topic Re: Don't throw away your smart lightbulbs ... in Industry News

Don't throw away your smart lightbulbs ...

rslade — Tue, 05 Feb 2019 16:47:04 GMT

... or smart anything else in the IoT world.

Pretty much every single IoT device you have connects to your wifi. And therefore knows your wifi credentials. And where (and how) do they store your network SSID and password?

Re: Don't throw away your smart lightbulbs ...

wimremes — Wed, 06 Feb 2019 12:35:16 GMT

I don't know how this works in the US but here I bring light bulbs and other electronics to a specific location. From there, an adversary would have to :

(a) gain access to the location and find "my" bulb.

(b) extract the passwords

(d) sit outside my door (there is no obvious line of sight location that would give them distance)

(e) profit?

Given a dedicated IoT SSID when push comes to shove, I guess I'll be fine.

Re: Don't throw away your smart lightbulbs ...

rslade — Wed, 06 Feb 2019 18:38:04 GMT

> wimremes (Newcomer III) posted a new reply in Industry News on 02-06-2019 07:35

> I don't know how this works in the US but here I bring light bulbs and other
> electronics to a specific location.

Ah, yes, but where does it go after that?

And, from teaching in the States, I know that most USians are not real big on
recycling, so dead smart lightbulbs become yet another treasure for dumpster
divers.

> From there, an adversary would have to : (a)
> gain access to the location and find "my" bulb. (b) extract the passwords (c)
> war drive a zone of about 20 square km to find "my" network. (d) sit outside my
> door (there is no obvious line of sight location that would give them distance)
> (e) profit?

Given that an awful lot of our (developed nations in total) high tech waste tends
to end up in third world countries being torn apart for scrap, lots and lots and
*lots* of drives and other memory storage is available for the taking (or, at least,
very minimal cost). This is a potentially huge source of data breach material.

And, it's not that hard to profit. Oh, sure, nobody is likely to go after your
specific lightbulb to break into your specific wifi network. But they can harvest
tons of credentials and sell them. And there are many mapping sources that can
track down SSIDs without you having to war-drive all over town. (I can turn off
GPS and *still* have my location determined to within tens of metres, just by the
wifi networks around me.)

> Given a dedicated IoT SSID when push comes to shove, I guess I'll
> be fine.

I wouldn't bet on it. At least, I wouldn't bet *much* ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
We die only once, and for such a long time. - Moliere
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Don't throw away your smart lightbulbs ...

wimremes — Thu, 07 Feb 2019 10:24:57 GMT

Risk is in the eye of the beholder 🙂

https://xkcd.com/538/

Re: Don't throw away your smart lightbulbs ...

Shannon — Fri, 08 Feb 2019 09:46:47 GMT

@wimremes wrote:
Risk is in the eye of the beholder 🙂

That's true; unfortunately many are blind to the risks or tend to overlook them. Most of us in IT Security are well aware of risks, and take measures to mitigate them --- but not everyone does.

In your case the probability & impact of someone exploiting the info from IoT devices is low, so the residual risk of using such devices is acceptable. I suppose there'd be little / no profit for someone ravaging through a dumpster to find an IoT light-bulb you've used...

But picture someone whose general IT Security is very lax, like in the situation below:

Single WiFi network with 1 SSID & a simple password that's rarely --- if ever --- changed.
End-points not being kept updated or secured with an EPS or firewall.
Simple account passwords, with little or no use of multi-factor authentication.
Identical / similar passwords used to secure multiple accounts,
Information --- including passwords --- stored locally and in plain text.
Use of info published on social networking sites as answers to security questions.
Preference to pay up in the event of ransomware attacks with no preventive actions after.

And the list goes on. The scenario I've painted might seem incredulous, but I've seen many like it...

If this someone is sitting on a gold mine, uses IOT devices & fails to dispose of them properly, the potential gains of retrieving the devices & extracting info from them may be well worth it to someone with motivations.