
IoT "made in China"

Go to solution Solved by Sniperfox47,

For connected devices there's also the fact that the vast majority of them don't receive regular firmware updates. Most of the connected devices I've seen are built around a Linux core (Linux-powered cow milkers, for example), and every day new exploits are being found in the Linux kernel, just like there are for Windows.

 

Devices that don't receive regular updates, especially to the kernel itself, are left completely exposed to these threats, some of which give access to full arbitrary code execution on the device.

 

P.S. is it just me or does "Internet of Things" sound fucking stupid...

What do you folks think is the possibility that makers of smart devices could (even without the knowledge of the OEM) be putting back doors into fridges and toasters for botnets later? I mean... How do that many devices get compromised? Most of these devices are wireless and behind a firewall. Does anyone verify the software on these things? Or test for "extra" communication?

Just to clarify: I'm talking about the Chinese guy that puts the chips on the board. Not Samsung or LG.

https://linustechtips.com/topic/706056-iot-made-in-china/

Eh, could be. Just a few weeks ago they found that big bug on some cheap Chinese phones, from BLU I think it was. Don't buy cheap Chinese knockoffs. Other than that, the main reason IoT devices get hacked is because the companies that make them aren't tech/internet companies a lot of the time and don't understand the importance of fully securing the wireless connections.

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9020628

Your home firewall is literally irrelevant to everyone who you would actually want to keep out. 

 

Do I think there is a backdoor in my (hypothetical) smart fridge? Probably not, although it's certainly possible. I'd be much more concerned with other things -- like a potential kill switch in a car or vulnerabilities that the developers didn't anticipate.

 

1 minute ago, Spork829 said:

Eh, could be. Just a few weeks ago they found that big bug on some cheap Chinese phones, from BLU I think it was. Don't buy cheap Chinese knockoffs. Other than that, the main reason IoT devices get hacked is because the companies that make them aren't tech/internet companies a lot of the time and don't understand the importance of fully securing the wireless connections.

"bug" that just happened to send data back to China. 

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9020631

Why would you think a home router firewall is irrelevant? I mean, I have mine locked down pretty good, but why would that be the case for the average person?

I just don't see how they manage to get through millions of ISPs, email clients, firewalls, and then into the hardware of the fridge that requires a total reboot, all without the user getting alerted or slowing down/compromising the day-to-day performance of the device... But if there is something already inside... that unpacks, opens slowly... now it's a whole lot easier.

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9020635

2 minutes ago, djdwosk97 said:

Your home firewall is literally irrelevant to everyone who you would actually want to keep out. 

 

Do I think there is a backdoor in my (hypothetical) smart fridge? Probably not, although it's certainly possible. I'd be much more concerned with other things -- like a potential kill switch in a car or vulnerabilities that the developers didn't anticipate.

 

"bug" that just happened to send data back to China. 

Okay bug was the wrong word, put it there generally cause I couldn't remember what exactly the issue was :) 

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9020638

IoT brings in more vulnerabilities than it's really worth. Honestly, a better system would be a hardwired, internal network with no internet access.

 

 

2 minutes ago, JCBiggs said:

Why would you think a home router firewall is irrelevant? I mean, I have mine locked down pretty good, but why would that be the case for the average person?

Because if someone wants into your network, they're going to get in. Sure, a firewall can slow or stop inexperienced hackers, but at this point, those guys are busy finding minor exploits for companies like Microsoft.

It also doesn't do much for outgoing communications, especially if they're encrypted and disguised as part of normal operation.

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9020651

... China would be the primary culprit. So yes, made in China. (All those companies have made-in-China products.)

Do you think Apple inspects every CPU of every phone they sell? It's not hard for a major chip maker to hide something completely out of sight of even Apple. (Yes, that's an exaggeration, but it's still valid.) They could even hide hardware between layers of the PCB, or inside batteries. It isn't far-fetched. And if they can do it in a phone, imagine what they can do in a device people don't pick through with a fine-tooth comb.

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9020657

11 minutes ago, JCBiggs said:

Why would you think a home router firewall is irrelevant? I mean, I have mine locked down pretty good, but why would that be the case for the average person?

Your router in general does a pretty bad job at securing things in general for a couple reasons. First off, the VPN service that's built into a lot of routers lacks a lot of the security settings you would actually want, not to mention a lack of entropy for randomness in a LOT of routers. The built in firewall likely suffers from a similar lack of all the correct settings. Plus, there's the fact that the person you're afraid of will get past a cheap firewall anyway. It's like enabling MAC filtering -- it will only inconvenience you and the idiots you don't care about. Oh, and don't forget, your router is neglected by the company so it doesn't get all the bugs/exploits patched either. 

 

Speaking of, another major exploit was just found on Friday for Netgear routers: http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/

 

9 minutes ago, deXxterlab97 said:

Here are some Chinese companies:

  • Lenovo

Don't just tag everything "made in china" and claim it is harmful. In fact

 

Ummmm, I'm pretty sure Lenovo was the one who got a ton of shit for putting a backdoor into their laptops. 

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9020660

I wouldn't be surprised if IoT had some kind of beacon built in. That's all I'm sayin... Maybe they will figure out how to stop DDoS eventually regardless.

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9020687

2 hours ago, djdwosk97 said:

Your router in general does a pretty bad job at securing things in general for a couple reasons.

I disagree.

 

Of course, it is not a great solution like an ASA or Fortigate, but the mere fact that you are behind NAT protects you from far more things than you might imagine.

 

 

And yes, I absolutely believe that there are a bunch of backdoors in IoT devices. If Lenovo, a huge company with a reputation, is willing to do it, then I am sure some smaller Chinese company selling toasters is willing to do it too.

I don't think that's responsible for the majority of attacks though. It's far easier to get someone to run a suspicious email attachment than to get someone to buy your smart toaster.

 

 

As for companies checking the chips to see if someone has tampered with their chips, Apple is actually already doing that.

Quote

At least part of the driver for this is to ensure that the servers are secure. Apple has long suspected that servers it ordered from the traditional supply chain were intercepted during shipping, with additional chips and firmware added to them by unknown third parties in order to make them vulnerable to infiltration, according to a person familiar with the matter. At one point, Apple even assigned people to take photographs of motherboards and annotate the function of each chip, explaining why it was supposed to be there. Building its own servers with motherboards it designed would be the most surefire way for Apple to prevent unauthorized snooping via extra chips.

 

The NSA has also been caught intercepting shipments from Cisco to customers and modifying the firmware to include vulnerabilities before delivering them to the customers.

This has led to Cisco doing things like marking their packages with fake addresses, or having their customers pick the packets up at the distributor instead of relying on regular shipping.

 

China might be bad, but I am at least equally worried about products made in the US (and now the UK).

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9021074

What I am questioning is, for IoTs specifically, whether they are really backdoors, or more like software done on the cheap by hiring developers inexperienced in security (or outsourced on the cheap), and also not hiring any security experts due to cost and lack of care. Everything cut down on the cheap to maximize profits.

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9021820

9 hours ago, JCBiggs said:

What do you folks think is the possibility that makers of smart devices could (even without the knowledge of the OEM) be putting back doors into fridges and toasters for botnets later? I mean... How do that many devices get compromised? Most of these devices are wireless and behind a firewall. Does anyone verify the software on these things? Or test for "extra" communication?

Just to clarify: I'm talking about the Chinese guy that puts the chips on the board. Not Samsung or LG.

iT'S BEEN DONE. fRIDGES HAVE BEEN JOINED INTO bOTNETS :) 

 

SORRY FOR CAPS CBA TO TYPE AGAIN :P 

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9021828

I just can't see how Mirai gets into the hardware and does what it does. I mean, we are talking about devices with the horsepower of a calculator... and most of them are made in such a manner that they CAN'T be updated. But yet this malware gets in, finds a way to unpack, and runs in the background without killing performance of the device... that's just a bit far-fetched to me. I've seen the Mirai code, and read multiple studies on how it works... and there is nothing spectacular about the code. I mean... you could just block all the telnet ports (in your cheap routers) and it's essentially dead in the water.

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9021853
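One way to test for the "extra" communication and Telnet exposure raised in this thread, as an added example that is not from any poster: a script that reads router flow records and flags inventoried IoT devices that receive inbound Telnet, open Telnet connections outward, or contact destinations outside an expected allowlist. The log format, device inventory, allowlist and addresses (documentation ranges) are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: LAN address -> (device name, expected destinations
# as (network, port) pairs). Real values would come from the vendor's docs
# or from a baseline capture of the device.
INVENTORY = {
    "192.168.1.50": ("fridge", [("203.0.113.0/24", 443)]),
    "192.168.1.51": ("camera", [("198.51.100.10/32", 443)]),
}
TELNET_PORTS = {23, 2323}  # ports commonly used for Telnet on embedded devices
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed flow records: "src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
192.168.1.50 40112 203.0.113.7 443 tcp
192.168.1.51 51840 198.51.100.10 443 tcp
192.0.2.44 60233 192.168.1.51 23 tcp
192.168.1.51 39022 192.0.2.99 48101 tcp
192.168.1.51 39023 192.0.2.14 2323 tcp
garbage line
"""

def expected(dst, port, allow):
    """True if (dst, port) matches one of the device's allowlist entries."""
    return any(port == p and dst in ipaddress.ip_network(net) for net, p in allow)

def audit(flow_text):
    """Return {device name: sorted findings} for inventoried devices."""
    findings = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[2])
            dport = int(parts[3])
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if str(dst) in INVENTORY and src not in LAN and dport in TELNET_PORTS:
            # Telnet reachable from outside the LAN (e.g. a forwarded port).
            name = INVENTORY[str(dst)][0]
            findings[name].add(f"inbound telnet from {src} to port {dport}")
        elif str(src) in INVENTORY and dst not in LAN:
            name, allow = INVENTORY[str(src)]
            if dport in TELNET_PORTS:
                # A device opening Telnet to the internet behaves like a scanner.
                findings[name].add(f"outbound telnet to {dst}:{dport}")
            elif not expected(dst, dport, allow):
                findings[name].add(f"unexpected destination {dst}:{dport}")
    return {name: sorted(items) for name, items in findings.items()}

if __name__ == "__main__":
    for device, items in audit(SAMPLE_FLOWS).items():
        print(device, items)
```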

1 minute ago, JackHubbleday said:

iT'S BEEN DONE. fRIDGES HAVE BEEN JOINED INTO bOTNETS :) 

 

SORRY FOR CAPS CBA TO TYPE AGAIN :P 

Well, Microsoft wants to put Cortana on fridges, and other IoT devices, to make a smart home/kitchen.

http://www.theverge.com/2016/12/13/13935136/microsoft-cortana-windows-10-iot-devices

So just imagine this smart home stuff gets cheaper and more common in the household, and a security flaw is discovered (or a backdoor is implemented) allowing a hacker or government(s) or police to spy on people. This is the same story with Amazon and Google smart home stuff. And no, I am not doing a tin foil hat joke. As long as humans develop software, nothing will be perfect, and with hackers trying to find flaws for misuse, they'll try and find a flaw and exploit it.

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9021866

27 minutes ago, GoodBytes said:

Well, Microsoft wants to put Cortana on fridges, and other IoT devices, to make a smart home/kitchen.

http://www.theverge.com/2016/12/13/13935136/microsoft-cortana-windows-10-iot-devices

So just imagine this smart home stuff gets cheaper and more common in the household, and a security flaw is discovered (or a backdoor is implemented) allowing a hacker or government(s) or police to spy on people. This is the same story with Amazon and Google smart home stuff. And no, I am not doing a tin foil hat joke. As long as humans develop software, nothing will be perfect, and with hackers trying to find flaws for misuse, they'll try and find a flaw and exploit it.

I don't disagree lol

 

But IDC if the government knows I have eggs and juice in my fridge :P

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9021953

I do care if the government knows how many eggs and juice I have in my fridge, because it's none of their business.

I wish I was a billionaire with money to blow... I'd create a security company from hell.

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9021963

36 minutes ago, JackHubbleday said:

I don't disagree lol

 

But IDC if the government knows I have eggs and juice in my fridge :P

No, it is more turning on the mic and listening to conversations. It can be used to stalk someone, governments (all countries) and police can use it without a warrant, and more. I mean, you can't break the mic...as you would want to go "Hey Cortana, show me the recipe of Jack's Famous Spicy Tree Log with Ostrich Eggs".. I mean that is the point of a smart home... where you have different devices monitoring you, to do things for you, and you can give commands to set things.

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9022072

6 minutes ago, JCBiggs said:

the question is how do you stop it... permanently. 

Well, you can't... besides not having Internet and no smart home.

But what can be done is companies (including car companies) make serious investments in security and have a fully skilled and highly knowledgeable developer team. And perhaps some independent firm, similar to the ESRB in the US and Canada, where the industry monitors itself, but instead of age recommendations it is focused on security checks of systems (IoTs and other smart home devices, cars, etc.), where there is no governmental influence. This would add a considerable barrier... but it will probably delay the release of products, which is probably going to complicate things in having such an organization funded, especially cost.

https://linustechtips.com/topic/706056-iot-made-in-china/#findComment-9022104