
Thread: The Inherent Dangers of Abandonware IoT Devices

  1. #1
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    The Inherent Dangers of Abandonware IoT Devices

    https://www.theregister.com/2020/06/...pport_periods/

    Knowledgeable users may understand the inherent dangers in orphaned consumer devices, but consumers do not.

    Many years ago, I made the mistake of buying a Western Digital MyBookLive device. To my disbelief and frustration, WD abruptly abandoned the device three years after my purchase. Note that this was specifically sold as an Internet‑facing media‑serving NAS. That's about as central and critical a role as a device can play in any given network environment. Their response to outraged queries (abridged): "We are committed to security. This device should only be used within a good firewall."

    The really sad thing was not their lame, irresponsible response; it was how few consumers were sufficiently knowledgeable to be outraged.

    Abandonware is already a big problem now. It's going to get much worse.

    PS. I finally resurrected that WD NAS by nuking its lousy dead firmware from orbit and replacing it with OpenWrt. Once again, FOSS/Linux rides to the rescue.

  2. #2
    Join Date
    Sep 2014
    Location
    United States
    Beans
    286
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: The Inherent Dangers of Abandonware IoT Devices

    I'm not sure how any company thinks it can maintain such ambitious projects in the first place. It's almost like it's designed to fail because consumers can host their own cloud cheaper while others could get free cloud storage anywhere.

  3. #3
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: The Inherent Dangers of Abandonware IoT Devices

    This was back in the day when cloud was not as ubiquitous as it is today and there was still some question as to how it would develop. Indeed, this was WD's "answer" to the desire for self-hosted cloud devices.

    The bigger problem is that WD did not consider this a "failure". As far as they are concerned, they sold millions of units, pocketed their profits, and are not responsible for all of the dead bodies lying around—I have no doubt that thousands of those units are now slaves in the massive botnets that are causing so much havoc on the net.

    With respect to my original link, neither will Samsung, LG or any of these other fridge manufacturers. Consumers are enticed into paying huge premiums for "smart" fridges that can automatically restock themselves by placing orders with the online supermarket delivery service (ooo-ahhh), but are not warned that the fridge will be abandonware after two years (what's abandonware?).

  4. #4
    Join Date
    Jun 2010
    Location
    London, England
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: The Inherent Dangers of Abandonware IoT Devices

    Planned obsolescence has been around for many decades. If we believe the American movie industry there are alien races right now scheming to invade earth because they have used up all the precious resources of their own planet. In my opinion they used up the resources building the massive invasion fleets. And then their equivalent of a certain smartphone/tablet reseller advertised their next model and could not meet the demand. So, the invasion fleet is launched.

    https://en.wikipedia.org/wiki/Planned_obsolescence

    Regards


  5. #5
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: The Inherent Dangers of Abandonware IoT Devices

    Quote Originally Posted by grahammechanical:
    …So, the invasion fleet is launched.
    By far the best theory I've yet heard.

    I do get the planned obsolescence business model. Whether I agree with it is another matter, but I'm not so naïve as to expect businesses to act otherwise. However, one would think that even this business model can only get away with so much cynicism:
    …LG saying patches would be issued as required. Samsung said it would offer software support for a maximum of two years…
    Two years???

    The mischievous side of me wonders how Samsung would react if it got about that their fridges are only designed to last 2 years.

  6. #6
    Join Date
    Nov 2009
    Beans
    Hidden!
    Distro
    Kubuntu 18.04 Bionic Beaver

    Re: The Inherent Dangers of Abandonware IoT Devices

    Quote Originally Posted by DuckHook:
    The mischievous side of me wonders how Samsung would react if it got about that their fridges are only designed to last 2 years.

    I work in customer care for a large household manufacturer. I don't know what Samsung would say, but I do know our new bosses do not understand the concept of repair. So the products are made and dumped on the market with no way to repair them after a year or two.

    Luckily the new law in Europe will force them to supply parts so that appliances (not all appliance types yet) can function and be repaired for 10 years. I mean, from a consumer standpoint it makes a lot of sense. I am not sure how this will affect the IoT appliances they try to peddle. Once I spoke with a marketing guy and IoT enthusiast. I mentioned that if you don't update, one can hack it and then the whole brand will look bad. He agreed that they need to figure out a solution for that. I don't think they ever did. They continue to sell these devices.

    I too would advise consumers to try and avoid such devices, at least until there are certain standards in place. If we had something similar to the AMD64, UEFI and ATX standards, then at least consumers or repairmen could replace the OS later on with a newer OS version or at least open-source software.
    Until this is possible these items will basically be beyond repair, and in the EU they will receive lower grades on the label. So as a consumer you will see a label that defines how easily it can be repaired within a certain period. Then people will vote with their money. No one will buy a * star appliance if all others have 4* or 5*.

    I also hope this will move on to TVs, smartphones and various hubs. Manufacturers should be bound to at least some standards.

    Energy labels basically did just this. They forced manufacturers to really "go green". No one will buy an oven with D or C class energy efficiency if all others have A+, A++ and A+++ and they cost approximately the same. Additionally, I think you can see the savings on the labels (or rather you can calculate them). So who in their right mind would want to buy something that costs the same, yet is more expensive in the long run, makes more noise, doesn't dry as well etc.?!

  7. #7
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,020
    Distro
    Xubuntu 20.04 Focal Fossa

    Re: The Inherent Dangers of Abandonware IoT Devices

    Samsung said it would offer software support for a maximum of two years…
    For a cloud-dependent IoT device, I read that as "We guarantee that this device will stop working within two years." I really can't think why anyone would buy such an item.

  8. #8
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,849
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: The Inherent Dangers of Abandonware IoT Devices

    Do you really think abandonware products became "botnet farms"?

  9. #9
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: The Inherent Dangers of Abandonware IoT Devices

    Quote Originally Posted by kevdog:
    Do you really think abandonware products became "botnet farms"?
    https://nakedsecurity.sophos.com/201...security-flaw/

    This is just an example. There are similar stories weekly.

    I subscribe to a number of security blogs and reading them is just depressing. So much so, that there are times I have considered unsubscribing. But ignorance is not really bliss, so I grit my teeth and stay informed.

    Consider the case of the Western Digital MyBookLive in my first post.

    1. It was abandoned on kernel 2.x (I don't bother remembering which one precisely, but it was an ancient kernel anyway).
    2. It was designed and sold to be Internet facing with UPnP turned on by default.
    3. It was marketed as a consumer appliance that was just plug-and-play. A cloud device for dummies.
    4. I bought mine at Costco. There was a mountain of them in just the one store. If not millions, then at least hundreds of thousands were sold.
    5. Since its orphaning, thousands of CVEs have been discovered. Let's just exploit an infamous one: heartbleed.
    6. If I were a bad guy, I would prowl for old MyBookLives. They advertise their web services freely and distinctively, so they are easy to spot.
    7. Since it's a consumer device, many users who are just knowledgeable enough to be dangerous would have activated ssh without a second thought.
    8. Never mind heartbleed. Many of those same users would not have even bothered changing the ssh password from its factory default (they were all the same, root ssh was enabled and the password was available with any web search).

    There is absolutely zero doubt in my mind that a hefty proportion of those MyBookLives are now pwned.

    Botnet farms, DDoS bots, cryptomining bots… some form of bot anyway. Why on earth would a scumbag refrain from taking advantage of such easy pickings?

  10. #10
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    20,542
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: The Inherent Dangers of Abandonware IoT Devices

    We need laws to mandate "Truth In Packaging" like we have for Food items with the Nutrition Labels.

    I've thought a little about what should be on the box side for any internet dependent devices AND software:

    • Support EoL date
    • Free upgrade schedule and paid "extended support" schedule.
    • Patch schedule - monthly, quarterly.
    • What works without internet connectivity?
    • What requires internet connectivity to work?
    • List of all {domains|IPs}:{ports} required for each network connection
    • List of protocols used for each external connectivity
    • 2FA standards supported
    • How new firmware is updated – USB flashing, network load, something else?


    If I'd known that Google was going to EoL my $450 phone 2 yrs later, I'd never have bought it. Seems many companies think 3 yrs of support is fine. I find it strange that Apple seems to do the best job, by far, of all the IoT makers.

    Some devices that people buy without thinking about life times.
    • Remember Plays For Sure from MSFT?
    • Thermostats like Nest v1 (pre-Google)
    • Door locks / Garage doors
    • Any internet cam/video
    • Phones / Tablets
    • TVs
    • Media Players
    • Routers
    • Kitchen appliances with IoT stuff
    • IoT controllers that tie into Google / Amazon / Apple "home" controllers.
    • Software - how long will WoW be available or Quickbooks or Starflight or Apple Video purchases?
    • Digital cameras with connectivity


    BTW, almost all consumer routers get 2-3 yrs of support, no more. I'm always amazed when people are running 10 yr old Belkin/Buffalo/Linksys routers that have never been patched. If you care about security in your house, there are 3 choices:
    1. Get a recent small-business router like MikroTik or Ubiquiti, which are well regarded for quick patching
    2. Build your own x86-64 device that runs one of the small-business router distros which are known to be well maintained: pfSense, OPNsense, some Linux versions like Smoothwall, SonicWall, ...
    3. Build your own x86-64 device that runs a small Linux distro that YOU set up as a firewall + router.

    I suppose people could just buy a new router every 3 yrs.
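Added example, not from any poster in this thread: a small Python script that turns the "{domains|IPs}:{ports} per connection" box-side list proposed above into an nftables fragment that lets one device reach only its documented endpoints and drops everything else to or from it, which is what "use it within a good firewall" from the first post would mean in practice. The manifest, the vendor hostname, the IPs and the device address 192.168.1.50 are constructed for the example.

```python
import ipaddress
import re
# Constructed manifest in the shape the post proposes; the vendor host, IPs and
# ports are made up for this example, not taken from any real product.
MANIFEST = """\
# endpoint                     port  proto  purpose
updates.example-vendor.test    443   tcp    firmware updates
203.0.113.10                   8883  tcp    MQTT cloud relay
203.0.113.10                   123   udp    time sync
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,5})\s+(tcp|udp)\s+(.+)$")

def parse_manifest(text):
    """Return (endpoint, port, proto, purpose) tuples; reject malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line: {raw!r}")
        endpoint, port, proto, purpose = m.groups()
        if not 0 < int(port) < 65536:
            raise ValueError(f"port out of range: {raw!r}")
        if not re.fullmatch(r"[A-Za-z0-9.-]+", endpoint):  # IPv4 literal or hostname
            raise ValueError(f"bad endpoint: {raw!r}")
        entries.append((endpoint, int(port), proto, purpose.strip()))
    return entries

def render_nft(entries, device_ip):
    """nftables forward-chain fragment: allow only the manifest's flows from
    device_ip, drop every other flow to or from it (other hosts unaffected)."""
    ipaddress.ip_address(device_ip)  # fail early on a bad address
    lines = [
        "table inet iot_guard {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",  # replies to allowed flows
    ]
    for endpoint, port, proto, purpose in entries:
        # nft resolves a hostname once, at ruleset load time
        lines.append(f"    ip saddr {device_ip} ip daddr {endpoint} "
                     f'{proto} dport {port} accept comment "{purpose}"')
    lines.append(f'    ip saddr {device_ip} counter drop comment "undocumented egress"')
    lines.append(f'    ip daddr {device_ip} counter drop comment "unsolicited inbound"')
    lines += ["  }", "}"]
    return "\n".join(lines)
```

The counters on the two drop rules double as a cheap detector: a rising "undocumented egress" count on an orphaned device is exactly the signal that it is talking to something its vendor never documented.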
