Search forums

Forums

Export thread

Hacked Baby Monitor

Aug 15, 2013#1

GasBandit

So. Imagine you wake up one night hearing a growling, malevolent voice coming from your 2-year-old's baby monitor, snarling "Wake up Allyson, you little shit!"

Apparently that's been the real fright a houston couple experienced recently. Their internet-enabled baby-monitor-cam got breached and a practical joker scared them (though their 2 year old slept through it all).

Everybody's all aghast about this. Me, I think it's a good thing this happened. Too many people want/are used to too many devices that are just "turn it on and it works, over the internet!" If it "just works" for you, it "just works" for anybody, and before you go hooking up anything to your internet you better be intimately familiar with terms like "firmware upgrade" and "port forwarding" and not feel uncomfortable in the slightest with doing either, or you're just beggin' for a cyber-buttpounding. Fortunately for these people, their run-in with reality was at the hands of a comparatively harmless clown whose antics did little more than teach them, it's twenty fucking thirteen, you live in a first world country, you have obligations to a certain level of aptitude before you go plugging in tech. If you don't know how to do it, pay someone who does.

And on a related note, here's a friendly reminder that the letter of the law says if somebody steals your wifi and surfs kiddy porn, you are held responsible. Default passwords and unupgraded firmware are not your friends.

Aug 15, 2013#2

Chad Sexington

GasBandit said:
And on a related note, here's a friendly reminder that the letter of the law says if somebody steals your wifi and surfs kiddy porn, you are held responsible. Default passwords and unupgraded firmware are not your friends.

Seriously? Jesus, that's not the case in Canada.

Aug 15, 2013#3

GasBandit

Chad Sexington said:
Seriously? Jesus, that's not the case in Canada.

Yes. I'm not saying it's a good law (and it's been a while since I checked up on it for revisions, honestly, since I posted about it in my political thread), but it's on the books. Your network security is held to be your own responsibility, so America, for the love of god, change those passwords and update that firmware.

The guy in the article above claims he had a firewall up, to which I say bullshit, I'd bet dollars to donuts he doesn't even really know what a firewall is. At most, he had a software firewall solution on his PC, or he bought a wireless router that said it had firewall software on the box. Nobody puts an honest to god hardware firewall in their home.

Aug 15, 2013#4

AshburnerX

GasBandit said:
Yes. I'm not saying it's a good law (and it's been a while since I checked up on it for revisions, honestly, since I posted about it in my political thread), but it's on the books. Your network security is held to be your own responsibility, so America, for the love of god, change those passwords and update that firmware.

I'm pretty sure they've since declared that an IP address isn't enough to make an ID on the identity of a child pornographer, as it's just as likely that someone is stealing their wi-fi or someone else in the house is doing said activities as it is the accused is. Having it be the responsibility of every citizen to protect their own net security just isn't feasible when most people have no means to prevent illegal access from a truly dedicated and motivated individual.

Aug 15, 2013#5

GasBandit

AshburnerX said:
I'm pretty sure they've since declared that an IP address isn't enough to make an ID on the identity of a child pornographer, as it's just as likely that someone is stealing their wi-fi or someone else in the house is doing said activities as it is the accused is. Having it be the responsibility of every citizen to protect their own net security just isn't feasible when most people have no means to prevent illegal access from a truly dedicated and motivated individual.

It's still enough for the RIAA.

Aug 15, 2013#6

AshburnerX

GasBandit said:
It's still enough for the RIAA.

Civil charges, not criminal.

Aug 15, 2013#7

Shakey

This isn't really all that new, except maybe the fact that it's being done to a baby monitor. It's always been fun to browse all the security cameras people set up without a password, or leave the default one on.

Aug 15, 2013#8

GasBandit

AshburnerX said:
Civil charges, not criminal.

Hrm, well, I hope you're right that the law has been amended. But it's still better to secure your wifi, if for no other reason than to save the cost of a door.

Aug 15, 2013#9

AshburnerX

GasBandit said:
Hrm, well, I hope you're right that the law has been amended. But it's still better to secure your wifi, if for no other reason than to save the cost of a door.

That's just general life advice: if doing or not doing something might result in the police busting down your door and shooting your dog, you'd better do/not do it.

Aug 15, 2013#10

Gared

I can't wait until someone pulls something similarly practical-jokey with those ridiculous internet ready refrigerators. Like having someone's grocery list automatically update with "out of human liver."

Aug 15, 2013#11

PatrThom

GasBandit said:
Nobody puts an honest to god hardware firewall in their home.

I do.

(or at least I port forward the Hell out of the chain of routers I do have. A full-on open source UTM like endian or zeroshell will happen when I have both time and money to spare)

Gared said:
I can't wait until someone pulls something similarly practical-jokey with those ridiculous internet ready refrigerators. Like having someone's grocery list automatically update with "out of human liver."

Have you heard the fun people have been having with these new Philips Vue light bulbs?

--Patrick

Aug 15, 2013#12

Shakey

PatrThom said:
I do.
(or at least I port forward the Hell out of the chain of routers I do have. A full-on open source UTM like endian or zeroshell will happen when I have both time and money to spare)

Have you heard the fun people have been having with these new Philips Vue light bulbs?

--Patrick

I was just going to link the light bulb deal. If you think about it, you could have a lot of fun. There are internet connected thermostats, locks, lights, drapes, tvs, etc. Even the google chromecast has zero security. If you don't have your wifi secured, people can push whatever they want to it. Surprise porn!

Aug 15, 2013#13

PatrThom

Shakey said:
Surprise porn!

If you simultaneously hack the baby monitor and the Chromecast, you can push the baby monitor to their TV, and do a MST3K-style critique of their baby's antics while you play with their lights. I'm sure that wouldn't creep them out at all.

--Patrick

Aug 15, 2013#14

GasBandit

PatrThom said:
I do.
(or at least I port forward the Hell out of the chain of routers I do have. A full-on open source UTM like endian or zeroshell will happen when I have both time and money to spare)

Routers don't count. They're better than nothing but... well, I don't have to tell YOU the difference.

And you know damn well that was a "statistically insignificant portion of people" type "nobody"

Aug 15, 2013#15

bhamv3

Weren't there some printers that could be remotely commanded to print out whatever you wanted? Did they fix that exploit?

I've always wanted to make someone's printer print random stuff, but that'd be wasting their toner, and given how expensive toner is, I'm not that evil yet.

Aug 15, 2013#16

GasBandit

bhamv3 said:
Weren't there some printers that could be remotely commanded to print out whatever you wanted? Did they fix that exploit?

I've always wanted to make someone's printer print random stuff, but that'd be wasting their toner, and given how expensive toner is, I'm not that evil yet.

Yes and no. In fact sometimes it's even easier now, with printers just being directly on the network instead of having to be "shared" and even hosting their own driver files.

I sometimes have fun changing the status messages on the various printers around the building

WARNING: RADIATION LEAK

FEED ME A LIVE CAT

I WILL KILL YOU HUMAN

And when our accountant had an LJ5 he kept under his desk,

NICE SHOES[DOUBLEPOST=1376626413,1376625983][/DOUBLEPOST]Here's how you do it, incidentally. At the command prompt,

NET USE LPT1: \\server\sharedprintername /PERSISTENT:YES
echo @PJL RDYMSG DISPLAY="WARNING: BAD GRAMMAR" > LPT1
NET USE LPT1 /delete

(only works with HP printers, I think)

Aug 15, 2013#17

Bones

GasBandit said:
Nobody puts an honest to god hardware firewall in their home.

wait you mean you are not suppose to? I have one for the company vpn system so I can work from home every couple days.

Aug 16, 2013#18

PatrThom

GasBandit said:
I don't have to tell YOU the difference.

It's been a while since I had to do anything with ISA server, and I've probably forgotten most of how to work with it.
But I really liked the programmable, rule-based flexibility, that's why I want to move to a UTM eventually even though currently I'm technically just a "home user."

--Patrick

Aug 16, 2013#19

Bowielee

I don't broadcast my SSID, I hate to make assumptions, but I assume that means that no one would be able to just pick up my wifi, seeing as you have to manually search for the SSID on the connecting device. (obviously, I also have it password encrypted).

Aug 16, 2013#20

PatrThom

An Access Point will still advertise itself as being present, even if it does not broadcast its name.
"MAC address filtering" is another layer, but this also has its own limitations.
Still, every little bit helps, right?

--Patrick

Aug 16, 2013#21

Bowielee

MAC filtering is not feasable for the usage of the network. I'm confident by having the encryption and not broadcasting the SSID that we'll be fine at my place. Especially because I'm kind of in the middle of nowhere.

Aug 16, 2013#22

PatrThom

In case anyone is reading this as an actual guide to network safety, unless some device(s) on your network require you to dial back your protection*, for maximum security a consumer wireless router should be set to not broadcast its SSID, to MAC filter to only devices which are "trusted," and WPA2 encryption should be enabled with a strong password. Of these three things, the first two only serve to discourage casual snooping; it is the last one that is your actual armor.

--Patrick
*And if they do, you should really consider replacing them with equivalents that are more secure.

Aug 17, 2013#23

Frank

I want as many people as possible using my wifi. It's a valid shield against copyright trolls here.

Aug 19, 2013#24

Eriol

Bowielee said:
MAC filtering is not feasable for the usage of the network. I'm confident by having the encryption and not broadcasting the SSID that we'll be fine at my place. Especially because I'm kind of in the middle of nowhere.

Here's the problem though, is that every time a device that's on said network is not near it, or coming in to range, it broadcasts the SSID preemptively. This means that anytime you're anywhere with your smartphone, it is broadcasting "one of the networks I connect to is 'HIDDENHOMENETWORKNAME' and are you out there?" All the time. As the wiki link from PatrThom said, there are many many ways to get that SSID, even from secured networks. It's a false sense of security.

Aug 19, 2013#25

Bowielee

Eriol said:
Here's the problem though, is that every time a device that's on said network is not near it, or coming in to range, it broadcasts the SSID preemptively. This means that anytime you're anywhere with your smartphone, it is broadcasting "one of the networks I connect to is 'HIDDENHOMENETWORKNAME' and are you out there?" All the time. As the wiki link from PatrThom said, there are many many ways to get that SSID, even from secured networks. It's a false sense of security.

As I said, we are also using WPA2 encryption. Besides, someone would literally have to follow me home to find the SSID that matches what my phone is putting out, so this security concern itself is overblown.

Aug 19, 2013#26

Eriol

Bowielee said:
As I said, we are also using WPA2 encryption. Besides, someone would literally have to follow me home to find the SSID that matches what my phone is putting out, so this security concern itself is overblown.

My point is that anytime any device turns on or goes out of sleep, it also does this. So somebody in the area with a scanner program running will see somebody broadcast something that can only be for one of the not-broadcasting SSID networks in the area. So while your hidden network might slightly deter wardrivers, it will do nothing for those who are near you and want "a different network" to do their mischief from.

Aug 19, 2013#27

Bowielee

Eriol said:
My point is that anytime any device turns on or goes out of sleep, it also does this. So somebody in the area with a scanner program running will see somebody broadcast something that can only be for one of the not-broadcasting SSID networks in the area. So while your hidden network might slightly deter wardrivers, it will do nothing for those who are near you and want "a different network" to do their mischief from.

Also, as I said, I live in the middle of nowhere.

Aug 19, 2013#28

GasBandit

Bowielee said:
Also, as I said, I live in the middle of nowhere.

Always the best defensive strategy, on multiple levels.

Aug 19, 2013#29

PatrThom

Bowielee said:
Also, as I said, I live in the middle of nowhere.

Screen Shot 2013-08-19 at 6.52.55 PM.png

I won't lie, this is a bit SE of where I expected, given your description.

--Patrick

Forums