Mirai-based DDoS attack highlights benefits of Apple's secure HomeKit platform

Comments

  • Reply 21 of 29
    FlorianFfm Posts: 1 unconfirmed, member
    xixo said:
    People are going to keep buying crap kit based upon the price and not the security.
    This DDOS is only the beginning. There will be more and bigger events before anything is done to improve security.
    This is a disaster waiting to happen. To the general public it won't matter if Apple are secure or not, all IOT thingamyjibs will be tarred with the same brush.

    There are millions of devices in transit from China. The vast majority will be totally insecure.

    I am beginning to wonder if this is the beginning of the end of the internet as we know it.
    With millions and millions and millions of devices working together in a DDOS event short of pulling the plug on every home router you can't stop it in a month of Sundays.

    Some of us have made a stand against all IOT devices Homekit or not. None will be connected to any network I have any control over for the foreseeable future.
    And they will continue to buy cheap kit and continue to use the cheap kit they already have until some law enforcement authority breaks down their door and arrests the user for contributing to a terrorist organization. Or those companies with deep pockets affected by such DDoS attacks and other attacks take these idiots to court and have their names run through the media before being heavily fined by the courts for said contribution to hacking activities, being that intent does not have to be proved under the DCMA.
    More likely solution is something like the MAC addresses assigned to insecure devices will be blocked by the ISP and eventually devices will have to be certified by the FCC to comply with some minimum security standards in order to be saleable. 
    and then someone will spoof your MAC address to match the ban list and force you offline
    Well, first of all this would only work if you have an ISP managed router in your home; otherwise only the device's dynamic IP address, not its MAC address, can be seen outside your local network. So once you are beyond that first hop it becomes difficult to detect a device's vendor, even w/o any spoofing...
  • Reply 22 of 29
    mike1 Posts: 1,871 member
    dachar said:
    I have ordered upgraded wifi hardware for my heating system to make it compatible with HomeKit. The manufacturer has recently informed me there will be a delay with supply as it is taking longer than expected to get the hardware approved. I guess this means Apple are not approving quickly. If Apple are serious about HomeKit then they need to put more resources into supporting hardware manufacturers. A similar view has been expressed about ApplePay in that Apple should be doing more to get the retailers on board.
    Maybe the devices you want to purchase are not yet approved because they fail to meet the standards. Maybe Apple has pointed out their flaws and they had to do some more work. A comment like "longer than expected to get hardware approved" could easily be the fault of the hardware manufacturer. You really don't know and therefore choose to blame Apple. In reality, if this is the company's first time trying to have a HomeKit product approved, it may take a few passes.
  • Reply 23 of 29
    igorsky Posts: 422 member
    Let me see if I have this right: Chinese manufacturer, possibly with state encouragement (or mandate), builds IoT devices with a GRIEVOUS security flaw, distributes them to US citizens convinced cheaper has to be better, then we're set up to have major components of the Internet downed by a botnet composed mainly of these devices. To paraphrase Jeff Foxworthy, "We may be as dumb as they think we are."

    I am shocked that this point has not been brought up more often since the incident. Any Chinese IoT products sold in the US should be expected to contain such grievous flaws because it benefits China and their state-sponsored hacking campaign against the US.  I have a security camera at home made by Yi that I will be disconnecting asap.
    edited October 2016
  • Reply 24 of 29
    igorsky Posts: 422 member
    dachar said:
    I have ordered upgraded wifi hardware for my heating system to make it compatible with HomeKit. The manufacturer has recently informed me there will be a delay with supply as it is taking longer than expected to get the hardware approved. I guess this means Apple are not approving quickly. If Apple are serious about HomeKit then they need to put more resources into supporting hardware manufacturers. A similar view has been expressed about ApplePay in that Apple should be doing more to get the retailers on board.

    What do you expect Apple to do to get retailers on board?  Put a gun to the heads of the CEOs?  

    Also, this long approval process that you're referring to is a positive...it means Apple is serious about security and wants to make sure every product using the HomeKit name is qualified to do so.  Retailers have been slow to adopt HomeKit and ApplePay because it benefits their bottom line not to do so, plain and simple.
    edited October 2016
  • Reply 25 of 29
    Good to know  Apple has us covered. The only device not a part of HomeKit yet is my Nest Thermostat. I sure hope they'll reconsider their stance and join HomeKit one day. 
  • Reply 26 of 29
    Here's what I see happening next...

    At some point someone will tally a list of manufacturers with exposed IoT shipped products.  It should be interesting to see the list.

    Second, since the Mirai code is out there and the vulnerability pretty well known, I expect the large U.S. based ISPs to take a more proactive role on this since much of this unexpected botnet traffic happened over their networks.  For example, Comcast regularly scans for botnets on their networks from user machines and I expect they will add this to their list of things to blacklist.  It wouldn't be that hard to blacklist certain IoT devices at the MAC address level using the provided router if it were required or even disable the user entirely.
  • Reply 27 of 29
    Enviro G said:
    Good to know  Apple has us covered. The only device not a part of HomeKit yet is my Nest Thermostat. I sure hope they'll reconsider their stance and join HomeKit one day. 
    Not likely.  First, they are Google now and Google has their own IoT strategy.  Nest has benefited from Google's network security engineering team even before the acquisition as many were early Nest customers and offered their services off-hours to help Nest better lock down their devices.

    Second, it would require new generation hardware since Homekit is a hardware-based solution.

    I'm not saying it's impossible....introducing a Nest Thermostat (or the Protect smoke detector) with Homekit might induce a bunch of consumers to upgrade which could be a good sales strategy.  I'd certainly consider it if they introduced such a product.
  • Reply 28 of 29
    Enviro G said:
    Good to know  Apple has us covered. The only device not a part of HomeKit yet is my Nest Thermostat. I sure hope they'll reconsider their stance and join HomeKit one day. 
    If they did, you'd have to buy a new thermostat anyway because your nest lacks the HomeKit coprocessor.  Since that's the case, instead of waiting, you might start looking at mfi thermostats to see if there is one that suits you. (Also because I think, pure speculation of course, that it is unlikely that Google will sign on to use HomeKit.)

    edit:  ninjaed by sevenfeet. :0)
    edited October 2016
  • Reply 29 of 29
    sevenfeet said:
    Here's what I see happening next...

    At some point someone will tally a list of manufacturers with exposed IoT shipped products.  It should be interesting to see the list.

    Second, since the Mirai code is out there and the vulnerability pretty well known, I expect the large U.S. based ISPs to take a more proactive role on this since much of this unexpected botnet traffic happened over their networks.  For example, Comcast regularly scans for botnets on their networks from user machines and I expect they will add this to their list of things to blacklist.  It wouldn't be that hard to blacklist certain IoT devices at the MAC address level using the provided router if it were required or even disable the user entirely.

    Although I agree with you that it would be a great idea, since the Chinese Ministry of Justice started rattling its legal sabre in the direction of Brian Krebs for defamation, I wonder how many folks would feel comfortable enough to set up such a name and shame site. 

    I think it would take the FCC and CPSC working together to publish such a list (and even then they probably don't have the balls to do it.)