rslade
Influencer II

IoT

Possible finalist for "Dumbest Thing to Put on the Internet" ...

 


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
9 Replies
CraginS
Defender I

I hope a hacker team with a sense of humor hacks the app and keeps telling lazy-@$$ parents to go check the kids' diapers, only to find them dry.

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
K-Med
Newcomer II

Everything is an IoT device nowadays. Adult toys, diapers, clocks... you name it. Some of them make me scratch my head.

Caute_cautim
Community Champion

But the stupid thing is we simply let it happen - it is part of the supply chain and we continue to progressively and technologically grow and accept the invasion of such systems into our homes and organisations without thinking about it at all. Look at the effects of the latest Mirai Bot and IoT preparations to exploit even more systems in 2019?

 

https://securityintelligence.com/news/new-variant-of-mirai-malware-exploits-weak-iot-device-password...

 

Are we plain stupid, or do we not care at all?

 

If anyone has read https://www.schneier.com/books/click_here/   "Click here to kill everybody"

 

The silly thing is we simply just permit it to happen, and by the time we realise it, i.e. wake up to reality, they will be firmly embedded into most household items and possibly controlled by persons with malicious intent to do harm unto others.

 

HNY by the way

 

Regards

 

Caute_cautim

rslade
Influencer II

> Caute_cautim (Advocate I) posted a new reply in Industry News on 01-03-2019

> If anyone has read
> https://www.schneier.com/books/click_here/ "Click here to kill everybody"

Anything Bruce writes is worth reading ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
It is the greatest of all mistakes to do nothing because you can
only do a little. Do what you can. - Sydney Smith (1771 - 1845)
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

K-Med
Newcomer II

Convenience is much more appealing to the general population than security. We will always, as a race, give up security for convenience.

Caute_cautim
Community Champion

I agree, but this now branches into privacy, trust and security, and it is certainly about time a lot of people and organisations simply wake up and realise the implications - or certainly commence writing a whole set of new security and privacy policies to provide direction and guidance.

 

Regards

 

Caute_cautim

mgorman
Contributor II

Do we really need new anything, or do we need to ensure people apply the rules they should already be applying? That is, is there any real difference between an IoT enabled world, a mobile phone enabled world, and a PC enabled world? Other than numbers? What I have seen from IoT hacks and issues are the same things we were fighting 20 years ago. Change default passwords, turn off unused services, and authenticate connections. If every IoT device had these 3 things done, we would have a vastly safer world. There are people out there that will always push the boundaries and find ways around the simple steps, but it's statistical. If we can stop the script kiddies from being able to utilize the devices, we'll knock out 85-95% of the actors.

 

My $.02

rslade
Influencer II

> mgorman (Newcomer II) posted a new reply in Industry News on 01-04-2019 06:48 AM

> Do we really need new anything

Yes! Absolutely! We need Internet-enabled ... will "sex toys" get past the pr0n
filter? (I'm pretty sure the d-word won't ...) We need Internet-enabled hammers!
Why? Because we can!

(I recall one social commentator who said that, for any new invention we should
ask the question "What is the problem to which this technology is the solution?")

>   Change default passwords, turn off
> unused services, and authenticate connections.  If every IoT device had these 3
> things done, we would have a vastly safer world.

Of course, the problem is that lots of IoT manufacturers are making "Things"
where you *can't* do these three actions ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
You have zero privacy anyway - Get over it. - Scott McNealy, Sun
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Caute_cautim
Community Champion

I believe the issue is not that we understand what should happen in the case of IoT. It comes down to the bare fact that it is far cheaper for a manufacturer to apply firmware attributes en masse on the production line, i.e. a web interface with default settings; digital certificates, self-signed or with default settings; default passwords; default protocols, including many protocols which are specific to IoT devices and still being defined, many of which have never been through engineering specification or any standards scrutiny at all.

 

As stated previously, look how cheap an ARM chip is these days per unit - and then look at their specifications, i.e. two 1 Gigabit interfaces on board ready to go - sufficient to cause a DoS within a device or organisation etc.

 

Although the issue has been known since 2012, with NIST producing bare-bones standards, this was plainly ignored, and only now in 2018/2019 are the implications being felt, with standards being endorsed for medical devices via the USA and UK; but this has previously never been enforced - it was simply allowed to run away.

 

There are many instances, as @rslade has indicated, including the famous London council who introduced Wi-Fi enabled dustbins, which had the capability to track and locate anyone with a mobile phone, until it was found out that the council were making money via advertising by selling the collected information - a breach of privacy etc. We are producing Smart Buildings, which use IoT devices - which have operational cost savings in terms of monitoring and knowing when to call out the Service Engineer (JIT) etc.

 

What we are concerned with is the rate at which technology is being introduced, without the full implications being realised as to whether we should be applying controls at manufacturing time etc. We are running into situations whereby it seemed to be a good idea, until someone realises the implications, normally far too late or when it is too costly to apply etc.

 

With the convergence of Privacy by Design and Security by Design being thrown at us, with GDPR and other privacy issues, we simply carry on doing the same old thing again and again, without understanding the implications and the associated risks balanced against the benefits.

 

Who gains? We must apply good security design by default to each and every situation - which probably marks us as the bad guys in terms of an organisation, as they want to make clients happy, meet their every customised need, and keep them on board. However, we cannot stop or slow down progress; we have to be part of it and be the voice of sanity, ready to deal with some very interesting challenges, clearing up the mess when the full implications are realised, and by then it may be too far gone.

 

Increased legislation and the implications of privacy breaches, along with a whole host of APIs, will come to be top of mind for us in 2019. However, most organisations will be monitoring the wider economic downturn carefully, and looking for increasingly innovative means of overcoming these issues whilst keeping the shareholders happy. As the old adage goes, if it costs 500K in whatever currency to put in resilience and safe controls vs 30 million cleaning up, I know which one I would prefer.

 

But once again, the human condition: we must feel the pain before something is done about it - often too late.

 

Regards

 

Caute_cautim