
[Closed] Internet of Things DoS attack....

Posts: 78441
Full Member
 

This makes for some interesting reading.

https://en.wikipedia.org/wiki/Bullrun_(decryption_program)


 
Posted : 24/10/2016 3:53 pm
Posts: 13594
Free Member
Topic starter
 

What, the NSA that have a history of paying companies to have a back door?

Worse than that, they infiltrate standards bodies to try and weaken the encryption methods, e.g. the dual elliptic curve method.

http://www.reuters.com/article/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331


 
Posted : 24/10/2016 3:58 pm
Posts: 6254
Full Member
 

most of what is being discussed here is people going in via the internet. My router is secure to external attacks from that perspective, as by default there is no port forwarding and you can't log on to it from outside, hence it effectively protects any IoT devices on my WiFi network

It would protect IoT devices from direct access, ie attempting to connect to a specific port via the IP address that your ISP has given you today.
Sure an IoT device could break out (I'd think that relatively unlikely for most)

Breaking out is exactly what I expect many of these devices to do. Baby monitors, webcams, NAS devices, home heating/lighting etc. that you expect to be able to access from outside.
With port forwarding totally disabled from the outside, those devices will establish a connection from the inside to "a server somewhere on the net". Your app/phone/whatever connects via that external server, so any requests from outside go via that connection that's already established from inside.

I'm not surprised by the story. IoT devices often have naff all security. For many of these devices, security is not something that those designers and developers have had to worry about until now. And now they are using stock Linux based embedded distros, and hardcoding things for convenience.


 
Posted : 24/10/2016 4:01 pm
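
The behaviour described in the post above (inbound blocked, yet a device-initiated connection to an external server carries requests back in), modelled as a minimal stateful NAT. This is an added example, not part of the original thread; the class name, addresses and ports are constructed for illustration.

```python
"""Toy model of a home router's stateful NAT with no port forwards (added example)."""

class StatefulNat:
    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        self.next_port = 40000
        # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.sessions = {}

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN device opens a connection; the router records the mapping."""
        wan_port = self.next_port
        self.next_port += 1
        self.sessions[(wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """Return the LAN endpoint a packet is delivered to, or None if dropped."""
        return self.sessions.get((wan_port, remote_ip, remote_port))

    def devices_with_outbound_sessions(self):
        """What a defender would audit: which LAN hosts hold sessions, and to where."""
        report = {}
        for (_, remote_ip, remote_port), (lan_ip, _) in self.sessions.items():
            report.setdefault(lan_ip, set()).add((remote_ip, remote_port))
        return report


# Constructed addresses (RFC 5737 documentation ranges for the external hosts).
CAMERA = ("192.168.1.50", 51000)
RELAY = ("203.0.113.10", 443)       # hypothetical vendor relay server
STRANGER = ("198.51.100.7", 33333)  # unrelated internet host

def demo():
    nat = StatefulNat("192.0.2.1")
    # 1. Unsolicited connection from outside: no mapping exists, so it is dropped.
    unsolicited = nat.inbound(*STRANGER, wan_port=80)
    # 2. The camera dials out to the relay, creating a session.
    wan_port = nat.outbound(*CAMERA, *RELAY)
    # 3. Traffic from the relay on that session is delivered to the camera.
    via_relay = nat.inbound(*RELAY, wan_port=wan_port)
    # 4. The same WAN port is still closed to anyone other than the relay.
    spoofed = nat.inbound(*STRANGER, wan_port=wan_port)
    return unsolicited, via_relay, spoofed, nat.devices_with_outbound_sessions()

if __name__ == "__main__":
    print(demo())
```

The audit function is the defensive takeaway: the router's connection table, not its port-forward list, shows which devices are reachable through third-party servers.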
Posts: 0
Free Member
 

The NSA did it to a Swiss company selling encryption for banking decades ago, so they have form. TBF the NSA and GCHQ effectively invented computers to crack codes, so it'd be a surprise if they weren't on top of things.


 
Posted : 24/10/2016 4:09 pm
Posts: 78441
Full Member
 

I think everyone assumes that the NSA goes to Microsoft and says "Here, install this backdoor in return for 1 bazillion dollars". In reality there is probably a situation where they say "Here, install this in your datacenter in return for nothing and if you tell anyone we did this, you go to jail"

I think it's perhaps closer to say "this is the standard, you have to use it if you want to be FIPS-compliant." Which is both less surprising and arguably more concerning.


 
Posted : 24/10/2016 4:16 pm
Posts: 13349
Free Member
 

@Cougar, I recall that one of the TLA agencies paid a large chunk of change to a company developing encryption in USA. My Google powers are failing me currently so no reference yet. Needless to say once the news got out the product was tainted as was the company.

This weekend some of the comentards on The Register were suggesting that a router running DD-WRT was the only way of properly securing your home network device from being recruited into a botnet. Firmware updates seem to be forgotten once the next device arrives on the market and DD-WRT (if your device will run it) is the only way to maybe keep a jump ahead.


 
Posted : 24/10/2016 6:49 pm
Posts: 13349
Free Member
 

Juniper Systems were the compromised company using Dual_EC.


 
Posted : 24/10/2016 7:08 pm
Posts: 33961
Full Member
 

ninfan - Member
It's somehow reflective of the society we live in that a communication system designed in large part to survive the destructive impact of nuclear war is now itself being held hostage by toasters.

INCOMING!



 
Posted : 24/10/2016 7:17 pm
Posts: 78441
Full Member
 

This weekend some of the comentards on The Register were suggesting that a router running DD-WRT was the only way of properly securing your home network device from being recruited into a botnet.

I'm not necessarily disagreeing but I'd love to see the logic behind it being the only way.

Can you give me the link to that please?


 
Posted : 24/10/2016 7:53 pm
Posts: 9238
Free Member
 

I think it's perhaps closer to say "this is the standard, you have to use it if you want to be FIPS-compliant." Which is both less surprising and arguably more concerning.

Oh, absolutely. The thing is, the above, plus what I wrote are both absolutely the case 🙂


 
Posted : 24/10/2016 8:15 pm
Posts: 13349
Free Member
 

Hi Cougar, El Reg link: http://www.theregister.co.uk/2016/10/19/home_router_insecurity/ The comment by Dwarf is what I based my comment above on.


 
Posted : 24/10/2016 9:27 pm
Posts: 78441
Full Member
 

Cheers for that, will read in the morning.


 
Posted : 24/10/2016 11:35 pm
Posts: 13594
Free Member
Topic starter
 

Apparently the main culprit is being recalled...

http://computerworld.com/article/3134548/security/chinese-firm-recalls-camera-products-linked-to-massive-ddos-attack.html


 
Posted : 25/10/2016 3:36 pm
Posts: 10336
Full Member
 

I'd love to know where the pressure came from for that recall. I can't imagine it was voluntary given that it is all of the webcams that they sold (pre 2016 I think)


 
Posted : 25/10/2016 3:56 pm
Posts: 13594
Free Member
Topic starter
 

Yep, I'm amazed. But given it's a cheap toy which still works fine as a camera, I suspect no one will actually return them.

I still think bricking them all is a good idea, that way they will get returned or binned...


 
Posted : 25/10/2016 4:03 pm
Posts: 6254
Full Member
 

I was wondering if those webcams were even products of a single company, or if they were an OEM thing rebadged under a whole host of brand names?
Good luck recalling that.
Remote bricking might be an option, but if there's a way for the manufacturer to brick them, whether that's the brand name mfr, or the mfr of the OEM reference design and firmware, then one thing you can guarantee is that there is a way for hackers to brick them remotely too.


 
Posted : 25/10/2016 4:10 pm
Posts: 0
Free Member
 

DD-WRT has had and will have its share of vulnerabilities. The security of it comes more from those who would make the effort to use it being concerned about security. If manufacturers and ISPs were to ship it as standard the same problems would exist.

https://twitter.com/jjarmoc/status/789637654711267328


 
Posted : 25/10/2016 5:13 pm