In the Level1 News July 17 2020 an interesting aspect was brought up about a topic that has multiple mentions in information security in general: 10:28 - Home security cameras can tell burglars when you’re not in, study shows
I thought I should share this via the forum to allow a better exchange of ideas and thoughts on this.
@wendell and team brought the news of the security camera study.
This not only applies to security cameras, but all wireless data actors in a household. All of them provide some degree of information on:
How many people live in the household (when monitoring over a longer time period)
How many are currently home
Do they have wireless security cameras
Any other wireless device information
All this, thanks to the fact that as the word wireless implies, it goes through walls and leaves the house, allowing malicious entities to track even movement inside the house to a certain degree.
It is in general an interesting attack vector to sniff out a neighborhood via cheep wireless collector and auto send an SMS in case of the usage dropping for a certain SSID for a pre defined amount of time.
Question to the forum:
Are we already at a point where starting to think about this is reasonable?
What are effective counter measures that help future society defend against this type of data collection attacks (other than going wired-only)
If malicious groups gather all that data, plus cross it with leaked device data from stores on devices that shop regularly, do we need to protect our wireless identify better than now, to not raise potentiality of platforms selling “high valued targets that are on vacation” like data via whatsapp to more simple minded criminals?
Some answers I can think of now are:
having devices that random re-generate their wireless identity every now and then
if wireless is a thing at home, have mock devices that simulate a static noise equivalent to average use, thus not impacting performance
give devices (if possible) a different MAC address, so that eg. potential malicious individuals think you have eg. more security cameras
raising awareness to our friends and family to what it means to be “wireless” and how they can without adding lots of problems deal with it. EG.: GPS/phone-location based application that enables wireless only when you are at home (eg. Llama on android)
Thanks for all your thoughts beforehand and hope this is informative to those not having thought about this at all so far.
PS.: At the time of posting, the Level1 post linking through one-tab for this video does not exist yet.
As someone that has recently started the de-cloud my life thing, yeah, I think it is important to start educating people on these things. I know that at least in the USA, people are lazy and are willing to trade their freedoms for convenience (don’t try to ask them to do something not-selfish though. See /pol for details).
Eventually the technology becomes so easy to implement and dumbed down so that the lowest common denominator can get themselves in trouble.
Example:) Wired cameras offer more security. But your average person ain’t got time to crawl around in the interior walls and run cable and setup a network for that. But with my wifi camera with WPS, I I need to do is run power to it or run it off a battery and then hang it up.
I can guarantee you right now, that if you go into a neighborhood right now, you will see a whole bunch of wireless access points broadcasting their SSIDs with xfinity and a password of 123456789 or 1qaz2wsx, or and etc. Never fails. just because people can do it, does not mean that they should.
I don’t have any cameras yet, but that is the next step once I finish adding all of my IoT light switches and outlets. My wife keeps harping on wireless cameras because she wants to help. She does not want to put in the work. I explained to her, you are going to need to run power anyway and external power is not going to do it so we are going to do PoE. One hidden cable.
We are also planning on turning on the automation so that lights turn on randomly while we are not home an that they are tied to motion sensors, alarms, and cameras so that it would at least appear that we are home. ADT won’t be able to do anything except call the cops. I can do that, with my own recording and pictures.
Honestly, wireless proliferation has helped technology advance to the masses but at a great cost. Wired is not the panacea that we want, but make the malicious people work for it.
Same here in Europe. Don’t think this would be different at any other place and to be honest, why should it? We should have systems allowing us to be lazy and have a reasonable trade off between security (in all senses) and convenience.
I guess this mainly does not happen as it is hard to demand those things from companies, when we lost those values due to being spoiling by the latest economy and industrialization to some extend. And the revenue driven short and long term goals, instead of manifesting a proper business with good quality value products, short term “fancy” things are sold better, so those make the market and kill everyone doing different, as the people valuing those things are not growing enough to allow those business to stay.
Fortunately we do have groups of people that organize meetings at schools and teach children the importance of how to handle and identify one’s own sensitive data and basics of “the internet” (link to german info page).
It would be nice to just not having to care.
The idea behind having a password on wireless is/was for 2 reasons:
restrict access to the local network
encrypt traffic
(WPS takes care to some degree, when a PIN is used…)
I personally would like to see a standard that allows the following:
plug in a new device X into the network
optional: let the user scan a QR code individual to the device for a pre-shared key like feature (without him needing to know what this is)
(pre) authorized phone/laptop gets notification of X wanting to: access other devices of the same vendor, access to internet (domain: X dot org), “register” so to say its service to the local mesh (avahi like)
This would allow a no trust network, with encrypted traffic by default, encapsulating all devices from one another except the ones explicitly approved, including www access. … but that goes off topic.
That very same thing has been a sane default my parents did since I can remember. Having a time based power switch attached to some lamps in the house and letting them go off at intervals simulating someone being there.
Including wireless devices that can live off grid thanks to the efficiency of today’s solar panel we are evolving to a more connected society.
Data collection is and has always been the goal of most in power, as it not only allows for a lot of mischieve, but also allows to identify potential future issues and guide to a better utopia (leaving it open to who’s utopia this is going to be).
Good luck with being allowed to place cables in the wall to run PoE.
Moving one’s own live a little bit more into consciously spreading data and limiting it is definitely a way to go.