The uninvited Internet of things
Your editor recently moved house; part of that move involved carefully packing up the dust-covered household television set, gently transporting it to the new home, and lovingly moving it to its new location — followed by gracelessly dropping it on the floor while lifting it into place. The search for a replacement involved asking a salesman for a reasonable "non-smart" television, a request that was met with mirthful incredulity. It would appear that such things no longer exist; all televisions are built to be placed on the network now.
The abuses associated with "smart" televisions are well understood. They phone home to report on one's viewing habits. They have cameras and microphones to record the environment and send that data back home as well. This sort of antifeature was just not in your editor's vision for the new living room. The good news is that, with a WiFi-connected television, there are options. Control of the router can be used to limit the device's connectivity to the world. Or, as your editor did, one can simply ignore the device's plaintive whining and not connect it to the net at all.
Control over a device's connectivity gives a certain amount of control over its behavior. The "do not connect it at all" option is especially powerful. Amazingly, devices like washing machines, frying pans, ovens, doorknobs, etc. have worked for many years without a mothership to report to; many of them still will. Keeping them off the net can block a lot of unpleasantness.
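As an added illustration of the router-side option mentioned above (this ruleset is not part of the original article), here is an nftables configuration that leaves a WiFi-connected television on the LAN but drops and logs every attempt it makes to reach the Internet; the interface names and MAC addresses are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the article: quarantine "smart" devices on a home
# router running nftables. The devices keep LAN access (a local media box,
# for instance) but nothing they send is forwarded to the WAN, and each
# attempt is logged. Interface names and MAC addresses are placeholders.

define lan_if = "br-lan"
define wan_if = "eth0"

table inet iot_quarantine {
    # Link-layer addresses of the devices that must not reach the Internet.
    # Pin each one to a fixed DHCP lease; if a device randomises its MAC,
    # match "ip saddr" against that lease instead of "ether saddr".
    set quarantined {
        type ether_addr
        elements = { 00:11:22:33:44:55, 00:11:22:33:44:66 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Frames from a quarantined device that the router would route out of
        # the WAN interface: log them (kernel log / journal) and drop them.
        # LAN-to-LAN traffic on the same bridge never passes this hook, so the
        # device can still talk to local services.
        iifname $lan_if oifname $wan_if ether saddr @quarantined log prefix "iot-phone-home: " counter drop
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Also refuse to resolve names for them: otherwise the router's own
        # DNS forwarder would carry their lookups upstream on their behalf.
        iifname $lan_if ether saddr @quarantined udp dport 53 counter drop
        iifname $lan_if ether saddr @quarantined tcp dport 53 counter drop
    }
}
```

Load it with `nft -f <file>` and inspect `nft list table inet iot_quarantine`: the counters on the drop rules climb each time a quarantined device tries to phone home.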
Now consider this enthusiastic product placement on BoingBoing, which used to be a site that understood issues like privacy concerns. This particular blurb is promoting "Particle EtherSIM", which is intended to provide widespread connectivity to IoT devices. According to the text: "This is exciting and is going to open a lot of new possibilities for IoT".
One of those possibilities is certainly connectivity that is now completely outside of the control of the "owner" of these devices. The EtherSIM page is clear about this:
Over time, our cellular platform has become increasingly popular. The biggest reason for this is that cellular connectivity "just works". Wi-Fi devices have to be connected to the network by the user, which creates a lot of customer onboarding friction and often low connectivity rates (a lot of Wi-Fi devices never come online).
By putting a cellular modem and SIM directly in a device, the problem of it never coming online can be solved; it will be able to report home whether the "owner" wants it to or not. The vendor will retain control and will be able to, for example, disable the device at will. People who purchase such devices and bring them into their homes will not be able to control that connectivity; indeed, they may not ever even know that it exists.
This problem can already be seen in the area of automobiles, many of which have had their own cellular connectivity for some time. Tesla famously uses that link to track its cars, push software updates, and remotely disable features when cars are resold. Location data from many car brands is continuously fed upstream where it is put to any number of undisclosed uses, including being sold to military organizations. Some vendors give owners some control over this data stream; others explicitly do not.
Can there be any doubt that the purveyors of other connected devices will be attracted by network connectivity that does not require the customer's cooperation? The sorts of data streams that we see from cars now will soon be generated by household appliances, cameras, medical implants, lawn mowers, sex toys, water faucets, articles of clothing, and many other things that product designers are surely thinking of right now. These streams will not flow over networks we control; short of living in a Faraday cage, there will be little we can do about them. We have not begun to see the kinds of spectacular security issues, including surveillance, stalking, fraud, and repression, that will result.
The fact that most of these devices will be running Linux internally provides surprisingly little comfort, somehow.
What is to be done about this problem is far from clear. Legal approaches can be attempted; no device should phone home without explicit permission from its owner, for example. Perhaps someday we'll all have 5G femtocells that restore a bit of control within the home, at least. But getting this genie back into the bottle will not be an easy task; somehow we will need to find a way to live with it while retaining some control.
Posted Mar 26, 2021 17:01 UTC (Fri)
by josh (subscriber, #17465)
[Link] (8 responses)
Posted Mar 29, 2021 0:42 UTC (Mon)
by ringerc (subscriber, #3071)
[Link]
Ideally these devices would have a legally mandated physical RF kill switch on them.
Posted Mar 31, 2021 18:15 UTC (Wed)
by Seirdy (guest, #137326)
[Link]
Posted Apr 22, 2021 6:39 UTC (Thu)
by bernat (subscriber, #51658)
[Link] (5 responses)
Posted Apr 22, 2021 16:47 UTC (Thu)
by zlynx (guest, #2285)
[Link] (4 responses)
Anything used as a computer display should never include image processing. The computer's GPU can do that if necessary.
As for display of Bluray movies or similar, why? How do viewers reconcile complaints about The Hobbit looking weird at 48 FPS with auto-smoothing producing 240 FPS?
Posted Apr 22, 2021 17:25 UTC (Thu)
by bernat (subscriber, #51658)
[Link] (3 responses)
I am using Kodi and a Sony. Putting the Sony in "game mode" (to disable any processing) produces horrible results.
Posted Apr 22, 2021 17:56 UTC (Thu)
by mathstuf (subscriber, #69389)
[Link] (2 responses)
How does it look horrible there?
Posted Apr 22, 2021 18:55 UTC (Thu)
by bernat (subscriber, #51658)
[Link] (1 responses)
Posted Apr 22, 2021 19:28 UTC (Thu)
by mathstuf (subscriber, #69389)
[Link]
I have seen other TVs that do the interpolation stuff and I don't like it. It made everything have a feel like a soap opera (maybe it was the uncanny valley?) when upsampled to 120 Hz. Maybe content designed for that is better, but then it seems like I want it to just be dumb and not do the smart stuff.
I'll check the zoom settings.
Posted Mar 26, 2021 17:23 UTC (Fri)
by pbonzini (subscriber, #60935)
[Link]
Appliances are more scary, especially since they're quite expensive so it's quite appealing to add "premium" IoT features that actually make money for the producer and/or get you in a lock-in horror.
Posted Mar 26, 2021 18:05 UTC (Fri)
by excors (subscriber, #95769)
[Link] (9 responses)
Posted Mar 26, 2021 19:24 UTC (Fri)
by cozzyd (guest, #110972)
[Link]
Posted Mar 27, 2021 18:19 UTC (Sat)
by Wol (subscriber, #4433)
[Link] (7 responses)
That sounds like these are piggybacking uninvited on other peoples' internet.
As soon as they piggyback onto a metered connection, they're looking at criminal charges of "theft of electricity" (yes, I'm sure we've actually charged people with that over here ...), and as it's a company engaging in criminal behaviour the sparks will probably fly ...
Cheers,
Posted Mar 27, 2021 19:00 UTC (Sat)
by excors (subscriber, #95769)
[Link] (6 responses)
The protocol's bandwidth is so tiny that even if you've got thousands of devices connected to a single gateway, the gateway probably won't see more than a few MBs of traffic per day, so it's not going to be a practical problem for metered connections.
Posted Mar 27, 2021 21:44 UTC (Sat)
by Wol (subscriber, #4433)
[Link] (4 responses)
No. Informed consent is not opt-out. If you don't opt in, they can't do it.
Cheers,
Posted Mar 29, 2021 1:02 UTC (Mon)
by ringerc (subscriber, #3071)
[Link] (3 responses)
Posted Mar 29, 2021 9:57 UTC (Mon)
by farnz (subscriber, #17727)
[Link] (2 responses)
That is why GDPR requires you to separate out functionality from data collection, and to get consent for data collection after you get acceptance of other terms for functionality.
Posted Apr 1, 2021 21:00 UTC (Thu)
by khim (subscriber, #9252)
[Link] (1 responses)
Posted Apr 2, 2021 3:12 UTC (Fri)
by giraffedata (guest, #1954)
[Link]
It's an example of how clicking "I accept" on a 100-page contract of adhesion might not be considered informed consent.
Following that example, one could imagine a similar law to GDPR (or an extension of it) saying terms that allow automatic collection and transmission of personal information outside your house have to be separated out.
Posted Mar 28, 2021 14:36 UTC (Sun)
by Wol (subscriber, #4433)
[Link]
And metered connections charge by the MB, so it is a measurable cost ...
Cheers,
Posted Mar 26, 2021 18:21 UTC (Fri)
by dskoll (subscriber, #1630)
[Link]
I suspect that pretty soon, the only way to stop devices from connecting will be to go in and remove or disable the radio hardware, which is not something most people could do. And that might put the device in a snit and make it just stop working because it can't reach the mother ship. It's a real mess.
Posted Mar 26, 2021 18:34 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link] (40 responses)
Basically privacy is dead, get over it.
Posted Mar 26, 2021 19:17 UTC (Fri)
by dskoll (subscriber, #1630)
[Link] (34 responses)
Privacy is one concern, but with IoT you also have the possibility of attackers making your IoTs turn on you. Depending on just what exactly the "T" in IoT is, that could actually endanger your safety.
Posted Mar 26, 2021 20:09 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link] (33 responses)
Posted Mar 26, 2021 20:39 UTC (Fri)
by jebba (guest, #4439)
[Link] (7 responses)
Posted Mar 26, 2021 20:55 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link] (6 responses)
And for smaller devices with these kinds of connectivity (EtherSIM) the amount of bandwidth is too pitiful for any reasonable DDoS.
Posted Mar 27, 2021 15:44 UTC (Sat)
by tpo (subscriber, #25713)
[Link] (5 responses)
Posted Mar 27, 2021 16:45 UTC (Sat)
by Cyberax (✭ supporter ✭, #52523)
[Link] (4 responses)
Posted Mar 31, 2021 19:11 UTC (Wed)
by tpo (subscriber, #25713)
[Link] (1 responses)
However, in order for IoT to become like the electric grid it needs to become like the electric grid: extremely narrow in scope (it will deliver property X) and deliver its function in an extremely stable and reliable manner.
Today everything on the internet is *not* extremely narrow in scope. Plenty of the machines on the net *should* be, but really they are the exact opposite: they are complete Turing machines without any boundary to their function whatsoever. It only takes a signal to them (could be an exploit, a malfunction, or many other things) and they transform from narrow-scope, well-defined machines to arbitrarily repurposable universal machines.
When you have computers/machines/gadgets/tools that are not connected to the network of networks, that is - physically not reachable from the internet - then you can have some confidence that they will stay within their scope and work as intended.
Once they are connected however, at the current state of affairs, you can /not/ realistically and with confidence be sure that they will keep on working as intended.
My thesis is that at present engineering is *not* able to create connected machines that will keep working as intended.
I'd even say that the incentives are weighted extremely strongly *against* the creation of such non-weird machines:
* features, ...
I honestly have no idea how, under these current circumstances, an IoT can happen that will not result in recurring instability. I would be interested to know in case you or any reader would be willing to propose how to approach this side of the problem. (And the more entrenched IoT will be, the more far-reaching the consequences of those instabilities will be.)
Mostly autonomous systems could be an approach, however I'm under the impression that this idea has been a pipe dream so far and tech tends to diminish in diversity as it "matures" and to converge to centers of monopoly?
Posted Mar 31, 2021 19:16 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Apr 2, 2021 3:39 UTC (Fri)
by rgmoore (✭ supporter ✭, #75)
[Link] (1 responses)
The electrical grid didn't become mostly safe by happenstance. There's a huge amount of regulation that goes into ensuring it is as safe as possible, but it still sometimes kills people or starts massive wildfires. If we want the IOT to be as safe as the electricity that powers it, we're going to need a set of regulations as detailed as a modern electrical code. We're also going to need the equivalent of UL or ETL to test IOT devices before they can go on sale. That actually sounds like a great idea.
Posted Apr 2, 2021 3:52 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link]
It might take decades, though. Not that it's a bad thing, right now IoT is in too much of a flux anyway.
Posted Mar 26, 2021 21:03 UTC (Fri)
by jebba (guest, #4439)
[Link] (22 responses)
* Recording video cameras for blackmail.
* Recording to pick up account numbers or other financial info (e.g. bank accounts, blockchain accounts, ...).
* Industrial espionage.
* Using the gear to do blockchain mining. (You may suggest that IoT doesn't have the power, but a lot of small devices now even have "AI" processors for things like tensorflow).
* General freaking malice. Just go to 4chan for 3 minutes and realize these are the folks that will be looking to crack into these devices.
* Taking control of the device in some sort of ransomware (e.g. can't drive tesla until you send btc).
Just a few off the top of my head.
Posted Mar 26, 2021 21:06 UTC (Fri)
by jebba (guest, #4439)
[Link] (1 responses)
* Paid reverse-SEO services.
* Paid false persona services (e.g. they'd have a lot more "consumer" IPs to come from, and look legit to twitter).
Posted Mar 26, 2021 21:08 UTC (Fri)
by jebba (guest, #4439)
[Link]
Posted Mar 26, 2021 23:07 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link] (19 responses)
> * Recording to pick up account numbers or other financial info (e.g. bank accounts, blockchain accounts, ...).
Oh, and most people have very little money in their bank accounts (which is a sad thing in itself).
> * Industrial espionage.
> * Using the gear to do blockchain mining. (You may suggest that IoT doesn't have the power, but a lot of small devices now even have "AI" processors for things like tensorflow).
> * General freaking malice. Just go to 4chan for 3 minutes and realize these are the folks that will be looking to crack into these devices.
> * Taking control of the device in some sort of ransomware (e.g. can't drive tesla until you send btc).
> Just a few off the top of my head.
Posted Mar 27, 2021 3:22 UTC (Sat)
by nrdxp (guest, #142443)
[Link] (4 responses)
Just to be as explicit as possible, the problem is that it's the ultimate "viable business model" to completely dominate and control your subjects by force or subversion. I'll let you do the math on history, but insecure IoT systems are a dictator's fucking wet dream.
Human technology has advanced at a truly miraculous rate. Human behavior, it seems, is largely unaffected.
Posted Mar 27, 2021 3:24 UTC (Sat)
by Cyberax (✭ supporter ✭, #52523)
[Link] (3 responses)
> Just to be as explicit as possible, the problem is that it's the ultimate "viable business model" to completely dominate and control your subjects by force or subversion. I'll let you do the math on history, but insecure IoT systems are a dictator's fucking wet dream.
Posted Mar 27, 2021 20:13 UTC (Sat)
by leromarinvit (subscriber, #56850)
[Link]
Neither do I. But if your light switch can spy on you, that might be pretty interesting to dictators. Run speech recognition on everyone's audio, and - depending on capabilities and resources - look for trigger words or run some sort of AI on it to analyze what people are talking about. Have everything you classify as dangerous analyzed manually, and you'll get a nice list of people to watch more closely, disappear, or whatever suits your particular fancy.
Do IoT light switches have microphones? Most probably don't. But smart speakers seem to be pretty popular, and listening to everything you say is quite explicitly necessary to fulfill their very purpose.* And there have been cases of devices having a microphone that wasn't necessary for them to perform their intended function.
Do you disassemble every device you own to see what it can do that the manufacturer didn't tell you? I usually don't, and the prospect of not being able to trust random devices not to spy on me, even those not marketed as IoT, is frightening to me.
* I know they don't normally stream all audio somewhere else, but look for trigger words locally and only run (remote) speech to text on a short snippet around that. But since they have a mic and a network connection, in principle they all have the capability to be turned into 24/7 bugs.
Posted Apr 1, 2021 10:05 UTC (Thu)
by nim-nim (subscriber, #34454)
[Link] (1 responses)
> controlling everything you do and believe
that’s what advertising is about. Google and Facebook’s bread and butter. Controlling what you think and auctioning tiny parcels of that control to entities that want to get you to do things (be it buy XXX or vote for YYY).
The first step in manipulating someone has always been to know what that person thinks today, it used to take talented con artists, pervasive cloud monitoring is achieving the same result by dumb brute force.
Posted Apr 1, 2021 14:09 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
They care about targeting for advertisers. If anything, they prefer people to stay really diverse to complicate targeting for other competitors in the ad space. If everybody thinks the same then there's nothing to target.
This pervasively led to small groups of people isolating themselves in echo-chambers.
Posted Mar 27, 2021 3:38 UTC (Sat)
by Nahor (subscriber, #51583)
[Link] (5 responses)
What makes you think that? Film someone in a compromising situation (typically sex) and you can extort thousands of dollars from them. And given how email scams, which mostly affect the elderly, are profitable, it's hard to imagine how compromising videos wouldn't be, given the wider victim market.
That said, video recordings don't even have to be used for blackmail, they could just be sold. The pedophiles will have a field day.
>> * Recording to pick up account numbers or other financial info (e.g. bank accounts, blockchain accounts, ...).
It's not just about videos. Keyboards could be IoT devices. Microphones can record the sound of keys being pressed on said keyboards, which, combined with statistical analysis to figure out which keys match which sounds, allows for capturing passwords (https://en.wikipedia.org/wiki/Acoustic_cryptanalysis). Some radio devices might be coerced into recording electromagnetic fields to figure out what is being displayed on a monitor (https://en.wikipedia.org/wiki/Electromagnetic_attack). Even power consumption from a "smart power meter" could be used (https://en.wikipedia.org/wiki/Power_analysis).
> Oh, and most people have very little money in their bank accounts (which is a sad thing in itself).
So you're denying the existence of email scams.
>> * Industrial espionage.
First, with work-from-home, the difference between home and office gets very fuzzy. Second, IoT devices also exist in offices.
>> * Taking control of the device in some sort of ransomware (e.g. can't drive tesla until you send btc).
I'm not sure what your point is if you agree that smart TV and Teslas are valid examples. Just because some devices are not worth ransoming doesn't mean that IoT is now safe to use.
>> * General freaking malice. Just go to 4chan for 3 minutes and realize these are the folks that will be looking to crack into these devices.
News at 11: Script kiddies have "pretty high-level knowledge"
>> Just a few off the top of my head.
Then you must be tired. Seriously.
Posted Mar 27, 2021 4:01 UTC (Sat)
by Cyberax (✭ supporter ✭, #52523)
[Link] (4 responses)
> That said, video recordings don't even have to be used for blackmail, they could just be sold. The pedophiles will have a field day.
> It's not just about videos. Keyboards could be IoT devices. Microphone can record the sound of keys being pressed on said keyboards
> So you're denying the existence of email scams.
In reality email scams work because they require near-zero monetary and time investment from scammers. So even an occasional payout from a moron who really believes a Nigerian Prince is enough to keep them afloat. The same goes for computer ransomware.
Can you think of a criminal business model that these IoT devices would enable, and that doesn't require investment of time and money?
> If the light switch ransom is $2, one could be tempted to pay it, it's both faster (no need to have to go to the store or wait for the delivery, no need to find and wait for an electrician when one is not comfortable with electric wires) and cheaper
And again, I'm not saying that it's all great. I'm just saying that doomsday predictions of IoT-based collapse of everything are hugely overrated. We've had massive IoT deployment for one and a half decade by now, with barely any real global issues.
Posted Mar 27, 2021 9:41 UTC (Sat)
by rbtree (guest, #129790)
[Link] (3 responses)
This sounds way too complicated. No need to look for any cheaters.
One of my emails leaked somewhere and I get a lot of blackmail spam lately: "I got you jerking off on video and if you don't pay me XXX bucks I'll send it to your contacts. Here's my Bitcoin address, you have 24 hours."
Every email includes a unique Bitcoin address which you can look up in any search engine. Every single one of them received a few thousand dollars worth of payments.
Now imagine how much more credible these emails would get if they addressed you by your full name instead of simply "you", and had a link to the actual video.
Posted Mar 27, 2021 12:10 UTC (Sat)
by anselm (subscriber, #2796)
[Link] (1 responses)
That sort of threat is trivially countered by not jerking off in front of a camera in the first place. If you absolutely must do that sort of thing, at least put some gaffer tape over the lens!
Posted Mar 27, 2021 12:48 UTC (Sat)
by excors (subscriber, #95769)
[Link]
The blackmail-spammer doesn't need to actually find a clip of you doing something embarrassing - they could just show you an innocuous clip to prove they have access to your cameras, and then bluff about the less-innocuous clips they're going to release publicly. It seems plausible that would scare enough people who can't remember precisely what they did in front of every camera in their house over the past few years, to greatly increase the proportion who will pay instead of calling the bluff and dismissing it as meaningless spam.
Posted Mar 27, 2021 16:40 UTC (Sat)
by Cyberax (✭ supporter ✭, #52523)
[Link]
But once this happens a couple of times to your contacts, people will just get de-sensitized. Which probably will be a good thing in general for society.
Posted Mar 27, 2021 11:20 UTC (Sat)
by james (subscriber, #1325)
[Link] (3 responses)
In a judgement from the Court of Appeal in London earlier this year:
Obviously, his initial blackmail material was not gained through IoT hacking; my point is that blackmail using compromising photos and videos can happen, does happen, and ruins ordinary children's lives.
Posted Mar 27, 2021 16:48 UTC (Sat)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
Posted Mar 28, 2021 3:49 UTC (Sun)
by nickodell (subscriber, #125165)
[Link] (1 responses)
These are devices built by the lowest bidder, deployed by people who either don't understand or don't care about security. It would be surprising if they were secure.
Posted Mar 30, 2021 5:00 UTC (Tue)
by awetmore (subscriber, #6598)
[Link]
Posted Apr 2, 2021 2:47 UTC (Fri)
by lurk546 (guest, #17438)
[Link] (3 responses)
Posted Apr 2, 2021 3:13 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
Honestly, these attack scenarios all just seem to be right out of movies with Keanu Reeves.
Posted May 31, 2021 17:03 UTC (Mon)
by immibis (subscriber, #105511)
[Link] (1 responses)
Posted Jun 1, 2021 1:36 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Mar 27, 2021 0:08 UTC (Sat)
by dskoll (subscriber, #1630)
[Link]
Along with what others have mentioned, you could have a DDoS attack that goes wrong and causes unintended malfunction. Attackers' code can also be buggy.
Posted Mar 27, 2021 4:55 UTC (Sat)
by felixfix (subscriber, #242)
[Link]
Posted Mar 29, 2021 1:31 UTC (Mon)
by ringerc (subscriber, #3071)
[Link] (4 responses)
Powerful nations can potentially dispose of inconvenient brown people by having their own cars identify them for drone strikes.
Another issue is with abusive or violent ex partners. A "smart" home gives someone malicious a whole lot of potential access, especially when many of the devices were never built with security in mind and have not seen a security update for 5-10 years. Home cameras are the most obvious issue but far from the only one.
It's another handy way for thieves to determine when a home might be easy to raid too.
Individual bad actors don't need strong tech skills for this stuff. Look at how widespread snooping on poorly secured cameras became once it was possible to do with off-the-shelf devices or a simple kit and some ready-to-go software.
But for me the biggest one is that the vendor can "fix" my device however it likes.
Got eBooks on an ereader? If your device detects it has moved to a different country it might lock down or delete your books and refuse to let you read them because of regional licensing. This is already a thing. Now imagine that with ... everything. Moving internationally? Don't expect to bring any of your appliances or electronics with you.
$ourcompany made an agreement with $othercompany or were acquired by them, so we'll just push new functionality to the device and enable it whether or not the owner wants it enabled.
Did you like the way your TV could pause live feeds for up to 30 minutes due to its internal buffering feature, and use the same to skip over ads? It even uses its infrared presence detection capability to auto-pause if you got out of the room. The TV vendor got bought out by a company with advertising interests, so today your TV has a new "feature" where it detects ad segments and stops skipping ahead in order to force you to watch them. It detects if you get up and pauses the ads for you until you return, and uses gaze tracking to ensure you're looking at the TV. Enjoy your new features. You were "notified" and you "agreed," if you can call a popup screen that looks identical to the popup "accept new license terms" screen that appears every 3 days due to constant minor updates a genuine notification. They will, good luck arguing. Did I mention it now uses its imaging capabilities to identify how many people are in the room and who they are then reports that to the owner to be collated with the other data it creeps from you?
Congratulations, your scales now integrate with Google Fit! Oh, you didn't want that? Too bad. We shut down our previous services and the scales don't even work without a round-trip of data to a cloud server, so you'd better get used to Google creeping you. Even though you deliberately bought the last model you could find that didn't require Google Fit, and when you bought it it didn't require an Internet round-trip for basic features either, that "feature" was added in a remote push update without your consent or knowledge. Of course, for "security" it updated the signature database in the bootloader, so you can't roll back to an older version even if you could obtain an image of one. Your health insurer buys data from Google Fit and is now nagging you to get in shape or they'll raise your premiums.
Your front door lock does a remote firmware update that fails, leaving it inoperable, stuck locked or stuck unlocked. You never agreed to the update or knew it was happening.
Your front door lock gets a remote firmware update that adds support for Google Family to your lock, which previously used only its own NFC based app. Your abusive ex is still on your Google Family account, which you don't use anymore and forgot about. Your phone is signed into it through your Google account though, so the lock's app helpfully enables it automatically. You and your violent ex both get an email notification saying "you can now unlock your home with your google account!" You don't realise your ex got one so you ignore it, you're always getting pointless updates from your crap self-updating and adding or disabling features you don't want. The first you know of it is when he's unlocked the door with his phone and is inside.
You can't buy an air conditioner without remote control and monitoring from your power company anymore. You have a health condition that makes you quite ill when it's too hot, but your power company doesn't recognise it as a valid exemption so they turn your AC down or off automatically in high demand periods.
This is so far from just being a privacy issue.
Posted Mar 29, 2021 1:41 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link] (3 responses)
A TV that would force you to sit through ads will be dead on the market, etc.
The only item that is even close to being reality is power companies controlling appliances to balance the load, but even that is unlikely to happen because people will vote that down.
Posted Mar 29, 2021 3:29 UTC (Mon)
by rodgerd (guest, #58896)
[Link] (2 responses)
Pretty much any TV you can buy will, in fact, force you to sit through ads.
Posted Mar 29, 2021 5:01 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
Posted Mar 31, 2021 8:01 UTC (Wed)
by nhippi (subscriber, #34640)
[Link]
"Sometime in 2016 Samsung began pushing a software update to enable ads in the user interface of previously acquired Smart TVs as well as new TVs. The ads were shown above a new icon in the bottom menu."
Posted Mar 27, 2021 9:42 UTC (Sat)
by Max.Hyre (subscriber, #1054)
[Link] (3 responses)
We're doomed.
Posted Mar 29, 2021 6:39 UTC (Mon)
by motiejus (subscriber, #92837)
[Link] (2 responses)
Is there a good resource where I can filter out the "smart" ones? Bonus if it's suited for the European market.
Posted Mar 27, 2021 14:43 UTC (Sat)
by glasserc (subscriber, #108472)
[Link]
https://frame.work/blog/in-defense-of-dumb-tvs
They recommended a vendor called Sceptre. I guess it's too late to help our poor editor this time around, but maybe it will help someone else!
Posted Mar 28, 2021 13:56 UTC (Sun)
by pabs (subscriber, #43278)
[Link]
Posted Mar 28, 2021 18:41 UTC (Sun)
by amarao (guest, #87073)
[Link] (8 responses)
Basically, I'd like to see that selling food with asbestos is illegal, and selling appliances which perform data transmission without permission from the owner (with mandatory ability to inspect what is transmitted) just as illegal.
Moreover, every case where you have to permit it to use a feature should be considered as plausible intervention case for anti-monopoly watchdog.
Posted Mar 29, 2021 23:45 UTC (Mon)
by sjj (guest, #2020)
[Link] (7 responses)
Posted Mar 30, 2021 7:01 UTC (Tue)
by amarao (guest, #87073)
[Link] (1 responses)
The best proof I have is a real estate agent complaining that he needed to delete the whole archive of passport/ID copies he had stashed for all the years of curating sales agreements. I nodded understandingly, but it was pure joy of GDPR at work.
The main consequence of GDPR is that companies can't use dark patterns with non-obvious opt-out for nasty scraping. If someone wants to see your data at will, it's going to be visible, and easily declinable without losing desired functions.
Posted Mar 30, 2021 23:17 UTC (Tue)
by sjj (guest, #2020)
[Link]
Posted Mar 30, 2021 7:31 UTC (Tue)
by Wol (subscriber, #4433)
[Link] (3 responses)
And I think I'm about to have a battle with the local council, who now demand I create an account to access information they are legally obliged to ensure I receive ...
I think the whole attitude can be summed up as "we need to collect your information so we can protect it ...", the irony of which is obvious!
As somebody who has to comply with the GDPR? Okay, I'm small fry, but for me it's been great. I administer a snail/email address list for a local organisation, and it gave me the excuse to send out a whole bunch of "please reply or you'll be struck off our list" mails. I now have *proof* that people who receive our stuff actually want it. We're saving money in that it's encouraged people to change from snail to email, and it's helping people in that older people have been encouraged to switch from email to snail BECAUSE IT'S EASIER FOR *THEM*.
Cheers,
Posted Mar 30, 2021 9:22 UTC (Tue)
by james (subscriber, #1325)
Personally, I'd like to see rather more GDPR enforcement, and some case law on where the boundaries are. At the moment, I get the impression that too many companies are pushing the boundaries or just ignoring them.
Posted Mar 30, 2021 9:45 UTC (Tue)
by anselm (subscriber, #2796)
One of the main ideas behind the GDPR is to encourage companies (and other institutions) to store less data about people instead of more. The other idea is to force more transparency about why companies believe they need the data that they do store about people. Both of these are good things in principle.
Posted Mar 30, 2021 9:51 UTC (Tue)
by Wol (subscriber, #4433)
Posted Apr 9, 2021 5:55 UTC (Fri)
by nilsmeyer (guest, #122604)
Posted Apr 1, 2021 6:06 UTC (Thu)
by Nemo_bis (guest, #88187)
It's from https://2020.copyleftconf.org/ and the author is https://www.moddable.com/peter-hoddie .
Posted Apr 13, 2021 19:46 UTC (Tue)
by oldtomas (guest, #72579)
Posted Apr 13, 2021 19:48 UTC (Tue)
by corbet (editor, #1)
Posted Apr 14, 2021 13:01 UTC (Wed)
by oldtomas (guest, #72579)
A plausible approach would be to try each hotspot in turn, perhaps sorted by descending signal strength, until it succeeds in its attempts of phoning home.
Posted Apr 14, 2021 14:53 UTC (Wed)
by farnz (subscriber, #17727)
Every smart TV I've ever seen offers you an onscreen list of WiFi APs, and asks you to choose yours from the list. If it needs a PSK or similar, it then gives you a way to fill that in via the remote.
In practice, I suspect the "smart TVs that connect to a neighbour's AP" have never done that autonomously - instead, someone else with physical access has been prompted to connect to WiFi, and has chosen the open AP instead of the owner's AP.
Posted Apr 18, 2021 7:15 UTC (Sun)
by flussence (guest, #85566)
Posted Apr 16, 2021 4:09 UTC (Fri)
by csd (subscriber, #66784)
Posted Apr 16, 2021 5:08 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
* ... quick iteration and time to market, ...
* ... and ubiquity i.e. low price trump everything
* unreliable machines are not really a problem for the producer
* the more non-defined the better (the machine can be updated, features added after having been handed over from the producer, ...)
* how today's immensely voluminous software stack works is mostly a mystery
* weaponizable machines are an advantage
* this list goes on
For regular citizens? Not worth it.
You need to have a pretty good angle on the monitor and then watch (or use an AI) on hundreds of hours of video to find that one time the credentials were entered. Also defeated by 2FA.
Not for regular citizens.
You will never get a block even with millions of IoT devices. ASICs totally dominate the area. I guess you can mine Monero or some other shitcoin that is designed to be ASIC-resistant. In this case the increased power usage might be a problem, but likely minor.
Sure, but this would work only once and require a pretty high-level knowledge.
It may be worth it for Tesla and maybe for a SmartTV. But for a random light switch? Nope, it'll just get replaced.
I've thought about this area and I just can't see a viable "business model".
They actually do not. It's simply not profitable.
I don't know any dictatorship that was held up by lighting switches.
>For regular citizens? Not worth it.
>You need to have a pretty good angle on the monitor and then watch (or use an AI) on hundreds of hours of video to find that one time the credentials were entered. Also defeated by 2FA.
>Not for regular citizens.
>It may be worth it for Tesla and maybe for a SmartTV. But for a random light switch? Nope, it'll just get replaced.
But even for a light switch, it all depends on the amount being asked, same as for Tesla and TVs. I'd rather buy a new Tesla than pay a $200k ransom. If the light switch ransom is $2, one could be tempted to pay it: it's both faster (no need to go to the store or wait for the delivery, no need to find and wait for an electrician when one is not comfortable with electric wires) and cheaper (no need to buy the switch and pay the electrician). And while $2 may not be a lot, multiply that by the number of people who would be willing to pay the price of a coffee and it could be quite profitable as well; and given that the authorities won't bother investigating a $2 crime, it could be quite safe for the ransomers as well.
>Sure, but this would work only once and require a pretty high-level knowledge.
>I've thought about this area and I just can't see a viable "business model".
That would work if you can find a video with a mistress. But this would require manually sifting through tens of thousands of hours of boring videos. If you control cameras in the cheater's home and the mistress's home you might try to correlate the images, but this is unlikely to work.
Sure. But you can jump on Pornhub and watch thousands of livestreams, so the value of such videos will be limited.
This is all implausible. It would require a highly complicated setup and will still be defeated by 2FA.
Nope. I think you're way into the "Alice and Bob" security fairy tales.
Sure. And this would work, once or twice. Eventually consumers will switch (pun intended) to lighting switches that provide warranty (my LED lamp has a 10-year warranty, for example). This would force manufacturers to get more serious about security.
Now imagine how much more credible would these emails get if they addressed you under your full name instead of simply "you", and had a link to the actual video.
Jebba wrote that compromised IoT devices could be used for
Recording video cameras for blackmail.
Cyberax replied: For regular citizens? Not worth it.
It is, unfortunately, very much worth it for some people -- not for monetary gain, but sexual satisfaction.
... he pretended to be a young girl or boy and approached other young people online. Using his invented profile, he persuaded his victims, all of whom were residents of the United States, to disclose intimate photographs and videos of themselves to him. He then threatened that he would release the indecent images he had obtained unless they performed indecent acts or produced more indecent images for him.
It appears he would push the children to carry out more and more extreme acts under the threat of releasing the pictures he already had.
The Appellant knew what he was doing. He knew he was causing pain and distress; he could see it on the screen in front of him. His conduct was well thought through, complex, manipulative and highly effective. It went on for a prolonged period. As a minimum, as he said, he "got off on power".
Here this is an important point. You not only need a pervert who would want to prey on children, but also somebody who would be willing to burn an IoT vulnerability to do it. These vulnerabilities are not cheap.
Such as a device being left at the default password?
https://www.asmag.com/showpost/26498.aspx
Bruce Schneier can't find a car
In an interesting article on presidential security from the IoT, Bruce Schneier observes
In 2016, I tried to find a new car that didn’t come with Internet connectivity, but I had to give up: there were no options to omit that in the class of car I wanted.
Don't blame GDPR for the BBC "requiring" an account: that's entirely the BBC's doing. They were clear at the time they were doing it because they wanted to collect that data.
Copyleft of Things – Peter Hoddie – CopyleftConf 2020
https://commons.wikimedia.org/wiki/File:Copyleft_of_Thing...
Check your neighbor's WiFi hotspot, too
I've heard for a while that some devices will do that, but never seen any verified claims of a specific device selecting an unsecured AP on its own. In some places doing that might well be considered to be a violation of the law. Has anybody conclusively shown that this happens?
Soon the TV will be going the other way though, as there will be fewer and fewer non-streaming options, so is having it go encrypted through your wifi instead of cel that useful? You don't know what's going through that SSL-encrypted pipe either way. And if you try to block it, the provider can just tunnel it all through a VPN to a common endpoint that does not allow you to filter out portions of their traffic.
If your device needs connectivity to function, it needs connectivity to function. The big-brotherism and/or hackability are all equally true via cel or wifi.
Your only measure of control is to not use IoT devices (and soon TVs will truly fall into that category...).
Sorry to rain on this parade, the cel vs wifi is just a convenience thing, it doesn't really affect the privacy or security (again, outside of the TV of today).
That's actually not true for many switches and sensors. They can work just fine locally over ZigBee/ZWave or local WiFi.