Fear and Loathing of IoT
I never had to fear my VHS recorder. It sits under my bed now, gathering dust, in case I decide I really need to play one of the six VHS tapes I have left (stored in my closet, gathering dust). But even when it was actively used it never presented a threat to anyone. I do fear my DVR.
It wasn’t always a threat. In fact I was excited when I first got the device. I could record hours of shows I would never get around to watching. Having shows stored on my DVR means I always have the option of watching them, but will never have to.
Then I was offered a new DVR by my cable provider. An upgrade. I could record hours and more hours of shows. So I got it.
Some of these great features required a connection to the internet. And sure enough, my shiny new DVR had an Ethernet connection on the back.
That last part was supposed to be a good thing. But that connector made me start to think. My DVR is yet another IoT device. That made it dangerous if connected to the internet. And now we know just how dangerous that is. Turns out some DVRs have well known default passwords that are hard coded. Have Telnet and SSH turned on. And who knows how many unpatched vulnerabilities there are in the OS.
Is mine that way? I have no idea. My cable company is not telling me. There is nothing on their website addressing the issue. Since my brand does not appear to have been used in the latest DDoS attacks, should I then consider it safe? I don’t think so. And I don’t see it as my responsibility to Pen test the device. It’s not my job to determine if IoT devices I bring into my home pass even basic security standards.
It may appear that I have no other choice; I have to figure it out myself. But I refuse to do that. I’ve made a simpler choice. That Ethernet connector is gathering dust. I never connected my DVR to the Internet. I never will. And I want to make something clear to the cable company, and ever other company trying to sell me services via their box and the internet – it ain’t happening till you make these devices secure.
Senior Engineer Video AI platform/Infrastructure Development & Delivery @ e& enterprise-MBA in Project Management PMP?CDCP C.Eng.(I) FIE(I)
8 年I used in meli iran bank in 2006...
Content Generator
8 年I hated tape, but at least it was hacker proof. ps - don't think a lot of people saw the story about the big device hack last week, so they may not get this comment.
--
8 年Totally agree with you.