this post was submitted on 12 Nov 2023
1480 points (96.0% liked)

tumblr

3452 readers
605 users here now

Welcome to /c/tumblr, a place for all your tumblr screenshots and news.

Our Rules:

  1. Keep it civil. We're all people here. Be respectful to one another.

  2. No sexism, racism, homophobia, transphobia or any other flavor of bigotry. I should not need to explain this one.

  3. Must be tumblr related. This one is kind of a given.

  4. Try not to repost anything posted within the past month. Beyond that, go for it. Not everyone is on every site all the time.

  5. No unnecessary negativity. Just because you don't like a thing doesn't mean that you need to spend the entire comment section complaining about said thing. Just downvote and move on.


Sister Communities:

founded 1 year ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] dlok 3 points 1 year ago (4 children)

And what's the worst an internet connected thermostat could do, discomfort you to death? If someone got into my Google account past 2fa etc id have bigger worries.

[–] [email protected] 21 points 1 year ago (2 children)

For me it's more the privacy aspect. IOT devices tend to be network weak points. Things like Alexa constantly listening. I could see myself self hosting home assistant maybe in the future but not of the things smart devices enable are really a value add for me personally.

[–] CosmicCleric 5 points 1 year ago* (last edited 1 year ago) (1 children)

You don't need home devices to lose your privacy like that. Your phone's themselves are constantly listening in.

Was talking to the wife in the car one time about buying a new pair of tennis shoes, and when I got home that evening and watched YouTube videos and such, I was getting so many tennis shoe ads it was actually quite spooky.

[–] [email protected] 6 points 1 year ago

Oh definitely, I go to a lot of effort to try and mitigate it (graphene OS, no Facebook, social media, pihole for network wide ad blocking, simplelogin for email aliasing, no smart devices) but there's always plenty of invasive apps/services even you're privacy conscious.

[–] LemmyIsFantastic -5 points 1 year ago (2 children)

Jesus Christ "always listing".

No they aren't. Not in any sense that even explained in common sense language to normal people.

They are listening to what amounts to be a key pair(s) voice imprint. That's done at a hardware level. And despite it be career making and be worth millions nobody has reported any large scale beach of trust in many years.

The major players have an excellent track record of being secure.

[–] [email protected] 3 points 1 year ago

The major players have an excellent track record of being secure.

Facebook doesn't.

[–] [email protected] 1 points 1 year ago (1 children)
[–] LemmyIsFantastic 1 points 1 year ago (1 children)

Whatever you say. Still not a single person who can list consumer devices using this tech.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Whatever you say astroturfer.

But it does not look like like they are secure at all

Hey, we even have leaks... .

Tell your boss to update your script

[–] LemmyIsFantastic 0 points 1 year ago* (last edited 1 year ago) (1 children)

First, the attacker needs to be within wireless proximity of the device, and listen to MAC addresses with prefixes associated with Google. After that, they can send deauth packets, to disconnect the device from the network and trigger the setup mode. In the setup mode, they request device info, and use that information to link their account to the device and - voila! - they can now spy on the device owners over the internet, and can move away from the WiFi.

Congrats, you found a single instance. It was patched via the security program. It relied on physical proximity.

Then you link another scenario where an utterly insignificant portion of users data was shared with partners.

It's grasping at straws and both those incidents are unrelated to always on recording. None of that shit you linked is related in the least bit. It's slippery slope bullshit you're trying to pull.

Astroturfing 🤣🤣🤣 good lord I wish I could get paid arguing with uninformed privacy zealots.

[–] [email protected] 1 points 1 year ago (1 children)

So much so for your "excellent track record of being secure." right? Specially this taking almost a year to be patched. Now image the exploits that were found not by researchers, but malicious parts...

I mean, if you were a paid astroturfer I could understand, because people have to make ends meet right. But doing that for free? What a dystopian world we live in

[–] LemmyIsFantastic 0 points 1 year ago* (last edited 1 year ago)

Holy shit, you really are stuck on this 100% unrelated local access hack 🤣

I guess you'll never use tls again cause of its history right?

[–] [email protected] 20 points 1 year ago (3 children)

The issue is that the thermostat can be used as a jump box into your network.

That's when/where all the nefarious things happen.

[–] [email protected] 6 points 1 year ago

This is why I like boarderless security, and did even before all these smart devices came around. Every device should be responsible for its own security. It meant your laptop is still protected when you're on some random wifi network. Networks shouldn't be built like eggs; hard on the outside, soft on the inside.

It does take more technical skill to setup, though.

[–] [email protected] 5 points 1 year ago (1 children)

Or they could just dime out the heat/AC and give you a huge energy bill. Or kill the furnace in the winter, while you're on vacation, and let your pipes burst.

[–] RGB3x3 2 points 1 year ago* (last edited 1 year ago) (1 children)

Nobody is doing that. A hacker doesn't cause chaos just for the fun of it. They have nothing to gain by playing with your thermostat when they can spend less man-power exploiting corporations for money and data.

[–] [email protected] 1 points 1 year ago (1 children)
[–] RGB3x3 1 points 1 year ago

Yeah, but:

The downside, though, is that installing the ransomware, currently, requires the hackers to either have physical access to the thermostat or trick the victim into loading malicious files on the device on his own.

And if a hacker is in your home, they're not a hacker. They're just a burglar.

[–] [email protected] 2 points 1 year ago (1 children)

Realistically speaking who targets an individual house in the hopes of accessing something important and usable when companies lose millions of customer financial and personal information basically every month?

[–] Nahdahar 5 points 1 year ago (1 children)

Nobody attacks an individual house, people exploit vulnerabilities en masse.

[–] RGB3x3 1 points 1 year ago (2 children)

To do what though? People are worried about their internal network being compromised, but the average person has basically nothing worth stealing on their home network given the insane amount of work it takes to compromise it.

The fears of your internal home network being compromised are way overblown.

[–] [email protected] 1 points 1 year ago

It's not just damage to your home network, it's using that as part of botnets do do other crime. And it's collecting data on you for sleazy purposes, that then gets leaked (sometimes) to those who want to use it for crime.

the insane amount of work it takes to compromise it.

Really?

The great thing about software is once you develop an insane trick to get into one child's internet-connected doll (oh yes, there's that too) you can roll it out to try ten million dolls across the world.

[–] Nahdahar 1 points 1 year ago (1 children)

A main example that comes to mind is nanny cam or iot security cam ransoms for example. They don't target specific individuals at first, they exploit a mass vulnerability, gather sensitive footage then blackmail. Another example, while not directly affecting IoT users' lives was the Mirai botnet attack.

[–] [email protected] 1 points 1 year ago

This implies looking at hundreds of thousands of nanny cams, for probably lots of hours before you end up with any footage thts worthy of 'blackmail'. And I'd bet many homes would literally never have anything blackmail worthy even happen on camera. Oh no, they saw me naked!?! What am I going to do if my coworkers found out I walk around naked in my own home. I'd just tell them to take a hike and release my naked footage if they really wanted to.

[–] [email protected] 12 points 1 year ago (3 children)

I think that example is probably the most serious one. If you live in regions that go to -40c you most definitely don't want your thermostat to just stop heating the house.

[–] [email protected] 1 points 1 year ago (2 children)

Whats -40c I only know freedom units. Im guessing its -20f

[–] [email protected] 11 points 1 year ago

Coincidentally -40c is also -40f

[–] [email protected] 11 points 1 year ago

Believe it or not, it's also -40f :D for once we're all happy.

[–] dlok 1 points 1 year ago (1 children)

Pretty extreme example, and im sure you would manually intervene at that point

[–] [email protected] 8 points 1 year ago

Sure it's definitely an extreme example for the sake of argument but it's one with potentially severe consequences (what if it happens while everyone is sleeping, or while all humans are away with only pets in the house, etc etc).

It's happened before too: https://news.sophos.com/en-us/2016/01/18/nest-smart-thermostat-glitch-leaves-cold-feet-and-steaming-mad-customers/

[–] [email protected] 1 points 1 year ago

At the same time, it's nice to be able to check what temperature it's at while you're away. I have a zwave thermostat myself, gives "smartness" without the reliance on someone else's computer.

[–] CosmicCleric 5 points 1 year ago (1 children)

And what’s the worst an internet connected thermostat could do

Raise your AC and or Heating bills?

[–] dlok 0 points 1 year ago (1 children)
[–] CosmicCleric 5 points 1 year ago

Without you noticing though?

They'd time it for when you are on vacation.