Prize winning security
Surely the time is ripe for someone to start something along the lines of the Ig Nobel prize but for IoT security? Certainly plenty of contenders. Right up your street, ElReg?
Not long ago, top computer security researcher Jonathan Zdziarski was blessed with a new baby and did what a lot of parents do – spent money on gizmos to keep an eye on it. One of the devices was an Owlet – a sensor that babies wear in a sock that monitors their heartbeat and relays that data wirelessly to a nearby hub. This …
To be fair to Owlet, they are not selling (and it would be either very expensive, or very stupid) their baby monitor as a medical device.
Also to be fair to them, this is horribly bad security that arguably "compromises the average use case and expectation for a device of this type" regardless of any large-type disclaimer of responsibility.
To be fair to Owlet, they probably spent far more time and money on an adorable name, a cute website and lots of fab marketing than they spent on writing the actual baby monitoring software. So they can't be blamed for every tiny little fault with the product, can they?
I'm sure their (offshore) Data Team are providing best practices on Twitter even as I write this.
The industry that bilks new parents for useless shit that they don't need, and that often doesn't even solve the non-problem it claims to, has been around for years.
Aftermarket cycling accessories are quite similar.
But lots of people have buying stuff as their hobby, which gets expressed through a series of obsessions, ostensibly with some or other activity but actually with buying accessories.
New parenthood is similar but a lot more participants are emotionally vulnerable so the take-up rate (and presumably turnover/profit) is better.
I suspect there are not many actual parents contributing to this topic, who don't appreciate the worry that new parents feel every time they put their babies down to sleep.
Cot death is a very small risk for most families, certainly not enough to hook your child up to a medical grade ECG machine every time it's put in a cot. But so that you don't feel guilty for not checking them every 10 minutes during their sleep for the first year of their life, particularly when you are out and leaving the duty to a baby sitter, some sort of unobtrusive and reliable monitor would be good, and that's why there is a market for these sorts of things.
We don't expect these things to have FIPS 140-2 security certifications, but not being wide open to anyone in WiFi range would be a good start.
As a new parent who's survived the first 10 months so far without incident, I was considering buying one of these devices (not Owlet mind you, as they're overpriced). SIDS is always lingering in the back of your mind. There's a "back to sleep" program that teaches new parents to ensure their baby is sleeping on their back while still in swaddling age that has reduced SIDS significantly. A baby O2 and heart/breathing monitor and alert system was alluring for sure. We settled on a (wired) 1080p security camera on the ceiling of the baby's room for visual monitoring and a traditional audio baby monitor that we leave always on (which obviously isn't secure). Is an open wifi device like Owlet less secure though? Yes, definitely.
To be fair to Owlet, they are not selling ... their baby monitor as a medical device.
No, but (I assume) they are selling it on its features, which effectively means they ARE selling it to parents who expect a certain level of functionality. Ah, checks website, they most certainly are - with statements like "Designed to alert you if your baby stops breathing", "Proactively Monitors your baby's heart rate and oxygen levels so you can have peace of mind", and "83% of parents who report better sleep while using the Owlet Baby Monitor". No doubt there that the expectation intended to be set is that you can fit this device and you can relax a bit, "safe" in the knowledge that it'll alert you to problems.
Put another way, if you aren't going to rely on any of its monitoring functions, then "why" buy it? So if you assume that the device can't reliably alert you if the baby stops breathing, then your option is to check regularly - clearly if 83% of parents say they sleep better, a heck of a lot of parents are using the device to reduce the frequency they need to check.
OK, so you could argue that it may provide an alert in between your regular checks. Well, unless there is some certainty (which it appears there isn't), then you can equally say that "the baby may die without any alert", which I assume won't be appearing on their website as a testimonial!
As to the disclaimer in the agreement - we all know how many people read those. So maybe the sort of person to be found in ElReg's forums will understand the limitations - the "average" person will believe this device is something they can "rely" on.
How easy is it to send de-auth packets? A flood of them? You want to trust your baby's life to that?
Owlet has a disclaimer and indemnity clause in the EULA, which indicates to me the device should NOT be used as some parents are likely to use it and (I would hope and assume) Owlet likely does not encourage such use.
The reality, however, is that wireless and cloud are becoming so ubiquitous in our society as to be almost inescapable, and thus implicitly trusted, even with all of their faults. Who should carry the burden of culpability for this: the vendors who push and push, the users who push and push onto others, or the poor suckers who just think things should work like magic?
No, the first problem is using a gadget instead of an actual medical device. The Independent ran an article a couple of years ago that these monitors were mostly useless.
Honestly, the old nursery rhyme has it right: put your child in a rickety basket in the top of a tree during a wind storm, and if the kid survives that fall, you'll have no worries. If you want a gadget, add a Raspberry Pi to monitor wind speed, cradle movement, and precipitation.
"No, the first problem is using a gadget instead of an actual medical device. The Independent ran an article a couple of years ago that these monitors were mostly useless."
I said security problem, not usage problem of the device in question. Our points are complementary.
"our data team"? You sure you don't want to capitalize those words to make them sound a tad more confident? You don't need a "Data Team", you need software developers, testers and at least a security consultant. I bet someone's flipping through their Rolodex for the number to that Chinese company who made the software for them...
No, no, what they want is exactly a *data* team, a *your data we gathered* team. Who cares about development?? The whole IoT stuff is about making people install data gathering devices by offering some side features. Data they resell, which earns them more money than selling devices.
"The whole IoT stuff is about making people install data gathering devices by offering some side features. Data they resell, which earns them more money than selling devices."
Exactly this, which is reflected in this statement:
"The Owlet base station encrypts data sent to and received from the manufacturer's servers..."
So the data they are gathering is encrypted, because it has more value to them than the actual data that is generated between the device and the base station.
I'm not sure why they created another "Solution" without a problem, but realistically for about 30 pounds you can get a sound and heart monitor that works with a board underneath the baby: no internet, it just works and it works well. An alarm sounds should it stop detecting a heartbeat, and you can hear if baby starts crying.
This has next to no security and you are reliant on someone else's servers to be up and running along with the internet. It's about time someone informs the public of the dangers of these devices and passes laws requiring mandatory security and service level agreements. Maybe when a botnet of these things takes down a bank or a government website they might take notice.
<Rant>
"The safety, security and privacy of our customers are of the utmost importance to us"
Am I the only one getting sick to the back teeth of this phrase, or an extremely similar one, being trotted out by every bloody company that gets caught cutting corners, when the evidence points to the exact opposite? It's so blatantly disingenuous, it's almost an insult that they expect people to swallow it. There's no genuine apology, no intent to find the cause of the fault and no intent to improve on the quality of the product and the company. They might as well say "We got caught, get the lawsuits over with and bugger off. We've got another crap product we need to start not designing".
</Rant>
"The safety, security and privacy of our customers are of the utmost importance to us"
Am I the only one getting sick to the back teeth of this phrase, or an extremely similar one, being trotted out by every bloody company that gets caught cutting corners, when the evidence points to the exact opposite?
No; you aren't. Not by a very long shot, I suspect. You almost apologised for "ranting", but in reality the point you make is entirely valid, and you must avoid giving the users of the boilerplate statement any possible excuse to ignore you by suggesting that your point is a rant.
"The safety, security and privacy of our customers are of the utmost importance to us"
If I so much as hear that B***S**T once more from some lousy marketing skunk who should rightfully be strung up by the b******s and t**g*r across the nearest high voltage line (maybe LV would be better - he'd last a bit longer) .....
Y'know, it makes the honesty of Linus's rants positively endearing.
Eat this - scumbags of the net >>
PS
Sorry - it's Friday - I'm in a good mood.
I wonder when companies start getting sued for statements like these which are blatant lies.
I would really like to see a judge hand a verdict saying that while their security is terrible, there's no law against it. Nevertheless, the company will be fined $millions due to the outright lie that safety, security and privacy were in any way important when evidence clearly proves otherwise.
At least maybe then we would get true statements such as:
We are deeply sorry that we got caught releasing a product which was clearly unfit for purpose. We don't give a rat's ass about our customers' safety, security or privacy. In fact, we will make damn sure to sell them whenever we have a chance to make a quick buck and we will cut corners to reduce our costs, suckers.
The data that we create, data that is us, is ours and should be ours alone. While we can allow others to use it, we shouldn't be able to sign away all our data rights any more than we can agree to be murdered. Yet agreeing to be murdered appears to be the present situation with IoT, and will remain so until the laws and enforcement systems change to put the onus on the perpetrators rather than the victims.
SWMBO works in a store that sells baby stuff, loves the job.
Personally, I'm stunned that parents buy *any* of this stuff. However it is modern days.
"Our customers' contribution to our financial bottom line is incredibly important to our stockholders....."
is the *ONLY* statement that any corporation should be making along those lines.
All that said, considering the nature of IT of late days, and the mandates I've seen from management types (based on the bottom line, always), should we as customers expect *anything* else from the large corporates in the market these days?
Almost makes me wonder if putting my heart into it is worth doing anymore.
When I was a baby, parents used to tear themselves away from a device known as the wireless and check their baby was ok. Now I suppose it is such an inconvenience to have to put down your tablet, tear yourself away from the latest restaurant food shot your friend has posted on InYourFaceBork to physically check your new real life device.
Oh the inhumanity of it all.