Proposed standards for Internet of Things

[dhouston]

Here's yet another article that addresses the need for IoT standards...
http://www.nytimes.com/2016/10/14/automobiles/steering-cars-toward-the-internet-of-things-on-ramp.html?ref=business

[dhouston]

And here's another article addressing the lack of security on most residential IoT devices.
http://www.csoonline.com/article/3128805/internet-of-things/the-internet-of-insecure-things-thousands-of-internet-connected-devices-are-a-security-disaster-in.html?google_editors_picks=true
I suspect the IoT power supplies referenced are UPS devices. That's a vulnerability I hadn't considered.

[bkenobi]

Are networked UPS's a consumer level thing now?  Last I checked they were enterprise only.  Then again, I haven't looked at UPS's in a couple years or more so it could be an entry level feature.

After reading the article, I see that this remark was specific to a data center's UPS setup.  But, a google search of "network manageable UPS" came up with several options for remote access.  So, these are a consumer level thing as well now (~$250 on Amazon).

[dhouston]

Are networked UPS's a consumer level thing now?  Last I checked they were enterprise only.  Then again, I haven't looked at UPS's in a couple years or more so it could be an entry level feature.

You're probably right. My UPS has a USB link to my main PC which, of course, links to my router . I don't know whether that can be exploited but it's probably not beyond the realm of possibility. I won't lose sleep over it but it does raise my awareness should I need to replace it.

[dhouston]

Actually, I found this 10-yr old engadget post which seems to indicate that, once again, I'm late to the party, and that a USB link MIGHT be exploited. I might lose sleep, after all, and it might not be totally because of this weekend's super/hunters moon...
https://www.engadget.com/2006/07/25/how-to-network-your-ups/

[dhouston]

After reading the article, I see that this remark was specific to a data center's UPS setup.  But, a google search of "network manageable UPS" came up with several options for remote access.  So, these are a consumer level thing as well now (~$250 on Amazon).

Thanks for the update.

One thing that would help here is a way for the router to send alerts whenever there's an abnormal rate of outgoing traffic. I've yet to see anything like this. Of course, even this would only help with DDoS swarms, not with incoming probes looking for personal data.

[bkenobi]

I haven't looked recently, but I bet DDWRT or Tomato have features for this kind of thing.  You can control the QOS (quality of service) setting to limit traffic during different times of day.  If that's possible, then it shouldn't be too much harder to detect certain types of traffic over a given threshold and report it somehow.

EDIT:
YAMon for DDWRT
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=259806

I don't use Tomato or any of the other variants, but a usage monitor should be available for all custom router firmware.

[dhouston]

There was another massive DDoS attack this morning although it's probably too early to know whether it also harnessed IoT devices.
http://www.theatlantic.com/technology/archive/2016/10/when-the-entire-internet-seems-to-break-at-once/504956/?google_editors_picks=true
http://www.usatoday.com/story/tech/2016/10/21/cyber-attack-takes-down-east-coast-netflix-spotify-twitter/92507806/

[dhouston]

YAMon for DDWRT
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=259806

I've wondered what, if anything, can be done regarding security for small, embedded devices like those most likely to be used for hobbyist IoT. The Orange Omega2 is such a device. It runs OpenWRT which is compatible with YAMon.
https://www.kickstarter.com/projects/onion/omega2-5-iot-computer-with-wi-fi-powered-by-linux/description

[dhouston]

There was another massive DDoS attack this morning although it's probably too early to know whether it also harnessed IoT devices.

Brian Krebs (Internet Security Expert) now has a list of IoT devices used against his site last month. They comprise a usual suspects list of devices probably also used in Friday's DDoS attack on Dyn.
https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/

Interestingly, it mentions Brian Karas, a name (good guy) that will be familiar those of us who used to frequent Usenet's comp.home.automation discussion group.

[dhouston]

While looking into how to monitor outbound web traffic I came across another KrebsonSecurity article that is about a million times scarier.
https://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/
The first line...

Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware.

[dhouston]

Yet another IoT security issue.
http://www.nytimes.com/2016/11/03/technology/why-light-bulbs-may-be-the-next-hacker-target.html

[bkenobi]

I wish they hadn't cut away without saying how long the time gap was.  Does it take 10 seconds or many sessions (recharging the drone being the limitation) to take over the lights?

[dhouston]

I hadn't watched the video. I saw this...

The researchers were able to spread infection in a network inside a building by driving a car 229 feet away.

and then quickly scanned the rest of the article. The low tech car-based method is similar to war-driving to find vulnerable WiFi networks which hackers have been doing for about as long as there have been WiFi networks. However, if they used a Tesla, they might still need to be concerned about their battery.

[dhouston]

WeMo devices (even the WiFi Crockpot) vulnerable to hijacking.
http://www.computerworld.com/article/3138991/security/update-your-belkin-wemo-devices-before-they-become-botnet-zombies.html?google_editors_picks=true