Tuesday, February 9, 2021

Ees Internet. Ees not safe

ASM826 pointed out that a town's water purification system was connected to the Internet, to make it easier to manage.  Hilarity ensued.

It is very easy to do that in this day and age, and so we can expect that for most things remote access will not be set up by IT professionals but rather by people who spell "security" with a k.  People seem to think that it's a big Internet, and what are the chances that someone will find their little device on it?  Well, the chances are pretty damn good:

Use Shodan to discover which of your devices are connected to the Internet, where they are located and who is using them.

Websites are just one part of the Internet. There are power plants, Smart TVs, refrigerators and much more that can be found with Shodan!

I've posted before about Shodan.  If something is connected to the 'net, Shodan finds it and you can browse their database. This is child's play - you can sign up for a free Shodan account and see for yourself.  The problem is that most people can't set things up to protect themselves.  As I wrote:

So what do you do?  One thing is simply not to get any of this sort of thing.  No Internet-connected webcams, security systems, light bulbs, refrigerators, TVs, etc.  Some of these products are frivolous, like Philips' Internet controllable light bulbs that change color via command from your iPhone app.

But others are not.  The Queen Of The World likes her Netflix and Amazon Fire TV, and we have a new TV that will give her that.  What's the risk?  I guess I need to figure that out.  What I'm thinking is to block outbound traffic at the Internet router.  Probably to do this I will need to build a box to put in front of that, with appropriate tools and logging.

That takes a pretty high skill set, and a lot of time.

It's a pain in the butt but I could set up a home firewall and put all the stupid Internet Of Things nonsense (like Netflix TVs and the like) on a separate WiFi that is essentially a DMZ.  At least that will keep Bad Guys from getting into the rest of the house network.  And I can have the firewall block any device I haven't explicitly enabled.

But what a pain in the tail end.  And not a lot of folks have a skill set like this.  While I am not a lawyer, it sure seems like IoT security is creating an "attractive nuisance".
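
One way to express the setup described above (IoT devices on their own WiFi segment, no path into the house network, only explicitly enabled devices allowed out, and logging of everything blocked) as an nftables ruleset for a Linux box acting as the home firewall. This is an added example, not the author's configuration; the interface names, the 192.168.50.x addresses and the table, chain and set names are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Interface names and addresses below are assumptions.
flush ruleset

define WAN = "eth0"     # uplink towards the ISP router (assumed name)
define LAN = "eth1"     # trusted house network (assumed name)
define IOT = "wlan1"    # separate IoT WiFi acting as the DMZ (assumed name)

table inet homefw {
    # IoT devices that have been explicitly enabled (constructed addresses).
    set iot_allowed {
        type ipv4_addr
        elements = { 192.168.50.10, 192.168.50.11 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $LAN accept
        # The IoT segment may only use DNS and DHCP on the firewall itself.
        iifname $IOT udp dport { 53, 67 } accept
        iifname $IOT tcp dport 53 accept
        iifname $IOT log prefix "iot-to-fw-drop: " drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # The trusted LAN may reach the Internet and the IoT segment.
        iifname $LAN oifname { $WAN, $IOT } accept
        # IoT devices may never open connections into the house network.
        iifname $IOT oifname $LAN log prefix "iot-to-lan-drop: " drop
        # Only explicitly enabled devices get out to the Internet.
        iifname $IOT oifname $WAN ip saddr @iot_allowed accept
        # Everything else from the IoT segment (IPv6 included) is logged and dropped.
        iifname $IOT log prefix "iot-unlisted-drop: " drop
    }
}

table ip homenat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

The log prefixes land in the kernel log, which gives a record of what each blocked device was trying to reach before deciding whether to add it to `iot_allowed`.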

7 comments:

Fredrick said...

"Attractive nuisance" would make the possessor of the device liable, not the manufacturer. Though surely in these cases that is where the nuisance begins.

WL Emery said...

Right.

Some years back I was working in an office in Madison, WI. We had a decent connection to the Internet. An office worker discovered a live cam that showed a bunch of puppies. How cute! The puppies each had a name, and they'd do things that puppies do. The owner of the puppies set up the cam so he could keep an eye on things from work.

It seems that there's this thing called bandwidth, and it's important. So when certain executives started complaining that their system was slow, the SysAdmin inevitably discovered the puppy cam, and subsequently discovered that the employees believed that if they weren't actually watching the cam (minimized the window) they weren't using the Internet. So...

The cam got blocked.

Old NFO said...

Yes, there are so many holes... Smart meters for example... Robbers have accessed those to find out when a house is unoccupied so they can rob it at leisure... One of many holes.

Ratus said...

I got one word for you.

Pi-hole.

Randall said...

Ratus got there before me. I use a Pi-hole and I think it's great. Its primary purpose is to block internet ads, but it's a great tool for finding what device is automatically contacting what internet site. It made it much easier to limit what mother-ships my smart-tv was reporting back to.

Ed Bonderenka said...

Gee, it's a good thing our voting machines aren't connected to the internet.

Kurt said...

Smart TVs - figure out how to disable the microphone. It listens to all sounds coming its way, and transmits to the mothership.

That's one of the main reasons why they're so much cheaper than a comparable monitor - they monetize your environment.