Slashdot: News for Nerds


Oops: Security Holes In Belkin Home Automation Gear

timothy posted about 5 months ago | from the did-you-leave-the-iron-on-or-shall-I? dept.

Security 77

chicksdaddy writes "The Security Ledger reports that the security firm IOActive has discovered serious security holes in the WeMo home automation technology from Belkin. The vulnerabilities could allow remote attackers to use Belkin's WeMo devices to virtually vandalize connected homes, or as a stepping stone to other computers connected on a home network. IOActive researcher Mike Davis said on Tuesday that his research into Belkin's WeMo technology found the 'devices expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity.' IOActive provided information on Davis's research to the US Computer Emergency Readiness Team (CERT), which issued an advisory on the WeMo issues on Tuesday. There has been no response yet from Belkin."


77 comments

Holes in everyone's router! (1)

GoodNewsJimDotCom (2244874) | about 5 months ago | (#46277779)

Apparently to fix your Linksys, I hear all you need to do is disable: Remote Administration

Re:Holes in everyone's router! (2)

SeaFox (739806) | about 5 months ago | (#46280575)

Apparently to fix your Linksys, I hear all you need to do is disable: Remote Administration

IMHO, that's a feature that should have never been turned on by default to start with. When I bought my last router (a Linksys WRT54G) eight or nine years ago, you could only administer it over wired connections by default. You had to turn on the ability to use wireless devices to make changes.

Nowadays router makers seem to all allow wireless admin access by default, even when most people never bother to change the admin password. So all you need is to not secure your wifi (or have a compromised password) and any wardriver can have free rein to change stuff.

Re:Holes in everyone's router! (1)

uvajed_ekil (914487) | about 5 months ago | (#46282699)

Not a problem for those of us who use aftermarket/open firmware. Or not such a problem. The recent hubbub over Linksys routers only concerns those with stock firmware, no? Of course it is a bit disturbing nonetheless, but at least there are not major inherent flaws in the hardware that cannot be patched. And I'm 100% positive that there are many routers that have much more serious issues. And how often are home or small business routers really directly hacked anyway?

Predictable .... (4, Interesting)

gstoddart (321705) | about 5 months ago | (#46277801)

As soon as you start having something poking holes through your firewall to allow inbound traffic, this is pretty much a predictable outcome.

The internet of things, smart home monitoring, and thermostats you can adjust from the web ... all of these are things which are going to cause security problems, because most companies doing these kinds of things seem to completely ignore security, or when they try, still do a piss poor job.

I view the whole thing as a big "what did you expect?".

Re:Predictable .... (-1, Troll)

Charliemopps (1157495) | about 5 months ago | (#46278319)

Well, your wifi network should not have any access to the internal network... period. But I think the problem here is the devices themselves. They are in control of some high wattage appliances in your home. If they can be accessed without proper credentials, then I could see someone turning the furnace on full blast 24/7, dropping the humidity to 0, then cycling every appliance in the house on and off as fast as possible until something fries.

Re:Predictable .... (3, Insightful)

sexconker (1179573) | about 5 months ago | (#46279337)

Well your wifi network should not have any access to the internal network... period.

What the fuck? My girlfriend has a laptop. We both have phones. Those devices connect to our internal network via Wifi. We need to access the LAN over Wifi.
If you want a separate network for your home automation shit, then you've got to have some means of controlling it, so you're inevitably going to end up bridging the two networks at some point.

Re:Predictable .... (1)

fisted (2295862) | about 5 months ago | (#46280257)

I do all my home automation manually, in the basement, on tty0, you insensitive clod.

Re:Predictable .... (1, Funny)

boristdog (133725) | about 5 months ago | (#46278525)

Which is why the best home security system is still the kind with four paws and a loud bark.

Re:Predictable .... (1)

EvilSS (557649) | about 5 months ago | (#46278821)

Which is why the best home security system is still the kind with four paws and a loud bark.

I dunno about that. Mine has two steel feet and a pair of vulcan cannons and I feel pretty secure.

Re:Predictable .... (0)

Anonymous Coward | about 5 months ago | (#46280087)

Which is why the best home security system is still the kind with four paws and a loud bark.

Security weaknesses in the K9 system have been well documented and are actively exploited. Since this product is no longer supported, updates are not expected any time soon.

Re:Predictable .... (1)

uvajed_ekil (914487) | about 5 months ago | (#46282805)

My home security system consists mainly of a number of conspicuous perimeter signs (which mention the main hardware provider, Smith & Wesson), a large and vocal canine, and some "hardware" as a last line of defense. 100% uptime (aside from some partial downtime when I take the dog with me) and effectiveness since installation.

If I may be perfectly sincere, a medium-large dog that barks when startled is generally all you need to protect your home. Most all dogs are incredibly vigilant, and no burglar wants to deal with a dog. From a criminal's perspective, it is much easier to move on to the next house than fight off a potentially dangerous dog (or dogs - it can be hard to tell whether a home with a dog has one or several). Most burglars don't spend days, weeks or months casing a house like bank robbers in movies do.

I did have a break-in once. There was no dog and no car in the driveway. 1:00 in the afternoon on a weekday and some homeless 37 year-old drug addict decided my house was the one to loot. Too bad for her (yes, her) I was home. Too bad for me that the prosecutor inexplicably refused to speak to me and had the charges dismissed six months later. Lucky for her I did not have "hardware" handy at the moment and was in utter disbelief.

You're talking about MS-Windows, right? (0)

Anonymous Coward | about 5 months ago | (#46280007)

As soon as you start having something poking holes through your firewall to allow inbound traffic, this is pretty much a predictable outcome.

So, you're predicting this'll happen to everyone running Teredo-capable Microsoft Windows systems (like Win7, for example) that hasn't manually disabled UPnP on their routers, then? Since those systems can (and do!) open incoming ports on most commercial routers and APs without the system owner knowing anything about it...

Re:You're talking about MS-Windows, right? (1)

0123456 (636235) | about 5 months ago | (#46282671)

People actually leave UPnP enabled on their routers?

Re:Predictable .... (1)

contrapunctus (907549) | about 5 months ago | (#46285031)

The WeMo switch I have is connected to the guest network of my router.
So the rest of my network is secure I hope...

I say Tomato... (3, Funny)

plover (150551) | about 5 months ago | (#46277835)

...you say Belkin,
let's watch your house get hacked.


Belkin Gear (2)

sjbe (173966) | about 5 months ago | (#46277849)

...from Belkin

What is it with these guys? Every piece of gear of theirs I've tried over the years has been flaky or just plain crap. I realize I don't have a large sample size but I've seen other people make similar comments about their gear. Their stuff just always seems to have some sort of problem.

Re:Belkin Gear (-1)

Anonymous Coward | about 5 months ago | (#46277955)

That's because they hire dropouts from bottom-level schools in India to do their engineering work.

(The captcha is oddly apt: "disaster")

Re:Belkin Gear (3, Interesting)

J'raxis (248192) | about 5 months ago | (#46278063)

Maybe their hardware is crap because they're more about abusing their customers [slashdot.org] than providing quality products.

Re:Belkin Gear (1)

Rufty (37223) | about 5 months ago | (#46278481)

I used to like Netgear, but they're crap now. You say Belkin is too, OK, who then? Linksys? I've had fun mucking up a WRT54GL, but that's ancient now, and back then Netgear were OK, too. TP-Link? I like the TL-WR703N, but that's not really a big sample size.

Re:Belkin Gear (1)

sjbe (173966) | about 5 months ago | (#46279031)

I used to like Netgear, but they're crap now. You say Belkin is too, OK, who then?

I've at least had mixed luck with Netgear stuff, mostly fine with a few duds. Same with Linksys, D-Link, Trendnet and some others. Apple gear I've used has been solid if pricey. But I have yet to have a bit of Belkin gear that didn't do something unexpected (in a bad way). Maybe some of their stuff is fine but I haven't come across it.

Re:Belkin Gear (2)

Grishnakh (216268) | about 5 months ago | (#46279769)

Try Buffalo; their routers come standard with DD-WRT. Or, look at the DD-WRT and OpenWRT device databases and pick a well-supported device to run one of those firmwares on.

Re:Belkin Gear (1)

LoRdTAW (99712) | about 5 months ago | (#46279771)

I have one of their routers here at work (not my decision, I can assure you). It works but its web config menu sucks and lacks many of the features you find in a decent router OS like m0n0wall or pfSense. But that is every crappy low end router. At home I run m0n0wall on an ALIX board. That system is *ROCK SOLID* and I highly recommend it if you want a basic yet solid router for a connection of upward of 50 Mbps or a bit more. If you want more speed for 100 Mbps+ then go with a Soekris NET6501 and pfSense.

*BUT*
I have used Netgear switches exclusively at home since I bought my first networking kit from them back in 1999 (2 PCI 10/100 NICs and a 4 port 10/100 hub). I have probably owned 6 or 7 different Netgear switches over the years and they worked perfectly up until they were upgraded or retired. I don't buy the home networking products in the ugly plastic cases. Instead I only buy the business oriented switches in the metal cases. Sure, you spend anywhere from 70-100 bucks for an 8 port switch (or a bit more if you want a smart switch) but they have yet to fail on me. Right now at home I have a Netgear GS110TP, the ALIX running m0n0wall and a Ubiquiti UniFi AP (it's an awesome AP). You couldn't ask for a better, more solid home networking setup.

Re:Belkin Gear (1)

DarwinSurvivor (1752106) | about 5 months ago | (#46281207)

Belkin now owns Linksys.

Re:Belkin Gear (1)

andydread (758754) | about 5 months ago | (#46278699)

Would you like to recommend an alternative that works better in your experience?

Re:Belkin Gear (1)

sjbe (173966) | about 5 months ago | (#46279091)

Would you like to recommend an alternative that works better in your experience?

Lately I've had the best luck with Trendnet and Apple. Dlink and Netgear are usually fine though I have run across a few bad pieces of gear. Linksys I've had mixed luck with and their stuff has gotten worse over time. My small office uses a Netgear 24 port switch, a few Trendnet gigabit switches and an Apple Airport Express for wireless. Haven't had any problems with any of it. We had a Netgear router (replaced by the Airport) which handled our wireless until it died for unexplained reasons.

Sample size here is small though so don't take my word without a lot of NaCl.

Re:Belkin Gear (1)

Anonymous Coward | about 5 months ago | (#46279101)

I remember when Belkin was mostly known for desk organizers and mouse pads. I wish they'd have stayed that way.

Re:Belkin Gear (1)

Grishnakh (216268) | about 5 months ago | (#46279777)

Don't forget horrifically overpriced cables.

Re:Belkin Gear (1)

gtall (79522) | about 5 months ago | (#46279265)

I only have a data point of one, a gizmo to use the radio to capture iPod tunes and play them so I could hear them. Never worked right. I finally gave up resolved not to believe anything Belkin says about their stuff. With only one data point, that's not a good argument, but then I don't want to get burned again.

Re:Belkin Gear (1)

drinkypoo (153816) | about 5 months ago | (#46281145)

What is it with these guys? Every piece of gear of theirs I've tried over the years has been flaky or just plain crap.

Well, the problem is that all their gear is flaky or just plain crap.

They make pretty good cables. Everything else is junk.

Re:Belkin Gear (1)

AmiMoJo (196126) | about 5 months ago | (#46285227)

They position themselves as a high end brand, priced appropriately. In fact they buy the cheapest shit they can get that week and package it up, usually with the same model number as last week, so the driver download is actually a bundle of several different drivers.

Attention Alice Hill (-1)

Anonymous Coward | about 5 months ago | (#46277861)

Slashdot Classic - Something I'd expect to squirt out of your pussy when you have an orgasm.

Beta - Something I'd expect to squirt out of your anus after drinking rotten milk.

Re:Attention Alice Hill (-1)

Anonymous Coward | about 5 months ago | (#46277983)

wow....

but it's true, Beta is that bad.

Re:Attention Alice Hill (-1)

Anonymous Coward | about 5 months ago | (#46278317)

Man, seriously.. Do you have anything nice to say..
There are several ways to look @ this..
Yes, Beta sucks, hooray..
But this overly descriptive diatribe of how body parts, etc. work is just over the top..
It is because of these atrocious, unnecessary, and vulgar responses that what may be the new "Slashdot crowd" is repelled.
We should attract based on intelligence, integrity, and intellect. This comment seems to subvert that.
Moving past that..
Can someone get off their (fallen asleep) tushies and censor this type of nonsense.. Freedom of speech is one thing, but describing the vulgar function of body parts in a public forum is outrageous, off topic, unnecessary, a waste of time/energy, immature, unbecoming of the educated staff of this publication, and seriously, is it really for the kids/your mother/your wife?

Moving past all of that, why would my pussy-cat be squirting? Very confusing.

Instead of -1, why not just pull the comment citing vulgarity??

ok c yaaaa

I saw a documentary about this on TV last night (4, Funny)

OzPeter (195038) | about 5 months ago | (#46277895)

The hackers got into the home security system and caused it to mis-identify the homeowners as intruders. This caused the home security system to activate its laser targeted rifle and shoot (to kill) one of the homeowners.

Ooops .. sorry .. that was last night's episode of Almost Human [fox.com]

(and it's pretty sad when Fox has better Sci-Fi on than the Sy-Fy channel)

Re:I saw a documentary about this on TV last night (1)

gstoddart (321705) | about 5 months ago | (#46278045)

and it's pretty sad when Fox has better Sci-Fi on than the Sy-Fy channel

It may be sad for Sy-Fy, but I'm personally glad to see that decent sci-fi is actually being made and that people don't just keep not understanding the audience.

Re:I saw a documentary about this on TV last night (0)

dysmal (3361085) | about 5 months ago | (#46278089)

Sad when Fox News has better Sci Fi than the Sy Fy channel.

Re:I saw a documentary about this on TV last night (0)

OzPeter (195038) | about 5 months ago | (#46278129)

but I'm personally glad to see that decent sci-fi is actually being made and that people don't just keep not understanding the audience.

When it comes down to it Almost Human is your basic cop/detective show. However the writers have done a pretty good job of weaving in the future implications of technology as plot points.

As an aside IMHO that article the other day asking about where is decent SciFi nowadays seemed to miss the point that for a good show character interactions and growth are what makes it good and that technology by itself is merely a prop.

Re:I saw a documentary about this on TV last night (0)

Yetihehe (971185) | about 5 months ago | (#46278253)

As an aside IMHO that article the other day asking about where is decent SciFi nowadays seemed to miss the point that for a good show character interactions and growth are what makes it good and that technology by itself is merely a prop.

In MY humble opinion, character interactions and growth makes a good space opera (SyFy), not SciFi.

Re:I saw a documentary about this on TV last night (1)

gstoddart (321705) | about 5 months ago | (#46278359)

Nope, crashing and booming and action makes good space opera (Star Wars was space opera not sci-fi).

Exploring how technology affects our lives and what we do with it, that's sci-fi.

Re:I saw a documentary about this on TV last night (1)

swb (14022) | about 5 months ago | (#46280029)

You and the person you're replying to are both right.

There's a fair amount of scifi that merely ladles on a bunch of melodrama in the hope that someone will think of it as "character development" when in fact it often just serves as filler and often displaces action and technology.

"Walking Dead" went down this road IMHO in Season 2 on the Farm. So much of that season was personal and social angst in a rural agricultural setting with the occasional appearance of a zombie. Everything else kind of went by the wayside. I'm not saying some of it wasn't enjoyable or it wasn't well done or that it isn't a "realistic" depiction of being stuck with people in a crisis situation but the entire narrative was defined by a bunch of personal melodrama without the rest of it.

Showing the complex personal, social and cultural dimensions of science and technology -- when it happens -- is when science fiction transcends being genre entertainment and actually becomes more like classical drama or literature.

Re:I saw a documentary about this on TV last night (0)

Anonymous Coward | about 5 months ago | (#46278093)

(and it's pretty sad when Fox has better Sci-Fi on than the Sy-Fy channel)

Dude, Fox has great SciFi. It's the "Real Science" on Fox that has folks worried.

Re:I saw a documentary about this on TV last night (0)

Anonymous Coward | about 5 months ago | (#46278531)

OK ok, seriously..

how did home automation roll into programming on FOX???

Are there any moderators working @ /.???

is there anybody to keep this thread on track??

Perhaps it's not so much Beta that sucks......................
Perhaps it's the new overlords that are now in control of the "snicker" content..

Way to go /., just keep losing those readers..
When I used to work for Hitachi back in the late 80's there was a division that was solely set up as a tax shelter (business losses) etc..
That division was set up, meant, and cultured into failure. That being said, I am conjecturing that /. has now turned into the "business loss" tax shelter..
Looking @ this thread, it's easy to understand that proposed conclusion..

People, seriously.. I do love /., I loved it a lot more back in the "day", but we all evolve and move on.. sometimes better, most times worse..

Please save the ship before it sinks, and a national treasure is lost forever due to stupidity..

thanks and Seee ya.

Re:I saw a documentary about this on TV last night (1)

Megane (129182) | about 5 months ago | (#46279627)

how did home automation roll into programming on FOX???

Seriously, at least try to understand the message you are responding to before making a mindless Buck Feta rant.

Let me 'splain it to you Loozy. There's this new cop show on TV, only one of the cops is an android. [wikipedia.org] And it's set like 35 years in the future, [wikipedia.org] so all the cool stuff of 2014 (like quadcopters) [wikipedia.org] is everyday stuff. And people do bad stuff with the cool stuff, so the human cop and the robot cop have to sort it all out. And in yesterday's episode (oh yeah, ON FOX), someone hacked into a home automation system to kill the people living there. (Though it helped that there was a frickin' death laser attached to it.)

Re:I saw a documentary about this on TV last night (0)

Anonymous Coward | about 5 months ago | (#46278585)

I think it's pretty sad when the moderators can't keep this thread on topic..
How did faulty home automation spawn a discussion about the television programming on the Sy-phy channel versus Faux?

Let's conserve energy and stop writing hyperbole like this..

The RedEye Jedi.

Re:I saw a documentary about this on TV last night (1)

OzPeter (195038) | about 5 months ago | (#46279897)

I think it's pretty sad when the moderators can't keep this thread on topic..

Who are these "moderators" that you speak of? And what is the topic they should be keeping the thread on?

Re:I saw a documentary about this on TV last night (1)

Joe_Dragon (2206452) | about 5 months ago | (#46278155)

You beat me to it.

still the south park one was very funny

http://www.southparkstudios.co... [southparkstudios.com]

Re:I saw a documentary about this on TV last night (1)

mrchaotica (681592) | about 5 months ago | (#46279421)

(and it's pretty sad when Fox has better Sci-Fi on than the Sy-Fy channel)

What else do you expect from something that sounds like a pet-name for venereal disease?

Re:I saw a documentary about this on TV last night (1)

Megane (129182) | about 5 months ago | (#46279633)

I thought "SyFy" was pronounced "shitty".

Re:I saw a documentary about this on TV last night (1)

Lanforod (1344011) | about 5 months ago | (#46279629)

Bastard. Where was the spoiler warning? I haven't watched that episode yet.

Re:I saw a documentary about this on TV last night (1)

OzPeter (195038) | about 5 months ago | (#46279885)

Bastard. Where was the spoiler warning? I haven't watched that episode yet.

Considering that that was the opening sequence of the show I hardly consider that it needed a spoiler alert. Now you may want to shut your eyes before you read about who actually did the hacking .. :D

Re:I saw a documentary about this on TV last night (1)

Grishnakh (216268) | about 5 months ago | (#46279791)

(and it's pretty sad when Fox has better Sci-Fi on than the Sy-Fy channel)

Expect the show to be cancelled early. This is typical of Fox: they cancelled Firefly after 14 episodes, and Terra Nova after 1 season (with a cliffhanger).

Re:I saw a documentary about this on TV last night (0)

Anonymous Coward | about 5 months ago | (#46280661)

And Dark Angel; Titus; Undeclared; Action; That 80's Show; Wonderfalls; Fastlane; Andy Richter Controls the Universe; Skin; Girls Club; Cracking Up; The Pitts; Firefly; Get Real; FreakyLinks; Wanda At Large; Costello; The Lone Gunmen; A Minute With Stan Hooper; Normal, Ohio; Pasadena; Harsh Realm; Keen Eddie; The Street; American Embassy; Cedric the Entertainer; The Tick; Louie; and Greg the Bunny.

But don't worry, this time they won't betray us!

Re:I saw a documentary about this on TV last night (1)

antdude (79039) | about 5 months ago | (#46281815)

Also, FOX messed up the episode order of Almost Human like it did with Firefly. :(

Re:I saw a documentary about this on TV last night (0)

Anonymous Coward | about 5 months ago | (#46338667)

That's because Fox is for entertainment and SyFy is like Syphilis.

Intentional backdoors? (1)

J'raxis (248192) | about 5 months ago | (#46278037)

Remember when this company did this [slashdot.org] to their routers?

Surprised? (3, Interesting)

dysmal (3361085) | about 5 months ago | (#46278157)

Why is anyone surprised? The more stuff you have online, the more targets you have on your back. This reminds me of the arguments after Stuxnet when people were asking why equipment was online that had no business being online. People are trying to set up their house like the Jetsons, with everything automated and controllable from their smart phone. Just because you can, doesn't mean you should! http://www.businessinsider.com... [businessinsider.com] http://online.wsj.com/news/art... [wsj.com]

MOAR IETF! (1)

markhahn (122033) | about 5 months ago | (#46278169)

IETF made everything possible, but has unfortunately been somewhat abandoned, or at least isn't functioning as a mooring-of-sanity as it used to. In some ways, this is inevitable, since the e-world is big enough that even a small company can do its own thing, and still succeed big.

This matters for IoT, since most cloud-enabled IoT devices do totally random things: poke through firewalls with UPnP, shove your private data into some random website, potentially over insecure protocols. (Or protocols that could be secure, but are implemented poorly or are simply in need of an update.) At some level, the problem is really that the easy path, for any given cloud vendor, is to set up their own cloud infrastructure (though it might be layered on Amazon, etc.). This is bad for the customer because what happens when the company crashes, or gets bought and dissolved, or when the company just decides to stop supporting the device?

IETF should be thinking along the lines of a *local* data hub that you own, that your devices talk to over a simpler, standard protocol. Not that security can be ignored just because traffic is local, but an extra level of indirection makes all the difference in hardware as well as software. Whether that local hub is intelligent, whether it has storage - open question. And maybe devices need to fall back to trying to talk to the external cloud. But customers will eventually realize that they should want their own data to at least potentially be under their own control, not inherently subject to the vagaries of some wispy, transient external cloud. You don't want your fire alarm dependent on random external sites, or your internet-enabled door locks, or your thermostat, etc.

Re:MOAR IETF! (1)

Obfuscant (592200) | about 5 months ago | (#46280373)

IETF should be thinking along the lines of a *local* data hub that you own,

You give IETF more power than they actually have. They document standards. They don't police them. They can't kick someone who violates them off the net. We have a long history of companies who ignore the standards because they want to either "enhance the user experience" or control it ...

You don't want your fire alarm dependent on random external sites, or your internet-enabled door locks, or your thermostat, etc.

Most people who buy this kind of stuff want it to "just work". That means they don't care if it uses some cloud services, they want to buy it, plug it in, and have it do something productive. Making it cost more by requiring a more complex home network with controllers and such will cost sales to companies that don't require that.

That's why the Xfinity et al. home automation services are there. Someone else deals with it, and then you can do all kinds of stuff from work, the grocery store, etc. The person who is pushing a grocery cart down the aisle and decides to lower the thermostat isn't worried about someone else pushing it back up.

The guy sitting on the front porch of his vacation home quizzing the kids about whether they shut off everything at the real house and then pushing a single button that turns off the TV, kitchen faucet (???!!!), lights, and then locks the doors, doesn't think about someone else being able to turn them back on. And that commercial is one of the scariest ones I've seen. Xfinity will actually let you turn your kitchen faucet on and off remotely. What have we come to as a society if we need that kind of remote control? We really do have people who were raised in a barn, I guess.

Black Friday sales (2)

omnichad (1198475) | about 5 months ago | (#46278797)

That explains all the Black Friday sales on this product. Get them sold before the vulnerability is public. I'm betting they knew about this.

Writes itself (1)

ThatsNotPudding (1045640) | about 5 months ago | (#46279151)

"WeMo dumb, we just got our customers robbed."

Additionally, our mothers are rather large.

Already Patched (2)

Bruha (412869) | about 5 months ago | (#46279461)

Latest firmware contained security fixes.

Re:Already Patched (1)

msauve (701917) | about 5 months ago | (#46279693)

So, where can the changelog be found which documents that the latest firmware has addressed all the noted issues?

Re:Already Patched (1)

DarwinSurvivor (1752106) | about 5 months ago | (#46281247)

Good, but that doesn't do much for the non-technical people who bought this and won't be checking for firmware updates every weekend.

Re:Already Patched (0)

Anonymous Coward | about 5 months ago | (#46282709)

So it ought to: They were only notified about it by US-CERT back in October.

Software faults, real world consequences (1)

Barbarian (9467) | about 5 months ago | (#46279563)

Any automated control should have a local override to disconnect it from the control loop. This is normal practice in process plants. That way, when a hacker takes over your thermostat, you put it in override until the access problem is fixed.

Second, fires caused by software should not be possible. Protections should be baked into the hardware for home control things that can have consequences for people.

The hidden danger of the IoT... (3, Interesting)

BUL2294 (1081735) | about 5 months ago | (#46279619)

Not to sound like I'm a crotchety old man telling kids to "stay off my lawn" and eschewing technology, but the Internet of Things really is opening Pandora's box... Currently, manufacturers tend to make a product, find bugs/get user complaints & make a new product. They might produce a few bug/security fixes--but then ignore that product in very short order. But the IoT really changes things, and not for the better...

Here's an example... Walk around your house and figure out the age of all of your appliances. You probably have a few items (e.g. refrigerator) that are pushing 20 years old??? Now, imagine you buy a few shiny new IoT appliances & they're all connected to the Internet--15+ years from now. Seriously, this is a disaster waiting to happen & a hacker's wet dream... Imagine what support will exist 15 years from now for current versions of Android 4.x, Linux 3.x, Apache, PHP, MySQL, etc. Or better yet, what 1999-era software still receives even security patches or bug fixes? (Win9x--nope. Linux 2.2--nope. IIS4--nope. W2K--nope. SQL Server 7--nope... You get my point...)

Ultimately, with the IoT, we're trusting that companies will be willing to support their products, including OS kernel patching on FOSS platforms that were long-abandoned by their progenitors, 25-odd years??? Dream on... I don't intend to replace my fridge or washer in a few years because it got "bricked" because of a security hole the manufacturer chose to ignore...

Belkin's problems are only the beginning...

Little choice (0)

Anonymous Coward | about 5 months ago | (#46281099)

Or better yet, what 1999-era software still receives even security patches or bug fixes? (Win9x--nope.

Funny that around August 2001 good ol' XP came out, and extended-support-we-really-mean-it-now was applied to its support deadline on this end of the long rope to 2014 (48.98 days from now).
IE6 managed to achieve a close second in longevity with ~7 years of updates (Wikipedia says May 2008 was the latest stable release), but I don't know if they patch it with Windows Updates. It is funny how little people care that certain devices

Ultimately, with the IoT, we're trusting that companies will be willing to support their products, including OS kernel patching on FOSS platforms that were long-abandoned by their progenitors, 25-odd years??? Dream on... I don't intend to replace my fridge or washer in a few years because it got "bricked" because of a security hole the manufacturer chose to ignore...

I am pretty bitter about industry collusion to destroy old tech via attrition. I'm pretty sure one day you'll walk into the store and just have to buy IoT devices. I mean, try to find a monochrome dumbphone in this day and age (even ten years ago it was a dying breed). All you can do is buy the tech and try to find a reason NOT to plug it in. But they'll find something tempting to put there, such as FB or tweet feed readers, and presto. I mean, Cat-5 and video-game consoles don't match... DIDN'T until PSNetwork and XBox brought online play into the living room. Lastly, if people distrust their Cat 5 and wifi, the companies will just roll their own, or shoehorn it into infant tech. The wifi-ac standard can probably jump through the "DRAFT!" ropes with labeling. Wireless N has only been "final" for like 3 years

Re:The hidden danger of the IoT... (0)

Anonymous Coward | about 5 months ago | (#46290037)

We won't be able to stop the integration of networking components into "dumb" appliances, but they won't be able to stop us from just not connecting them to the internet.

I mean, it has to work without internet, right?

Right?

Ugh, maybe it will just remain a "luxury" option on those insanely priced $3,000+ models...

Although it will be funny to read stories about how if your milk is 3 days past expiration and your strawberries look questionable, Brand X Internet-Aware Refrigerators will buffer overflow into a 100% cooling cycle, spiking your electricity usage, freezing the unit solid and potentially burning the mechanics out... Nah, couldn't happen, right?

temporary fix (3, Interesting)

NetMagi (547135) | about 5 months ago | (#46279621)

If you control your Belkin WeMos locally like I do (Shell Script To Control Belkin WeMo's - http://moderntoil.com/?p=839 [moderntoil.com] ), the answer is as simple as a few firewall rules to stay safe. First, when I read this, I panicked and blocked all outgoing requests from the IPs of my WeMos, then watched the firewall log to see what they were trying to do. Mine were pinging my LAN default gateway, trying to connect to "184.73.174.14:3478", and trying to connect to multiple IPs on UDP port 123. I adjusted my rules to allow them to hit the default gateway directly (but not NAT through it), since this is probably some check by the local OS on the WeMos to see if the network is up. I also allowed them to hit anything on UDP 123 (NTP), since without the current time, they can be useless with a schedule. Looking at my logs now, all I see blocked is the constant requests to "184.73.174.14:3478". Local control resumed normally with these changes in place.
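
The triage step described in that comment (block everything from the WeMo addresses, read the firewall log, then whitelist only the gateway check and NTP) can be scripted so the log review is repeatable. The block below is an added example and is not code from the comment author or from Belkin; it parses constructed iptables-style LOG lines and assigns each flow one of three verdicts matching the comment's policy. The WeMo addresses (192.168.1.50, .51), the gateway (192.168.1.1), the log prefix "WEMO-DROP" and the TEST-NET NTP destinations are assumptions for the sample; the 184.73.174.14:3478 destination is the one reported on the page.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in the iptables "LOG" target format (not real captures).
SAMPLE_LOG = """\
kernel: WEMO-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=184.73.174.14 PROTO=TCP SPT=49152 DPT=3478
kernel: WEMO-DROP IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=ICMP TYPE=8 CODE=0
kernel: WEMO-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=UDP SPT=123 DPT=123
kernel: WEMO-DROP IN=br0 OUT=eth0 SRC=192.168.1.51 DST=184.73.174.14 PROTO=TCP SPT=49153 DPT=3478
kernel: WEMO-DROP IN=br0 OUT=eth0 SRC=192.168.1.51 DST=198.51.100.20 PROTO=UDP SPT=123 DPT=123
kernel: WEMO-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=184.73.174.14 PROTO=TCP SPT=49154 DPT=3478
"""

# Assumed addresses for this example: the two WeMo switches and the LAN default gateway.
WEMO_HOSTS = {"192.168.1.50", "192.168.1.51"}
LAN_GATEWAY = "192.168.1.1"
NTP_PORT = 123

KV = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict, or None
    if the line does not carry the minimum SRC/DST/PROTO fields."""
    fields = dict(KV.findall(line))
    if not {"SRC", "DST", "PROTO"} <= fields.keys():
        return None
    return fields


def classify(fields):
    """Map one blocked flow to (flow type, verdict), mirroring the three flow
    types the comment observed: gateway reachability check, NTP, and the
    persistent outbound connection to the cloud endpoint."""
    src, dst, proto = fields["SRC"], fields["DST"], fields["PROTO"]
    dport = int(fields["DPT"]) if fields.get("DPT") else None
    if src not in WEMO_HOSTS:
        return ("not-wemo", "ignore")
    if dst == LAN_GATEWAY:
        # Allowed directly, but the device must not be NATed through the gateway.
        return ("gateway-check", "allow-direct")
    if proto == "UDP" and dport == NTP_PORT:
        # Without NTP the device has no clock and schedules do not work.
        return ("ntp", "allow")
    if not ip_address(dst).is_private:
        # Anything else leaving the LAN stays blocked for local-only control.
        return ("cloud", "block")
    return ("lan", "review")


def triage(log_text):
    """Aggregate log lines into (src, dst, proto, dport) flows, each with a
    hit count and the verdict from classify()."""
    counts = Counter()
    verdicts = {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        key = (fields["SRC"], fields["DST"], fields["PROTO"], fields.get("DPT", ""))
        counts[key] += 1
        verdicts[key] = classify(fields)
    return {key: (counts[key], verdicts[key]) for key in counts}


if __name__ == "__main__":
    for (src, dst, proto, dport), (n, (kind, verdict)) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}:{dport or '-'}/{proto:<4} x{n}  {kind:<14} {verdict}")
```

Run against a real ruleset, the "block" rows are the ones to keep dropping and the "allow" rows are the candidates for explicit accept rules; any "lan" row (a WeMo talking to another LAN host) is worth a look before it is whitelisted.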

Re:temporary fix (1)

Obfuscant (592200) | about 5 months ago | (#46280275)

...all I see blocked is the constant requests to "184.73.174.14:3478".

Interesting. That's an address in the Amazon cloud. It accepts telnet connections but gives nothing back that I can see.

It may be something like the attempted external connections I found from an internet power switch. Why would an internet power switch be trying to connect to a site in China? The vendor claims it was their aborted attempt at a dynamic DNS service so you could control the switch from the world. I dunno, but I blocked it anyway.

At the same time I found this traffic, I also found that a relatively recent SOHO WAN/LAN router would honor DHCP requests on the WAN(!) side and this "feature" could not be shut off or configured, and it was doing broadcasts to do device discovery on the same WAN port, which also could not be turned off. Sorry, I forget which brand this was. I think the name started with L or D ... I finally bought a more expensive "N" based router that doesn't have these defects.

I wonder why the fridge calls me fat ass all the (0)

Anonymous Coward | about 5 months ago | (#46280381)

I wonder why the fridge calls me fat ass all the time?

Please tell me I'm dreaming! (1)

wdhowellsr (530924) | about 5 months ago | (#46281331)

Please tell me the browser cache is screwing with me. Please tell me that my wife wants to have sex more often ( ok that isn't going to happen, I have a 12 and 15 year old) Do we really have Slashdot.org back?

"security" (1)

uvajed_ekil (914487) | about 5 months ago | (#46282653)

Security holes in a Belkin something? Go on, you can't possibly be serious.

Note to self (1)

sgt scrub (869860) | about 5 months ago | (#46282873)

Self,
Disconnect chainsaw from home network.

Stupid architecture (1)

sjames (1099) | about 5 months ago | (#46284395)

'The cloud' should not have any access to these devices AT ALL. At most, a hole in the firewall should allow external connections to a server running on the LAN that can then talk to the devices (and that should be entirely optional). They should never even try to phone home for any reason. It's nobody's business but mine which lights are turned on.

That is especially true since according to TFA, Belkin leaked the keys to the kingdom.

Belkin says "solved" http://www.belkin.com/us/supp (1)

franklyray (3547025) | about 5 months ago | (#46306257)

Just reconnected my two switches. Let's see.