A reprint from the PC410 Security Newsletter:
Don’t be somebody else’s guinea pig. There’s a reason that the latest and greatest widget is called the leading edge, or sometimes the bleeding edge of technology. If it still has rough corners, somebody’s gonna bleed. New technology isn’t particularly polished, compatible, or cheap. So configuration costs are high, and there can be a longer-than-normal list of “While we’re doing this, we really should upgrade that.” items.
The Amazon Echo and Google Home devices live in your home and can do things for you, like playing music, or ordering, well, dollhouses. A San Diego TV station said these magic words on television in a news report:”Alexa order me a dollhouse”, and multiple Amazon Echo boxes heard that broadcast and obeyed, by ordering a dollhouse.
And then there was the Google advertisement for Google Home during the Superbowl. Early adopters of the new Google gadget found that when the television said the “OK Google” trigger phrase, their Gooogle Home device woke up. Fortunately, it was not dollhouse-enabled, and didn’t place any dollhouse orders.
Any science-fiction reader knows that voice-controlled whole-house computers are on the way, that they will use voice recognition to only allow commands from a specific individual, and have a special command to say ‘Make it so’. In Robert Heinlein’s books, commands had to end with “I tell you three times.” Clearly, we haven’t reached the competence level of science fiction from 1980.
The Internet of (Stupid) Things
There are a lot of cheap security cameras and so-called ‘smart’ light bulbs available now. Theses devices ‘connect to your cell phone’ and let you control them. Warning flag there–they connect to the internet in order to trade information with a central server, and accept outside instructions to control them, relayed from your cell phone, and possibly any other system that knows the sometimes-obvious default password, which is generally ‘1234′.
In the past year, there have been incidents like these:
- The largest web site attacks ever seen were accomplished by taking over security camera video recorders (network DVRs), telling millions of them to attack a single site and take it down. As over 80 brands of security DVRs are made by just one company in China, and they share the same settings, and passwords like “123456”, they’re trivial to find online and then turn into attack ‘bots.
- Some purchasers of video baby monitors were surprised to find that their baby monitors showed someone else’s nursery. There were some basic security flaws that didn’t account for two monitors on one account, or monitors returned as unwanted needing to be reset to factory defaults.
For many of these products, there is no way to contact the purchasers with a fix, and no way for purchasers to contact the manufacturer; a no-name product means no updates, no notices of security issues, and no fixes.