• The Internet of Things is laughably insecure
    105 replies, posted
[QUOTE=MTSS;49592872]Yeah, but then people would shitpost to get their count up to be a part of that "10k Elite".[/QUOTE] that's ok, only the 30,000+ members are true elite class shitposters anyways
[QUOTE=wauterboi;49592637]Saying "Internet of Things" is a pretty good description of connecting random things to the internet, and it's becoming more common for a reason. I'm seeing these articles pop up more and more, and for good reason. "Things" randomly being hooked up to the internet without security can enable bad stuff. It's a legitimate concern. You're suggesting using more words for... what? What's wrong with the shorter phrase?[/QUOTE] Well I would think Internet of Objects would make more sense. The normal internet is already an "internet of things", because things is like the most vague term in the English language. At least the word "objects" implies physicality. That's just nitpicking though.
IoT is one of those things that sounds cool on paper, but in practice...not so much. It's the epitome of the battle between convenience and security.
The "Internet of Things" problem is that security takes third place to pricing and functionality. In fact you say that people forget the password for them, some don't even have a password, and some of them have a hardcoded password. There is now talk of an "IoT Regulation wave" coming and a Consumer Electronic Test the Pentagon might do.
[QUOTE=MTSS;49592872]Yeah, but then people would shitpost to get their count up to be a part of that "10k Elite".[/QUOTE] Then they would get banned and only very few would get to 10K thus making the 10K Elite even more exclusive and powerful.
[QUOTE=Amiga OS;49592201][video=youtube;8mzBS0DXxnc]https://www.youtube.com/watch?v=8mzBS0DXxnc[/video] School ipcam in question. Fast forward to an hour in.[/QUOTE] I remember taking place in this thread. The guy in question was supposedly arrested, or something happened to him because he never streamed again
[QUOTE=wauterboi;49592637]You're suggesting using more words for... what? What's wrong with the shorter phrase?[/QUOTE][QUOTE=SGTNAPALM;49592801]Yeah, I'll just carefully explain that I have connected appliances and devices within my home to the world wide web in order to access them remotely via cable or fiber optic link every single time I refer to the concept instead of using a perfectly valid term that makes you personally angry for no real reason.[/QUOTE]There's been a term for that and it's been around for most of the 20th century: [I]remote control.[/I] You don't need to carefully explain anything at all, here, let's compare: "I have an internet of things for all of my appliances!" You sound like you belong on a short bus. versus "I've hooked my appliances up to the internet." You sound like you're a hobbyist. I fail to see the benefits of this silly phrase, especially since, [QUOTE=Turnips5;49592638]I recommend not building an internet of things, it's a fundamentally atrocious idea[/QUOTE]Really, if you're smart enough to network your toaster you're smart enough to go through with the extra effort and make it automated. Rarely would you need true remote access anyway and if it's unsecured (which is clearly a problem) then really you're asking for trouble. [editline]23rd January 2016[/editline] That said, everything I have that's a part of my "internet of things" is fully automated because it's easier to just make it run by itself rather than micromanage it. Why go through all that extra effort for no gain? Plus I don't have a smartphone so I really can't tell anything I have to do stuff, so that's just further incentive to make it all play nice without my supervision.
[QUOTE=JumpinJackFlash;49593266]"I have an internet of things for all of my appliances!" You sound like you belong on a short bus.[/QUOTE] Do you have anything else you want off your chest? Maybe some racial slurs you want out in the open? I was really trying to be nice and discuss this despite your general approach to arguing, but I don't think you have the capacity to view other people's opinions without seriously degrading them in some condescending way. I'm not offended as much as I am impressed.
You'd think companies would learn, this was a big thing in 2003/2004 too, but back then some companies, like Panasonic, gave you a public/dynamic name like "cam12345.something.net" - yes, it was sequential and easily indexable.
Companies making dumb insecure implementations doesn't make the entire "Internet of Things" concept dumb or a gimmick. It's like saying Sports are violent or dumb after watching a match of Handeggball or Baseball.
Some cams would let you set a region for motion sensing, and that sensing could activate a trigger. One of the triggers was to play a sound through an integrated speaker these cameras had attached.
You think webcams are bad? How about [url=http://wolfstreet.com/2015/07/31/internet-of-hacked-things-medical-devices-hospira-symbiq-cyber-vulnerability] drug pump carts in hospitals with default passwords that let you literally kill patients by making them OD?[/url]
[QUOTE=wauterboi;49593335]Do you have anything else you want off your chest? Maybe some racial slurs you want out in the open? I was really trying to be nice and discuss this despite your general approach to arguing, but I don't think you have the capacity to view other people's opinions without seriously degrading them in some condescending way. I'm not offended as much as I am impressed.[/QUOTE]I'm sorry, you're right that was a little mean but it really does sound that juvenile to me and it is that irritating. We didn't need a new term for "a new class of devices" because this isn't a new thing and these are not new devices. Assuming that you're describing some device that has an ESP8266 or something crammed in, wouldn't you specifically mention the wifi capability anyway? I think it should be a given that it's able to be remote-controlled or at least send some telemetry if it has wifi capability. (both of which qualify for "the internet of things" and you'd need to specify what it would do anyway) [editline]23rd January 2016[/editline] [QUOTE=phygon;49593418]You think webcams are bad? How about [url=http://wolfstreet.com/2015/07/31/internet-of-hacked-things-medical-devices-hospira-symbiq-cyber-vulnerability] drug pump carts in hospitals with default passwords that let you literally kill patients by making them OD?[/url][/QUOTE]Holy shit what the fuck is wrong with people. Why would an IV pump even need this? A patient on an IV drip needs to be monitored anyway, there isn't any reason at all to have a pump like this.
The problem isn't that they're insecure, it's that people are too dumb to properly secure them or just don't bother.
[QUOTE=JumpinJackFlash;49593424]I'm sorry, you're right that was a little mean but it really does sound that juvenile to me and it is that irritating. We didn't need a new term for "a new class of devices" because this isn't a new thing and these are not new devices. Assuming that you're describing some device that has an ESP2866 or something crammed in, wouldn't you specifically mention the wifi capability anyway? I think it should be a given that it's able to be remote-controlled or at least send some telemetry if it has wifi capability.[/QUOTE] Actually we do need that term. As much as I think it sounds stupid, it makes a really important distinction. IoT causes a lot of strain to be put on networks, but usually don't require all that much data to be moved around. This creates some technical issues you don't have with normal internet connected devices. Low memory + low computation power creates a lot of security risks and a whole lot of other issues, it led to remote attestation systems to be developed with all this in mind. Basically, aside from being a dumb marketing buzzword, it's useful for people like researchers and people in the industry to have a blanket term for all this stuff.
[QUOTE=JumpinJackFlash;49593424] Holy shit what the fuck is wrong with people. Why would an IV pump even need this? A patient on an IV drip needs to be monitored anyway, t[B]here isn't any reason at all to have a pump like this.[/B][/QUOTE] Eh. That's not really true. These machines are fantastic tools for anesthesiologists and they do a lot of the regulation themselves. That being said, adding "WIFI ENABLED!!!!" or "NOW WITH BLUETOOTH" to a product as extra features is a shit idea because that's just more and more vectors through which one could hack the carts and kill people.
[QUOTE=Electrocuter;49593450]The problem isn't that they're insecure, it's that people are too dumb to properly secure them or just don't bother.[/QUOTE]There is no such thing as a secure device if it's connected to the internet. Sure, you can make things impractical for a bad guy wanting to do bad shit but at some point you do need to ask, "do we really, really need IV pumps that are connected to a network?" [QUOTE=judgeofdeath;49593459]IoT causes a lot of strain to be put on networks, but usually don't require all that much data to be moved around. This creates some technical issues you don't have with normal internet connected devices. Low memory + low computation power creates a lot of security risks and a whole lot of other issues, it led to remote attestation systems to be developed with all this in mind.[/QUOTE]I don't know, I'm not seeing a distinction between "normal internet connected devices" (I assume you mean computers, routers, etc) and something a hobbyist cooked up. They actually interface with the network the same way, they use the same protocols, for all intents and purposes an automatic feeding machine for somebody's cats is digitally no different than a laptop aside from its performance. Maybe if they had a fundamentally different way of interfacing with an internet connection I'd concede the point, but they really don't. Security risks are another bag, if you're doing this sort of thing and you don't at least put a password lock on something then really it's your own damn fault. [QUOTE=phygon;49593492]Eh. That's not really true. These machines are fantastic tools for anesthesiologists and they do a lot of the regulation themselves. That being said, adding "WIFI ENABLED!!!!" or "NOW WITH BLUETOOTH" to a product as extra features is a shit idea because that's just more and more vectors through which one could hack the carts and kill people.[/QUOTE]Yeah I don't disagree, automated IV pumps are cool beans but I meant adding in some network capability beyond just spitting out telemetry for patient monitoring purposes. (which really shouldn't even be unsecured to begin with) I don't see a point in a remote access of any kind for a device like this.
[QUOTE=JumpinJackFlash;49593517] Yeah I don't disagree, automated IV pumps are cool beans but I meant adding in some network capability beyond just spitting out telemetry for patient monitoring purposes. (which really shouldn't even be unsecured to begin with) I don't see a point in a remote access of any kind for a device like this.[/QUOTE] Oh yeah, internet IV machines is a recipe for disaster. Intranet? Possibly a good idea. But no, these things are open for the internet as a whole. The IoT was a mistake
I could see it being helpful in larger hospitals. Can just have the doctors / nurses adjust patient's medications as appropriate without going up to it which improves efficiency a bit, saving time and allowing more time for more pressing issues. Obviously security is a big issue for any medical device.
[QUOTE=phygon;49593543]Oh yeah, internet IV machines is a recipe for disaster. Intranet? Possibly a good idea. But no, these things are open for the internet as a whole. The IoT was a mistake[/QUOTE]I don't know, the concept of hooking stuff up to control it remotely isn't a bad one it's just that most of this is gimmicky bullshit. Sure it's cool to play around with but I've yet to see anything really special happen with it, more harm than good I suppose. I [I]could[/I] give my lovely little greenhouse the ability to be controlled remotely but what's the point? The airflow and temperature are automatic, the holding tanks for the water are monitored, the pumps are each individually controlled and the pipe systems will pump in a closed or open cycle as needed, and I'm even playing with filtration setups so I can put in fertilizer without killing the fish in the aquaculture half of the system. I think telling something to run all by itself is a much, much more useful thing to do rather than make it pester you and force you to do all the thinking and guesswork. Most of these devices are controlled by an arduino or raspi, both of which can either do that by themselves or be swapped out for a board that is more capable. [QUOTE=Morgen;49593570]I could see it being helpful in larger hospitals. Can just have the doctors / nurses adjust patient's medications as appropriate without going up to it which improves efficiency a bit, saving time and allowing more time for more pressing issues. Obviously security is a big issue for any medical device.[/QUOTE]That raises an argument for having a hospital intranet like phygon said though, and if that's the case I don't see a problem aside from it could possibly encourage nurses or doctors to become lazy and neglect a patient's care. That's not really an issue with the system itself but instead is an issue with the people involved, completely different system with a completely different solution.
I wonder if I should plant an IoT camera that's totally open with full control + speakers somewhere I'm actually interested in the shit people would do with one
If I ever do figure out how to get a robotic arm to pick a tomato or a strawberry off a plant then I'd be even more wary of connecting that to the internet. That security risk could mean some shithead from 4chan (not sure how they'd find me but whatever, let's say they did) gleefully spends hours making my robotic arms tear up all my plants and kill everything in my greenhouse. It just seems like an excessive risk.
Not really that much difference between an Intranet and an Internet connected device really. Someone with malicious intentions could connect to the network, someone could open all the ports pointing to a specific device that is only intended to be used locally etc.
[QUOTE=JumpinJackFlash;49593597]If I ever do figure out how to get a robotic arm to pick a tomato or a strawberry off a plant then I'd be even more wary of connecting that to the internet. That security risk could mean some shithead from 4chan (not sure how they'd find me but whatever, let's say they did) gleefully spends hours making my robotic arms tear up all my plants and kill everything in my greenhouse. It just seems like an excessive risk.[/QUOTE] At the end of the day, reasonable precautions are all you really need (I.E. a good password, not using software with gaping security holes) [editline]s[/editline] [QUOTE=Morgen;49593600]Not really that much difference between an Intranet and an Internet connected device really. Someone with malicious intentions could connect to the network, someone could open all the ports pointing to a specific device that is only intended to be used locally ect..[/QUOTE] You could have them on a separate, non-internet connected network
[QUOTE=J!NX;49593589]I wonder if I should plant an IoT camera that's totally open with full control + speakers somewhere I'm actually interested in the shit people would do with one[/QUOTE]Rickrolls, JOHN CENA, and other obnoxious noises all day every day?
[QUOTE=JumpinJackFlash;49593605]Rickrolls, JOHN CENA, and other obnoxious noises all day every day?[/QUOTE] gotta love those EXCELLENT MEMES
[QUOTE=JumpinJackFlash;49593597]If I ever do figure out how to get a robotic arm to pick a tomato or a strawberry off a plant then I'd be even more wary of connecting that to the internet. That security risk could mean some shithead from 4chan (not sure how they'd find me but whatever, let's say they did) gleefully spends hours making my robotic arms tear up all my plants and kill everything in my greenhouse. It just seems like an excessive risk.[/QUOTE] [URL="http://www.zdnet.com/article/remote-robotic-surgery-is-both-practical-and-safe/"]You're gonna love robosurgeons then. [/URL] Well, not absolutely robotic. A surgeon could be controlling them from some distance. I think this shows that IoT does have some applications. Safety and security are issues, but this does show that IoT does have practical applications besides connecting your dishwasher to your smartphone.
[QUOTE=Morgen;49593600]Not really that much difference between an Intranet and an Internet connected device really. Someone with malicious intentions could connect to the network, someone could open all the ports pointing to a specific device that is only intended to be used locally ect..[/QUOTE]This is true, but now we're getting into the realm of physical security which is another layer of defense that has very different rules. Plus internal security on the hospital intranet would also be there (hopefully) so that's two layers of shit somebody would have to get through just because the hospital decided to keep their sensitive stuff away from the internet. [QUOTE=phygon;49593602]At the end of the day, reasonable precautions are all you really need (I.E. a good password, not using software with gaping security holes)[/QUOTE]I'm one of those people who subscribe to the "nothing is ever secure" school of thought, it's always a risk versus reward thing for me and there really isn't any reward for being able to remotely control a robotic fruit-picking arm. That little guy should be happily working by himself all day and all night, all he should need from me is maintenance care and keeping his happy home powered and running smoothly.
[QUOTE=JumpinJackFlash;49593266]There's been a term for that and it's been around for most of the 20th century: [I]remote control.[/I] You don't need to carefully explain anything at all, here, let's compare: "I have an internet of things for all of my appliances!" You sound like you belong on a short bus. versus "I've hooked my appliances up to the internet." You sound like you're a hobbyist. I fail to see the benefits of this silly phrase, especially since, Really, if you're smart enough to network your toaster you're smart enough to go through with the extra effort and make it automated. Rarely would you need true remote access anyway and if it's unsecured (which is clearly a problem) then really you're asking for trouble. [editline]23rd January 2016[/editline] That said, everything I have that's a part of my "internet of things" is fully automated because it's easier to just make it run by itself rather than micromanage it. Why go through all that extra effort for no gain? Plus I don't have a smartphone so I really can't tell anything I have to do stuff, so that's just further incentive to make it all play nice without my supervision.[/QUOTE] Sigh. Guys, the phrase Internet of Things is not a noun describing what you have or don't have in your home. No one says that they have 'an internet of things for all their appliances' because that is completely the wrong use of the term IoT and if you say that you're retarded. The term internet of things is a short phrase to describe the general phenomenon and movement whereby people are hooking up their appliances to the net or their LANs to control over the net, which is different. For example I would never tell someone at a bar that I 'own' an internet of things, but my boss might ask me to present on how Internet of Things could be employed in the workplace for greater convenience.
[QUOTE=JumpinJackFlash;49593587]I don't know, the concept of hooking stuff up to control it remotely isn't a bad one it's just that most of this is gimmicky bullshit. Sure it's cool to play around with but I've yet to see anything really special happen with it, more harm than good I suppose. I [I]could[/I] give my lovely little greenhouse the ability to be controlled remotely but what's the point? The airflow and temperature are automatic, the holding tanks for the water are monitored, the pumps are each individually controlled and the pipe systems will pump in a closed or open cycle as needed, and I'm even playing with filtration setups so I can put in fertilizer without killing the fish in the aquaculture half of the system. I think telling something to run all by itself is a much, much more useful thing to do rather than make it pester you and force you to do all the thinking and guesswork. Most of these devices are controlled by an arduino or raspi, both of which can either do that by themselves or be swapped out for a board that is more capable. That raises an argument for having a hospital intranet like phygon said though, and if that's the case I don't see a problem aside from it could possibly encourage nurses or doctors to become lazy and neglect a patient's care. That's not really an issue with the system itself but instead is an issue with the people involved, completely different system with a completely different solution.[/QUOTE] You're looking at it from a hobbyist perspective though. Sure maybe it would be easier for you to just ditch controlling your greenhouse remotely, but a guy I know at uni is/was interning on a team a couple years ago that employed some IoT techniques in order to make a remote monitoring system for a nuclear reactor over the internet using Python. In that situation it makes it not only more convenient but more safe
[QUOTE=JumpinJackFlash;49593266]There's been a term for that and it's been around for most of the 20th century: [I]remote control.[/I] You don't need to carefully explain anything at all, here, let's compare: "I have an internet of things for all of my appliances!" You sound like you belong on a short bus. versus "I've hooked my appliances up to the internet." You sound like you're a hobbyist. I fail to see the benefits of this silly phrase, especially since, Really, if you're smart enough to network your toaster you're smart enough to go through with the extra effort and make it automated. Rarely would you need true remote access anyway and if it's unsecured (which is clearly a problem) then really you're asking for trouble. [editline]23rd January 2016[/editline] That said, everything I have that's a part of my "internet of things" is fully automated because it's easier to just make it run by itself rather than micromanage it. Why go through all that extra effort for no gain? Plus I don't have a smartphone so I really can't tell anything I have to do stuff, so that's just further incentive to make it all play nice without my supervision.[/QUOTE] It's interesting how hard you're railing against the term "Internet of things" on the basis of, I don't know, immaturity? Considering how absolutely juvenile and condescending you've been during this entire thing. People don't think better of you just because you make fun of other people. Take out your insecurities elsewhere.