• Def Con: Do smart devices mean dumb security?
    9 replies, posted
[url]http://www.bbc.co.uk/news/technology-36995288[/url]
Smart devices mean dumb users. Having all your information at your fingertips sure is nice if you're lazy or have a severe case of paranoia. DDoS/flooding is one way to exploit device security. Depending on what layer they're doing this, they can be especially hard to thwart for your home user who barely knows how to handle Windows firewall. Who would bet they would have a better routing solution in their house that can mitigate these types of attacks with a minor cost of convenience? And it's not like they're going to find someone in network security to help harden their own home's network. Another bit they never brush up against is user stupidity. Leaving cameras on default passwords/users, using things on their standard ports, not hardening their router/software to brute force attacks. So all in all, in a world of smart devices, their security is not only compromised by rushed security implementations, but rushed and incompetent users.
[QUOTE=Richard Simmons;50838535]Another bit they never brush up against is user stupidity. Leaving cameras on default passwords/users, using things on their standard ports, not hardening their router/software to brute force attacks.[/QUOTE] And when they finally do, they end up fucking over power users big-time instead, while the dumber of the dumb users still fucks up royally. It's a cavalcade of half-assed solutions in the hope of quick money and/or fame.
[QUOTE=Van-man;50838673]And when they finally do, they end up fucking over power users big-time instead, while the dumber of the dumb users still fucks up royally. It's a cavalcade of half-assed solutions in the hope of quick money and/or fame.[/QUOTE] I can imagine the engineering behind IoT devices would be a hard challenge. First you need to make sure a product does as advertised. Then when they get to the management side of things, an advanced interface will often scare an end user by the complexity. A basic interface would be more welcoming, but in the end you end up with simple fixes that can be done with very little config work. And security would need to come to the point where lockout policies (too many failed attempts will lock out access) would hinder users accessing their device, leaving them with their lights out or their doors locked. There is no simple balance. The best bet is to keep a basic and an advanced interface that complies with modern standards in device/network security. Even though things won't be 100%, their simple camera sitting in their bedroom won't be accessible through a search engine that has a spider crawling around gathering the IPs and device information of previously unindexed devices. And in the article they were talking about enterprise security, where companies employing IoT devices such as thermostats, lights etc. would find it crucial to have their own IT staff. Not simple L1 or L2 helpdesk guys, but a competent network/systems administrator should be able to lock devices down well. But they're put against heightened security since they're public facing in many ways.
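The lockout trade-off above (slow down brute forcing without locking the owner out of their own lights) is usually handled per source rather than per account. As an added illustration that is not from this thread or any product mentioned in it, here is a per-source exponential backoff throttle; the class name, parameters and the two IP addresses are constructed for the example.

```python
import time


class LoginThrottle:
    """Per-source failed-login throttle with exponential backoff instead of a global lockout.

    A remote brute-force source is delayed more after each failure (capped at max_delay),
    while other sources, such as the owner on the LAN, are never affected by its failures.
    """

    def __init__(self, base_delay=1.0, max_delay=300.0, reset_after=900.0, clock=time.monotonic):
        self.base_delay = base_delay    # seconds of delay after the first failure
        self.max_delay = max_delay      # cap: attacker is slowed, nobody is locked out forever
        self.reset_after = reset_after  # idle seconds after which a source's history is forgotten
        self.clock = clock              # injectable clock so the behaviour can be tested offline
        self._state = {}                # source -> [failures, blocked_until, last_failure]

    def allowed(self, source):
        """True if an attempt from this source may be processed right now."""
        entry = self._state.get(source)
        if entry is None:
            return True
        failures, blocked_until, last_failure = entry
        now = self.clock()
        if now - last_failure > self.reset_after:
            del self._state[source]     # old history expires; start clean
            return True
        return now >= blocked_until

    def record(self, source, success):
        """Record the outcome of an attempt; return the delay (seconds) now imposed on this source."""
        if success:
            self._state.pop(source, None)   # a successful login clears the counter
            return 0.0
        now = self.clock()
        failures = self._state.get(source, [0, 0.0, 0.0])[0] + 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[source] = [failures, now + delay, now]
        return delay
```

The caller checks `allowed()` before verifying credentials and then calls `record()`; a rejected attempt should return the same generic error as a wrong password so the throttle does not leak which sources are being watched.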
I completely agree with this article, and this is a subject that I have recently been feeling very concerned about.
Huh, so that DDoS thing is interesting. Even better and easier than turning someone's personal computer into a botnet, because it's much harder for them to notice anything running amok. Also have no idea how to fix this. You can't force people to be secure and many have convinced themselves that ANYTHING computer related is just wizardry that petty mortals such as they shan't bother with, which is wrong. Device manufacturers are to blame too for some bad practices.
[QUOTE=thelurker1234;50839029]Also have no idea how to fix this. You can't force people to be secure and many have convinced themselves that ANYTHING computer related is just wizardry that petty mortals such as they shan't bother with, which is wrong. Device manufacturers are to blame too for some bad practices.[/QUOTE] If all the manufacturers decided in unison that their devices should insult the users if they're being borderline purposely idiotic while using the devices, then we wouldn't have such a big problem. BUT they also wouldn't sell as many of the devices then. The dark side of the relationship between capitalism and tech.
Home users can't mitigate DDoS attacks. Don't care what kind of routing system you have, that's not how you mitigate a DDoS.
[QUOTE=Map in a box;50840389]Home users can't mitigate DDoS attacks. Don't care what kind of routing system you have, that's not how you mitigate a DDoS.[/QUOTE] They can protect themselves from some flows, but yeah, you can't just hook up a mitigation appliance with your residential 20Mbit service.
It's not a bad idea to have hardware limiters on things like thermostats/etc.