GCHQ's infosec arm has 3 simple tips to secure those insecure smart home gadgets

Britain's National Cyber Security Centre (NCSC) wants owners of baby monitors and smart CCTV cameras to take some basic security precautions. The GCHQ-owned infosec arm of government today published what it hopes is simple guidance that can be followed by ordinary people who haven't got time to immerse themselves in the …

  1. Anonymous Coward

    A Hammer or better still an Angle Grinder would be more effective.

    1. wegie

      A Hammer...

      Yeah, I was hoping as well that the advice would be the classic engineering solution of "just use a bigger hammer!"

    2. GnuTzu Silver badge
      Trollface

      How about a belt sander--done in short segments and turned into a slow motion video of a thing being eaten away layer by layer. Add special effects of oozing guts to taste.

      Or, maybe a time lapse in a jar of hydrofluoric acid or suitable corrosive.

    3. Kevin McMurtrie Silver badge

      Thunk

      My favorite tool is a slate bar. It's a large hardened steel rod with a sharp side for shattering rocks and a flat side for breaking open cracked rocks. It erases NVRAM and hard drives with a quick and satisfying thunk. Just mind your toes.

      1. I ain't Spartacus Gold badge
        Devil

        Re: Thunk

        Tell me, do you own any old carpets or quick lime? And have you been seen in the vicinity of any high windows with suspiciously loose opening mechanisms that happen to overlook a skip?

  2. ClownBeer

    Or better yet, don't buy these useless pieces of sh*t.

    1. HildyJ Silver badge
      Devil

      Internet of Twits

      Amen. I don't understand why people are so interested in internet connected devices. My baby monitor was essentially a one way walkie-talkie and it was enough. I could see getting a keypad lock if I still had kids at home but I wouldn't let anyone else in the house when I'm not there so, again, no need for internet. I don't have a problem walking to a light switch. And my programmable appliances are as smart as I need or want.

      1. Baldrickk Silver badge

        Re: Internet of Twits

        Honestly, there are actually some good uses for this stuff.

        My sister uses cams for home security, and to watch the cats, allowing them to check up on them, and make sure that they haven't gotten into the food cupboard (again... They've managed to bypass the lock when not set properly, and rip into the boxes and food pouches a couple of times now.)

        She bought my Father a set of cameras for Christmas this year, and only two nights ago, they caught and alerted us to someone getting into the back garden.

        I've given my share of warnings about updates, passwords and access as the family tech guy, up to the point where it goes from good advice to being annoying, so not going to push it further. Hopefully it's sufficient.

        1. BebopWeBop Silver badge

          Re: Internet of Twits

          The problem with watching your mogs remotely destroy the place in their search for food is that you aren't there - and believe me, after the event they will label all footage you show them as fake news. Just something to worry about that you are powerless to affect.

        2. JCitizen Bronze badge
          Happy

          Re: Internet of Twits

          The look on a pet's face, when the owner yells at them through the monitor system is priceless - I think I'll go watch videos on YouTube and get a laugh!

    2. 0laf Silver badge

      Yeah but often now they all come with this 'value added' data mining shite on by default. It's getting harder and harder to avoid. Plus feature count sells, even if the users never touch half of them.

  3. Anonymous Coward

    Three Random Words.

    What's the betting the most common are "mynewpassword" and "mycamerapassword"?

    1. steelpillow Silver badge
      Facepalm

      Re: Three Random Words.

      threerandomwords

      1. Steve Davies 3 Silver badge

        Re: Three Random Words.

        Go one better and use www.what3words.com to generate them. Choose a place that you know (not your home front door) and swap the words around. There is a pretty good password.

        I tried it recently with

        Ironclad, Patio, Sunbathing

        plus some numbers where needed.

        But it was a huge "disappointment".

        I ended up going with [redacted],[redacted],[redacted] instead.

        1. Anonymous Coward

          Re: Three Random Words.

          "Ironclad, Patio, Sunbathing"

          Am I the only one who immediately thought of a certain scene in Robin Hood, Men In Tights, specifically around the word "ironclad"?

  4. DavCrav Silver badge

    Create strong password, write it on the monitor

    For a baby monitor, physical access isn't an issue. (If you are able to get to the monitor, you can probably get to the baby.) So you don't have to remember a ludicrous password, you can write it on the thing.

    This actually applies to most household gadgets; the threat is online hackers, not offline thieves, who will just steal it and factory reset it anyway.

    1. IGotOut Silver badge

      Re: Create strong password, write it on the monitor

      Why do you need an internet connected baby monitor? Unless of course you're popping down the boozer for a few hours.

      1. Anonymous Coward

        Re: Create strong password, write it on the monitor

        DogCam, innit.

        1. BebopWeBop Silver badge

          Re: Create strong password, write it on the monitor

          Watch them and weep cam you mean?

      2. druck Silver badge
        Facepalm

        Re: Create strong password, write it on the monitor

        Obviously not many people on here have had children. When you are a first time parent, it is a big thing to go out and leave your baby in the hands of a baby sitter. No matter how much you think you wouldn't be worried or feel guilty before being in that situation, you do, you really do. Being able to just check the baby is OK when you are out, is a massive reassurance, and is a small step towards getting some sort of life back.

        I bought a cheap Chinese WiFi camera, with an abysmally insecure remote server and app, but disabled UPnP on the router and firewalled it from making any external connections. Instead I used an early Raspberry Pi to provide an SSH tunnel to the camera, with key authentication only. Now I use Raspberry Pi cameras and OpenVPN for remote access, the kids are older and we don't feel the need to check on them in the same way, it's more to give the baby sitter a ring to tell them to start tidying up before we get home!

        1. boltar Silver badge

          Re: Create strong password, write it on the monitor

          Speak for yourself. We've never used a babysitter and never will. When you have a kid you know what you're signing up for. If you still want the carefree lifestyle of going out when you want then please DON'T have children. They're not a pet, they're the biggest responsibility you'll ever have and leaving them in the hands of a minimum wage stranger is NOT responsible (leaving them with family is another matter obv).

          1. Terry 6 Silver badge

            Re: Create strong password, write it on the monitor

            1.) Even the best parents need to get out sometimes and we no longer can always rely on granny/aunty as once we would have.

            2) Babysitter doesn't have to mean paid employee. Could mean responsible local teenager who wants to earn a few quid and have somewhere quiet to do a bit of homework, or watch TV without the siblings around etc.

            3.) The kids need to learn that mummy and daddy can be away from them. Otherwise separation anxiety ensues later. Helicopter parents do no good for their kids.

            1. eldakka Silver badge

              Re: Create strong password, write it on the monitor

              "3.) The kids need to learn that mummy and daddy can be away from them. Otherwise separation anxiety ensues later. Helicopter parents do no good for their kids."

              The reverse is also true, that is, parents have to get over separation anxiety from their children. Which having a remotely accessible monitor isn't going to do.

              1. Terry 6 Silver badge

                Re: Create strong password, write it on the monitor

                I agree. It was an argument for baby sitters. Not baby monitors.

            2. boltar Silver badge

              Re: Create strong password, write it on the monitor

              Leave a "local teenager" in charge of a small child? Seriously??

              And it's nothing to do with being a helicopter parent - it's simply putting your kids' welfare before your own. You have plenty of free time when they're at nursery or at school, you can always take a day off work to enjoy yourself. Dumping a child with a babysitter is no different to dumping them at boarding school when they're older - it's for parents who like the idea of having children but not the reality.

              1. phuzz Silver badge

                Re: Create strong password, write it on the monitor

                "Leave a "local teenager" in charge of a small child? Seriously??"

                Believe it or not, but this was the standard way many of us were brought up. Living in a small village there was no chance of a 'professional babysitter' (if such a person even existed), so my folks hired one of the local kids who was a few years older than us and theoretically trustworthy.

                Some years later, when I was a teen, I was contracted out to sit in someone else's house and tell their kids to go to bed or I'd tell on them to their parents.

                This was between the early 80's and mid 90's by the way, perhaps it's different now.

                1. boltar Silver badge

                  Re: Create strong password, write it on the monitor

                  No doubt it's different in a small village where everyone knows each other. Ask some scrote in a big city to do it and you'll probably come back to the baby in the cupboard and a house party.

                2. Terry 6 Silver badge

                  Re: Create strong password, write it on the monitor

                  No, still happens, my daughter, round GCSE, would look after the neighbours' kids for a few hours, get a few quid, do a few essays.

                  I'm guessing not as much as 20 years or so back. Too many neurotic helicopter parents these days.

              2. Terry 6 Silver badge

                Re: Create strong password, write it on the monitor

                I think that's everything to do with being a helicopter parent.

                But helicopter parents probably don't see themselves as being that. They are.

                False comparisons (boarding school) don't change that. And on El Reg we're well versed in handling that kind of false logic.

                1. boltar Silver badge

                  Re: Create strong password, write it on the monitor

                  It's nothing to do with helicopter parents, why not look up the definition. It's everything to do with Generation Me Me Me (ie millennials) being too lazy to take responsibility for their offspring and still want to live the carefree single life.

                  1. druck Silver badge

                    Re: Create strong password, write it on the monitor

                    First I'm not a millennial by a long way, although my wife qualifies. Secondly, the first few times we both went out together after having a baby, were to Council meetings, as we were both elected councillors at the time and attendance was mandatory. So it's not all about abandoning the baby to have fun.

                  2. Terry 6 Silver badge

                    Re: Create strong password, write it on the monitor

                    Nonsense. My generation (my kids are now in their 20s) used baby sitters. Grandparents where possible, aunts, cousins or neighbours' kids mostly, if not. Some had paid baby sitters, it wasn't that unusual.

                    As did my parents' generation, half a century or more ago. The Babysitter was a thing.

                    1. boltar Silver badge

                      Re: Create strong password, write it on the monitor

                      It might have been "a thing" with your family and friends but it wasn't with mine. It's funny how the sort of people who dump their kids with some stranger earning a pittance would never dream of doing the same thing with their dog.

                      1. Terry 6 Silver badge

                        Re: Create strong password, write it on the monitor

                        Wrong. And in fact there's a whole issue about dog owners who are never there for their pet and leave it to professional dog walkers to manage during the day. You see them in the parks with a whole bunch of dogs on leads. There are even companies sometimes with liveried vans.

                        Your experience is far from the usual.

                  3. Anonymous Coward

                    Re: Create strong password, write it on the monitor

                    "Generation Me Me Me"

                    I blame the parents.

                    1. Terry 6 Silver badge

                      Re: Create strong password, write it on the monitor

                      I was a teacher. Of course I blame the parents.

                      When a five year old comes into school swearing it's not the kid's fault.

                      When parents start fighting outside the school gate.

                      Leave their kids outside the pub door (once I saw that when it was the pub behind the school I did work in ffs)

                      When kids can barely string two words together and I see the parents walking along or sitting on the bus on their phones instead of speaking to their kids.

                      And so on and so on.

                      It's an endless list.

        2. IGotOut Silver badge

          Re: Create strong password, write it on the monitor

          "Obviously not many people on here have had children. "

          2 kids, one of those had a heart condition, occasional fits and breathing issues. However one of the joys of going out is NOT "having" to constantly fret all the time. As someone said above, getting your life back is NOT being a helicopter parent and both you and your kids learning to be apart.

    2. Anonymous Coward

      Re: Create strong password, write it on the monitor

      I see your thinking until you find out it has no brute force protection.

  5. Chris G Silver badge

    Let's face it

    Joe and Josephine Bloggs are more interested in 'Ooh shiny!' and not having to get off their arses to check on the sprogs or dim the lights when their fave' reality show comes on t' telly.

    Three random words are likely to be the kids names plus that of the budgie and usually visible all over their social media accounts.

  6. Anonymous Coward

    Obviously ===>

    Why should I believe anything that GCHQ tells me?

    1. steelpillow Silver badge
      Devil

      Re: Obviously ===>

      You mean you believe shit that other people tell you?

      1. Yet Another Anonymous coward Silver badge

        Re: Obviously ===>

        Don't buy any of that Chinese stuff.

        Make sure you only buy from trusted Swiss suppliers like Crypto AG

    2. eldakka Silver badge

      Re: Obviously ===>

      What does it matter the source of any commonsense advice?

      This is a reminder of what people should already be doing, not some new revelation from FSM.

      1. KittenHuffer Silver badge

        Re: Obviously ===>

        There's my three random words: His Noodly Appendage!

        1. I ain't Spartacus Gold badge
          Flame

          Re: Obviously ===>

          Blasphemy! He has more than one singular noodly appendage! He has oodles of noodles.

          Heretic!

  7. Anonymous Coward

    Shame I'm outta there

    or I would have suggested that the "Keep your camera secure by regularly updating security software." be simplified by removing the word "security", as in "Keep your camera secure by regularly updating the software." Not every Brian Blessed can tell the difference.

    Oh, hi guys! Long time no see. Keep up the good work.

    AC for good security practice ;-)

    1. I ain't Spartacus Gold badge

      Re: Shame I'm outta there

      This advice worries me. Normally I'm all for updating software. But some of this IoT kit gets updated in order to make it worse - and more dependent on the vendor's servers. Or even to disable various abilities, in order to make you sign up for some other service, agree to new Ts&Cs or whatever.

      I suppose in general I'm still with them on update your software. It's just another reason why this stuff worries me.

  8. joe bloggs 6

    updates?

    "Keep your camera secure by regularly updating security software. Not only does this keep your devices secure, but often adds new features and other improvements."

    1) this assumes they can be updated

    2) this assumes updates will be provided

    3) how long for?

    1. Someone Else Silver badge
      Flame

      Re: updates?

      4) Assumes that you want the new, shiny "features and improvements"

      4a) Assumes that the new, shiny "features and improvements" actually work.

      4b) Assumes that the new, shiny "features and improvements" aren't themselves a new pwnage vector.

      1. Korev Silver badge

        Re: updates?

        4c) That it's not the manufacturer making the product worse for the end user in some way

        1. KittenHuffer Silver badge

          Re: updates?

          4d) Assumes that the update doesn't introduce a new security issue.

    2. Anonymous Coward

      Re: updates?

      4) Will it get a Sonos update to being deliberately bricked because forcing replacement is obviously a good fix amiright?

      1. phuzz Silver badge

        Re: updates?

        I guess if it's bricked then by definition it is secure. Can't be hacked if it doesn't work, right?

  9. Anonymous Coward

    I'm surprised

    there isn't a GCHQ division who will helpfully generate .gov-approved passwords for your devices so you know for sure you're secure.

    [Hmm, I'm going to TM "Know for sure you're secure"]

    1. smudge Silver badge
      Black Helicopters

      Re: I'm surprised

      Who says there isn't? :)

    2. eldakka Silver badge
      Black Helicopters

      Re: I'm surprised

      There is such a division.

      They'll even go in helpfully and change it to the secure password, and to ensure its security won't tell you what it is (after all, you can't be trusted to keep it safe, can you?), and as a bonus they'll monitor it on your behalf.

      1. This post has been deleted by its author

  10. HellDeskJockey
    Big Brother

    Another thing is to keep things off the Internet unless needed. Everything does not have to connect to the net.

  11. Anonymous Coward

    Why exactly would anyone "need" a camera in their kid's bedroom...?

  12. Cynic_999 Silver badge

    Updates

    It is a big mistake to assume that the update will work better than the old firmware. Very, very often a "new feature" (that you will never use) has borked something that you *do* use, and/or opened a huge security hole that wasn't there before. Even security updates occasionally substitute one vulnerability for an even bigger one.

    I do agree with changing the password, though for me it is usually so that I can remember the password rather than having to look up the default. Because there is not always any risk from hackers - it depends where and how the hardware is used. If someone hacks the feed from the camera I use to remotely monitor a 3D printer, or my neighbour's camera that she uses to check the level of seeds in her garden bird feeder for example, that's not too serious. But where it would indeed be highly undesirable for anyone else to gain access, changing the password is as basic as changing the combination on a new padlock so that it is not the default 0-0-0-0

    I really don't understand people who put cameras in every room of the house, including bedrooms and bathrooms. I believe you have to *assume* that any Internet-connected camera stream can be intercepted by any man+dog no matter what company made the kit or what security measures you have adopted. If you must put a camera in the bathroom, at least provide a lens cap that can be fitted whenever the bathroom is occupied. (And check that the lens cap works - some types of black plastic are transparent to long wavelength light and the camera will happily switch to IR mode and supply a B&W image with the cap fitted).

    1. Chris G Silver badge

      Re: Updates

      "It is a big mistake to assume that the update will work better than the old firmware."

      Windows anyone?

      1. eldakka Silver badge

        Re: Updates

        And Sony classically on the PS3 where an update removed Linux capability.

        And Sonos (though maybe they backed down a bit?) where they are making older speakers incompatible with newer ones.

        And Google/Nest where they bricked older devices.

        And Apple with their iPhone-throttling iOS updates.

        And the list goes on.

    2. Alistair Silver badge
      Windows

      Re: Updates

      @Cynic_999

      Used to own a certain wireless sound system did we?

    3. Terry 6 Silver badge

      Re: Updates

      "my neighbour's camera that she uses to check the level of seeds in her garden bird feeder"

      TBH most people probably wouldn't buy tech for that kind of low level use. The 3d printer possibly, but that's a very techie thing to start with - and presumably all the setting up, bar the actual camera, is in place.

    4. quartzz

      Re: Updates

      first thing I did with my laptop, duck't tape over the built in cam..

  13. Anonymous Coward

    I got hacked

    I had a strong password for my kiddy cam (anotherbadpassword123) and it was fine but then the kids hacked the adult cam in our bedroom ... I should have used a different password I guess.

  14. AdamWill

    three handy tips

    "GCHQ's infosec arm has 3 simple tips to secure those insecure smart home gadgets"

    1. Unplug it

    2. Hit it several times with a hammer

    3. Take it to the recycling depot

    OK, OK, I kid (kinda). I actually have robot door locks and a robot garage door opener now! Never thought the day would come. On the one hand, I'm sure someone sufficiently dedicated could hack them over the internet while wearing a hoody and mumbling "I'M IN". On the other hand, I eventually decided, someone sufficiently dedicated could also just chuck a rock through the large window that's right next to the door, and being able to check whether I remembered to lock the damn door when I'm ten minutes down the road (and open the garage door without remembering to take the annoyingly chunky remote out with me) does turn out to be handy...

  15. Mike 137 Silver badge

    Ahaaaaa!

    So the NCSC has just caught on to this - brilliant! Insecam (over 5 years) and shodan (over 10 years) have only been highlighting this graphically (literally graphically) for ages.

    But of course this is the official security advice agency that recently turned its entire web site into a javascript app. Not even the landing page can be read with scripting disabled. "Good thinking Batman", javascript being the primary vector for almost all drive by infections.

  16. Nolveys
    Headmaster

    Which?

    "Which? has repeatedly exposed serious security flaws..."

    What?

    Who?

    Why?

  17. Anonymous Coward

    "GCHQ's infosec arm,,,,,,"

    .......so here we have the fox giving the chickens in the hen house some "useful advice"!!!!

    *

    Does the word "misdirection" come to mind?

    *

    Perhaps Dr Ian Levy would be MUCH more helpful to us chickens if he could tell us something (anything!) about what actually goes on in Cheltenham.

  18. Anonymous Coward

    all the advice posted here is all well and good but...

    When you buy something that is phoning home at every opportunity, a lot of what you might do elsewhere in your home gets tossed in the garbage.

    https://www.bbc.co.uk/news/technology-51709247

    Ring doorbells with connected cameras log every action the bell does AND every action you make with the App. All gets sent to the mothership and added to your history profile so that Amazon can flog you more useless tat that you more than likely do not need and may even have to buy on the never-never.

    Isn't progress wonderful...

  19. Cuddles Silver badge

    3 simple tips to secure those insecure smart home gadgets

    1) Purchase or otherwise acquire lump hammer;

    2) Apply liberally to "smart" gadgets;

    3) Dispose of remains in an environmentally responsible manner.

  20. mr-slappy

    Put the onus for security on the manufacturers rather than the users

    "If your camera comes with a default password, change it to a secure one" => Require all IoTat devices to not have a default password, rather one that the user has to enter before it can be used. And reject any easily-hackable passwords.

    "Keep your camera secure by regularly updating security software" => Require all IoTat devices to update themselves automatically and make manufacturers financially liable for security breaches in the way that they would be liable if the device electrocuted someone.

    "If you do not use the feature that lets you remotely access the camera from the internet, it is recommended you disable it" => Require all IoTat devices to have this feature switched off and only allow it to be enabled if a strong password has been assigned by the user (and maybe mandate 2FA as well).

    FTFY
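
Added example, not part of mr-slappy's post and not any vendor's firmware: a sketch of the first and third requirements above, where the device ships with no default password, rejects easily guessed ones, and keeps remote access off until the owner's password has been set and verified. The `Camera` class, the blocklist, the 12-character minimum and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed blocklist for illustration; it reuses passwords joked about in
# this thread. A real product would ship a far larger list.
COMMON_PASSWORDS = {
    "password", "12345678", "admin", "mynewpassword",
    "mycamerapassword", "threerandomwords", "anotherbadpassword123",
}
MIN_LENGTH = 12          # assumed policy value
PBKDF2_ROUNDS = 200_000  # assumed work factor


class SetupError(Exception):
    """Raised when the device refuses an unsafe configuration step."""


def password_problems(password, device_name=""):
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if lowered in COMMON_PASSWORDS:
        problems.append("common")
    if device_name and device_name.lower() in lowered:
        problems.append("contains device name")
    if len(set(lowered)) < 5:
        problems.append("too repetitive")
    return problems


class Camera:
    """Hypothetical device model: no default password, remote access off."""

    def __init__(self, name):
        self.name = name
        self._salt = None
        self._digest = None          # nothing stored until the owner sets one
        self.remote_access = False   # disabled out of the box

    @property
    def provisioned(self):
        return self._digest is not None

    def _derive(self, password):
        # Store a salted, slow hash rather than the password itself.
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ROUNDS)

    def set_password(self, password):
        problems = password_problems(password, self.name)
        if problems:
            raise SetupError("password rejected: " + ", ".join(problems))
        self._salt = os.urandom(16)
        self._digest = self._derive(password)

    def check_password(self, password):
        if not self.provisioned:
            return False
        return hmac.compare_digest(self._derive(password), self._digest)

    def start_streaming(self):
        # The device does nothing useful until a password exists.
        if not self.provisioned:
            raise SetupError("set a password before first use")
        return "streaming"

    def enable_remote_access(self, password):
        # Remote access is opt-in and gated on the owner's strong password.
        if not self.check_password(password):
            raise SetupError("remote access needs the owner's password")
        self.remote_access = True
```

Automatic updates and 2FA, also asked for in the post, are outside what this sketch covers.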

  21. Anonymous Coward

    Don't believe anything that GCHQ tells you

    not when it comes to how to set passwords, changing passwords etc.

  22. Anonymous Coward

    A Message for Dr. Ian Levy (and Sir Andrew Parker)


  23. TrumpSlurp the Troll Silver badge

    One small point

    Commentards are banging on about hijacking webcam feeds.

    I thought the major problem was hijacking the devices themselves, for example for use in DDOS botnets.


Biting the hand that feeds IT © 1998–2020