Read the full article, and access podcast series on IoT Security on securityintelligence.com

      • #116181 Reply

        MrJimPhelps
        AskWoody_MVP

        In hospitals, there are two kinds of IoT devices: those purchased by the hospital for patient care, and those increasingly brought into the workplace as convenience devices. Both types are often linked directly to the hospital’s Wi-Fi, which is often part of a flat network topology connecting all the hospital’s digital devices. It is entirely possibly for cybercriminals to gain access to that network via the less secure convenience devices.

        The “looming threat” is that the hospital allows people to bring their own devices and connect them to the corporate wifi. If they do that, they are vulnerable to attack — no question — and it will be difficult to defend against these attacks.

        They could very easily stop this “threat” by not allowing ANY devices to get onto the network in any way, unless they are first checked by the IT dept and then whitelisted. With the sensitive information that hospitals deal with on a daily basis, they cannot afford to allow these vulnerabilities into their network.

        Another way would be to implement a system like Cisco ISE, which, when set up correctly, totally locks down everything on the network, allowing only legitimate devices to have access. But Cisco ISE is very expensive.

        As the author stated, if you must allow non-verified devices onto the network, you could set up a totally separate network, unconnected to the hospital’s working network, to allow people to get onto the internet with their iPhone or personal laptop. But that’s a lot of money to be spending just to appease employees who are demanding to be able to use their own personal devices on the company network.

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
    • #117838 Reply

      Kirsty
      Da Boss

      EU chipmakers propose IoT cybersecurity baseline ahead of new regulations

      Liam Tung (CSO Online) | 23 May, 2017

       
      European semiconductor makers have agreed on a proposal to standardize Internet of Things (IoT) cybersecurity.

      Infineon, Qualcomm-owned NXP, STMicroelectronics, and the EU Agency for Network and Information Security (ENISA) have released a joint proposal to introduce baseline cybersecurity for connected things.

      The semiconductor makers agreed that a European scheme for IoT security certification and labelling should be evaluated by the European Commission (EC).

      The EC should also encourage the development of “mandatory staged requirements” for IoT security and privacy through new European legislation, the organizations said in a position paper aimed at policy makers as Europe prepares to introduce new IoT cybersecurity laws.

      The paper outlines support for the proposed “Trusted IoT” cybersecurity labelling system, akin to Europe’s CE labeling for products sold in the EU. It also supports the introduction of minimum security requirements and standardized security processes and services.

      They also want an incentive system to reward IoT device makers that improve cybersecurity and a framework to correct the “market failure” in IoT cybersecurity and privacy reflected by the unwillingness of suppliers and buyers to pay extra for security.

       
      Read the full article here

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Dangers of Home "Smart" Devices

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.