Not Just No

Not just no, but hell no. I’d use an even stronger word, but I try to keep this blog within shouting distance of being safe for work.

As anyone who reads this blog regularly has probably guessed, I’m talking about the just-announced Amazon Key service.

For those of you who haven’t heard about Amazon Key, it’s the Big A’s take on an idea Walmart introduced recently: a way for delivery people to put your packages inside the house, so they can’t be stolen.

Walmart’s version, by the way, is a little creepier: they’re offering the service for groceries, and it includes putting them in your fridge. For now, Amazon Key seems to be limited to setting your packages inside the door and leaving it at that. I say “for now” because it’s apparently their way of getting a foot in the door (sorry) and will be expanded later to offer services such as dog walking and housekeeping.

The way the service will work is relatively straightforward: you (well, not you, because I hope everyone reading this blog is smart enough to give Amazon Key a pass) buy a particular Wi-Fi camera and smart lock. Once they’re installed, if you don’t answer the door, your friendly package delivery peon can contact somebody at Amazon HQ, who will remotely unlock the door. You get an alert on your phone and can use your phone and the camera to watch the peon put your packages inside. Presumably the door will lock again when it’s closed.

Amazon claims they’ll be vetting the delivery people. That’s nice. They also claim to vet the current delivery people. You know, the ones who park in the middle of the street and hurl packages over the fence. (A side note: since I wrote that post, I’ve seen several female Amazon delivery peons. Most of them were accompanied by males who were, unlike the women, not wearing any Amazon logo-bearing clothing. Does Amazon also vet those security ride-along people?)

Amazon also says they’ll be carrying insurance to cover you against delivery issues, property damage, or theft. That’s nice. They also explicitly warn against using the Amazon Key service if you have pets who might come to the door. So, clearly they don’t think the insurance will cover lost pets–nor do they want to deal with lawsuits from their gig economy, vetted delivery peons seeking to make the Big A responsible for their dog bites and/or allergic reactions.

But leave that aside.

Remember last year, when a researcher found that “twelve of sixteen locks he bought at random had either no security or absolutely horrible security”? I’ve seen nothing to make me think matters have improved in the last fourteen months. Granted, Amazon is better than many companies about issuing software updates to products they sell under their own name. But it’s not entirely clear to me whether the lock will be Amazon-branded, let alone Amazon-built.

Then there’s that camera. Look back another year, when reports were going around about baby monitors. At that time, nine out of nine popular baby monitors were found to have serious security flaws. Don’t think camera manufacturers have improved their security in the past two years: cameras have been prominent contributors to the waves of zombified Internet of Things attacks we’ve seen in the past year, beginning with last October’s Mirai malware-controlled mess.

But leave that aside, too.

Suppose everything works perfectly according to Amazon’s plan. Amazon is already a huge target for hackers. Do you think giving them the ability to remotely unlock doors will make them less of a target? Do you believe their security is that much better than, say, Target? Experian? Hell, a quick Google search should remind you that the National Security Agency can’t keep their own data secure.

As far as I’m concerned, a massive security breach at Amazon exposing the personal information of millions of customers is only a matter of time.

I’ll pass on Amazon Key, thanks. I hope you will too.

Another Failure Mode

Oh, goody! A whole ‘nother way the Internet of Things is getting security wrong.

Last month, security researcher Charles Henderson wrote about his experience trading in his car.

Briefly, both he and the dealer wiped all of his personal information out of the car–phone book, garage door opener, list of authorized devices. And yet, months later, the car still showed up in the app on his phone.

It’s not that the dealer and the manufacturer were unaware of security. Henderson makes it clear that they took the correct steps. But the focus of the team that designed and built the app and integrated it with the car’s systems was obviously on the “first owner” scenario, and not enough attention was paid to the possibility that someone might want to sell their car.

And it’s not just auto makers who have that problem. Henderson mentions another researcher who purchased a used home automation hub and found that doing a factory reset only wiped the configuration on the device itself; it didn’t touch the cloud-based configuration which included, among other things, the list of devices authorized to control the hub.

Right: even after wiping the device, the original owner would still have had access to every light bulb, every thermostat, and every door lock connected to the hub.
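A minimal model of that failure and one way to close it, added here as an illustration; it is not code from Henderson’s write-up or from any vendor. The class names, the ownership “generation” counter and the identifiers are all assumptions made for the sketch.

```python
from dataclasses import dataclass, field

@dataclass
class CloudRecord:
    """Cloud-side state for one hub (hypothetical model)."""
    generation: int = 0                          # bumped on every ownership reset
    grants: dict = field(default_factory=dict)   # controller id -> generation at grant time

@dataclass
class Hub:
    hub_id: str
    local_config: dict = field(default_factory=dict)

class Cloud:
    def __init__(self):
        self.records = {}

    def pair(self, hub, controller):
        rec = self.records.setdefault(hub.hub_id, CloudRecord())
        rec.grants[controller] = rec.generation
        hub.local_config["paired"] = True

    def may_control(self, hub, controller):
        rec = self.records.get(hub.hub_id)
        # A grant counts only if it was issued in the current ownership generation,
        # so a stale or cached grant from a previous owner fails this check.
        return rec is not None and rec.grants.get(controller) == rec.generation

    def ownership_reset(self, hub):
        rec = self.records.setdefault(hub.hub_id, CloudRecord())
        rec.generation += 1      # invalidates every earlier grant at once
        rec.grants.clear()

def factory_reset_local_only(hub):
    """The flawed behaviour described above: only on-device state is wiped."""
    hub.local_config.clear()

def factory_reset_with_unbind(hub, cloud):
    """Hardened reset: wipe the device and revoke the cloud-side grants too."""
    hub.local_config.clear()
    cloud.ownership_reset(hub)

def demo():
    cloud, results = Cloud(), {}
    hub = Hub("hub-constructed-01")              # constructed sample id
    cloud.pair(hub, "first-owner-phone")
    factory_reset_local_only(hub)
    results["after_local_reset"] = cloud.may_control(hub, "first-owner-phone")
    factory_reset_with_unbind(hub, cloud)
    results["after_unbind_reset"] = cloud.may_control(hub, "first-owner-phone")
    cloud.pair(hub, "second-owner-phone")
    results["new_owner"] = cloud.may_control(hub, "second-owner-phone")
    results["old_owner_after_resale"] = cloud.may_control(hub, "first-owner-phone")
    return results
```

After the local-only reset the first owner’s phone is still authorized; only the reset that also reaches the cloud record locks it out.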

Still feeling cheerful about your Amazon Echo or Google Home giving you voice control over your house? After all, you’re not planning to sell that device, are you? No? Well, what if something goes wrong and you have to send it in for service? Are you certain you’re going to get the same device back? How confident are you that your original device won’t wind up being refurbished and resold?

Let’s face it: this isn’t a new problem, and we should have seen it coming. How many stories have you seen in the newspaper about someone buying a used computer and finding porn on the hard drive? Henderson notes that early smartphones lacked a way to wipe them for resale, and it was only after many well-publicized tales of people buying used phones for nefarious purposes that a wipe command was added.

Nor is there a good solution. Even if every new IoT device was designed with security as the first consideration, there are still millions of gadgets out there that have no security and no way to upgrade them to add it. In many cases, the company that made them isn’t even in business any more.

Teamwork

So many of my posts only show one of the cats, you all must be getting a false impression. Yes, I’ve shown you several of them using each other as pillows, but beyond that, not much.

But they really do hang out together when they’re awake, too.

Case in point.

Mid-afternoon. The mail had already been delivered, which meant there was no reason to hide in the closet, so several of them decided to sprawl on the stairs and watch the world go by.

That’s Sachiko on the lowest step, by the way.

As you can see, she’s not nearly as relaxed as that first shot would suggest. Even when she does relax, she’s still usually on alert; I’m not sure I’ve ever seen her sleeping, at least not so soundly that anything larger than a moth could sneak up on her.

Which is, of course, part of the reason she gets along so well with ‘Nuki, our self-appointed Chief of Security.

Naturally, any time we open the sliding door, it calls for a two-member security team to ensure that nothing gets through the screen door. They’ll stay on duty for hours until we come to our senses and lock the house down again.

Such dedication! Such comradeship! Such gratuitous self-indulgence!

Insecure Things

OK, enough cheerful peanut-based posts. Back to the usual cynical doom and gloom.

Multiple sources are reporting depressing news about baby monitors. A company called Rapid7, Inc. tested nine devices from eight different companies. They found that every single one had serious security flaws that would allow an attacker to view the video stream from the camera, change its configuration, or launch attacks on other devices on the owner’s Wi-Fi network.

If you’ve been paying any attention to security matters in the last few years, you probably aren’t surprised about Rapid7’s findings. Just as there’s no such thing as a bug-free program, there’s no such thing as a secure Internet-connected device.

What is surprising to me is just how bad the manufacturers’ responses were when they were informed of the vulnerabilities. Philips–or rather, Gibson Innovations, who hold the license to sell baby monitors under the Philips brand name–is working on a fix, although no timeline has been set for its release. None of the other seven manufacturers is planning to fix the flaws in their products. According to the article on Ars Technica, Rapid7 couldn’t locate one manufacturer, several didn’t even acknowledge receipt of Rapid7’s notification, and some stated flat-out that they saw no reason to look at the report.

If it were just baby monitors, it might not be a big deal, but let’s not forget that consumer electronics manufacturers are pushing more and more Internet-connected devices into the market. It’s not just TVs and video players (many of which have had their own security failings) anymore. Refrigerators that monitor their contents and nag you to go shopping–or simply place orders for grocery delivery themselves. Clothes washers and driers, dishwashers, ovens, furnaces, lights, smoke and carbon monoxide detectors, and door locks all have network connections.

Keep in mind that the baby monitors weren’t cheap models from fly-by-night companies. They included well-known brand names and some of the most popular models. Yet only one manufacturer is apparently willing to stand behind their product and resolve the problem. If that attitude carries over into other appliances, well, you might give some thought to buying up a stock of locks and light bulbs now while you can still get ones that don’t require a network connection.

“But wait,” I hear you say. “What if I just don’t set up the network connection? Won’t I be safe then?”

Probably not.

First, many “Internet of Things” devices are designed to set themselves up–scan for a network and join it automatically, or in some cases, they establish their own network parallel to your regular Wi-Fi.

Second, some devices won’t work until they’ve been set up. I recall a review of a Bluetooth-controlled door lock, which unfortunately I can’t find at the moment, which will not lock until you pair it with a smartphone and run an app to set the combination for the manual push-button mechanism. (At that, it’s arguably safer than a lock that comes with a default combination printed in its manual.)

Third, if the device doesn’t self-configure and you don’t set it up, it will remain in its default configuration. Most likely, it will have a default password–or no password at all–allowing anybody who scans for Wi-Fi signals to find it and configure it for their own purposes. Do you really want your next-door neighbor to control your thermostat? How about your dishwasher? Better go apologize for that loud party last month before you install your new app-controlled garbage disposal.

Fairness In the Media

I was looking at the site stats the other day. Sounds thrilling, doesn’t it? I’ll admit, it can be boring, but it has to be done. After all, you never know when it will let you correct a serious social injustice.

No, really!

Specifically, I was looking at the number of times I’ve posted about the feline members of the household. Observe:

  • Kaja – 27 articles
  • Watanuki – 26 articles
  • Rhubarb – 25 articles
  • Kokoro – 20 articles
  • Yuki – 19 articles

Can you believe it? It’s a wonder the Poof and the Floof are even still talking to me. And yet they do. She still spends the night curled up on my lap or behind my knees. He still does his best to ensure that my elbows are squeaky-clean. OK, usually he starts licking my elbow in the middle of the night when I’m trying to sleep, but I’m pretty sure he means well.

So, to redress the balance a little–and make sure I stay in their good graces–here are a few pictures.


Kokoro has a crowded schedule of sleeping on the bed,

sleeping on the floor in the sun,

helping Maggie solve computer problems,

and manning–well, felining–the home laser defense turret.


Yuki is even busier, what with sleeping on the stairs,

sleeping on the bed,

helping me develop plot points (“And then what happens? Uh-huh. Sounds fascinating. Really.”),

and watching baseball (although he’s easily distracted–I believe this time it was the sound of a can of gooshy food being opened).

Still, despite their differences and their busy schedules, Kokoro and Yuki still find time to relax together over a nice bowl of catnip tea.

Well, OK, maybe not.

They’re At It Again

Time for another roundup of cat-related news from around the world.

Adriana Lee reports that her cats didn’t take it well when she installed a home monitoring system to keep tabs on them.

We’ve talked about the risks of insufficiently-secured home monitoring systems before, but we missed this one. According to Adriana, the system had been in place for less than a day when the motion sensor alerted her to feline activity in the bedroom. She switched on the camera just in time to witness one of the cats lying down on her pillow, looking at the camera, and then coughing up a hairball on her side of the bed.

Clearly the cats were up to something nefarious and didn’t want her to catch them at it. We all know from the movies that premature revelation of a villain’s plans for world domination is the most common reason why the plans fail. Surely the cats are well aware of that fact too.

Or maybe they’re not after world domination. Maybe they’re members of the growing class of feline masterminds. Adriana doesn’t say where she lives, but it could be that her cats are controlling James Lawlor of Clearwater, Florida. Mr. Lawlor was arrested when he tried to walk out of Walmart pushing a shopping cart filled with cat food.

He claimed that he planned to sell the food to a friend with 300 cats, but how likely is that? It seems obvious that his claim is really a cover story to avoid revealing his feline controller, who’s attempting to set up a food supply independent of any human. Stocking a secret command post is an expensive proposition; any savings you can realize through control of weak-minded humans is money you can put into catnip-infused champagne for your victory party.

A bit of sad news on the subject of feline overlords: The infamous Colonel Meow passed away last week. The Colonel’s minions request that memorial contributions be sent to Seattle Persian and Himalayan Rescue. My presumption is that SPHR is a front established by the Colonel’s successor, and the funds will be used to further the Colonel’s dream of world domination.

Not all cats are as blatant in their methods as Colonel Meow. Take a peek at this post by Devan McGuinness. The post, clearly ghost-written by a cat, makes it clear that humans should dump their spouses and lavish all of their love on their feline ~~overlords~~ companions. Her ten reasons why a cat is the perfect valentine are a frightening peek into the way cats want us to think of them. I’m particularly taken by number 4: “Hanging out at home is also their idea of a really good time.” Forget all the times the cats have tried to dash past your feet when you open the door or squeeze out of a barely-opened window. They don’t want to get out to further their nefarious plans at all. You clearly are hallucinating. Your cat wants nothing more than to stay at home and watch “Love Actually” with you (per reason number 8).

One last note. Our feline masters are figuring out that sometimes it’s worthwhile for them to team up and work together to extend their control over humans. Case in point: there are currently two groups competing to open the first “cat cafe” in the U.S. Both groups are in the SF Bay Area, and one suspects that the competition between them owes as much to the rivalry between San Francisco and Oakland as it does to the battle for market- and mind-share. Both groups are affiliated with rescue/adoption organizations, so the potential for the feline masters to use the cafes to infiltrate formerly cat-free homes is obvious.

The race to open first–both groups are targeting this summer–is still neck-and-neck. Both groups have tentative approval from the appropriate zoning and health departments, both have secured partial funding, and both are still looking for appropriate spaces.

KitTea, in San Francisco, seems to be somewhat ahead in website development, but Oakland’s Cat Town Cafe has an active Indiegogo page for funding, as well as pledged support from Pet Food Express.

Stay tuned. When (or if) either group manages to get their venture off the ground, I’ll be sure to do an on-the-spot report.

Flying Monkey Security Service

Quite a while ago, I posted a video of Ooki Brothers Security on the job, guarding the house against the evil squirrels who invade the bird feeders.

Before there was Ooki Brothers Security, though, Kaja and Rhubarb, better known collectively as the Flying Monkeys, were on the job.

Evil squirrels take no vacations, and neither do our feline security services.
