[Dailydave] Junk Hacking Must Stop!
lcamtuf at coredump.cx
Mon Sep 22 16:44:50 EDT 2014
Well, I wouldn't badmouth "IoT hacking" just for the sake of it - for
better or worse, it's a growing and increasingly important attack
surface, it is in many ways a decade behind the standards we've come
to expect on the desktop, and it occasionally deals with genuinely
interesting and possibly unsolved problems - say, around auth.
The issue is chiefly that, as you note, a lot of the headline-grabbing
research is just poorly thought out and often done with little
ambition; if you have physical access to a fridge and even then, your
technical expertise is limited to being able to brick it or infect it
with SQL Slammer, it is perhaps wrong - on some abstract, existential
level - for you to be able to get a lot of air time out of that.
But then, it's not really fixable, right? It's a hot topic, both for
legitimate reasons and because of its vaguely sci-fi vibe. Journalists
want to write about it, people want to click on the links and pay for
conference tickets, and the only way to improve the situation is to
wait for things to calm down and keep putting out better work.
If anything, I would warn against confusing the prevalence of
low-quality, high-visibility research in a particular field with the
whole thing not being worthy of our attention. Many people have made
that mistake with web security some 10 years ago.
On Mon, Sep 22, 2014 at 11:53 AM, Dave Aitel <dave at immunityinc.com> wrote:
> Look, I get how we all love free trips to various locales other than Seattle
> or Boston or whatever (which are not, technically "locales" so much as just
> "places people happen to live"). But one more hacking talk about breaking
> into some random piece of electronics that people might use somewhere like a
> Internet-connected bed-warmer, or a MRI machine, or a machine people use to
> make MRI machines, and the whole hacking community is going to be wearing
> the cone of shame for a week!
> Yes, we get it. Cars, boats, buses, and those singing fish plaques are all
> hackable and have no security. Most conferences these days have a whole
> track called "Junk I found around my house and how I am going to scare you
> by hacking it". That stuff is always going to be hackable
> I get that Barnaby hacked an ATM. I thought it was stupid then, and it's
> even stupider now when your basic ATM runs XP so it can display ads to you
> while you take money out of it. But it's not stunt hacking unless it can wow
> you. If you are wowed by someone owning XP these days, then you are out of
> it and need to be re-reading Carolyn Meniel's HappyHacker website. Yes,
> there is Junk in your garage, and you can hack it, and if you find someone
> else who happens to have that exact same Junk, you can probably hack that
> too, but maybe not, because testing is hard.
> Cars are the pinnacle of junk hacking, because they are meant to be in your
> garage. Obviously there is no security on car computers. Nor (and I hate to
> break the suspense) will there ever be. Yes, you can connect a device to my
> midlife crisis car and update the CPU of the battery itself with malware,
> which can in theory explode my whole car on the way to BJJ. I personally
> hope you don't. But I know it's possible the same way I know it's possible
> to secretly rewire my toaster oven to overcook my toast every time even when
> I put it on the lowest setting, driving me slowly but surely insane.
> So in any case, enough with the Junk Hacking, and enough with being amazed
> when people hack their junk.
> -dave :>
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
More information about the Dailydave