"Tech Appliances" and "Security" (IoT too!)

So, Filippo lost the password to his WD NAS, and discovered that

  All actions are actually unauthenticated. If you are not logged in the NAS will answer with an HTTP 302 Redirect... AND THEN PROCEED HANDLING THE REQUEST and sending the output. As if you were logged in. That's a first for me.
  Let me repeat this: if you are not logged in, the only thing the system will do is add a redirect to the login page in the HTTP Headers and carry on, obeying whatever you are telling it to do.

The thing is, I wasn't particularly perturbed by this - and on reflection, I realized that the reason was that I pretty much assume that security on these things is s**t.
Seriously, I just assume that pretty much any "tech appliance" at home - wifi routers, NAS, cable boxen, whatever - probably has more holes in it than swiss cheese.
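To make the WD NAS behaviour concrete, here is an added example (not code from the post, from Filippo, or from WD's firmware) written in Go with net/http: the vulnerable handler emits the 302 to the login page but never returns, so the privileged action still runs and its output is appended to the redirect response; the fixed handler returns right after the redirect. The cookie-based session check and the "delete share" action are stubs assumed for the demo.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Stub session check for this constructed demo: a request is "logged in" only
// if it carries the cookie session=ok (not the NAS's real scheme).
func loggedIn(r *http.Request) bool {
	c, err := r.Cookie("session")
	return err == nil && c.Value == "ok"
}

// VulnerableHandler reproduces the post's bug: the 302 is emitted but the
// handler does not return, so the action runs and its output follows the redirect.
func VulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if !loggedIn(r) {
		http.Redirect(w, r, "/login", http.StatusFound)
		// missing return: execution falls through to the action below
	}
	fmt.Fprintf(w, "share %q deleted\n", r.URL.Query().Get("share"))
}

// FixedHandler makes the redirect terminal with an early return.
func FixedHandler(w http.ResponseWriter, r *http.Request) {
	if !loggedIn(r) {
		http.Redirect(w, r, "/login", http.StatusFound)
		return
	}
	fmt.Fprintf(w, "share %q deleted\n", r.URL.Query().Get("share"))
}

// Exercise runs one in-memory request against h (no server needed) and reports
// whether the client was redirected and whether the privileged action ran.
func Exercise(h http.HandlerFunc, authed bool) (redirected, actionRan bool) {
	req := httptest.NewRequest("GET", "/delete?share=backup", nil)
	if authed {
		req.AddCookie(&http.Cookie{Name: "session", Value: "ok"})
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code == http.StatusFound, strings.Contains(rec.Body.String(), "deleted")
}

func main() {
	r, ran := Exercise(VulnerableHandler, false)
	fmt.Println("vulnerable handler, not logged in: redirected =", r, "action ran =", ran)
}
```

A black-box check for this class of bug is the same as Filippo's observation: send an unauthenticated request for a privileged action and inspect the body, not just the status code, because a 302 with a full response body behind it means the action went through.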

Why?
Well, look at it this way

  1. The software they are shipped with will have some security holes in it.
  2. You, OTOH, are extremely unlikely to keep up with patches/revisions.
  3. Even if it could auto-update (let's pretend), you are unlikely to actually have it do so. (*)
  4. As a result, your "tech appliance" (or IoT device) is, well, guaranteed to be - highly! - vulnerable.

Note that I am not even considering the plethora of other stuff like

  1. Poor security practices to begin with (e.g., Filippo's WD NAS)
  2. Bad security ("I will roll my own crypto") that you'll find all over the place
  3. No security (If I had a nickel for every device that had admin/admin as the default password)
  4. Misplaced security (All those people who have complex passwords on their laptop, but then share their disks unprotected)
  5. Necessary - lack of - security (The vendor wants to collect some type of data from you)

The bottom line here is that, even with the best of intentions, your device is likely to have holes in it.  And the reality is that the intentions are not the best, the security practices are s**t, and your devices do resemble swiss-cheese.
And that's why I just implicitly assume that any devices I have at home are compromisable, and treat them as such.

And no, I don't get all paranoid about it.  I mean, if you want to compromise that temperature sensor on my wall, rock on. I mean, cui bono and all that... (and yes, you could be the power company, and you could be compromising the sensors to make me use more (or less!) power.  Whatever...)  (**)

(*) Many many reasons. Firewalls, networks, regulations, liability, blah, blah, blah
(**) Yeah, I'm not saying security is pointless.  I am saying that, in the current world we live in, your devices do have s**t for security...
