FBI Warns About Internet-Connected Toys' Security Risk

 

Do you want your kid's Barbie doll or stuffed animal to spy on you? Probably not, and that's why the FBI has warned consumers to consider their child's privacy and cyber security before "introducing smart, interactive, internet-connected toys into their homes or trusted environments."

A rising number of toys have been connected to the internet. Mattel actually made a smart Barbie doll, CloudPets made internet-connected stuffed animals, and other companies have turned rudimentary playthings into Internet of Things (IoT) devices. The problems occur when companies don't secure these products--that smart Barbie http://www.pcworld.com/article/3012220/security/internet-con... can be hacked, and CloudPets' stuffed animals http://www.tomshardware.com/news/cloudpets-teddy-bears-leak-... leaked private information and voice recordings.

Please read more here:

http://www.tomshardware.com/news/fbi-warns-internet-connecte...

--
Never argue with a pig. It makes you look foolish and it annoys the hell out of the pig!

Lots of risky products

There are lots of risky products, from smart thermostats, fridges, TVs, cameras, light bulbs, etc.

People are sometimes too quick to adopt a so-called smart device, just because they think it's cool or they can't do without something, that they've happily done without for the past 20 years.

--
DriveSmart 65, NUVI2555LMT, (NUVI350 is Now Retired)

too much internet IMHO.

Internet connected toilets just seemed a step too far...

Too much!

Anything that is too much is not good. Too much technology is a poison.

--
EGMJR

Any IoT device that you

Any IoT device that you can't change its default password and doesn't have user-upgradeable firmware should be avoided like the plague.

That means just about all of them, including internet connected TVs (which will probably go on phoning home with your viewing habits and network information even if you could upgrade the firmware).

Smart TV

Mine would think all I do is stream through my HDMI 2 port which is my Roku, which in turn I only use to stream movies from my server in my basement. I'm pretty boring to "The Man".

--
Striving to make the NYC Metro area project the best.

tracking

Even if you turn off tracking, is it really off? Do you know how much info Google has on you? Can somebody hack Google and gain info about you? Getting info about your health from your doctor online is handy, isn't it? The easier things get, the more you have to give up! You don't have to leave your house to do anything any more: pay your bills online, order meals delivered to your door, medicine delivered to your door, order clothes, TVs online. You want easy, there's a price to pay! The only thing you can do is be careful: double-check your bank accounts, have credit cards alert you to odd purchases, watch for ID theft on medications or medical treatment you never had. Who knows where advances in technology and hacking will go; one seems to follow the other. I suppose in the future they will install a smart chip in your body and a hacker will create an emulator of the smart chip and the circle will start all over again!

If you never leave the house...

...why would you need to buy clothes online?

--
Striving to make the NYC Metro area project the best.

Luddite

Luddite

NOUN
a person opposed to increased industrialization or new technology:
"a small-minded Luddite resisting progress"

My Ring doorbell lets me know when UPS/FedEx/Amazon delivers a package. They don't ring the doorbell, even when I had a 1940's model. Now packages don't stay out in inclement weather and aren't potential targets of thieves.

My Sensi thermostat is great with my two story house. In the middle of the night when the upstairs gets too hot/cold, I can adjust the temperature without getting out of bed and be back asleep in 30 seconds.

My smart phone can go ahead and track me. I don't give a darn.

--
Zumo 550 & Zumo 665 My alarm clock is sunshine on chrome.

aluminum foil time

GPSgeek wrote:

People are sometimes too quick to adopt a so-called smart device, just because they think it's cool or they can't do without something, that they've happily done without for the past 20 years.

Could it be they have nothing to hide?

--
Garmin 38 - Magellan Gold - Garmin Yellow eTrex - Nuvi 260 - Nuvi 2460LMT - Google Nexus 7 - Toyota Entune NAV

Everyone has something they should hide

You don't see people walking around with their banking info plastered on tee shirts. (Except that president of Life Lock that put his social security number on the side of a bus) Hiding things is natural and for your own security. Everyone should take a bit of precaution in their everyday lives. Skeletons in the closet...that's another story altogether. These Internet connected devices are (possibly) opening the door into your personal life without your prior knowledge. That's the part that I have a beef about. I'm not really worried about my TV or Roku. No financial information on either of them. If they track my viewing habits they will be sorely disappointed. I'm boring.

--
Striving to make the NYC Metro area project the best.

it's

interesting how the ordinary person is becoming more savvy....this isn't 2009 when > 50% of home wireless was still using the default WEP key that came with the install. I remember a person telling me he cracked these in < 1 min. using his smartphone.

Flash forward to 2017. Most of these home routers have guest networks, and it comes out of the box WPA2.

I observed. At a bbq, when people asked for the guest wireless password, my wife's aunt (over 60 mind you) said she has to type it in to the device. Then, if they remember, they change it. This would be inconvenient before, but today, it's easy, those guests don't have wireless the next time they come over, unless they ask. Because the guest ssid got a new password, the user stayed the same (all their devices).

When retired people (not talking 42, talking 85) are supplementing their income with eBay stores, you know that in general, the population is more savvy than just 10 years ago.

Please post

flaco wrote:
GPSgeek wrote:

People are sometimes too quick to adopt a so-called smart device, just because they think it's cool or they can't do without something, that they've happily done without for the past 20 years.

Could it be they have nothing to hide?

Please post your network login address and password - if you have nothing to hide.

Technology gone berserk -

Technology gone berserk - Just because it CAN be done, doesn't mean it SHOULD be done.

IMHO, the current trend in car "entertainment centers" is a step in the WRONG direction.

--
I never get lost, but I do explore new territory every now and then.

Speaking as an actual security professional here...

dave817 wrote:

Luddite

NOUN
a person opposed to increased industrialization or new technology:
"a small-minded Luddite resisting progress"

My Ring doorbell lets me know when UPS/FedEx/Amazon delivers a package. They don't ring the doorbell, even when I had a 1940's model. Now packages don't stay out in inclement weather and aren't potential targets of thieves.

My Sensi thermostat is great with my two story house. In the middle of the night when the upstairs gets too hot/cold, I can adjust the temperature without getting out of bed and be back asleep in 30 seconds.

My smart phone can go ahead and track me. I don't give a darn.

As far as home devices on a network (like things like thermostats and the kitchen fridge and honestly any device I don't intend to replace on a lifecycle of 2-5 years)...well, yes, I am a luddite and proudly so.

As a security professional I say this: "The first rule of the Internet of Things is don't put your darned things on the Internet if you don't have to". Literally EVERY bit of guidance I've seen from not only security professionals but even the major enterprise router manufacturers like Cisco.

The other rules are "If you have to have the thing on the Internet, make sure you change the default username/password combo. If you can't do that, make sure it is behind a STRONG firewall with only the specific ports open that your IoT Thing needs to do its thing on the Internet. Also, have a full lifecycle program including a plan to replace your IoT Thing or find a way for alternate firmware security updates when the manufacturer stops providing security support."

Smartphones? Typically have a two-year replacement cycle. Typically you either get OS updates from manufacturer or you can often get third-party OS updates assuming the phone is not bootloader-locked. (Note: You actually DO want bootloader locking in a professional environment, but you'll be replacing on a two-year cycle anyways.)

Fridges and thermostats? Typically lifetime cycles of 20 years or more are expected, at least ten, and there is a non-negligible chance that the OS for your Internet-friendly fridge will not be updated at some point. At which point, some Russian mob cybercriminal is probably going to "own" the computer in your fridge or your thermostat and use it as part of a botnet to send out lots of spam or try to knock a site offline or distribute ransomware. Or they might put ransomware on the fridge or the thermostat for lulz ("Send us 1.5 bitcoins or we turn the freezer and fridge to 50 degrees").

My Raspberry Pi I use for the PiAware flight tracking project at FlightAware? On latest version of Raspbian (a Debian Linux port for RasPi), default username/PW changed, and the only ports that connect to that and the outside world are the three ports it needs to send and receive info from FlightAware--otherwise, it has no Internet access from the outside. SSH and Telnet are of course turned off, as well as other methods of remote access. Just because I'm EXTRA paranoid and I have a router that will let me do this, I even keep the Pi on its own VLAN (essentially it has its own virtual network separate from the home network, and the Pi and the home PC run on separate pieces of "intranet").

Smart TVs? Oh (expletive) no. If I need to stream something from the Internet to my TV, that's what home PCs/Roku/Kodi boxes are for. There is no legitimate reason for my television to be connected to the Internet 24/7
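An added example, not part of the post above or of any project it mentions: a Python check of the "only the ports it needs, SSH and Telnet turned off" rule, as it could be run on a Linux device like the Pi described there. The `ss -tlnH` sample and the allowlisted port 40001 are constructed placeholders, not PiAware's actual ports.

```python
"""Audit listening TCP sockets on a Linux IoT host against a port allowlist."""
import ipaddress

# Remote-administration services the post says to keep turned off.
REMOTE_ADMIN_PORTS = {22: "ssh", 23: "telnet"}

# Constructed sample of `ss -tlnH` output (not captured from a real device).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:40002 0.0.0.0:*
LISTEN 0 511 [::]:8080 [::]:*
LISTEN 0 5 *:23 *:*
LISTEN 0 128 192.168.50.10:40001 0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN line of `ss -tlnH` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        # Drop IPv6 brackets and any %interface scope suffix.
        addr = addr.strip("[]").split("%")[0]
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr):
    """True only for sockets bound to 127.0.0.0/8 or ::1."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "*" wildcard binds on every interface
        return False


def audit(ss_output, allowed_ports):
    """Flag network-reachable listeners that are remote admin or not allowlisted."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if is_loopback(addr):
            continue  # not reachable from the network
        if port in REMOTE_ADMIN_PORTS:
            findings.append((port, addr, "remote admin: " + REMOTE_ADMIN_PORTS[port]))
        elif port not in allowed_ports:
            findings.append((port, addr, "not in allowlist"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT, allowed_ports={40001}):  # placeholder port
        print(finding)
```

On a real device, feed it the output of `ss -tlnH` instead of the sample; an empty result means nothing reachable is listening beyond the allowlist.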

Getting worse

Saw on the news that robot vacuum cleaner collects information on your place (floor plan, furniture, etc.) and "sells it" out to advertisers.

It's interesting to see all the local networks

Nobody hides them, some days there are 8 or more and we live in somewhat rural suburbs. WiFi goes a long way