

Registered · 4,337 Posts · Discussion Starter #1
Consumer Reports was looking at the security of smart TVs and found that not only do many of them have security problems, many also require you to agree to them keeping track of what you watch. Basically, if you don't agree, your smart TV becomes a dumb TV. Everything you watch is reported to the manufacturer to target ads to you, either through the TV or your smartphone if you use that as a remote control.

https://www.consumerreports.org/televisions/samsung-roku-smart-tvs-vulnerable-to-hacking-consumer-reports-finds/
 

Registered · 3,789 Posts
Yup, and if you have a dumb TV and a cable box, guess what your cable company is doing when you are flipping channels, using their DVR, watching on demand, etc...

You really have to put up an antenna to watch content without being tracked.
 

Registered · 11,759 Posts
Consumer Reports was looking at the security of smart TVs and found that not only do many of them have security problems, many also require you to agree to them keeping track of what you watch. Basically, if you don't agree, your smart TV becomes a dumb TV. Everything you watch is reported to the manufacturer to target ads to you, either through the TV or your smartphone if you use that as a remote control.

https://www.consumerreports.org/televisions/samsung-roku-smart-tvs-vulnerable-to-hacking-consumer-reports-finds/
Was just on the nightly news here. Wife says "see, someone is watching you". I said to her, "well, I hope I get a few pennies for my contributions of what I watch." :mocking:

Jeepers, in the past 5 to 6 years since I've been off work, I highly doubt a giant warehouse has room to store the info on what I have watched on TV, Netflix, Amazon, etc.
 

Registered · 1,965 Posts
Hiya,

I knew it, my buddy's dad was right. He used to tell everyone the big red eye on the front of the cable TV box that they installed back in the late 70s was filming what they did in their living room. We all laughed at him; who knew he was 40 years ahead of the times.....


Other IoT reads

175,000 IoT cameras can be remotely hacked thanks to flaw, says security researcher | ZDNet

https://hackernoon.com/iot-hacks-and-vulnerabilities-347dbe2ef98c


https://www.sans.org/reading-room/whitepapers/threats/hacking-bus-basic-manipulation-modern-automobile-through-bus-reverse-engineering-37825
 

Registered · 2,843 Posts
George Orwell was right on the money with 1984...
 

Registered · 11,759 Posts
George Orwell was right on the money with 1984...
OK :dunno: who or what did George know back then.

:hide: Sorry, I guess I could have googled him, but on the news tonight it showed how Google is watching me too. :lol:
 

Registered · 2,729 Posts
I am just wrapping up a project to completely redesign my home network. I went with a Ubiquiti EdgeRouter X and several managed switches. It started because we started adding more IoT devices on our network and I have been building homemade home automation equipment, mainly starting with voice control for things in my shop to work out the bugs before implementing it in the house. I didn't like all these things on my network, so I went with a more intelligent router and managed switches so that I can create Virtual Local Area Networks (VLANs). By doing this and using firewalls on the router I can completely isolate the IoT VLAN from the rest of my home network. Having only a single gigabit copper run to the shop meant I had to do VLANs. Once I had the hardware I expanded it further so the kids have their computers on a separate VLAN, so that the DHCP scope hands out different DNS settings which also limit what they can go to, yet my network has full access to anything. Currently I am up to 5 VLANs but I am still making tweaks. Next on the list is to replace my Wireless Access Points with ones that can do VLANs as well.
 

Registered · 1,965 Posts
I am just wrapping up a project to completely redesign my home network. I went with a Ubiquiti EdgeRouter X and several managed switches. It started because we started adding more IoT devices on our network and I have been building homemade home automation equipment, mainly starting with voice control for things in my shop to work out the bugs before implementing it in the house. I didn't like all these things on my network, so I went with a more intelligent router and managed switches so that I can create Virtual Local Area Networks (VLANs). By doing this and using firewalls on the router I can completely isolate the IoT VLAN from the rest of my home network. Having only a single gigabit copper run to the shop meant I had to do VLANs. Once I had the hardware I expanded it further so the kids have their computers on a separate VLAN, so that the DHCP scope hands out different DNS settings which also limit what they can go to, yet my network has full access to anything. Currently I am up to 5 VLANs but I am still making tweaks. Next on the list is to replace my Wireless Access Points with ones that can do VLANs as well.
Hiya,

The one weak point in consumer grade network hardware is the security of the chipset being accessible using a known root-equivalent account, not the root/admin account. Consumer equipment has this type of access to make patching and upgrading easy for the end user. The accounts and PWs are well known on the dark web, so once someone figures out what brand of hardware they are dealing with, they are halfway to getting in. Enterprise FW hardware, for example Cisco, Palo Alto, Checkpoint etc., doesn't use this secondary root account system.

Another caution is that any wireless APs and IoT devices also have this type of attack vector; even if you have segmented them on a unique VLAN and changed the root/admin PW, they can still be accessed by someone that can capture traffic off the Wi-Fi. It is very easy to spoof a MAC address, and Wi-Fi encryption can be decrypted in minutes using the encryption options in consumer grade APs and routers. WPA2-PSK can be decrypted with just 4 packets is what I'm reading. If you want to really secure your Wi-Fi you need to stand up a RADIUS server and issue your own certs and encryption. Also, turn off SSID broadcasting for your Wi-Fi APs.

One of the simplest ways to segment a network is to set up multiple FWs and create DMZs for devices you don't want to have talking to the protected networks. For my home network, I went with a 3-FW tier using 3 separate non-routable address ranges and kept the highest value traffic on the innermost network. The FWs are all different brands of used enterprise equipment, as are the layer 2 and 3 switches; this way the same attack vector that works for the first in the chain won't work for the 2nd or 3rd, and since they would have to deal with non-routable addresses, it makes hopping to the 2nd one a lot more difficult. The APs are also enterprise grade using RADIUS and VPN. Not that I need this level of security, as my property is rural and large enough that they would need to be on my property to be in range, but when I lived next to a university my Wi-Fi was probed daily. I eventually set up a live CD Linux honeypot on its own AP that would keep them occupied and distracted from my real network.
 

Registered · 2,338 Posts
I am just wrapping up a project to completely redesign my home network. I went with a Ubiquiti EdgeRouter X and several managed switches. It started because we started adding more IoT devices on our network and I have been building homemade home automation equipment, mainly starting with voice control for things in my shop to work out the bugs before implementing it in the house. I didn't like all these things on my network, so I went with a more intelligent router and managed switches so that I can create Virtual Local Area Networks (VLANs). By doing this and using firewalls on the router I can completely isolate the IoT VLAN from the rest of my home network. Having only a single gigabit copper run to the shop meant I had to do VLANs. Once I had the hardware I expanded it further so the kids have their computers on a separate VLAN, so that the DHCP scope hands out different DNS settings which also limit what they can go to, yet my network has full access to anything. Currently I am up to 5 VLANs but I am still making tweaks. Next on the list is to replace my Wireless Access Points with ones that can do VLANs as well.
TV manufacturers are interested in understanding your viewing habits so that they can be certain to design their TVs with the appropriate list of apps and such, as well as potentially offer streaming services themselves. Sony, as an example, gets you to agree to sending them this information in exchange for things like allowing the TV to call home to see if there are firmware updates. If you don't agree, they don't track you, and it becomes YOUR responsibility to ensure that the firmware gets updated when needed by downloading it to a USB stick.

Firewalls, ACLs, and VLANs aren't going to help in this specific scenario, because you'll have to block ALL access for the TV to call home, and that means that it also won't be able to check for firmware updates. Additionally, the local TCP stack on the TV will get loaded with "SYN_SENT" open sockets that will start to slow the TV's operation down.

You can lock everything down, but as soon as you actually access something that's allowed (like streaming a movie), your ISP "knows what you're doing". Everything is about demographics (and has been for a long time), and you only understand trends and such by collecting and analyzing data. Anyone that HAS data, sells it to those that want it - it's the way of the world.
 

Registered · 2,729 Posts
Hiya,

The one weak point in consumer grade network hardware is the security of the chipset being accessible using a known root-equivalent account, not the root/admin account. Consumer equipment has this type of access to make patching and upgrading easy for the end user. The accounts and PWs are well known on the dark web, so once someone figures out what brand of hardware they are dealing with, they are halfway to getting in. Enterprise FW hardware, for example Cisco, Palo Alto, Checkpoint etc., doesn't use this secondary root account system.

Another caution is that any wireless APs and IoT devices also have this type of attack vector; even if you have segmented them on a unique VLAN and changed the root/admin PW, they can still be accessed by someone that can capture traffic off the Wi-Fi. It is very easy to spoof a MAC address, and Wi-Fi encryption can be decrypted in minutes using the encryption options in consumer grade APs and routers. WPA2-PSK can be decrypted with just 4 packets is what I'm reading. If you want to really secure your Wi-Fi you need to stand up a RADIUS server and issue your own certs and encryption. Also, turn off SSID broadcasting for your Wi-Fi APs.

One of the simplest ways to segment a network is to set up multiple FWs and create DMZs for devices you don't want to have talking to the protected networks. For my home network, I went with a 3-FW tier using 3 separate non-routable address ranges and kept the highest value traffic on the innermost network. The FWs are all different brands of used enterprise equipment, as are the layer 2 and 3 switches; this way the same attack vector that works for the first in the chain won't work for the 2nd or 3rd, and since they would have to deal with non-routable addresses, it makes hopping to the 2nd one a lot more difficult. The APs are also enterprise grade using RADIUS and VPN. Not that I need this level of security, as my property is rural and large enough that they would need to be on my property to be in range, but when I lived next to a university my Wi-Fi was probed daily. I eventually set up a live CD Linux honeypot on its own AP that would keep them occupied and distracted from my real network.
This is just the first step in what will be a long process. By no means is what I outlined the final overall network plan. While it is great to use enterprise grade hardware it isn't like Cisco and the other enterprise class systems are free from issues. Here is a good example from just over the last few days. We are scrambling to address this issue at work now.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

I do have some enterprise grade equipment laying around, but one must walk a fine line when it comes to home equipment. What is my risk? I could do a quantitative risk analysis figuring out my ALE, but I am not a business. At what point is good enough all I need, and at what point does maintaining my home network become a full time job? The last thing I want to do is spend all day at work doing this stuff and get home to do more of the same. It is fine to a point, but really, how big of a target am I? What steps can I take to Reduce/Mitigate, Assign/Transfer, Accept or ignore said risk?

As far as using that enterprise class equipment: I could buy it new, but it isn't cheap and I would rather spend my free money on other things. I could pick up used equipment that has been retired for a decent price, typically once it is end of life in a business application. However, for most businesses it is end of life because updates are no longer available. So is it really better to run enterprise hardware without remediation for known exploits? I agree with the concerns with your lower end consumer grade equipment. Way too many back doors. But it isn't like you can fully escape them in the enterprise. Look at the Cisco reference above or the Intel mess that has been going on over the last few months between Spectre, Meltdown and Management Engine issues. These issues are not only in low end consumer grade equipment but also the hardware running our vSphere environment. The way I look at it is I would rather go with something more middle of the road in the "prosumer" market. Ubiquiti isn't enterprise class equipment like Cisco, and in a corporate environment I wouldn't deploy it, well, not at least when talking their routers. I guess their long range wireless stuff is pretty good. It isn't something you are going to find walking into Walmart though either. They are not targeting home users. Maybe a SOHO if the person was more advanced than your average user, but mainly your smaller offices up to 100 or so users is kind of their market: an organization without the funding for high end stuff but maybe an IT staff of 1-2 people that are jack-of-all-trades type people. While there is a GUI, it is pretty limited. You are better off diving into the CLI, and that will scare off most average users. Most importantly there is a support system and updates come out for it without having to rely on a SMARTnet account with Cisco. Sure we may have access to that from work, but technically I am talking home use. Same goes for other accounts like MSDN.

Sure I have an account, but should I be spinning up servers with it at home when work pays for my subscription? Have I done it? Sure, I needed to test out something for work but didn't have time to wait for someone else to spin up a test environment for me, so I built my own. It wasn't a perfect replication of the corporate environment but it got the job done, and if something went boom the only thing at risk was my home environment, so work was fine with me doing it. I could have probably used the evaluation version of Server, but it takes time to build Active Directory; do I really want to go through all of that every 180 days? No, it is easier to have at least that up and running. After all, that is what the dev licensing models are for. Also, Ubiquiti is well known enough and used by plenty of security researchers out there in their personal networks. I am sure a lot of them have Cisco or Palo Alto equipment as well, but I know the EdgeRouter and EdgeRouter X are popular with people working in this industry, so people tend to poke at it. Its feature set is also pretty darn hard to beat for $60. It is a router that is far more capable than anything in the consumer market.

As I mentioned, there are layers of security that are yet to come. I mentioned switching out my consumer grade WAPs for what will most likely be Ubiquiti WAPs. Not completely settled on that but 80% sure. I am not in a rush for this and am waiting a bit to see how WPA3 pans out. There is getting to be more chatter about this recently. Not sure how much I like it being developed behind closed doors, but we don't have much choice in the matter. For now I can get by for a few months with my mix of consumer grade stuff and see how things play out. Because I am probably waiting for now, the next phase will probably be moving some equipment around. I need to move where my cable modem and router are located so that I can set up an older computer that I have set aside to run pfSense. They are currently in my living room and I don't want a PC chugging away with pfSense 24x7 there. I can relocate this equipment to my basement pretty easily. That will probably be a spring/summer project because I need to do some rewiring. Once that is in place, that will be the primary firewall, which is a different system and platform than the router. The router will be a secondary layer of firewall with its main job really being to filter traffic between my VLANs more so than protection from the outside, but it will do that as well. The management network for all switches and the router is on a separate non-routable network. Currently the only way to access the router and switch management interfaces is from a really long CAT5 cable in the living room that reaches where I sit watching TV. Well, I guess there is nothing stopping me from assigning that VLAN to a VM on my Hyper-V machine because it is connected to one of the managed switches on a trunk port. I would have to look and see if that VLAN is on the trunk port to that machine. I could take it out on the switch side and lock that down a bit more.

Then, short of some form of backdoor, it would be tough to get to any of my management interfaces. Well, unless someone had physical access, and all bets are off then.

One of the other phases will be setting up MFA for logging into the VPN connection. Currently using certificates but I want to add MFA to the mix to complicate things a bit. I am sure there will be additional phases as time goes on.

I don't think I have ever broadcast my SSID, but really that is a minor thing to get around. I have a laptop running Kali and I have lost count of the number of times I have broken into my network, broadcasting my SSID or not, and with all the various levels of encryption and various brands of consumer grade WAPs. This is something I do against my home equipment, not the local coffee shop or at work. I am sure you are familiar with this distro and therefore aware that MAC addresses don't mean much when using less common operating systems like this. Not that MAC address filtering does much, but I can't use it because of systems like this that I use, because every time I boot up that machine it gets a new MAC address. However, even in more widespread platforms like Hyper-V and VMware, because everything is virtualized, it is very easy to assign whatever MAC I want to any platform even if it isn't easily configurable in the operating system.

Like you, I am in a more rural area. While someone could probably connect to my Wi-Fi from the road, I can see the road from my living room and they are not going to do it without special antennas, but those can be made with something as simple as an old Pringles can. Part of this is because of distance and part because I live in a near Faraday cage with the steel siding that is on my house. The pole barn/shop also has Wi-Fi, but that is steel siding and roof so it is the same way. Some signal gets out from the window openings but the range is pretty limited. Sure, I am not always there looking out my window to see if someone is stopped at the end of my driveway aiming an antenna at my house, but where I live it is a dead end road with enough houses where everyone knows everyone's vehicle to raise suspicion. Our houses are far enough away from each other that we have a certain amount of separation, well, kind of. Our lots are narrow but deep, and while I can see home networks from the homes to my left and right, across the street or the houses behind us are all much too far away for normal antennas built into a laptop. Those neighbors to my right and left could likely see my networks, but I don't worry much about them as we are all on good terms. Their technical level is such that they would come to me for issues that they have. That might change as their kids get older, but they seem to be more into hockey than computers.

Like I said, this is going to evolve a lot more over the next year or so as I have time. Like in a corporate environment, the firewall layers are always going to be evolving. Time is the battle there. I will likely make my IoT network a DMZ, and that has been on my list of configuration changes. There are enough devices that live there to make it look like your average home, so someone might not take the time to dig much more to discover other layers. I really don't have a lot of commercial IoT. My TVs are smart TVs but are not connected to Wi-Fi or physical connections to the network. No need to. I do have some Google Home Minis, Nest, Nest Protects, Chromecasts. The light control stuff I am doing is all home built and uses MQTT with Home Assistant running on a VM in the house, which is the reasoning for setting up the VLAN. I needed to get the isolated network from the Hyper-V machine in the house to the pole barn where I am doing home automation stuff right now. At some point Home Assistant may get moved to a Raspberry Pi and physically sit in the IoT network. I have other priorities right now though, as I balance risk with paranoia with some nice to have features.
 

Premium Member · 10,991 Posts
I just don't see what all the fuss is about. My biggest concern has always been tuning stations that don't use the "clicky knob".

old-TV.jpg
 

Registered · 2,729 Posts
TV manufacturers are interested in understanding your viewing habits so that they can be certain to design their TVs with the appropriate list of apps and such, as well as potentially offer streaming services themselves. Sony, as an example, gets you to agree to sending them this information in exchange for things like allowing the TV to call home to see if there are firmware updates. If you don't agree, they don't track you, and it becomes YOUR responsibility to ensure that the firmware gets updated when needed by downloading it to a USB stick.

Firewalls, ACLs, and VLANs aren't going to help in this specific scenario, because you'll have to block ALL access for the TV to call home, and that means that it also won't be able to check for firmware updates. Additionally, the local TCP stack on the TV will get loaded with "SYN_SENT" open sockets that will start to slow the TV's operation down.

You can lock everything down, but as soon as you actually access something that's allowed (like streaming a movie), your ISP "knows what you're doing". Everything is about demographics (and has been for a long time), and you only understand trends and such by collecting and analyzing data. Anyone that HAS data, sells it to those that want it - it's the way of the world.
Totally agree. Not the point of segregation. It has more to do with being able to keep a device over which I have limited control of what it has for patches, or which is not possible to patch, from talking with other devices on my network which are more trusted. I have smart TVs in the house. So far they only have the ability to connect to a wired network and they are not plugged in. The next TV very well may have Wi-Fi but I won't add it. When I watch TV it is using my Comcast cable box with DVR, so I know they see what I watch live, DVR or via On Demand. For smart functions I have Chromecasts. I know Google is tracking what I watch on Netflix and Amazon Prime, and those companies are tracking what I watch on their subscription. None of this has anything to do with network segregation, and my firewalls are not currently blocking those outbound connections. However, I do have several large network ranges blocked for certain countries that I don't want to talk to.
 

Premium Member · 10,991 Posts
Sony, as an example, gets you to agree to sending them this information in exchange for things like allowing the TV to call home to see if there are firmware updates. If you don't agree, they don't track you. And it becomes YOUR responsibility to ensure that the firmware gets updated when needed by downloading it to a USB stick.
Actually, this is my PREFERRED method of receiving updates. It allows you to adopt the "If it ain't broke don't break it" process.
 

Registered · 2,338 Posts
Actually, this is my PREFERRED method of receiving updates. It allows you to adopt the "If it ain't broke don't break it" process.
The problem is that the definition of "broke" can be very different for different folks. In the case of the most recent security issues, it was ABSOLUTELY broke, and most folks wouldn't have perceived an issue because there was no way to identify a problem until your system was hacked because the SSL components were weak.
 

Registered · 1,067 Posts
Personally, I gave up on the tech wars. This entire thread is the reason my name is on a security memo from 2 credit card companies that got hacked. Every fn thing is on some server linked to the internet. Nothing is safe and the people hacking are state sponsored. They don't even care that we know it as there's literally nothing we can do to stop it. Security of any information is a myth. When they want it, they'll get it.
 

Registered · 592 Posts
The problem is that the definition of "broke" can be very different for different folks. In the case of the most recent security issues, it was ABSOLUTELY broke, and most folks wouldn't have perceived an issue because there was no way to identify a problem until your system was hacked because the SSL components were weak.
If the Smart TV is not connected to a network, then you're not using the smart functions. It doesn't matter at that point if it even supports SSL, because you're not connecting to anything.
 

Registered · 2,338 Posts
If the Smart TV is not connected to a network, then you're not using the smart functions. It doesn't matter at that point if it even supports SSL, because you're not connecting to anything.
Yes, that's very true.

HOWEVER...

Those that have a Smart TV, and -ARE USING- functions like content streaming, need to keep their set's firmware and the applications up to date. With Sony Bravia sets, that means that you have to accept the usage terms, and THAT includes allowing them to collect your usage data and send it back to them continuously. If you opt out of that, you can still keep the firmware up-to-date in your set (and you absolutely should) by downloading the updates from Sony to a USB stick and then plugging that into the set.

The general issue is that Sony (as a specific example that I can speak to) requires you to allow them to actively collect your usage information in exchange for them pushing notice to your TV of there being new firmware available. If you deny Sony the right to your info, they won't notify you of updates. And, if you're using even one app on the TV (let's say it's the DLNA / UPnP movie player to access movies on your home network / desktop), then you are potentially connected to the Internet and it is extremely important to keep the firmware updated.
 

Registered · 2,523 Posts
I’m more concerned about my smartphone than the TV. I don’t care if big brother knows what shows I watch. That damn phone seems to know everywhere I have been, and when. It knows which roads I travel and when. I get surveys and am asked to do reviews on places / stores I’ve been to, places that I paid in cash and the store or restaurant would not have any info on me.

I don’t think I have anything to hide, but do I really need big brother knowing how often I eat fast food, how much time I spend at bars or gun shops / shooting ranges, or that I don’t go to a gym? :unknown:
 

Registered · 2,338 Posts
I’m more concerned about my smartphone than the TV. I don’t care if big brother knows what shows I watch. That damn phone seems to know everywhere I have been, and when. It knows which roads I travel and when. I get surveys and am asked to do reviews on places / stores I’ve been to, places that I paid in cash and the store or restaurant would not have any info on me.

I don’t think I have anything to hide, but do I really need big brother knowing how often I eat fast food, how much time I spend at bars or gun shops / shooting ranges, or that I don’t go to a gym? :unknown:
I'm guessing you have an Android phone, because the Google Maps app on those phones drives you crazy with requests to add photos and reviews wherever you stop.

I really wish there was a way to disable a LOT of that background functionality on Android without losing the foreground usefulness when you really DO want your phone to know where you're at (like when you're looking for directions to someplace and want to see how to get there from where you are at that exact moment).
 

Registered · 2,523 Posts
I'm guessing you have an Android phone, because the Google Maps app on those phones drives you crazy with requests to add photos and reviews wherever you stop.

I really wish there was a way to disable a LOT of that background functionality on Android without losing the foreground usefulness when you really DO want your phone to know where you're at (like when you're looking for directions to someplace and want to see how to get there from where you are at that exact moment).
I do have an Android phone. I’ve had it for a number of years, overdue to get a new one. It just started with asking for reviews around the 1st of the year. It always has given traffic updates, time to home, etc.
 