Recently unifex of firmwaresecurity.com sent me this link to a tweet on InternetOfShit which refers to this link to reddit emoting over a bad security story - a Netgear customer returned their wireless-enabled camera and later discovered that they had access to (and were receiving notifications from) the camera after it had been resold. unifex cited this as "one of the joys of lack of refurbishability of IoT". Refurbishing old computer equipment is something I'm known for, so an inability to do so is of interest to me.

I'm not so sure that this device is non-refurbishable, though. As far as I can tell it's a little box with a camera, a wifi setup, and a webserver inside. I haven't had the opportunity to crack one open to see if there's a SOIC or a JTAG interface inside. With a little bit of equipment (a selectable power supply, a computer with a GPIO header, and some wires and clips) one could dump the contents of the device's storage and potentially reflash it with something less malign than that provided by the vendor. It's also possible that one could re-flash it using a vendor-provided upgrade path in software, something that's present in many router boxes by the same vendor. The effort and skill required to refurbish such a device might prove beyond my poor ability, but there are many more skilled hackers than I out there. I feel sure that if someone fished one of these bad boys (and they are bad) out of the bin or received it as a donation to be refurbished and passed along, then that could be brought to pass.
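As an added example (not code from the original post, and not anything the vendor ships), here is what the step after the dump looks like. It assumes the storage has already been read out to a file, over SPI from a GPIO header or over JTAG, and that the image is laid out the way most consumer network gear is: a U-Boot "uImage" kernel followed by a SquashFS root filesystem. The script locates and validates both headers, using the magic numbers and header layouts from U-Boot and SquashFS 4.x, and it compares two reads of the same chip, because clip-on SPI reads are flaky and you want to know a dump is clean before you build a replacement image against it. The sample image is constructed inline so the script runs offline.

```python
"""Inspect a raw flash dump before reflashing a small Linux box (added example)."""
import hashlib
import struct
import zlib

UIMAGE_MAGIC = b"\x27\x05\x19\x56"   # U-Boot legacy image header, big-endian
SQUASHFS_MAGIC = b"hsqs"             # little-endian SquashFS superblock
SQUASHFS_COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def parse_uimage(image, off):
    """Parse the 64-byte uImage header at `off`; return a dict, or None if invalid."""
    hdr = image[off:off + 64]
    if len(hdr) < 64 or hdr[:4] != UIMAGE_MAGIC:
        return None
    (_, hcrc, _, size, load, ep, dcrc,
     _, _, _, _, name) = struct.unpack(">IIIIIIIBBBB32s", hdr)
    # U-Boot computes the header CRC with the hcrc field itself zeroed.
    if zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) != hcrc:
        return None
    data = image[off + 64:off + 64 + size]
    return {
        "kind": "uImage",
        "offset": off,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "size": size,
        "load_addr": load,
        "entry": ep,
        "data_ok": len(data) == size and zlib.crc32(data) == dcrc,
    }


def parse_squashfs(image, off):
    """Parse the SquashFS 4.x superblock at `off`; return a dict, or None if invalid."""
    sb = image[off:off + 48]
    if len(sb) < 48 or sb[:4] != SQUASHFS_MAGIC:
        return None
    (_, inodes, _, block_size, _, comp, block_log,
     _, _, major, minor, _, bytes_used) = struct.unpack("<4sIIIIHHHHHHQQ", sb)
    if block_size != 1 << block_log:   # cheap sanity check against a chance match
        return None
    return {
        "kind": "SquashFS",
        "offset": off,
        "version": f"{major}.{minor}",
        "inodes": inodes,
        "compressor": SQUASHFS_COMPRESSORS.get(comp, f"unknown({comp})"),
        "bytes_used": bytes_used,
    }


def scan_image(image):
    """Walk the image and return every validated uImage/SquashFS header, by offset."""
    found = []
    for magic, parser in ((UIMAGE_MAGIC, parse_uimage), (SQUASHFS_MAGIC, parse_squashfs)):
        off = image.find(magic)
        while off >= 0:
            rec = parser(image, off)
            if rec:
                found.append(rec)
            off = image.find(magic, off + 1)
    return sorted(found, key=lambda r: r["offset"])


def compare_dumps(a, b):
    """Two reads of one chip must match byte for byte. Returns (identical, first_diff)."""
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return True, None
    n = min(len(a), len(b))
    return False, next((i for i in range(n) if a[i] != b[i]), n)


# --- constructed sample data (not a real vendor image) ---------------------

def make_uimage(payload, name=b"Linux-3.x"):
    """Wrap `payload` in a valid uImage header (os=Linux, arch=MIPS, type=kernel)."""
    body = struct.pack(">IIIIIBBBB32s", 0, len(payload), 0x80000000, 0x80000000,
                       zlib.crc32(payload), 5, 7, 2, 0, name)
    hcrc = zlib.crc32(UIMAGE_MAGIC + b"\0\0\0\0" + body)
    return UIMAGE_MAGIC + struct.pack(">I", hcrc) + body + payload


def make_squashfs_superblock(bytes_used, comp=4, block_log=17):
    """Minimal SquashFS 4.0 superblock; enough to be recognised, not mountable."""
    return struct.pack("<4sIIIIHHHHHHQQ", SQUASHFS_MAGIC, 12, 0, 1 << block_log, 0,
                       comp, block_log, 0, 1, 4, 0, 0, bytes_used)


SAMPLE_IMAGE = (
    b"\xff" * 0x10000                         # bootloader region, left erased here
    + make_uimage(b"KERNEL" * 100)            # 600-byte "kernel"
    + make_squashfs_superblock(0x1234) + b"\0" * 200
    + b"\xff" * 0x100                         # trailing erased flash
)

if __name__ == "__main__":
    for rec in scan_image(SAMPLE_IMAGE):
        print(rec)
    print("dumps identical:", compare_dumps(SAMPLE_IMAGE, SAMPLE_IMAGE))
```

On a real dump you would replace SAMPLE_IMAGE with the file contents and expect the uImage at an erase-block-aligned offset after the bootloader, with the SquashFS immediately behind it; the reported offsets and sizes are what you need to carve the partitions out and to size whatever you write back.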

The reason for this is that the device in question isn't an appliance suitable only for the task the vendor printed on its box. Like most IoT devices, set-top boxes and network equipment, this is a general-purpose computer soldered on to some basic peripherals and unleashed haphazardly upon an unsuspecting world. It's not a camera, it has a camera. It's a little computer.

IoT vendors want their customers to think of these devices, these products, as unitary, single-purpose, single-use devices. What they are is intentionally crippled general-purpose computing devices. Vendors make more money (or think they will) selling multiple single-purpose devices than they will selling a smaller number of multi-purpose devices. This is deceitful and an act of poor faith, but it is par for the course in commerce where caveat emptor is the ruling principle (as opposed to commerce where a third party acts as a regulator or guarantor).

A "camera connected to the Internet" would be more like a peripheral for an existing computer inside your existing network: what we now call a webcam. You can't connect to the Internet without a computer. How would that even work? I'm sure there are wireless webcams out there, but I don't know that it's possible to manage a wifi or Bluetooth link without a computer either. For that matter, I don't know that it's possible to pull images from a CCD without a general-purpose computer, although I have taken apart a USB webcam and did not find anything inside that looked like one.

If you buy a box with a computer in it, then you are buying a computer. The computer is the boss of the device, and "general purpose computer" means that it can do anything. The usual caveat applies: If you don't own your computer, then someone else does. You can be held responsible for the things done by the computers under your control, so you had better do your best to make sure you are the one controlling them.

Vendors sell on features. It's certainly possible to sell a dingus that "does anything" - every PC is such a dingus. "Does whatever" feels like only one feature though, while "unlimited cloud storage", "integrates with IFTTT" and "will make you a sandwich" are multiple features. "Does anything including stuff you don't want" is an anti-feature, and every general-purpose computer comes with it. Vendors don't want to talk about this (or, apparently, even think about it) but customers must be aware of it or it will bite them, and the rest of us, in their personal and our collective asses.

October 2016


