Username: Admin, password: Test
April 9, 2017 11:05 AM   Subscribe

Rash of in-the-wild attacks permanently destroys poorly secured IoT devices - which may actually be for the best if your dishwasher's webserver has unpatched vulnerabilities or your garage door opener is run by a troll.
posted by Artw (72 comments total) 26 users marked this as a favorite
 
More fun at the Internet of Shit Twitter account.
posted by Artw at 11:08 AM on April 9, 2017 [8 favorites]


As a software developer for a startup, the idea of having basic functionality of my home controlled by software from a startup is horrifying. "Move fast and break things" is different when it fucks with your own house.
posted by idiopath at 11:15 AM on April 9, 2017 [27 favorites]


Not really surprised at this. Until IPS software is running on most residential gateways the ability to police all the crappy IoT devices appearing on the internet is basically zero.
posted by vuron at 11:18 AM on April 9, 2017 [1 favorite]


The IoT is turning into a textbook illustration of "Just because you can doesn't mean you should."
posted by Thorzdad at 11:18 AM on April 9, 2017 [23 favorites]


I keep thinking about the Season 2 opener of Mr. Robot where an entire apartment gets hacked and it drives the home owner insane.
posted by Fizz at 11:22 AM on April 9, 2017 [3 favorites]


There's a reason why I follow @mikko and you should to. He's probably hiding a smirk somewhere in the back of the room.
posted by infini at 11:23 AM on April 9, 2017 [3 favorites]


Internet of Cows
posted by thelonius at 11:28 AM on April 9, 2017 [2 favorites]


I am not even sure that I understand the point of a networked dishwasher. Why would you need to do something with your dishwasher when you weren't home? I'm genuinely perplexed!
posted by ArbitraryAndCapricious at 11:28 AM on April 9, 2017 [7 favorites]


I am not even sure that I understand the point of a networked dishwasher.

To keep the networked toaster company?
posted by Thorzdad at 11:37 AM on April 9, 2017 [20 favorites]


It became necessary to destroy the IoT [in order] to save it.
posted by glonous keming at 11:38 AM on April 9, 2017 [1 favorite]


I am all about the IOT.

I would love to be able to start the heater or AC in my car when I'm stepping out of the shower in the morning or at the end of the day when my train is ten minutes out of the station -- great to have your car a cozy 72 when you sit down in the driver seat.

I would love for my staples to come with RFID and my fridge and cabinetry to be weight sensing and the groceries are on auto-refresh.

It would be nice, if not as life changing, for the dishwasher to ping my iPad when a spoon has slipped down and blocked the rotating wash arm.
posted by MattD at 11:39 AM on April 9, 2017 [1 favorite]


To keep the networked toaster company?
Is a networked toaster really a thing? Because if so, that's kind of spectacular.
posted by ArbitraryAndCapricious at 11:40 AM on April 9, 2017 [1 favorite]


First steps towards the Maker Wars of The Diamond Age, with electrons instead of nanobots.
posted by Johnny Wallflower at 11:41 AM on April 9, 2017 [1 favorite]


Couldn't you prevent these sorts of problems simply by ensuring your home network has a firewall?
posted by My Dad at 11:42 AM on April 9, 2017


It would be nice, if not as life changing, for the dishwasher to ping my iPad when a spoon has slipped down and blocked the rotating wash arm.

What kind of dishwasher do you have where this happens often enough for it to be life-changing to be notified about it? oO
posted by hippybear at 11:44 AM on April 9, 2017 [5 favorites]


A manual one probably.
posted by peeedro at 11:45 AM on April 9, 2017 [1 favorite]


Is a networked toaster really a thing? Because if so, that's kind of spectacular.

Not only networked but addicted and craving for happy emotions.
“The Addicted Toaster has a built-in Ethernet port through which it connects to a network of its peers (other smart toasters) via the internet. Through this network, hopeful users can apply to host a toaster, which will be theirs for as long as they keep it happy. The toaster can sense when other toasters in the network are being used by their hosts, which can result feelings of jealousy and contribute to overall discontent.”
posted by Fizz at 11:48 AM on April 9, 2017 [6 favorites]


Firewall won't ensure connectivity to API servers or make sure that people have their certificates updated.

To paraphrase Patton Oswalt, "IoT: all about coulda, not about shoulda."
posted by fifteen schnitzengruben is my limit at 11:48 AM on April 9, 2017 [4 favorites]


Segregate your networks.
Avoid IoT in mission critical appliances.
Don't put cameras or microphones in places you wouldn't want recorded and distributed.
posted by blue_beetle at 11:51 AM on April 9, 2017 [2 favorites]


IoT: The 'S' is for "Secure"!
posted by Horselover Fat at 11:58 AM on April 9, 2017 [46 favorites]




This connected vibrator's camera is disturbingly easy to hack
I have so many questions that I don't even know where to begin.
posted by ArbitraryAndCapricious at 12:10 PM on April 9, 2017 [5 favorites]


This connected vibrator's camera is disturbingly easy to hack

Okay, so what makes this different than Bluetooth, a way way way older technology that is also, by default, "open." Go to any mall food court, or whatever, and use your smartphone to discover Bluetooth devices.

In the case of this vibrator, the hack depends on WiFi proximity, which seems like a reasonable threat if you happen to live in an apartment building. But it also depends on whether or not someone who is both motivated and knows how to hack your vibrator being close by. It's not an unlikely threat scenario, but that doesn't make it a likely threat scenario.

As usual, while the Internet of Shit meme is amusing, it's gotten boring to talk about the most common threats out there, such as making sure your iCloud account with your sexy snaps is secured with a relatively strong password. Or ensuring you know how to recognize a phishing attack asking for your iCloud password. Etc.
posted by My Dad at 12:16 PM on April 9, 2017


Customers should not have to be geeks or IT managers to safely run IoT devices, or to presume they're secure, or presume they don't do things you wouldn't expect a device to do.

For example, you should not be able to turn on your new vibrator until you have been forced to change your user and password. Or the device gives you a genuinely random passkey which you have to manually input to get it going. In an ideal world, the device would be able to determine something about its environment (maybe a combination of inputs from cheap sensor chips) as a seed (or something like that).

The packaging should list all information the device collects and software its running. Based on that, there should be a regulated warning box which has bullet points about potential vectors and how to thwart them.

IoT devices by default should not be able to do much outgoing connectivity, especially things like connecting to remote locations, unless it's a specific feature of the device. And even then, I think you should have to manually register those locations.

Finally, devices should still be able to operate as the non-IoT thing they "disrupt". A thermostat should still be able to control a furnace if its networking is gone.

Until these things happen, it's not boring to talk about them, as unless they're talked about, nothing will ever happen.
posted by maxwelton at 12:31 PM on April 9, 2017 [14 favorites]


Finally, devices should still be able to operate as the non-IoT thing they "disrupt".

This. It's looking all but inevitable that, in the near future, it's going to be impossible to buy appliances that don't include some sort of connectivity. But, if they make the operation of the products impossible without being connected, it's war.
posted by Thorzdad at 12:37 PM on April 9, 2017 [11 favorites]


I am not even sure that I understand the point of a networked dishwasher.

To keep the networked toaster company?


Now I'm reminded of the Old World Blues section of Fallout: New Vegas where the light switches snark about each other.
posted by dirigibleman at 12:42 PM on April 9, 2017 [4 favorites]


But, if they make the operation of the products impossible without being connected, it's war.

Or farming!
posted by Artw at 12:49 PM on April 9, 2017


We spend millions on dishwashers that are whisper-silent, and you want one that can potentially yell at you from the other side of the world? I even turn my microwave buzzer off because don't call ME, I'll call YOU.
posted by RobotVoodooPower at 12:51 PM on April 9, 2017 [5 favorites]


While it'd be neat watching my bread become toast via streaming video on my phone, I can't see myself ever using the connectivity in one of these appliances. If it's required I'll look for another model. If they all have something like that I guess it's time for thrift stores/etc. I have enough devices clogging up my wifi network already.
posted by downtohisturtles at 1:02 PM on April 9, 2017


I am not even sure that I understand the point of a networked dishwasher. Why would you need to do something with your dishwasher when you weren't home? I'm genuinely perplexed!

The dishwasher in question is the Miele Professional PG 8528 Laboratory Glassware Washer. It's networked so it can log sanitation information in process documentation software.
posted by zamboni at 1:03 PM on April 9, 2017 [10 favorites]


I would rather use a three stone fire than anything in the kitchen branded Miele.

They have the most top down control freak design approach to home appliances. I was guesting in an apartment with a full Miele kitchen a few years ago and had to turn every appliance's beeping and booping off because WTF runs this kitchen, now, me or inanimate hardware meant to simplify my life rather than control my actions. *steam*

I don't care if the mug is still in the microwave 30 seconds later. Deal with it you stupid box of wires... I'll show up after I hit "publish"
posted by infini at 2:10 PM on April 9, 2017 [11 favorites]


Is a networked toaster really a thing? Because if so, that's kind of spectacular.

Maybe it's a Talkie Toaster.
posted by jabah at 2:22 PM on April 9, 2017 [4 favorites]


Couldn't you prevent these sorts of problems simply by ensuring your home network has a firewall?

Yes, certainly, assuming you chose a quality firewall, installed it yourself with all the correct configurations options, you did compile the firewall software on a secure system after validating checksums and reviewing the code yourself, right?

Ah sorry, the techno sarcastic irony could go on for paragraphs and yes a firewall is great but just having code running on a device that connects to some sever out there for updates or better (worse) interactivity even over https, provides vectors for infection.

Security is hard. There is NO absolute security, not firewall, not at the Pentagon, not at that super secure code name lab that I was.... ooo skip that... it's all a balance of features against problems. Problems that often no one can fully imagine, it was a botnet on lightbulbs that brought down a chunk of the internet a few months ago, lightbulbs!

Device companies are so far terrible, they want to sell a unit and no one will buy web cams, baby cams, any device that takes even trivial configuration let alone good or even trivial configuration. (just change the passwords folks) So the IoT hardware makers have not just no reason to implement quantity software while getting out the newest whizbang at an offshore (china) factory in the shortest possible time but NEGATIVE impetus to add security as it'll destroy profits.
posted by sammyo at 3:26 PM on April 9, 2017 [2 favorites]


Back in the seventies, while working for the second personal computer company - IMSAI (you don't want to know,) at lunch we were discussing the future of the microprocessor. I proclaimed that the PC revolution will be over when you can get a toaster with a microprocessor in it. Hmmmm... Maybe I was unto something then?
posted by njohnson23 at 3:30 PM on April 9, 2017 [2 favorites]


In the case of this vibrator, the hack depends on WiFi proximity, which seems like a reasonable threat if you happen to live in an apartment building. But it also depends on whether or not someone who is both motivated and knows how to hack your vibrator being close by. It's not an unlikely threat scenario, but that doesn't make it a likely threat scenario.

or until someone writes a worm to automatically scan for and exploit other vulnerable devices from compromised TVs or printers or whatever.
posted by indubitable at 3:42 PM on April 9, 2017 [1 favorite]


MetaFilter: I'll show up after I hit "publish"
posted by Johnny Wallflower at 3:47 PM on April 9, 2017 [4 favorites]


In the case of this vibrator, the hack depends on WiFi proximity, which seems like a reasonable threat if you happen to live in an apartment building. But it also depends on whether or not someone who is both motivated and knows how to hack your vibrator being close by. It's not an unlikely threat scenario, but that doesn't make it a likely threat scenario.
I took a microcontroller, GPS, Wi-Fi, Battery, and storage and got it down to a form factor that would fit on a cat collar. I sent the cat wandering around Washington DC doing Wi-Fi Scanning for me. The product worked, the talk was very successful and soon people were asking me to make these things—so I created WarCollar Industries.
WarCollar founder Gene Bransfield

There's an industry building appliances that seek out and catalog vulnerable devices within a neighborhood. Wardriving is a currently active threat scenario. Are they looking specifically for dildo-mounted cameras? Probably not. But the existence of that device is likely to be discovered, logged, and opportunistically exploited. Given that wardriving has been around as long as WiFi, it's pretty irresponsible for a device to ship so easily exploited.
posted by CBrachyrhynchos at 5:09 PM on April 9, 2017 [6 favorites]


We installed a couple of stupefyingly expense digital audio mixers a few years ago and our IT people were firmly insistent that they be networked because they could be. Their argument was that if the systems were on the network they'd be able to detect any malicious traffic and alert us. It literally never occurred to them that an air gap was a secure option.
posted by the duck by the oboe at 5:15 PM on April 9, 2017 [12 favorites]


Not really surprised at this. Until IPS software is running on most residential gateways the ability to police all the crappy IoT devices appearing on the internet is basically zero.
posted by straight at 5:38 PM on April 9, 2017


This. It's looking all but inevitable that, in the near future, it's going to be impossible to buy appliances that don't include some sort of connectivity. But, if they make the operation of the products impossible without being connected, it's war.

I have heard it is already difficult to buy a TV that is not a "Smart TV".
posted by thelonius at 6:47 PM on April 9, 2017


Love my 9 year old tv and 25 year old stereo. Pls don't make me upgrade
posted by Existential Dread at 6:53 PM on April 9, 2017 [2 favorites]


If you bought a dishwasher that is susceptible to goatse and meatspin then you deserve to have cloudy wine glasses.
posted by turbid dahlia at 7:25 PM on April 9, 2017 [3 favorites]




I always thought IoT was a setup for a Pixar movie.
posted by yueliang at 8:17 PM on April 9, 2017 [2 favorites]


Apparently the Dallas thing was a result of an old, insecure system not a new IoT thing.

I told my friends "Please let it be a random 14-year-old and not the Russians."

They were on for a long time, too, on a clear night, causing much annoyance.
posted by emjaybee at 8:26 PM on April 9, 2017 [1 favorite]


All IoT devices go on their own VLAN with white-listed access to whatever cloud servers they need (or no access, if you don't need remote access to your dishwasher).
posted by ryanrs at 9:06 PM on April 9, 2017 [4 favorites]


Intrigued to note that the coffee machine now shows a $5 cap when you wave your credit card around it for a 50 cent cup of hot chocolate. I was bringing my own premix for the longest time because I didn't want my information in that stupid machine and it's free floating consumer data.

The more I hang out at a coworking space watching newfangled startups and their trendy ideas, the more I realize they need a Granny around to remind them of the bears in the woods and the woves in the forest.
posted by infini at 1:51 AM on April 10, 2017 [2 favorites]




In the case of this vibrator, the hack depends on WiFi proximity, which seems like a reasonable threat if you happen to live in an apartment building. But it also depends on whether or not someone who is both motivated and knows how to hack your vibrator being close by. It's not an unlikely threat scenario, but that doesn't make it a likely threat scenario.In the case of this vibrator, the hack depends on WiFi proximity, which seems like a reasonable threat if you happen to live in an apartment building. But it also depends on whether or not someone who is both motivated and knows how to hack your vibrator being close by. It's not an unlikely threat scenario, but that doesn't make it a likely threat scenario.

So, why am I seeing nothing on IRL?

(Also, I suspect for some folks this could be a feature and not a bug...)
posted by Samizdata at 3:32 AM on April 10, 2017


From the article: "The devices performing the attack were access points and wireless bridges made by Ubiquiti Networks..."

I keep wondering if this nearly-throwaway line is concealing something more. Ubiquiti devices are good - really good - and in proper hands can be quite powerful tools for controlling and monitoring a local network environment. I use and like them. Security Researcher Troy Hunt uses and likes them. But this isn't the first time I've heard them mentioned in the context of coordinated efforts to secure/disable/attack Internet of Things devices.
posted by mystyk at 5:12 AM on April 10, 2017


I would love to be able to start the heater or AC in my car when I'm stepping out of the shower in the morning or at the end of the day when my train is ten minutes out of the station -- great to have your car a cozy 72 when you sit down in the driver seat.

I'm sure that would be delightful, but it's not worth the hit to local air quality. Wear a coat or use a sun shade.

This response comes courtesy of the people waiting to load a truck in the parking space next to me at IKEA, who couldn't understand why turning off the engine when nobody's in the car might be a good idea. (And were apparently not bothered by standing around in a fume cloud themselves. I assume they're smokers.)
posted by asperity at 6:45 AM on April 10, 2017 [1 favorite]


Wardriving is a currently active threat scenario

I see what you did there...
posted by acb at 8:13 AM on April 10, 2017 [3 favorites]


I always thought IoT was a setup for a Pixar movie.

John Ratzenberger as the vibrator with the easily hacked camera.
posted by Segundus at 8:32 AM on April 10, 2017 [1 favorite]


> "Someone hacked Dallas tornado sirens last night - turning on all 156 of them near midnight.

With a couple tweaks, this is a great opening line for a novel.
posted by postcommunism at 8:49 AM on April 10, 2017 [5 favorites]


MattD: "I would love to be able to start the heater or AC in my car when I'm stepping out of the shower in the morning or at the end of the day when my train is ten minutes out of the station -- great to have your car a cozy 72 when you sit down in the driver seat."

Isn't this what remote car starters are for? I mean, these things have existed for at least 20 years, not sure why the internet needed to get involved. I mean, if you're far enough away from your car that one of those don't work, then maybe don't start your car yet?

In fact, every time I see one of these IoT and/or fancy home automation things, I can't help but think either: a) this is something that is 80-90% covered by pre-existing technology, or b) this is not something that should exist. Like, sure the Nest thermostat is slick and is supposed to "learn" your behaviors and patterns and preferences or what not. But, I have a programmable thermostat (a lot like this one, but even more primitive in that it only differentiates weekdays and weekends, not each day of the week) where you can set a target temp for when you wake up, when you leave the house, when you return, and when you go to sleep. It's basically fine. Same with programmable lights. I (and my parents before me) use one of these doo-hickeys and, granted, they'll only work for lamps plugged into a wall socket rather than, say, built-in lights (there are more complicated ones for those, though) and you have to set the schedule in advance and can't change it from afar but, again, it's mostly fine. Sure, I know a lot of this is just the crotchety oldster in me talking -- I'll cop to using VHS tapes instead of a DVR to record TV programs well into 2003 or 2004 -- but I am really having a hard time understanding why all these functions need to be internet-connected. Also, controlling ovens or toasters or other heat-generating kitchen appliances from afar? No thank you. I don't even like leaving a slow cooker alone too long which, yes, I understand is the whole point of a slow cooker.

Anyways, there is actually one IoT/smart-home function that I really wish someone could crack: I just want someone to be able to tell me what food and ingredients I have in my fridge, freezer, and cupboard when I'm not standing right in front of them. I don't even really need to know if the stuff is expired or not. I just want to know if I need to buy more garlic or popsicles or whatever when I'm at the store or when I'm on the way home to know if I need to stop at the store at all.
posted by mhum at 11:08 AM on April 10, 2017 [1 favorite]


To keep the networked toaster company?

Aww, Milton.
posted by fiercecupcake at 11:59 AM on April 10, 2017 [2 favorites]


Anyways, there is actually one IoT/smart-home function that I really wish someone could crack: I just want someone to be able to tell me what food and ingredients I have in my fridge, freezer, and cupboard when I'm not standing right in front of them.

By your own logic, you should just check that before you leave the house.
posted by fiercecupcake at 12:00 PM on April 10, 2017 [1 favorite]


I am really having a hard time understanding why all these functions need to be internet-connected.

Because recreating existing technology in a new format is (a) shinier and (b) easily monetized.
posted by Greg_Ace at 12:02 PM on April 10, 2017


Dang it, I thought this was going to be about racoons knocking outdoor security cameras off your house.
posted by bendy at 1:33 PM on April 10, 2017


fiercecupcake: "By your own logic, you should just check that before you leave the house."

lol touché

On the other hand, I don't think I could count the number of times either I or someone else I knew was in a situation where they found themselves away from their house and wanted to know "hey, we out of X or do we need to get more?" I think I can count the number of times I or someone else I knew was away from their house and thought "I sure wish I could turn on my washing machine right now."
posted by mhum at 1:52 PM on April 10, 2017


"Someone hacked Dallas tornado sirens last night - turning on all 156 of them near midnight.

With a couple tweaks, this is a great opening line for a novel.


"The air above the capital was the clamor of sirens, tuned to a vortex frequency."
posted by Johnny Wallflower at 3:48 PM on April 10, 2017 [1 favorite]


> "Someone hacked Dallas tornado sirens last night - turning on all 156 of them near midnight.

With a couple tweaks, this is a great opening line for a novel.
posted by postcommunism at 10:49 AM on April 10 [2 favorites +] [!]

And, then, the murders began.
posted by a non mouse, a cow herd at 5:06 PM on April 10, 2017 [4 favorites]


Martin,

The abusive language here and in your negative Amazon review, submitted minutes after experiencing a technical difficulty, only demonstrates your poor impulse control. I'm happy to provide the technical support to the customers on my Saturday night but I'm not going to tolerate any tantrums.

At this time your only option is to return Garadget to Amazon for refund. Your unit ID 2f0036... will be denied server connection.
This shit writes itself.
posted by ostranenie at 12:48 PM on April 11, 2017 [1 favorite]


I used to want a Wifi-enabled oven (so I could preheat on my commute home) but now I'm having visions of someone burning my house down without my knowledge, so I think I'll pass.
posted by ThePinkSuperhero at 12:49 PM on April 11, 2017 [2 favorites]


Depending on how fancy your oven is you may be able to program your it to preheat later in the day without it being connected to the internet. My last oven had a Sabbath mode that could run a user-defined program of when to turn on and off.
posted by peeedro at 4:44 PM on April 11, 2017


My last oven had a Sabbath mode

...to be used for cooking bats?
posted by Greg_Ace at 5:47 PM on April 11, 2017 [1 favorite]


Oh wait, sorry, that's Black Sabbath mode...
posted by Greg_Ace at 6:51 PM on April 11, 2017 [2 favorites]


peeedro: "Depending on how fancy your oven is you may be able to program your it to preheat later in the day without it being connected to the internet."

Practically all (I'd say all but somebody probably made one for school dorms or something with no clock, I've never seen one though and I have seen ranges with no oven glass or drawer) ovens produced since WWII have a timer that will turn the oven on and off at a preset time.
posted by Mitheral at 10:10 PM on April 11, 2017


(And were apparently not bothered by standing around in a fume cloud themselves. I assume they're smokers.)

They're probably not smokers but would complain to people smoking outside about second hand smoke anyways. (Ask me how many times someone has complained as they walked by me right next to a car filled road/highway.)
posted by LizBoBiz at 1:02 PM on April 12, 2017 [1 favorite]


I once had someone in a covered bus depot full of idling diesel engines comment to me about me smoking a cigarette. The complaint about smoking isn't about the smoke. It's about the cultural animus surrounding it.
posted by hippybear at 2:58 AM on April 13, 2017 [3 favorites]






« Older "What I've tried to do with my work is eliminate...   |   “He really just prefers butter for a number of... Newer »


This thread has been archived and is closed to new comments