IOT and Security

[AntonK]

More evidence that the Internet of Things sucks: Discarded smart light bulbs reveal your wifi passwords, stored in the clear.

Anton

 

[umarmung]

One more reason to segment your network and treat IoT networks as highly untrustworthy. Shame most consumer routers and stock software provide little to no tools to help typical users.

Btw, LIFX eventually fixed that problem: https://www.lifx.com/pages/privacy-security

Oddly enough, this is also a slight advantage of bridge technologies rather than every single IoT device using WiFi directly, so increasing the threat surface with every new device.

 

[sfx2000]

One more reason to segment your network and treat IoT networks as highly untrustworthy. Shame most consumer routers and stock software provide little to no tools to help typical users.

I think one of the more scary things is not just the devices, but the Apps on smartphone - nobody has really taken a close look at the apps - a misbehaving app could compromise a lot of personal info stashed in the smartphone.

If the device maker isn't doing security well on the device, it's reasonable to assume that they're equally bad at the apps.

 

[sbsnb]

If the device maker isn't doing security well on the device, it's reasonable to assume that they're equally bad at the apps.

I assume that whomever developed the underlying operating system is working to enable such data theft, especially when their business model is monetizing personal information. I can't see any rational way to assume otherwise since the lack of security is plainly obvious to any competent person in the field.

Better to treat these devices as hostile.

 

[Butterfly Bones]

I think one of the more scary things is not just the devices, but the Apps on smartphone - nobody has really taken a close look at the apps - a misbehaving app could compromise a lot of personal info stashed in the smartphone.

If the device maker isn't doing security well on the device, it's reasonable to assume that they're equally bad at the apps.

Amen, serious privacy / security issues just identified.
https://techcrunch.com/2019/02/06/iphone-session-replay-screenshots/

Who knows what else is doing this on Apple or Android operating systems, that no one knows, including directly from Google, Apple, Samsung, Huawei, etc., etc.

 

[FatherLandDescendant]

One more reason to segment your network and treat IoT networks as highly untrustworthy. Shame most consumer routers and stock software provide little to no tools to help typical users.

That's why you VLAN a secondary router just for IOT devices. I only use wireless for my IOT and phone, the rest of my network is hardwired.

I think one of the more scary things is not just the devices, but the Apps on smartphone - nobody has really taken a close look at the apps - a misbehaving app could compromise a lot of personal info stashed in the smartphone.

If the device maker isn't doing security well on the device, it's reasonable to assume that they're equally bad at the apps.

I've never trusted putting personal info into my phone. I do very little on the internet with my phone, solves those kind of problems all together.

 

[sbsnb]

I've never trusted putting personal info into my phone. I do very little on the internet with my phone, solves those kind of problems all together.

That's why I'll never use an app for something that can be done in a browser. I do not need to give Walmart access to my phone just to check prices - I can do that on walmart.com thank you. You'd be surprised how few apps you "need" if you do things that way.

 

[FatherLandDescendant]

That's why I'll never use an app for something that can be done in a browser. I do not need to give Walmart access to my phone just to check prices - I can do that on walmart.com thank you. You'd be surprised how few apps you "need" if you do things that way.

Doubt I'd be surprised, that's the way I do it myself

I have an app on my phone for reading the plugin I have in my trucks OBD2 port, Flipboard (gives me something to read when I'm waiting out somewhere), a TomTom app (so I can do hands free calls when using my GPS), Alexa and Eufy apps (IOT), and a weather radar app (so I can check storms when I'm fishing), and that's it.

 

[System Error Message]

More evidence that the Internet of Things sucks: Discarded smart light bulbs reveal your wifi passwords, stored in the clear.

Anton

i've been in this position in a job before, they fired me and refused to listen to me in regards to design, they were storing passwords in the clear in the database and wanted to make a multi services multi currency gateway, money/finance related.

The fault isnt in IoT but the idiots who design them, i'd say the same about dlink too.

 

[FatherLandDescendant]

they were storing passwords in the clear in the database and wanted to make a multi services multi currency gateway, money/finance related.

It's all about the data they can harvest, they don't care about the users security...

 

[sbsnb]

i've been in this position in a job before, they fired me and refused to listen to me in regards to design, they were storing passwords in the clear in the database and wanted to make a multi services multi currency gateway, money/finance related.

The fault isnt in IoT but the idiots who design them, i'd say the same about dlink too.

I worked for a company that produced software to track employee attendance via proximity cards. I discovered that they left the user/pass to the database in the clear in the config files. When I reported it they told me it was no big deal because nobody was going to abuse it at a customer's site. So I wrote a little cron script that clocked me in and out of work at the appropriate times without me even having to be at work To make sure it didn't look scripted I chose a random time that was plus or minus 5 minutes from the target times.

That taught me how seriously some businesses take security.

 

[BenNoir]

My Home security cameras are hardwired and isolated on a LAN which provides no access to the Internet, and further only allows cameras to talk to the camera DVR (not to each other). Special firewall rules allow limited access from the general network to the camera DVR. Camera's are poorly protected and make excellent attack platforms for the rest of your network. Any setup where you can access your cameras through a cloud service means others can as well.

Personal devices like phones should only be connected via a guest network. Don't give them rich access to your networks needlessly. We have separate Guest and General Purpose SSIDs. If you really really need to have an phone access other devices on your LAN, then it can connect to the GP LAN. Friends or family who normally just need Internet access should be directed to the Guest network.

Home automation devices should also be confined to a subnet with no Internet reachability. Interaction between HA devices is generally a requirement. Interaction between the HA LAN and GP LAN should be as limited as possible.

I also isolate multi-media devices (Roku, Apple TV, TV DVRs, ) onto dedicated LANs. These devices need access to the Internet, but should not be allowed to access non multi-media devices. This is an excellent LAN to watch network traffic and pi-hole obvious data mining traffic. Smart switches can be used to VLAN isolate device families together thus preventing one owned device from attacking all multi-media assets. I avoid attaching TV monitors, DVD players and other devices to the Internet just because they have an RJ45 plug or wireless capability. Today everybody wants to collect your usage data.