Security Vulnerability in Smart Electric Outlets

A security vulnerability in Belkin’s Wemo Insight “smartplugs” allows hackers to not only take over the plug, but use it as a jumping-off point to attack everything else on the network.

From the Register:

The bug underscores the primary risk posed by IoT devices and connected appliances. Because they are commonly built by bolting on network connectivity to existing appliances, many IoT devices have little in the way of built-in network security.

Even when security measures are added to the devices, the third-party hardware used to make the appliances “smart” can itself contain security flaws or bad configurations that leave the device vulnerable.

“IoT devices are frequently overlooked from a security perspective; this may be because many are used for seemingly innocuous purposes such as simple home automation,” the McAfee researchers wrote.

“However, these devices run operating systems and require just as much protection as desktop computers.”

I’ll bet you anything that the plug cannot be patched, and that the vulnerability will remain until people throw them away.

Boing Boing post. McAfee’s original security bulletin.

Tags: Internet of Things, McAfee, patching, vulnerabilities

Posted on September 12, 2018 at 6:19 AM • 49 Comments

Comments

mrmcd • September 12, 2018 6:51 AM

Embarrassed to say I actually have one of these plugs, and they do get firmware patches on a fairly regular basis (now I know why). It’s not an obvious process though: You have to open the app, accept a pop-up dialog that only appears once a day, and then wait ~5 minutes while the plug power cycles several times. Anything connected to the plug effectively can’t be used while it’s patching.

Mace Moneta • September 12, 2018 7:04 AM

I’ve only been buying devices supported by the open source firmware, Tasmota. I flash each device, which can subsequently be updated over the air. I restrict the devices to LAN-only operation (remote access is via ssh or VPN). This is the LoT (LAN of Things), a much better implementation. But it does require more knowledge than IoT.

Sam Lord • September 12, 2018 7:40 AM

I’d be interested to see whether the future of IoT ends up being a consumer friendly version of what Mace has described above.

A bunch of “dumb” smart devices which have a simple, discoverable API, and talk to a consumer friendly firewall / web server. Focus on the security of that one element, and make it so nothing else is accessible to the internet. Maybe there are some flaws to doing things that way, but its surely better than having a tonne of public-facing servers running low-security operating systems with propriertary operating systems.

Peter Galbavy • September 12, 2018 7:40 AM

I had an “Efergy” smart plug for a while for a specific purpose, but after it was done and I was installing a new home router I noticed lots of fun and interesting DNS look-ups in the local cache for a wide range of Chinese destinations. None of which were either associated with the company supplying the device or the authors of the app. This was continuous and not while the device was in use or the app on my phone open.

I didn’t have much time or motivation at the time to look at the traffic but the device was recycled and the app very much deleted.

Ewan Marshall • September 12, 2018 8:17 AM

So keep following my policy of avoiding smart devices where possible, and if not possible, use only on a segregated network.

TimH • September 12, 2018 8:43 AM

Anyone got comments on Steve Gibson’s Three Router Solution to IOT Insecurity?
https://www.pcper.com/reviews/General-Tech/Steve-Gibsons-Three-Router-Solution-IOT-Insecurity

Are there DD-WRT settings that a good enough to silo intranet from guest wifi intended for internet only?

Or an open source (firmware inspectable) lump to do this?

Rick Lobrecht • September 12, 2018 8:54 AM

And this is one of the key reasons why I have chosen Apple Homekit for my (very few) automated switches. Apple’s hard stance on security and requirement for firmware updates helps to mitigate against this kind of thing.

I do like the suggestion of segregating IoT devices to a separate network. I may have to play around with that.

Matt Goff • September 12, 2018 8:55 AM

WeMo devices are upgradable OTA. I have mine (along with everything IoT) on its own VLAN, but this isn’t generally possible with consumer routers. Seems like this is an opportunity for manufacturers– add a checkbox to block intranet access for specific devices (a la wireless isolation).

Phaete • September 12, 2018 10:20 AM

I love reading stuff like the mcafee article, somehow it slipped through, thanks for the reminder.

I would have loved to see more info on how router config can mitigate this.
(VLAN, UPnP off, restricted routes/protocols)
And they seem to have used a shitty router that cannot display currently open/requested UPnP ports

“After the plug is compromised, it could use the built-in UPnP library to poke a hole in the network router.”

“With the attacker having established a foothold on the network and able to open arbitrary ports, any machine connected to the network is at risk. Because attacks can be conducted through the Wemo and the port mappings generated using this exploit are not visible from the router’s administration page”

With the last sentence they assume any router with standard config and limited functionality (show uPnp bindings…)

In my own network, a compromised plug like that would be as dead as a dodo.
But indeed in most consumer (setup) networks it would flourish.

Hacker • September 12, 2018 11:33 AM

Several commenters have suggested separate networks for IoT, but none have really nailed it. I have a lot of IoT and 15 years of Security Architecture experience. I do not use either wifi or IP networking for basic devices like switches, lights and plugs. These devices belong on a separate physical network like ZWave, Zigbee or Lutron. They can talk with the home hub, and the home hub is on the Internet. The home hub is patchable and capable of being managed securely.

The only exceptions to this are for devices that require lots of bandwidth (cameras) and those that don’t have competitors available using the above networks. For cameras one can get Network Video Recorders with built in switches and keep those on isolated LANs too. There is a lot of poorly implemented IoT out there, but there is also a lot of stuff that is implemented pretty well.

I don’t travel much. I’d hesitate to make assertions on TSA reliability as that’s out of my experience. If Bruce isn’t using IoT, perhaps he should stop making assumptions and making bets about it.

IoT has a lot of benefits for some folks. I now have fire/CO2 alarms in both my houses that turn on lights and send out notifications. That’s a safety advantage that is at least an order of magnitude cheaper now due to IoT.

Tim Spellman • September 12, 2018 11:43 AM

Dear Americans,

You are big consumers of this IoT stuff. And big producers of law firms. Can we arrange for you to create a class action lawsuit or two? Lawsuits that hold individual IoT owners liable for their unpatched devices contributing to, say, the DDOS attacks that those devices take part in.

Imagine receiving a certified letter saying, “If you own device X, and you cannot show it was fully patched, you are hereby assessed $50,000 for damages your device caused,” when said device cost $50. That would motivate the manufacturers to make sure their devices can be patched so we can at least have a chance at keeping them secure.

Sincerely,
Well, everybody

Hmm • September 12, 2018 1:38 PM

Your best bet is writing someone in Brussels to achieve any actual motion as you describe.

That government still has its own teeth.

Technotron • September 12, 2018 2:03 PM

McAfee report says that to break into this gadget, they needed access to the network.

So… they need access to the network… so they can hack into this device… so they can get access to the network??

My head is spinning!!

Clive Robinson • September 12, 2018 2:09 PM

@ Bruce and the usual susprcts,

From the intro,

Because they are commonly built by bolting on network connectivity to existing appliances, many IoT devices have little in the way of built-in network security.

Just how many years is it we’ve been saying this collectively?

I know I’ve been saying it since before the term “IoT” was coined in one way or another, going back even befor the now forgoton “Smart Grid” that was to hide behind Smart Meters, even befor electronic medical implants got NFC type “wireless”…

All the warnings and signs were there…

But how much notice was taken? Further proof that bad ideas and marketing makes the junk people want at prices that can only be suspicious at best.

Much as I don’t like heavy handed legislation with overly broad scope, I’m coming around to the somewhat vengful idea that “Placing on the market” consumer protection should become the 150ton steam hammer solution for these little IoT nuts before they become might oaks of trouble.

John Doe • September 12, 2018 2:47 PM

@Clive Robinson

Agreed. The issue with heavy-handed legislation isn’t that it can’t technically clean up the mess, it’s that almost no legislators know anything about technology… so how are they supposed to legislate good/secure/etc technology? In practical terms, they cannot. The only thing they could possibly do is make a mess of legislation that does little good (and therefore can only be bent to harm)… I realize Bruce is on the whole “legislate, legislate, legislate” bandwagon, but I fear that’s because he knows more technology and market forces (and how they fail) than he does politics (and the many ways it fails too)…

Jesse Thompson • September 12, 2018 2:56 PM

I’mma just keep making sure that this XKCD gets posted on every IOT post here until Bruce finally does a piece on it in particular. 😉

https://xkcd.com/2044/

Frank Doe • September 12, 2018 2:58 PM

“Bruce is on the whole “legislate, legislate, legislate” bandwagon, but I fear that’s because he knows more technology and market forces (and how they fail) than he does politics (and the many ways it fails too)…”

You are on the internet right now as a result of regulations. Good for you.

John Doe • September 12, 2018 4:07 PM

Indeed. Cause Al Gore invented the internet…. 🙂

Will Fiveash • September 12, 2018 5:20 PM

Seems to me the key to preventing IoT exploits is a secure router config.

Clive Robinson • September 12, 2018 10:26 PM

@ Will Fiveash,

Seems to me the key to preventing IoT exploits is a secure router config.

If only, remember routers are not realy that secure and have faults the likes of the SigInt entities love to exploit.

It’s why I came up with the “garden path” design using a couple of routers in series with instrumentation to spot intrusion.

But the best advice if you must buy IoT is to keep them totaly segregated on their own network which has no external connection capability.

Which means don’t buy IoT that has to “ET phone home” to the “Mothership” ever, for several good reasons.

Firstly, the problem is that ever increasing numbers of IoT and home White/brown goods don’t function or function only minimally. Because they have been deliberatly designed to ET, as gathering all the user data is the way they make profit. That is does your fridge realy need a microphone and Internet connectivity?

Secondly it also builds in planed obsolescence as some Amazon customers discovered. That is you pay money for the device it works for a while then one day with no warning “So sorry Mothership gone, functionality stops”… Or worse “So sorry pay 20USD for next months functionality”…

Thirdly your ISP decides enough is enough and cuts of the traffic or makes you pay premium for it. Think back to what the FCC were planning less than two years ago.

echo • September 12, 2018 10:44 PM

This whole discussion is tiring because I have seen it before in other industries. At some point you become exhausted ‘captured by the system’ or want to check out. I’m not interested in security if it’s only about “boys toys” and job titles. This doesn’t really change much either as tracking another industry the discussion has moved on from quality and engagement to the new shiny AI. This has become the new stick to beat everyone with. It’s Jihad by another name.

@John Doe

Bruce admits he is weak on politics and psycho-social systems.

In a lot of ways large state organisations mirror the “Internet of Things”. Badly trained staff who cannot communication within a mess of policy which is badly written or sometimes ignored? I have provided plenty of examples and personal experience to reveal this and dig behind the surface. I have also drawn plenty of connections between things and directly related them to security policy and published strategies. I’m not sure what else I can say if security is only discussed in terms of conflict and “boys toys”, or anonymous low level bureaucrats power tripping.

@Clive

UK/EU consumer protection law would eradicate some of the worst excesses of the US market. Some “reputable” companies are selling tat no differently to Alex Jones. Their products are not fit for purpose. They really only sold for entertainment value and do more harm than good.

Ismar • September 12, 2018 10:52 PM

Why do we need these in the first place?
Is it because we have run out of useful products to sell and are offered these as a substitute while destroying our independence in the process?

Clive Robinson • September 13, 2018 2:41 AM

@ Ismar,

Is it because we have run out of useful products to sell and are offered these as a substitute while destroying our independence in the process?

Not quite but you are on the right lines.

If you start from the observation that much of what people do for a living is “make work” and has no “originality”, “creativity”, or actual “merit”, then ask why “work” and “markets” actually exist, you come to a different perspective.

The main purpose of work for the majority is to keep people occupied and stop them creating trouble. To accomplish this work is made into a “red queens race” for the gullible and by compulsion in other ways for others. Thus work for many is a form of enslavment.

To see this in action in the US “welfare” is increasingly tied to the notion of work. Because there is not “real work” to be done then “make work” in the form of “seeking work” or “training” is substituted where it can be. In some cases this “training” consisted of comming to a work center where each claiment was given a large pile of plastic toys they had to sort by colour. At the end of the day supposadly out of sight of the claiments the suppervisors would tip all the sorted toys into a single container and mix them up so they were ready for the claiments the following day.

The claiments fairly quickly realised they were being forced into “make work” and I assume that the supervisors were not to stupid to realise they were doing “make work” as well as being used as “guard labour” all the way back up the managment tree to the political decision to impliment such a wastefull process.

Many jobs are just another version of this just less obviously so.

Thus you find there is a spectrum which people appear on at one end is those who live entirely inside their heads at the other those who live entirely in other peoples heads. Unsuprisingly it forms a normal distribution curve.

Those who live inside there own heads tend to be the “true creatives” in life, whilst those who live inside their heads are those “networking types” busy making contacts and getting them selves known, but actually achiving well not a lot. The rest of humanity sits in the middle displaying some of either trait.

The problem with humans which causes the “trouble” that “make work” keeps them out of is they are not just “tribal” but “hierarchical”. That is we are effectively “herd creatures, seeking and protecting resources” and thus in the main accept direction rather than excercise free will.

Again there is a spectrum on which people fall with creative types exhibiting free will but those with psychopathic tendecies using their “creativity” on other people which is where most of mankinds leaders or “powers behind the throne” come from as testing has shown and there is a cute lable to name it which is “emotional intelligence”. You could look at it as a measure of “getting your own way”.

People tend to be easer to manage with the carrot not the stick but it means we have both a “rewards process” and “guard labour”. Thus your motivation in the red queen race is either reward or compulsion, either way you are not in control but being controlled. For psychopaths their main reward is treating people like pieces on a chess board. It accounts for the observasions “Evil people have plans”, and “Good people need direction to do good”.

Whilst for creative people the act of creation is often the only reward that realy interests them for most others it’s “status” often as seen through possessions, and sumed up by the “Keeping up with the Jones'” observation.

Thus we have a market of market places to provide “status”, which will also pander to any vice at a price. One such price is “having buttons that can be pushed” thus you can be controled.

One of the most dangerous things to a leader is people who don’t have buttons that can be pushed. As such they don’t want them around no matter how usefull, because they won’t fit in with the herd due to their independence. In earlier times they were heritics or worse.

So to answer your question of,

Why do we need these in the first place?

The answer is that they are “Status Rewards” by which your independence has indeed been lost… Look at an Apple “fanboi” to see that more clearly than many examples.

Clive Robinson • September 13, 2018 3:03 AM

@ echo,

They really only sold for entertainment value and do more harm than good.

It’s the “status” value more than the “entertainment”.

Worse as it’s something that you are concerned about the market for “status” is almost entirely an abusive one.

And in some respects we all abuse someone further down the chain.

As an individual when you go into a restaurant you are proclaiming a level of “status”, which is provided by other people who we know do frequently get abused by their employers.

Even that big chain burger joint. Your “status” is ‘I have the resources to compell another person to flip burgers for me on demand, via an agent of abuse’. People may not realise it but the entire “service sector” is in fact a “Status by abuse” process.

Most Government departments are actually a “Service Sector” thus have “abuse built into the process”. They are staffed mainly by those with buttons that can be pushed, and they in turn to raise their own meger status see those they deal with as objects to have buttons pushed…

I’ve come across it so many times, that I push their buttons back and it turns into “open warfare” that most times they end up loosing often humiliatingly so. I certainly don’t do it for pleasure, it’s an unpleasent, wasteful and often exhausting thing for me to do. Nor do I do it for status as such, basically I do it just so they treat me as they should do and not try to find buttons to push on me.

MrC • September 13, 2018 3:36 AM

@ TimH

Seems overly complicated to me. At first glance, I don’t see how this accomplishes anything you couldn’t do with ebtables+iptables+ip6tables on a single router.

echo • September 13, 2018 5:51 AM

@Clive

Yes, it’s all tiresome and these kinds of thoughts have been bothering me. There is a similar slide with IoT.

“Fascism should more appropriately be called Corporatism because it is a merger of state and corporate power”

– Benito Mussolini

This quote is an idiot test. Anyone who takes it at face value misses the inadequates hiding behind the system. I’ve plastered enough examples in the squid topic about how people with power to legislate are deliberately circumventing human righs “security” law to create potential for abusive “side channels”. My thesis is the same applies to IoT much like Snowden claimed. Within the UK/EU at least this places an obligation on the vendor above and beyond fitness for purpose consumer legislation.

Women by and large don’t fancy idiots. I know I don’t. Perhaps a change of what is perceived as higher status might encourage more useful effort?

CallMeLateForSupper • September 13, 2018 11:38 AM

@Clive
“Which means don’t buy IoT that has to ‘ET phone home’ to the ‘Mothership’ ever, for several good reasons.”

Roger that!

But there’s a fly in the ointment (isn’t there always!), i.e. too often it happens that what the Shiny Thing requires becomes evident only after said Shiny Thing is unboxed at home and doesn’t work. For that reason, I have some sympathy for buyers of electronic gizmos today; few are “propeller-heads. Not much sympathy though, because ….. because so many Shiny Things don’t merit serious consideration, are nothing more that a solution looking for a problem. It’s a strange world.

That thought jumped up and tugged my beard a couple of weeks ago. My beloved, circa 1950 General Electric toaster had died just after the century changed, and I was resigned to simply having no toast. My thinking was that a replacement 1) would cost at least USD100, 2) would be poorly designed and manufactured and 3) not toast worth a d**m. And so I did without toast for nearly a generation. Recently I happened to read a review of a certain toaster, and it was very positive, a 1st Choice. MSRP was mid-USD20. Worth a try… note to self: save receipt and be gentle with the packaging. I got the last one in stock at a local bricks-and-mortar. I was so happy to have scored the prize and screwed Amazon that I nearly neglected to inspect the goods before buying. As I checked the security of attachment of handles and knob etc, I had a chilling thought: Oh &Diety, please no WiFi/Bluetooth!

It wasn’t long ago that toasters were just toasters, but it’s a strange world now.

Hmm • September 13, 2018 12:38 PM

@sup

“My thinking was that a replacement 1) would cost at least USD100”

You’re saying a toaster would cost $100? Uh…

@echo

“Anyone who takes it at face value misses the inadequates hiding behind the system.”

How could anyone miss the baked-in ‘inadequacies’ of fascism blending the state with the corporation?

“The efficiency of the truly national leader consists primarily in preventing the division of the attention of a people, and always in concentrating it on a single enemy.”

“In relation to the political decontamination of our public life, the government will embark upon a systematic campaign to restore the nation’s moral and material health. The whole educational system, theater, film, literature, the press and broadcasting – all these will be used as a means to this end.”

-A. Hitler

John Doe • September 13, 2018 1:32 PM

@MrC

You’re assuming that ebtables/iptables/ip6tables could never possibly have a flaw, and that all users are perfectly smart and can never mis-configure them, so that there can never be a security vulnerability in the router system itself…

Whereas what @TimH is talking about is not making such assumptions. It is assuming that everything has vulnerabilities in it (including… or even, especially… routers), so the more complicated network segregation is meant to limit such things to not as easily adversely affect everything all at once with a single flaw or successful break-in by a hacker…

Perhaps I should refer to @Jesse Thompson’s xkcd post above… 🙂

echo • September 13, 2018 1:43 PM

@Hmm

I’m not persuaded you understood what I meant. You need to unscramble the literal meanings and misdirection of the quotes. The words themselves are plausible and manipulative nonsense. After a casual search I discovred this paper which help sketch out a few issues.

https://ac.els-cdn.com/S1877042814025919/1-s2.0-S1877042814025919-main.pdf?_tid=7579b82c-91e2-4c36-8b55-8218df891e44&acdnat=1536864013_8749480ab6222f82f4c2916c2b599723

A Systemic Functional Analysis of Dictators’ Speech: Toward a Move-based Model
Reza Khanya, Zohre Hamzelou

According to Systemic Functional Grammar (Halliday, 1985), language is a network system that allows its user to make choices for the realization of their intended meaning. In every part of the world, language is (mis)used to serve the dominant ideology present in that particular society. For instance, politicians can give a well organized public speech to deceive common people. However, a thorough rhetorical move analysis of their written form, can decipher the pattern through which people get hooked to take the preferred mind set. On the other hand, CDA aims at denaturalizing hidden abusive power relations and ideological processes embedded in the text. In addition to uncovering discursive means of mental control, it also plays a crucial role in awakening people who contribute to legitimization of dominance through their ignorance. Accordingly, the findings of the present study will be highly beneficial in revealing future persuasive strategies misused by stakeholders to legalize a government as well as clarifying their true intentions.

Hmm • September 13, 2018 2:01 PM

“I’m not persuaded you understood what I meant.”

-I wouldn’t deign to assume I did, nor anyone. Hence the question about what you meant.

“The words themselves are plausible and manipulative nonsense.”

-All words have those qualities in reserve, depending.

All languages, all peoples, individuals have their own meanings and communication is approximated.
Of course speech can support an outcome or ideal by specific rhetorical patterns, no surprise there.

https://en.wikipedia.org/wiki/Nothing_to_hide_argument – for example.

People are initially entirely programmed by society and of course that can be manipulated specifically in subtle ways that they aren’t necessarily aware of.

https://doi.org/10.1111/mila.12080

“A defining assumption in the debate on contextual influences on truth‐conditional content is that such content is often incompletely determined by what is specified in linguistic form. The debate then turns on whether this is evidence for positing a more richly articulated logical form or else a pragmatic process of free enrichment that posits truly unarticulated constituents that are unspecified in linguistic form. Questioning this focus on semantics and pragmatics, this article focuses on the independent grammatical dimensions of the problem. Against the background of a principled account of the different ways in which the lexicon and the grammar, respectively, determine aspects of propositional meaning, and an uncontentious notion of content, nothing turns out to be ‘missing’ in grammatical expressions in order for them to encode complete propositional thoughts. As this predicts, when putatively hidden constituents are made overt or are otherwise added, propositions result that are systematically different from the thoughts originally expressed. Context, while potentially affecting lexically specified aspects of meaning, never affects grammar‐determined ones, suggesting a specific role for grammar in the normal cognitive mode.”

Whether I understand exactly what you meant or wanted to get at, I am certain of some uncertainty in it.

Clive Robinson • September 13, 2018 6:17 PM

@ CallMeLate…,

I have some sympathy for buyers of electronic gizmos today; few are “propeller-heads.

I have a lot of sympathy for buyers, especially when their gizmo either stops working or starts doing strange things just because someone in China decides to have a new profit model.

However whilst they may not be “Prop-Heads” or nerds they bare some responsability for what they buy, in the same way you would a vehicle.

But that said, “Ever tried getting the manual?” is one of those things that realy realy peeves me.

For instance by a Smart Phone, and other than a couple of pages to describe where the buttons are, you get nothing about any apps etc. If you think about it you’ve got a full unix box with windowing software. Bying an equivalent Unix Work Station you used to get 8 linear feet of manuals just for the OS. So actually finding out what any app does is quiye a task…

65535 • September 13, 2018 8:13 PM

To Webmaster

I am getting an “UNUSED” error in the next post and the top 100 posts. Please check out the problem.

echo • September 13, 2018 9:35 PM

@Hmm

Sorry but I picked up a whiff of gaslighting in your original comment. Whatever argument you wish to begin I am not interested plus this strand of discussion is far too off topic even for me and I don’t like you enough to indulge.

Hmm • September 14, 2018 12:05 AM

Well I was serious when I asked what you meant. I didn’t think it would segue into a “thang”

Hmm • September 14, 2018 12:14 AM

@Moderator

“Security Risks of Government Hacking” seems to have a broken something-or-else.

418 unused – The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@schneier.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

(Anything I might have done? I hope not. I don’t even take Ambien.)

Clive Robinson • September 14, 2018 1:57 AM

@ Moderator,
@ Bruce,

!!! URGENT !!!

The blog is throeing up a 418 page with,

webmaster@schneier.com

Message, for only some pages, and it started about an hour or two ago.

I’m guessing by which pages are effected that it is related to a particular user post, and all posts after that.

That is any posts made after to a page that is still accessable in effect then locks the page from access.

This post is to both provide warning and to test the guess.

If the guess is wrong then there will be another post after this. If this post does lock the page then there will not be.

Clive Robinson • September 14, 2018 2:11 AM

@ Moderator,

Looks like my guess is wrong.

The pages that I’ve found to be locked up from your current site front page are,

/blog/newcomments.html

/blog/archives/2018/09/security_risks_14.html

/blog/archives/2018/09/friday_squid_bl_641.html

I hope that helps.

Mercules • September 14, 2018 3:07 AM

“Looks like my guess is wrong.”

HISTORY, REWRITE THYSELF!

CallMeLateForSupper • September 14, 2018 11:01 AM

@Clive

I used to have great sympathy for non-tech slaves of tech devices and spent a lot of time “in the barrel” nosing unasked into their perceived/real problems – volunteering tips, composing intelligible “heads-up” letters. And I made house calls when asked.

The house calls were the first thing I stopped doing, because it became clear over time that non-techs were taking advantage; when Good Ol’ Techie always comes at the drop of a hat, non-techie has no incentive to listen and learn.

Heads-up was the next to go. It had been very rare to get feedback or questions… or even a “Oh! Thanks for nudging me.” I had to assume that my correspondents were not interested; being a PITA is not what I intended.

“Ever tried getting the manual?”
Argh… that is even worse than the “RTFM!” of some years ago. Nowadays, unfortunately, it is indeed more appropriate to preface “RTFM” with “GET the manual.” We remember the days when guides and manuals were expected to be provided with hardware and software. IIRC, Microsoft lead the movement to “soft” manuals (and sometimes forgetting all documentation). It’s oh so helpful and convenient to have the “FM” on CD when the FP (f**kin’ ‘puter) won’t bloody boot! (Oh… I must have a second computer as backup for when the first computer won’t boot? How silly of me; I should have known.)

TRX • September 14, 2018 11:16 AM

You’re saying a toaster would cost $100? Uh…

That also includes your mandatory service contract, toaster software license, and a year’s access to the Toaster Operation Server. Your bread will be exquisitely toasted just the way we think you should like it, as we monitor all aspects of the process in real time.

In keeping with the latest EU directives, operation of your toaster may be restricted during periods of electrical shortages, to force you to notice our political stance on issues you don’t care about, or because the national health database says you’re turning into a pudge, so no toast for you.

Sancho_P • September 14, 2018 3:24 PM

@Clive Robinson, CallMeLateForSupper

Manuals?

I run a desktop PC (Intel), bought at mediamarkt in Spain, where the (huge) manufacturer denies the model’s existence (sorry, not ours, no info, no FW, no update).
A friend got a medical device from our (monopoly) social insurance supplier, the manufacturer says it’s not sold in the EU, only ME, so no info, sorry.
Got an hp 3TB ext. USB drive to repair, but 0 results for it at the hp homepage, not even that it ever existed (it’s still listed at amazon).

[internally it is a WD MyBook with their incredible “HW encryption” using a JMS538S, read https://eprint.iacr.org/2015/1002.pdf for a good laugh, esp. the RNG part]

So nowadays the rule is: Valued customer, take it or leave it, it’s up to you!

Clive Robinson • September 15, 2018 12:07 AM

@ echo,

Women by and large don’t fancy idiots. I know I don’t.

Some don’t care as long as “the idiot is useful” as the First Lady kind of demonstrates… Likewise many other “Political wives”.

Mind you when the idiot turns out to be an imbecile as Bo Jo has, and has made to many wrong turns and you judge he has passed his zenith then as one newspaper put it,

It’s thought the pair finally split last month, when Boris was forced to move out of the Foreign Secretary’s official residence in central London.

Thus when the “usefulness” is gone, as with utility in a tool you dispose of it, with as little concern as you would “white and stale” bread.

echo • September 15, 2018 2:22 AM

@Clive

Um, yes. There is this. I have noticed this myself. It’s a delicate subject!

Personally, I dislike using people. I would find this to be an insult to my intelligence and would feel unhappy.

Jonah • September 15, 2018 8:55 AM

There’s a good deal of analysis which has already been done on these switches. They’re a weird combination of decently good choices (RSA-signed firmware updates) and some comically bad ones (XOR-based packet “encryption”).

Here’s some good info, if you’re interested in more. https://www.softscheck.com/en/reverse-engineering-tp-link-hs110/

CallMeLateForSupper • September 15, 2018 9:16 AM

@Sancho_P
“So nowadays the rule is: Valued customer, take it or leave it, it’s up to you!”

(sigh) Ain’t that the truth.

If the “(huge) manufacturer” of your Markt ‘puter is IBM:
It would have IBM logo if IBM made and sold it. Then check carefully for a part number; (used to be) on an external sticker which had a barcode plus a long number.

If still no joy, examine the interior cards/boards/”boxes”, many of which should have a sticker with FRU+number (say “froooo”; it’s IBM-speak, Field Replaceable Unit). A box that is full of FRU-marked parts was definitely and undeniable made by IBM.

If you can plunk down photos of the box and its part#, that could only help your cause. That said, there is no guarantee of victory, because if the part# has been “removed from marketing” (pages) then the physical box – yes, the very box you’ve got in your hands – ceases to exist. Today it is the best thing since sliced bread and essential to one’s enterprise; tomorrow it’s … well, it never existed.

Finding “the book of words” for that ext WD drive could be impossible if the drive truly did morph into Unobtainium, as WD claims. I have a 2TB ext WD drive that’s about 7-8 years old, but it never existed! (if one believes WD.

A box that is available from a retailer and disavowed by the manufacturer is either NOS (new, old stock) or “refurbished”. In either case, one should look elsewhere if she needs a supported device.

Sancho_P • September 15, 2018 5:08 PM

@CallMeLateForSupper

It’s a Medion (core i5), case design and logo are authentic, same as the sticker with barcode and model number on the bottom and inside – but exactly this model number is not existent. Dozens of very similar ones, though, but also with a different motherboard (likely chipset / FW). The retailer shop had more than 50 boxes at that time when I bought it, and they have several shops around here.
Also the hp drive has on original hp case, label and sticker.

My guess is these are not pirated devices but pre-series or production excess and were sold in bulk by the OM to a clever intermediary.

But what I wanted to say:
Before one buys anything electronically (esp. here in Spain), check (still in store) online with the manufacturer’s homepage for support.
At home, before unpacking, download whatever they have, tomorrow it may be gone.
(There’s definitely a loophole in legislation when they can cease existence)

Of course, never buy branded watches, smartphones or tablets below 1/5 of the listed price (where the tourists are we have plenty “opportunities” to do so, no one seems to care).

AlexR • September 17, 2018 7:53 AM

@TimH • September 12, 2018 8:43 AM
Anyone got comments on Steve Gibson’s Three Router Solution to IOT Insecurity?

Yes:

a technical expert can do it, but an average consumer would be unable to set it up on their own
though it is a complex solution, that does not consider other factors, that some geeks pay attention to, e.g.: (speaking for myself)

power consumption++, given that you use more hardware
more blinking lights at night
more power sockets are used
more tangled wires under your feet, cord extenders, etc.

If you apply that method, you’ll be juggling +3 apples, which will be more challenging. In environments where you have a sysadmin to do these things for you, that is nice, but this is not the case for many households.

We should think about preventive measures, and avoid this problem by guiding consumers away from poorly designed hardware. This information has to be salient, only then will the consumers be able to “vote with their wallet”.

Consider these approaches:
– [focused on privacy] https://dl.acm.org/citation.cfm?id=3236126 (paper available for free, check the visualizations of the label in the doc)
– [focused on security] https://dl.acm.org/citation.cfm?doid=3212480.3212486 (can be integrated into the design above)

The label could empower consumers and help them make better decisions.

In the long run, the problem will probably require a hybrid solution, which includes reviewing software engineering practices, informing consumers, regulations, usability evaluations, etc. Steve Gibson’s method is one step towards the goal, but on its own – it will not solve the problem.

JohnL • September 20, 2018 2:15 PM

I can’t see the Insight issue (BTW I have two, although currently 100% secure as not plugged in) is as serious as people think, as the exploit requires the attacker to be on your home network already, which probably gives a bunch of more interesting attacks. Also WeMo-s are OTA upgradable so it will get patched fairly soon. Interesting they couldn’t brute force the root pwd so some security thought has clearly gone into them.

Schneier on Security

Security Vulnerability in Smart Electric Outlets

Comments

Leave a comment Cancel reply