MESSAGE
| DATE | 2015-09-10 |
| FROM | Ruben Safir
|
| SUBJECT | Subject: [LIU Comp Sci] Internt of things...
|
From owner-learn-outgoing-at-mrbrklyn.com Thu Sep 10 10:42:46 2015
Return-Path:
X-Original-To: archive-at-mrbrklyn.com
Delivered-To: archive-at-mrbrklyn.com
Received: by mrbrklyn.com (Postfix)
id 2B3DD16115E; Thu, 10 Sep 2015 10:42:46 -0400 (EDT)
Delivered-To: learn-outgoing-at-mrbrklyn.com
Received: by mrbrklyn.com (Postfix, from userid 28)
id 192CD161161; Thu, 10 Sep 2015 10:42:46 -0400 (EDT)
Delivered-To: learn-at-nylxs.com
Received: from mailbackend.panix.com (mailbackend.panix.com [166.84.1.89])
by mrbrklyn.com (Postfix) with ESMTP id 25F4016115E;
Thu, 10 Sep 2015 10:42:21 -0400 (EDT)
Received: from panix2.panix.com (panix2.panix.com [166.84.1.2])
by mailbackend.panix.com (Postfix) with ESMTP id 4B4781752D;
Thu, 10 Sep 2015 10:42:21 -0400 (EDT)
Received: by panix2.panix.com (Postfix, from userid 20529)
id 0E87E33C79; Thu, 10 Sep 2015 10:42:21 -0400 (EDT)
Date: Thu, 10 Sep 2015 10:42:21 -0400
From: Ruben Safir
To: hangout-at-nylxs.com, learn-at-nylxs.com
Subject: [LIU Comp Sci] Internt of things...
Message-ID: <20150910144220.GA8347-at-panix.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: owner-learn-at-mrbrklyn.com
Precedence: bulk
Reply-To: learn-at-mrbrklyn.com
May 27, 2014 -at- 2:56 PM 15,777 views
The Half-Baked Security Of Our 'Internet Of Things'
The Half-Baked Security Of Our 'Internet Of Things'
Kashmir Hill ,
Forbes Staff
Welcome to The Not-So Private Parts where technology & privacy collide
Follow on Forbes (2081)
It is a strange series of events that link two Armenian software
engineers; a Shenzen, China-based webcam company; two sets of new
parents in the U.S.; and an unknown creep who likes to hack baby
monitors to yell obscenities at children. “Wake up, you little
slut,” the hacker screamed at the top of his digital lungs last
summer when a two-year-old in Houston wouldn’t stir; she happened to
be deaf. A year later, a baby monitor hacker struck again yelling
obscenities at a 10-month-old in Ohio.
Both families were using an Internet-connected baby monitor made by
China-based Foscam. The hacker took advantage of a weakness in the
camera’s software design that U.S.-based Armenian computer engineers
revealed at a security conference in Amsterdam last April. As tech
behemoths Google and Apple announce plans to accelerate the development
of the Internet of Things, the tale is worth telling. It reveals much
about what we have to fear and what we must improve as more and more of
the devices in our lives become connected to the Internet, and to the
pranksters, spies, voyeurs and fraudsters who dwell there.
***
Sergey Shekyan, 36, and Artem Harutyunyan, 29, stand well over six feet
tall, though both spend a lot of their time sitting in front of
computers. Shekyan wears black glasses, talks earnestly, and strikes The
Thinker‘s pose when listening to others. Harutyunyan has wide eyes
underneath dark, heavy brows and seems older than 29 thanks to a
sprinkling of grey in his dark hair. They both have one-year-olds, born
three months apart. They have known each other since childhood; they
were neighbors in Yerevan, Armenia. After a devastating earthquake in
1988, Harutyunyan’s father, a civil engineer, brought an IBM IBM
+0.00% 286 home to work on new building designs. It was the first
computer in the apartment building, they recall.
Sergey Shekyan and Artem Harutyunyan
Sergey Shekyan and Artem Harutyunyan
The young neighbors both went on to study software engineering at
Armenia’s technical university. Both moved abroad after graduation,
Shekyan to a series of jobs in the San Francisco area where he developed
tools to automatically scan websites for vulnerabilities and to simulate
Denial of Service attacks, and Harutyunyan to Switzerland to work on
cloud computing at particle physics lab CERN. They reunited in the
summer of 2011, when Harutyunyan traveled to the Bay Area to teach at
Google GOOGL +0.16%’s Summer of Code. Shekyan heard his old neighbor
was in town through the Armenian expat network and invited him to his
Redwood City home for a BBQ. He wound up recruiting Harutyunyan to come
work for his then-employer, security firm Qualys QLYS -3.45%. (Shekyan
has since moved on to Shape Security.)
The two became neighbors again in 2012, Harutyunyan and his wife moving
into the condo next door to the Shekyans. “Every evening, we go to
one another’s house for a coffee or a cigarette,” says Shekyan.
That December, Shekyan decided to buy a baby monitor for Christmas for
his then three-month-old daughter. Many of his friends had raved about
their Foscams, showing him how they could bring up the feed from the IP
cameras on their iPhones and show him what was happening in their homes.
He snapped one up on Amazon — where it was the first hit for
“surveillance cam” — when he saw the price drop to $40. As
he waited for it to be delivered, he re-read the description on the
Amazon page – about the camera’s ability to send emails and text
messages – and he started to become skeptical. “A camera cannot
do all this for $40 and do it right,” he thought.
Recommended by Forbes
When it arrived, his and Harutyunyan’s nightly get-togethers turned
into hackfests. Their rule, to keep it challenging, was to only hack the
camera though its Web interface. “If someone has physical access to
your devices, you’re pwned,” says Harutyunyan. “We wanted to
see how easy they were to hack remotely.” They would put the kids to
bed and then start playing with the camera’s operating system,
seeing how easy it was to knock it offline by making connection requests
to it and seeing whether they could force the camera to accept software
updates from them.
“Normally when a manufacturer pushes a firmware update, they
cryptographically sign the update, and the device checks the signature
and will refuse the update if it doesn’t have the signature,”
says Sergey. “You can’t force an update on an iPhone, for
example. We figured out the Foscam will accept just about anything. But
it’ll brick.”
The two don’t self-describe as security engineers. They did this in
their spare time for fun. They were simply two new dads tinkering with a
camera. Yet this became a crucial part of Foscam’s security review.
They bricked more than 10 cameras, rendering them useless, and took
advantage of Amazon’s generous return policy to get new ones. They
also trawled through Foscam forums and security blogs, including a very
informative one from “Irish Jesus,” to see who had previously
done research on Foscam. They came across a French security researcher
who had discovered that anyone could sign into any Foscam with the
password “admin.”
Watch or Be Watched
They packaged their research into a presentation and submitted it to
“Hack In The Box,” a security conference in Amsterdam each
April. They called it, “To Watch Or To Be Watched: Turning Your
Surveillance Camera Against You.” Like most hacker conferences, it
was a chance to preen and show off one’s skills, and to network with
other security researchers. The conference paid for only one
presenter’s expenses, but Qualys was happy to pay to have Hauryunyan
go as well, as these conferences help build a firm’s reputation.
They planned to do a live demo of the hack at the conference, but
bricked the camera hours before they were to go on stage, so they wound
up playing video of them doing the hack instead. It didn’t make a
huge splash. There were a few articles about it on niche security blogs,
probably because the researchers talking about the ease of hacking
“IP cams” rather than the more-alarming “baby monitors.”
Reporters focused instead on a presentation about hacking airplanes with
an Android phone.
But a future baby-monitor hacker saw it. The presentation included
information about how the problem could be fixed, but it also included
the directions needed to exploit the vulnerability.
The Foscam’s distinctive shape (via ABC News)
Harutyunyan found out that the hack had happened in the real world four
months later as he prepared to give a talk about the vulnerability in
Seattle at an embedded devices security conference. He saw a news report
about a baby monitor getting hacked and recognized the distinct R2-D2
shape of a Foscam camera.
Shekyan and Harutyunyan didn’t have direct contact with Foscam,
though they had put information about the vulnerability in the
company’s user forums. “I’m sure the company doesn’t
read those, though,” says Harutyunyan. A French researcher had
disclosed the “admin” problem to the company earlier that year,
but Foscam didn’t release an update that fixed the problem until
June of 2013. And customers that were vulnerable would have needed to be
regular readers of the company’s blog posts in order to know about
it. There was no “BabyBleed” logo concocted. The Internet did
not go crazy about it like they did over Heartbleed as it affected many
fewer people — just tens of thousands.
***
Foscam ad in Singapore
Foscam ad in Singapore
Chase Rhymes, the recently-hired, Texas-based COO for Foscam’s U.S.
distribution arm, says Foscam didn’t have infrastructure in place to
warn customers. Based in China, its cheap IP-cams became popular fast in
the U.S., Canada and Europe, used to watch homes, babies, and elderly
parents. “The company made a mistake,” he says. “It had
grown really fast and didn’t have a marketing arm to come up with a
communication plan or talk to the media.”
Even though it was just two hacked cameras out of “over a million
out there,” according to Rhymes, the hacks hurt Foscam. The negative
publicity around the baby monitor cyberattacks caused a slump in sales
last year. And the family of the Texan toddler has plans to sue Foscam
for deceptive trade practices.
Rhymes is now doing all the talking for Foscam; there is still no easy
way to reach the Chinese manufacturer. Though Rhymes wasn’t with the
company when the hacks went down, he’s now responsible for
explaining them. “We wanted to give our customers the freedom to
keep it easy and not have to make their own password,” he says.
“But it wound up being costly to us and our brand. So now we’re
going to force them to customize their passwords.”
Another problem for the company in doing damage control when
vulnerabilities in its products are exposed is that it doesn’t have
a direct relationship with many customers, who buy their cameras from
resellers like Amazon or Best Buy. “If customers bought from a third
party they’re on an island and we can’t necessarily reach
them,” says Rhymes. It couldn’t send customers an email to tell
them to update their vulnerable systems. The company eventually did put
a warning up on the Foscam Web-interface that customers would visit to
set up their cameras, but people using a third-party service to watch
their camera feed — there are lots of apps available in the Apple
app store — would not necessarily visit that site ever again after
linking it to their chosen app. “We’ve reached out to the
resellers and the apps but we have no confirmation that they’ll
alert users,” says Rhymes. This is why the chief security officer of
the CIA’s venture firm In-Q-Tel thinks things connected to the
Internet need to be programmed to die or to ask for firmware updates on
a regular basis. Google-owned automated thermostat company Nest, for
example, does firmware updates automatically. That, of course, comes
with its own issues, when a company gets to make changes to a product in
your home without your input.
Foscam has since taken steps to fix things, beefing up their marketing
and security. “We thought we had a rigorous testing environment for
new products, but we’re going to add some new steps. We now have 8
people in China and 2 people in Houston who are running cameras, and
trying to breach and hack them,” says Rhymes. “We’ve
increased the size of the team and have a game plan going forward to do
more investigating and catch problems before they happen.”
Rhymes says Foscam plans to market a new product, specifically for
watching kids, called “Fosbaby.” They used to release new
products very quickly but now they’re delaying the roll-out, making
sure this one is secure before they start selling it to parents.
Rhymes is contrite but he also says that customers need to be aware that
technology evolves rapidly and that they need to be doing updates
regularly to stay safe. “People need to understand in technology
that firmware and software need to be updated periodically. I’m
hoping the people who have these products realize that,” says
Rhymes.
Rhymes still seems surprised that anyone would want to hack a baby
monitor in the first place. I ask if Foscam has any idea who the hacker
is; he still hasn’t been caught.
“That isn’t our main concern. We just want to keep it from
happening again,” says Rhymes. “It’s still a surprise to us
that someone would want to do that. I don’t know what motive they
have. It doesn’t compute with me.”
***
One of the problems in the emerging ‘Internet of Things’ is that
companies with no experience in Internet security are diving into the
space rapidly by adding connectivity to their devices. “This is not
a camera, it’s a computer,” says Harutyunyan. “But
they’re not designing it as a computer, they’re designing a
camera.”
Harutyunyan and Skekyan have not stopped hacking on Foscam. They found
another vulnerability with the camera’s DNS service in February that
would allow anyone to control what the camera connects to, meaning they
could be enslaved by a botnet and used in DDoS attacks. The two dads
didn’t know who to contact at the company, sending an email to a
generic “support” address. They emailed again after a week and
and were connected to engineers in China who didn’t think it was a
problem because it had been fixed in new devices. After some pushing,
the company released a manual update in May that would fix the issue on
older devices.
When I ask Rhymes who people should contact when they find a problem, he
doesn’t have a good answer though he does say he’s grateful for
their feedback. I tell him about bug bounty programs which pay rewards
to security researchers who find vulnerabilities in products; security
researcher Bryan Krebs has argued that they should be compulsory. Rhymes
has never heard about the concept. I tell him about new start-ups like
BugCrowd and Synack that offer this as a service to companies. He says
they sound interesting. “That’s a good idea,” he says.
“We need a lot of resources to do our own security testing.”
Harutyunyan says software will always have bugs and that perfect
security is impossible, but that some vendors are trying harder than
others. “It boils down to money,” says Harutyunyan. “The
reason why [Internet of Things] vendors are not doing security better is
that it’s cheaper not to do it. It’s expensive to build security
in. The shopper in Best Buy will buy the camera for $40 not the one
that’s $100. She doesn’t know or care about the security. There
will be more and more hacks, not just of cameras but of lots of things.
Eventually it will make people care, and it will be more expensive to be
insecure than secure.”
Shekyan thinks that there should be a rating system for security so an
uninformed shopper can make that part of their decision-making process,
and that there should be certain security standards so that a site
can’t fall to a simple script kiddie. “These are marketed as
security devices at Home Depot and Best Buy,” says Harutyunyan.
“You don’t expect them to have security problems.”
The government hasn’t issued any solid criteria for what it expects
from companies security-wise, though the Federal Trade Commission has
gone after the Wyndham hotel chain and IP cam maker Trendnet for making
it too easy for hackers to break into their systems. In response,
companies have complained that it’s unclear what that the FTC’s
expectations are for security practices.
“It’s going to be an issue with all of these connected
devices,” says Foscam’s Rhymes. “Hackers breaking into them
is not any different from a house being broken into even though the door
was locked. I can complain to the lock manufacturer, but they’ll say
the lock isn’t perfect. It doesn’t mean the company is bad or
the product is bad or that people shouldn’t have door locks. People
are going to keep getting these home automation products because the
benefits outweigh the risks. But when the lock is picked, we need to use
that as an opportunity to improve the locks moving forward.”
Harutyunyan agrees with him: “There’s no way to make an
unbreakable door. It will always be possible to break software, but
it’s a matter of price – is it expensive or cheap to break
it?”
There are things consumers can do to make themselves safer, such as
putting their connected devices behind Virtual Private Networks, or
VPNs. “But that’s not a normal consumer device. You need a
custom router with custom firmware and need to be a professional
computer person to set it up,” says Harutyunyan. “Even I
don’t have a VPN at home.”
Shekyan never did get a baby monitor for his daughter. “She just
sleeps with us.”
Gallery
Forrester: Top Technology Trends For 2014 And Beyond
Launch Gallery
10 images
http://www.forbes.com/sites/kashmirhill/2014/05/27/article-may-scare-you-away-from-internet-of-things/
|
|
