
Thursday, July 31, 2014

Smart homes still not "smarter than a fifth-grader"

Smart Home technologies continue to make their failures headline news. Only yesterday the BBC ran the story "Smart home kit proves easy to hack, says HP study", laying out a litany of vulnerabilities and weaknesses uncovered in popular internet-connected home gadgetry by HP's Fortify security division. If nothing else, the story proves that household vulnerabilities are now worthy of attention - no matter how late HP and the BBC are to the party.


As manufacturers try to figure out how to cram internet connectivity into their (formerly) inanimate appliances and turn them into something you can manage from your iPad while flying from Atlanta to Seattle over the in-air WiFi system, you've got to wonder "do we deserve this?"

I remember a study done several years ago about consumer purchasing of Blu-ray players. The question seeking an answer at the time was why some brands of player were outselling others when they were all at the same price point and did the same thing. Was brand loyalty or familiarity a critical factor? The answer turned out to be much simpler. The Blu-ray player with the highest sales simply had a longer list of "functions" than the competitors. If one box listed 50 carefully bulleted pieces of techno-jargon and another box listed 55, then obviously that one had to be better, even if the consumer had no understanding of what more than a dozen of those bullets even meant.

In many ways both the manufacturers and consumers of Smart Home technologies continue to fall into that same trap. Choosing a new LCD HiDef TV is mostly about long lists of word-soup techno-babble, but that babble now extends into all the new features your replacement TV can do via the Internet. How did we ever survive before we could issue a command via the TV (hidden 5 levels deep in menus and after 3 agonizing minutes of waiting for the various apps to initialize) in order to make the popcorn machine switch from unsalted to salted butter?

For as much thought as goes into the buying decision over one long list of features against another, the manufacturers of Smart Home devices appear to exhibit about the same effort in securing the features they're trying to cram in. That is to say, very little.

In some ways it's not even the product engineering teams that are at fault. It's more than likely they've been honing their product for 20+ years from an electrical engineering perspective. But now they've been forced to find some way of wedging a TCP/IP stack into the device and constructing a mobile Web app for its remote management. They aren't software engineers, they certainly aren't cyber-security engineers, and you can bet they've never had to adhere to a Security Development Lifecycle (SDL).

How do I characterize the state of Smart Home device security today? I think Richard O'Brien summed it up best in his play The Rocky Horror Picture Show - Let's do the timewarp again!!! The overall state of Smart Home security today is as if we've jumped back 20 years in time to Windows 95.

Wednesday, April 8, 2009

Handling Secret Documents

"Whoops!" - although I'm guessing the real phrase contained a long string of expletives - after a senior UK government official managed to get snapped on camera emerging from a car (outside No 10) with secret documents in hand. Unfortunately, the paparazzi were able to read the document through their lenses.

This kicked off a chain of terror raids...

The full story is over on the BBC - "Terror raids follow files blunder"

//Updated: Friday 10th, April//

Here's a photo of the document in question...

Monday, January 5, 2009

Encouraging the UK police to hack a little more often

Apparently the UK Home Office is going to be encouraging the British bobby to do a little more hacking against those big bad cybercriminals out there - according to BBC News.
In a statement regarding the agreement, the Council stated that "the new strategy encourages [the police and the private sector] to…resort to remote searches."

British law already allows police to remotely access computers under the Regulation of Investigatory Powers Act 2000, which allows surveillance to "prevent or detect serious crime".
I'm not sure exactly what the Council thinks the "private sector" encompasses, but wouldn't it be rather jolly if that included commercial penetration testing teams? (Obviously not including commercial criminal hacking-as-a-service providers.) I'd love to take a legal crack at the multitude of known criminal sites out there, and so would just about every professional pentester I know.

With the prospect of hacker-bobby knocking on your virtual door, you just know that someone'll complain about the breach of privacy etc. Oh well, it'll be interesting to see if the police take up the hacking challenge. If not, I'm sure there's no shortage of willing volunteers.

One other quick note about the BBC News article. I'm not sure who Professor Peter Sommer is, but I'm not sure about the following statement...
Most anti-virus programs and firewalls will detect surveillance attempts because they are designed to stop the remote access software or Trojan-type viruses that hackers - even police hackers - usually use, he explained.
As far as I'm aware, most of the professional malware in use today by the real criminals is a generation or two more advanced than the anti-virus solutions in popular use. And, strangely enough, that very same malware the criminals are using can be purchased by anyone willing to fork over a few hundred dollars to a hacking-as-a-service provider in Russia, Korea, Turkey, Brazil, etc., so I don't think that's an inhibitor.

Here's a proposition to the police officers that are worried about being detected by anti-virus - buy the same software the organized criminal teams are using.