Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Communications Networking Privacy Security The Internet IT

IoT Security Is So Bad, There's a Search Engine For Sleeping Kids (arstechnica.com) 127

An anonymous reader writes: Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams. The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores. While IoT manufacturers are to blame, this also highlights the creepy stuff you can do with Shodan these days. At the start of January, Check Point recommended companies to block Shodan's crawlers. The infosec community came to defend Shodan, and even its founder said that Shodan is uselessly branded as a tool of evil, saying that attackers have their own scanning tools.
This discussion has been archived. No new comments can be posted.

IoT Security Is So Bad, There's a Search Engine For Sleeping Kids

Comments Filter:
  • Johnny can't encrypt (Score:4, Interesting)

    by dfn5 ( 524972 ) on Saturday January 23, 2016 @11:22PM (#51359507) Journal
    Security is hard and companies have to make their video surveillance products easy enough for a socker mom to install. Frankly I'm not surprised. Nor do I have a solution. As someone who has to provide tech support to family and friends I realize how hard it is to "just make it work" for those who couldn't care less about the technical details.
    • Re: (Score:2, Offtopic)

      by penguinoid ( 724646 )

      Security is hard and companies have to make their video surveillance products easy enough for a socker mom to install.

      Or for someone who can't spell the most popular sport in the world.

    • by creimer ( 824291 ) on Sunday January 24, 2016 @12:38AM (#51359693) Homepage

      As someone who has to provide tech support to family and friends I realize how hard it is to "just make it work" for those who couldn't care less about the technical details.

      If you're not charging your relatives for tech support, you're doing it wrong. The fastest way to discourage relatives is to quote the hourly rate of your local mechanic ($100 in my area). If your relatives won't pay to have a mechanic fix the car, you can bet that they won't pay to have you fix the computer.

      • by AmiMoJo ( 196126 ) <mojo@worl d 3 . net> on Sunday January 24, 2016 @09:52AM (#51360823) Homepage

        Problem with charging your relatives for support is that they will then start charging you for the same. Need a lift to the airport? Help moving house? Look after your cat for the weekend? Childcare?

        Rather than becoming the black sheep of the family, just be more assertive at calling in those favours. Start the conversation with "how is your computer doing?" and end it with "so I need help moving this grand piano I bought..." You can even cash in while doing the tech support. When the call up, say you will come over, and then casually ask if they have any of that meatloaf they served the other day you could grab a slice or two of.

    • by omglolbah ( 731566 ) on Sunday January 24, 2016 @01:06AM (#51359759)

      Yet, for wireless routers encryption is enabled by default for most, and a sticker with the password is put on the physical device.
      Why not the same for a camera?
      Not a perfect solution, but a hell of a lot better than the current situation.

    • by Dutch Gun ( 899105 ) on Sunday January 24, 2016 @05:24AM (#51360335)

      Generally speaking, implementing correct security is extremely difficult, but a company that puts security as a priority can design systems that are secure by default, and strike a reasonable balance between customer ease of use and effectiveness. It doesn't have to be impossible for a soccer mom to use a device securely.

      You can see the difference in two competing chat apps: Threema vs iChat. Threema is a "trust no-one" model, and requires you to actually meet face to face with a person to pre-exchange keys before you can chat with the maximum security protocol. iChat, on the other hand, "just works", relying on Apple to manage the key exchange. You're giving up a small amount of security for the convenience of a seamless experience, and trusting Apple to keep it the channel secure on your behalf.

      I think most people would be fine with trusting the company they bought their devices from to actively manage the security aspects so they don't have to think too much about it, but in many cases, it's not that the security is flawed... it's completely non-existent. Anyone complaining about Shodan is simply blaming the messenger. The blame lies squarely on the companies that are selling these products with zero security in mind.

      • by Bert64 ( 520050 )

        iMessage is aimed more as a replacement for SMS, which worked in the same way - you had to trust your telco and that of the recipient. For casual chat both systems are more than adequate.

        • Don't get too hung up on the analogy. The point I was trying to make is that there's a security vs convenience tradeoff, but it's certainly not impossible to make reasonably secure products accessible to the masses. These IoT companies aren't even trying.

    • Security can be implemented fully transparently to the user. This does of course take quite a bit of effort, and it can be costly since you need a few things on your system that take the workload off the user.

      Since both mean more cost for the device, this is not an option. Those gadgets are supposed to be cheap, security is not a selling point so to hell with it.

    • Security is hard and companies have to make their video surveillance products easy enough for a socker mom to install.

      Didn't you mean sucking moms instead?

    • I have a solution: until companies carry a legal penalty for being do damned incompetent at security, and they have to give a damn ... stop buying this shit.

      I know, it's a wacky idea, and people can't survive without something connected to their smart phone.

      But on behalf of those of us who have been saying this shit is defective by design for years, what the hell do you expect? This stuff is entirely predictable.

      I've simply ran out of the ability to feel any sympathy for this.

    • Baloney. Have a unique default password generated for each device, print it on a sticker and paste it to the device. They've been doing that with routers for years already.
  • by westlake ( 615356 ) on Saturday January 23, 2016 @11:31PM (#51359529)

    The infosec community came to defend Shodan, and even its founder said that Shodan is uselessly branded as a tool of evil, saying that attackers have their own scanning tools.

    It won't matter to the families of the children you have exposed that other scanning tools are available. Yours is public and visible --- and it has a deliberately provocative name. You can't search Google for Shodan and miss the connection.

    • by Anonymous Coward

      Yours is public and visible --- and it has a deliberately provocative name.

      That's the point, Shodan is selling a service, and they want publicity.

      Hopefully this will make the mainstream news and people who have their cameras connected to the internet will learn and take them down.

      • And realistically, Shodan is offering a more useful service for free - showing people that their webcam is broadcasting to the entire world.

        The fact that the "solution" is "hey, block this one provider" and not "holy crap, unplug that thing NOW and get one that isn't broadcasting our cash register to anyone with half a brain.

        I suspect this will get fixed when someone gets hurt or robbed, and decides to take it out on the manufacturer. (I'm guessing there's a (media) case to be made in "hey, the webcam you s

    • by Anonymous Coward

      It won't matter to the families of the children you have exposed that other scanning tools are available. Yours is public and visible --- and it has a deliberately provocative name. You can't search Google for Shodan and miss the connection.

      The device manufacturers are clearly to blame here.....this isn't a Shodan problem. Any reasonable timeline for a response to responsible disclosure has long since passed.

    • by Lunix Nutcase ( 1092239 ) on Sunday January 24, 2016 @12:18AM (#51359651)

      Because sweeping this under the rug means bad guys won't ever attack these devices. *rolls eyes* Their point won't have been made until these *groan* IoT *groan* device making shitheads secure their crapware.

      • by excelsior_gr ( 969383 ) on Sunday January 24, 2016 @01:49AM (#51359847)

        I'm afraid I have to agree. This search engine needs to receive as much publicity as possible, not get swept under the rug. Only then, I hope, will the people become aware of how orwellian the IoT really is.

        • IoT is not orwellian, what turns orwellian when people don't care about security issues: users and manufacturers. This has nothing to do with Big Brother. Enable the security on your webcam and no one will sneak at you.
      • Because sweeping this under the rug means bad guys won't ever attack these devices. *rolls eyes* Their point won't have been made until these *groan* IoT *groan* device making shitheads secure their crapware.

        The geek makes this argument whenever one of his pet "white hat" hacking projects is clearly open to abuse.

        The problem here is that the argument appeals only to other geeks --- not to those who see only an invasion of privacy made possible --- made easier --- by a search engine like Shodan. That a door was unlocked or the lock was broken does not imply a right to enter.

        The geek needs to learn that others see him as the shithead whether he is wearing the white hat or the black.

    • Yours is public and visible --- and it has a deliberately provocative name. You can't search Google for Shodan and miss the connection.

      The malevolent AI villain in System Shock 2? I fail to see the connection...

      You've made your point...now shut it down.

      Yes. They've made their point. Now it's the job of the manufacturer to shut it down, since people anywhere on the planet can run a similar service, and there's not dick you can do about it without a policing treaty, and extradition treaty, and a willingness to spend a lot of money following up the events.

      • SHODAN is an artificial intelligence whose moral restraints were removed from her programming by a hacker in order for Edward Diego, station chief of Citadel Station, on which SHODAN was installed, to delete compromising files regarding illegal experiments and his corruption. She is a megalomaniac with a god complex and sees humans as little better than insects, something which she constantly reminds the player of.

        No moral restraints, megalomaniac?

    • I did the impossible. I searched Google and came up with martial arts, Go, and this article. And similar articles from back when this was news. The connection you claim is obvious is clearly missing.

      I'm more interested in this having been news for years, and devices aren't even using minimal security via obscurity. A normal ISP might knock you off for port scanning, but hitting random addresses on a single port might not trigger the same response, making it trivial to replicate this search engine.

    • So killing the messenger it is again? Let's hush it up, when nobody talks about it, maybe it just goes away.

      You know the old saying, if you make Shodan a criminal, only criminals will go onto the orbital station and fight her. Or something like that.

    • by AmiMoJo ( 196126 )

      You can search Google for unsecured webcams. They periodically remove them from their database, but if you stay ahead of the curve with new models they are easily accessible via google.

  • by kriston ( 7886 ) on Sunday January 24, 2016 @12:21AM (#51359659) Homepage Journal

    I'm not sure if everyone already knew this but Shodan *started* as an non-secured webcam search engine back in 2009.

  • The feds will shut down the sleeping-kids search engine in a couple of weeks, after they infect a bunch of computers with phone-home-ware.

    What's that you say? I'm posting in the wrong thread [slashdot.org]? Sorry, saw "kids" and "cameras" and "creepy" and they sort of blended together there for a minute.

    Strange but true: My captcha is warrants. Now THAT is creepy!

  • by Morgaine ( 4316 ) on Sunday January 24, 2016 @01:07AM (#51359765)

    An AC wrote:

    People who don't secure their systems and devices are to blame for someone breaking into them?

    There was no breaking in.

    If you provide data to the public Internet without any form of restriction, you can't then validly complain when the Internet public sees that data. You offered it publicly, and the public took you up on your offer.

    This isn't anything like breaking and entering, nor even like someone walking through a door which you left wide open. It's much more intentional on your part than that:-- you offered data to the public by creating an unrestricted access port on the Internet, your offer was accepted when someone opened that port, and then you deliberately sent your data out to that recipient. It was your choice, before and after you made the offer to the public. Nobody can force you to send your data if you don't want to. Your system wasn't hacked to change its code to something that you did not intend.

    The closest analogy I can make is to imagine yourself standing on the sidewalk in the high street, an open sweet jar in one hand, and the other hand outstretched offering sweets to passers by. The highstreet is the public Internet, and your invitingly outstretched hand is the open port. If someone takes hold of the sweet, you can still prevent it from being taken by holding tightly onto the wrapper (an access restriction, perhaps you want to check that recipients are smiling first).

    But if you first offer a sweet and then release it, you don't get to complain --- it was your visible intention to hand out sweets to passers by, and nobody can read your mind, only your actions. If you don't understand this then perhaps you don't grasp how Internet protocols work, and you would be best advised to stay well clear of the Internet.

    You may wish that Internet protocols worked some other way, perhaps using ESP, but they don't. They work as they were defined.

    • If you provide data to the public Internet without any form of restriction, you can't then validly complain when the Internet public sees that data. You offered it publicly, and the public took you up on your offer.

      Was it their choice though? Were they aware that the device is exposed?

      Part of the blame lies on the manufacturer if they make it too easy for an uninformed person to leave the device in an unwanted state. Bad design.

  • by jones_supa ( 887896 ) on Sunday January 24, 2016 @01:42AM (#51359833)

    ...front gardens, back gardens...

    Aha! But not side gardens! Those have better privacy...

  • by gavron ( 1300111 ) on Sunday January 24, 2016 @02:44AM (#51360051)

    ...they they don't need to worry about the surveillance.

    And the parents who put these protections in place, that's just like our big brother the NSA and GCHQ putting protections in place for us. No encryption necessary. Hope no bad guys get a hold of this.

    But if you're doing nothing wrong... ...you have no reason to worry.

    E

    • With the ever changing laws and more and more insane laws springing into existence, do you even know anymore whether you do anything wrong? Worse, are you sure that what you enjoy doing today would not be considered "wrong" tomorrow? And that the powers that are might wonder whether you stopped with that "habit" you had that used to be legal before?

  • It is as the IoT people never even have heard of the, by now, 30+ years of history of Internet security fails. These must be the dumbest, most arrogant and most clueless developers, lead by managers of the same quality. It is high time that we get legally actionable gross negligence for manufacturers that ignore Internet security best practices.

    • That last part of your statement is pretty much the reason right there.

      Business decisions are driven by simple considerations. Whether some feature is added is decided by basically 3 questions?

      1. Is it going to increase revenue?
      2. Is it going to increase sales?
      3. Do we have to do it to avoid fines?

      If none of the 3 apply, it will not be done. Security is "neither of the three". So to hell with it.

      • by gweihir ( 88907 )

        Indeed. And hence bad security must be made a significant cost factor for those making devices with it.

    • Don't tell me, you haven't RTFA no?
  • "Look at you, hacker: a pathetic creature of meat and bone, panting and sweating as you run through my corridors."

  • by JustAnotherOldGuy ( 4145623 ) on Sunday January 24, 2016 @02:24PM (#51361763)

    IoT: Internet of Trouble

    Lets see....cheaply-made products produced and sold with barely a nod to security, installed by users who are likely to be as clueless as they could possibly be, all connected to a worldwide network easily accessible by lots and lots and lots and lots of malicious people with too much time on their hands.

    What could possibly go wrong??

    Trust me, you ain't seen nothin' yet. I'd wager that 98% of all of these consumer-grade gadgets are going to be easily hackable in their default configuration. It's only a matter of time- eventually one of them will cause a serious injury or death, or at the very least some kind of significant property damage.

    You want your refrigerator to be internet enabled? Great! But should it also have the unfettered ability to turn the temperature down and spoil all the food?

    You want door locks you can control from the other side of the world? Great! But should any Joe Blow with a free hacking kit be able to unlock your doors at will?

    You want to be able to remotely turn on your stove and start heating some water? Great! But should it blindly start "heating" a cardboard box left sitting on the burner because some dickhead in Moldavia can bypass your login?

    You want an internet-enabled thermostat? Great! But should some malicious asshole be able to turn off your heat in the dead of winter when you're on vacation, freezing your house and causing your water pipes to burst?

    Don't get me wrong- I think the overall idea of IoT is fascinating and holds great promise, but mark my words... like anything else it's gonna be abused too. Unfortunately I think it's going to take some major-league lawsuits before manufacturers start taking the security aspect of it seriously.

  • Internet traffic on the Vatican City grew 500% in 15 minutes.

The reason why worry kills more people than work is that more people worry than work.

Working...