3 comments

[ 2.6 ms ] story [ 14.3 ms ] thread
One of the scariest things to me about IoT devices is people using them without really understanding the tech behind them. It feels like a lot of older companies are still just getting used to working with smartphones and having databases instead of file cabinets, and suddenly IoT means they have 20 new devices that they don't really understand, that often are set up to have more access than necessary (because that's probably the easiest way to set them up)...
There's no need for device to be made secure. Just configure your network so that the device can only talk through a specific virtual private network, or even better a separate physical network. It's not difficult, but it might be more costly. Car manufacturers do this. The entertainment system usually cannot talk directly to the engine control unit. There is a bridge device between the two that controls the conversation. Safety critical stuff is on the ECU side of the bridge not the entertainment side and the ECU side is not public.

I don't mean cars are perfect, just that the concept is well known and manufacturers do try to implement it (with varying degrees of success of course).

I was hoping this would be an elaborate side channel where the data was exfiltrated bit by bit over a few weeks by inducing temperature fluctuations that were picked up by the thermometer that was visible through a window from the building next door. But it's just another "IoT" device. These things should be considered backdoors until proven otherwise.