FBI PSA CYA ASAP

FrgMstr

The FBI wants you to know that all sorts of new kids' toys have the ability to leak what might very well be sensitive information about your kids online. Just ask Alexa or Google Home.

The FBI encourages consumers to consider cyber security prior to introducing smart, interactive, internet-connected toys into their homes or trusted environments. Smart toys and entertainment devices for children are increasingly incorporating technologies that learn and tailor their behaviors based on user interactions. These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options. These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.
 
I'm guessing they are referring to "toys" that can connect to wifi in some way. There is a reason why I won't touch that stupid shit.
 
Wait, why is the FBI telling us this? Must be a reverse psychology attempt.
 
Too much of this internet connected stuff is designed and implemented by amateurs. By amateurs I mean people that don't have the training and/or experience in creating products where "correctness" is required. That means starting with requirements (to define all functionality and correct behaviors) and ending with V&V. There are a lot of steps in between (including security reviews), but if this kind of professional process is not used, then the device will be insecure. It's all a function of time-to-market and final cost, of course, but as always you get what you pay for.
 
Kind of surprised the NSA has not yet provided a "buy this, not that" for security. The "that" of course being toys which they have already hacked into.
 
Too much of this internet connected stuff is designed and implemented by amateurs. By amateurs I mean people that don't have the training and/or experience in creating products where "correctness" is required. That means starting with requirements (to define all functionality and correct behaviors) and ending with V&V. There are a lot of steps in between (including security reviews), but if this kind of professional process is not used, then the device will be insecure. It's all a function of time-to-market and final cost, of course, but as always you get what you pay for.

Eh, I don't think it's so much that - I think it boils down to ANYTHING that connects to a network or the internet has to have updates on a regular basis. Period. No matter how diligent you are with your initial release, holes will be found eventually somewhere down the line.
 
Eh, I don't think it's so much that - I think it boils down to ANYTHING that connects to a network or the internet has to have updates on a regular basis. Period. No matter how diligent you are with your initial release, holes will be found eventually somewhere down the line.
While I agree that having the ability to update the firmware in the field is necessary, that is not a solution to poor software design and implementation. Take, for example, the aforementioned firmware updating process. Many just install TFTP and use the same password on every device. No locked boot-loader or digital signing of the new image. So once the password is discovered, it is simple for a hacker to upload new firmware, including changing the password. We should not accept a "patch it later" mentality to security.
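
The missing check the post above describes (a device accepting only firmware images signed by the vendor), sketched as an added example that is not part of the original thread or any vendor's code. The function names are hypothetical, RSA PKCS#1 v1.5 with SHA-256 is one assumed choice of scheme, and the key is a constructed demo key built from well-known Mersenne primes, so it is not secure.

```python
import hashlib

# Constructed demo key pair. P and Q are well-known Mersenne primes, so this
# key is trivially factorable: for illustration only, never for real signing.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: stays with the vendor
K = (N.bit_length() + 7) // 8       # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (PKCS#1 v1.5, RFC 8017 section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(image: bytes) -> bytes:
    """Build the padded block 00 01 FF..FF 00 || DigestInfo for the image."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign_image(image: bytes) -> bytes:
    """Vendor side: run once per release, using the private exponent D."""
    return pow(int.from_bytes(_encode(image), "big"), D, N).to_bytes(K, "big")


def verify_image(image: bytes, sig: bytes) -> bool:
    """Device side: needs only the public key (N, E) stored in the boot-loader."""
    if len(sig) != K:
        return False
    s = int.from_bytes(sig, "big")
    if s >= N:
        return False
    # Compare the whole padded block rather than parsing it, so a malformed
    # padding that happens to end in the right hash is still rejected.
    return pow(s, E, N).to_bytes(K, "big") == _encode(image)


def apply_update(current: bytes, image: bytes, sig: bytes) -> bytes:
    """Return the firmware to boot next: unchanged unless the signature verifies."""
    return image if verify_image(image, sig) else current


if __name__ == "__main__":
    fw = b"constructed firmware image v2"  # constructed sample input
    sig = sign_image(fw)
    print("genuine image accepted:", apply_update(b"v1", fw, sig) == fw)
    print("tampered image rejected:", apply_update(b"v1", fw + b"!", sig) == b"v1")
```

Because the device holds only the public key, learning the shared update password, or dumping one device, does not let anyone produce an image that other devices will accept.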
 
So are we accepting what they say this time or just blowing it off as corruption/deep state? Really confusing to me.
 
It's sad people are so fucking dumb, the FBI feels the need to warn them.

What they need to warn people about are the robots that are going to KILL US ALL!!!!!
 