The internet of things and the future of banking



Winehole23
11-23-2015, 10:40 AM
"As bankers, do we care if our customers connect their refrigerator to the Internet? I say we should care," said J. Paul Leavell, senior marketing analyst at Charlotte Metro Federal. "If you're paying for groceries with your refrigerator, as a banker I want to have my credentials in your refrigerator making that payment."


The most obvious IoT application for banks is in payments. In a commonly floated scenario, a customer's refrigerator senses the household has run out of milk and orders a fresh carton from the local grocery store. The payment seamlessly takes place in the background.


A good experience would incent the customer to use a bank app for this rather than a built-in payment system. Loyalty programs could flow through such an app, and the bank could collect data that could be used in marketing and customer service.


"The Internet of Things opens up a wonderful opportunity for us to get into the lives of our customers and segment them even further than we have in the past," Leavell said.

http://www.americanbanker.com/news/bank-technology/why-the-internet-of-things-should-be-a-bank-thing-1077911-1.html

Winehole23
02-22-2016, 10:06 AM
Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt.


http://krebsonsecurity.com/wp-content/uploads/2016/02/FI9286P.png
The FI9286P, a Foscam camera that includes P2P communication by default.



This is the nightmare “Internet of Things” (IoT) scenario for any system administrator: The IP cameras that you bought to secure your physical space suddenly turn into a vast cloud network designed to share your pictures and videos far and wide. The best part? It’s all plug-and-play, no configuration necessary!


I first became aware of this bizarre experiment in how not to do IoT last week when a reader sent a link to a lengthy discussion thread (http://foscam.us/forum/foscam-dialing-out-to-suspect-hosts-t17699.html) on the support forum for Foscam, a Chinese firm that makes and sells security cameras. The thread was started by a Foscam user who noticed his IP camera was noisily and incessantly calling out to more than a dozen online hosts in almost as many countries.


Turns out, this Foscam camera was one of several newer models the company makes that comes with peer-to-peer networking capabilities baked in. This fact is not exactly spelled out for the user (although some of the models listed (http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Delectronics&field-keywords=foscam+p2p) do say “P2P” in the product name, others do not (http://www.amazon.com/review/RFM7GAPVPH6RD/ref=cm_cr_rev_detup_redir?_encoding=UTF8&asin=B00I9M4HBO&cdForum=Fx1BLJ13RLI7PNQ&cdPage=1&cdThread=Tx2YIXUHKRE2TPS&newContentID=Mx2RJN1XPG6RJVR&store=photo#Mx2RJN1XPG6RJVR)).


But the bigger issue with these P2P-based cameras is that while the user interface for the camera has a setting to disable P2P traffic (it is enabled by default), Foscam admits that disabling the P2P option doesn’t actually do anything (http://foscam.us/forum/foscam-dialing-out-to-suspect-hosts-t17699-40.html#p70740) to stop the device from seeking out other P2P hosts online (see screenshot below).

http://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/

Winehole23
02-22-2016, 10:09 AM
If you’re curious about an IoT device you purchased and what it might do after you connect it to a network, the information is there if you know how and where to look. This Lifehacker post (http://lifehacker.com/how-to-tap-your-network-and-see-everything-that-happens-1649292940) walks through some of the basic software tools and steps that even a novice can follow to learn more about what’s going on across a local network.
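An added example, not part of the quoted articles or the posts above: one way to check what a device reaches outside the LAN, and whether turning a setting such as the P2P option off actually changes that. The flow-record format, the addresses, the port numbers and the `p2p_on`/`p2p_off` phase labels are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet
CAMERA = "192.168.1.50"                        # assumed address of the device under test

# Constructed flow records, one per line: phase src dst proto dst_port.
# "phase" marks whether the capture was taken with the P2P option on or off.
SAMPLE_FLOWS = """\
p2p_on  192.168.1.50 192.168.1.1     udp 53
p2p_on  192.168.1.50 198.51.100.7    udp 40000
p2p_on  192.168.1.50 203.0.113.21    udp 40000
p2p_on  192.168.1.50 192.0.2.14      tcp 443
p2p_on  192.168.1.50 239.255.255.250 udp 1900
p2p_on  192.168.1.77 198.51.100.7    tcp 443
p2p_off 192.168.1.50 192.168.1.1     udp 53
p2p_off 192.168.1.50 198.51.100.7    udp 40000
p2p_off 192.168.1.50 203.0.113.21    udp 40000
truncated line
"""

def external_peers(log, device):
    """Map each phase to the set of (dst, proto, port) the device reached outside the LAN."""
    peers = defaultdict(set)
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        phase, src, dst, proto, port = fields
        try:
            dst_ip = ipaddress.ip_address(dst)
            port_no = int(port)
        except ValueError:
            continue
        # Ignore other hosts, LAN-internal traffic and multicast discovery chatter.
        if src != device or dst_ip in LAN or dst_ip.is_multicast:
            continue
        peers[phase].add((dst, proto, port_no))
    return peers

def setting_effect(log, device, before="p2p_on", after="p2p_off"):
    """Compare external peers before and after a setting change."""
    peers = external_peers(log, device)
    on, off = peers[before], peers[after]
    return {"stopped": sorted(on - off),
            "still_active": sorted(on & off),
            "new": sorted(off - on)}

if __name__ == "__main__":
    for kind, flows in setting_effect(SAMPLE_FLOWS, CAMERA).items():
        print(kind, flows)
```

Anything listed under `still_active` is a destination the device kept contacting after the setting was switched off, which is the behaviour the Foscam thread describes.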

Winehole23
10-21-2016, 09:04 AM
internet of things and the future of hacking:



We've increasingly covered how the "internet of poorly secured things" has contributed to a rise in larger DDoS attacks than ever before (https://www.techdirt.com/articles/20160926/09571235632/internet-poorly-secured-things-is-fueling-unprecedented-massive-new-ddos-attacks.shtml). The barely-there security standards implemented by companies more interested in hype than quality meant it didn't take long before hackers were able to incorporate "smart" refrigerators, power outlets (https://www.techdirt.com/articles/20160819/07473935285/your-smart-power-outlets-are-now-botnets-thanks-to-internet-broken-things.shtml), TVs and other IoT devices in the kind of DDoS attacks that recently took down (https://www.techdirt.com/articles/20160926/09571235632/internet-poorly-secured-things-is-fueling-unprecedented-massive-new-ddos-attacks.shtml) security researchers like Brian Krebs. The end result is DDoS attacks that continue to break records, first 620Gbps in the Krebs attack, then more recently a 1.1 terabits per second attack on a French web host (http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/).


But just how bad have things become? A new report by Akamai warns (https://www.akamai.com/us/en/about/news/press/2016-press/akamai-threat-research-team-identifies-openssh-vulnerability.jsp) that hackers are using a 12-year-old vulnerability in OpenSSH to funnel malicious network traffic through IoT devices. SSH certainly can be implemented securely, but as with every other security aspect of the IoT, many hardware vendors aren't bothering to do so. Akamai's data indicates roughly 2 million devices have been compromised by this type of hack, which the firm dubs SSHowDowN.

https://www.techdirt.com/articles/20161013/09232735787/akamai-12-year-old-ssh-vulnerability-fueling-internet-of-broken-things-ddos-attacks-worse.shtml

boutons_deux
10-21-2016, 10:56 AM
Huge attack on Dyn DNS today, half of USA internet struggling

Winehole23
01-31-2019, 01:02 AM
Your internet-of-shit smart lightbulb is probably storing your wifi password in the clear, ready to be recovered by wily dumpster-divers; Limited Results discovered the security worst-practice during a teardown of a Lifx bulb (https://limitedresults.com/2019/01/pwn-the-lifx-mini-white/); and that's just for starters: the bulbs also store their RSA private key and root passwords in the clear and have no security measures to prevent malicious reflashings of their ROMs with exploits, network probes and other nasties. https://boingboing.net/2019/01/29/fiat-lux.html