Measuring the Security of IoT Devices

In August, CyberITL completed a large-scale survey of software security practices in the IoT environment, by looking at the compiled software.

Data Collected:

  • 22 Vendors
  • 1,294 Products
  • 4,956 Firmware versions
  • 3,333,411 Binaries analyzed
  • Date range of data: 2003-03-24 to 2019-01-24 (varies by vendor, most up to 2018 releases)

[…]

This dataset contains products such as home routers, enterprise equipment, smart cameras, security devices, and more. It represents a wide range of either found in the home, enterprise or government deployments.

Vendors are Asus, Belkin, DLink, Linksys, Moxa, Tenda, Trendnet, and Ubiquiti.

CyberITL’s methodology is not source code analysis. They look at the actual firmware. And they don’t look for vulnerabilities; they look for secure coding practices that indicate that the company is taking security seriously, and whose lack pretty much guarantees that there will be vulnerabilities. These include address space layout randomization and stack guards.

A summary of their results.

CITL identified a number of important takeaways from this study:

  • On average, updates were more likely to remove hardening features than add them.
  • Within our 15 year data set, there have been no positive trends from any one vendor.
  • MIPS is both the most common CPU architecture and least hardened on average.
  • There are a large number of duplicate binaries across multiple vendors, indicating a common build system or toolchain.

Their website contains the raw data.

Tags: , ,

Posted on October 3, 2019 at 6:28 AM33 Comments

Comments

Rj Brown October 3, 2019 7:26 AM

The large number of duplicate binaries can also be attributed to the fact that most of these devices are made in the western Pacific Rim countries, where intellectual property protections are miniscule; therefore, another reason for the large number of duplicate binaries could well be blatant plagerism, or in the case of one certain large country, government control of multiple corporations resulting in sharing of information that would otherwise be trade secret of an individual corporation.

austin October 3, 2019 7:35 AM

Unfortunately,

Not a big surprise… worse, its unlikely much will be done about it any time soon. the odds of any standard ‘hardening’ approach or enough visiblity into the systems to provide security hooks is pretty much zero.

A ‘walled garden’ approach…brute force and inconsistent though it may be might be the only way to lift the security of these device

Sok Puppette October 3, 2019 9:12 AM

Yeah, so that’s not a good way to measure “security”. It’s a sort of OK way to measure the spread of nonexecutable stacks, ASLR, and so forth. But that is all it is.

All of the things they measure are ad-hoc, partial mitigations for basically one vulnerability: the buffer overflow (OK, with some closely related stuff, but basically scribbling on memory). They say nothing about any of the many, many other security issues in the real world. Not only that, but they’re mostly not very effective, even if you have more than one of them. There are tons of published papers with titles like “exploiting systems with $all-that-stuff present”. Defeating nonexecutable stacks is a basic skill these days. ASLR can be tricky, but is very brittle, because it’s shockingly easy to leak the tiny amount of information you need to defeat it. And so forth.

And there are other ways to deal with the same issues. If, for example, you had a way to formally prove that your code could not ever write outside of the area it was supposed to write in, you could perfectly reasonably turn off all of the things they’re counting… in which case your completely invulnerable code would score zero. Not that I believe any of those vendors have done that. But they might at least have, for example, rewritten most of their code in languages that handle memory better than C.

I’m not saying people shouldn’t use those “hardening” measures. Most projects should absolutely do all of them as a matter of course. They’re cheap, especially in a new project and often in an old one. But they’re horrible as a measure of whether anybody is “taking security seriously”.

I used to work at a company where we had a “buffer overflow guy” (later on I think he got some minions). His whole job was basically to push those exact measures into a very diverse product line with many well established code bases as well as many new ones.

Their method would have measured that guy’s success. It would have said nothing about the success of the dozens of other people trying full time to improve security in other ways. If that one guy had happened to be more effective, the whole company would have gotten a higher score. If he’d quit or something, the whole company would have gotten a lower score, even if they replaced him promptly, because his leaving would have set back his program no matter what.

In fact, if he’d managed to badger the developers into ignoring something more pressing in favor of those measures, the whole company would still have gotten a higher score. There were plenty of default passwords, stupid half-controlled debug modes, poorly anchored or incorrectly implemented crypto authentication, stupid origin bugs in built-in Web applications, barely authenticated updates, and just plain general horror in all that code to compete with those particular measures for attention.

And, no, that company was not unusual in any way.

If people start paying a lot of attention to this particular metric as a measure of “taking security seriously”, and using it as a major way to decide what to buy, it will trigger Goodhart’s law. If vendors notice people paying attention to these particular mitigations, they will divert resources into having them… even if there are other things that are actually more important for their particular products. That is the opposite of “taking security seriously”.

Please don’t oversell this stuff, and don’t encourage others to do so.

Matteo October 3, 2019 10:08 AM

@Sok Puppette

they look for secure coding practices that indicate that the company is taking security seriously, and whose lack pretty much guarantees that there will be vulnerabilities

they’re horrible as a measure of whether anybody is “taking security seriously”.

I agree that checking if mitigations are active doesn’t measure very well the security of a product.
It also does’t measure correctly if someone is taking security seriously because some vendor might use a compiler that enable by default NX so it will have higher score even if they don’t care/don’t look at security at all.
while some other as you said might use a language that have better memory managment[1] and chosed that language excactly for security reasons.

but i don’t find it useless metric, don’t having nx/aslr active is a dumb thing and there is no reason to not enable it.
it’s a damn flag in compiler and it’s 2019 why they still compile with nx off?

If people start paying a lot of attention

There are two problems with this:
-people are no expert in security
-security can’t be seen, especially by normal people thus can’t be marketed
this bring us to: nobody adds security

@Rj Brown
I don’t think its ip theft, it’s just that every router has busybox inside, and all other linux things like httpd…

[1] it’s not easy in embedded devices to use something other than C because of memory/cpu/compatibility

jkreuscher October 3, 2019 10:11 AM

The large amount of common code is likely due to the vendors’ use of the “reference software” furnished by a chip supplier. Nowadays it is impossible to sell a complicated programmable chip without also providing plenty of working examples of how to program it. Without that help, development would be more costly and the time to market for a product would cause a severe reduction in sales.

Long ago I wrote reference software for network equipment. It was obvious that some vendors did little more than fiddle with the user interface to remove access to some features.

Sok Puppette October 3, 2019 10:34 AM

it’s a damn flag in compiler and it’s 2019 why they still compile with nx off?

  1. They may be using a compiler that doesn’t have that flag. Embedded systems tend to use weird OEM toolchains. The object file format may not support NX at all. It’s hard to be sure of getting useful ASLR, and things like stack guards may not exist in any given compiler. Should they get a new compiler (and maybe a new, or at least updated, OS to go with it)? Yes. Is it free to do that, fix whatever stops working, and test it? No.
  2. In some cases, their hardware won’t support things like nonexecutable stacks. Should they have used a different CPU? Yes. But they can’t undo it now.
  3. They may have old weird code that breaks if they use some “hardening” flags. NX tends to break JITs, which means you can’t have universal NX in a browser. It also breaks weird ad-hoc code loading stuff that you sometimes find in embedded systems. Yeah, you can do it for the stack. Which is pretty close to useless if you don’t do it for the heap as well, and not all that compelling even if you do. As for the non-NX ones, there’s C code out there that just assumes it can locate stuff after the end of a struct. Should that code be refactored? Yes. Is it free, especially if you don’t want to create a bunch of new bugs? Nope.
  4. They may be using code from upstream sources that don’t set those flags. If they mess with the build, they “void the warranty” and have to retest everything themselves. And the first fork you make from any upstream code should always worry you, regardless of how minor that fork seems.
  5. They may not even be compiling that upstream code; they may get it as a binary blob. Should they raise hell with their own vendors to get better compilation options (and probably source code). Yes. Is it free or fast? No.
  6. They may not understand their toolchain. They may have 10 million lines of code that somebody got to build 10 years ago using all kinds of arcane compiler and build system options. That person’s gone. Nobody on the project now understands the build system. It’s not free to figure it out. Should they do that? Yes. Is it free? No.

And, yeah, all of that is still true in 2019. Less than in 2018 or 2017, but still real.

Meanwhile, setting any of those flags provides an unquantifiable, but in the case of NX definitely small, amount of protection.

Matteo October 3, 2019 10:50 AM

@Sok Puppette
everything you said makes sense.

Even if this metric is imperfect is better than nothing.
I’d like to buy a secure router instead of a crappy one, but how do i find a secure router?
I really have no idea how to evaluate the security of a product and i’m someone who understands security.
I could buy one and start checking it manually, and i do, in fact i found a bug in my router, asked the vendor to fix it, they fixed in few days, but they never published the update on the website so i’m the only one who has the fix…
i know what nx and aslr are, i have also made working exploit that bypass them on x86 windows programs but still i can’t figure out how to score two routers.
which one should i buy? this from company A or this other from company B?

@Schneier (searching public interest technology)
THIS is the question that needs to be answered.
because if me “security person” can evaluate the security of a product before buying it i could also tell to friends to avoid or buying some product because of its security, many might no care but many others do, me included.
but right now i have no idea how to chose a good router except chosing a “random” one and hoping that i will not find terrible bugs fwe days later.

Phaete October 3, 2019 5:26 PM

I already knew these results and don’t expect them to improve.

If you compare it against locks it is even favourable, more then 90% of the locks have vulnerabilities more then 50 years old.
Police gun holding locks defeated by a simple magnet. A wave rake opens more then half of the locks worldwide.

The trend is not favourable for locks, if 99.99% of the world can’t exploit the vulnerability (like lockpicking), it will continue to exist due to economical viability.
Any IoT will follow this trend.

Goverments are no exception, just a bit higher threshold depending on budget.

Clive Robinson October 3, 2019 7:25 PM

@ Bruce, ALL,

What you might call “IoT Design and Development practices” are without doubt not just a “rabbit hole” they are rapidly turning into “A short slide into the cesspit”.

What is worse, this style of development is “back flowing” into other embedded markets. Which also includes the wast majority of the telecommunications industry.

The simple fact is things are at such a frantic rate of development most equipment will be obsolete within a very short period of time.

You only have to look at just how fast telecommunications standards are being developed to see where this is all going to end up. Thus,

    The final tipping point to disaster will realy be when obsolescence occurs befor software patches can be released.

Because there can be know hope of recovery from the resulting death spiral the market has become.

You can see this for real in some areas of FMCE IoT being the most obvious this is already the default behaviour…

What happens is much as in the film industry a consulting organisation comes up with a concept. They then form a company, and it totes the concept around untill the it is sold to a customer who will put the product on the consumer market. The company in effect outsources much of the development builds pre-production prototypes the customer signs off on, and it then outsources the production and delivers the goods to the customer (Amazon being just one of this type). When the cheque cashes the company for various reasons then ceases to exist. Thus the product is de-facto obsolete before it is even “put on the market”.

Hank October 3, 2019 7:57 PM

I use the Comcast router with a second router for my work/home network. From the outside you see the Comcast router and if you poke around it exposes a device or two. The second router (XyXEL) then separates my network and logs the occasional attempt. Maybe it’s not more secure but I feel better about it and I can tweak one or the other router if I watching someone poking around.

oklein October 3, 2019 8:03 PM

I’d like to buy a secure router instead of a crappy one, but how do i find a secure router?

A good start would be to throw away whatever software comes with it. Look for something supported by third-party firmware communities. Vendors have little reason to care about security unless it’s causing bad PR (ie: don’t report it to them via email, report it via a public Twitter message), nor to support the hardware for more than a year or two.

Even if this metric is imperfect is better than nothing.

This isn’t obvious. I’ve seen people plow ahead with enabling “hardening” features while ignoring known security bugs that don’t follow easy-to-detect patterns. Sure, any client of our server can compromise the whole system because we don’t do authentication properly, but at least the server’s not running with uid 0. We have ASLR, nevermind that anyone who knows Berlekamp-Massey can predict it.

Sometimes the people in charge see security as a marketing feature, so they’ll have people follow a cargo-cult checklist of “best practices” but won’t fund serious efforts. (Anything that gets past the checklist hardening features must have been done by an “advanced persistent threat” who couldn’t have been stopped anyway, right?)

Clive Robinson October 3, 2019 9:11 PM

@ Hank,

Maybe it’s not more secure but I feel better about it and I can tweak one or the other router if I watching someone poking around.

Unless the two routers have “faults in common” yes it is more secure, even if it is just making the attacker work harder. Put simply as low hanging fruit is what your average cyber-criminal is mainly about and such fruit exist as a “target rich” environment you do gain some advantage.

The problem is those who are making targeted attacks specifically against you, be the commiting cyber-crime or cyber-espionage. Just having the two routers will not keep them out, but then no determanistic security system is realy secure against an unchallenged persistant attacker any way.

Thus you take a leaf out of the “physical security” book. The basis of all physical security devices is not that they stop attacks, but they delay attacks sufficiently for a “human response”.

I designed a two router security idea that I called “The Garden Path” method. Put simply the first router is your “front gate” and the second router is your “front door”. Between the two you have the guarden path which you monitor for unauthorised entry. If you see persistent on the path then you know you are under attack. That is in physical security you would have motion sensors and CCTV along the path. For the Internet version you put an IDS on the network segment between the two routers.

It is the IDS that gives you “eyes and ears” and you can configure it such that if the IDS detects any attack, it can block or physically gap –via relay etc– the second router, thus any attack quite literally has “no where to go” except back where it came from.

Now you could build a system with only one router and the IDS on the Internet side of it… But the first router realy acts as a partial deterant by screening out much of the traffic. So by cutting out most trivial attacks, as a front gate keeps stray dogs out of your front garden. Thus it significantly limits what the IDS gets to see thus log, which eases a lot of preasure on the IDS and backend system that pulls the plug on the Internet by a definable amount, thus preventing any further attack.

The idea is not exactly new, as you could consider it a variation of the old “DMZ method” from back when firewalls were a lot lot simpler.

Ismar October 4, 2019 1:16 AM

It seems to me that the blog is becoming increasingly self deficits and that we need to keep the bigger picture in mind . Namely, despite all of these shortcomings the vast majority of the internet is still operational and keeps supporting very complex interchange of valuable information , hence I draw a conclusion that not all is lost yet and we still have time to act and prevent the digital apocalypse.
I would advise that having a bit of a change (I am looking at you Clive ????) in attitude may help in improving our digital outlook in the long run.
So, yes , while the state actors can hack into my $100 router and monitor my internet traffic, I can still do my online banking from home and be pretty confident that my money is spent only by me.

Matteo October 4, 2019 2:24 AM

@Ismar

while the state actors can hack into my $100 router and monitor my internet traffic, I can still do my online banking from home and be pretty confident that my money is spent only by me.

true because websites uses https, they don’t trust the network and encrypt all the data in transit.
A hacked router is not that useful to attack you, it’s much more useful as botnet to attack others.
while we all focused on routers as example, the IOT is not just router, you might have ip camera, iot house/garage lock, iot oven, or any other iot device.
if someone hacks your camera you can still do home banking safely but it’s terrible anyway

@oklein

Even if this metric is imperfect is better than nothing.
This isn’t obvious. I’ve seen people plow ahead with enabling “hardening” features while ignoring known security bugs that don’t follow easy-to-detect patterns

i understand your point but i think that this research want to conclude something different:
“if you turn on hardening you probably know something and care a bit about security and probably you will not have stupid strcpy overflow bugs or other bugs, we don’t even need to look we can trust you more than others because of hardening”
on the other side “if you don’t turn on hardening we think that probably you will have lots of other mistakes in it”
this is their whole point:
they look for secure coding practices … whose lack pretty much guarantees that there will be vulnerabilities

Patriot October 4, 2019 7:07 AM

Breaking that trail of electronic data is what stopping eavesdropping is all about. So, we are going in the opposite direction: multiply the routes in, make those routes undefendable, standardize the weaknesses, tell people you give them security when you do the opposite, and get that data. That folks, is where it is all headed: a panopticon.

Only this time the panopticon is not going to be some nasty Victorian institution like a prison, it is going to be your living room. A single guard will be able to view all of the cells at once.

Clive Robinson October 4, 2019 7:25 AM

@ Ismar,

I would advise that having a bit of a change (I am looking at you Clive ????) in attitude may help in improving our digital outlook in the long run.

I’m assuming you don’t live under a tarp or tent and pack your home up every morning and put it on your back befor disappearing to somewhere else[1]. Thus a question arises about your front door. That is what it is made of how thick what type of hinges and how many locks?

The answers usually depend on the geographic location and if your front door is protected by a guarded building door, or closed community guarded estate gates. That is your frontdoor represents what you, the previous occupier or building supervisor considers to meet the risk of where you are.

Strangly to many the risk is in reality not measured in terms of effort required by criminals to break the door down but actually by how much delay it provides. That is the better the response of the local law enforcment authorities, generally the less substantial the front door needs to be.

There are two points to note in respect to this about the Internet,

1, There are no law enforcment authorities you can call upon.

2, There is no physical “locality” thus there are no “good neighborhoods, they are all as bad as each other.

This second point has further consequences. As the criminal population is around 1/1000th of the general population[2] locality has effected risk. But without locality both the number of criminals and number of targets are effectively at maximum.

From a cyber-criminal perspective there are currently way to many easy targets to attack thus even a small increase in security as long as you maintain it will decrease not your probability of being attacked, but your probability of being successfuly attacked.

Which is actually more important? Well for most actually the latter. I would also argue that all cyber-crimes actually start as a “Denial of Service” (DoS) attack because they actually use your resources against you. It is only when they find a vulnerability they can exploit does an attack become something else. Thus each attack, most of which will fail, is infact “noise in the logs”, which unless you are looking for realy smart attackers[3] you can more or less ignore.

So using two different routers in series is actually very inexpensive when you do the math. The cost of the IDS and “kill switch” are more expensive but they take your level of security up several notches.

Even most “script kiddy attacks” will quickly detect that there has been a response to their attack, and thus will move on to the next IP address etc. Thus although automated it is a response, the attacker does not know why thus the “low hanging fruit” mentality says “to much trouble move on”. That is most cyber-criminals are simply playing an ROI adjusted “numbers game”. They invest as short a period of time as possible in finding out if you are vulnerable to their chosen attack. If you are not it’s better for them to move on than try to build more complex attacks. The sort of people who do that are those who have targeted you for a specific reason, we sometimes call them “State level”, “type III attackers”, or just “APT” and you need a very different security strategy for them.

Whilst I would agree this sort of defence system against basic cyber-criminals is not for every one, I’m kind of “future forecasting”. As such I can see that the low hanging fruit gets culled and over the next 5-10years even cyber-criminals will have to be smarter and spend longer on their attacks to get effective returns. Thus having a “garden path” system in place means not only do you remain that little bit more secure than the current majority, you do get fair warning when the attack types are changing, because you get a much better “signal to noise ratio” than others who just use an IDS or their firewall logs.

What ever people might think in terms of what they might perceive as “my level of paranoia” or “seeing dark clouds not rainbows”, at the end of the day “optimism” is just another form of “snake oil”. Because of points 1&2 above, if and when those points might change then you might have a limited time chance with “pretty rainbow” optomistic thinking as we did in the early days of the Internet (but in the end it will be shown to have been a bad idea as history has a myriad of examples why).

Put another way “it’s a numbers game” as any probablistic system is. Saying the world is wonderfull because it’s not yet happened to you is nice for those that dream of rainbows and unicorns and castles on fluffy clouds. But it hides the fact there are people that have to face the grim reality of our vastly inadiquate cyber-defenses. Those of us who have to design systems that keep working are “pesimistic-optimists” we would just love you to have a world full of rainbows, but we know there are a percentage of people[2] that want to make your life a hell on earth for one reason or another. We also know what is required in the way of engineering to help nudge the balance point so you see more rainbows than demons. We also know just how long it takes to engineer systems with that sort of balance and it’s years not weeks or months.

The fact “quick buck, fly by nights” who most definitely do not have your interests at heart want to sell you insecurity by the bucket load as they steal your privacy is not something that should be either ignored or ultimately alowed to happen. It is after all why we have consumer legislation and regulation to stop harmfull products getting onto the market. The one thing we should be aware of and not delude ourselves about is that as far as “consumer products with software in them” are concerned the majority are “Not Fit for Purpose” and won’t be as long as legislators and regulators fail to act. Likewise it should also be obvious that the legislators have been “bought and their opinions payed for” by large corporate lobbyists and worse, thus are in effect payed not to act.

Thus as long as legislators are payed not to act in the common intetest, others have to find solutions to the shysters like Alphabet / Google and it’s Android OS spyware and Microsoft and it’s Consumer grade Windows 10 OS spyware. Likewise some of the stuff Ubuntu have been slipping into Linux Distro’s. With god only knows what “conceptual fools” churning out IoT crud as fast as their fingers can type.

Saying “oh look how pretty the display is” etc and ignoring the spyware/telemetry pushing out your private details to the corporate mothership to be packaged and sold without your permission is as far as I am concerned “theft” which the last time I looked was a criminal act… So arguably not talking about such quite deliberate insecurity would be “aiding and abetting criminal activity” or if you prefere “Criminal Conspiracy”.

The fact that one or two people can think as well if not better than the smartest of criminals without actually being criminals, and thus can give you a decade or so of warning as to where things are going, whilst not bright and chearfull, is still a very necessary service to the average citizen even if they don’t get to directly hear it… As long as it makes those who can make a change for the better take it onboard and think and act on it to the general citizens betterment, a great service is done quietly and without fuss for the many. At the end of the day that is what most engineers do, which is why you can have a nice home with a front door you can drive your car upto, all without thinking about the great deal of work that has gone into the safety/security of every single component part that enables you to have such a life style.

[1] Yes I have lived like this but I’ve always had a barracks or house to return to eventually.

[2] There are lots of arguments over trying to work out how many criminals there are in a given population. Thus I generally go for the easy to work out,

    Percentage of the population in jail as a percentage of the general population in any given area.

It’s very obviously wrong and the real figure is two to three times higher if not more for many but varied reasons. But it’s atleast generally understandable and gives a baseline that can be argued in an upwards direction, thus it’s a kind of “low water mark” figure.

[3] Some years ago I posted an outline of a quite sophisticated probe attack, that to most who got attacked by it, it would look like a very dumb “script kiddy attack”. It’s actual purpose was not to gain entry but to enumerate the likely defences, by finding if “Virtual Machines” are in use. That is how many network host IDs that shared the same hardware. At the time this covered two basic networks types, the first was “Honey-Pots”, and the second was low cost “Web-Hosting”. Both of which would be more likely to have much better intrusion logging etc. These days it also covers “cloud services” and other “High Performance Clusters”. The point of the attack was that a smart attacker with a new “zero-day” or similar would want to avoid using it on a “Honey-Pot” or other collection of machines that used VM because they were more likely to use IDS and similar the attacker could not see, that would pin their new zero day attack down in it’s logs like a butterfly to a cork. Thus make it usless in a much shorter period of time. Because the probing attacj used very dumb / brain dead looking script kiddy attacks that were well known you as an attacker don’t care about anyone seeing them in their logs. Because unless those reading them are sufficiently smart they won’t realise what the pattern in their logs is actually telling them.

Sherman Jay October 4, 2019 5:16 PM

@Bruce and all,

I just read a good ‘consumer’ article on the IOT disaster (link below). It credits Bruce Schneier a number of times for being at the forefront of this debacle.

h t t p s://www.techdirt.com/articles/20190923/09092543042/yet-another-study-shows-internet-things-is-privacy-shitshow.shtml

I just bought an LED floodlight and at the common consumer stores all I could find, with the lumens rating I wanted, were ‘smart’ bulbs. Oh, excrement! Just what we need, our kitchen lights spying on us!

Think October 4, 2019 6:21 PM

@Clive

‘Saying “oh look how pretty the display is” etc and ignoring the spyware/telemetry pushing out your private details to the corporate mothership to be packaged and sold without your permission is as far as I am concerned “theft” which the last time I looked was a criminal act… So arguably not talking about such quite deliberate insecurity would be “aiding and abetting criminal activity” or if you prefere “Criminal Conspiracy”.’

Call it, “Korporate Kleptocracy“

Only when a powerful group of people or supremely powerful and connected individual changes the law or societal customs because they are not getting what they want and that law happens to align with your interests will things change for a subset of people in the future. If your identify gets stolen or if your PII is lifted through insecure devices, it’s your problem. It is happens to the rich, powerful and connected – they protect themselves by creating a law or having the standing government that wields the power of societies’ institutions (hopefully through public law) protect them and maybe you and me or maybe not.

https://www.google.com/amp/s/www.history.com/.amp/news/henry-viii-divorce-reformation-catholic-church

@Bruce – I was surprised that you didn’t include this case in your recent Book, ‘Click Here to Kill Everybody’ when you touched on hacking back.

A great article for those that don’t know the story—

https://www.google.com/amp/s/www.newyorker.com/magazine/2018/05/07/the-digital-vigilantes-who-hack-back/amp

A must for all interested in security mythos and history.

Think October 5, 2019 8:41 AM

@clive

Agree. Those that own the data will own the world.

The mighty iris of the google icon is always watching.

lurker October 5, 2019 12:47 PM

@ShermanJ: I wouldn’t be worried about lightbulbs watching me; I’d be interested in how many of them would have to be “bricked” to cause social and financial disruption…

SpaceLifeForm October 5, 2019 1:40 PM

@CLive @Sok Puppette

Not sure if you are doppelgangers.

Anyway, yes, toolchains are an issue.

And I prefer 3 routers. Defense in depth.

ISP tech people hate double router setup.

They will tell customer that it not work.

They are flat out misdirecting.

As per their ‘training’.

Multi-router setup works perfectly fine.

If you know what you are doing.

But most ISP users have no clue.

Clive Robinson October 5, 2019 1:58 PM

@ lurker,

I’d be interested in how many of them would have to be “bricked” to cause social and financial disruption…

From which side of the fence?

We now know that IoT devices such as CCTV devices, can function as the user thinks it should, whilst still being part of a DDoS “net”.

The microcontrolers they use now are sufficiently powerfull the BotNet Herders no longer need have them “lobotomized” to be of use…

Thus “bricking” IoT devives is not something that needs to be done by attackers…

But some on the other side of the fence are those that think it should be legal to “Hack Back” hard and fast with maximum prejudicr. They appear to be of the opinion/view that “bricking IoT” is fully justified, even those that carry the financial burden of such –currently– criminal activity are in effect blaimless. Our host @Bruce has pointed out it is a form of “externalizing cost”[1]…

As history shows such “externalisation” onto others is in fact a form of “vigilantism” and that usually begets not just injustice but retaliation. Thus we get a downward spiral of inappropriate behavior with each turn becoming more extream.

Society does not need such behaviours, and a millennium or so ago even the “landed barons” realised that such behaviour is unacceptable.

[1] Having been subject to such “cost extetnalisation” behaviour by the UK Metropolitan Police who decided doing several thousand GBP damage to the front of my property not just the door because they thought they could get away with such excess based on the excuse they thought there was a burglar in my house… Did not amuse me in the slightest, especially when the Met Police legal representative said that I “should have insurance for such eventualities”. I think a few could guess my response (it was two fold, firstly in effect that he should have private health care for the eventuality that was likely to befall him… And secondly he provide me with the home addresses of the officers concerned so that I could respond in kind to retrieve “goods and chattles” from their homes to three times the loss they had inflicted on me, neither of which he thought was “proportionate”… Showing the ingrained stupidity of a certain mindset).

Sherman Jay October 5, 2019 6:56 PM

@Clive Robinson, @lurker, et. al.,

Do either of you have an opinion on my ‘bricking’ IOT devices I own: washing machine, smart TV, etc.?

It is getting harder and harder to find major appliances that aren’t part of the IOT spyware network. I called General Electric, they said that the IOT and connectivity features in their washing machines cannot be ‘turned-off’. They and other manufacturers I contacted (while researching purchase of washing machines) said that physically ruining the ‘IOT/phone home’ chips in the appliances would destroy the use of the washer entirely and at the very least void any warranty. I am not sophisticated enough to use a ‘software attack’ to disable the phone home capabilities.

I’ve searched and not found a way. Does anyone have a simple, practical way to disable the IOT spyware features of all these appliances without making it unusable? I would like to be able to help non-saavy people at the computer clinics I hold do that.

Clive Robinson October 6, 2019 8:57 AM

@ Sherman Jay,

I called General Electric, they said that the IOT and connectivity features in their washing machines cannot be ‘turned-off’.

Either they are lying to you or they have sold you a defective product.

As some know there are places in the US where WiFi / Bluetooth / Zig-bee and even mobile phone signals must not be radiated allegedly for “Radio Astronomy” reasons, but there are others. All equipment on the US market is supposed to abide by those regulations.

But look at it another way. If there is nothing for the eashimg machine to connect to are they claiming it will not work?

If not finding and removing it’s antenna and shorting it to ground will probably not be that difficult to do…

I’ve found “customer services” generally “run by script” and have no clue about the real state of play, which can work to your advantage.

Bystander October 6, 2019 9:37 AM

How long will it take until people recognize that any electronic device with software and network connection tends to be ‘owned’ by someone else?
Probably when some widely used product is messed up by hackers and/or incompetence of the manufacturer…

IoT is a no go for me.

Will it ever be safe? Probably not.
IT security for mostly unattended devices such as IoT should be handled like functional safety…

Sherman Jay October 6, 2019 5:45 PM

@Clive Robinson,
Thanks for the great reply. You are a national treasure (both sides of the pond).

I didn’t and wouldn’t buy the G.E. Washer. I don’t doubt that they might be lying and didn’t even want to spend the time finding out how the G.E. washer would connect to the internet. And, I don’t want to spend $1000+usd on a washer and void the warranty by shorting the wifi antenna (and my old soldering iron has a tip that is too big for tiny surface mount antenna traces on the circuit board. If I tried, I’d probably brick the whole control system).

If it cannot connect, I would suspect that at some time in the future, if it didn’t get the ‘critically needed updates’ over the internet it would either whine at me endlessly or maybe even be programmed to degrade or disable functioning.

I know there are some ‘no wifi’ zones, but a residential area in the wilds of Northern Arizona is probably not one of them.

Just as a side note: Broadband Internet is available from 2 sources a cable company that serves only a few larger cities and a telecom ‘centuries linked’ which provides high speed fiber for 3 small areas in the city and 1.5mbps speeds for everywhere else. But, as an offset the crummy service, at least they charge more!

We ended up buying a speedqueen washer with a better warranty, mechanical controls and NO IOT. It does a great job.

Sherman Jay October 6, 2019 5:56 PM

@Clive Robinson, et. al.,

Thinking further, if only IOT devices are available, it might be possible (with an Xacto hobby knife) to cut the traces of the wi-fi antenna on the circuit board to de-tune and disable it. But, you’d have to open the case and get to the buried circuit board of the device.

Or, (he jested feebly), just go and pound your clothes on a rock down at the creek!

Me October 7, 2019 6:57 AM

Why cutting the antenna or modding the device?
I have a smart tv, i just never connected it to the wifi so it can’t spy me.
It’s probably less smart but i don’t care, it works perfectly.
I guess that with a washing machine you can do the same: never connect it to the internet and problem solved.
To be 100% sure you could create an open wireless and check that it doesn’t autoconnect.

Clive Robinson October 8, 2019 6:05 AM

@ Alejandro,

Netgear got a pass? Why?

Did they? Perhaps not, either way it’s a good question as it raises issues about the linked to article. Which talks of 22 vendors but does not list them all in any one place, thus several names are probably not included.

In the case of Netgear their name appears in one pie-chart in the article which shows they represent 6.5% of their “Vendor binary corpus”. Which made them the the sixth largrest by Vendor binary.

However Netgear’s name did not come up again in the rest of the article…

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.