• P (unregistered)

    TRWTF is JS isn't involved in this WTF.

  • (>'-')> (unregistered)

    TRWTF is M$ isn't involved in this WTF.

  • Little Bobby Tables (unregistered)

    My mind is irrevocably locked onto the thought of Mindy Kaling, so help me ...

  • (nodebb) in reply to Little Bobby Tables

    First of all, how dare you?

  • Björn Tantau (unregistered)

    It would be a crime not to report this company. But somehow I see almost every prejudice I have against IoT confirmed. (almost because I never thought they'd issue updates)

  • (nodebb)

    I call BS. Most IoT devices in a domestic environment will be behind a NAT (or series of NATs) , and always use an outbound connection to their host for ease of installation and use with a dynamic IP. So unless they can somehow successfully open and forward TCP port 22 inbound on every client site makes this whole "script that SSHs Into the device" story sound completely bogus. If they are all somehow connected to a giant VPN spanning every device, this would have made a much better story anyway. If someone somewhere managed to make STUN for TCP (aka STUNT) actually work reliably enough for a forced firmware upgrade, then they should be given a Nobel Prize.

  • Helten (unregistered)

    Three digits, four symbols, a space and a letter add up to 9. So the minimum password length was nine characters, not eight!

  • Somebody Somewhere (unregistered) in reply to idzy

    Is it possible to do an equivalent of passive mode FTP with SSH, to get past the router's NAT?

  • eth0 (unregistered) in reply to Helten

    You don't understand. The minimum password length is 8 characters but you have to enter 9 at least.

  • Brian (unregistered)
    She'd been hearing at every job fair how IoT was still going to be blowing up in a few years

    You know, I've been hearing this same thing for at least twenty years now, if not longer.

  • Foo AKA Fooo (unregistered) in reply to Somebody Somewhere

    Kind of, yes. You can open a reverse tunnel ("RemoteForward") to make any local port available on the target machine, including, of course, the ssh port itself. We actually do this for equipment we sell (not exactly IoT stuff, but the use case here is similar; most of them are behind NAT routers, indeed).

    Though we need a central server that they connect to, so the six VMs doing stuff might be a bit problematic. Not that they'd need them, anyway. Thousands of ssh instances, that's nothing. I could run them on my laptop (with the global key on it :) within a reasonable time frame. ssh takes a bit of CPU time at login for key exchange etc., but afterwards the script is just sending commands to the remote device and waiting for it to process them. You could easily run dozens of them in parallel.

    But the better design, of course, would be to have the devices themselves scan for updates regularly, making sure the updates are signed. No need to even ssh into them for that purpose (we only need to for manual troubleshooting etc.).

  • Anon (unregistered) in reply to Helten

    Your password is allowed to contain at most one backspace!

  • (nodebb) in reply to idzy

    Maybe not a Nobel Prize (computer science and math are not categories in those awards), but maybe the IEEE or ACM (Association for Computing Machinery, not American Country Music) awards would be appropriate. Seeing as we are talking about the Internet of Things, might I suggest an Ignoble prize?

  • Feeling lucky (unregistered) in reply to idzy

    The real WTF is:

    Initech can scp directly into each device even when it is behind a firewall!


    Those cameras apparently open up a tunnel to the service ("are online"), such that the service ("script") can ssh into them (over this tunnel) and forcefully do the update. So they do not need to open a hole into the firewall, they are the hole.

    As each model type has it's own ssh key, these SSH private keys must be uploaded to the EC instances of course, such that the script can do it's work. An agent would be enough, but nope, the keys were uploaded. So the keys, which are stored privately on each laptop to prevent them to be in a network, are stored in the EC, which is a virtual network (a virtual network is far less secure than any physical network).

    Also the EC instances are needed, because the devices need to pull the firmware. If you can ssh into a device, you can scp the files, too. Or sftp them in case you miss the scp binary. So no need to curl at all! But no, that's probably far too easy, I suppose.

  • Anonymous (unregistered)

    "when our passwords get leaked again"

  • an0n (unregistered) in reply to Anonymous

    HA! I noticed that too, alongside Mindy apparently not raising an eyebrow at that.

  • Karl Bielefeldt (github)

    The funny thing about these "super-secure" password requirements is that completely randomly-generated 25-character passwords often don't meet the requirements, even though they have much higher entropy. I have to take a truly random password and add a space in the middle or whatever.

  • (nodebb)

    Remind us again: how long did it take for the universal lock key for DVD players to become public knowledge? Of course, an SSH private key is a [bold]CompletelyDifferentSituation/bold

  • A nany mouse (unregistered)

    Hello there,

    I'm not really formed to network / security (I mostly program offline software), so I do not really understand why what Initech does is bad practice. (apart from storing passwords, I know that ^^). Can someone make me a short explanations, or point me to articles that are relevant?

    Thanks :)

  • Hasseman (unregistered) in reply to Karl Bielefeldt

    The Enigma was cracked because of the design flaw it would not map a character to itself. Passwords must have figures and symbols might also be a design flaw? As you said, 25 character pwd can have a higher entropy

  • ooOOooGa (unregistered) in reply to A nany mouse

    Besides the password storing, the other topic is the SSH keys. And maybe the NAT/firewall holes that the IoT devices are creating, but I'll stick to the SSH keys.

    1. These IoT devices all share a single SSH key per model of device. One master key that opens up SSH access to every single one of their Model Q cameras.

    2. Those master keys are stored on every single laptop for everyone in the department. Every developer. Every middle manager. Every executive.

    Now, consider how those two items interact with things like employee turnover and laptop theft.

  • I can be a robot if you want me to be (unregistered)

    Sell enough of them that you get bought by Amazon or Google and let someone else worry about the security breach.

  • Programmer Robot 10C-32 (unregistered) in reply to Helten

    Not necessarily... Your password could satisfy the letter and number rule at the same time.

    12π @#$%


  • ooOOooGa (unregistered)

    Nah. Use e instead.

    Or better - i. Real hackers would never check for the number i in passwords. (ba-dum tchsss)

  • Harris M (unregistered) in reply to ooOOooGa

    You missed the joke, you should've said real hackers would never imagine that anyone would use the number i in their password.

  • Pietro (unregistered)

    There is a website out there called "the internet of sh*t" collecting stories of flawed internet of things devices. Very entertaining.

  • jay (unregistered)

    I particularly like sites where they have a complex password rule, but don't tell you what it is. I had one where I typed in what I thought was a pretty good password: 9 characters including a capital letter, several small letters, 2 digits, and a punctuation symbol. I got a message saying it didn't meet their password rules. Didn't say what the rules were, just that I didn't meet them. I tried a number of changes and still, doesn't meet the rules. I finally stumbled on deleting a character and that made it pass. I had used the same digit twice in a row, maybe the rule was you can't use the same character twice in a row? That's a dumb rule. I still don't even know if that was it, or what the rule was.

    Tip: When you give an error message, be specific enough that the user might actually be able to figure out what to do to fix the problem.

  • PICNIC WTF (unregistered)

    "Well, we were worried about storing something so sensitive on the network."

    Their workstations aren't connected to a network?

  • sizer99 (google) in reply to A nany mouse

    Besides what ooOOooGa and Feeling Lucky said, the correct thing to do would be

    1. Automatically generate a new cert for every device - so if someone steals / hax the cert they can only get into a single device. We do this, it's easy using openssl. If you can't figure out how to do that, at least update the certs for every batch so only a single run is compromised.
    2. Have the device occasionally check for updates and update itself. No need for it to constantly have a tunnel punched through the firewall or to look for devices to connect and push the update to them. No need for ssh.

    Honestly, even if you can't do 1, 2 is much easier than what they're doing. Makes me suspect they want that constant tunnel into every device so they can do some lascivious peeping on whatever the camera is seeing.

  • dan (unregistered)

    It's safe to say Mindy learned a lot during her internship. Mostly, she learned, "don't buy anything from Initech."

    So close, yet so far. The correct lesson is don't buy any InternetOfShit crapware from anyone.

  • eric bloedow (unregistered)

    oh, i just remembered a silly story: a manager boasted about his new security system. he CHALLENGED anyone to get past it. so someone sneaked into the manager's office to check it out...it was a fingerprint scanner. he got around it simply by unplugging it and plugging something else into the same slot!

Leave a comment on “Internship of Things”

Log In or post as a guest

Replying to comment #:

« Return to Article