Monday, February 29, 2016

Internet Of Things "Security" device wipes out your security

Oh, boy:
Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt.
The FI9286P, a Foscam camera that includes P2P communication by default.
This is the nightmare “Internet of Things” (IoT) scenario for any system administrator: The IP cameras that you bought to secure your physical space suddenly turn into a vast cloud network designed to share your pictures and videos far and wide. The best part? It’s all plug-and-play, no configuration necessary!
Well, well, well.  No doubt those "security" videos will be popular on the P2P network.  Social networking FTW.  Err, or something.
Turns out, this Foscam camera was one of several newer models the company makes that comes with peer-to-peer networking capabilities baked in. This fact is not exactly spelled out for the user (although some of the models listed do say “P2P” in the product name, others do not).
But the bigger issue with these P2P-based cameras is that while the user interface for the camera has a setting to disable P2P traffic (it is enabled by default), Foscam admits that disabling the P2P option doesn’t actually do anything to stop the device from seeking out other P2P hosts online (see screenshot below).
You need a patch to disable the stupid thing.  Here's the Double Plus Ungood part:
ThroughTek did not respond to requests for comment. A ThroughTek press release from October 2015 announced that the company’s P2P network — which it calls the Kalay Network — had grown to support more than seven million connected devices and 100 million “IoT connections.”
So your security cameras are chillaxin' with seven million other devices (100 million (!) "IoT connections") of some sort, all on some sort of peer-to-peer network that tunnels out through your firewall, and the only way to turn it off is to apply a firmware patch to the "plug and play" cameras you dropped good dough on.
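Since the on-camera switch can't be trusted, the only way to know whether a gadget has stopped phoning home is to watch its traffic. Here is an added example (mine, not from the original post and not from Foscam or ThroughTek) of the check I would run: a camera that keeps rendezvousing with a P2P network shows up as one LAN host talking to many distinct Internet addresses. The input format (one flow per line, "proto src dst dport", the sort of thing you get from `conntrack -L` after a little awk or from a pcap) and the sample flows are my own constructed assumptions; addresses are from the documentation ranges and the ports are arbitrary.

```shell
# Added example, not from the original post or from Foscam/ThroughTek.
# Print each RFC 1918 host that has talked to at least $1 distinct
# non-private peer addresses, followed by the peer count. A camera
# whose "disable P2P" toggle does nothing will keep fanning out.
p2p_fanout() {
    thr="${1:-5}"
    awk -v thr="$thr" '
        function private(ip) {
            return ip ~ /^10\./ || ip ~ /^192\.168\./ ||
                   ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
        }
        # Only flows that leave the private ranges count as "phoning home";
        # each (host, peer) pair is counted once however many flows it had.
        private($2) && !private($3) {
            key = $2 SUBSEP $3
            if (!(key in seen)) { seen[key] = 1; peers[$2]++ }
        }
        END { for (h in peers) if (peers[h] >= thr) print h, peers[h] }
    ' | sort
}

# Constructed sample: 192.168.1.50 plays the camera, 192.168.1.20 a laptop
# doing ordinary things (one HTTPS site, one NTP server, local DNS).
sample_flows() {
    cat <<'EOF'
udp 192.168.1.50 203.0.113.10 32100
udp 192.168.1.50 203.0.113.11 32100
udp 192.168.1.50 203.0.113.12 32100
udp 192.168.1.50 198.51.100.7 32100
udp 192.168.1.50 198.51.100.8 32100
udp 192.168.1.50 198.51.100.9 32100
udp 192.168.1.50 203.0.113.10 32100
tcp 192.168.1.20 203.0.113.99 443
udp 192.168.1.20 198.51.100.5 123
udp 192.168.1.20 192.168.1.1 53
EOF
}

sample_flows | p2p_fanout 5   # prints: 192.168.1.50 6
```

Run it against a real flow dump before and after "disabling" P2P and after the firmware patch; if the camera still lists at threshold 5 once patched, the patch didn't do what the vendor said either. The threshold is a heuristic, so expect to tune it per network.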

Other than that, it's awesome.

My advice:  Never buy a product made by Foscam, put gadgets like this on a network segment of their own, and block all outbound traffic from devices you have not explicitly authorized to go onto the 'net.
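What that advice looks like on a router, as an added example (mine, not from the original post): a script that generates, and optionally loads, an nftables ruleset giving the cameras' segment a default-deny egress policy. The interface names "iot0" (the cameras' VLAN), "lan0" (the trusted LAN) and "wan0" (the uplink), the table name and the sample addresses are my assumptions; change them to match the box. Only the IoT addresses passed on the command line may initiate connections to the Internet; everything else leaving iot0 is logged and dropped, while the trusted LAN can still reach the cameras to view them.

```shell
# Added example, not from the original post. Emit an nftables ruleset
# enforcing default-deny egress for the IoT segment; arguments are the
# IoT addresses explicitly authorised to reach the Internet.
gen_iot_ruleset() {
    allow=""
    for a in "$@"; do allow="${allow:+$allow, }$a"; done
    # A set with no elements is valid nft, so the elements line is optional.
    elements=""
    if [ -n "$allow" ]; then
        elements="        elements = { $allow }"
    fi
    cat <<EOF
table inet iot_egress {
    set authorised {
        type ipv4_addr
$elements
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "lan0" oifname "wan0" accept
        iifname "lan0" oifname "iot0" accept
        iifname "iot0" oifname "wan0" ip saddr @authorised accept
        iifname "iot0" log prefix "iot-egress-drop " drop
    }
}
EOF
}

# Load the ruleset (needs root). The add-then-delete pair makes the reload
# idempotent whether or not the table already exists.
apply_iot_ruleset() {
    {
        printf 'add table inet iot_egress\ndelete table inet iot_egress\n'
        gen_iot_ruleset "$@"
    } | nft -f -
}

gen_iot_ruleset 192.168.50.10   # print the ruleset for review
```

Two caveats a practitioner will hit: the `ip saddr` match only fires for IPv4, so an IPv6-capable gadget on iot0 falls through to the drop rule, which is what you want, and the router's own `input` chain (DHCP and DNS for the cameras) is deliberately out of scope here. The log prefix is also how you catch the next device that tries to tunnel out: tail the kernel log for "iot-egress-drop" and you have the same fan-out evidence without a packet capture.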


Old NFO said...

Oh isn't THAT lovely...

Eric Wilner said...

I developed a profound distrust for Internet Things when I worked on one a couple of years back, pondered how to handle various necessary features right, and realized that it would be all too easy to handle them wrong (maliciously or otherwise) and have a bunch of ill-behaved net-connected computers deployed inside people's firewalls.
The one I was working on (the company went bust early on) was meant to have strong privacy protections, and of course we would have informed the customers of the ways the devices were to communicate with the service... but it seems that so informing customers is not so obvious to a lot of the vendors out there.
Should I find it necessary to deploy other people's IoT gadgets on my next network, I think I'll give them a network of their own, with carefully restricted access to anything but each other.

Steve Sky said...

The Internet of Things falls into a few categories:
1) Devices that are to be used against you.
Example: The "Smart Meters", which form a 'mesh' network, and can be turned off remotely to 'save power', etc. Expect them to first be 'voluntary', and then 'mandatory'.

2) Devices that function like the extension of the supermarket loyalty card.
Example: The "Smart refrigerator" which keeps track of your diet, what's inside, and what you're ordering from the supermarket. All helpfully passed onto 3rd party marketeers. You are the product being sold.

3) Devices that monitor you for 3rd parties.
Examples: Smart TVs & Consoles. The smart device watches you, while you watch it. I've read that some refuse to work if they are unplugged from the internet (I think one example was LG TV). I've also read that the manufacturers have worked on image recognition, so they can keep track of who comes & goes during which program segments, to help tailor the audience for advertisers.

Obviously, I'm a Luddite, and have none of these devices. But I also don't believe that my personal life is any business of an uninvited 3rd party.

-- Steve