the internet of things is completely out of control
Vložit
- čas přidán 2. 06. 2024
- The internet of things is getting too wild and I really cant handle it.
🏫 COURSES 🏫 Learn to code in C at lowlevel.academy
📰 NEWSLETTER 📰 Sign up for our newsletter at mailchi.mp/lowlevel/the-low-down
🛒 GREAT BOOKS FOR THE LOWEST LEVEL🛒
Blue Fox: Arm Assembly Internals and Reverse Engineering: amzn.to/4394t87
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation : amzn.to/3C1z4sk
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software : amzn.to/3C1daFy
The Ghidra Book: The Definitive Guide: amzn.to/3WC2Vkg
🔥🔥🔥 SOCIALS 🔥🔥🔥
Low Level Merch!: lowlevel.store/
Follow me on Twitter: / lowleveltweets
Follow me on Twitch: / lowlevellearning
Join me on Discord!: / discord - Věda a technologie
Just remember, the S in IoT stands for security.
epic
The S stands for Switch Off 😂
@@timotheos0190 boo
This comment deserves today's internet award! 😂
but there is no S... oh... oohhhh, I get it now.
Tech enthusiasts have their house filled with tech. Programmers just have a toaster with a gun next to it in case the toaster becomes sentient.
A meme I once saw (paraphrasing):
The difference between tech enthusiasts and people who actually work in the tech industry is that tech enthusiasts have smart tech plastered all over their home, so they can control everything with the press of a button from their phone, meanwhile the most advanced piece of tech in a tech worker's house is a printer from 2004 and they keep a loaded handgun nearby in case it makes a noise they don't like.
and the toaster was made in 1970
😂😂😂😂😂
It's less about distrust and more about seeing when things have serious issues, and when they aren't really helping you in any way. Like I wouldn't buy a smart washing machine, cuz I don't see a point, unless they somehow become useful or cheaper than normal, but an automatic vacuum cleaner that you turn on when you go out is great.
@@Stay_away_from_my_swamp_water If the washing machine went around and gathered up all of the dirty laundry, then it would be worth it!
...
Until it misidentifies the cat as a sweater
Dude I laughed so fucking hard when you got into the SMART chastity cages that can be force-locked 💀
It's a feature 💀💀💀
Won't say 'chastity', but no stress dropping the classic ol' BigDong420. This is why we love you LLL
BigDong420 got my back in the lawsuit ✊
@@LowLevelLearning only because you went for open instead of lock
We're living in the Future...and it's stupid af🤦♂
I took a screenshot of this, my phone literally stopped loading comments below this one and gave an error:
There was a problem with the server [503] Retry
Having completely unprotected APIs is wild, like week four of a web dev bootcamp you’d know that’s a baaaad idea.
Working on a React project where to login, you need to get a JWT token that is retrieved using the superadmin credentials of the public backoffice interface, and it's on production like that.
@@LetrixAR wtf
At least because of that unprotected API your thing would be protected from STD forever😢
Regardless of whether or not a device SHOULD be online, any device that CAN be online and can access the wider internet, CAN be compromised and CAN be used as part of a DDOS attack. Whether it be tooth brushes, smart washers, or your phone, it doesnt really matter, the simple matter is that there are an ever increasing number of connected devices, with an ever increasing number of security vulnrabilities.
It's important to not increase your possible attack surface area. Buying smart devices that have no reason to be smart is a clear security risk. A car can still drive without an Internet connection, a toothbrush can still brush your teeth. People don't seem to understand the concept of an attack surface area though and they buy a bunch of Internet connected devices made by people who have no idea about basic security practices.
@@minneelyyyy8923but as a consumer, what can i do against it? I want to get the latest s63 amg, but i cant tell them mfs hey just remove all the electronics.
Absolutely, and I usually speak of "tech-orgy", which includes the majority of those who can afford "smart" devices, and themselves don't even know why they do that, apart from feeling over everything. If only that money went in good hands...
It should be illegal to release a commercial internet connected product without having it pass some basic security tests first.
Smart chastity devices? What a strange time we live in...
when articles are using the term "people with a penis" unironically you know we are living in peak stupid
@@shinoobie1549Ah yes, because using the correct and precise term is "peak stupid"
@@shinoobie1549 Stupidity is in the eyes of the beholder
@@arctic_line there is correct term for it. It's "Man" or "Men"; male even.
@@Ronaldo-se3ff Except here, that comes with implicit qualifications, when "people with a penis" does not. Your statements betray a lack of understanding of what goes into formal writing and why the standards we've settled on exist.
I'm a s/w engineer but I'm a Luddite in the technical sense of the word - I object to unnecessary technology that makes the world worse. Which is anything IoT to start with.
Nah, IoT is cool. Lots of fancy graphs and usage statistics. If you do it well enough you can very accurately track if a change you made actually had a difference or if it was meh.
But yes I want full control over the device. I refuse to trust anything I do not have full control over.
No full control and no real alternative? Either it doesn't get network connectivity or gets put on a separate network with only what it needs to communicate with its API for what functionality I need and no more. If it asks for too much, insta return. Managing that does become a headache when they push updates because they sure as hell won't tell you what they changed. I've asked multiple times.
@@LiveType IoT is great for practical stuff like getting metrics on the environment and your tools and whatnot. but like all technology, when it comes to being sold to a consumer market its literally just a premium markup and loss of privacy for worlds smallest convenience. Like I have a smart speaker I barely use because I already just have my phone right there for Bluetooth
@@LiveTypethe tech is cool enough, but for my own use? Useless. Yes I could start everything from my couch, but why? Are we as a people really too lazy to push a f** switch?
Do I really want to spend the night in all kinds of color lighting?
It's fun for five minutes and then meh.
@@LiveType The problem with IoT is the "I". 90% of these things literally don't need a connection to the internet at all and would be just as functional with local-only connections. But the companies need to data harvest...
wait until smart ball crushers come to the market
I think you just repeated the elevator pitch for OnlyFans.
I think this device also comes with electric shocks lmao
hold on i got an business idea
**Your wheelchair and children accessible can crusher wants to know your location.**
Why can't we just go back to the days when rather than having your 'device' unlocked remotely, you just shouted "call the locksmith!" and someone in a nearby house repeated the shout, "call the locksmith" and so-on until the locksmith finally got the message and rode out on his donkey to unlock the 'device'?
Imagine some genius techbro executive just deadass sat down and said: "Ya know what this thermostat _really_ needs? *A network stack"*
If we look on the bright side, it creates a world where It's fun to hack around
Its gonna be Watchdogs quickmenu hacking irl
@LessThanPro I think this was one thing the watchdogs devs didnt manage to anticipate 😂
@@_Lumiere_ Quite the contrary, Watch_Dogs was meant as a wake-up call and a warning of things to come.
I personally think this whole thing of making "smart" gadgets is really dumb. The limit is a phone, even then, it may be best to just use dumb phones as much as possible. Get off TikTok people, and start learning how to program!
Based computer user
@@DsiakMondala I use Arch, btw. :)
I believe there's 3 main reasons companies make smart devices:
1. They can harvest your data
2. They have more control over your device and can remove features from your device at any point (e.g. locking features behind a subscription)
3. Makes people more likely to buy it because they think new is better (which it isn't).
Basically, it's for the companies' benefit, not yours, don't buy "smart" devices.
@@freddymuskelberg Bingo! Couldn't say it better! :D
I swear, if I ever want "smart" devices like that, I will build them myself
I swear, if I ever show any signs I want smart devices like that I'll have a friend slap me until I come to my senses.
@@M0UAW_IO83 Until you find out that you like to be slapped
To note, for the device locking. It's using bluetooth, so you would need to be in range of the device itself to be able to lock it, not through an HTTP Server. That being said you could run a software on your phone to scan surrounding devices and lock them very easily.
in theory, in practice who knows, its an "app" its always going to need to go to the internet to do stupid shit, so it can easily leak data, or the programmers can be dumb and route bluetooth commands over the internet API
Are you *sure* about that? My impression is that the "device" connects to your phone using Bluetooth and then an app running on the phone does HTTP-ish stuff. It seems like thins would be necessary since the "device" supposedly lets the trusted partner lock/unlock it from anywhere.
@@sootikinsiirc there were some more articles referencing products of a similar category of toys that functioned in exactly the way you described. There were also a few instances where such devices had incredibly flawed BLE implementations as well
Phone 1 (of the wearer) is near the device and communicate to it via Bluetooth and to the internet via an API.
Phone 2 (of the wearer's partner) is somewhere else on the planet and talks to the internet via the API. The idea is that Phone 2 has control over the locking and unlocking no matter where it is and Phone 1 is used as an internetbluetooth bridge.
Thinking about it logically, a device that can be unlocked via short range bluetooth is about as useful as.. you know.. manually unlocking it by hand. It would surely connect to the phone, or else it seems rather pointless
I am appalled by the trend of adding unnecesarsy microelectronics and internet access to everything. Like wtf?! This is a massive misuse of resources, increases manufacturing costs and product prices, provides questionable benefits to the consumer at best, while at the same time being a potential security hole and a guaranteed waste of electricity and data traffic.
On top, you gotta replace that "smart" shit every 2 years, because its internal, sub-standard quality, non-replacable battery dies, or due to the manufacturer just remote-disabling the product such that you go and buy a new one to keep the profits rolling in.
Such practices destroy our planet and make people poorer, especially when "dumb" products just get phased out and the only thing one can still buy, are the "smart" variants. Needless to say, the children gathering the raw materials in African mines literally did so for nothing more than enabling an especially degenerate variant of consumerism. There are only few things that are more moronic.
I don’t mind “smart” devices in general, I kinda like using my phone as a “universal remote controll”. The problem is most of those devices are not satisfied to stay within the LAN, but rather every manufacturer wants to lock you into their stupid cloud solution.
I noticed that when looking for a doorbell camera that doesn’t connect to a cloud service. Practically impossible to find. I kind of wanted to just make my own.
@@TehKarmalizer Make your own then. Amazon's product listing can't tell you what to do.
@@endermannull4420 I might. Hard to make time for projects like that, but I think it would be a great experience.
LLL: "'... a trusted partner to remotely lock and unlock the device over bluetooth using a mobile app.' That makes sense."
Me: "Not it fucking doesn't!"
It does if you're into that.
chastity cages never should've been bluetoothed. Just use a key lmao.
It lets your wifes boyfriend lock it over the phone
Security as *second* thought? That's optimistic!
If you make whatever thing connect to a server for basic functionality you have way more more control over the product post-sale.
DRM, a subscription model, data collection, whatever anti-consumer scheme you're pulling is easier to pull off if they still _need_ you for your thing, even if it could easily all be local.
Man, you just made me think of the world of subscription-based washing machines with season passes. It's coming, isn't it?
@@user-sl6gn1ss8p It is. Only recently did BMW gave up from the heated seats subscription, they were just too soon. It will come back, and so will washing machines's battle pass.
@@user-sl6gn1ss8p go look up "Candy Washpass"
I googled it lmao, the future is here
@@user-sl6gn1ss8p it already exists, Candy WashPass lol
Right. The business is the data.
the second article about the chas cage is incorrect and i think was later found to be part of a bit of a hoax while it being force locked was a real exploit the having to use bolt cutters or a angle grinder is incorrect. essentially the ring is held in place by a single small piece of metal held by thin plastic and a accessible set screw a very small amount of a force is all it takes to deform the plastic and have the lock unlock. it was very much sensationalized
also because the battery in them isnt great in order for your lock or unlock command to actually work the device would have to have been powered on and bluetooth connected at the time
It was just a joke article from australian stand-up comedian
3:16 AI enabled washing machine
No different from the ai enabled oven that literally watches your meal cook using cameras. I think Siemens or LG. It's insane.
I love your example of spamming refresh to lock someone out/in their device. I think it really helps bridge the gap to non-techy folks to explain exactly what it means for an API to be left open and unprotected.
When i had to replace my furnace and therostat, I asked the repair man about smart home stuff. He said they fail way too often compared to non-connected equipment. Same story from car mechanic. I don't see any reason to have "smart" devices if it just brings in security flaws and more points of failure.
I'm glad I don't have a single "smart" device except my phone and I wanna keep it that way.
Me after some hacker takes control over my chastity cage and leaves me permanently locked in: 😩😭
Yeah, the only "smart" devices in my home are smarpthones, and a smart TV my dad got because it was easier to find a 4K smart TV than a non-smart 4K TV.
Smart TVs are ALWAYS cheaper because the sale is subsidized by selling your viewing data. So your dad chose to sell his, and your, data for a discount.
@@nobodynoone2500 also cheaper because the market is flooded with them for that reason. Companies aren’t exactly incentivized to produce and sell products without telemetry.
My girlfriend bought a smart fridge, I get waves of anxiety every time I go for a beer.
Are u gilfoyle from silicon valley
Similar thing, a colleague was trying to track down some unusual WiFi traffic on his home network and it turned out to be his fridge, asked him why he'd connected it to the 'net and apparently the only way to get a service tech out to repair the POS is to let call home so they can run remote diags on it.
Wasn't some guy locked outside of his house last year because the house thought he was a racist? Have they really learned nothing out of it?
Sounds like someone has a veeery stable career lined up for themselves 😂 cyber security = job security
Aargauer is paywalled and journalists don't like paying for random international paywalls, like you have to call the manager, the manager calls procurement, 4 week long process with uncertain outcome, i'd like to imagine. So they quoted Golem instead, who knows what happened there, they might have misread the article before re-telling it to its readers. Golem is also German language but it's ad supported, not paywalled. Then eventually someone from the English language press quoted Golem quoting Aargauer, and the ball got rolling.
The Aargauer article doesn't look like the one that was originally published, the title was different. They probably had to re-word it for quality given they caused a little too much of a ruckus.
That a big outlet can't a) pay a stupid fee to another outlets, like they're not in the same boat (sure, you can argue that it wasn't one of the bigger ones, so up until now they had no need to pay it, but then how did they found out?). Also, they should have some form of budget for things like this that doesn't need preapproval. After all, these sites are several bucks a month, even if you get all of them, it will be, what, several thousand dollars ? Hardly something to be concerned with at a big company.
also b) can't fuU^%^##$ng do a stupid translation and have to use things like google translate. From german to english, of all languages. I swear, they should be laughed out of the room. They don't deserve to be in the industry. Let alone by a big or medium outlet in the industry. But it's not like journalists in general have high standards... sigh
Looking forward to your course 😊😊
I hope people just go back to simple devices. I had an electric toothbrush for years until I realized it wasn’t even better at cleaning my teeth. I recently went back to regular toothbrushes which are a fraction of the price, quieter, easier to replace and don’t need cleaning.
It takes no effort for me to not buy crap. There is a retail term called "channel stuffing", whereby Chinese factories pushed product to shelves without the retailer actually ordering. This happened with KMart and Walmart. They would order one box and get four. Well, Amazon replaces channel stuffing. There are middlemen that will resale anything, including reverse engineered knockoffs. This combats the US buying on credit, which China hates. US retailers don't buy product for resale. Instead, the shelf space is a vendor slot, and if it sells, the mfr gets paid. Renting vendor shelf space goes away with online ecosystems, and here we are. Reaching net zero? Lie. We will be swimming in e-waste. But I got my bluetooth enabled tinfoil hat and copper mesh condoms that act like a faraday cage.
Oh Aargauer Zeitung! My mom is from the canton of Aargau😅🇨🇭
Then average people wonder why us programmers avoid unnecessarily smart devices like the plague.
We need MORE companies like that. "What do you mean 'password'? There is no password. Please enter your SSN, bank info, medical info, etc." 🤣
The way I see it, if you can't afford to fix it, then you can't afford to sell it to the public.
Regarding companies trying to save money on security, what needs to be done is the introduction of policies that incur fines and the like to in turn make it cheaper to ensure proper security of your product than pay a potential fine afterwards.
Companies follow money. If proper security is the cheapest path, companies will follow it.
What a time to be alive. Technology is meant to solve problems, but the current mentality seems to be about shoehorning the hottest thing in tech at a given moment into a shitty product and hoping people buy into it somehow.
I'm pretty sure the data from the washing machine turned out to be a bug in the router monitor software. Although an internet connected washing machine does seem a little unnecessary! Our dishwasher has an app - we didn't ask for it, but were curious and did set it up. We can see our neighbours washing machine listed on the devices to connect to
The "S" in IOT stands for security
The API with absolutely no access control blows my mind, it's scary to think there are professional developers out there coding in this way...
Yesterday I was at a shop where new TVs (for ads n stuff) were installed. 2 APs were left wide open and I regret only having my phone with me.
I would like to see a law that mandates that IoT devices must have ability to configure a custom self hosted server.
As a generally pro-tech, software engineer, I hate most technology.
I have 1 computer in my house, NO smart devices, and generally dislike using my phone/ avoid using it as much as possible.
It's definitely sad seeing people get duped into buying what essentially are cheap "smart" toys, and the learning to hate "technology".
I spend HOURS on the internet every day -- I have NEVER heard that story
The "those things" segment should have been saved for April 1st. I had to check the date to make sure it wasn't.
when I was a kid, the internet was a place you went to have fun...
Back in the past, the smart chastity watcher was the gossipy old neighbour, who would always know if you "broke the rules".
Wait why couldn't they make the device controllable via Bluetooth, or even come with its own remote controller, without the need for an internet connection? Even without that security flaw the device becomes unusable if the servers go down. If the company goes out of business then everyone's devices are pretty much useless forever.
That's the point of "smart" tech
I want anything smart in my home to connect to a local server, not the internet.
Yeah. Not just the new stuff. How many old edge devices etc. Are out there that haven't been patched for many years if ever?
Sure, basement teams don't do security till they have to - but that has, in fact, been true for the IETF since day zero.
this reminds me the scene with hacked smart fridges from "silicon valley" 😂😂😂
Internet's over.
Y'all don't have to go home, but you can't stay here.
Companies want to make everything smart for marketing and collecting data, but consumers just wish their stuff would be able to last 10 or even just 5 years.
I remember joke back when i was kid. I was watching Two and half Man and Charlie for the first time in his life was using a washing machine and when he started the machine he was asking Alan how he is going to know when is going to end and Alan told him that is going to call him. I laughed so much back then 😂. Technically is not going to call you probably but send you messages that it's finished working 😆.
The story and points you made were all great, but it irks me most that 'news' outlets just copy stories from other websites without even validating the stories they run.
Hi, I'd like to leave a suggestion for a future low-level video. Can you make a video on the topic of type punning in C both using pointer casts and unions?
Dang it, you got my hopes up. I have a smart toothbrush that looks a lot like one of the toothbrushes pictured. (Really not so smart, because it shows a frowny face if I use it for even a few seconds less than the arbitrary "goal". Very demotivating.) But if it could be compromised and used for nefarious purposes online, that would be SO COOL. That would mean the hardware is much more capable than advertised, and we could possibly turn a unitasker (expensive toothbrush) into a multitasker (environmental sensor, travel router, BLE hacking tool...) Maybe we could fix the frowny face negative reinforcement problem too along the way.
But no.
permanent lock in 😰
If it didn't happen yet, then it will eventually happen.
Hello I recently came across your channel and it seems the theme is around low level programming which is something I want to learn more. Do you offer any content on learning c++ and or c# please? If not could you recommend any good places to learn?
In the notification I got, this video had the title of your video on Riot's Vanguard VAC... until I clicked on it.
Something similar DID happen in 2016. A big chunk of the internet went down for a bit after a DDoS attack on the DNS provider Dyn. The culprit? IoT devices.
This is bonkers
Consider an Ad-blocker
"When we try to fix it, it causes more problems" Skills issue. If you can't put some basic authentication on your API endpoints, that's 100% an extremely embarrassing skills issue.
I never thought there would be a device I needed connected to the internet less than a toaster, but here we are.
All of my household items are dumb, because I prefer peer competition.
It's actually wild that someone thought, that making an over with a pyrolysis cleaning function IoT-enabled was a good idea. I wouldn't allow anything in my house that reaches up to 900 deg. Celcius to ever get even remotely close to a wifi. 🤣
We don't need smart devices. We need smart people.
Funny how he avoids certain words out of the fear of getting demonetized but then shoots the f-word out there. 🤣
Whew… Triple L you had me worried there… I was starting to think that 3mil cell phones were used in a ddos attack ❗️
B-b-but, I cant possibly live without my internet connected juicer that I activate through my phone...
Imagine being unable to have sex not because you're an arch user but because your chastity belt server was turned off and you were locked at the time, lmfao
Yeah, none of this stuff should be internet connected. If it needs networking, it needs to be on a separate vlan, firewalled off, and only allowed to communicate with specific hardware in the house.
But while all of it is getting easier, I still wouldn't expect the average consumer to do any of that. Home assistant is far from trivial to set up, the routers people get from their ISP probably don't even support vlans in the first place, and you can't expect people to be constantly tweaking their firewall to be tuned right. And so everything is cloud connected, sigh...
I remember botnets and all that, but getting DDoS'd by IoT toothbrushes is funny, even if it's only funny if it didn't happen to you. 😭
i just don't know how anyone who claims to be a developer would think it was OK to have an unsecured API exposed on the internet - regardless of what that API is used for. Let alone if the API has real world potential to do physical harm to someone.
It's just stunningly incompetent.
I suppose this is the fundamental flaw in generative AI, you can ask it to create some basic software, but you still need the knowledge to verify that software is production worthy, so you are effectively back to square one.
The only solution is open source software and hardware. You just can't trust closed solutions do what they claim to do.
I just installed a ransomware in your shoelaces. If you wanna tie your shoes, you owe me $150.
The internet of things *which should never be connected to the internet*
Imagine putting something connected to the internet inside your mouth.
I bought a corded printer partially because of this, also so I could use a printer without a wifi connection. I'm also buying a unifi router for a VLAN and router UI
People have not been hurt enough by these insecure devices. Therefore they don't care, therefore manufacturers don't care. I don't like to see people hurt, but like children and flames, the flame is not respected until they burn themselves.
I wish I knew how to make people care, before some major incident happens with these things.
A note on the smart washing machine. It was later found out that Johnie's router was miscalculating the numbers. The smart washing machine, while yes it was using data, was not using data to the level that he had thought.
90% of smart devices just don't need to be, we're in the "could we" phase of iot instead of the "should we" phase.
Entertainment console connected to iot? Sure, most content is on streaming platforms now.
Washing machine on iot? There's no way to remotely put your clothes in the wash so why would you need to remotely start the wash
A smart chastity belt that you have to use an app to play with? What's wrong with just using a lock and key like a medieval torturer?
The partner can control the cage more easily. Especially vibratoins or other functions
Military Standard Security so:
It is protected vs a Ak47,
but not vs a 0 or a 1.
Can someone explain me why would someone use a Smart/IOT toothbrush or any other device other than someone with some kind of disability?
Since it's impossible to get a decent TV without smarts, and I'm sure I'm preaching to the choir here, but be sure the block all traffic on your network to your TVs. Allow only whatever _legally acquired_ content you have locally and any specific streaming service that someone conned you into paying for.
Since the beginning of the IoT there's a meme picture "Internet of ransomware Things".
The use cases are "Clean me" and "You can only buy our cartridges".
I don't think this should be framed as companies not thinking about security until it's too late.
We have seen a lot of dumb and even harmful things done in the name of security in recent years and realistically in all these applications what security is implemented should amount to "it doesn't have the ability to connect to the internet"
People with a YUP 🤣
What I think: if they can't afford to fix it, they shouldn't be allowed to continue to exist. (And in particular, their CEO's shouldn't be able to get another paycheck, or sell a share, until the fix is done, if ever.)
Smart spatula on the horizon
Theres no way my bluetooth enabled toothbrush can hack anything
These people need to have their money privileges revoked... I'm sure there's some in greater need.