Forget Huawei, The Internet Of Things Is The Real Security Threat

from the somebody's-watching-you dept

We’ve noted for a while how a lot of the US protectionist security hysteria surrounding Huawei isn’t supported by much in the way of hard data. And while it’s certainly possible that Huawei helps the Chinese government spy, the reality is that Chinese (or any other) intelligence services don’t really need to rely on Huawei to spy on the American public. Why? Because people around the world keep connecting millions of “internet of broken things” devices that lack even the most rudimentary security and privacy protections to their home and business networks.

Week after week we’ve documented how these devices are being built with both privacy and security as a distant afterthought, resulting in everything from your television to your refrigerator creating both new attack vectors and wonderful new surveillance opportunities for hackers and state actors.

The latest case in point: a popular Chinese GPS tracker, used to track everything from vehicles to kids and the elderly, has been found to contain a significant flaw that can trick the device into handing over GPS data using little more than a text message. The devices, which are made in China and rebranded and sold by more than a dozen companies, can also be used as remote surveillance devices, note cybersecurity researchers:

“Researchers at U.K. cybersecurity firm Fidus Information Security say the device can be tricked into turning over its real-time location simply by anyone sending it a text message with a keyword. Through another command, anyone can call the device and remotely listen in to its in-built microphone without alerting anyone.

Another command can remotely kill the cell signal altogether, rendering the device effectively useless.”

While the device can be protected with a PIN, that setting isn’t enabled by default, and the researchers found the devices can be remotely reset, bypassing the PIN anyway. This is, if you hadn’t been paying attention, kind of the norm when it comes to IoT devices. By the time flaws like this are exposed, the company involved has usually moved on to marketing new devices with an entirely new array of vulnerabilities. And since most such devices don’t offer much in the way of transparency, consumers are usually largely clueless to the fact that their devices are putting their private data at risk.

Security researchers keep warning us that the check is going to come due on the internet of things front, and we’re not taking the warnings seriously:

“This device is marketed at keeping the most vulnerable safe and yet anybody can locate and listen into thousands of people’s lives without their knowledge,” said Fidus’ Andrew Mabbitt, who wrote up the team’s findings. “This day and age, everything is connected one way or another and we seem to be leaving security behind; this isn’t going to end well.”

As security researchers have been saying for several years, it’s likely going to take a major attack on significant infrastructure and some significant fatalities before we wake up out of our collective stupor. In the interim, DC is obsessed with whether companies like Huawei are covert Chinese spies, but largely apathetic to the fact that the internet of broken things already provides all the spying opportunities a nosy government or rogue actor would ever need.

Companies: huawei


Comments on “Forget Huawei, The Internet Of Things Is The Real Security Threat”

28 Comments
PaulT (profile) says:

Re: Re: Re:3 Re:

"Considering Google has pulled the plug on Huawei it seems likely they may fold."

That’s very unlikely. They will just create their own store and clone whatever non-FOSS components they need to retain compatibility. I wouldn’t be surprised if some Chinese organisation has already created a homegrown fork of the OS in preparation for a move like this.

Anonymous Coward says:

Re: Re: Re:6 Re:

Every vulnerability and zero-day that comes to the attention of the NSA goes before a board that weighs the value against the potential danger. Disclosure is negotiated on a case-by-case basis with a bias for disclosing.

The defense department and homeland security worry a great deal about the security of our infrastructure but the concern isn’t necessarily about spying as much as it is of control.

Anonymous Coward says:

Re: Re: Re: Re:

Yes. If researching new trade secrets, starting up a company, building strategic plans, there is expectation that some things are confidential. Without this the major tech players can simply keep a finger to the pulse and rip off innovative development before a competitor brings it to market. Complete transparency breaks the market.

On a personal level the media routinely takes partial statements out of context. Complete transparency provides too much opportunity for character assassination, a trend we see increasing in use to destroy the livelihood of the population speaking out against establishment politics.

ECA (profile) says:

Re: Who to depend on?

So..Who would you depend on..
Do you understand that the programming of devices ISN'T setup At the maker/builder..
In the USA you have 5 people in a New corp, design and send the data TO China. It is up to those 5 people to Evaluate the product BEFORE, they have it shipped TO the USA for sales.

Go look up the ‘BARBIE’, that was connected to the internet. That listened to Everything in the house. That the Corp said Saved the data and shipped it, so that the Corp could Adjust and fix any REMOTE problem, and improve the language..
Look around your home, and Find 1 thing, that IS MADE in the USA, that is IOT.. Don't look at the Flower pot, that Connects to your Router to tell you the DIRT NEEDS WATER…
Look at all the Security cameras, that HAVE TO HAVE A REMOTE ACCESS TO ANOTHER COMPANY, to save pictures and video, and send them to your phone.. I would rather have a Small wireless NAS in my home that would Save the data, and a Rasp Pi, to send the data DIRECT to my phone..

tom (profile) says:

Most ‘Smart’ devices are designed to spy on the end purchaser. No hack needed. Whether it is your viewing habits, things you buy, how often you leave the house, etc, the data is being collected, aggregated with other data, and the result sold to other companies.

All one has to do is look at Facebook and Google’s announcements about future ‘features’ to learn some of the things the data is being used for. I think it was FB that recently announced a ‘Who you are about to meet with’ feature being worked on.

If they know who you are about to meet with, very likely they know who your kids are about to meet with.

And it is likely that most folks have little idea this data collection is happening. After all, for most people, things like TVs, refrigerators, microwaves, etc are passive gizmos. Not even in their thoughts that the new TV is spying on them.

And most Congress critters are still buying the ‘Computer companies needs special laws that exempt them from normal laws’ line that was bought off on when Microsoft was still a small upstart company competing with IBM for the OS market.

ECA (profile) says:

Re: Re:

Consider..
Cellphone with full remote access to your GPS..
(it's said it can be turned on remotely..)
Any device that has a NAME to respond to..
Google, Windows, Iphone..Name it, even your barbie.
Your car have a NAV system?? A built in computer to ask directions?? or do other things..

What would it take to LET IT, talk directly to the cellphone system…NOT A LOT… how about bypass your Router password..NOT A LOT…(most people don't change the orig passwords..) ADMIN/PASSWORD will get you into 50% of them.

Do you really know what's in your Hardware?? how easy it is to install a BUG..software or hardware..
DON'T ASK.. you won't like it.

Anonymous Coward says:

Re: Re:

Have you ever watched Congress question a tech executive? I’m not confident that they could spell IoT let alone tell you what it means.

Plus, why would they care about my connected light bulbs and garage door opener when the greatest spy device ever is in almost everybody’s pocket and contains GPS, a camera, a microphone, and logins to every service imaginable?

Anonymous Coward says:

Re: Re: Re:

and one more thing … not all congress members are the same – DUH

Some of them actually hire knowledgeable and experienced people to fill the staff positions thus allowing them access to technical details, analyses and possible actions that make sense. I know, it’s hard to believe but it happens.
