
Just to add: Scanning networks to gather data seems pretty popular these days - smart TVs have done so, and even the eBay site used to portscan visitors [1].

[edit] And of course, there's WebRTC leaking your local IP - which uBlock Origin can specifically block [2].

[1] https://www.bleepingcomputer.com/news/security/ebay-port-sca...

[2] https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-l...



That's a clear violation of the CFAA. This crime carries prison time. How come they threw teenagers in prison but not the people responsible for doing it en masse?


There is a different set of laws for me and you. Corporations and CEOs play by their own rules.


How is this a violation against the CFAA?


Unauthorized network access? Literally the whole point of the thing.


I would argue the point was the opposite. It began with a request for authorization.


I don't see how this is any different than walking into a building and telling the concierge you're a maintenance worker.


Because the IoT devices are invited, EULA and all. You aren't invited just because you walked in.


Most people I know never invited network scanning. They were surprised by a Trojan holding their new TV hostage though (if they even noticed.)


The illegal part there isn't requesting access, it's lying about being a maintenance worker to gain access.


Consent is tricky. Many people are not aware of what they are giving authorization to. That would make it uninformed consent. Add dark patterns in and I think it is easy to say that some people are not only unaware of what they are authorizing, but purposefully being misled.

Let's be real, most people are tech illiterate. If someone can't read a contract and there is no one there to explain it to them, then they are not engaging in informed consent.

Of course we have to ask if this is ethical or not. But let's not boil the conversation down to "we asked, so it is right." One side is arguing that the person didn't give informed consent and the other side is arguing that consent was given simply because a button was pressed.

It's honestly an ethical discussion of if this is right or not.


> It began with a request for authorization.

Yes, by asking someone who doesn't have permission to give that authorization to do so.


What access controls are being bypassed?


Wait, so using a program like Wireshark to scan a network is illegal in and of itself??

I thought you had to use the information nefariously for there to be a crime.

How can receiving broadcasts be illegal?


Wireshark is passively listening on incoming traffic, so no.

Running tools like nmap has gotten people in trouble though, and it varies by country.

https://nmap.org/book/legal-issues.html


If it's a clear violation maybe sue them for breaching your network?


I don't even have non-free mobile OSes on my network much less this.


Because people blindly accept terms of service.


It's not people's fault that terms of service are intentionally designed to be as long-winded as possible if you want any hope of using a product or service.


Team of lawyers and psychologists vs tech-illiterate user. Seems like a fair fight to me.


Is this separate from mDNS [1]? A lot of smart TVs and PCs increasingly use mDNS to support some fairly handy consumer features, like AirDrop, being able to set up your TV with your phone, network printing/scanning, ChromeCast, whole-home control of lights & other IoT devices, etc.

[1] https://en.wikipedia.org/wiki/Multicast_DNS


The incident I'm referring to was about LG [1]. The report includes network captures, so I'd trust it.

Apparently, some Chinese smart TV brands have been doing similar things, but I wouldn't be surprised if most other vendors have caught up and used stealthier techniques.

[edit] Here's the news about those Chinese TVs [2] and the original report [3]

[1] https://arstechnica.com/information-technology/2013/11/lg-sm...

[2] https://www.theregister.com/2021/05/04/skyworth_gozen_smart_...

[3] https://www.v2ex.com/t/772523


Small point: LG is a Korean company, not Chinese.


Right, those are two distinct incidents (and years apart).

Sorry if that wasn't clear.


IIRC the eBay thing was yet another way to fingerprint you to re-identify fraudulent account creators.


That might be a justification you could slip past a judge who doesn't understand...

I wonder if I could rob a bank, then if I got caught claim "I was just checking to make sure they had enough money to cover my deposits!"


Many common wifi APs (e.g. TP-Link EAP225) will allow you to create separate wifi networks on different VLANs. You can use this to isolate internet of shit devices onto their own networks where they can’t talk to your other devices, without increasing your hardware costs or causing wifi interference.

You’ll need a router/firewall and an AP that are both VLAN-aware. I personally use an EAP225 and some eBay industrial PC running FreeBSD.


And/or some routers offer 'AP Isolation' or 'Client Isolation' to prevent devices from communicating with each other (I am always glad to see public networks configured this way, but at home it'd be a pain to not be able to shell from one box into another etc.)


It only “leaks” your IP if you are trying to use WebRTC features with a VPN, otherwise WebRTC is perfectly fine to use without concern for most people.


Interesting! That's not how I read the uBlock Origin docs:

"Keep in mind that this feature is to prevent leakage of your non-internet-facing IP addresses. The purpose of this feature is not to hide your current internet-facing IP address -- so be cautious to not misinterpret the results of some WebRTC-local-IP-address-leakage tests found online."

That said, my Firefox 91 and Safari don't leak local IPs regardless of the uBlock setting.

Warrants more investigation perhaps.


I believe newer versions of WebRTC use mDNS to mask local IPs:

https://bugs.chromium.org/p/chromium/issues/detail?id=878465


Great find! Here's the IETF draft [1], submitted by Apple (which would explain why I'm not seeing leaks on Safari)

[1] https://datatracker.ietf.org/doc/html/draft-mdns-ice-candida...



