Interesting Links: Jan 26, 2016

Here are links to a few interesting articles I came across recently. They are about the ongoing giant and potentially catastrophic clusterfuck called the “Internet of Things”.

Link 1: “Internet of Things” security is hilariously broken and getting worse

Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams. The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores, according to Dan Tentler, a security researcher who has spent several years investigating webcam security. “It’s all over the place,” he told Ars Technica UK. “Practically everything you can think of.”

When Mudge announced his plan to form CITL back in June, security researcher Rob Graham went so far as to call the plan a “dumb idea”: It’s not the same quality problem. UL is about accidental failures in electronics. CyberUL would be about intentional attacks against software. These are unrelated issues. Stopping accidental failures is a solved problem in many fields. Stopping attacks is something nobody has solved in any field. In other words, the UL model of accidents is totally unrelated to the cyber problem of attacks. Graham affirmed his critique in a Twitter direct message to Ars. “UL doesn’t test systems for somebody deliberately trying to attack them,” he wrote. He also argued that CITL “adds a lot of bureaucracy for little value.” Mitigating risk is not the same as eliminating it. But until someone figures out how to deal with deliberate attacks, the problem of insecure IoT devices looks set to get worse before it gets better.

Link 2: Nest Thermostat Glitch Leaves Users in the Cold

The Nest Learning Thermostat is dead to me, literally. Last week, my once-beloved “smart” thermostat suffered from a mysterious software bug that drained its battery and sent our home into a chill in the middle of the night. Although I had set the thermostat to 70 degrees overnight, my wife and I were woken by a crying baby at 4 a.m. The thermometer in his room read 64 degrees, and the Nest was off. This didn’t happen to just me. The problems with the much-hyped thermostat, which allows users to monitor and adjust their thermostats on their smartphones (Google purchased Nest Labs for $3.2 billion in 2014), affected an untold number of customers when the device went haywire across America. Users vented on the company’s online forums and on social media. The glitch also coincided with plunging temperatures throughout much of the country.

But this isn’t just about the Nest. This points to a larger problem with so-called smart devices that we are inviting into our lives: Small glitches can cause huge problems. We’ve seen this before, with wireless fobs for keyless cars. They are supposed to make life easier by letting us do away with car keys, but they also make it easier for thieves to break in (by using a simple radio amplifier). It also happened recently with Fitbit, the maker of wearable activity trackers. The company was hit with a class-action lawsuit in San Francisco asserting that the wristbands failed to “consistently and accurately record wearers’ heart rates,” which is vital for those with certain medical conditions.

I’ve heard dozens of other stories from people with connected homes who were locked out by malfunctioning door touch pads, or about newfangled security alarms going off in the middle of the night because a bug (one with wings, not a digital one) flew by. Making matters worse is the lack of recourse. Buried deep in Nest’s 8,000-word service agreement is a section called “Disputes and Arbitration,” which prohibits customers from suing the company or joining a class-action suit. Instead, disputes are settled through arbitration. As a 2015 investigative series in The New York Times illustrated, the use of arbitration clauses is becoming widespread. Nest’s terms of service “are inherently unfair to consumers,” said Sonia K. Gill, a lawyer for civil justice and consumer protection at Public Citizen, a nonprofit based in Washington, D.C. The terms, she said, limit damages and specify that customers need to travel to San Francisco for arbitration. “Who can afford that?” she said.

Link 3: Police body cams found pre-installed with notorious Conficker worm

One of the world’s most prolific computer worms has been found infecting several police body cameras that were sent to security researchers, the researchers reported. According to a blog post published last week by security firm iPower, multiple police cams manufactured by Martel Electronics came pre-installed with Win32/Conficker.B!inf. When one such camera was attached to a computer in the iPower lab, it immediately triggered the PC’s antivirus program. When company researchers allowed the worm to infect the computer, the computer then attempted to spread the infection to other machines on the network. “iPower initiated a call and multiple emails to the camera manufacturer, Martel, on November 11th 2015,” the researchers wrote in the blog post. “Martel staff has yet to provide iPower with an official acknowledgement of the security vulnerability. iPower President, Jarrett Pavao, decided to take the story public due to the huge security implications of these cameras being shipped to government agencies and police departments all over the country.”

To this day, researchers aren’t sure what the purpose of the malware was. Remarkably, Conficker’s unknown operators were never observed using the worm to steal bank account credentials, passwords, or any other type of personal data from the PCs they infected. In 2009, Microsoft offered a $250,000 reward for information leading to the conviction of those responsible for the menace. A report that police cameras are shipping with Conficker.B preinstalled is testament to the worm’s relentlessness. It’s also troubling because the cameras can be crucial in criminal trials. If an attorney can prove that a camera is infected with malware, it’s plausible that the vulnerability could be grounds for the video it generated to be thrown out of court, or at least to create reasonable doubt in the minds of jurors. Infected cameras can also infect and badly bog down the networks of police forces, some of which still use outdated computers and ineffective security measures.

What do you think? Comments?

  1. January 26, 2016 at 11:05 am

  2. P Ray
    January 27, 2016 at 4:48 am

    2 circumstances contribute to “broken IoT” and “bodycam infection”:
    1. It costs a great deal of time to set up these IP (Internet Protocol) devices properly, and users don’t usually know their own settings – or even passwords, so any configuration is time-consuming and costly (especially more so for “paid-by-the-hour” economies like the US).
    2. Legacy system support is made much tougher since very few people and companies have the license or right to use older operating systems – plus very few software people bother to learn the old stuff – because … people using older systems, don’t think they need to pay a higher rate for support since the product is out of service, uses older software or isn’t manufactured anymore.

    In short,
    it’s a money problem.
    If they’re cheap customers … they should expect to be dicked on build quality, support or spare parts availability.
