[Info-vax] VMS and the Internet of Things (IoT)

johnwallace4 at yahoo.co.uk johnwallace4 at yahoo.co.uk
Sun Nov 6 14:18:59 EST 2016


On Sunday, 6 November 2016 16:25:03 UTC, Kerry Main  wrote:
> > -----Original Message-----
> > From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf
> > Of Bob Koehler via Info-vax
> > Sent: 14-Sep-16 9:45 AM
> > To: info-vax at rbnsn.com
> > Cc: Bob Koehler <koehler at eisner.nospam.decuserve.org>
> > Subject: Re: [Info-vax] VMS and the Internet of Things (IoT)
> > 
> [snip..]
> 
> Another interesting article .. a company's data was being stolen
> via a soda machine that had been installed internally. 
> 
> http://bit.ly/2eshdNP
> "What had happened, Coffey said, was that the company had a new
> soft drink vending machine installed and because the machine had
> both a credit card reader and was able to automatically order
> replenishment, it was connected to the company network. What
> nobody thought about was that the soda machine, like most IoT
> devices, had no security.
> 
> When the security staff discovered that data was being stolen
> from the company, they learned that data was first being copied
> from the company servers to the soda machine enabling the hackers
> to transfer the data to their own servers.
> 
> This happened because there was no coordination when the soda
> machine was attached to the network and nobody realized that the
> machine should be put outside of the company firewall, separate
> from corporate network. And, of course, nobody was monitoring the
> data transfers from the soda machine because it was, after all,
> just a soda machine"
> 
> 
> Regards,
> 
> Kerry Main
> Kerry dot main at starkgaming dot com

Psst, Kerry.

Don't tell anybody, but modern networked photocopiers
(which also scan and print, ie multi-function printers
aka MFP) have been offering a variant on this theme
for over a decade, not least because they frequently and 
"legitimately" have both internal LAN access (so people
can print and scan things) and external network access
(so the machine can be remotely managed and otherwise
phone home as required).

The original concern was stuff stored on the hard drive
in the MFP, stuff which could be accessed by the trusty
photocopier repair people who come with their own 
laptops and without any security checks (they did at one
secure UK site I'm familiar with, and when someone
suggested to both IT and corporate security that there
might be various levels of weakness here, the response
wasn't encouraging).

These days, even if the photocopier as supplied by the
vendor doesn't have a hard drive, it's a piece of cake 
to add spy capability later using a small format
computer (e.g. the ubiquitous Raspberry Pi hidden
somewhere in the innards of the machine, maybe using
private WiFi to get data out).

It's 11 o'clock at night. Do you know what your MFP
is doing, and what it has been doing during the day?
E.g. saving a copy of selected documents it printed or
scanned, ready for disguised upload to HQ when nobody
is expected to be watching... 

Allegedly, obviously. And obviously HP Inc wouldn't do that,
but some of those nasty foreign spy companies might.

Meanwhile, more than a few years ago, vending machine
suppliers were solving the "phone home" issue by using
things like cellular modems in the machine, thereby
keeping them off the corporate network and avoiding
most of the issues described in the article.

I briefly worked with a multinational vending machine 
management company who were using cellular connectivity
to solve the day to day connectivity needs. My work was
part of a Y2K exercise, which gives a hint as to how
long ago it was.

That company is long gone, but the core connectivity
and security need appears to still exist, and the cheap
and simple solution (which involves no real opportunity
for the "security" companies) is apparently of little
interest to tech media. Fancy that.

Interesting times.
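The failure described in the quoted article (nobody was monitoring transfers from the soda machine, and the machine sat on the corporate LAN rather than segmented from it) is the kind of thing a short egress check over flow records will surface. The following is an added example, not code from the thread or from any vendor: it takes constructed NetFlow-style records and an assumed inventory of unattended devices with the external hosts they legitimately need, then flags any device whose outbound volume to external hosts is large and comparable to what it just pulled from internal servers, or that talks to an external host not on its approved list. The addresses, device names, byte counts and thresholds are all assumptions made for the example.

```python
"""
Flag the copy-then-exfiltrate pattern from the quoted article: an unattended
device (vending machine, MFP) that ingests data from internal servers and then
pushes a comparable volume to an external host nobody approved.

Everything below is constructed for illustration; none of these addresses,
names or thresholds come from the mailing-list thread.
"""
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style records: (src, dst, bytes).
# Assumed addressing: 10.0.0.0/8 is the corporate LAN, anything else is external.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.9.50", 52_000_000),    # file server -> vending machine
    ("10.0.1.11", "10.0.9.50", 18_000_000),    # db server   -> vending machine
    ("10.0.9.50", "203.0.113.7", 69_500_000),  # vending machine -> unknown external host
    ("10.0.9.50", "198.51.100.20", 12_000),    # vending machine -> vendor restock API (approved)
    ("10.0.9.60", "198.51.100.20", 9_000),     # MFP -> vendor remote management (approved)
    ("10.0.2.5", "10.0.9.60", 300_000),        # workstation -> MFP (print jobs)
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Assumed inventory: unattended devices and the only external hosts they need.
# In practice this is the list that "nobody thought about" when the machine was plugged in.
IOT_DEVICES = {
    "10.0.9.50": {"name": "soda-machine", "allowed_external": {"198.51.100.20"}},
    "10.0.9.60": {"name": "mfp-lobby", "allowed_external": {"198.51.100.20"}},
}


def is_internal(addr):
    """True if the address sits inside the assumed corporate LAN range."""
    return ipaddress.ip_address(addr) in INTERNAL


def summarize(flows):
    """Per-device counters: bytes in from the LAN, bytes out to external hosts,
    and the set of external destinations not on the device's approved list."""
    stats = defaultdict(lambda: {"in_lan": 0, "out_ext": 0, "unapproved": set()})
    for src, dst, nbytes in flows:
        # Internal host -> monitored device: data landing on the device.
        if dst in IOT_DEVICES and is_internal(src):
            stats[dst]["in_lan"] += nbytes
        # Monitored device -> outside world: data leaving the building.
        if src in IOT_DEVICES and not is_internal(dst):
            stats[src]["out_ext"] += nbytes
            if dst not in IOT_DEVICES[src]["allowed_external"]:
                stats[src]["unapproved"].add(dst)
    return stats


def find_suspects(flows, min_out_bytes=10_000_000, ratio=0.5):
    """Return {device name: [reasons]} for devices whose external egress is both
    large and a sizeable fraction of what they ingested from the LAN, or which
    reached an external host outside their approved list.  Thresholds are
    assumed starting points, to be tuned against real baselines."""
    suspects = {}
    for dev, s in summarize(flows).items():
        reasons = []
        if s["out_ext"] >= min_out_bytes and s["out_ext"] >= ratio * s["in_lan"]:
            reasons.append(f"egress {s['out_ext']} B vs LAN ingress {s['in_lan']} B")
        if s["unapproved"]:
            reasons.append("unapproved external hosts: " + ", ".join(sorted(s["unapproved"])))
        if reasons:
            suspects[IOT_DEVICES[dev]["name"]] = reasons
    return suspects


if __name__ == "__main__":
    for name, reasons in find_suspects(SAMPLE_FLOWS).items():
        print(name, "->", "; ".join(reasons))
```

Run as-is it reports only the soda machine: roughly 70 MB pulled from two internal servers followed by roughly 69.5 MB sent to an external address that is not the vendor's restock endpoint. The MFP, which only exchanges a few kilobytes with its approved management host, stays quiet. The same two checks (egress volume relative to LAN ingress, and destinations outside an allow-list) are what a segmented network and a per-device egress policy would enforce up front rather than detect after the fact.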
