  #1  
8 March 2017, 11:49
CV
Internet of Things (IoT)

In light of recent disclosures, I've been getting asked more about IoT devices such as Smart TVs, and others that connect to the internet (Fitbit, Xbox, and even light bulbs).

As everything moves towards being internet-connected, previously mundane items are now connected to the world. These devices have an operating system on them that facilitates either an Ethernet or wireless (WiFi or Bluetooth) connection.

The two major problems with IoT in general are that there's a rush to get it to market before any meaningful testing is done, and they are rarely (if ever) updated after being manufactured.

Keep awareness about anything you connect to WiFi (that includes your phone, when you're trying to save those minutes). You're connecting a device that may have sensitive information to the greater world. Even if you don't have sensitive information, your device can be used to pivot to other resources, or even amplify other activities (look up Mirai botnet via home routers).

Should you freak out? Not necessarily. Just understand the risks, and try to keep your devices updated where possible. Make demands of manufacturers to fix their shit and get it correct before going to market.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo


  #2  
8 March 2017, 12:54
HighDragLowSpeed
Some IoT devices have mics and cameras on them. What could go wrong?

In 2015, I almost bricked my own TV trying to get some... umm... let's just say... "unapproved code" to run on that bastard.

http://socnet.com/showthread.php?t=125175

I was lucky to recover from that experiment but it did give a feel for what can be done. Permanent note to self: buy separate devices to futz around on. Haha.
__________________
"I know of no country in which there is so little independence of mind and real freedom of discussion as in America." - de Tocqueville, 19th century

God made machine language; all the rest is the work of man.
  #3  
8 March 2017, 13:46
usmc_3m
And those operating systems can be exploited just like every other OS. But, but... it's a device. Right.

Totally agree with your statements CV. Pressure needs to be applied to the vendors to implement an SDLC that includes system design, secure defaults, incident handling and patch releases. Hopefully the industry fixes itself before .gov decides to pass yet more legislation on this topic. Schneier and others suggested this a few months back - I think it's a bad idea. We already have enough compliance crap to deal with.

Then there is the Industrial IoT. Which is another problem - but no better. In these scenarios, you have systems with legacy code bases and insecure OS configs that are full of vulns and - by classification - cannot be managed or patched like traditional IT systems. Or PLC/ICS systems that are also easy to exploit once access is attained. As "Industry 4.0" takes shape, and the integration of these environments into enterprise IT occurs - it's gonna be "fun". At least we'll have job security...
__________________
"He who does not punish evil commands that it be done." -- Leonardo Da Vinci
  #4  
8 March 2017, 15:16
Purple36
I refuse to buy smart devices, Alexa, etc. Worse, there are children's toys that are smart and collecting data.
__________________
- Faith involves believing in the veracity of the unprovable and unobservable, whether that consists of religion or theoretical physics, which at the very subatomic level start looking rather similar. -ET1/SS Nuke
  #5  
8 March 2017, 15:19
CV
Quote:
Originally Posted by Purple36
I refuse to buy smart devices, Alexa, etc. Worse, there are children's toys that are smart and collecting data.
Not a bad policy. It's fairly interesting just how much data those devices can divine about your patterns-of-life.
  #6  
8 March 2017, 16:46
Fubar
Quote:
Originally Posted by usmc_3m
At least we'll have job security...
Indeed.
__________________
"The nice thing about Twitter, in the old days when I got attacked it would take me years to get even with somebody, now when I'm attacked I can do it instantaneously, and it has a lot of power. You see some genius statements on Twitter. You see some statements coming out which are Ernest Hemingway times two." - The Trumpmeister
  #7  
8 March 2017, 16:48
Fubar
Quote:
Originally Posted by usmc_3m
At least we'll have job security...
As long as we have IT Mexicans writing code for IoT, we'll always have job security.
  #8  
13 March 2017, 11:19
lowercaseb
Another aspect to consider is the cloud component. If you have devices like baby video monitors that you can view locally and from the cloud, it's best to keep it local and disable internet access for those devices at your router.

We've seen instances where you crack them open, extract the firmware, and discover that the cloud encryption keys are static, and shared across all their devices.
Reply With Quote
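
The shared-key finding described in the post above can be turned into an audit check a vendor or tester runs over firmware images taken from several units. This is an added example, not part of the original thread; it assumes the images are already in hand and that the key is stored PEM-encoded, and the serial numbers and key bodies are constructed placeholders.

```python
import hashlib
import re
from collections import defaultdict

# Matches PEM-armoured private keys only; raw or DER-encoded keys need other checks.
PEM_KEY = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.+?)-----END \1-----", re.DOTALL)

def key_fingerprints(image: bytes) -> set:
    """SHA-256 of every PEM private-key body in one image, whitespace removed
    so that different line wrapping does not hide a match."""
    return {hashlib.sha256(b"".join(m.group(2).split())).hexdigest()
            for m in PEM_KEY.finditer(image)}

def shared_keys(images: dict) -> dict:
    """Return {fingerprint: [serials]} for keys found on more than one unit."""
    seen = defaultdict(set)
    for serial, image in images.items():
        for fp in key_fingerprints(image):
            seen[fp].add(serial)
    return {fp: sorted(units) for fp, units in seen.items() if len(units) > 1}

def _image(serial: str, key_body: bytes) -> bytes:
    """Constructed stand-in for a firmware dump: header, padding, one PEM key."""
    return (b"FWIMG" + serial.encode() + b"\x00" * 32 +
            b"-----BEGIN PRIVATE KEY-----\n" + key_body +
            b"\n-----END PRIVATE KEY-----\n" + b"\xff" * 16)

# Constructed sample data: placeholder key bodies, not real key material.
FLEET_KEY = b"Q09OU1RSVUNURUQtRkxFRVQtS0VZLUJPRFk="
SAMPLE_IMAGES = {
    "SN001": _image("SN001", FLEET_KEY),
    "SN002": _image("SN002", FLEET_KEY[:16] + b"\r\n" + FLEET_KEY[16:]),  # rewrapped
    "SN003": _image("SN003", b"VU5JUVVFLVBFUi1ERVZJQ0UtS0VZ"),
}

if __name__ == "__main__":
    for fp, units in shared_keys(SAMPLE_IMAGES).items():
        print(f"key {fp[:16]}... is present on {len(units)} units: {', '.join(units)}")
```

Any fingerprint reported for more than one serial number means the key is not per-device, so a compromise of one unit exposes every unit that carries it.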