Set phasers to 'colour me surprised' and phasers to 'deny it all' as we approach the scrapheap planet 'Junk'.
Tens of millions of Internet-of-Things, network-connected gizmos at risk of remote hijacking? Computer, engage shocked mode
A bunch of flaws in a commonly used TCP/IP software stack have put potentially tens of millions of Internet-of-Things devices, healthcare equipment, industrial control systems, and other network-connected gear at risk of remote attack, it is claimed. The vulnerabilities are dubbed Ripple20 – because hey, what's a bug reveal …
COMMENTS
Wednesday 17th June 2020 18:34 GMT Anonymous Coward
Tat for Tit (sup)
That most IoT tat has security issues of varying degrees is not surprising.
Keep in mind that vendors have almost zero interest in fixing old tat and, even if they wanted to, even in their new gizmos, they often can't push updates, especially firmware, and most gizmos don't allow even a knowledgeable user to pull updates.
Intelligent gizmos (e.g. temperature control on my fridge) make sense; IoT gizmos (e.g. a shopping list app on my fridge) rarely do.
Wednesday 17th June 2020 05:32 GMT Anonymous Coward
Just another reason
for me NOT to spend my [insert funding method here] money on this IoT tat.
Why should my lightbulb need to get permission from some server out there on the internet to allow me to control it?
Oh wait... planned obsolescence. Just turn off the server and all that kit/tat you spent your hard-earned on is now junk and destined, as the Americans say, for landfill (but preferably your local recycling centre, provided you can book a time slot to go, that is... that is the new normal in Hampshire).
Turn off the server and sit back and wait for the proles to buy more of your Internet Connected TAT. Then in 18 months (or less), rinse and repeat.
Wednesday 17th June 2020 07:32 GMT Anonymous Coward
Re: 'tip' time
Yep. The numpties in charge at Hampshire County Council have decided in their infinite (/s) wisdom that you now have to book a time slot to drop off your recycling/waste. One trip per household per week. Thankfully, they have postponed the introduction of their ANPR system.
IMHO, they really don't want to take your recycling and would prefer you to fly tip it. /sarcastic
They say that it is to reduce the queues at the recycling centres. If there are queues then why not increase the opening hours? They are still not back to their normal ones and with only 3 vehicles allowed at a time (at my local tip) then Doh! It does not take a blind man on a dark night to realise that you are going to have problems. Numpties the lot of them.
Wednesday 17th June 2020 17:02 GMT John Brown (no body)
Re: 'tip' time
Our local one is fully open as normal in terms of days and hours, but they have limited the number of cars on site at one time and there's some arrangement where odd- or even-numbered car number plates are allowed each day. I've not had a need to go so didn't read the notice fully.
Wednesday 17th June 2020 22:52 GMT Anonymous Coward
Re: 'tip' time
Not everyone has a car. On one occasion I was refused entry to our local council recycling centre because I was on foot. They didn't even ask me to prove I was a local resident - rather than someone who had hidden their vehicle round the corner. An official complaint elicited a reply that the centre had consequently been "given reminder" that pedestrians were allowed.
Thursday 18th June 2020 09:30 GMT hoola
Re: 'tip' time
The same for Leicestershire and by all accounts there are still people queuing for hours even though they don't have an appointment getting pissed off when they are refused entry. Maybe these are the same people that queued for hours just to get a Big Mac.
You really cannot help some members of society.
Wednesday 17th June 2020 09:00 GMT Mike 137
"Some of the programming blunders..."
Thank you Shaun - thank you a thousand times! It's about time we all faced up to the fact that that's just what "exploitable bugs" are - no more, no less.
Until software development becomes a genuine engineering discipline with formally ratified standards and an expectation of their universal application by qualified practitioners, we'll never have safe, or even adequate IT systems. Every other branch of engineering demands this - even plumbing.
Thursday 18th June 2020 12:27 GMT P. Lee
Re: "Some of the programming blunders..."
>Every other branch of engineering demands this - even plumbing.
I suspect plumbers make more money than programmers.
The attack surface is always going to be a problem. It is why you want a tunnel VPN rather than expose every service. A VPN stack has one function which all users have an interest in, not just IoT makers. Hence, it is likely to be better quality and have fewer bugs.
We also need better firewall mechanisms. Something like a JSON description of requirements a phone can take a picture of and use to program even rubbish little home routers.
Wednesday 17th June 2020 09:27 GMT batfink
How many of these things actually have a mechanism for firmware updates?
Ok, so your Samsung TV probably has a facility for firmware updates, and Samsung probably have servers to do the pushing. But what about the other tat? Baby monitors? Lightbulbs? "Security" cameras? Doorbells?
Not to mention access - baked-in admin passwords? Or if not, do they rely on the user not having changed the admin password? Either way, you're in trouble.
Wednesday 17th June 2020 14:10 GMT BenDwire
Re: How many of these things actually have a mechanism for firmware updates?
My Samsung TV still can't use iPlayer, despite it being supported. Even the support department have run out of ideas.
On the plus side all my smart lightbulbs have nice fresh firmware - I replaced it with Tasmota, which allows cloud-free operation behind a nice secure firewall. I'm guessing that's not what the IoT vendors were hoping for ...
Wednesday 17th June 2020 17:45 GMT doublelayer
Re: How many of these things actually have a mechanism for firmware updates?
>> your Samsung TV probably has a facility for firmware updates, and Samsung probably have servers to do the pushing
> But do they have the intention to update anything but their latest kit?...
I can say from experience that they do update older devices. Just a couple weeks ago, a family member asked for my help to update the firmware on a six year old TV from Samsung, and I found firmware for it that is only two weeks old. Of course, this firmware has exactly the same problem that caused them to want to update it, and appears functionally the same in every respect including most of the version number. There is no change log or anything, so it's possible that the server just picks a random date and slaps it on. This seems to be a frequent model for making and releasing firmware updates. Nobody seems to know what it does differently from the last version, but the number's higher so it must do something.
Wednesday 17th June 2020 17:53 GMT doublelayer
Re: How many of these things actually have a mechanism for firmware updates?
Usually, they go with one of the following models:
1. There is a firmware update mechanism that operates online, either directly if the device has network connectivity or through a phone app if not. You never get told what update you're installing, what it does, what it fixes, or even when such an update is occurring. Either the code just changes randomly, or you get an update button with no additional context.
2. Any firmware updates are published on the manufacturer's website. Sometimes, your product is a rebadged thing, so you have to look for a model number that's not your model number. If you finally navigate that maze, there's a 90% chance that the last firmware file is one you already have. If it's not, you can download a blob which can be uploaded to your device in some way that is not clearly explained. This will have a higher version number or sometimes a completely mutilated one, but no information on what it does. Check whether your device has a card slot, USB port, or a firmware update page on the internal HTTP server. When you provide this blob to your device, it will go unresponsive for thirty seconds while it looks at it. If it doesn't like it, it will brick itself. Then the file will be verified several times to make it hard to put your own firmware in. Then the device will restart. Then the device will see a firmware update file on your USB disk and start the update procedure again...
Wednesday 17th June 2020 10:14 GMT TeeCee
There I was thinking that the real risk was my IoT fridge becoming prematurely obsolete[1]. Turns out that some miscreant resetting the freezer temperature to something likely to promote bacterial growth is the real danger.
Turns out we need a "Montezuma's Revenge" icon. Who knew?
[1] aka Last week's scare story to sell Which? subscriptions.
Wednesday 17th June 2020 13:13 GMT Cynic_999
Details needed
Pity there are no details of the bugs in question. I'd like to know whether or not such bugs would be exploitable over a NAT router, which is how most IoT devices would connect to the Internet. (NAT routers have to modify the IP and TCP or UDP headers of all packets, and so may well not pass whatever malformation is required to exploit the bug).
Wednesday 17th June 2020 19:21 GMT It's just me
Re: Details needed
On the JSOF site they have a video of them exploiting the flaw against an HP printer, a UPS, a smart light, a Digi board and a medical pump. According to the messages displayed during the exploit the devices were behind a NAT and the exploit was delivered in DNS replies from a malicious DNS server. Other methods mentioned in their "Risk Evaluation and Mitigations" include fragmented packets, broadcast & multicast traffic and ICMP.
Wednesday 17th June 2020 23:07 GMT Anonymous Coward
lol
VLAN and a properly configured firewall.
I have several VLANs at home. There's THINGS (802.1Q tag: 15) for the usual IoT stuff and there's SEWER (Tag: 16) for stuff that scares me even more. SERVERS, LAN, MANAGEMENT, PHONES and a few others are obvious, along with DMZ, DMZ2 and more. There's also a ROFLCOPTER VLAN (tag: 22). That's for the wife and her laptop. Her laptop sports Arch Linux and has done for about eight years now.
Anyone who wants to improve their sysadmin fu should try to please their SO first (lol, fnar). If you want to play with IoT and Home Automation etc then get it approved by the Boss. Think you can do Internets? Ask the Boss. Want to mess around with web proxies and MitM? Get the Boss to test the end experience.
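The two ideas above, P. Lee's "JSON description of requirements" that something could turn into router rules, and the VLAN-plus-firewall setup in this comment, fit together. Here is an added example that does exactly that: it is not code from either commenter, from JSOF or from any vendor. The JSON layout is invented for the example (the standardised form of the same idea is RFC 8520, Manufacturer Usage Description), and the interface names (vlan15, vlan10, eth0), the 192.168.15.0/24 subnet, the resolver at 192.168.15.1 and the 203.0.113.10 endpoint are constructed sample values. The generated nftables ruleset confines the IoT VLAN the way the comment describes: devices may answer the trusted LAN but never initiate toward it, may only reach the endpoints they are listed for, may only resolve names via the router's own forwarder (so a rogue upstream resolver cannot hand them crafted replies), and receive no forwarded ICMP.

```python
"""Render a JSON 'requirements' document for an IoT VLAN as an nftables ruleset.

Added example, not code from the thread or from any vendor. The JSON layout,
interface names and addresses are invented for illustration; the standardised
form of the same idea is RFC 8520 (Manufacturer Usage Description).
"""
import ipaddress
import json

# Constructed sample document: what a vendor or the owner could publish for
# the devices on the THINGS VLAN (802.1Q tag 15 in the comment above).
SAMPLE_REQUIREMENTS = json.dumps({
    "vlan": {"iface": "vlan15", "net": "192.168.15.0/24"},
    "lan": {"iface": "vlan10"},
    "wan": {"iface": "eth0"},
    "resolver": "192.168.15.1",          # the router's own DNS forwarder
    "devices": [
        {"name": "bulb-kitchen", "addr": "192.168.15.20",
         "allow": [{"proto": "tcp", "dst": "203.0.113.10", "port": 8883}]},
        {"name": "printer", "addr": "192.168.15.30", "allow": []},
    ],
})

ALLOWED_PROTOS = ("tcp", "udp")


def _validate(req: dict) -> None:
    """Reject documents that would silently produce useless or over-broad rules."""
    net = ipaddress.ip_network(req["vlan"]["net"], strict=True)
    if ipaddress.ip_address(req["resolver"]) not in net:
        raise ValueError("resolver must live on the IoT VLAN")
    for dev in req["devices"]:
        # An address outside the VLAN would yield a rule that never matches.
        if ipaddress.ip_address(dev["addr"]) not in net:
            raise ValueError(f"{dev['name']}: address not in {net}")
        for rule in dev["allow"]:
            if rule["proto"] not in ALLOWED_PROTOS:
                raise ValueError(f"{dev['name']}: unsupported proto {rule['proto']!r}")
            ipaddress.ip_address(rule["dst"])  # raises on garbage
            if not 1 <= int(rule["port"]) <= 65535:
                raise ValueError(f"{dev['name']}: bad port {rule['port']}")


def render_ruleset(doc: str) -> str:
    """Return nft(8) ruleset text: IoT devices may answer the trusted LAN and
    reach only their listed endpoints; nothing else leaves the IoT VLAN."""
    req = json.loads(doc)
    _validate(req)
    iot, lan, wan = req["vlan"]["iface"], req["lan"]["iface"], req["wan"]["iface"]
    net, resolver = req["vlan"]["net"], req["resolver"]

    fwd = [
        # No ICMP of any kind is forwarded into the IoT VLAN. This includes
        # ICMP errors, so path-MTU discovery will not work for those devices.
        f'oifname "{iot}" meta l4proto {{ icmp, ipv6-icmp }} drop',
        "ct state established,related accept",
        # IoT devices never initiate anything toward the trusted LAN ...
        f'iifname "{iot}" oifname "{lan}" drop',
        # ... but the LAN may manage them.
        f'iifname "{lan}" oifname "{iot}" accept',
    ]
    for dev in req["devices"]:
        for r in dev["allow"]:
            fwd.append(
                f'iifname "{iot}" oifname "{wan}" ip saddr {dev["addr"]} '
                f'ip daddr {r["dst"]} {r["proto"]} dport {r["port"]} '
                f'accept comment "{dev["name"]}"'
            )
    inp = [
        "ct state established,related accept",
        'iifname "lo" accept',
        # Only the router's own forwarder answers DNS for the IoT VLAN.
        f'iifname "{iot}" ip saddr {net} ip daddr {resolver} udp dport 53 accept',
        f'iifname "{iot}" ip saddr {net} ip daddr {resolver} tcp dport 53 accept',
        f'iifname "{iot}" udp dport 67 accept',  # DHCP
        f'iifname "{lan}" accept',
    ]

    def chain(name: str, hook: str, rules: list) -> str:
        body = "\n".join(f"        {r}" for r in rules)
        return (f"    chain {name} {{\n"
                f"        type filter hook {hook} priority filter; policy drop;\n"
                f"{body}\n    }}")

    return ("table inet iot_policy {\n"
            + chain("forward", "forward", fwd) + "\n"
            + chain("input", "input", inp) + "\n}\n")


if __name__ == "__main__":
    print(render_ruleset(SAMPLE_REQUIREMENTS))
```

The printer entry has an empty allow list, so it gets no outbound rule at all and falls to the chain's drop policy; anything it tries to reach on its own stays on its VLAN. Fragment filtering is deliberately not attempted here: with connection tracking loaded, Linux reassembles IP fragments before the forward hook and re-fragments on egress, so a fragment match in that chain would never fire.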
Thursday 18th June 2020 11:22 GMT Anonymous Coward
MIB for devices
There is a mandatory requirement for cars to have insurance. If an accident happens with an uninsured vehicle, an industry fund, the MIB, picks up the tab.
Perhaps there should be a mandatory insurance scheme for vendors of electronic equipment to pay into. It could operate similarly to the Green Dot scheme for recycling, where a portion of revenue goes to the fund?
For devices registered as above a threshold of importance/criticality, should the manufacturer be unable to remedy in a sufficiently prompt manner, the fund should be available to pay for the costs of updating said devices - also for companies that have gone bust, or closed, etc.
Allow the fund to recoup costs from vendors, etc.
Friday 19th June 2020 01:40 GMT RLWatkins
Quick solution:
Stop connecting all your damn "Things" to the Internet.
Have yourself a network-of-things instead, monitor it with your own computer, and if you need to ask your computer what or how they're doing, then do that using secure communications via the Internet.
Try to remember that the people who decided we should call networks-of-things "The Internet of Things" are all data-collection companies who'd *love* for you to connect all your things to the Internet so they can snoop on them.
Don't let them get away with it. Hell is already full....
Sunday 5th July 2020 21:25 GMT Anonymous Coward
Phil Knight Re-Written -- JUST DON'T DO IT!!!!!
@RLWatkins
*
....or don't buy that IoT light bulb. Just use the wall switch. And if you are away from home....why are you worried about the light bulb anyway?
*
....or about opening/starting your BMW with your smartphone? What was so bad about that old-fashioned metal key?
*
....or Alexa? Do you really want Amazon to record everything you utter?
*
.....and so on.......