Monday, January 25, 2016

"Nannycam" security so bad, there's a search engine for bedroom video monitors

I keep talking about how when it comes to the new "Internet Of Things", security wasn't an afterthought.  It wasn't thought of at all. Internet of Things security is so bad, there’s a search engine for sleeping kids:
Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams.
The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores, according to Dan Tentler, a security researcher who has spent several years investigating webcam security.
We've seen Shodan here before.  It's the All Seeing Eye to identify which devices are connected to the 'net.  As you see here, there are a whole lot of devices that should not be connected to the 'net, at least without better security.  And for an easily understandable reason:
Tentler told Ars that webcam manufacturers are in a race to bottom. Consumers do not perceive value in security and privacy. As a rule, many have not shown a willingness to pay for such things. As a result, webcam manufacturers slash costs to maximize their profit, often on narrow margins. Many webcams now sell for as little as £15 or $20.
"The consumers are saying 'we're not supposed to know anything about this stuff [cybersecurity],'" he said. "The vendors don't want to lift a finger to help users because it costs them money."
So what do you do?  One thing is simply not to get any of this sort of thing.  No Internet-connected webcams, security systems, light bulbs, refrigerators, TVs, etc.  Some of these products are frivolous, like Philips' Internet controllable light bulbs that change color via command from your iPhone app.

But others are not.  The Queen Of The World likes her Netflix and Amazon Fire TV, and we have a new TV that will give her that.  What's the risk?  I guess I need to figure that out.  What I'm thinking is to block outbound traffic at the Internet router.  Probably to do this I will need to build a box to put in front of that, with appropriate tools and logging.

That takes a pretty high skill set, and a lot of time.  That's not something that, say, Mom could do.  I'm thinking more and more that I should have gone to Law school.  This might make a good class action suit.
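One way the outbound block with logging could look on a Linux box placed in front of the router, as an added example that is not the author's own configuration. It uses nftables; the interface names (lan0, wan0) and the device addresses are assumptions, and DNS is assumed to be answered by the box itself, so it never crosses the forward path.

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny egress for smart-TV / IoT devices.
# Assumptions: lan0 = home network, wan0 = uplink, LAN is IPv4-only.

table inet iot_egress {
    # Constructed sample addresses for the TV and the streaming stick.
    set iot_hosts {
        type ipv4_addr
        elements = { 192.168.50.20, 192.168.50.21 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Replies to connections that were already allowed out.
        ct state established,related accept

        # Nothing on the Internet may open a connection to these devices,
        # even if a port forward (manual or UPnP) exists for them.
        iifname "wan0" ip daddr @iot_hosts ct state new log prefix "IOT-INBOUND-DROP " drop

        # Everything these devices send towards the Internet goes
        # through the allowlist chain below.
        iifname "lan0" oifname "wan0" ip saddr @iot_hosts jump iot_out
    }

    chain iot_out {
        # Streaming services: HTTPS over TCP and over QUIC.
        tcp dport 443 accept
        udp dport 443 accept
        # Clock sync, needed for certificate validation.
        udp dport 123 accept

        # Anything else (hard-coded DNS servers, vendor telemetry on odd
        # ports, plain HTTP) is logged with a searchable prefix, then dropped.
        limit rate 10/minute log prefix "IOT-EGRESS-DROP "
        counter drop
    }
}
```

The "IOT-EGRESS-DROP" entries in the kernel log show what each device tried to reach, which is the information needed to decide whether a rule should be added or the traffic should stay blocked.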

6 comments:

Guffaw in AZ said...

I'm beginning to think anything with a camera or microphone needs to be carefully dealt with, lest BIGGOV or CORPAmerica, or one's neighbors link in!
Heard stories years ago about folks' private moments in the boudoir being overheard on baby monitors - now it's much worse.
Perhaps these folks who go Luddite have the right idea?

gfa

Anonymous said...

This might make a good class action suit.

Or, maybe, a good business opportunity, as in a simple user-controllable firmware box that goes between the router and the internet connection, something along the lines of NoScript. Make it reliable, easy to use, updates to keep it current, back it with a little bit of online support and I'll buy one for $50-$100. Nothing goes back out except from an authorized user ID.

Trust me, someone will start making one at some point. I'm guessing the money would look better in Ted's pocket than Harvey's or Sally's.

Long story, but some friends discovered - after a year living there - that the previous owner's sooper dooper ultra-custom security system - what they considered a "feature" - complete with motion sensing cameras inside and out, was uploading the video to "the cloud" in addition to storing it on the system's DVR. The DVR kept 7 days, "the cloud" kept everything. Forever. As for what constituted "everything", use your imagination for a 6-person household. Also use your imagination for "cloud security".....

Archer said...

Nosmo King beat me to it. Instead of getting a law degree and initiating a class-action suit, figure out how to build that box at an affordable price point and market the hell out of it.

See a need, fill a need. And there's a definite need here.

R.K. Brumbelow said...

Ars Technica to the rescue: http://arstechnica.com/gadgets/2016/01/numbers-dont-lie-its-time-to-build-your-own-router/ Seems to be a timely article. I do prefer BSD to Linux though for anything security-wise exposed to the net.

After all Netcraft confirms BSD is dying right? :)

R.K. Brumbelow said...

For those interested in building their own router, the fork of Sense for BSD is available at https://forum.opnsense.org/index.php?topic=2086.0 in case you want a nice firewall to run on that home built router. Again, for anything exposed to the net I simply prefer BSD to Linux.

kx59 said...

RK beat me to it.
Build a configuration for an open source firewall, like monowall and sell on a USB thumb drive.
Log the crap out of the traffic and just dial it down short of the break point.