Author Topic: Internet of Things thread (IoT)  (Read 12976 times)

Renegade

Internet of Things thread (IoT)
« on: February 03, 2015, 05:19 AM »
I suppose that it's about time to start this thread. We can all see it coming anyways.

http://www.huffingto...adget_b_6567044.html

The Useless Home Gadgets That Tell Us Not to Think For Ourselves

X-ray specs, Sea Monkeys, Crypto-rings, Whoopee Cushions, Black Eye Telescopes. I loved the comic ads that were used to entice children to part with their pocket money back in the day. They were fun, they were gimmicks, and most importantly, they were cheap and throw away. These days we have the equivalent in a much more adult form in the shape of consumer goods that are billed as wearables or the Internet of Things (or 'Everything' as some people like to say to evoke epic visions of the world seamlessly interconnected).

Well, it seems like the Internet of Things is really gaining momentum thanks to the simple things for the home like Nest Thermostats and Smoke Detectors and the suchlike. It's not just going to be a fad, it will be HUGE. Intel estimates over 200 billion connected devices by 2020 and this will usher in some real uses that aid us in healthcare, business, retail security and transportation.

That's all worth waiting for but right now we have many manufacturers creating gimmicky, nonsensical and seemingly useless gadgets, that are connected to our smartphones and tablets, and portrayed as helping our lives.

More at the link.

It's mostly a rant about crappy gadgets, but the author seems to miss what IoT is about, or perhaps he's just romanticising it as some sort of techno-wonder to solve all our problems. I think he'll be surprised when it happens (and not pleasantly so), and realises what it really is.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Stoic Joker

Re: Internet of Things thread (IoT)
« Reply #1 on: February 03, 2015, 06:50 AM »
Perhaps, but the hard sell isn't always necessary. So just because the IoT is staged to groom the human race for painlessly transparent subjugation by making them weak minded and dependent on technology doesn't mean it's a bad idea to occasionally try soft selling a baseline of the stuff being totally pointless crap.

Since back in the beginning of time when the first important message was handed off to a second party for delivery, security has been based on a modicum of trust. Back then you would look a man in the eyes, and decide if he was lying to you...but did you really know?? And now - thousands of years later - we're all looking at a screen, hoping against all hope...that it isn't lying to us.

40hz

Re: Internet of Things thread (IoT)
« Reply #2 on: February 03, 2015, 08:56 AM »
Dunno. There are specific situations where an IoT would be a godsend. Unfortunately, I don't think it will stop there.

In my head I keep hearing the words to the Alan Parsons song To One in Paradise where they go:

I believed in my dreams...
Nothing could change my mind.
Till I found what they mean.
Nothing can save me now.


ewemoa

Re: Internet of Things thread (IoT)
« Reply #3 on: February 04, 2015, 07:37 AM »
All your dirts are belong to us.

40hz

Re: Internet of Things thread (IoT)
« Reply #4 on: February 04, 2015, 09:29 AM »
"This will end badly." - Jorilynn ap Maredudd

wraith808

Re: Internet of Things thread (IoT)
« Reply #5 on: August 27, 2015, 10:29 AM »
Renegade is a Prophet and I think you ought to listen to what he has to say to you!

Samsung smart fridge leaves Gmail logins open to attack
Failures in exploit discovery process are cold comfort for IoT fridge owners

http://www.theregist...ridge_security_fubar

Samsung has contacted us to say that they were looking into the matter: "At Samsung, we understand that our success depends on consumers’ trust in us, and the products and services that we provide. We are investigating into this matter as quickly as possible. Protecting our consumers’ privacy is our top priority, and we work hard every day to safeguard our valued Samsung users.”

A bit late for that mea culpa...

IoT security is RUBBISH says IoT vendor collective

Renegade

Re: Internet of Things thread (IoT)
« Reply #6 on: August 31, 2015, 11:35 PM »
Renegade is a Prophet and I think you ought to listen to what he has to say to you!

That's some pretty high praise! I'll graciously accept! Thank you!  :-*

But this is just the tip of the iceberg. It will get worse.

Somewhat off topic
I'm privileged to have some inside information from time to time, and I get to see some of what is coming to the market before most people. So, I'm not really a prophet, but I do pay some attention to what I do every day. ;)

As I work under NDAs, I have to be careful sometimes when I speak. I have to act in the best interests of my clients when I'm paid to do so. Just today I advised a client on an issue in their best interests against my own preferences/ideals (I'm such a whore sometimes :P ).


The IoT specifications do not include any security at all. None. Zero. Nadda. Zip. Zilch.

Security in IoT is classified as "out of scope".

But the abuse there is just the beginning. It will get much worse.

In the future, quite literally - and I do mean LITERALLY - someone or some computer will know whether you took a pee or a poo.

  • They'll know when you went to sleep.
  • When you woke up.
  • When and how long you showered for, or if you took a bath.
  • When you left the house.
  • When you got home.


And those are just the absolute most basic things. Much more advanced information will be available.

Start thinking about smart fridges and smart garbage pails, and things will get very, very dark very quickly. And that will come. It has already been nebulously outlined. It is coming.

Every now and then people ask me about what I do, and sometimes those conversations go beyond the typical 2 seconds. I invariably tell people to "RUN" when they hear "smart" or "IoT".

At the industrial level, IoT can do wonders (though there are nightmares there). At the consumer level, I see the nightmares far outweighing the benefits.

Just ask yourself if it is worth sending people to prison for taking a shower for too long. That is where it will go. People are too much busybodies for it not to go there. People love to tell other people how to live their lives.

It ain't gonna end well.

Or people can just call me paranoid.





xtabber

Re: Internet of Things thread (IoT)
« Reply #7 on: September 01, 2015, 01:10 PM »
For the paranoid who worry where the masters of the IOT universe plan to lead us, ars technica's review of Google OnHub should provide plenty of fodder.

Google’s smart home Trojan horse is a $200 leap of faith
Today it's a $200 Wi-Fi router. Tomorrow? We have no idea. (Ok, maybe some idea.)


And remember, after (or maybe before) they take over your home, they plan to take over your car.

Renegade

Re: Internet of Things thread (IoT)
« Reply #8 on: October 24, 2015, 12:09 AM »
Pen Test Partners have a nice little bit about a kettle...

https://www.pentestp...security-issues-meh/

NEW WI-FI KETTLE, SAME OLD SECURITY ISSUES? MEH.

We saw that Smarter's iKettle 2.0 and Smarter Coffee machine were reviewed on ITV’s This Morning yesterday.

If you’re not familiar with the iKettle it’s a device that solves one problem (physically having to get up and switch your kettle on!) and creates a whole bunch more.

We haven’t been shy about our security research findings, you can find them covered here, here, here, and here.

The fundamental issue is that if you have this kettle it’s possible for someone to get your wireless network key, and help themselves to whatever is on your network, or use your Wi-Fi for whatever purpose they choose.

Anyway, that’s all in the past because the new iKettle 2.0 model fixes all that. …erm, except it doesn’t.

More at the link.

IoT is going to burn a lot of people. ;)

Shades

Re: Internet of Things thread (IoT)
« Reply #9 on: October 24, 2015, 08:20 AM »
Start using an old PC as a router (make sure it has 2 good NICs) for your home. Router software such as Untangle and pfSense are perfectly able to block whatever communication takes place between IoT devices and the outside world. You know, in case you don't care about IoT, but aren't able to buy whatever device you need without IoT.

Heck, learn to use this class of software and see how much control you get over the bandwidth of your internet connection. Untangle is powerful and comes with a rather nice and easier to understand interface, while pfSense is pure awesome in getting extremely fine grained control, but it is not as easy (without a firm grasp of networking concepts and terminology). Untangle's basic package is free, for the extras you will need to pay and there are options to buy support if you need it. Stock pfSense is much more feature complete and free to use, can be extended with free and paid for additions and there are options to buy support if you need it.

In case you are concerned about the costs of running such a device, Untangle does require a more powerful old PC to make it work, while pfSense has (much) lower hardware requirements and it is also a lot smaller download if you are into such things. Both are completely manageable by a web browser, so whether you go for Untangle or pfSense on an old PC, this PC won't need a monitor, keyboard or mouse. Whichever solution you choose, neither will add much to your electricity bill. Web interfaces make this a moot point, but Untangle is Linux-based, while pfSense uses BSD as operating system.

5 years ago I started using Untangle (v9.x) as a router on a 5 year old PC. Last week this computer broke down and there was no way to get it up and running again. So I took a look at the latest offering of Untangle (v11.x) and thought to take a look at alternatives. Now I use the pfSense router software on an old clunker I created from spare parts that I had lying around. My impressions so far are very, very good.

The insights about bandwidth usage you get from using pfSense together with the Ntop extension are nothing short of amazing. Extensive and clearly represented in different visual ways. Very helpful. Prioritizing types of network traffic, strictly or fluidly assigning only a percentage of bandwidth to applications and/or computer(s) at any given time of the day, package inspection, spam pre-filtering, parental controls...it's all there and won't cost you a dime in pfSense. Besides spending time figuring this out, that is.

So, for people that think the negatives of IoT outweigh the positives and are willing to do some work, they can get a sense of control back by getting, "grokking" and applying router software.

wraith808

Re: Internet of Things thread (IoT)
« Reply #10 on: October 24, 2015, 01:04 PM »
So, for people that think the negatives of IoT outweigh the positives and are willing to do some work, they can get a sense of control back by getting, "grokking" and applying router software.

Why are air gaps considered one of the hardest security mechanisms to get around?

To have the hubris to think that understanding nullifies the risks- well, I'm not going to think that my understanding covers all that I don't know- or all of the ways to hack such an interconnected world.  I've seen people do some pretty scary things to secured systems.

Stoic Joker

Re: Internet of Things thread (IoT)
« Reply #11 on: October 24, 2015, 02:04 PM »
So, for people that think the negatives of IoT outweigh the positives and are willing to do some work, they can get a sense of control back by getting, "grokking" and applying router software.

Why are air gaps considered one of the hardest security mechanisms to get around?


How did we get from locking IoT in a (Pandora's) box to the trials and tribulations of Air Gapping?? I've been thinking for a while now about angling towards Shades' plan of using a completely controllable firewall/border on/to/between the internal and internet networks to try and mitigate WTF is going on with Windows these days.. So how does air gapping - with its range restricted attack surface - play into this?

wraith808

Re: Internet of Things thread (IoT)
« Reply #12 on: October 24, 2015, 02:14 PM »
So, for people that think the negatives of IoT outweigh the positives and are willing to do some work, they can get a sense of control back by getting, "grokking" and applying router software.

Why are air gaps considered one of the hardest security mechanisms to get around?


How did we get from locking IoT in a (Pandora's) box to the trials and tribulations of Air Gapping?? I've been thinking for a while now about angling towards Shades' plan of using a completely controllable firewall/border on/to/between the internal and internet networks to try and mitigate WTF is going on with Windows these days.. So how does air gapping - with its range restricted attack surface - play into this?


In... just don't.  I like the idea of IoT.  But the most secure way of engaging in IoT is... don't.  Which is for all intents and purposes, an air gap.  Between your refrigerator and the internet.  Between everything that could be exploited and the internet.  To be sure, I have some interconnections.  Hell, I just got my Onion Omega (the power switch broke off which is the reason I haven't posted anything yet).

But I'd never connect my power, refrigerator, laundry, or any appliance to the internet.  Because it's more of a risk than I want to take.  The air gap between them is not a security measure I want to do without.

And that's where the second paragraph above comes into play, which was not quoted, i.e.

To have the hubris to think that understanding nullifies the risks- well, I'm not going to think that my understanding covers all that I don't know- or all of the ways to hack such an interconnected world.  I've seen people do some pretty scary things to secured systems.

Stoic Joker

Re: Internet of Things thread (IoT)
« Reply #13 on: October 24, 2015, 03:15 PM »
In... just don't.  I like the idea of IoT.  But the most secure way of engaging in IoT is... don't.


Ah! ...I'm like totally okay with that angle.. ;)

Deozaan

Re: Internet of Things thread (IoT)
« Reply #14 on: October 24, 2015, 06:50 PM »
Start using an old PC as a router (make sure it has 2 good NICs) for your home. Router software such as Untangle and pfSense are perfectly able to block whatever communication takes place between IoT devices and the outside world. You know, in case you don't care about IoT, but aren't able to buy whatever device you need without IoT.

Could Untangle run on something like a Raspberry Pi (or the more powerful Odroids)? That would be very low cost in both terms of the hardware and the electricity to run them.

But I'd never connect my power, refrigerator, laundry, or any appliance to the internet.  Because it's more of a risk than I want to take.  The air gap between them is not a security measure I want to do without.

Would you connect those devices to, say, your phone? If so, wouldn't having your refrigerator/coffee pot/whatever connected to your phone (e.g., via Bluetooth) and having your phone connected to the internet, be essentially the same thing as having your refrigerator connected to the internet?

wraith808

Re: Internet of Things thread (IoT)
« Reply #15 on: October 24, 2015, 07:45 PM »
Would you connect those devices to, say, your phone?

No.  So I guess that answering the rest is rendered moot?

When I say I wouldn't connect those things... I really mean it.  And though I don't understand everything in regards to the security, I do know enough to prevent corruption of the non-connected method via other connections.  I don't care what advantages I'd get from doing it, unless I could be sure that it was totally inviolate, I wouldn't.  Which you can't be sure of.  So I don't.

Renegade

Re: Internet of Things thread (IoT)
« Reply #16 on: October 25, 2015, 04:54 AM »
Would you connect those devices to, say, your phone?

No.  So I guess that answering the rest is rendered moot?

When I say I wouldn't connect those things... I really mean it.  And though I don't understand everything in regards to the security, I do know enough to prevent corruption of the non-connected method via other connections.  I don't care what advantages I'd get from doing it, unless I could be sure that it was totally inviolate, I wouldn't.  Which you can't be sure of.  So I don't.


I'm on board there about not connecting things, but I'm also not sure how long that option will exist if you want to have a fridge or washing machine.

Just look at cars now. They're all jammed full of computers. If you want a car that can't be hacked, you're going to have to get an older one, and probably one prior to 1996 (or round abouts).

I think all of this will be rammed down our throats just like cars have.

What will happen is some tool will start screaming about how fridges and washing machines need to be more environmentally friendly and CO2 blah blah blah. The manufacturers will have legislation rammed down their throats and will have to build in computers that monitor electricity usage, etc. etc.

Then some douchewad will propose legislation to track electricity usage for household appliances, etc. etc. All appliances will need to report to Big Brother about their electricity consumption. Those that don't have reports will have the Green Police show up at their house telling them that their old appliances are no longer legal and that they have to get new ones that spy on them.

While that may sound a bit over the top, it's probably not that far from what we'll actually see in reality.


"Choice" is the enemy of the control freak, and that's what we're seeing now. Those choices will be removed one way or another.



Shades

Re: Internet of Things thread (IoT)
« Reply #17 on: October 25, 2015, 08:24 AM »
Start using an old PC as a router (make sure it has 2 good NICs) for your home. Router software such as Untangle and pfSense are perfectly able to block whatever communication takes place between IoT devices and the outside world. You know, in case you don't care about IoT, but aren't able to buy whatever device you need without IoT.

Could Untangle run on something like a Raspberry Pi (or the more powerful Odroids)? That would be very low cost in both terms of the hardware and the electricity to run them.

You need at least 2 NICs for any piece of router software. One NIC is for the internet signal (WAN), the other NIC is for your network (LAN).

The computational strengths of a Raspberry Pi 2 should indeed be sufficient, but according to this forum post and this link I wouldn't get my hopes up.

Besides, to my knowledge any version of the RPi comes with 1 NIC only. Adding another NIC to its USB ports is not advised, because that type of NIC usually depends a lot on the Windows operating system to function properly. However, if you know of a similar device that has already proven itself to run FreeBSD, you will have a much higher chance of success.

Shades

Re: Internet of Things thread (IoT)
« Reply #18 on: October 25, 2015, 08:28 AM »
In... just don't.  I like the idea of IoT.  But the most secure way of engaging in IoT is... don't.

On this we completely agree.

Maybe I am too grim here, but are you sure this is still an option 10 years from now? Because through planned obsolescence you are likely to have such devices in your house sooner than later. Heck, if you have millennials running around that time may come even sooner than you expect.

And with the understanding and insights you gain by deploying tools such as pfSense, you will have a better chance at stopping the flow of information either completely or to just a trickle. For most cases there is the thing: information that is easy to come by, will be easily processed (by everyone). Information that is hard to come by, will hardly be processed (by anyone). When others need to spend a lot of money on hardware and know-how to get only a minimal amount of data, it is not worth the effort in most cases.

And if you are really paranoid, finding ways to introduce false information to the mix could be helpful to make the data that one does manage to capture unreliable.

Install pfSense into a virtual machine and take a look for yourself to see all the options it provides to manage the flow of information coming and going to your network. I'll bet you will be positively surprised by the level of control you can have.

With all of the above, I have no doubt that anyone with enough desire to get the information they want, will get it by whichever means necessary. My first comment was intended to show that if you care enough about the negative implications of IoT you can make it a (hell of a) lot harder for interested parties to do so.

And if you are big into pro-IoT, that is fine too. In that case it can still be a good idea to get a pfSense router in your network, but then you can set it up to make your IoT devices and/or protocols and/or applications and/or IoT-related apps have priority over all traffic generated on your network. With pfSense you can already do Software Defined Networking (a new protocol to apply your available network bandwidth (LAN and WAN) where it is needed most at any given moment automatically).

Personally, when the time comes I have to buy an IoT device I would not go so far as to put up Faraday cages and what not. But do expect me to shape the traffic that flows in and out my network as I see fit. The thing is that, when asked (friendly) about a subject, I am friendly enough to provide you with an honest answer about that subject. It is the unlimited snooping around by "anyone and their grandmother" that I seriously dislike and because of this I will use tools to prevent this as much as my ability allows me to do.

Stoic Joker

Re: Internet of Things thread (IoT)
« Reply #19 on: October 25, 2015, 09:23 AM »
Information that is hard to come by, will hardly be processed (by anyone). When others need to spend a lot of money on hardware and know-how to get only a minimal amount of data, it is not worth the effort in most cases.

I'm not so sure about that, as it's usually the fringe that's the most dangerous. All information is useful, so the harder a specific piece of information is to get...the higher its value will be to the right vertical market. So as this nightmare gets closer to critical mass there will be a veritable stampede of dot com bubble level hopefuls clamoring for the hottest vertical market for whatever bits of information they've managed to pry out of people.

All you need is an angle, a database, and a must have widget that can/will/does keep the listings fresh enough for market..

ewemoa

Re: Internet of Things thread (IoT)
« Reply #20 on: October 25, 2015, 04:41 PM »
You need at least 2 NICs for any piece of router software. One NIC is for the internet signal (WAN), the other NIC is for your network (LAN).

On a side note, have been looking for boards with this sort of thing for a bit now :)

One thing that came up was:

  https://www.indiegog...nd-wifi-becomes-easy

More expensive, but quite nice (note: AMD CPU):

  http://www.pcengines.ch/apu.htm

FWIW, have found a few things at the following too:

  http://linuxgizmos.com/