Why are IoT devices so easily hacked???

I must admit the thought of an internet-connected door lock that requires registration with the manufacturer sends a chill down my spine, as so far the manufacturers of IoT stuff have not got a good record for their security.


Not to mention the even more likely: they do a remote upgrade of your lock firmware and brick it, so you can't get into or out of your own house.
 
I do not understand as to why you would ever want a 'smart' front door lock. They are not more secure, they are vulnerable to other types of attack. They are no easier than having a key or any cheaper. They are no better VS. a crowbar or a big red key so if someone wants to get in, they will or just go through a window or patio door. Need more keys? Go down Timpson and they will sort you out in a few mins.

Same thing goes for kettle, microwave, fridge or oven. They just don't do anything remotely useful yet.

Nest/Hive on the other hand are pretty decent. Anything running on the network has the ability to be hacked.

I wonder how many people will update their routers or even have updates available even though it is widely publicised that WiFi/WPA2 implementations are vulnerable.
 
I do not understand as to why you would ever want a 'smart' front door lock.

I don't have one, but quite like the idea of being able to generate single use temporary access codes for tradesmen and the like, rather than entrusting them with a physical (easily duplicated) key.
 
I don't have one, but quite like the idea of being able to generate single use temporary access codes for tradesmen and the like, rather than entrusting them with a physical (easily duplicated) key.

That is the one use case that is a positive, but being realistic I wouldn't leave a tradesman in my house unattended. Just isn't worth the risk to me.
 
What's the incentive for fly-by-night Chinese vendors to ensure their Wi-Fi light bulb is secure, when a large proportion of the market for the product makes the decision solely on price?

Turn UPnP off, put the things on an isolated network, make sure you can do outbound firewalling.
 
So there are secure IoT devices, but they are rare (biomedical tends to be okayish), and as stated it's normally down to the cost of implementing good security that causes the problems. The other problem is that customers don't like good security measures, if you needed 2FA each time you switched on a lightbulb you'd probably not buy the thing in the first place. Ease of use currently trumps security on IoT which is disappointing.

Attacks are tricky though even with poorly secured devices, because normally they are sat behind NAT'd routers (like your home hubs etc). Let's say you have some light bulbs and they sit on your network and you can change the colour by sending an HTTP request on some odd port without any auth; if your router doesn't port forward that port the chances of attack are tiny.

If you ever want to do a quick check, port scan your public IP from a device (e.g. your mobile) not on your LAN.
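
An added example, not part of any post in this thread: a small audit of a router's port-forward/UPnP mapping table against a device inventory, flagging IoT devices that are reachable from the WAN side. The sample listing, its line format, the inventory and all names are constructed assumptions.

```python
import re

# Constructed sample, laid out like a UPnP port-mapping listing:
# index, protocol, external port -> internal address:port, description.
SAMPLE_MAPPINGS = """\
 0 TCP  8080->192.168.1.50:80    'IPCAM web' '' 0
 1 UDP 51413->192.168.1.10:51413 'BitTorrent' '' 0
 2 TCP  5555->192.168.1.61:5555  'bulb-ctl' '' 0
 3 TCP 32400->192.168.1.99:32400 'media' '' 0
"""

# Hypothetical inventory: LAN address -> (name, is this an IoT device?)
INVENTORY = {
    "192.168.1.10": ("desktop", False),
    "192.168.1.50": ("ip-camera", True),
    "192.168.1.61": ("wifi-bulb", True),
}

LINE = re.compile(r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->([\d.]+):(\d+)\s+'([^']*)'")


def parse_mappings(text):
    """Turn each mapping line into a dict; lines that do not match are skipped."""
    mappings = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, ext_port, host, int_port, desc = m.groups()
            mappings.append({"proto": proto, "ext_port": int(ext_port),
                             "host": host, "int_port": int(int_port),
                             "desc": desc})
    return mappings


def audit(mappings, inventory):
    """Return sorted (severity, device, proto, external_port) findings.

    HIGH   = a known IoT device is forwarded to the internet.
    REVIEW = the forward points at a host missing from the inventory.
    Forwards to known non-IoT hosts are not reported.
    """
    findings = []
    for m in mappings:
        name, is_iot = inventory.get(m["host"], ("unknown", None))
        if is_iot:
            findings.append(("HIGH", name, m["proto"], m["ext_port"]))
        elif is_iot is None:
            findings.append(("REVIEW", name, m["proto"], m["ext_port"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_mappings(SAMPLE_MAPPINGS), INVENTORY):
        print(*finding)
```

An empty result on a real mapping table, with UPnP switched off, is the state the posts above are aiming for.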
 
https://thehackernews.com/2017/10/iot-botnet-malware-attack.html anyway, this is prob. overestimating (I hope), like a camera takes pics, it shouldn't be able to do a DoS attack...

Sooner or later stuff like crypto malware will come packaged with malware that attempts to hijack these devices to hide away copies so that it can reinfect a network once people think they've cleaned up the PCs, etc. on it. I've seen some preliminary attempts at it but it doesn't seem to be (unless it's successfully hidden heh) very common at the moment other than some stuff that tries to hijack NAS boxes and the odd router firmware.
 
Are Raspberry Pis safe?
Probably a lot safer than most IoT things as you have to set them up for connection to the internet and generally turn on any apps/services in a similar way to your PC, just keep its OS up to date like your PC (they are after all basically mini computers with a proper OS).
 
It was released a couple of months ago that several of the Foscam IP cameras that were manufactured in China had hidden and hard-coded dev login credentials that needed a firmware update to fix; the advice was to remove them from the internet until such a FW update was released (we are still waiting). I think as far as cameras are concerned all you can really do is only access them from the LAN and if you need remote access then start looking at VPN-capable routers.

http://images.news.f-secure.com/Web...lnerabilities-in-foscam-IP-cameras_report.pdf
 
I do not understand as to why you would ever want a 'smart' front door lock. They are not more secure, they are vulnerable to other types of attack. They are no easier than having a key or any cheaper. They are no better VS. a crowbar or a big red key so if someone wants to get in, they will or just go through a window or patio door. Need more keys? Go down Timpson and they will sort you out in a few mins.

Same thing goes for kettle, microwave, fridge or oven. They just don't do anything remotely useful yet.

Nest/Hive on the other hand are pretty decent. Anything running on the network has the ability to be hacked.

I wonder how many people will update their routers or even have updates available even though it is widely publicised that WiFi/WPA2 implementations are vulnerable.

Keys are horrible things, and smart locks have a number of features that make them easier. Have cleaners/dog walkers etc? You can give them access at certain times without handing over a key, and you can see when they come and go. It would also be useful if parcel delivery companies signed up to it; if they phoned you, you could unlock the door so they can drop the parcel in.
Personally, I can't wait to be both keyless and walletless and just have phone and smartwatch. Other than car key, I can see that day coming in the next couple of years for myself if not sooner.

On top of that, you have argued very well why they are not an issue with security. Locks etc are to stop opportunistic thieves, which smart locks do just as well.
For a determined thief they will get in one way or another, and there's a lot more people able to lock pick than hack. Do you have any idea how easy it is to lock pick? An old flatmate had a training lock, and after just a couple of hours we could get into our shed in under a minute, and into the house in a few minutes. Imagine how easy it is with more than a few hours of training and some more equipment.

However, that's not to say I wouldn't like them to be even more secure and updated regularly with security.
 
Companies are more concerned with putting out something that works as soon as possible, not something that works "well" or "properly".
Almost willing to bet money somebody will have raised security concerns at some point during development that will have been summarily dismissed.
 
Companies are more concerned with putting out something that works as soon as possible, not something that works "well" or "properly".
Almost willing to bet money somebody will have raised security concerns at some point during development that will have been summarily dismissed.

Quick, Cheap, Secure. Pick any two. If you're lucky.
 