The FBiOS stories have reminded me how many OPSEC concessions we make when we buy consumer products. I’ll not turn this into a diatribe about consumerism, but I thought it might be a good reminder to us all (myself included) that we should be wary of the products we purchase and their implications. We know about the threats of a mobile phone being able to track your location, read your text messages, and all kinds of other scary “features”, but the new consumer devices with network access may be the next scary beast.
Fear Your Toys
All of those products that bolt an IP stack onto otherwise benign devices are a very high risk. Yes, you’ve heard this before; yes, you know about it; but how many have you purchased, and what do they actually do? If you are at least privacy conscious, think about making privacy-conscious purchasing decisions.
In the security industry people like to dismiss any security research on these devices as “RubbishSEC”, the idea being that whoever hacks one of them is hacking a pile of trash with no real security protections. And that is exactly my point. It’s true that your Nest doesn’t have a lot of security protections, but we accept this because “it’s a consumer device.”
Manufacturers see consumers as people who do not care about security, and so the manufacturers don’t care either: not about privacy, not about OPSEC, and not about what types of threats their product introduces into the consumer’s environment.
Our flashy new Internet-connected consumer devices are not just toys; they are risk factors. Take, for example, the children’s doll security issue. You might now think of owning a network-connected Barbie doll as analogous to running telnet. In the same way that we wouldn’t run unnecessary services on our computers, we shouldn’t run hackable consumer devices in our homes. Think of your home or apartment right now: what do you have that has network access, and what does it actually provide you?
Defending Against Your Barbie
You have options for defending against the Toy Robot Uprising. You can take the activist stance and say “I am not buying these products!”, and good for you if you can. Some of us are weaker and have become addicted to some of these consumer products. What then?
Just as QubesOS and Subgraph OS create compartments for high-risk processes, do the same for your toys. There’s a new technology called a “toy box” that is designed to be a container for all of your IoT devices. :) That’s only half a joke. As I’ve said over and over, if you want to live two lives, one in the dark and one in the light, you have to compartmentalize.
- Put your Barbie on her own wireless network (a separate SSID and subnet, not just a different password).
- Make sure that your refrigerator cannot connect to your laptop.
- Lock your toys away when you’re not playing with them.
- Unplug and disable devices when they’re not in use
- Learn as much as you can about how they work.
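As an added example (not the author’s, and not part of the original post), here is the network side of that list, the first, second and fourth items, as an nftables ruleset for a Linux home router: the toys live on their own segment, may reach the Internet and the router’s DNS/DHCP, and are logged and dropped the moment one of them tries to open a connection into the trusted LAN, while the trusted LAN can still reach the toys to control them. The interface names are assumptions, and NAT for WAN egress is assumed to be configured elsewhere.

```shell
#!/bin/sh
# Added example, not from the original post: an nftables ruleset for a Linux
# home router that keeps a dedicated IoT segment (the "toy box") from
# initiating connections into the trusted LAN. Interface names are
# hypothetical; NAT for WAN egress is assumed to be configured elsewhere.
set -eu

LAN_IF="${LAN_IF:-eth1}"        # trusted segment: laptops, phones
IOT_IF="${IOT_IF:-wlan_iot}"    # the toy box: dolls, fridges, thermostats
WAN_IF="${WAN_IF:-eth0}"        # upstream / Internet

# Emit the ruleset as text so it can be reviewed and checked before loading.
iot_ruleset() {
    cat <<EOF
table inet toybox {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were allowed when they started.
        ct state established,related accept
        ct state invalid drop

        # The trusted LAN may reach the toys (to control them) and the Internet.
        iifname "$LAN_IF" oifname { "$IOT_IF", "$WAN_IF" } accept

        # Toys may talk to their cloud backends...
        iifname "$IOT_IF" oifname "$WAN_IF" accept

        # ...but may never open a connection into the trusted LAN.
        iifname "$IOT_IF" oifname "$LAN_IF" log prefix "toybox-blocked: " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept
        # Toys get DHCP and DNS from the router itself, nothing else.
        iifname "$IOT_IF" udp dport { 53, 67 } accept
        iifname "$IOT_IF" tcp dport 53 accept
        # Router administration only from the trusted side.
        iifname "$LAN_IF" accept
    }
}
EOF
}

# Static sanity check over the emitted text, run before loading: the
# toy-to-LAN drop must be present, and no rule may accept toy-to-LAN traffic.
ruleset_isolates_iot() {
    rules=$(iot_ruleset)
    printf '%s\n' "$rules" | grep -q "iifname \"$IOT_IF\" oifname \"$LAN_IF\" .*drop" &&
    ! printf '%s\n' "$rules" | grep -q "iifname \"$IOT_IF\" oifname \"$LAN_IF\" .*accept"
}

if [ "${APPLY:-0}" = 1 ]; then
    # Loading requires root and the nft binary; refuse if the check fails.
    ruleset_isolates_iot || { echo "refusing to load: IoT->LAN is not blocked" >&2; exit 1; }
    iot_ruleset | nft -f -
else
    # Review mode (default): just print the ruleset.
    iot_ruleset
fi
```

Run it without arguments to print the ruleset for review; `APPLY=1` (as root, with nftables installed) loads it with `nft -f -` once the static check passes. Afterwards `nft list ruleset` shows what the kernel actually holds, and every attempt by a toy to reach the LAN leaves a `toybox-blocked:` line in the kernel log, which doubles as a cheap way to learn what your fridge is really trying to talk to.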