A hub might get patches, but the doodads? Your light bulbs, door switches, door locks! will all be... patch? It's 6 months old! buy a new one. The fancy fridge that cost $2000? Maybe if you can get it on the NEWS so it's hard to ignore.
If you live in a smart home you may as well take all the locks off your doors and hang up a sign saying "burglars, free swag here". At least that's the thrust of a report by Trend Micro into the security threats posed by "complex IoT environments". Those environments are what peddlers of IoT home gadgetry would describe as the …
The burglar would first have to break in and disconnect my cable modem for 15mins to force a network reset, then turn it off and on again to get a new IP, before they were able to hack my smart home.
Rogers telecom: not only an expensive unreliable monopoly - but now my partner in security
Can you explain your reasoning for those who aren't familiar with Rogers? Is there some reason why your wifi is completely unhackable when everyone else's is vulnerable to known exploits that aren't addressed until WPA3 is out, for instance?
Once they're inside your network, if you have a smart lock with a known exploit they can open it. Though some smart locks have had exploits that don't even require network access...
Obviously IOT introduces vulnerability, but it's hardly groundbreaking. A smart burglar can hack a camera, work out when you are in your garage and 'just walk in'? Of course. A smarter burglar might just sit on a park bench over the street and notice when you walk out to the garage, which would have the advantage of them being nearby*. If I want to identify people with a regular 'habit' I could sit at the train station and watch who it is who gets on the 7:38 each day. Clearly setting up an impersonal-able way of unlocking a door is a bad idea. So just don't do that.
* Visions of the stereotypical hacker in his pants and vests in mum's basement. 'Oh Mr AC has gone into the garage... I'll go round and rob him'. Tripping over the pizza boxes, pulling on a hoody, getting onto moped, driving round, sneaking into the house... 'Oh he's not in the garage any more, he's in the house with a hammer in his hand that he went into the garage for......'
Yes, it's changed quite a lot! First, the so-called "stereotypical hacker" you describe has not been a notable player or serious threat for years. The Good Stuff is written by well-funded professionals, for whom it is a BUSINESS. It's not about individuals on pathetic ego trips, but well-run outfits making sophisticated malware to steal millions. And hoodies? Seriously?
Second, nobody will sit outside a house on the off chance the residents will leave, that's NOT convenient and is a good way to get questioned by cops. Instead, they can sit comfortably at home, in their van, etc. and monitor dozens of potential burglary sites.
The world has changed indeed. Never could so much info be easily gathered from so many sources, stored in searchable form and shared around with a click. Dystopia doesn't begin to cover it.
Well - locally the preferred modus operandi is to walk up to the door and ring the bell. If no answer try the side gate and if that's open stroll round the back. If challenged choose from 'I saw the gate open and thought there might be a problem' or 'isn't this Fred's house - he said I could pick up his wheel barrow'.
Hoodies are pretty much obligatory.
Cops? I saw one once when I went to the big city.
Has anyone EVER actually been burgled by an IOT literate burglar? (FoF , man in pub's FOF or Facebook memes don't count).
And good luck hacking your way in via Alexa - 'Alexa unlock the back door' - 'Back Door Man by the Doors isn't avialble on Amazon Prime - subscribe to Amazon Music to receive unlimited downloads' ....repeat ad infinitum.
The real challenge here is that technical capability of devices is increasing at an incredible pace, while for all but the most savvy users default settings and blind trust seem to prevail.
In some cases the technology implementation may be completely wrong and insecure, regardless of the implementation.
In other cases it will be configuration.
Most ordinary users will not be able to recognise the first and properly mitigate the second.
This post has been deleted by its author
This is just like the early versions of multi-user Windows - allow everyone to do anything, then try to restrict then from doing something they shouldn't be doing.
Should really be the same as any properly designed OS where no-one apart from the administrator can do anything at all, and they then you allow you to do specific things as necessary.
It isn't rocket science.
For most people, if they are the subject of crime it is likely to be opportunistic. Complex attacks against chains of IoT devices designed to allow access to a property are unlikely. Blackmail or attempting to obtain your banking credentials are more likely, but until its easier to find insecure IoT devices to attack than it is to just phone up members of the public and tell them you are from their bank and please give your pin, it's not going to be a big thing.
If someone is targeting you specifically, and they are prepared to go to the effort of compromising IoT devices they probably are going to find a way to get to you anyway.
That being said, IoT security is very important, and as the number of devices increases, it will become more popular. It is just that these current first and second generation devices aren't going to be when IoT crime really takes off, and so the manufacturers have a few years to get things right still.
The point of all this.. is to encourage people to spend money on Trend.. but potentially, someone finds a gaping hole in IoT configurations, sets up a script and sells it, and every hoodie wearing illegal immigrant can use their mobile phones to select opportunistic attacks by simply checking an app.
Att the moment I woud rank the probability of professional break in merchants having the IT skills ncessary to exploit the IoT gizmo flaws as very low.
Howver, when most of these IoT security gizmo merchants go bust, there may well be a surfeit of out of work IoT people whoi have the knowledge needed to turn to a life of crime. And due to the devices all needing personal info to be given to the supplier, they will possibly have useful lists of the installed user base to hand too.
Personally, I prefer to have an actual dog make barking noises if I'm not at home..
(I'd love the cats to also participate in home security duties but I'm not holding my breath. After all, they don't bother to keep out the neighbours cats let alone burglars..)
Biting the hand that feeds IT © 1998–2020