
Of course smart homes are targets for hackers - janvdberg
https://mjg59.dreamwidth.org/45483.html
======
sophacles
One threat model I think is being missed here: the fact that scanners and
geolocation services both exist, makes the job of burglars much simpler in an
insecure IOT world.

Basically they go to their friendly shodan-alike and get a list of IPs running
IOT cameras (etc). Then they pipe that list through a geolocation service and
grep for their target region. Then they just monitor for good targets, and
when they are unoccupied.

Much like the big hubbub when people pointed out that mentioning vacations on
an open facebook feed was burglar bait.

Both take away a lot of effort for reconning homes, so they are probably being
used to narrow the search for good potential targets.

~~~
fegu
This isn't the threat it is made out to be. Most homes are empty every day
when people are at work. It isn't really necessary to perform advanced
analysis to find an empty home.

~~~
freeflight
Most homes, but not all homes, especially with home offices being an actual
thing that's becoming more popular. I doubt many burglars want the risk of
running into somebody during their "heist", so they will stake out possible
targets. Staking out a target used to be time-consuming and a bit risky,
because the burglar needed to be on location for quite some time to conduct
surveillance themselves, in person. Now they can stake out multiple targets at
the same time, from anywhere they want, with all the anonymity the Internets
allow for.

~~~
trprog
While the addition of anonymity would certainly be appreciated by would-be
burglars you seem to be leaving out a small detail. It is trivially easy for a
burglar to determine if someone is home. They can just walk up to the front
door, knock and see if anyone answers.

If someone is there ask for a glass of water, ask if they have accepted Jesus,
ask if Steve lives there or whatever other BS excuse they have ready before
simply moving on to another prospect. If no one comes to the door then the
home is very likely empty and they can proceed.

This has the added benefit for the burglar that anyone seeing them enter the
property will assume they have good reason to be there. After all they marched
straight up to the front door and rang the doorbell which is what non-thieves
do so it's less suspicious if they then go around the side of the house when no
one answers.

~~~
ghaff
In some ways, this is just another class of "Thieves are following you on
Twitter so don't let anyone know if you're going on a trip." Sure, for some
high profile individuals, keeping your movements secret may make sense. But
for most people this is sufficiently far down on the list of threats that it
probably doesn't matter.

------
cakeface
This article, like many security articles, shows an unwillingness to reason
about security in a non-extreme manner. All aspects of life include risk,
internet or IoT security are just one axis of risk that must be weighed when
making decisions and, well, living. I find The Wirecutter's advice to be
perfectly sound and reasonable.

~~~
mjg59
Most people aren't sufficiently informed to be able to make those decisions in
a reasonable way, and having the Wirecutter provide this kind of advice
without explaining that there are cases where some people _do_ need to be more
paranoid is harming those people. Telling people that everything will be fine
when we know that for some people there's a much higher probability that it
won't be shouldn't be acceptable.

~~~
enraged_camel
>>Most people aren't sufficiently informed to be able to make those decisions
in a reasonable way

Exactly. The _vast_ majority of people aren't aware that their "smart
thermostat" can be hacked and used to perform a denial of service attack on
websites.

~~~
anc84
I'd wager that the vast majority of people also do not care the slightest
about that. The manufacturer is at fault for that, not the person who bought
the device. Unless people themselves get any drawback, why should they care?

~~~
enraged_camel
Well, it's like how people used to not care about leaving their wifi access
points unprotected back in the day. It took several years of news stories of
neighbors downloading child porn through those WAPs (and things like that)
before people became aware of the risks and password protection became
standard practice.

------
drcross
Can someone fill me in on this IOT hacking phenomenon. Surely the vast
majority of devices sit behind a NATted router with a firewall on consumer
premises, they don't have dedicated IPv4 addresses and don't touch the
internet unless they are requested to (or already have a bad binary on
install). How is this hacking happening?

~~~
gh02t
Also consider the hubs. To take a well known example, Philips Hue lightbulbs
don't connect to the net directly and don't have any significant computational
resources to speak of. They are just an 8-bit Atmel microprocessor with a
Zigbee radio to talk to the hub (
https://blog.adafruit.com/2016/06/14/teardown-of-a-philips-hue-led-lightbulb-with-zigbee-and-atmega2564-avr-iot-iotuesday/
).

On the other hand, the Hue hub is running a full embedded Linux distro (which
has even been rooted, though it requires physical access
http://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/
). A lot of the "real" smart home gadgets are using this model
and they will gleefully punch a hole in your firewall, so it comes down to the
security of the hub(s).

From what I know, Mirai is mostly hitting stuff that isn't what I think of as
IoT - stuff like routers, security cameras and DVRs. Seems like it's being
misrepresented, though that's not to say that an attack on something more in
line with what I think of as IoT/smart home isn't possible. I have no doubt
that tons of refrigerators with Wifi and connected coffee makers are
vulnerable. Part of me wonders if Mirai was meant as a grey hat warning since
it's just showing what's possible only picking on low hanging fruit ("Mirai"
means "future" in Japanese).

~~~
s_q_b
> _Part of me wonders if Mirai was meant as a grey hat warning since it's
> just showing what's possible only picking on low hanging fruit._

I would wager that is correct. I certainly took it that way, especially after
the source code dump. [0] That seemed to be almost out of frustration.

[0] https://github.com/jgamblin/Mirai-Source-Code

------
rsync
A long, long time ago - before JohnCompanies and rsync.net and Oh By - I was a
windows sysadmin.

One thing I noticed was, for the most part, the intelligence of a user was
inversely correlated to how much shit they had running in their windows system
tray.

The smarter you were, the fewer little blinking mini-icons you had down in the
lower-right corner of the desktop. You didn't need those gimmicks and you
understood the value of simplicity in a running system.

I wonder how smart homes and smart people correlate?

~~~
saulrh
I always get annoyed at how many things want a system tray icon now. There's
_no reason_ for my mouse to need a piece of software that lives in the system
tray. There's _no reason_ for my IM client to live in the system tray. There's
_no reason_ for my video card driver to have an updater service that lives in
the system tray. It's ridiculous. Of the 12 things in my system tray, I've
only ever clicked on _three_ of them. It's infuriating.

~~~
tunap
_" It's infuriating."_

I sure hope you don't own an HP printer...

Get into Services and set unessentials to manual, bloatware to disabled (if
cannot uninstall & keep functionality or driver). Some searching[0] around
will show more than a few MS services can be disabled without anything of
value lost.

edit: blackviper's still up and running. wow. :

[0] http://www.blackviper.com/sitemap/

~~~
pavel_lishin
My favorite piece of HP software was some printer "accessory" that would hang
out on the desktop, overlaying the icons there, and on occasion overlaying
every other piece of software as well, taking up pretty valuable screen real
estate and mindscape, too.

------
blacksmith_tb
I am not sure I follow - is the implication that some "creepy" person I met at
a bar/cafe/etc. who knows only my first name will somehow exploit
$RANDOM_IOT_DEVICE in my home? Even if you allow that they might be able to ID
me accurately (say with a phone camera), they'd need to find my IP (which
changes regularly, DHCP from my ISP), get through the firewall, and compromise
the device. That isn't impossible, but it would make a better subplot for Mr.
Robot than something I should spend time worrying about. It seems much more
likely IoT devices will be exploited by scripts, running over ranges of IPs,
and their "creepy" owners will be thousands of miles away from my home.

~~~
s_q_b
Do you have anything in your home that you might wish to keep private? Any
texts with loved ones? How about any intimate moments, whispered nothings that
you would prefer not be recorded?

Oh, you say you have nothing to hide.

Do you have a bank account? An investment portfolio? College funds for your
kids?

A skilled attacker can make all of that vanish.

Without many people noticing, the IoT has slowly invaded the average American
home. Almost every TV is a Smart TV, internet gateways are smarter, Alexa,
Siri, Cortana, light bulbs, door locks, refrigerators, thermostats...

With a little effort, an average pen tester could own your system, publish
your secrets, steal your life savings, record you with your wife, and brick
your iPhone, TV, and furnace just for good measure.

It's time to take IoT security seriously.

*It actually was on Mr. Robot. There was a subplot wherein Darlene compromises an E-Corp exec's smart home, causes the appliances and security system to malfunction to drive away the occupant, and then uses the place as a hideout.

~~~
deegles
Even if you literally have nothing valuable to hide, consider that a hacked
device on your network could be used for malicious things like DDOS, hosting
illegal content, proxies for other attacks, etc etc.

~~~
yomly
More importantly, consider how much more empowered malicious state-backed
entities become. At the moment we can only be surveilled (which is plenty
terrifying). What happens when we can be physically influenced remotely at
scale?

------
munin
How is a consumer supposed to answer any of these questions for themselves?

~~~
clock_tower
Just don't buy smart-house equipment in the first place, if you ask me. Dumb
houses are good enough; and unless you're talking about panic buttons to call
the police, more connectivity means more vulnerability.

(Now, to find a TV that doesn't have a microphone.)

------
upofadown
It entirely depends on the thing. If someone hacks my light switch all they
can do is turn the light off and on while revealing to me I have a problem I
have to fix. Anyone can call my home phone number and turn on my car plug for
4 hours. All they will do is waste a small amount of electricity. If they want
to disable my alarm and open my door, well that will be a lot harder,
particularly if they want to try to do it remotely.

If there is anything that can, say, let someone remotely cause a fire then the
problem isn't security. The problem is that you have something under software
control that can cause a fire. Chances are that regular faults will burn down
the house much more often than "hackers" will. Note that such faults can be
caused by things like lightning hitting the power lines somewhere in your city.
They don't have to be actual bugs.

Of course the "internet of things" is kind of a joke right now. What with the
lack of any sort of standardization it is unlikely that the owner will be able
to usefully control things much less some remote attacker.

~~~
WalterBright
I looked into electronically controlling the lights in my house 15 years ago.
I was hard pressed to see any value in it. Walk into a room, flick it on. Walk
out, flick it off. The light is for the person in the room - why flick it on
and off when nobody is there?

(Yes, I know about deterring burglars.)

~~~
gh02t
My roommate has an extremely annoying habit of leaving lights on, despite
constant reminders of "hey turn off the light." We otherwise get along pretty
well, so it wasn't worth fighting over. So I modified the switch to add remote
control using a simple wifi controlled switch and also added a motion
detector. Now the light turns itself off. Sure it's overkill, but it really is
convenient and made for a fun project, plus it only cost about $10.

Similarly, our HVAC puts out most of its air upstairs and we use a fan to help
move air down the stairwell. I set it up to coordinate with the HVAC to turn
on and off in time with the cycles and also to turn itself off in the evening
when we are all asleep and back on in the morning. Again, not essential but
fun and handy.

The HVAC itself is also controlled by a somewhat complex system that I made
over the course of about 6 months. It makes a big difference in keeping the
house temperature even and also saves something like $10 per month in
electricity. My point here is that well targeted smart home devices can be
really handy. On the other hand I made this stuff myself specifically tailored
to my needs. IMO, it's hard for commercial products to really hit the sweet
spot between being easy to use and yet adaptable enough to fit into
everybody's life tightly enough to not be annoying.

~~~
WalterBright
LED lights consume not much power. How does that compare with the power used
by a wifi + motion detector system running 24/7?

It's pretty clear that an HVAC system that is on a timer can save considerable
power. I have a programmable thermostat for that reason, but the user
interface for it is so awful I need to reread the manual every time. It would
be better if it was wifi and presented a web page as a UI.

I also bought a programmable cat feeder. Again, one needs a manual to figure
it out. What is wrong with those engineers? You shouldn't need a freakin'
manual to set up a cat feeder. And the UI couldn't be satisfied with 5
buttons, no, you've got to do chording and hold buttons for various amounts of
time to do various things. It's complete madness.

(I don't want the cat feeder hooked to the internet, though. I'm suspicious
the cat has been plotting against me, and it might be able to coordinate with
other cats via the cat feeder interface, which could spark the cataclysm.)

~~~
gh02t
> LED lights consume not much power. How does that compare with the power used
> by a wifi + motion detector system running 24/7?

It's barely a rounding error. Sleeping the microcontroller, average current
draw is a couple mA. LED lights draw around 500 mA.

Regarding the HVAC, what I made is more focused on keeping the temperature
balanced by taking a weighted average of temperatures across the house, with
the weights adapting to where people are, similar to the Ecobee thermostats
but DIY. It also has a web interface where you can view temperatures and power
usage, which is far more useful than I thought it would be.

------
yabatopia
The author poses some interesting questions, but unfortunately doesn't provide
really useful answers.

How is the average consumer going to find out the security reputation of a
vendor of smart home devices? How to find a reputable vendor for such or such
device like a baby monitor, security cam, smart lighting or wifi repeater? In
an easy way and easy to comprehend?

Is there a website to check the security of smart home devices, or a list of
reputable vendors? That would be a first step.

------
chx
Let me grab this occasion to ask: WTF is going on in general? I readily
presume most people have a wifi router with these iot devices and while
obviously those are not the best security wise (I presume again most don't run
pfsense or openwrt) but still they are there, NATting away happily. How would
a baby monitor appear on the open web...? I can't imagine the average user
setting them up in DMZ or port forward or ... what is happening here? I am
obviously missing some primarily home networking oriented protocol probably
because I am configuring my own routers and I am simply unaware of some
feature of the factory firmware that allows traffic inwards.

~~~
userbinator
I don't use those products, but I can imagine many of them automatically doing
port forwards
(https://en.wikipedia.org/wiki/Universal_Plug_and_Play#NAT_traversal)
and possibly even automatically registering in a dynamic DNS service, all
for the "convenience" of the "I don't know what a port is and I don't want to
know" user.

~~~
chx
> Many routers and firewalls expose themselves as Internet Gateway Devices,
> allowing any local UPnP control point to perform a variety of actions,
> including retrieving the external IP address of the device, enumerate
> existing port mappings, and add or remove port mappings.

Are you bloody kidding me? Why do you even have a firewall, rudimentary as it
is, then?

~~~
closeparen
UPnP comes from the view that NAT is an unfortunate artifact of residential
ISPs only giving out one IPv4 address per household, not a crucial security
strategy.

If you really think of your NATing router as a security device, turn off UPnP.
Though I'm not sure how much good that will do, as any device can still phone
home or reverse tunnel.
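
An added example, not part of the thread or any commenter's code: a defensive audit of the port mappings a home router's UPnP Internet Gateway Device reports, using the enumeration capability quoted above. The SOAP responses are constructed samples in the WANIPConnection:1 `GetGenericPortMappingEntry` response shape; the function names, the approved-client list and the addresses are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")

def _resp(*values):
    """Build a constructed GetGenericPortMappingEntry SOAP response."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in zip(FIELDS, values))
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body><u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            + body +
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

# Constructed sample data (addresses and descriptions are made up).
SAMPLE_RESPONSES = [
    _resp("", 8080, "TCP", 80, "192.168.1.50", 1, "IPCAM", 0),
    _resp("", 51413, "UDP", 51413, "192.168.1.10", 1, "p2p-client", 3600),
    _resp("", 2323, "TCP", 23, "192.168.1.77", 0, "dvr", 0),
]

def parse_mapping(xml_text):
    """Extract the port-mapping fields from one SOAP response."""
    entry = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]      # drop any XML namespace
        if tag in FIELDS:
            entry[tag] = (el.text or "").strip()
    return entry

def audit(responses, approved_clients):
    """Return enabled mappings with the reasons each deserves a look."""
    findings = []
    for text in responses:
        m = parse_mapping(text)
        if m.get("NewEnabled") != "1":
            continue                          # disabled: nothing is forwarded
        reasons = []
        if m["NewInternalClient"] not in approved_clients:
            reasons.append("internal client not on approved list")
        if not m["NewRemoteHost"]:
            reasons.append("reachable from any remote host")
        if m["NewLeaseDuration"] == "0":
            reasons.append("lease never expires")
        findings.append({"external_port": int(m["NewExternalPort"]),
                         "protocol": m["NewProtocol"],
                         "client": m["NewInternalClient"],
                         "description": m["NewPortMappingDescription"],
                         "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES, approved_clients={"192.168.1.10"}):
        print(f)
```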

~~~
chx
Sure but port scanning and forming a massive botnet is impossible if they are
not even capable of listening on an open port which NAT gives you for free.
It's like the lemonade you could make when life gives you lemons. Except
now it's spoiled too.

~~~
closeparen
On the other hand, UPnP is the only currently viable strategy for average
people to run devices on their home networks and control them from the
internet without looping in a third party server.

