[HN Gopher] Three million malware-infected smart toothbrushes us...
___________________________________________________________________
Three million malware-infected smart toothbrushes used in Swiss
DDoS attacks
Author : dist-epoch
Score : 212 points
Date : 2024-02-06 18:07 UTC (4 hours ago)
(HTM) web link (www.tomshardware.com)
| ano-ther wrote:
| My theory is that every technology goes through a period of
| experimentation before it's clear how it should be employed.
|
| That's why we had project plowshare for the bomb and now internet
| connectivity for every imaginable device, even ones that only
| need an on-off switch.
|
| I am a bit mystified why we need connected toothbrushes, but I
| very much applaud the spirit of experimentation, even if it
| sometimes gives us toothbrush-powered botnets.
| Levitating wrote:
| Is it really experimentation or just slapping a higher price
| tag onto a device for added wifi connectivity.
|
| How do we sell our product X for more? Just add wifi and AI.
| You can do it with almost anything.
| 082349872349872 wrote:
| First they came for *The Onion*
| And I did not speak out
| For I was not an Onion writer
| Then they came for *Black Mirror*
| And I did not speak out
| For I was not a Mirror writer
| Then they came for Horselover Fat...
|
| The sanity is already here - it's just not evenly distributed.
| nonrandomstring wrote:
| > every technology goes through a period of experimentation
| before it's clear how it should be employed.
|
| Sure, but as I said here yesterday [0] experimentation is
| something that has far reaching consequences, and that's why
| professional scientists have codes of ethics that seem quite
| absent in the tech world.
|
| Also, as far as the Internet goes, we've had maybe 40 years of
| time to "experiment". There comes a time for results,
| conclusions and some sort of maturity in outcomes.
|
| [0] https://news.ycombinator.com/context?id=39253045
| axus wrote:
| No need to teach your children honesty, when you can just spy
| on their toothbrushes.
| thomastjeffery wrote:
| We're not talking about experimentation, though. We're talking
| about a fully hashed-out business model with its own casual
| acronym (SaaS).
|
| The "why" is obvious: there is a market for any aggregate data
| on human behavior.
| anonymouskimmer wrote:
| > Normally, the toothbrushes would have used their connectivity
| for tracking and improving user oral hygiene habits
|
| Along with that thread on the Folk computer the other day
| (https://news.ycombinator.com/item?id=39241472), and a
| discussion on signal interference in long-range wifi and the like
| (https://news.ycombinator.com/item?id=39246399) this makes me
| wonder if broad household surveillance centralized to a single
| computer per home for analysis might have benefits over
| decentralized IoT computation.
| hef19898 wrote:
| How about no household surveillance at all? Crazy idea, I know.
| anonymouskimmer wrote:
| That's what I do. But I presume others like it, so here's an
| alternative for them. I have an uncle who was really into
| household automation back in the 80s/90s.
| true_blue wrote:
| Why do toothbrushes need to be able to make web connections in
| the first place? I get that it's for tracking brushing habits,
| but can't that be done with local connectivity only, like LAN or
| something?
| jprete wrote:
| Because the actual business model is selling the aggregated
| data?
| Gigachad wrote:
| What data though? How would it be valuable? From what I saw
| they are getting money from the device sale itself. These iot
| toothbrushes are like $400 and basically just track brushing
| time and pressure. Those don't seem like super valuable ad
| tracking metrics.
| thaumaturgy wrote:
| This might be a fun exercise.
|
| Let's assume we have the following data: the user's email
| address, some sort of smartphone identifying value, their
| ip address, and their brushing habits. That's not very
| much; who would want that?
|
| Well, we know this is a person who will drop $400 on a
| toothbrush. They like shiny things, they have at least a
| middle-class disposable income, and they don't mind the
| headaches of internet-connected devices. Let's sell this
| information to big-box electronics retailers and other
| smart appliance manufacturers. Maybe this person would like
| to buy a $500 toaster too, or espresso machine, or soda
| machine, or bread machine, or microwave.
|
| They care a little bit about oral hygiene. Have they seen a
| dentist lately? If they have $400 for a toothbrush, then
| they probably have better than average dental insurance.
| Let's also sell their information to the larger dental
| offices in their area (as determined by IP).
|
| Do they need mouthwash? Let's pop up an ad for a
| subscription mouthwash service. How about floss? Would they
| perhaps also appreciate a razor made out of aerospace
| titanium?
|
| Oh, but wait ... their IP address just changed, and they
| are brushing their teeth 3 hours later than typical.
| They're traveling! They're traveling and they took their
| expensive toothbrush with them. This opens up an entirely
| new set of possibilities. Travel insurance? A credit card
| with travel incentives? New luggage? How about offers for
| travel upgrades? There are hundreds of companies paying for
| the opportunity to contact pre-qualified customers that
| travel with disposable income.
|
| Oh, wait ... they just bought a set of lightbulbs that we
| also make...
| pmontra wrote:
| I'm with you, but unless the brush stores the data on itself,
| which appliance should receive those data in a typical home?
| jawns wrote:
| What's wrong with "the brush stores the data on itself"?
| Plenty of consumer products do that.
| IncreasePosts wrote:
| The users phone, via a Bluetooth connection?
| Gigachad wrote:
| It's possible but it's really unreliable. A device trying to
| reach out to an app on your phone to proxy the data while
| your phone is sleeping/app not running just doesn't work
| that well. You don't want to have to open the app while
| using the device, you just want all the data to be there
| when you look in a week.
|
| These devices almost always have wifi since the chips
| usually have both anyway. And reaching out to a fixed wifi
| is so much more reliable.
| thomastjeffery wrote:
| If you have enough room to store WiFi credentials, then
| you probably have enough room to store toothbrush use
| statistics.
|
| There is no need to copy that data to a phone
| _immediately_. It can be put off until it's convenient.
| Gigachad wrote:
| And then the user goes out for the day, opens up the app,
| and wonders why the last 3 days of data is missing.
| Meanwhile the chip that does Bluetooth also just has wifi
| bundled in. Aside from the security risk, directly
| connecting to wifi is a vastly superior experience.
| kwhitefoot wrote:
| How much data can a toothbrush collect? Surely just a few
| hundred bytes per brushing session. The ESP32 has 160 kB
| of usable RAM out of the 520 kB total capacity. Surely
| enough for weeks of data even if the data structures are
| badly designed.
| soco wrote:
| Not every toothbrush user has a server at home and the skills
| to attach to it. I would even say that most of those users had
| no idea what they enabled when they activated their
| toothbrushes. And let's not forget about vacuum cleaners,
| refrigerators, washing machines, coffee makers and the other
| zillions of "smart" personal data channeling smart appliances.
| I'd dare a survey, how many HN people actually work on exactly
| these technologies, how many read these words, and how many
| actually care?
| nonrandomstring wrote:
| > I'd dare a survey, how many HN people actually work on
| exactly these technologies, how many read these words, and
| how many actually care?
|
| This is an excellent question. We'd likely find that there is
| an enormous disconnect between high IQ, well educated
| engineers and high emotional and social intelligence.
|
| The perennial excuses; "it's just a job" , "everybody's doing
| it", "if I didn't build <monstrosity x> then someone else
| would" ... these have grown tiresome and weak. Everybody now
| knows these are stupid and dangerous things we are doing.
|
| Is there a kind of fatalistic malice at work? How do people
| who work on this kind of thing manage the dissonance?
| samatman wrote:
| I have several gizmos which use Bluetooth. They're a little
| bit slower to connect to than the WiFi ones, but they work
| fine, and "a bit slower to connect" seems fine for a
| toothbrush.
|
| I also have several gizmos, including lightbulbs, which use
| WiFi. To my chagrin, I've had internet outages which meant
| that I can't turn on a given light until the Internet comes
| back. I put up with it, because telling my computer to change
| the lights is too much fun, but when the internet goes out,
| I'm embarrassed both personally and professionally.
|
| Somehow we've failed as a profession to provide people with a
| home network which continues to function as long as the
| router has power, and that sucks.
| dunham wrote:
| > Somehow we've failed as a profession to provide people
| with a home network which continues to function as long as
| the router has power, and that sucks.
|
| This already existed for lightbulbs in the 70's:
| https://en.wikipedia.org/wiki/X10_(industry_standard)
|
| Wikipedia says the computer interface was 80's, but if you
| managed to have a computer in the seventies, you probably
| knew enough electronics to homebrew something.
| samatman wrote:
| Yeah, we've invented it several times over, and yet, what
| people buy and use is IoS crapware which craps out when
| the network does.
|
| That's worse. You see how that's worse, right?
| dunham wrote:
| yeah, everything keeps getting reinvented worse or made
| worse by adding unwanted, poorly implemented features. My
| unstated point was that a version existed decades ago
| which was more robust than the new, reinvented version.
|
| I'm not sure that people (in general) want these things.
| It seems like product managers adding stuff to justify
| their existence and people buying what they find on the
| shelf. You get an internet connected oven because you
| have no choice anymore. (Hyperbole, but the non-internet
| choices are narrowing.)
|
| Maybe people want to change the color of their lightbulb
| (I'm guessing it gets old quick), but I suspect they're
| not asking for it to be on the internet.
| samatman wrote:
| I find it a genuine quality-of-life improvement to adjust
| the color of light. The temperature matters more, but
| being able to do strong hues is really nice. Not everyone
| is into mood lighting, but I like it.
|
| And I don't care as much about whether or not the bulb
| uses IP to reach my phone, but why should my outside
| connection going down ever matter? As long as the router
| has power, the internal network should continue to
| function. It's a shame is what it is. I figure I could
| put in the sweat to make it "work on my machine" but that
| doesn't solve Joe Normal's problem, and it doesn't sound
| like a fun hobby to me either.
| kwhitefoot wrote:
| Just have the toothbrush run a web server and then the user
| can point a web browser at it. It can also come with a mobile
| app that would scan the local network looking for the device
| in order to discover the IP.
| Gigachad wrote:
| I was at the store looking at them recently and all the
| toothbrushes advertise having "AI", an app, wifi/bluetooth etc.
| I guess it's hard to come up with reasonable upsells on this
| stuff.
| 082349872349872 wrote:
| I had misremembered these as a single comic, but you can't have
| everything:
|
| https://i0.wp.com/www.litterboxcomics.com/wp-content/uploads...
|
| https://i0.wp.com/www.litterboxcomics.com/wp-content/uploads...
| dist-epoch wrote:
| This is also good:
|
| https://i.imgur.com/YnBnsKA.jpeg
| kps wrote:
| _"The door refused to open. It said, "Five cents, please." He
| searched his pockets. No more coins; nothing. "I'll pay you
| tomorrow," he told the door. Again he tried the knob. Again
| it remained locked tight. "What I pay you," he informed it,
| "is in the nature of a gratuity; I don't have to pay you." "I
| think otherwise," the door said. "Look in the purchase
| contract you signed when you bought this conapt." In his desk
| drawer he found the contract; since signing it he had found
| it necessary to refer to the document many times. Sure
| enough; payment to his door for opening and shutting
| constituted a mandatory fee. Not a tip. "You discover I'm
| right," the door said. It sounded smug. From the drawer
| beside the sink Joe Chip got a stainless steel knife; with it
| he began systematically to unscrew the bolt assembly of his
| apt's money-gulping door. "I'll sue you," the door said as
| the first screw fell out. Joe Chip said, "I've never been
| sued by a door. But I guess I can live through it."_
|
| -- Philip K Dick, _Ubik_, 1969
| whoisstan wrote:
| Warren Ellis at Thingscon 2017
|
| "1. It's hard. Don't get me wrong. I know it's hard. And
| Samsung and Apple and several other large corporations want
| in on it. On the bright side, that will give you lots of
| exit opportunities, and soon you could be drinking
| cocktails in Bali while Amazon deals with the backlash from
| the smart doorlock you sold them that still doesn't work
| properly. And they'll spend the money on iteration until
| the device either goes away or starts working properly, and
| the users will have to buy Amazon Prime membership for
| their houses. And then someone will hack your house through
| the buggy wifi thermostat you bought, and your house will
| start ordering DOWNTON ABBEY downloads and you'll come home
| to find it's 40 Celsius indoors and the sink is flooded and
| your fridge has been turned into a porn spambot and you'll
| realise that your house is masturbating to DOWNTON ABBEY.
| If you can get in the front door."
| throw0101b wrote:
| More recently see Cory Doctorow's "Unauthorized Bread":
|
| > _The toaster wasn't the first appliance to go (that honor
| went to the dishwasher, which stopped being able to
| validate third-party dishes the week before when Disher
| went under), but it_ was _the last straw. She could wash
| dishes in the sink but how the hell was she supposed to
| make toast--over a candle?_
|
| * https://arstechnica.com/gaming/2020/01/unauthorized-
| bread-a-...
|
| * From:
| https://en.wikipedia.org/wiki/Radicalized_(Doctorow_book)
| dylan604 wrote:
| This would be funny, but since it's pretty much exactly how
| printers behave it's more just a slap in the face
| znpy wrote:
| I guess it's time to echo the meme: "The band 'Rage
| against the machine' does not explicitly says what kind
| of machine they are enraged to, but I'm pretty sure it's
| a printer".
|
| EDIT: screen of the original tweet: https://old.reddit.co
| m/r/printers/comments/vqmbu4/rage_again...
| renewiltord wrote:
| Well, now we're straying from the original, but there's the
| libertarian copypasta on Reddit: https://www.reddit.com/r/c
| opypasta/comments/7iqxko/libertari...
|
| > _I was shooting heroin and reading "The Fountainhead" in
| the front seat of my privately owned police cruiser when a
| call came in. I put a quarter in the radio to activate it.
| It was the chief.
|
| > "Bad news, detective. We got a situation."
|
| > "What? Is the mayor trying to ban trans fats again?"
|
| > "Worse. Somebody just stole four hundred and forty-seven
| million dollars' worth of bitcoins."_
|
| > ...
|
| and so on.
| mckn1ght wrote:
| So do I drink my verification can before or after brushing?
| shrimp_emoji wrote:
| Before. Otherwise, you're washing down all the fluoride
| instead of giving it time to bind to your enamel via chemical
| API calls.
| girvo wrote:
| Explains why I went into programming after doing a BSc in
| Chemistry. Just a different kind of API!
| snow_mac wrote:
| Dude. This is too much. My fridge is capable of being connected
| to the internet, so is my oven, garage door opener and my
| dishwasher. WHY? These things have worked so well without this
| crap. I wish manufacturers would stop this insanity.
| soco wrote:
| Theory: you just don't connect them, right. Reality: connect or
| it won't start. Next step: integrated sim card.
| notaustinpowers wrote:
| This literally happened to me on Friday. I was setting up a
| smart TV for my uncle and he just uses it for his Chromecast
| so I thought "whatever, I'm not going to connect this TV to
| his wifi."
|
| Come to find out, the TV locks you out of EVERYTHING if you
| do not connect it to the internet. You see the homescreen but
| you aren't allowed to switch the input unless you connect to
| the wifi. Even after connecting to wifi, you only get access
| to FAST channels, and still have to register with a Samsung
| account before you get permission to change the input.
|
| I don't think I had ever been more upset at a piece of tech
| in my life.
| jimjimjim wrote:
| TVs are the worst. Everything except OLED sets have been
| getting cheaper and cheaper and I'm certain these
| manufacturers aren't achieving this via production line
| optimizations. It starts with the connection to vacuum up
| the data, next comes overlay ads, in a few years it'll be
| subscription plans instead of a sticker price. and the
| general public will love it.
| Vrondi wrote:
| I had one like this (Toshiba), and I did the initial setup,
| then blocked it at my router from ever accessing the
| Internet again. Next TV purchase was a different brand
| (TCL) that didn't require such stupidity.
| Symbiote wrote:
| I would have returned it.
|
| "It's for the basement room, no WiFi there" if the shop
| argues.
| nonrandomstring wrote:
| You're sure you read the instructions correctly? What's the
| make and model of that, please? I think people would like
| to know. That would certainly be illegal over here in
| Europe.
| nonrandomstring wrote:
| > My fridge is capable of being connected to the internet, so
| is my oven, garage door opener and my dishwasher. WHY?
|
| Because you bought them dude! :)
| carleton wrote:
| These are all things that renters would not purchase. How
| many people actually try and use appliances at a rental
| property before signing?
| NoboruWataya wrote:
| Genuine question, are these things really the norm where you
| live? I don't have a garage but none of those other appliances
| are capable of being connected to the internet for me. I am
| well aware that there are "smart" models out there and their
| prevalence is probably on the rise but it surprises me that
| someone so opposed to everything being internet-connected has
| so many such appliances.
|
| I'm in the UK, are these smart appliances way more common in
| the US or something?
| klabb3 wrote:
| If you've ever tried to use these extra "connected features",
| you'll notice that they are completely useless.
|
| Aside from the small detail that these things don't really
| solve any problem, these companies are not... let's say
| software savvy.
| beardyw wrote:
| If only there was a kind of toothbrush which doesn't use the
| internet. Seems like an opportunity.
| pixxel wrote:
| Calm down grandad, the benevolent cloud demands tooth data and
| it will have its data.
| WalterBright wrote:
| Wouldn't one have to give the toothbrush your wifi password so it
| can connect?
| tmiku wrote:
| One probably has to enter the wifi password in an app and then
| the connection info gets sent to the brush via Bluetooth.
| That's how my smart watch behaves.
| zzyzxd wrote:
| > Though we don't have the finer details of the DDoS story, it
| serves as yet another warning for device owners to do their best
| to keep their devices, firmware, and software updated; monitor
| their networks for suspicious activity; install and use security
| software; and follow network security best practices.
|
| Maybe they should only allow qualified consumers with required
| certification to purchase such a smart toothbrush.
| accrual wrote:
| > monitor their networks for suspicious activity
|
| Indeed. It's asking the same people who only know their router
| as a box where the internet comes from to run a packet capture
| and interpret the results.
| abdullahkhalids wrote:
| The call is of course on device owners, and not device
| manufacturers whose responsibility it truly is to manufacture
| secure devices.
| d4mi3n wrote:
| 100% agree, but I have to wonder how much of the problem is
| that the cost of security is:
|
| A. Not mandated
|
| B. Increases cost of the product
|
| At what point would people just prefer a regular toothbrush
| if a smart one doesn't provide enough utility to justify the
| cost?
|
| This isn't specific to toothbrushes, but I wonder what
| products or services wouldn't exist if they were made to be
| secure (or safe/ethical/sustainable/etc). Makes me wonder how
| many existing externalities are causing hard to measure
| problems that could be prevented by making a higher quality
| product.
| imglorp wrote:
| Is nobody going to mention Java running on the toothbrush?
|
| One might guess the firmware included a battery controller,
| bluetooth or wifi stacks, a little storage, and business logic
| for buttons and brushing.
| cfeduke wrote:
| 3 billion devices run Java!
|
| ;)
| duohedron wrote:
| "3 Billion Devices Run Java"
|
| Maybe not all of them should.
| tjasko wrote:
| Why does it matter? Embedded Java is quite popular.
| https://en.wikipedia.org/wiki/Embedded_Java
| Thaxll wrote:
| That's the reason why you need some serious router at home, one
| with vlan capabilities so all those iot devices get sandboxed
| network wise.
| Freebytes wrote:
| I dread the inevitable "Internet dildo wars of 2037" where
| millions of networked dildos and refrigerators wreaked havoc on
| the entire Internet causing billions in damage. "Suspects remain
| at large."
| RajT88 wrote:
| "ChatGPT-enabled Internet-Connected Dildo" is a devastating
| insult for internet commenters.
| Twirrim wrote:
| That's a really flimsy article. Someone is claiming 3 million
| smart toothbrushes were used in a DDoS, but no one is talking
| about what/who/how. That seems like the kind of extraordinary claim
| that requires at least some kind of evidence.
|
| There are surely at least some technical details that enabled them
| to identify the toothbrushes, right?
| blacksmith_tb wrote:
| It also seems odd that even if you (maybe unknowingly)
| connected your 'smart' toothbrush to wifi, it would be exposed
| to the public internet. Aren't most people using some kind of
| clunky cable modem etc. from their ISP, which would have a
| basic inbound firewall?
| d1sxeyes wrote:
| Hypothetically, let's say these toothbrushes connect
| periodically to an API from which they fetch firmware
| updates. If you're able to MitM that connection, you could
| deliver whatever you like as a firmware payload to the
| toothbrush. Or maybe someone designed the toothbrush to open
| ports using UPNP to enable a remote connection to tell the
| toothbrush that the update server has moved to a new URL?
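The MitM-on-the-update-channel scenario in d1sxeyes's comment is what firmware signing is meant to close off. Added example in Go (not code from the article or from any toothbrush vendor): a hypothetical manifest format where the vendor signs the image hash and version with an Ed25519 key, and the device verifies with a public key baked into its current firmware. It rejects a tampered image (hash mismatch), a replayed older or equal version (anti-rollback), and a manifest whose fields were edited after signing. The manifest layout, the key handling and the sample image bytes are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor (format assumed for this
// example). The vendor signs version||sha256(image); the device verifies
// the signature with a public key baked into its current firmware.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("manifest version not newer than installed firmware")
	ErrHashMismatch = errors.New("image hash does not match signed manifest")
)

// signedBytes is the exact byte string covered by the signature.
func signedBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4+len(hash))
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], hash[:])
	return buf
}

// GenerateVendorKey stands in for the vendor's offline signing key.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage runs on the vendor's build system, never on the device.
func SignImage(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h, Signature: ed25519.Sign(priv, signedBytes(version, h))}
}

// VerifyUpdate is the device-side gate before anything is written to flash.
// Signature first (no other manifest field is trusted until then), then
// anti-rollback, then the image hash. Nothing here depends on where the
// bytes came from, so a redirected or intercepted update channel gains the
// attacker nothing beyond withholding updates.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if h := sha256.Sum256(image); !bytes.Equal(h[:], m.ImageHash[:]) {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	image := []byte("constructed sample image v2") // constructed, not real firmware
	m := SignImage(priv, 2, image)
	fmt.Println("genuine v2 over v1:", VerifyUpdate(pub, 1, m, image))
	fmt.Println("tampered image:    ", VerifyUpdate(pub, 1, m, append([]byte("backdoor"), image...)))
	fmt.Println("replayed v2 on v2: ", VerifyUpdate(pub, 2, m, image))
	forged := m
	forged.Version = 3 // edited after signing, signature no longer covers it
	fmt.Println("edited manifest:   ", VerifyUpdate(pub, 1, forged, image))
}
```

The order of checks matters: the version and hash fields are only meaningful once the signature over them has been verified, and checking the version before hashing the image keeps a replayed old-but-genuine manifest from costing a full image hash. What signing does not give you is freshness; a server that simply refuses to serve new manifests still leaves the device on old firmware.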
| Retr0id wrote:
| There's lots of ways for this expectation to be broken.
|
| The most obvious is UPnP, where the device can ask the
| gateway router to forward ports.
|
| The second is the fact that devices on the LAN are accessible
| to _other_ devices on the LAN. Malicious JS in a webpage can
| scan for and compromise other local devices.
|
| And the third is the fact that whatever serves code to the
| toothbrush (whether it's firmware updates, or an HTML5
| dashboard) can be compromised. In the latter case, it could
| be something as simple as persistent XSS.
| gtirloni wrote:
| _> The second is the fact that devices on the LAN are
| accessible to other devices on the LAN. Malicious JS in a
| webpage can scan for and compromise other local devices._
|
| Which browser API enables that?
| Retr0id wrote:
| HTTP, it's all the rage these days. (via <form>, fetch,
| XMLHttpRequest, et al)
| gtirloni wrote:
| Ah ok, so we are talking about dumb old methods. I
| thought it was something like the fancy APIs that are all
| the rage these days.
| Retr0id wrote:
| There was a brief window when people knew that if they
| used non-HTTP protocols, then malicious webpages couldn't
| talk to it.
|
| But now even "native" apps are web apps, and IoT devices
| all use web APIs too. They can be locked down through
| CORS etc., but it's easier for devs to set
| `Access-Control-Allow-Origin: *` and worry about it "later".
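The `Access-Control-Allow-Origin: *` shortcut Retr0id describes, next to an Origin allowlist, as an added example that is not from the page or from any vendor. It uses Go's net/http with httptest so it runs offline; the device path, the dashboard origin and the JSON body are made up for the example. Probe() plays a request fired from a page on another origin and reports what the browser would be allowed to read back.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// trustedOrigins is the hypothetical allowlist: the vendor's own dashboard
// is the only web origin that should ever read the device API.
var trustedOrigins = map[string]bool{
	"https://app.example-brush.test": true,
}

const statusJSON = `{"device":"brush","fw":"1.0"}` // constructed sample body

// WeakStatus is the "worry about it later" handler: every origin may read
// the reply, so a page on any site can enumerate and query the device.
func WeakStatus(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", "*")
	w.Header().Set("Content-Type", "application/json")
	w.Write([]byte(statusJSON))
}

// HardenedStatus refuses browser requests from any untrusted origin. It
// rejects rather than merely omitting the CORS header because CORS only
// controls whether the page can read the reply; a cross-site <form> POST
// is still delivered, so state-changing endpoints must check Origin too.
// Requests with no Origin header (the vendor's phone app, curl) pass.
func HardenedStatus(w http.ResponseWriter, r *http.Request) {
	origin := r.Header.Get("Origin")
	if origin != "" && !trustedOrigins[origin] {
		http.Error(w, "forbidden origin", http.StatusForbidden)
		return
	}
	if origin != "" {
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Add("Vary", "Origin")
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write([]byte(statusJSON))
}

// Probe plays a request fired from a page on `origin` (empty = no Origin
// header) and returns the status code and the ACAO value the browser sees.
func Probe(h http.HandlerFunc, origin string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "http://toothbrush.local/api/status", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	for _, origin := range []string{"http://evil.example", "https://app.example-brush.test", ""} {
		wc, wa := Probe(WeakStatus, origin)
		hc, ha := Probe(HardenedStatus, origin)
		fmt.Printf("origin=%q weak=%d acao=%q hardened=%d acao=%q\n", origin, wc, wa, hc, ha)
	}
}
```

A real handler also answers OPTIONS preflights for the allowlisted origin and ideally requires a custom request header on mutating calls so that browsers always preflight them; both are left out here to keep the comparison short. Note that the hardened version still trusts requests carrying no Origin at all, which is what you want for the phone app but means an attacker already on the LAN is not stopped by CORS at all, only by authentication.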
| metadat wrote:
| I was skeptical at first, but did some superficial
| scouting.. it's trivial for a malicious website to do
| nasty things to any internal resource which doesn't have
| a strict CORS policy.
|
| https://security.stackexchange.com/questions/177486/can-
| webs...
|
| As the adage goes, the "S" in IOT stands for "Security".
| Retr0id wrote:
| Yes, I have (non-public) variations of the
| https://rootmy.tv/ exploit that can fully compromise an
| LG smart TV from the browser session of any other LAN-
| adjacent device.
| blacksmith_tb wrote:
| I suppose you could just loop through all the IPs for
| some common ranges like 10.0.0.0/16 and 192.168.0.0/16
| looking for a given port, if you knew the toothbrushes
| exposed it and there was something exploitable there,
| that makes sense.
| metadat wrote:
| Even 192.168.1.0/8 will probably get you ~95% coverage
| for residential networks.
| Retr0id wrote:
| It's even easier if the device has assigned itself a
| "toothbrush.local" hostname via mDNS etc.
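The sweep blacksmith_tb and metadat describe, written out as an added example in Go (not from the page). It expands a private prefix into host addresses and probes one TCP port with bounded concurrency; the dialer is injectable, so the run below uses a fake that only answers for two constructed addresses and never touches a network. From a malicious web page the same loop is driven with fetch() and response timing rather than raw sockets; from any device already on the LAN it is exactly this. For reference, the RFC 1918 range is 192.168.0.0/16, of which a typical home uses a single /24.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"sync"
	"time"
)

// HostsInPrefix expands an IPv4 prefix into its host addresses, dropping
// the network and broadcast addresses for anything shorter than /31.
func HostsInPrefix(cidr string) ([]netip.Addr, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return nil, err
	}
	p = p.Masked()
	var hosts []netip.Addr
	for a := p.Addr(); p.Contains(a); a = a.Next() {
		hosts = append(hosts, a)
	}
	if p.Addr().Is4() && p.Bits() < 31 && len(hosts) > 2 {
		hosts = hosts[1 : len(hosts)-1]
	}
	return hosts, nil
}

// Dialer reports whether a TCP connect to addr ("ip:port") succeeded.
type Dialer func(addr string) bool

// TCPDialer is the real probe. Keep the timeout short: most hosts silently
// drop packets to closed ports rather than answering with a reset.
func TCPDialer(timeout time.Duration) Dialer {
	return func(addr string) bool {
		c, err := net.DialTimeout("tcp", addr, timeout)
		if err != nil {
			return false
		}
		c.Close()
		return true
	}
}

// ScanPort probes every host on one port with at most `parallel` dials in
// flight and returns the responders in address order.
func ScanPort(hosts []netip.Addr, port uint16, parallel int, dial Dialer) []string {
	if parallel < 1 {
		parallel = 1
	}
	sem := make(chan struct{}, parallel)
	var wg sync.WaitGroup
	var mu sync.Mutex
	open := map[string]bool{}
	for _, h := range hosts {
		addr := netip.AddrPortFrom(h, port).String()
		sem <- struct{}{}
		wg.Add(1)
		go func(addr string) {
			defer wg.Done()
			defer func() { <-sem }()
			if dial(addr) {
				mu.Lock()
				open[addr] = true
				mu.Unlock()
			}
		}(addr)
	}
	wg.Wait()
	var found []string
	for _, h := range hosts {
		if addr := netip.AddrPortFrom(h, port).String(); open[addr] {
			found = append(found, addr)
		}
	}
	return found
}

// FakeDialer answers only for the constructed addresses given, so the
// example runs without touching any network.
func FakeDialer(listening ...string) Dialer {
	up := map[string]bool{}
	for _, a := range listening {
		up[a] = true
	}
	return func(addr string) bool { return up[addr] }
}

func main() {
	hosts, err := HostsInPrefix("192.168.1.0/24")
	if err != nil {
		panic(err)
	}
	dial := FakeDialer("192.168.1.1:80", "192.168.1.50:80") // constructed responders
	fmt.Println(len(hosts), "hosts, port 80 open on:", ScanPort(hosts, 80, 32, dial))
	// Against a real LAN you would pass TCPDialer(200*time.Millisecond) instead.
}
```

Widening the prefix to a /16 is just a bigger hosts slice; the semaphore is what keeps a consumer router from falling over under 65k simultaneous connection attempts. If the device advertises itself over mDNS, as Retr0id notes, none of this enumeration is needed: a single multicast query returns the address.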
| zoeysmithe wrote:
| A lot of home, small business, or neglected enterprise
| routers and firewalls are broken into permanently. Many of
| these will not auto-update their firmware or the attackers
| got in before the patch was available.
|
| Then the initial actor sells access to them to other actors.
| I believe the Ubiquiti Edge router, a small/medium/AV
| industry favorite, was paired with other exploits by a state
| actor to perform attacks on high value orgs.
| Retr0id wrote:
| I'd like to see more details too, but it's not that
| extraordinary in my opinion - par for the course for low-cost
| wifi-enabled appliances.
| stcredzero wrote:
| This headline reads like a story element from the Silicon Valley
| TV series.
| hsuduebc2 wrote:
| In 2024 there will be flying cars!
|
| Meanwhile.
| the_wolo wrote:
| Dental Denial of Service
| dessant wrote:
| A warning about Philips electric toothbrushes: you cannot turn
| off Bluetooth on them, even if you are not using the smart
| features.
|
| Also be careful with all Philips air purifiers that support Wi-
| Fi, because the remote control feature cannot be disabled. They
| create a Wi-Fi hotspot that you need to connect to with a
| smartphone to finish setting up the device, but if you don't use
| these features, the air purifier will create a permanent Wi-Fi
| hotspot, waiting to be exploited.
| whyenot wrote:
| You might not be able to turn bluetooth off, but you can choose
| not to pair them with anything (or remove the pairing after
| setting up the device).
| dessant wrote:
| The issue is what happens to these toothbrushes in a couple
| of years when their vulnerabilities will be discovered. Their
| inevitable exploitation could be prevented by simply allowing users
| to turn off Bluetooth. Or even better, only enable Bluetooth
| if the user wants to set up and use these smart features, at
| least in that case the vulnerable firmware can be updated
| using the smartphone app.
| ethbr1 wrote:
| "Shipped dumb by default" is enticing as a legal
| requirement.
|
| Have a colorful switch to enable it, whatever.
|
| But poor security posture out of the box, for a
| questionably-supported, poorly-developed, long-lived
| physical device seems important enough to mandate slight
| one-time inconvenience.
|
| In the future, this bullshit is going to be looked back at
| like default passwords on ISP WAPs.
| dmix wrote:
| What risks could a WiFi hotspot on an air purifier expose if
| it's not connected to the network or a computer?
| LesZedCB wrote:
| you could believe you're inhaling purified air but, lo! you
| are breathing _impure_ air, muahahaha!
| kps wrote:
| You may _think_ you're joking, but 4 days ago:
| https://news.ycombinator.com/item?id=39223982
| rightbyte wrote:
| Worst case would be a fire hazard. Maybe produce too much
| poisonous ozone.
|
| If the hardware is fail safe I guess it can waste
| electricity.
| dessant wrote:
| Anyone in Wi-Fi range can exploit the device. The sensors of
| the air purifier can be used for spying, and the device could
| also serve as a hopping point for exploiting other devices in
| your home.
| mynameisvlad wrote:
| > The sensors of the air purifier can be used for spying
|
| To be able to... know if your target's house has a lot of
| pollutants? Is particularly warm? There is practically no
| useful information that can't be gleaned by just looking
| through their windows, blinds and all.
|
| > and the device could also be used as a hopping point for
| exploiting other devices in your home.
|
| It's not connected to your home network, that's the whole
| reason for the hotspot existing. How, exactly, could it be
| used as a hopping off point, except to other devices with
| hotspots that... can just be exploited in the first place.
| snapcaster wrote:
| You're lacking in imagination, and maybe the conceptual
| idea of "sensor fusion". Multiple seemingly innocuous
| data streams in isolation can be combined to create
| sensors you wouldn't have imagined
| mynameisvlad wrote:
| Do you understand what data is available in a smart air
| purifier?
|
| Please, explain exactly what sensor fusion would get you
| actionable data out of the PM2.5 sensor and "gas sensor"
| in a Philips smart air purifier.
| yread wrote:
| If the sensors don't detect your farts for a while you're
| probably not at home so the burglars can come in
| burningChrome wrote:
| I finally got rid of one of my fitness watches that had
| dreadful battery life and I couldn't figure out why. After a
| few months of this, I finally realized the same thing, you
| can't turn off the bluetooth on it. The app on your phone and
| the watch are constantly searching for each other to always
| sync and the alternative is to unpair the watch, use it, re-
| pair, sync and go which became a total headache, but did in
| fact give me better battery life.
|
| The weird thing is I complained to the company's CSR people
| online and they had no idea why the battery was so bad and just
| told me to try and factory hard reset the phone as there must
| be something I changed in the settings.
|
| I switched over to Polar and now the watch I have lasts 5 days
| on a single charge - quite the change from about a day or less.
| inglor_cz wrote:
| My Garmin stays connected to my Samsung smartphone via
| Bluetooth constantly and will last about 6-8 days on a single
| charge. I can't imagine charging my watch every night.
| LeifCarrotson wrote:
| I've been using Garmin GPS watches for more than a decade,
| they get two weeks on a single charge (double or triple that
| if you don't use 24/7 heart rate, or GPS, or Bluetooth/Wifi,
| but even on long trips I don't need months without a charge).
| And they have Bluetooth that syncs with my phone for weather
| data and optionally shows notifications, but it doesn't need
| a phone connection to be a great watch.
|
| Sure, my top-end Fenix 6 Pro cost $750 new in 2019, and very
| little of that is hardware BOM (there's a lot of price
| segmentation), but it's still just as good as it was then.
| It's honestly extremely refreshing to deal with a company and
| an app that tries to build and sell good hardware rather than
| tricking you into a subscription.
| throwway120385 wrote:
| I've gotten 5-7 days out of a charge with my entry-level
| Vivoactive 3 even 4 years later. They're very good.
| UberFly wrote:
| I'm reminded of this that I read a few days ago:
|
| Home assistant picked up my neighbours Bluetooth toothbrush and
| now I can see when they brush their teeth.
|
| https://old.reddit.com/r/homeassistant/comments/1306pcw/home...
| Animats wrote:
| Send them a message if they miss a brushing.
| HnUser12 wrote:
| Same with my samsung tv and my neighbour keeps trying to pair
| her watch to it for reasons I don't know.
| SoftTalker wrote:
| She most likely doesn't know either.
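What UberFly's Home Assistant story boils down to is that a BLE peripheral announces itself in cleartext advertising packets, and anyone in radio range can parse those packets, note the address and local name, and turn "device seen" timestamps into a brushing schedule. The following is an added illustration (not code from the thread, from Home Assistant, or from any toothbrush vendor) of how that parsing and presence tracking works. The advertisement bytes, the device name "SmartBrush-7F", the address, and the company ID 0xFFFF (the Bluetooth SIG's reserved test value) are all constructed for the example; the AD type codes and the random-address bit layout are from the Bluetooth Core Specification.

```python
from __future__ import annotations

from dataclasses import dataclass, field
import struct

# AD type codes from the Bluetooth Assigned Numbers (well known, not invented).
AD_FLAGS = 0x01
AD_INCOMPLETE_16BIT_UUIDS = 0x02
AD_COMPLETE_16BIT_UUIDS = 0x03
AD_SHORT_NAME = 0x08
AD_COMPLETE_NAME = 0x09
AD_TX_POWER = 0x0A
AD_MANUFACTURER = 0xFF


@dataclass
class Advertisement:
    flags: int | None = None
    local_name: str | None = None
    service_uuids: list[int] = field(default_factory=list)
    tx_power: int | None = None
    manufacturer_id: int | None = None
    manufacturer_data: bytes = b""


def parse_adv(payload: bytes) -> Advertisement:
    """Walk the length/type/data AD structures of one advertising payload."""
    adv = Advertisement()
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:          # zero length = padding, rest is ignored
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        ad_type = payload[i + 1]
        data = payload[i + 2:i + 1 + length]
        if ad_type == AD_FLAGS:
            adv.flags = data[0]
        elif ad_type in (AD_SHORT_NAME, AD_COMPLETE_NAME):
            adv.local_name = data.decode("utf-8", errors="replace")
        elif ad_type in (AD_INCOMPLETE_16BIT_UUIDS, AD_COMPLETE_16BIT_UUIDS):
            adv.service_uuids += [u for (u,) in struct.iter_unpack("<H", data)]
        elif ad_type == AD_TX_POWER:
            adv.tx_power = struct.unpack("<b", data[:1])[0]
        elif ad_type == AD_MANUFACTURER:
            adv.manufacturer_id = struct.unpack("<H", data[:2])[0]  # little-endian company ID
            adv.manufacturer_data = data[2:]
        i += 1 + length
    return adv


def random_address_kind(addr: str) -> str:
    """Classify a RANDOM BLE address by its two most significant bits.

    Only meaningful when the controller reported the address type as random;
    a public (IEEE) address has no such structure. Static addresses never
    rotate, so a device using one is trackable indefinitely; resolvable
    private addresses rotate and are what privacy-conscious devices use.
    """
    top = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top, "reserved")


class PresenceTracker:
    """Records when each advertiser was heard, roughly what a BLE-scanning
    home-automation integration keeps per device."""

    def __init__(self) -> None:
        self.seen: dict[str, dict] = {}

    def observe(self, addr: str, payload: bytes, ts: float) -> dict:
        adv = parse_adv(payload)
        entry = self.seen.setdefault(addr, {"name": None, "timestamps": []})
        if adv.local_name:
            entry["name"] = adv.local_name
        entry["timestamps"].append(ts)
        return entry

    def sessions(self, addr: str, gap: float = 120.0) -> list[tuple[float, float]]:
        """Collapse observation timestamps into (start, end) sessions; two
        sightings more than `gap` seconds apart start a new session. For a
        toothbrush that only advertises while switched on, each session is
        one brushing."""
        out: list[tuple[float, float]] = []
        for ts in sorted(self.seen.get(addr, {}).get("timestamps", [])):
            if out and ts - out[-1][1] <= gap:
                out[-1] = (out[-1][0], ts)
            else:
                out.append((ts, ts))
        return out


def _ad(ad_type: int, data: bytes) -> bytes:
    return bytes([len(data) + 1, ad_type]) + data


# Constructed sample payload: flags, a chatty local name, one standard
# 16-bit service UUID (0x1800 Generic Access), TX power -10 dBm and a
# manufacturer-specific blob under the reserved test company ID 0xFFFF.
SAMPLE_ADV = (_ad(AD_FLAGS, b"\x06")
              + _ad(AD_COMPLETE_NAME, b"SmartBrush-7F")
              + _ad(AD_COMPLETE_16BIT_UUIDS, struct.pack("<H", 0x1800))
              + _ad(AD_TX_POWER, struct.pack("<b", -10))
              + _ad(AD_MANUFACTURER, struct.pack("<H", 0xFFFF) + b"\x01\x02\x03\x04"))
SAMPLE_ADDR = "C4:12:34:56:78:9A"  # constructed; top bits 11 => static random


if __name__ == "__main__":
    tracker = PresenceTracker()
    for ts in (0, 30, 60, 90, 3600, 3630):      # two brushings, an hour apart
        tracker.observe(SAMPLE_ADDR, SAMPLE_ADV, ts)
    print(parse_adv(SAMPLE_ADV))
    print(random_address_kind(SAMPLE_ADDR), tracker.sessions(SAMPLE_ADDR))
```

The takeaway for a practitioner is in `random_address_kind` and `sessions`: a device that advertises a fixed name under a static or public address gives a passive listener a stable identifier plus a usage timeline, with no pairing and no vulnerability required.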
| whyenot wrote:
| Assuming that the article accurately reports the facts (I have my
| doubts) and these unnamed toothbrushes were used in DDoS attacks,
| it seems like the obvious deterrent would be for the harmed party
| to sue for damages. That seems like it would work to deter companies
| from making devices internet connected when they aren't really needed.
| usefulcat wrote:
| Came here expecting to find something from The Onion
| jakub_g wrote:
| Every internet-of-shit device should be legally required to go
| through a security audit, and the vendor should commit to
| mandatory 5 years of API being up + 5 years of security updates,
| with N days to fix CVEs with severity over a certain threshold.
|
| Would make the shitty vendors think twice before creating piles
| of e-waste due to zero cost of entry.
| mikkohypponen wrote:
| If It's Smart, It's Vulnerable.
| GrumpyNl wrote:
| Why you would buy a toothbrush that needs a app and wifi is
| beyond me.
| tjasko wrote:
| This article is strange & many details are lacking. All the big
| smart toothbrushes use BLE and are not WiFi-connected. Tried to
| fact-check the article, but nothing.
|
| A bunch of BLE chips are also WiFi capable, so not ruling out
| that someone compromised the firmware to enable WiFi
| functionality, but I wonder how they were able to connect to WiFi
| to trigger a botnet in the first place.
|
| Quite skeptical of this article, while the premise of the danger
| of IoT devices still remains, nonetheless.
| a321neo wrote:
| > A bunch of BLE chips are also WiFi capable, so not ruling out
| that someone compromised the firmware to enable WiFi
| functionality
|
| The ESP32 is now used as a general-purpose chip even in
| applications where an 8-bit MCU would have been enough. A
| remotely exploitable vulnerability in the ESP32/SDK could have
| large-scale consequences.
| exe34 wrote:
| Leaves open the question of how they joined the network -
| WiFi passwords and such. Maybe stolen from the phones/laptops
| and then sent to the device as part of the exploit?
| Cpoll wrote:
| > but I wonder how they were able to connect to WiFi to trigger
| a botnet in the first place.
|
| Wardriving for oral health?
| depereo wrote:
| It's not something that actually happened. It's just some
| bullshit that's gone viral.
|
| https://cyberplace.social/@GossiTheDog/111886558855943676
| a_shoeboy wrote:
| I wish my lone internet-of-shit device worked well enough to
| participate in a botnet. My house came with an internet connected
| sprinkler system--if the power blips, the sprinkler system boots
| up before the WIFI router, can't connect and then refuses to work
| until rebooted. I realized this when my lawn started dying.
| rkagerer wrote:
| I have an older Philips toothbrush without Bluetooth, Internet
| or vendor-locked heads, and it charges wirelessly in a glass cup.
| I love it.
|
| I recently tried to buy a second one and could only find newer
| models with all these garbage features I don't want. Who the hell
| wants their toothbrush to connect to the internet? Wound up
| turning to eBay to find stock of the old one.
|
| It might sound cruel, but I hope the moron who decided to add
| these features into their product, and the lackey who implemented
| it, are having a bad day and reflecting on the wisdom of what
| they did.
| jhbadger wrote:
| Wifi is silly, but there really is a benefit to the
| Bluetooth/app connection -- it is used to see where you are
| brushing and spots you are missing. My dentist definitely has
| seen an improvement in the plaque in my back teeth since I
| started using a smart toothbrush that uses an app on my phone.
| kwhitefoot wrote:
| > spots you are missing
|
| Just brush each tooth systematically. My dentist tells me
| "Just keep doing what you are doing." I have the cheapest
| Braun Oral-B with a two minute timer. I've worked out by
| trial and error that that is about the time to stroke each
| face of each tooth about twelve times. Now I do that even if
| it takes a bit longer than two minutes because I occasionally
| brush slower.
| progbits wrote:
| How does it know the location you are brushing?
| zelphirkalt wrote:
| Bluetooth from the teeth! It is in the name ; )
| MichaelMoser123 wrote:
| Stanisław Lem wrote the "Washer Tragedy" where washing machines
| got smarter and were taking over. I think he would have been
| proud of these toothbrushes...
| BlueTemplar wrote:
| Still better than three million plain infected toothbrushes,
| which is what this looked like at first glance!
| nottorp wrote:
| Waiting for the refrigerator...
| beeandapenguin wrote:
| Which toothbrush company/product are they referring to? The stock
| image implies Philips, but I don't see any mention of that in
| the article.
|
| Never thought I'd be judging a toothbrush based on cybersecurity,
| but here we are...
___________________________________________________________________
(page generated 2024-02-06 23:00 UTC)