Skip to content

IT News

This is Why People Fear the ‘Internet of Things’

IoT Spy

Quote

Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt.

This is the nightmare “Internet of Things” (IoT) scenario for any system administrator: The IP cameras that you bought to secure your physical space suddenly turn into a vast cloud network designed to share your pictures and videos far and wide. The best part? It’s all plug-and-play, no configuration necessary!

I first became aware of this bizarre experiment in how not to do IoT last week when a reader sent a link to a lengthy discussion thread on the support forum for Foscam, a Chinese firm that makes and sells security cameras. The thread was started by a Foscam user who noticed his IP camera was noisily and incessantly calling out to more than a dozen online hosts in almost as many countries.

Turns out, this Focscam camera was one of several newer models the company makes that comes with peer-to-peer networking capabilities baked in. This fact is not exactly spelled out for the user (although some of the models listed do say “P2P” in the product name, others do not).

But the bigger issue with these P2P -based cameras is that while the user interface for the camera has a setting to disable P2P traffic (it is enabled by default), Foscam admits that disabling the P2P option doesn’t actually do anything to stop the device from seeking out other P2P hosts online (see screenshot below).

This is a concern because the P2P function built into Foscam P2P cameras is designed to punch through firewalls and can’t be switched off without applying a firmware update plus an additional patch that the company only released after repeated pleas from users on its support forum.
Yeah, this setting doesn’t work. P2P is still enabled even after you uncheck the box.

One of the many hosts that Foscam users reported seeing in their firewall logs was iotcplatform.com, a domain registered to Chinese communications firm ThroughTek Co., Ltd. Turns out, this domain has shown up in firewall logs for a number of other curious tinkerers who cared to take a closer look at what their network attached storage and home automation toys were doing on their network.

In January 2015, a contributing writer for the threat-tracking SANS Internet Storm Center wrote in IoT: The Rise of the Machines that he found the same iotcplatform.com domain called out in network traffic generated by a Maginon SmartPlug he’d purchased (smart plugs are power receptacles into which you plug lights and other appliances you may wish to control remotely).

….

“The details about how P2P feature works which will be helpful for you understand why the camera need communicate with P2P servers,” Qu explained. “Our company deploy many servers in some regions of global world.” Qu further explained:

1. When the camera is powered on and connected to the internet, the camera will log in our main P2P server with fastest response and get the IP address of other server with low load and log in it. Then the camera will not connect the main P2P server.

2. When log in the camera via P2P with Foscam App, the app will also log in our main P2P server with fastest response and get the IP address of the server the camera connect to.

3. The App will ask the server create an independent tunnel between the app and the camera. The data and video will transfers directly between them and will not pass through the server. If the server fail to create the tunnel, the data and video will be forwarded by the server and all of them are encrypted.

4. Finally the camera will keep hearbeat connection with our P2P server in order to check the connection status with the servers so that the app can visit the camera directly via the server. Only when the camera power off/on or change another network, it will replicate the steps above.”

As I noted in a recent column IoT Reality: Smart Devices, Dumb Defaults, the problem with so many IoT devices is not necessarily that they’re ill-conceived, it’s that their default settings often ignore security and/or privacy concerns. I’m baffled as to why such a well-known brand as Foscam would enable P2P communications on a product that is primarily used to monitor and secure homes and offices.

Apparently I’m not alone in my bafflement. Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI), called the embedded P2P feature “an insanely bad idea” all around.

“It opens up all Foscam users not only to attacks on their cameras themselves (which may be very sensitive), but an exploit of the camera also enables further intrusions into the home network,” Weaver said.

Windows 10 forced update KB 3135173 changes browser and other defaults

Quote

“The cumulative update not only knocks out PCs’ default settings, it prevents users from resetting them”

If you have Chrome as the default browser on your Windows 10 computer, you’d better check to make sure Microsoft didn’t hijack it last week and set Edge as your new default. The same goes for any PDF viewer: A forced cumulative update also reset PDF viewing to Edge on many PCs.

Do you use IrfanView, Acdsee, Photoshop Express, or Elements? The default photo app may have been reset to — you guessed it — the Windows Photos app. Music? Video? Microsoft may have swooped down and changed you over to Microsoft Party apps, all in the course of last week’s forced cumulative update KB 3135173 .
….
How many times does this have to happen before Microsoft separates security and non-security patches, and give us tools to block or delay patches? As long as Microsoft’s patching bugs are relatively minor, there’s little incentive to give us the tools we need. The day we get a really bad, crippling patch, there’ll be tar and feathers.

Better IDEA: Just saw NO to Windows 10

‘Error 53’ fury mounts as Apple software update threatens to kill your iPhone 6

iphone bricked

Quote

It’s the message that spells doom and will render your handset worthless if it’s been repaired by a third party. But there’s no warning and no fix

Thousands of iPhone 6 users claim they have been left holding almost worthless phones because Apple’s latest operating system permanently disables the handset if it detects that a repair has been carried out by a non-Apple technician.

Relatively few people outside the tech world are aware of the so-called “error 53” problem, but if it happens to you you’ll know about it. And according to one specialist journalist, it “will kill your iPhone”.
Apple says iPhone ‘Error 53′ is to protect customers’ security

The issue appears to affect handsets where the home button, which has touch ID fingerprint recognition built-in, has been repaired by a “non-official” company or individual. It has also reportedly affected customers whose phone has been damaged but who have been able to carry on using it without the need for a repair.

But the problem only comes to light when the latest version of Apple’s iPhone software, iOS 9, is installed. Indeed, the phone may have been working perfectly for weeks or months since a repair or being damaged.

After installation a growing number of people have watched in horror as their phone, which may well have cost them £500-plus, is rendered useless. Any photos or other data held on the handset is lost – and irretrievable.

Tech experts claim Apple knows all about the problem but has done nothing to warn users that their phone will be “bricked” (ie, rendered as technologically useful as a brick) if they install the iOS upgrade.

Freelance photographer and self-confessed Apple addict Antonio Olmos says this happened to his phone a few weeks ago after he upgraded his software. Olmos had previously had his handset repaired while on an assignment for the Guardian in Macedonia. “I was in the Balkans covering the refugee crisis in September when I dropped my phone. Because I desperately needed it for work I got it fixed at a local shop, as there are no Apple stores in Macedonia. They repaired the screen and home button, and it worked perfectly.”

He says he thought no more about it, until he was sent the standard notification by Apple inviting him to install the latest software. He accepted the upgrade, but within seconds the phone was displaying “error 53” and was, in effect, dead.

When Olmos, who says he has spent thousands of pounds on Apple products over the years, took it to an Apple store in London, staff told him there was nothing they could do, and that his phone was now junk. He had to pay £270 for a replacement and is furious.

“The whole thing is extraordinary. How can a company deliberately make their own products useless with an upgrade and not warn their own customers about it? Outside of the big industrialised nations, Apple stores are few and far between, and damaged phones can only be brought back to life by small third-party repairers.

It is all about the money isn’t Apple? !

Microsoft Admits Windows 10 Automatic Spying Cannot Be Stopped

Windows10-Spy
Quote

…Speaking to PC World, Microsoft Corporate Vice President Joe Belfiore explained that Windows 10 is constantly tracking how it operates and how you are using it and sending that information back to Microsoft by default. More importantly he also confirmed that, despite offering some options to turn elements of tracking off, core data collection simply cannot be stopped:

“In the cases where we’ve not provided options, we feel that those things have to do with the health of the system,” he said. “In the case of knowing that our system that we’ve created is crashing, or is having serious performance problems, we view that as so helpful to the ecosystem and so not an issue of personal privacy, that today we collect that data so that we make that experience better for everyone.”

To his credit, Belfiore does recognise the controversial nature of this decision and stresses that:

“We’re going to continue to listen to what the broad public says about these decisions, and ultimately our goal is to balance the right thing happening for the most people – really, for everyone – with complexity that comes with putting in a whole lot of control.”

B.S.!


Interestingly Belfiore himself won’t be around to oversee this as he is about to take a year long sabbatical. When he comes back, however, I suspect this issue will still be raging as Windows and Devices Group head Terry Myerson recently confirmed Windows 10 Enterprise users will be able to disable every single aspect of Microsoft data collection.

This comes in combination with Windows 10 Pro and Enterprise users’ ability to permanently disable automatic updates which are forced upon consumers and shows the growing divide between how Microsoft is treating consumers versus corporations.

So how concerned should users be about Windows 10’s default data collection policies? I would say very.

By default Windows 10 Home is allowed to control your bandwidth usage, install any software it wants whenever it wants (without providing detailed information on what these updates do), display ads in the Start Menu (currently it has been limited to app advertisements), send your hardware details and any changes you make to Microsoft and even log your browser history and keystrokes which the Windows End User Licence Agreement (EULA) states you allow Microsoft to use for analysis.

The good news: even if Belfiore states you cannot switch off everything, editing your privacy settings will disable the worst of these. To find them open the Start menu > Settings > Privacy.

The bad news: despite Belfiore’s pledge “to continue to listen”, Microsoft’s actions (including the impending Windows 7 and Windows 8 upgrade pressure) suggests the company’s recent love for Big Brother tactics is only going to get worse before it gets better…

Answer? Stay on windows 7 pro or switch to a Linux distro. It is time that users stand up and say “Stop spying or I will stop using your products.” Remember, Windows 10 is not free, you pay for the privileged to get raped by their ilk!

Fortigate Back Door

Quote

Fortinet has admitted that many more of its networking boxes have the SSH backdoor that was found hardcoded into FortiOS – with FortiSwitch, FortiAnalyzer and FortiCache all vulnerable…..”Following the recent SSH issue, Fortinet’s Product Security Incident Response team, in coordination with our engineering and QA teams, undertook an additional review of all of our Fortinet products,” said the company in a blog post.

“During this review we discovered the same vulnerability issue on some versions of FortiSwitch, FortiAnalyzer and FortiCache. These versions have the same management authentication issue that was disclosed in legacy versions of FortiOS.”

Now the risk list includes FortiAnalyzer versions 5.0.5 to 5.0.11 and 5.2.0 to 5.2.4, FortiSwitch versions 3.3.0 to 3.3.2, FortiCache 3.0.0 to 3.0.7 (but branch 3.1 is not affected) along with gear running FortiOS 4.1.0 to 4.1.10, 4.2.0 to 4.2.15, 4.3.0 to 4.3.16, and the builds 5.0.0 to 5.0.7.

In all cases, the problem can be sorted by updating to the latest firmware builds. Don’t delay – hackers are closing in on the backdoor management authentication issue.

“Looking at our collected SSH data, we’ve seen an increase in scanning for those devices in the days since the revelation of the vulnerability,” said Jim Clausing, a mentor with the SANS Institute.

“Nearly all of this scanning has come from two IPs in China (124.160.116.194 and 183.131.19.18). So if you haven’t already applied patches and put ACLs/firewall rules in front of these devices limiting access to ssh from only specific management IPs, you have probably already been scanned and possibly pwned.”

Comcast (monopolist) using browser injection Upsell New Modems

quote

We already know that Comcast can — and does — inject alerts into users’ web browsers to alert them to potential copyright infringement, but the nation’s largest Internet provider can also use this ability to interrupt your enjoyment of the web in order to remind you to upgrade your modem.

Consumerist reader and Comcast customer “BB” says that the cable company upgraded the network in his area in recent months, and has been writing and calling him regularly about upgrading his modem ever since.

“For months we received multiple letters in the mail, explaining how we were missing out on the great new capabilities of their network,” writes BB. “This eventually escalated to repeated phone calls from Comcast, stating that we should really upgrade our modem.”
Thing is, BB owns the modem he uses and he’s experienced no problems with service or speeds since the network upgrade. He’d rather not spend money on a new modem — or pay Comcast too much to rent one from the company — when what he has is working just fine.

And BB is not some minor Internet user with an ancient desktop computer that he only uses to check email once a week. In fact, he’s a software developer living — like many of us — in a home with multiple web-connected devices.

“We stream Netflix and YouTube and our Internet speed is great for everything we need,” he writes. “Why should I spend the money?” ….“Now they’ve moved to more aggressive measures to try to get me to upgrade,” writes BB. “The other day as I was browsing the web on my phone, on my home WiFi, I got a pop-up notice while browsing on wired.com.” (see screenshot above)

In big red letters, the notice alerts BB that there is some “Action Needed” on his service.

It reads:
“Our records indicate that the cable modem, which you currently use for your XFINITY Internet service, may not be able to receive the full range of our speeds. To ensure you’re receiving the full benefits of your XFINITY Internet service, please replace your cable modem.”

Use HTTPS and change your DNS to a non Comcast DNS. Above all, do not use any Comcast firewall/routers as they are cheap, insecure and feature COmcast’s ability to turn your paid for internet connection into a public wifi access point which they on-sell to others at your expense. That should be disabled.

Comcast is an example of what is wrong in the country. In many markets it acts and is a monopolist. It is time to separate content delivery from transmission and end the monopoly and duopoly market conditions.

Comcast’s Xfinity home alarms can be disabled by wireless jammers

Comcast-security

If you trust your ISP to provide Network and Physical Security, you have a fool for an adviser

Quote

Some intruders no longer need to come in through the kitchen window. Instead, they can waltz right in through the front door, even when a home is protected by an internet-connected alarm system. A vulnerability in Comcast’s Xfinity Home Security System could allow attackers to open protected doors and windows without triggering alarms, researchers with cybersecurity firm Rapid7 wrote in a blog post today.

The security bug relates back to the way in which the system’s sensors communicate with their home base station. Comcast’s system uses the popular ZigBee protocol, but doesn’t maintain the proper checks and balances, allowing a given sensor to go minutes or even hours without checking in. The biggest hurdle in exploiting the vulnerability is finding or building a radio jammer, which are illegal under federal law. Attackers can also circumvent alarms with a software-based de-authentication attack on the ZigBee protocol itself, although that method requires more expertise. Attackers would also need to know a house was using the Xfinity system before attempting to break in, a major hurdle in exploiting the finding.

“The sensor had no memory of the break-in happening”

To prove his findings, Rapid7 researcher Phil Bosco simulated a radio jamming attack on one of his system’s armed window sensors. While jamming the sensor’s signal, he opened a monitored window. The sensor said it was armed, but it failed to detect anything out of the ordinary. But perhaps even more worrisome than the active intrusion itself is that the sensor had no memory of it happening and took anywhere from several minutes to three hours to come back online and reestablish communication with its home base.

Firefox finally comes to iOS

Quote

At long last, Firefox has come to iOS. Rather unusually, this is the first version of the Firefox browser that does not use the Gecko layout engine, instead using iOS’s built-in WebKit-based layout engine. …..There are two big reasons that you might want to use Firefox for iOS: you’re a Firefox user on your desktop PC and want to avail yourself of synchronised bookmark and tab histories; or you buy into the idea that Mozilla is a better and safer shepherd of your Web surfing experience.

Wi-Fi blocking at hotels and convention centers

Quote

The Federal Communications Commission yesterday issued proposed fines against two companies in its latest actions against Wi-Fi blocking at hotels and convention centers.

Each company has been accused of blocking personal Wi-Fi hotspots that let consumers share mobile data access with other devices such as laptops and tablets. Hilton and M.C. Dean must pay the fines within 30 days or file written statements seeking reduction or cancellation of the penalties. We’ve contacted both Hilton and M.C. Dean this morning but have not heard back.
..
The FCC last year received a complaint against a Hilton hotel in Anaheim, California that the company “blocked Wi-Fi access for visitors at the venue unless they paid a $500 fee.” More complaints against other Hilton properties followed, and in November 2014, the FCC issued Hilton a letter of inquiry seeking information about its Wi-Fi management practices at various Hilton-owned hotel chains.

“After nearly one year, Hilton has failed to provide the requested information for the vast majority of its properties. Hilton operates several brands, including Hilton, Conrad, DoubleTree, Embassy Suites, and Waldorf Astoria properties,” the FCC said. Hilton’s response “contained corporate policy documents pertaining only generally to wireless management practices (which did not discuss Wi-Fi blocking) and provided Wi-Fi management records pertaining only to the single Hilton-brand property named in the complaint,” the FCC said in a Notice of Apparent Liability.
..
Hilton did not provide information or documents regarding its other properties. The company “stated that providing the omitted material ‘would be oppressive and unduly burdensome,’ and questioned the Bureau’s authority to investigate potential Wi-Fi blocking at other Hilton-brand properties,” according to the FCC.

In addition to the fine, the FCC ordered Hilton to file full responses to all of its previous requests for information.

M.C. Dean is the exclusive Wi-Fi provider at the Baltimore Convention Center and “charges exhibitors and visitors as much as $1,095 per event for Wi-Fi access,” the FCC said.

The FCC last year received a complaint that M.C. Dean was blocking personal hotspots, and it sent Enforcement Bureau field agents to the venue “on multiple occasions and confirmed that Wi-Fi blocking activity was taking place,” the commission said.

“During the investigation, M.C. Dean revealed that it used the ‘Auto Block Mode’ on its Wi-Fi system to block consumer-created Wi-Fi hotspots at the venue. The Wi-Fi system’s manual describes this mode as ‘shoot first, and ask questions later.’ M.C. Dean’s Wi-Fi blocking activity also appears to have blocked Wi-Fi hotspots located outside of the venue, including passing vehicles,” the FCC said.

What charming corporate citizens.