Forget Huawei, The Internet Of Things Is The Real Security Threat

We've noted for a while how a lot of the US protectionist security hysteria surrounding Huawei isn't supported by much in the way of hard data. And while it's certainly possible that Huawei helps the Chinese government spy, the reality is that Chinese (or any other) intelligence services don't really need to rely on Huawei to spy on the American public. Why? Because people around the world keep connecting millions of internet of broken things devices to their home and business networks that lack even the most rudimentary of security and privacy protections.

Week after week we've documented how these devices are being built with both privacy and security as a distant afterthought, resulting in everything from your television to your refrigerator creating both new attack vectors and wonderful new surveillance opportunities for hackers and state actors.

The latest case in point: a popular Chinese GPS tracker, used to track everything from vehicles to kids and the elderly, has been found to contain a significant flaw that can trick the device into handing over GPS data using little more than a text message. The devices, which are made in China and rebranded and sold by more than a dozen companies, can also be used as remote surveillance devices, notes cybersecurity researchers:

"Researchers at U.K. cybersecurity firm Fidus Information Security say the device can be tricked into turning over its real-time location simply by anyone sending it a text message with a keyword. Through another command, anyone can call the device and remotely listen in to its in-built microphone without alerting anyone.

Another command can remotely kill the cell signal altogether, rendering the device effectively useless."

While the device can be protected with a PIN, that setting isn't enabled by default, and the researchers found the devices can be remotely reset, bypassing the pin anyway. This is, if you hadn't been paying attention, kind of the norm when it comes to IOT devices. By the time flaws like this are exposed the company involved has usually moved on to marketing new devices with an entirely new array of vulnerabilities. And since most such devices don't offer much in the way of transparency, consumers usually are largely clueless to the fact that their devices are putting their private data at risk.

Security researchers keep warning us that the check is going to come due on the internet of things front, and we're not taking the warnings seriously:

"This device is marketed at keeping the most vulnerable safe and yet anybody can locate and listen into thousands of people's lives without their knowledge," said Fidus' Andrew Mabbitt, who wrote up the team's findings. "This day and age, everything is connected one way or another and we seem to be leaving security behind; this isn't going to end well."

As security researchers have been saying for several years, it's likely going to take a major attack on significant infrastructure and some significant fatalities before we wake up out of our collective stupor. In the interim DC is obsessed with whether companies like Huawei are covert Chinese spies, but largely apathetic to the fact that the internet of broken things already provides all the spying opportunities a nosy government or rogue actor would ever need.