
Russia: Hidden chips 'launch spam attacks from irons' - mikecane
http://www.bbc.co.uk/news/blogs-news-from-elsewhere-24707337
======
ChuckMcM
This is pretty funny. I doubt its authenticity but confess that when I worked
at Intel (a looooooooooong time ago) and Andy Grove suggested there would be
an 8086 in every Toaster I thought he was nuts, because the minimum system was
about 4 sq inches (I had one as a demo board Intel sold) and who would want a
CPU in a toaster anyway? A timer and a heating element, how hard is that?

Flash forward to today when playing with an Electric Imp[1] and noting that
you don't need 4 sq inches, you don't even need 1 sq inch and you can network
the damn thing.

So it certainly becomes _feasible_ to do this sort of thing but I'm unable to
construct a non-targeted reason why it would be _worthwhile_ to do it. Now if
you said, "A shipment of toasters headed for the US Embassy" or something
where there was some actionable intelligence to be gained by snooping the
network, perhaps. But randomly? Not so much.

[1] [http://electricimp.com](http://electricimp.com)

~~~
drzaiusapelord
I know the net enabled toaster is a running joke, but I would kill for one.
Typically toasters are cheaply made and give varying results.

I'd love to see a Nest-like toaster. I'd buy it in a second. Not sure if it
needs net access, but it can certainly use intelligence. Might be nice for it
to email me when its crumb tray gets full or download updates (toasting times
for new items like gluten free bagels, etc).

~~~
adriand
Dear god no. I have a Nest thermostat and it drives me nuts with its
inappropriate learning behaviour. I can just imagine the toaster learning,
incorrectly, to what degree I wish my bread to be toasted and thus giving me
levels of crispiness that I did not expect or want.

I really think there's a problem with over-engineered products these days. Not
every appliance needs a motor or batteries, let alone a computer. I'm still
very happy with my manual can-opener (the most reliable ones are the most
basic, in my experience, like this one:
[http://meridianvale.files.wordpress.com/2013/05/can_opener.j...](http://meridianvale.files.wordpress.com/2013/05/can_opener.jpg))
and my analog meat thermometer.

~~~
colechristensen
Things aren't over-engineered, they're poorly engineered. It's supposed to be
the art of taking away until nothing unnecessary is left. The common practice is
to replace things which are difficult to engineer or expensive to manufacture
with electronics and _that_ is the failure.

~~~
sp332
The Nest isn't that kind of engineering. It took a programmable thermostat
(already overkill for most people's use cases) and added even more automation
on top.

~~~
duncan_bayne
Do you know how much money you can save with a programmable thermostat? We
took a good 25% off our gas central-heating bill by having one fitted.

~~~
cantankerous
His point isn't that a programmable thermostat isn't worthwhile, but that most
people don't want it even if they should. Moreover, the OP notes that the Nest
is overkill as far as programmable thermostats go.

------
huhtenberg
If you read the original, there are several strong bullshit indicators.

The 200 meter range is one.

Second, they quote some guy who's a director of a consumer electronics
importer. He says that the reason they found these "spy chips" is because the
shipment of consumer electronics was over declared customs weight. So they
started looking and found chips, _meaning_ that the keyword you are looking
for here is "customs", not "Chinese spam chips" :)

[0]
[http://www.rosbalt.ru/piter/2013/10/22/1190990.html](http://www.rosbalt.ru/piter/2013/10/22/1190990.html)

~~~
trycatch
The story was discussed on Russian forums and people found even more blatant
BS there -- "wi-fi module" was in fact just a speaker used to indicate
horizontal position of the iron, spying module in the demonstrated Chinese
phone were just capacitors.

------
newsmaster
"by connecting to any computer within a 200m (656ft) radius which were using
unprotected Wi-Fi networks."

wow it's better than any wifi router I've ever owned! Time to buy an iron.

------
snorkel
Makes sense. People who use irons are the real global power brokers in every
modern society. The laundry room is the ultimate prize. Even though it may
cost $50 to manufacture an iron that has 200M WiFi range and sophisticated
viral payloads, and sure irons are unplugged most of the time, and OK, you'd
have to sell the irons at a steep loss, but still you will have amassed a
network of thousands of irons spanning the globe, listening, waiting, and
ironing.

~~~
selimthegrim
"This is a Seldon crisis we're facing, Sutt, and Seldon crises are not solved
by individuals but by historic forces. Hari Seldon, when he planned our course
of future history, did not count on brilliant heroics but on the broad sweeps
of economics and sociology. So the solutions to the various crises must be
achieved by the forces that become available to us at the time.

"In this case, -trade!"

Sutt raised his eyebrows skeptically and took advantage of the pause, "I hope
I am not of subnormal intelligence, but the fact is that your vague lecture
isn't very illuminating."

"It will become so," said Mallow. "Consider that until now the power of trade
has been underestimated. It has been thought that it took a priesthood under
our control to make it a powerful weapon. That is not so, and this is my
contribution to the Galactic situation. Trade without priests! Trade alone! It
is strong enough. Let us become very simple and specific. Korell is now at war
with us. Consequently our trade with her has stopped. But, -notice that I am
making this as simple as a problem in addition, -in the past three years she
has based her economy more and more upon the nuclear techniques which we have
introduced and which only we can continue to supply. Now what do you suppose
will happen once the tiny nuclear generators begin failing, and one gadget
after another goes out of commission?

"The small household appliances go first. After a half a year of this
stalemate that you abhor, a woman's nuclear knife won't work any more. Her
stove begins failing. Her washer doesn't do a good job. The temperature-
humidity control in her house dies on a hot summer day. What happens?"

He paused for an answer, and Sutt said calmly, "Nothing. People endure a good
deal in war."

"Very true. They do. They'll send their sons out in unlimited numbers to die
horribly on broken spaceships. They'll bear up under enemy bombardment, if it
means they have to live on stale bread and foul water in caves half a mile
deep. But it's very hard to bear up under little things when the patriotic
uplift of imminent danger is not present. It's going to be a stalemate. There
will be no casualties, no bombardments, no battles.

"There will just be a knife that won't cut, and a stove that won't cook, and a
house that freezes in the winter. It will be annoying, and people will
grumble."

Sutt said slowly, wonderingly, "Is that what you're setting your hopes on,
man? What do you expect? A housewives' rebellion? A Jacquerie? A sudden
uprising of butchers and grocers with their cleavers and bread-knives shouting
'Give us back our Automatic Super-Kleeno Nuclear Washing Machines.'"

------
drzaiusapelord
The source for this is Russian state-owned media. I imagine this is a Ukrainian
chocolate situation. When Russia gets pissed at someone they attack a trade
relationship that hurts that country. Suddenly, Ukrainian chocolate is unsafe.
Suddenly, American adoptive parents are unsafe and morally dubious for Russian
adoptions.

I wonder who makes these irons and if this is the beginning of a larger smear
operation.

~~~
smcl
I've not heard about the Ukrainian chocolate war before (have now googled and
read about it, oddly enough in Russia Today), but I've read about and seen the
Georgian and Moldovan wine ban in action. Pretty brutal for such small
countries to be honest. Luckily the best Georgian + Moldovan wine will get
exported to the EU anyway, but for your average winery times must get tough.

~~~
guard-of-terra
I'm not so sure EU wants to import wine anyway. They have their own of the
best quality in any quantities

~~~
vidarh
The EU imports massive amounts of wine from all over, so yes, Russia might
just turn out to hurt their own interests with that ban, as it's quite
possible Georgia and Moldova will simply find other markets and get less
dependent on Russian trade.

------
IvyMike
During my short time in Russia, the "unprotected wifi network" did not appear
to exist. Wherever I went, they seemed pretty paranoid (probably justifiably)
about keeping wifi locked down.

Hotels went so far as to give you a custom per-device one-day-only password.

~~~
drzaiusapelord
There are European (EU?) laws that do this too, and I'm assuming Russian ones.
Essentially, they want the identity of every user on wifi. Sucks for the
casual traveler.

~~~
rit
YMMV, depending on country... and how much the hotel cares about Wifi access.

Italy has strong controls related to terrorism, IIRC. The which has meant the
last few times I stayed in hotels there you had to hand over your passport for
photocopying to be issued Wifi passwords.

France & Germany have been a mixed bag – smaller hotels handed out per-device,
per-use passes but a few nicer / chain hotels I stayed at have the standard
"Open hotspot, enter your room # and name to bill to room" setup as I'd find
here in the States. The UK for the most part has been fairly normalised à la US
style for me.

On the other hand, there are apparently controls over mobile internet access
in France, including a (? 48 hour ?) delay in activating prepaid Data, and
IIRC your passport also gets entered in the DB. Generally, I'm a prepaid-data-
in-country type traveller (I have a bag of about 25 sims from various
countries)... France has been a no go for that.

~~~
drzaiusapelord
I remember having a little fun in Florence with guessing passwords. Think I
got on a restaurant or hotel wifi near a tourist spot using "12345678"

If they can't stop me, they ain't stopping dedicated terrorists.

~~~
rit
I suspect (this is entirely speculation) based on conversations with Hoteliers
in Italy before that they find it an onerous, silly requirement.

They simply have to show that anyone they _authorized_ to access their network
was logged.

Following the letter of the law, not the spirit, as it were.

------
onion2k
I've been ironing my tinfoil hat and all along I was just perpetuating the
problem. Doh!

------
csandreasen
True or not, it's an interesting attack vector. Makes me wonder (again,
assuming this is real) if it was designed that way or perhaps the manufacturer
was compromised/firmware modified (although why would an iron need firmware?).
I imagine we'll probably see more attacks using unconventional attack vectors
in the future; the Chinese hackers using a thermostat to maintain persistence
in the US Chamber of Commerce springs to mind [1]. Something that you bring in
and connect willingly to your network would be devastating. Can you imagine
buying a new TV, toy for your kids or some other high-tech wifi-enabled device
and later discovering that it would periodically arp-poison your laptop?

[1] (see section titled "Lying in wait", about halfway down the article)
[http://www.nytimes.com/2013/01/31/technology/chinese-hackers...](http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?smid=tw-share&pagewanted=all&_r=0)

------
rexreed
Sounds interesting - it must be very cost effective to do this, so I'm
wondering what chipsets are used in these products? Would this make for a very
low cost Internet of Things? I've always wanted to have a mini-router embedded
in a light bulb. It wouldn't need power and should have decent range.

~~~
nwh
You can use one of the WiFi SD cards for something like this. They're
completely hackable, and run busybox linux.

This is an early article, and other people have gone so far as to add displays
and other devices to them.

[http://haxit.blogspot.com.au/2013/08/hacking-transcend-wifi-...](http://haxit.blogspot.com.au/2013/08/hacking-transcend-wifi-sd-cards.html)

~~~
toomuchtodo
Do you have one in mind? An Eye-Fi perhaps?

~~~
nwh
They all seem to be built on the same foundations, though the Transcend ones
look to be the most popular. I've one sitting around but I haven't had a
chance to do much with it except for confirming that the vulnerabilities
exist.

------
bio4m
Are SoC's getting so cheap that this kind of scatter shot approach is cost
effective ?

In all honesty I believe this is a fabricated story. Mainly 1) it's not cheap
2) Irons are hot and can have water in them for steam. Not ideal for
electronics 3) Irons aren't in use all day. Hardly a great attack vector, a
mobile phone charger would be much better

~~~
mrb
About #2: Irons already have electronics in them, typically a microcontroller
+ sensor + LED(s) + input buttons + of course the heating element.

~~~
bio4m
Now I feel old; last time I looked inside an iron all I found was a
thermocouple, a cheap bulb and the heating element;)

------
makerops
I am sorry, but this is just cool (if in fact, the reporting is accurate).

~~~
AUmrysh
This is why using Chinese chips in American military equipment is a bad idea,
aside from the fact that ghost runs of popular chips can result in fake, non-
working chips.

------
conductor
Why did they choose the irons? Usually irons are not plugged-in more than
couple of hours in a week.

~~~
Sanddancer
First thing that comes to mind is that no one would suspect an iron. People
are gonna beat their heads over these intermittent spam issues for quite a
while before any correlation pops up. Second, if you add a battery to the
chipset, then you can charge while the person's ironing and out spam
throughout the week. Irons are pretty high power devices, so no one's really
going to notice an extra watt or so.

~~~
discreditable
Wouldn't an SOC + battery in an iron be fairly prone to overheating issues?

~~~
pyre
It could just charge while the iron is on, and do everything else while the
iron is off. As to being affected by heat, there are parts of the iron that
can't be hot (i.e. the handle), so you can move the install away from the hot
parts.

------
not_rhodey
There is no way that this attack method is profitable if the attacker is
fronting the cost of manufacturing. This leads me to believe that this article
is incorrect or fabricated, or that this is a seriously interesting attack on
an iron manufacturer.

------
Axsuul
Scary foresight of things to come with the internet of things.

~~~
vezzy-fnord
I'm more afraid of computerized toilets, to be honest.

~~~
raganwald
"We tried to port-scan the rogue device, but it flushed the evidence."

I'll just show myself out...

~~~
gknoy
Might be a better experience than once the local script kids find your bidet.
;)

------
tokenadult
There are lots of attempts at humor in the comments. So far, the BBC reporting
just says, "State-owned channel Rossiya 24" reported something, without any
BBC reporter claiming to have independently verified the reports from Russia.
Maybe this isn't a true fact about the world. It might be Russian official
media paranoia, or some kind of hoax, or some kind of misunderstanding of a
legitimate product feature. Until this story is better verified, I will go
right on ironing my clothes. Are there specific brand names or lot numbers of
the products available to reporters in other places who could verify (or
disconfirm) this story?

~~~
mikecane
The original Russian report is typically fractured by Google Translate:
[http://translate.google.com/translate?sl=ru&tl=en&js=n&prev=...](http://translate.google.com/translate?sl=ru&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.rosbalt.ru%2Fpiter%2F2013%2F10%2F22%2F1190990.html)

I think this is something where shipments specifically headed to Russia were
targeted. But that's not to say it can't pop up elsewhere. [typo edit]

~~~
gcb0
Why irons though?

I remember a classic demo at one conference where they used a PSU. It had some
advantages: 99% certain it will be used near a computer. USB and Ethernet
ports for "power surge protection" that can add attack vectors.

The only reason I can think of for irons is either lack of other
opportunities, or trying to be as inconspicuous as possible (tech-savvy people
are more prone to opening a PSU than an iron)

~~~
pbhjpbhj
> _I remember a classic demo at one conference where they used a PSU._ //

Wifi from inside a grounded PSU casing inside a (possibly metal) PC casing
doesn't sound like something that's going to work very well?

~~~
gcb0
All UPSs I had were plastic cases.

Ah, sorry... I wrote PSU... my bad. _Not_ a PSU, but one of those UPS, or no-
break. More specifically the APC ones that are cheap and have USB data port
and Ethernet/modem filtering.

------
cdi
Don't trust anything Russian state-owned media says. It went completely crazy
in the last 2 years. I recently watched a "Documentary" on this main "news"
channel Rossiya 24, which speculated that the outbreak of Swine influenza in
Asia was an ethnicity-targeted bio-weapon attack, carried out by the US. And
other similarly insane things like "Bill Gates tries to make everybody
infertile in Africa, with his anti-malaria vaccine." Overall mood that this
'program' tried to convey is "be afraid, be very afraid of foreigners and
foreign states. They are out to get you."

~~~
annnnd
Sounds like pretty much any media in any state, USA included... Replace the
names of the countries and you will get your regular CNN.

------
dschiptsov
"And, God forbid, do not read Soviet newspapers before lunch..."

------
fit2rule
There's really no way for us to know that CPU manufacturers haven't embedded a
backdoor that transmits - on some unknown frequency, or maybe technology - the
contents of CPU registers and cache lines directly to some NSA satellite
somewhere. We just don't have the ability to audit the powers that create
these machines; and this sort of highlights a massive disparity between
classes - the technocratic class, and the consumer class.

------
mdisraeli
TOR EXIT NODES. In a single swoop, the internet just got a whole lot messier
to police ;)

I've been thinking about ideas like this for years, but it never occurred to
me that you could just hit the supply chain at the source, rather than
covertly fit the devices once kit had been installed.

------
EA
Scary to think that my coffee pot is connected to your coffee pot by a piece
of metal.

~~~
balabaster
I wonder if they spend their time exchanging pictures of cats too?

~~~
JVIDEL
Nope, toaster pictures

~~~
balabaster
That's like porn to irons? :D

------
wil421
In other news the NSA has possible backdoors in real computer devices.

------
venomsnake
My new company will provide Faraday caging of homes and residential
buildings... Seems like with the new Intel chips with built in wifi that were
rumored it will become a popular service

~~~
rexreed
Would it help in this case? Sure, you'd prevent signals from leaving the
house, but the signals in this case are all internal to the house, so the wifi
would still work internally. All you'd prevent are outside services from
pinging in and vice-versa, not much help for internal devices connected
through broadband internet wired or fiber.

~~~
venomsnake
There won't be much unsecured stuff to connect to on the inside.

------
slig
Are botnets getting expensive or do they suck to send spam nowadays?

------
marshray
Without more evidence, I'm pretty skeptical of this particular claim.

Nevertheless, thousands of heating elements under your control in enemy
territory would make a pretty evil cyberweapon.

------
im3w1l
I wonder if finding this is the result of post-NSA paranoia.

------
keithboor
This makes me miss Burn Notice. That's the kind of stuff Michael Westen would
be doing in pretty much every episode.

------
elwell
See what happens when you take down the iron curtain???

------
skyfantom
Give us time, and we'll make bears with WiFi bots!

------
pantalaimon
Finally, the Internet of Things is becoming a reality

------
gcb0
hacking at its best. and a whole new meaning to internet of things.

