New attack vectors introduced at CES

The annual Consumer Electronics Show (CES) is underway this week, and companies are unveiling their upcoming advances in technology.

So far, I’ve read about two things that can be attached to networks, bringing security concerns with them.

First, echoing an earlier post of mine, Samsung has announced a washer and dryer with wi-fi.

The reasoning behind this is that consumers can remotely start and monitor their laundry through smartphone apps, plus get alerts when it’s done.  This actually sounds pretty cool.

Of course the concern is that you are adding a strange new appliance to your home network.  I haven’t seen the full details of how the washer and dryer communicate, but it’s possible that they could become pivot points for someone to get into your network.

Here’s a plausible scenario:  Someone buys this washer and dryer set and puts it in their home.  They modify the firmware to include a secret backdoor, and sell their house with the washer and dryer included.

This previous owner now has internal access to the new owner’s network.  They can use that connection for illegal or unscrupulous activities, attracting any law enforcement response to the unsuspecting new owner.  The new owner will claim innocence and insist they were hacked, but if there’s no rootkit or botnet found on their machines, will anyone think to look at the washer and dryer?

The other new product to include a network connection at this year’s CES is the Nikon D4.

This new flagship camera boasts many impressive advances (as it should for the $6,000 price tag).

One feature is the ability to connect directly to a network, and then be controlled via web browser.

The really interesting thing here is that the camera is running a lightweight HTTP server.  Like the washer and dryer, this can potentially be modified for nefarious purposes.  Unlike the washer and dryer, this is a portable device that could be plugged into any Ethernet network (or hooked up to wi-fi).  So, someone hacks the firmware so that the HTTP server does something evil (backdoor, spreads a worm, etc.), and then just plugs the camera into a network they want to attack.

Of course, a properly secured network would not allow a rogue device to communicate with anything, but properly secured networks are few and far between.

 


Intermission

I’m going to interrupt my usual technical blogging to:

  1. Plug a contest that I’d rather enjoy winning.  Crave Photography (http://cravemyphotography.com/blog/) is running a giveaway, with the top prize being a high quality 85mm lens in either Nikon or Canon mount.
  2. Begin my first non-security post (I have a new security post coming immediately after this one if anyone is interested)*

To stay on topic with the contest, I’ll do this first non-security post on photography.

My wife and I spend a lot of our spare time taking pictures of our children.  My son is nearly three, and my daughter just turned one.

THEY NEVER SIT STILL.

This makes photographing them very challenging.  To get a crisp image indoors you generally need a shutter speed somewhere north of 1/125.  There are a few ways we have tried to get good pictures with varying amounts of frustration:

  1. Use a direct flash.
    • PROS – lots of light, good shutter speed
    • CONS – can cause harsh shadows and black out the background
  2. Use an indirect flash (bounce behind)
    • PROS – Evenly lights subject and background, good shutter speed
    • CONS – Can add color cast if not bouncing off white surface, some angles cast odd shadows
  3. Use a fast lens wide open
    • PROS – Can utilize natural/available lighting
    • CONS – If shooting close up, the depth of field is unforgivingly small.
  4. Push the ISO to its limits
    • PROS – Can get your ideal shutter and aperture for the shot using natural/available light
    • CONS – depending on the camera, noise in the image may be unacceptable.

I think the next step would be to set up studio lighting, but there is no chance of that happening anytime soon.  Our house is cramped enough as is.

Anyway, I just wanted to post a little something to get started on my photography writing.  I’ll probably add more posts with pictures in the future.

 

*At the time of writing I have approximately one person reading this blog.  Thanks Will.