Categories
cloud IoT security

“I’m totally screwed.” WD My Book Live users wake up to find their data deleted

This is like the worse case scenario that security researchers have been warning about. Someone exploited an old vulnerability for some WD devices and wiped out all the data in those devices that are exposed in the internet.

WD advises customers to immediately unplug their My Book Live and My Book Live Duo from the internet.

“I have a WD mybook live connected to my home LAN and worked fine for years,” the person who started the thread wrote. “I have just found that somehow all the data on it is gone today, while the directories seem there but empty. Previously the 2T volume was almost full but now it shows full capacity.”

It’s too easy to blame IoT device manufacturers, but this is a very tough problem. The following comment from HN says it best.

There’s really no winning with this.

You can release patches 6 years after your device is EoL but there will forever be more security issues and people using your ancient product (think how long it takes some versions of Windows to truly reach less than 100k active machines. Hell I wonder if Windows 3.1 has really reached that number or not. The long tail is going to be loooong). Not to mention you’ve created a precedent that the device is still getting patches and can be used by users, only making the lifecycle issue worse.

You can release a version which severely limits the capability of the product or effectively disables it but this is just a guaranteed way of getting bad press and even more customers will be mad at you for killing a device early.

You can turn the device over to the community (if you can managed to get it through legal and 3rd party agreements) but that isn’t actually going to solve anything as it’s not a product for extremely tech savvy users, at best it buys deflection in the news report in exchange for the effort of doing this (if you can at all).

You can claim the lifecycle is over and years later and be technically correct but still get the bad press and user feedback anyways.

Source: “I’m totally screwed.” WD My Book Live users wake up to find their data deleted

Categories
internet IoT security

Whistleblower: Ubiquiti Breach “Catastrophic” — Krebs on Security

This is serious. If you have Ubiquiti equipment do change your credentials immediately and check for signs of compromise.

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Source: Whistleblower: Ubiquiti Breach “Catastrophic” — Krebs on Security

Categories
IoT security

‘This is dangerous stuff’: Hacker increased chemical level at Oldsmar’s water system, sheriff says

This is why you should secure your endpoints, especially if you are operating a critical infrastructure. This seems to be one of those supervisory interface that is exposed over the internet. Thank goodness no real harm was done.

And this time, Gualtieri says, the hacker did more than just remote in. According to the sheriff, the hacker spent up to five minutes in the system and adjusted the amount of sodium hydroxide in the water from 100 parts per million to 11,100.

“This is obviously a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners,” Gualtieri added.

Source: ‘This is dangerous stuff’: Hacker increased chemical level at Oldsmar’s water system, sheriff says

Categories
IoT sensor

Reported drop in visitors to museum a counting error, Lifestyle News & Top Stories – The Straits Times

We are in an age where the proliferation of sensors to collect data for analytics is becoming common-place. However there needs to be more caution in completely trusting the result of the data collected, eg. sensors can malfunction, there may be software errors, unprotected endpoints can be hacked etc.

The error resulted from a faulty sensor over the main entrance that was initially detected in the spring of last year, a museum representative said. At that time, an engineer was sent to repair the device, but the device later failed a routine accuracy test in July last year.

Source: Reported drop in visitors to museum a counting error, Lifestyle News & Top Stories – The Straits Times

Categories
IoT security

This Hacker Is My New Hero

Internet vigilante to the rescue? Someone – or some group of people – decided the best way to save the Internet from the scourge of insecure IoT devices is to disable them permanently. I like how he/she/they describes his/her/their project.

I consider my project a form of “Internet Chemotherapy” I sometimes jokingly think of myself as The Doctor. Chemotherapy is a harsh treatment that nobody in their right mind would administer to a healthy patient, but the Internet was becoming seriously ill in Q3 and Q4/2016 and the moderate remedies were ineffective. The side effects of the treatment were harmful but the alternative (DDoS botnet sizes numbering in the millions) would have been worse. I can only hope hope that when the IoT relapse comes we’ll have better ways to deal with it. Besides getting the number of IoT DDoS bots to a manageable level my other key goal has been to raise awareness. The IoT problem is much worse than most people think, and I have some alarming stories to tell.

Source: This Hacker Is My New Hero

Categories
IoT

Cowlar

Internet-connected cows. Lovely.

Reduce labor, make good decisions & relax while we watch over your cows!

Source: Cowlar

Categories
IoT security

IoT garage door opener maker bricks customer’s product after bad review | Ars Technica

Ouch. Talk about poor customer service. A particularly irate customer who bought an IoT garage door-opener posts a nasty review and his device was denied server access, effectively making it useless or “bricking” it. Imagine posting a bad review about your Smart TV and it stops working. Hmmm.

Startup tells customer “Your unit will be denied server connection.”

Source: IoT garage door opener maker bricks customer’s product after bad review | Ars Technica