The Nightmare on Connected Home Street

From: Rod-Lists 
------------------------------------------------------
This could be so true! That strawbale house is looking better all the time.
Francis McDonald built a 3 story one in North chatt.
http://www.wired.com/2014/06/the-nightmare-on-connected-home-street/

=============================================================== From: Mike Harrison ------------------------------------------------------ Hilarious. Thanks, I needed that reminder.

=============================================================== From: Stephen Kraus ------------------------------------------------------ Shouldn't this be called "The Nightmare on Default Password Street?"

=============================================================== From: Rod-Lists ------------------------------------------------------ Have you seen the security presentations on IP cameras? ----- Stephen Kraus wrote:

=============================================================== From: Mike Harrison ------------------------------------------------------ Yep, I have one of the hacked/hackable Chinese IP Cam=92s. But it=92s = out on the street, monitoring the traffic in the neighborhood.=20 It watches public space and uploads images to an almost public (password = required). It takes over 300 pictures a day.=20 And there are others that monitor the house, and when needed, the inside = of the house.=20 Specifically leave the inside the house ones off when we are home, I = have their remote monitoring turned off, they send emails with pics.=20 Assume anything with a remote monitoring/access portal/capability is = compromised.=20 Side note: For outside use: unless the camera is good enough to read = license plates, it=92s worthless. =97 Every time I see a light bulb, home appliance, home energy system.. = etc.. that can be controlled, and often can only be controlled, by an = Android or iOS application, I cringe at the short lived nature of these = things for the average consumer.=20

=============================================================== From: Andrew Rodgers ------------------------------------------------------ Behind every Android or iOS app is an api... :) =E1=90=A7 Andrew Rodgers GIGTANK 2014 Technologist-in-Residence 256-508-7610 =E2=80=99s out on r he

=============================================================== From: Rod-Lists ------------------------------------------------------ What shocked me is even the pricey corporate type ones were compromised. http://www.youtube.com/watch?v=B8DjTcANBx0 ----- Mike Harrison wrote:

=============================================================== From: Mike Harrison ------------------------------------------------------ compromised. Actually, the pricey corporate bespoke anything technical is usually = worse than anything else on the market.=20 Often on purpose.=20 Acme Consumer Support:=20 I=92m sorry, your $39.00 widget is considered =93yours=94, we can = send you a new one for $39, or you can download a new image and install = it yourself, wiping to defaults in the process.=20 Big Acme Corporate Support: Yes sir, we can update your $5,000 widget with the $750 cogs module = for you from remote, we just need an Amex card and/or sign our = maintenance agreement. That=92s why you chose Big Acme, because we = support our customers (that buy our crappy overmarketed/overhyped = gear/software). How do you think they can perform that support?=20 Both scenarios are valid. I make a living off the second one.

=============================================================== From: Andrew Rodgers ------------------------------------------------------ The most I've played in this space has been either custom stuff on Raspberry Pi/Arduino/BeagleBone or this stuff: http://www.ubnt.com/mfi Which I must say, if you want an easy to use 120v line controller, it's a package that's hard to beat. Not a huge fan of their management platform, but that's why I started this: https://github.com/acedrew/ubnt-mfi-py If you lock access down to port 22, it's as secure as any passworded ssh connection, and I know busybox supports key based, but haven't got around to implementing setup in my config scripts yet. I have far more experience on the industrial side of this, which is even more scary at times. =E1=90=A7 Andrew Rodgers GIGTANK 2014 Technologist-in-Residence 256-508-7610 . e =80=9D, we can send you a customers

=============================================================== From: Ed King ------------------------------------------------------ Have you seen the security presentations on IP cameras? I've been monitoring someone's home cam since last December. Now before you call me a voyeuristic psycho, let me tell ya how I found this camera. Within minutes of setting up a seconday driveway monitor last December, I noticed a strange IP in my logs. I geoip'd it to Connecticut. I put that IP in a webbrowser and voila. There's a password on the config menu, but the camera itself is wide open. So maybe that person WANTS to be monitored? Like that 2002 movie My Little Eye. Yeah.

=============================================================== From: Dan Lyke ------------------------------------------------------ On Sat, 14 Jun 2014 23:51:22 -0400 Stephen Kraus wrote: So I recently saw a situation where a certain brand of modem was participating in some reflection attacks. This attack involved firmware that shouldn't have been listening and participating on a particular port, but had absolutely nothing to do with default passwords. Users didn't know, indeed couldn't know, except that their upstream bandwidth was disappearing somewhere on the far side of their CPE, the ISP only figured it out when a user called to complain, unplugged all of their devices from the CPE, and there was still choking traffic. There are plenty of similar exploits out there that are endemic to bad practices in the devices, not user practices. Sure, some bugs are users allowing the wrong executable to run, but far too many of them are flat out buggy firmware, wrong practices that allow devices to become exploited. These days the battle is a race between the hardware vendors and the exploiters, with the users on the sidelines. And it isn't at all clear that the hardware vendors are the stronger participants.

=============================================================== From: Dave Brockman ------------------------------------------------------ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Was this customer supplied or ISP supplied CPE? If you're talking about the SOHO "Router" Market, the hardware vendors aren't even participating, except when they play the role of exploiter with undocumented back doors. We'll be nice and assume leaving NTP/DNS open on the "outside" was an oversight, not malicious. If you want real network hardware, with some semblance of QA or at least enough people working on it for enough years to weed out the stupid shit, you aren't going to find it in sub $100 CPE. Unless you 100% build (and configure) it yourself. The exploiters have known this for years. The hardware guys do shit like the Sercomm/32764 "fix". I rest my case. Regards, dtb - -- "Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTndkMAAoJEMP+wtEOVbcdDL4IAI5xKvmR2wjmp/QCxoVaBfdW 2pzflxYhSf6QLRQddY6L4UQ8EAgoZkHN3/0ssQc1qsEhHdJiUEe0wJtSwOGI8nCg A5t1Y4L0dS44iY95tj+/0wjX2Nas8EEj4pgemWQJnIguNejp5KC50R6KVjJS57BI SgP7+a82Hu5DyOkD/biaboAgQdOXhnDt2T9HBisF0bVBCzVLkdFrqgAJ2J6g6jkY 1SEfPxNJzDMalQuz7nBn8eZpwRWyv9MaLexl+bmB9jLbIi1qxwiQeTGnRw1//u+6 WJ2WDu48pULzbOSNSIB+FbP6b/Gr8vKoyruGPe+Sjm28DkNY7vVgYl8nfi8tvrQ= =MxaZ -----END PGP SIGNATURE-----

=============================================================== From: Dave Brockman ------------------------------------------------------ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All I'm going to say is, (the generic) you/ya'll can put whatever you want on the public Net. Myself, I'm going to continue building my encrypted tunneled Net on the Net and only deal with devices that are managed directly. Remember, the Internet is just a network of networks, can be a gateway to other networks and as I choose to use it, a transport layer for other networks. This blind abstraction of every bit beyond your CPE is some mysterious mass of condensed vapor is the world's largest cup of Kool-Aid, and everyone's thirsty. The Internet has never been a more hostile place, don't let images of smiling clouds lull or fool you for one second. Regards, dtb - -- "Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTnduNAAoJEMP+wtEOVbcd9KUH/iKlNj0xfFFzwgZt3PsfX9Tp TIH0QJN29i/jduQkAoKJ7lz6V9RfdqhcwpKiQXhGvGm89QWU+taXSN/pwNCfmTzu Nw7HQlI66Gl4O3h5WFrwFSsd7G179+opR1bNtPWOQO8X+61GQtHW8oZbnao2kmH0 piyJHVzziufngRdBihRSd222mpxpMhjuasKEkIDxAQHnhG7Hns0B7gYqSzFS5J3F DUzttwCnO0iuKcvYniU9dkrsU7YxFK2CzcW+LrsBx2iAfyw445P43ZN3/k9ONuJr FYsTKtJlyZ7c+1ZPU18mwfYLbOr/RGI7g+dPLz9gyYpeDQdv5SmQYcvAgy4sF14= =32Y9 -----END PGP SIGNATURE-----

=============================================================== From: Dan Lyke ------------------------------------------------------ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sun, 15 Jun 2014 13:34:04 -0400 Dave Brockman wrote: ISP supplied. There was eventually a rolling firmware upgrade via TR-O69. Pretty much any consumer device. Cameras. NAS. Home Automation... Dan -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJTneNkAAoJEAvds6IeGLPDM5oH/2xCDyt2BdOez5TvlIt22R/M NLceQenK5h9ac5WYlxJOfQk04uzCqvHf/mUZsiFj3hg/hP3WF2kc2C4tjgHMvEwg HHDdM1f4eVHWwYdjUd4WT81aR+zW17mmdmuqoQyghvZkUTURd2ht4/i0COf9rhyJ MFO1hUIRQaJup66mumZ3TUvBlZTzOAmPqBkf19DLlC9mx6R7Mu48jFJQ/SC8bZ09 5rMA3sX8s3hRxefpRv2XWNUfIHGCDF6OHMpX91Vw198lRY8oLVJWcgFnkj+CPmRy 7ZWgakacaUmYUrXdKUILUh3PgGymVLHmWxWmAbLwQHADRX8POt+yL7pUZ/bMzVE= =Bhu3 -----END PGP SIGNATURE-----