• We have updated the guidelines regarding posting political content: please see the stickied thread on Website Issues.

Hacking Homes & Appliances: Risks In The Internet Of Things (IoT)

maximus otter

Recovering policeman
Joined
Aug 9, 2001
Messages
13,848
It’s no secret that the Internet of Things is full of insecure gadgets. All you need is one high profile incident to be flooded with terrifying headlines about how everything from robotic vacuum cleaners to smart sex toys can be hacked to spy on you. However, apparently some devices like Smarter’s IoT coffee machine can also be reprogrammed to go haywire and demand ransom from unsuspecting users.

This week, Martin Hron, a researcher with the security firm Avast, reverse engineered a $250 Smarter coffee maker as part of a thought experiment to potentially uncover an important flaw in the infrastructure of smart devices.


“I was asked to prove a myth, call it a suspicion, that the threat to IoT devices is not just to access them via a weak router or exposure to the internet, but that an IoT device itself is vulnerable and can be easily owned without owning the network or the router,” he wrote in a blog post detailing his methods.

His experiment was a success: After a week of tinkering, he effectively turned the coffee maker into a ransomware machine. When the user tries to connect it to their home network, it triggers the machine to turn on the burner, spew hot water, endlessly spin the bean grinder, and display a pre-programmed ransom message while beeping incessantly. The only way to get it to stop? Unplugging your now seemingly possessed coffee maker entirely.

“It was done to point out that this did happen and could happen to other IoT devices,” Hron said in an Ars Technica interview.

Hron discovered that the coffee maker acts as a wifi access point and uses an unencrypted connection to link to its corresponding smartphone app, which is how the user interacts with their machine and hooks it up to their home wifi network. The app also pushes out firmware updates, which the machine received with “no encryption, no authentication, and no code signing,” pers Ars Technica, providing an easy exploit.

Upon learning this, he uploaded the Android app’s latest firmware version to a computer and reverse engineered it using IDA, an interactive disassembler and staple in any reverse engineer’s toolkit. The process also required disassembling the coffee maker to learn what CPU it used. Armed with this information, he wrote a Python script that mimicked the coffee maker’s update process to implement the modified firmware and lines of script that actually trigger it to go haywire.

https://gizmodo.com/this-hacked-coffee-maker-demands-ransom-and-demonstrate-1845191662

maximus otter
 
Seeing the filtered facts of the case laid-out in black& white like this, I think there are grounds to expect that this particular percolater acted totally out of character: I don't think it would've normally espressoed itself this way.

As a lifelong IT guy, I have sworn that none of my appliances will ever be connected to a
Ok, I can see why you'd traditionally have concerns. But in principle, properly-configured IoT appliances should be as secure as any other networked asset.

The world of Local Area Networks is moving inexorably towards the applied concept of Zero Trust Networking. It fully-recognises that a reliance upon perimeter security (either at the corporate edge with firewalls, or distributively at the workgroup/ core switchport level) is flawed and futile. Depth security is ensuring that even compromised credentials, spoofed multifactor authentication and falsified certificates are no match for the way network security is headed.

Innovations exemplified by manufacturers such as Cisco, with its highly-effective ISE (Identity Services Engine) and Stealthwatch are tying-down all possible loopholes and exploits that previously represented major security threats for data networking.

The rapid development of Software Defined Networking reflects and compliments the huge progress already made towards total virtualisation within data server architectures.

But if you own a casino....at present you should probably ensure your aquarium pump is only connected to the electricity socket
 
Last edited:
ibid....
<irony>
2020-09-29 04.27.10.png

<\irony>
 
Ok, I can see why you'd traditionally have concerns. But in principle, properly-configured IoT appliances should be as secure as any other networked asset.
I agree completely. Wake me up when this becomes a widespread reality :)
 
I find the IoT as puerile and unnecessary as I find it disturbing. People who buy these products deserve to be murdered by them.
 
Newly reported research demonstrates that a robotic vacuum cleaner using laser-based Lidar for navigation can be hacked to serve as a microphone 'bug' capturing sounds which can be deciphered with at least 90% accuracy.
Popular Robotic Vacuum Cleaners Can Be Remotely Hacked to Act As Microphones

A team of researchers demonstrated that popular robotic household vacuum cleaners can be remotely hacked to act as microphones.

The researchers — including Nirupam Roy, an assistant professor in the University of Maryland’s Department of Computer Science — collected information from the laser-based navigation system in a popular vacuum robot and applied signal processing and deep learning techniques to recover speech and identify television programs playing in the same room as the device.

The research demonstrates the potential for any device that uses light detection and ranging (Lidar) technology to be manipulated for collecting sound, despite not having a microphone. This work ... was presented at the Association for Computing Machinery’s Conference on Embedded Networked Sensor Systems (SenSys 2020) on November 18, 2020. ...

“We welcome these devices into our homes, and we don’t think anything about it,” said Roy ... “But we have shown that even though these devices don’t have microphones, we can repurpose the systems they use for navigation to spy on conversations and potentially reveal private information.”

The Lidar navigation systems in household vacuum bots shine a laser beam around a room and sense the reflection of the laser as it bounces off nearby objects. The robot uses the reflected signals to map the room and avoid collisions as it moves through the house. ...

The researchers were unsure if a vacuum bot’s Lidar system could be manipulated to function as a microphone and if the signal could be interpreted into meaningful sound signals. ...

First, the researchers hacked a robot vacuum to show they could control the position of the laser beam and send the sensed data to their laptops through Wi-Fi without interfering with the device’s navigation.

Next, they conducted experiments with two sound sources. One source was a human voice reciting numbers played over computer speakers and the other was audio from a variety of television shows played through a TV sound bar. Roy and his colleagues then captured the laser signal sensed by the vacuum’s navigation system as it bounced off a variety of objects placed near the sound source ... — items that might normally be found on a typical floor.

The researchers passed the signals they received through deep learning algorithms that were trained to either match human voices or to identify musical sequences from television shows. Their computer system, which they call LidarPhone, identified and matched spoken numbers with 90% accuracy. It also identified television shows from a minute’s worth of recording with more than 90% accuracy. ...

FULL STORY: https://scitechdaily.com/popular-ro...can-be-remotely-hacked-to-act-as-microphones/

RESEARCH REPORT:
Spying with your robot vacuum cleaner: eavesdropping via lidar sensors
Sriram Sami, Yimin Dai, Sean Rui Xiang Tan, Nirupam Roy and Jun Han, November 2020, ACM SenSys 2020.
DOI: 10.1145/3384419.3430781

FULL RESEARCH REPORT (PDF Format):
https://dl.acm.org/doi/pdf/10.1145/3384419.3430781
 
I find the IoT as puerile and unnecessary as I find it disturbing. People who buy these products deserve to be murdered by them.
Apart from the people for whom they're genuinely life-enhancing (eg people with disabilities)? I agree, however, about able-bodied people dressed in expensive sportswear who won't walk three feet to switch the light on. I know someone who bought a new-build flat which was already fully rigged out with smart-connected tech, but he soon stopped using most of it apart from the heating and the oven (he lives alone and has unpredictable work hours, so it's useful to be able to activate it all when he leaves work and come home to a warm house and pre-prepared casserole.) The rest though is largely useless, to him.
 
Dad bought an electric fire with a remote.

He now keeps losing the remote. (as you do)

I think he should have bought something different
 
In the Internet of Things there's no limit to the things hackers can exploit or deny you until you meet their demands. Gentlemen, be advised this could include your genitals ...
‘Your Cock Is Mine Now:’ Hacker Locks Internet-Connected Chastity Cage, Demands Ransom

Turns out giving an internet-connected device control of your penis may not be the best idea ever.

A hacker took control of people's internet-connected chastity cages and demanded a ransom to be paid in Bitcoin to unlock it.

"Your cock is mine now," the hacker told one of the victims, according to a screenshot of the conversation obtained by a security researcher that goes by the name Smelly and is the founder of vx-underground, a website that collects malware samples.

In October of last year, security researchers found that the manufacturer of an Internet of Things chastity cage—a sex toy that users put around their penis to prevent erections that is used in the BDSM community and can be unlocked remotely—had left an API exposed, giving malicious hackers a chance to take control of the devices. That's exactly what happened, according to a security researcher who obtained screenshots of conversations between the hacker and several victims, and according to victims interviewed by Motherboard.

A victim who asked to be identified only as Robert said that he received a message from a hacker demanding a payment of 0.02 Bitcoin (around $750 today) to unlock the device. He realized his cage was definitely "locked," and he "could not gain access to it."

"Fortunately I didn’t have this locked on myself while this happened," Robert said in an online chat.

"I wasn’t the owner of the cage anymore so I didn’t have full control over the cage at any given moment," another victim who goes by the name RJ told Motherboard in an online chat. RJ said he got a message from the hacker, who said they had control of the cage and wanted a payment to unlock it. ...

FULL STORY: https://www.vice.com/en/article/m7a...ternet-connected-chastity-cage-demands-ransom
 
Last edited:

Marketplace season 46 ep. 2 : "White hat" hackers hack people's high tech home security devices to show how easily someone with know-how can hack into your home if you have your home connected to the internet.

Scary. I tend to lock myself out and go over to my neighbours to get my other set of keys to let myself in. I enjoy doing things the hard way. lol
 
Some old style hacking of pneumatic tubes.

IT'S ALL TOO common to find hackable flaws in medical devices, from mammography machines and CT scanners to pacemakers and insulin pumps. But it turns out that the potential exposure extends into the walls: Researchers have found almost a dozen vulnerabilities in a popular brand of pneumatic tube delivery system that many hospitals use to to carry and distribute vital cargo like lab samples and medicine.

Pneumatic tubes may seem like wonky and antiquated office tech, more suited to The Hudsucker Proxy than a modern-day health care system. Yet they're surprisingly common. Swisslog Healthcare, a prominent medical-focused pneumatic tube system maker, says that more than 2,300 hospitals in North America use its “TransLogic PTS” platform, as do 700 more elsewhere in the world. The nine vulnerabilities that researchers from the embedded device security company Armis found in Swisslog's Translogic Nexus Control Panels, though, could let a hacker take over a system, take it offline, access data, reroute deliveries, or otherwise sabotage the pneumatic network. ...

https://www.wired.com/story/pneumatic-tubes-hospitals-hacking/
 
I have heard writer Jamie Bartlett predict that hacker terrorists will attempt to turn people's thermostats up to 200 degrees Celsius to try and start house fires.
 
I think my thermostat would struggle to go over 40 celcius.
 
Ok, I can see why you'd traditionally have concerns. But in principle, properly-configured IoT appliances should be as secure as any other networked asset.

It's not even the traditional "tech person doesn't want a smart home because they know it's unsecured". I don't like where the intended, 'legitimate' design choices are going. I don't want the data harvesting. I don't want to pay for a subscription for functionality of something I've bought, and you have to deal with that often enough. I don't want a firmware update that alters features I even just enjoy, or disables something because someone wants me to get a new one, or otherwise modify my behavior for whatever silly reason they have (and you get enough of that on website feature design changes).
It's to keep the creep of society out of your personal space. You can't stop it, so you have to manage it.
 
I know I don't want a 'smart' home. About the only appliances I have (apart from a PC) that are 'smart' are my new phone (which is mostly kept switched off) and my 3 TVs (which I never keep on standby).
My LG TV even has a voice activated remote. I used that once out of curiosity and then removed the batteries.
Not getting an Echo or Alexa. I have Cortana turned off. My webcams are taped up.
There is now too much stuff even for a techy like me to handle. I wish things were simpler.

And now my Mum wants to get on the Internet...
 
In a rare joint announcement, FBI Director Christopher Way and MI 5 Director General Ken McCallum has issued a dire warning that China is trying to hack or steal anything they can get their hands on whether business or personal.

These two men claim China’s hacking efforts may be more serious than Russia’s war effort.
 
In a rare joint announcement, FBI Director Christopher Way and MI 5 Director General Ken McCallum has issued a dire warning that China is trying to hack or steal anything they can get their hands on whether business or personal.

These two men claim China’s hacking efforts may be more serious than Russia’s war effort.
They've been up to these tricks for years, but only now do they bring it up?
 
It’s no secret that the Internet of Things is full of insecure gadgets. All you need is one high profile incident to be flooded with terrifying headlines about how everything from robotic vacuum cleaners to smart sex toys can be hacked to spy on you. However, apparently some devices like Smarter’s IoT coffee machine can also be reprogrammed to go haywire and demand ransom from unsuspecting users.

This week, Martin Hron, a researcher with the security firm Avast, reverse engineered a $250 Smarter coffee maker as part of a thought experiment to potentially uncover an important flaw in the infrastructure of smart devices.


“I was asked to prove a myth, call it a suspicion, that the threat to IoT devices is not just to access them via a weak router or exposure to the internet, but that an IoT device itself is vulnerable and can be easily owned without owning the network or the router,” he wrote in a blog post detailing his methods.

His experiment was a success: After a week of tinkering, he effectively turned the coffee maker into a ransomware machine. When the user tries to connect it to their home network, it triggers the machine to turn on the burner, spew hot water, endlessly spin the bean grinder, and display a pre-programmed ransom message while beeping incessantly. The only way to get it to stop? Unplugging your now seemingly possessed coffee maker entirely.

“It was done to point out that this did happen and could happen to other IoT devices,” Hron said in an Ars Technica interview.

Hron discovered that the coffee maker acts as a wifi access point and uses an unencrypted connection to link to its corresponding smartphone app, which is how the user interacts with their machine and hooks it up to their home wifi network. The app also pushes out firmware updates, which the machine received with “no encryption, no authentication, and no code signing,” pers Ars Technica, providing an easy exploit.

Upon learning this, he uploaded the Android app’s latest firmware version to a computer and reverse engineered it using IDA, an interactive disassembler and staple in any reverse engineer’s toolkit. The process also required disassembling the coffee maker to learn what CPU it used. Armed with this information, he wrote a Python script that mimicked the coffee maker’s update process to implement the modified firmware and lines of script that actually trigger it to go haywire.

https://gizmodo.com/this-hacked-coffee-maker-demands-ransom-and-demonstrate-1845191662

maximus otter
I just bought a new washer dryer tower unit that insists I set up an app on my phone "for trouble shooting" and I had already decided I would not do that. It is bad enough that my "old" washer (only 5 years old but replaced because of space issues) won't work if one of the hoses has no water pressure. And to reset that it is such a weird contortion that may or may not work, I am missing the old washer from the 80's.
 
Back
Top