[personal profile] solarbird

The Internet of Things is not a good thing, at least not in its current form. Events like this are why:

Record-breaking DDoS reportedly delivered by >145k hacked cameras
Ars Technica
Dan Goodin – Sep 29, 2016 12:50 am UTC

Last week, security news site KrebsOnSecurity went dark for more than 24 hours following what was believed to be a record 620 gigabit-per-second denial of service attack brought on by an ensemble of routers, security cameras, or other so-called Internet of Things devices. Now, there’s word of a similar attack on a French Web host that peaked at a staggering 1.1 terabits per second, more than 60 percent bigger.

Internet-of-things makers are paying no attention to security, and provide no way for users of these devices to pay attention for them – or to fix them if, somehow, the people who own these devices actually figure out what’s going on. Even realising it’s happening isn’t easy to do; for most people, it’s functionally impossible.

It’s not like you can say, “oh, just put the software in ROM so it can’t be changed ever.” These things are going to send data out, that’s what they’re for, and you can’t have customers be unable to give it a destination for that data.

The part that pisses me off the most is that makers of combination locks have been managing to send out randomised access codes for literally generations, and yet, the makers of these devices are still shipping them with stock passwords. Do you think we at least manage to get up to the safety and security of a middle-school locker Master Lock here? Apparently, no! Not yet.

jfc, 1.1 terabits. It’ll be a terabyte in another two years, all on devices somebody attached to a wall or put in a cabinet and will never look at again until it breaks. I can’t wait ’till we’re being DDOSed by ‘smart’ lightbulbs. What a clusterfuck.

Mirrored from Crime and the Blog of Evil. Come check out our music at:
Bandcamp (full album streaming) | Videos | iTunes | Amazon | CD Baby

Date: 2016-09-29 04:58 pm (UTC)
From: [personal profile] vatine
I have not checked other cameras, but it seems that my Sony ActionCam comes with a randomised passphrase for connecting to it. Not sure if it's related to the MAC or not, not sure if it's the same random-looking gibberish for any other cameras.

But it seems to be an existence-proof that it's possible, so I can only say "others, you are not as good as you could have been".

Date: 2016-09-29 05:09 pm (UTC)
From: [personal profile] vatine
Yep. Non-trivial problem to solve, in so many dimensions. I mean, I can (on a purely intellectual level, not in any sympathetic manner) understand the business that goes "shove it in, ship it; doing it properly means we are too late to market and cuts N% of our profit margin".

But the flip-side of that is that that very decision is not very different from "let's use these horrible chemicals we know are horribly toxic, because it's cheap and quick", at least on some level.

Date: 2016-09-29 05:24 pm (UTC)
From: [personal profile] vatine
I think you're right. The only difference I can see is that on one side we're talking about bits, on the other atoms. In terms of real harm, there's about the same scope for both of those.

Legislation pushing back some culpability on manufacturers making network-connected devices with substandard security may well be the way to make noticeable progress.

Date: 2016-09-30 08:43 pm (UTC)
From: [personal profile] oh6
It's getting to the point where these devices ought to have some kind of UL listing with respect to security.
