"Tech Appliances" and "Security" (IoT too!)
So, Filippo lost the password to his WD NAS, and discovered that
The thing is, I wasn't particularly perturbed by this - and on reflection, I realized that the reason was that
Seriously, I just assume that pretty much any "tech appliance" at home - wifi routers, NAS, cable boxen, whatever - probably have more holes in them like swiss-cheese.
Why?
Well, look at it this way
Note that I am not even considering the plethora of other stuff like
The bottom line here is that, even with the best of intentions, your device is likely to have holes in it. And the reality is that the intentions are not the best, the security practices are s**t, and your devices do resemble swiss-cheese.
And thats why I just implicitly assume that any devices I have at home are compromisable, and treat them as such.
And no, I don't get all paranoid about it. I mean, if you want to compromise that temperature sensor on my wall, rock on. I mean, cui bono and all that... (and yes, you could be the power company, and you could be compromising the sensors to make 'me use more (or less!) power. Whatever...) (**)
(*) Many many reasons. Firewalls, networks, regulations, liability, blah, blah, blah
(**) Yeah, I'm not saying security is pointless. I am saying that, in the current world we live in, your devices do have s**t for security...
All actions are actually unauthenticated. If you are not logged in the NAS will answer with a HTTP 302 Redirect... AND THEN PROCEED HANDLING THE REQUEST and sending the output. As if you were logged in. That's a first for me.I pretty much assume that security on these things is s**t.
Let me repeat this: if you are not logged in, the only thing the system will do is add a redirect to the login page in the HTTP Headers and carry on, obeying whatever you are telling it to do.
The thing is, I wasn't particularly perturbed by this - and on reflection, I realized that the reason was that
Seriously, I just assume that pretty much any "tech appliance" at home - wifi routers, NAS, cable boxen, whatever - probably have more holes in them like swiss-cheese.
Why?
Well, look at it this way
- The software they are shipped with will have some security holes in it.
- You, OTOH, are extremely unlikely to keep up with patches/revisions.
- Even if it could auto-update (lets pretend), you are unlikely to actually have it do so (*)
- As a result, your "tech appliance" (or IoT device) is, well, guaranteed to be - highly! - vulnerable
Note that I am not even considering the plethora of other stuff like
- Poor security practices to begin with (e.g., Filippo's WD NAS)
- Bad security ("I will roll my own crypto") that you'll find all over the place
- No security (If I had a nickel for every device that had admin/admin as the default password)
- Misplaced security (All those peoples who have complex passwords on their laptop, but then share their disks unprotected)
- Necessary - lack of - security (The vendor wants to collect some type of data from you)
The bottom line here is that, even with the best of intentions, your device is likely to have holes in it. And the reality is that the intentions are not the best, the security practices are s**t, and your devices do resemble swiss-cheese.
And thats why I just implicitly assume that any devices I have at home are compromisable, and treat them as such.
And no, I don't get all paranoid about it. I mean, if you want to compromise that temperature sensor on my wall, rock on. I mean, cui bono and all that... (and yes, you could be the power company, and you could be compromising the sensors to make 'me use more (or less!) power. Whatever...) (**)
(*) Many many reasons. Firewalls, networks, regulations, liability, blah, blah, blah
(**) Yeah, I'm not saying security is pointless. I am saying that, in the current world we live in, your devices do have s**t for security...
Comments