Forget Huawei, The Internet Of Things Is The Real Security Threat

from the somebody's-watching-you dept

We've noted for a while how a lot of the US protectionist security hysteria surrounding Huawei isn't supported by much in the way of hard data. And while it's certainly possible that Huawei helps the Chinese government spy, the reality is that Chinese (or any other) intelligence services don't really need to rely on Huawei to spy on the American public. Why? Because people around the world keep connecting millions of internet of broken things devices to their home and business networks that lack even the most rudimentary of security and privacy protections.

Week after week we've documented how these devices are being built with both privacy and security as a distant afterthought, resulting in everything from your television to your refrigerator creating both new attack vectors and wonderful new surveillance opportunities for hackers and state actors.

The latest case in point: a popular Chinese GPS tracker, used to track everything from vehicles to kids and the elderly, has been found to contain a significant flaw that can trick the device into handing over GPS data using little more than a text message. The devices, which are made in China and rebranded and sold by more than a dozen companies, can also be used as remote surveillance devices, notes cybersecurity researchers:

"Researchers at U.K. cybersecurity firm Fidus Information Security say the device can be tricked into turning over its real-time location simply by anyone sending it a text message with a keyword. Through another command, anyone can call the device and remotely listen in to its in-built microphone without alerting anyone.

Another command can remotely kill the cell signal altogether, rendering the device effectively useless."

While the device can be protected with a PIN, that setting isn't enabled by default, and the researchers found the devices can be remotely reset, bypassing the pin anyway. This is, if you hadn't been paying attention, kind of the norm when it comes to IOT devices. By the time flaws like this are exposed the company involved has usually moved on to marketing new devices with an entirely new array of vulnerabilities. And since most such devices don't offer much in the way of transparency, consumers usually are largely clueless to the fact that their devices are putting their private data at risk.

Security researchers keep warning us that the check is going to come due on the internet of things front, and we're not taking the warnings seriously:

"This device is marketed at keeping the most vulnerable safe and yet anybody can locate and listen into thousands of people’s lives without their knowledge,” said Fidus’ Andrew Mabbitt, who wrote up the team’s findings. “This day and age, everything is connected one way or another and we seem to be leaving security behind; this isn’t going to end well.”

As security researchers have been saying for several years, it's likely going to take a major attack on significant infrastructure and some significant fatalities before we wake up out of our collective stupor. In the interim DC is obsessed with whether companies like Huawei are covert Chinese spies, but largely apathetic to the fact that the internet of broken things already provides all the spying opportunities a nosy government or rogue actor would ever need.

Filed Under: computer security, internet of things, iot, security
Companies: huawei


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • This comment has been flagged by the community. Click here to show it
    identicon
    williamchambers, 20 May 2019 @ 6:56am

    college help

    If you find it hard to cope with your studies, then I have an excellent online service https://studymoose.com/malincho-case-study-analysis-essay that will help you solve problems with writing various types of written works.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 May 2019 @ 7:29am

    Both things are a threat.

    I think one of the major concerns is of China having control of our telecom infrastructure.

    Don't forget, Huawwei doesn't just help the Chinese government, it is part of the Chinese government.

    reply to this | link to this | view in chronology ]

    • icon
      Stephen T. Stone (profile), 20 May 2019 @ 7:53am

      People with the power to do something about those concerns could invest their influence into getting flaws in the IoT infrastructure fixed. If they refuse to do so, perhaps they want to spy on the American public, too.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 20 May 2019 @ 8:22am

        Re:

        Are you really that worried about people spying on you?

        I'm far more concerned about the Chinese government being a major equipment supplier to our telecom companies.

        reply to this | link to this | view in chronology ]

        • icon
          Anonymous Anonymous Coward (profile), 20 May 2019 @ 8:28am

          Re: Re:

          Why, because of spying? Or did you have something more nefarious in mind? What would that be?

          reply to this | link to this | view in chronology ]

          • icon
            Gary (profile), 20 May 2019 @ 8:30am

            Re: Re: Re:

            Considering Google has pulled the plug on Huawei it seems likely they may fold.

            So the Internet of (Shitty) Things is a bigger threat to safety.

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 20 May 2019 @ 8:33am

              Re: Re: Re: Re:

              I think the evil genius mindset behind these security blunders is the big threat to everyone including those who support the insane world domination silliness.

              reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 20 May 2019 @ 8:43am

              Re: Re: Re: Re:

              Why would Google fold?

              reply to this | link to this | view in chronology ]

            • icon
              PaulT (profile), 21 May 2019 @ 5:12am

              Re: Re: Re: Re:

              "Considering Google has pulled the plug on Huawei it seems likely they may fold."

              That's very unlikely. They will just create their own store and clone whatever non-FOSS components they need to retain compatibility. I wouldn't be surprised if some Chinese organisation has already created a homegrown fork of the OS in preparation for a move like this.

              reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 20 May 2019 @ 8:59am

            Re: Re: Re:

            Do you think the Air Force would buy fighters from China if they came in with a lower bid?

            Why should the government allow our telecom infrastructure to built by the Chinese? There's a big national security component to it as well.

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 20 May 2019 @ 10:28am

              Re: Re: Re: Re:

              Do you understand there is a big difference between the government purchasing something for the military and the phone company purchasing something for the phone company - right?

              reply to this | link to this | view in chronology ]

              • identicon
                Anonymous Coward, 20 May 2019 @ 12:59pm

                Re: Re: Re: Re: Re:

                Are you saying there isn't any national security component to our telecom infrastructure?

                reply to this | link to this | view in chronology ]

                • icon
                  Seegras (profile), 20 May 2019 @ 1:34pm

                  Re: Re: Re: Re: Re: Re:

                  Are you saying there isn't any national security component to our telecom infrastructure?

                  None. At least according to the actions of the CIA and NSA -- and national government itself. Leaving companies for three years with open vulnerabilities. On purpose. So they can spy on them. Wannacry?

                  reply to this | link to this | view in chronology ]

                  • identicon
                    Anonymous Coward, 20 May 2019 @ 5:44pm

                    Re: Re: Re: Re: Re: Re: Re:

                    Every vulnerability and zero-day that comes to the attention of the NSA goes before a board that weighs the value against the potential danger. Disclosure is negotiated on a case-by-case basis with a bias for disclosing.

                    The defense department and homeland security worry a great deal about the security of our infrastructure but the concern isn't necessarily about spying as much as it is of control.

                    reply to this | link to this | view in chronology ]

                • identicon
                  Anonymous Coward, 21 May 2019 @ 9:40am

                  Re: Re: Re: Re: Re: Re:

                  "Are you saying there isn't any national security component to our telecom infrastructure?"

                  No - I do not recall making that statement.

                  Why do you expect the two things to be treated in the same manner?

                  reply to this | link to this | view in chronology ]

          • identicon
            Rocky, 20 May 2019 @ 9:18am

            Re: Re: Re:

            How about logic bombs that can be remotely activated?

            A state actor may be more interested in shutting down communications rather than just spying.

            reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 20 May 2019 @ 3:17pm

          Re: Re:

          Yes. If researching new trade secrets, starting up a company, building strategic plans, there is expectation that some things are confidential. Without this the major tech players can simply keep a finger to the pulse and rip off innovative development before competitor brings it to market. Complete transparency breaks the market.

          On personal level the media routinely takes partial statements out of context. Complete transparency provides too much opportunity for character assassination, a trend we see increasing in use to destroy livelihood of the population speaking out against establishment politics.

          reply to this | link to this | view in chronology ]

    • icon
      ECA (profile), 20 May 2019 @ 1:29pm

      Re: Who to depend on?

      So..Who would you depend on..
      Do you understand that the programming of devices ISNT setup At the maker/builder..
      In the USA you have 5 people in a New corp, design and send the data TO China. It is up to those 5 people to Evaluate the product BEFORE, they have it shipped TO the USA for sales.

      Go look up the 'BARBIE', that was connected to the internet. That listened to Everything in the house. That the Corp said Saved the data and shipped it, so that the Corp could Adjust and fix any REMOTE problem, and improve the language..
      Look around your home, and Find 1 thing, that IS MADE in the USA, that is IOT.. Dont look at the Flower pot, that Connects to your Router to tell you the DIRT NEEDS WATER...
      Look at all the Security cameras, that HAVE TO HAVE A REMOTE ACCESS TO ANOTHER COMPANY, to save pictures and video, and send them to your phone.. I would rather have a Small wireless NAS in my home that would Save the data, and a Rasp Pi, to send the data DIRECT to my phone..

      reply to this | link to this | view in chronology ]

  • icon
    tom (profile), 20 May 2019 @ 8:38am

    Most 'Smart' devices are designed to spy on the end purchaser. No hack needed. Whether it is your viewing habits, things you buy, how often you leave the house, etc, the data is being collected, aggregated with other data, and the result sold to other companies.

    All one has to do is look at Facebook and Google's announcements about future 'features' to learn some of the things the data is being used for. I think it was FB that recently announced a 'Who you are about to meet with' feature being worked on.

    If they know who you are about to meet with, very likely they know who your kids are about to meet with.

    And it is likely that most folks have little idea this data collection is happening. After all, for most people, things like TVs, refrigerators, microwaves, etc are passive gizmos. Not even in their thoughts that the new TV is spying on them.

    And most Congress critters are still buying the 'Computer companies needs special laws that exempt them from normal laws' line that was bought off on when Microsoft was still a small upstart company competing with IBM for the OS market.

    reply to this | link to this | view in chronology ]

    • identicon
      Kellyanne Conway, 20 May 2019 @ 10:33am

      Re:

      See .... I told you so !!!!

      Everyone laughed at me for suggesting Obama was spying on Donald via the microwave oven that is capable of turning into a camera.

      reply to this | link to this | view in chronology ]

    • icon
      ECA (profile), 20 May 2019 @ 3:05pm

      Re:

      Consider..
      Cellphone with full remote access to your GPS..
      (its said it can be turned on remotely..)
      Any device that has a NAME to respond to..
      Google, Windows, Iphone..Name it, even your barbie.
      Your car have a NAV system?? A built in computer to ask directions?? or do other things..

      What would it take to LET IT, talk directly to the cellphone system...NOT ALLOT... how about bypass your Router password..NOT ALLOT...(most people dont change the orig passwords..) ADMIN/PASSWORD will get you into 50% of them.

      Do you really know whats in your Hardware?? how easy it is to install a BUG..software or hardware..
      DONT ASK.. you wont like it.

      reply to this | link to this | view in chronology ]

  • identicon
    norahc, 20 May 2019 @ 9:25am

    From the government's viewpoint, the lack of security in the IoT is a valued feature, not a threat or a bug.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 May 2019 @ 10:23am

      Re:

      Have you ever watched Congress question a tech executive? I'm not confident that they could spell IoT let alone tell you what it means.

      Plus, why would they care about my connected light bulbs and garage door opener when the greatest spy device ever is in almost everybody's pocket and contains GPS, a camera, a microphone, and logins to every service imaginable?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 20 May 2019 @ 10:37am

        Re: Re:

        The Government != Congress

        One is a small part of the other.

        You are correct in that Congress does not care about your IOT devices, they care about the kickbacks they get from industry in return for not regulating the IOT POS.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 20 May 2019 @ 11:09am

        Re: Re:

        I've tried to watch it but every time I do all I hear is "Entrance of the Gladiators".

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 20 May 2019 @ 12:42pm

        Re: Re:

        and one more thing ... not all congress members are the same - DUH

        Some of them actually hire knowledgeable and experienced people to fill the staff positions thus allowing them access to technical details, analyses and possible actions that make sense. I know, it's hard to believe but it happens.

        reply to this | link to this | view in chronology ]

  • identicon
    Glenn, 20 May 2019 @ 1:38pm

    Action? I don't know... fatalities every year related to Daylight Saving time change (spring forward) haven't resulted in any action whatsoever. Maybe something will happen if you can show a loss in profits associated with it (fines, for example).

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.