See, I Told You So (IoT Security)
The Market Ticker - Commentary on The Capital Markets

2019-01-14 15:28 by Karl Denninger
in Consumer

This is why you don't put items like this in your house -- ever.

Our biggest story of the week was a cautionary tale of exactly how wrong smart home security can be. Amazon-owned Nest competitor, Ring is in hot water over the reported ability for US employees to watch the feed from almost any Ring camera. Some employees used this ability to watch other employees’ feeds and tease them about “romantic dates.”

Meanwhile, a second group of Ring employees working on R&D in Ukraine had access to a folder housing “every video created by every Ring camera around the world.” What’s more, these employees had a “corresponding database that linked each specific video file to corresponding specific Ring customers.”

This, of course, means that:

1. These video feeds are unencrypted from the get-go.

2. They're stored unencrypted too.

That's nice.  Then they store the footage on 'consumer-grade' cloud storage that the employees of the company can get to; it's not encrypted, and of course an employee can associate the files with a person and thus know their exact identity.

Isn't that special?

Never mind that such a "doorbell" doesn't just collect images from people who are coming into your home; it also collects images, all the time perhaps, of anyone the camera can see, and since it's at your front door pointed outward that includes a whole bunch of other people who might be within eyeshot of it.

This exact issue is why HomeDaemon-MCP doesn't rely on cloud-anything.  It only gets its license keys from a central server to verify you have the right to use it.  Beyond that, nope, nope and nope.  The connection between it and your phone or laptop is entirely point-to-point and is encrypted end-to-end.

Video data, as I've pointed out, is almost never encrypted in transport.  It's not that it wouldn't be a good idea, it's that those little cameras lack the CPU power to do it in real time to potentially multiple endpoints at once, so they don't.  Further, doing so also requires key management of some sort.  To make them capable of both would make the cameras more expensive, which is of course bad.  So they don't, and most of the common ones use RTSP for the video side, which has no protocol support for encrypted data streams anyway.

Oh well.
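Whether a given camera really streams in the clear can be read off a capture of its RTSP session. The following is an added example, not code from this post or from HomeDaemon-MCP; the capture text is constructed, `audit_rtsp` and its finding strings are names chosen here, and the SRTP profile names and `rtsps://` scheme it treats as protected come from the RTP/RTSP specifications, not from the post.

```python
import re

SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}  # SRTP profile names (RFC 3711, RFC 5124)

# Constructed capture of a camera session (192.0.2.10 is a documentation address).
SAMPLE_CAPTURE = """\
DESCRIBE rtsp://192.0.2.10:554/stream1 RTSP/1.0
CSeq: 2
Authorization: Basic YWRtaW46YWRtaW4=

SETUP rtsp://192.0.2.10:554/stream1/track1 RTSP/1.0
CSeq: 3
Transport: RTP/AVP;unicast;client_port=50000-50001

SETUP rtsp://192.0.2.10:554/stream1/track2 RTSP/1.0
CSeq: 4
Transport: RTP/AVP/TCP;unicast;interleaved=2-3
"""

def audit_rtsp(capture: str) -> list[str]:
    """Return one finding per cleartext exposure seen in the client requests."""
    findings, tls, url = [], False, ""
    for raw in capture.splitlines():
        line = raw.strip()
        req = re.match(r"[A-Z_]+ ((rtsps?)://\S+) RTSP/", line)
        if req:
            # Request line: remember the URL and whether the control channel is TLS.
            url, tls = req.group(1), req.group(2) == "rtsps"
            if not tls:
                findings.append("control channel is plain rtsp:// (no TLS)")
        elif line.lower().startswith("authorization: basic") and not tls:
            # Basic auth is only base64; without TLS anyone on the path can read it.
            findings.append("Basic credentials readable on the wire")
        elif line.lower().startswith("transport:"):
            profile = line.split(":", 1)[1].strip().split(";")[0].upper()
            base = "/".join(profile.split("/")[:2])      # RTP/AVP/TCP -> RTP/AVP
            tunneled = tls and profile.endswith("/TCP")  # interleaved inside TLS
            if base not in SRTP_PROFILES and not tunneled:
                findings.append(f"{url}: media sent as unencrypted {profile}")
    return list(dict.fromkeys(findings))  # de-duplicate, keep first-seen order

if __name__ == "__main__":
    for finding in audit_rtsp(SAMPLE_CAPTURE):
        print(finding)
```

A TLS control channel alone does not clear a camera: a `SETUP` that negotiates `RTP/AVP` over UDP is still flagged, because the media then travels outside the TLS connection.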

You can still look to the right and, if you're interested in entering this business with a package built to make that sort of crap not possible simply by not using cloud resources at all, plus always passing data between the customer's devices in encrypted format, thus making picking off the data stream in transport very hard -- email me.  A quick overview is at http://homedaemon.net

Why would you put your entire life in the cloud, in real-time, where literally anyone could steal it -- including the employees of the firm who sold you the box?

Don't do dumb things -- including buying devices of this sort and "smart speakers" that are actually always-listening microphones that get to hear your most-intimate conversations.

Period.

Comments
Rollformer
Posts: 378
Incept: 2013-02-13

This is why I use Nest. The sex toy ads I get in my Google searches are phenomenal.

</sarc>
Tarmoney
Posts: 467
Incept: 2008-01-23
A True American Patriot!
LI, NY
And of course we need one of these...
https://m.youtube.com/watch?v=sdHQ_Gj2lL....

----------
"Then have a recession. It's a financial enema for a sick animal." - Rick Santelli
I really can't wait to see all these guys twist on the rope... -me
Tickerguy
Posts: 155623
Incept: 2007-06-26
A True American Patriot!
Yeah, well, when I need to take a crap -- I just want to take a crap.

And I sure don't want no crap from Spamazon.

----------
Winding it down.
Gable
Posts: 895
Incept: 2009-07-04

Retired in NC Mountains
One of a whole bunch of reasons I read TF was the advanced warnings of dangers of "Smart" devices. This summer I had to replace my HVAC system. Because of my electronics background I told the installer I was going to shadow him during the install so I would understand how the system worked. It is a dual furnace system where it runs the heat pump down to a certain temperature then switches to propane. He was OK with it and I was able to offer a second set of hands.

When he was setting up the Honeywell thermostat he asked me my wireless password. I asked why he needed it and he said the wireless connection was needed to determine the outside temperature. I am like WTF, the system does not have an outside sensor. Nope. The thermostat routes through Honeywell's site (no doubt collecting data) then finds the nearest "official" US Weather Station, which in my case is the local airport 15 miles away and at a 600 feet lower elevation. Well that was totally unacceptable. One because I don't want Honeywell knowing my thermostat setting activity and secondly the temp at my place and the airport can be as much as 18 degrees different in winter.

I asked if there was an option for a local sensor. He said yes, which I went with.

Moral of the story...inquire about ANY new devices being installed in your house. Thanks to the TF I was informed enough to prevent a mistake.
Thank you Karl.

----------
In all of history, no government became more honest, less corrupt, or respected its citizens' rights more as it grew in size. E.L. 2016
Tickerguy
Posts: 155623
Incept: 2007-06-26
A True American Patriot!
No problem.

Yes, my HVAC system optimizes using the OAT (part of what HomeDaemon does here at the house.)

Yes, from a local sensor.

No, that data doesn't go anywhere else.

Not only is it more-accurate right here (duh) but it's nobody else's ****ing business what I have my thermostat set to.

----------
Winding it down.

Gable
Posts: 895
Incept: 2009-07-04

Retired in NC Mountains
Quote:
nobody else's ****ing business what I have my thermostat set to.


Exactly. As soon as the HomeDaemon goes retail I plan to get a system to take advantage of its capabilities and security from spying eyes.

----------
In all of history, no government became more honest, less corrupt, or respected its citizens' rights more as it grew in size. E.L. 2016
Thelazer
Posts: 213
Incept: 2009-05-11

Davenport, Fl
Gable / Gen. I'm just afraid that not enough consumers will EVER wake up enough to see why this solution is the best one. I wish that wasn't the case, but I have lost all faith in your average Joe Americano.

Asimov
Posts: 110368
Incept: 2007-08-26

East Tennessee Eastern Time
Karl: Since you seem to have decided not to try to run a business selling your software to make money because of... well, various things you've talked about, and probably some you haven't

Have you, by chance, considered running a non-profit to sell it? I really don't know any details about running one, was just a thought I had today.

----------
It's justifiably immoral to deal morally with an immoral entity.

Festina lente.
Kgmqt
Posts: 150
Incept: 2013-08-19

Minnesota
The real kick in the nuts is you have a company proclaiming to be selling you a security device, but unable to have proper controls in place within their own company to monitor and prevent this ****.

There are so many upstarts out there. Some have really good products. But they don't know InfoSec, they don't know infrastructure, and they are mostly looking to make quick money. They take short cuts - set up something quick in the cloud, hire some talent but don't worry about ethics, try to maximize profits by selling product on the front side and the data out the back. It is ever more difficult to purchase any product without knowing if the company selling it is deliberately trying to screw you, or if you will get screwed by that company's incompetence.
Orionrising
Posts: 88
Incept: 2017-01-26

So they are not only probably recording minors, they are also distributing that footage of minors across international lines...
Generalee
Posts: 17
Incept: 2011-04-30

S.W. Ga
Electrical Engineer co-worker was talking about his installation of his new doorbell this past weekend. I said, "Really, you want the Chinese watching you on YouTube?" His reply: "It's got a password." You betcha I won't be attending any parties at his place.