The cybercriminals in control of Kimwolf -- a disruptive botnet that has infected more than 2 million devices -- recently shared a screenshot indicating they'd compromised the control panel for Badbox 2.0, a vast China-based botnet powered by malicious software that comes pre-installed on many Android TV streaming boxes. Both the FBI and Google say they are hunting for the people behind Badbox 2.0, and thanks to bragging by the Kimwolf botmasters we may now have a much clearer idea about that.
A web-based control panel, allegedly for the Badbox 2.0 botnet, at the IP address 45.134.212.95. This Users panel lists seven authorized users, all but one of which have email addresses ending in the Chinese email service qq.com. Two of the users on this list map directly to domains tied to the Badbox 2.0 botnet.
"Towards Automating IoT Security: Implementing Trusted Network-Layer Onboarding" white paper by NIST (US National Institute of Standards & Technology) - goals for improving the security of adding new IoT devices to a network:
• unique per-device network credentials
• zero-touch onboarding
• configurable trust policies
• continuous assurance
Protocols implementing them include WiFi Easy Connect & BRSKI, if built-in & supported by the network. https://csrc.nist.gov/pubs/cswp/42/towards-automating-iot-security-implementing-trust/final #cybersecurity #IoT #networking #tech
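The four goals above in working form, as an added example that is not NIST's code or part of the white paper: a device presents a manufacturer-issued identity, a configurable trust policy decides admission, every admitted device gets its own fresh credential, and the same checks are re-run later so a device can be cut off. Manufacturer signing is simulated with HMAC under a constructed key (BRSKI uses X.509 IDevID certificates and Wi-Fi Easy Connect uses DPP bootstrapping keys; both are assumed away here), and the manufacturer names, serials and policy values are all made up.

```python
"""Trusted onboarding policy check (added example, not NIST's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Assumption: per-manufacturer signing keys the network operator obtained out
# of band (the role a manufacturer CA plays in BRSKI). Constructed values.
MANUFACTURER_KEYS: Dict[str, bytes] = {"AcmeCam": b"constructed-acme-key"}


@dataclass(frozen=True)
class DeviceIdentity:
    manufacturer: str
    serial: str
    firmware: str
    signature: str  # hex HMAC over "manufacturer|serial|firmware"


def _identity_mac(manufacturer: str, serial: str, firmware: str, key: bytes) -> str:
    msg = f"{manufacturer}|{serial}|{firmware}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_identity(manufacturer: str, serial: str, firmware: str, key: bytes) -> DeviceIdentity:
    """Manufacturer side: bind serial and firmware version to a signed identity."""
    return DeviceIdentity(manufacturer, serial, firmware,
                          _identity_mac(manufacturer, serial, firmware, key))


def identity_is_genuine(dev: DeviceIdentity) -> bool:
    key = MANUFACTURER_KEYS.get(dev.manufacturer)
    if key is None:
        return False  # unknown manufacturer: nothing to verify against
    expected = _identity_mac(dev.manufacturer, dev.serial, dev.firmware, key)
    return hmac.compare_digest(expected, dev.signature)


def _version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


@dataclass
class TrustPolicy:
    """Configurable trust policy: operators tune these fields, not the code."""
    allowed_manufacturers: Set[str]
    min_firmware: Tuple[int, ...]
    revoked_serials: Set[str] = field(default_factory=set)

    def admits(self, dev: DeviceIdentity) -> Tuple[bool, str]:
        if dev.manufacturer not in self.allowed_manufacturers:
            return False, "manufacturer not trusted"
        if _version(dev.firmware) < self.min_firmware:
            return False, "firmware below policy minimum"
        if dev.serial in self.revoked_serials:
            return False, "serial revoked"
        return True, "ok"


class Onboarder:
    def __init__(self, policy: TrustPolicy):
        self.policy = policy
        self.credentials: Dict[str, str] = {}  # serial -> per-device credential

    def onboard(self, dev: DeviceIdentity) -> Optional[str]:
        """Zero-touch admission: no operator step, only identity plus policy."""
        if not identity_is_genuine(dev):
            return None
        admitted, _ = self.policy.admits(dev)
        if not admitted:
            return None
        # One fresh secret per device: a shared network password would let a
        # single compromised device impersonate every other one.
        cred = secrets.token_hex(16)
        self.credentials[dev.serial] = cred
        return cred

    def reassess(self, dev: DeviceIdentity) -> bool:
        """Continuous assurance: re-run the checks and revoke on failure."""
        admitted, _ = self.policy.admits(dev)
        if admitted and identity_is_genuine(dev):
            return True
        self.credentials.pop(dev.serial, None)
        return False
```

Raising `min_firmware` on the policy and calling `reassess` on an already admitted device removes its credential, which is the point of the continuous-assurance goal: admission is a decision that keeps being re-made, not a one-time gate.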
New, from me: The Kimwolf Botnet is Lurking in Corporate, Govt. Networks
A new Internet-of-Things botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Kimwolf’s ability to scan the local networks of compromised systems for other IoT devices to infect makes it a sobering threat to organizations, and new research reveals Kimwolf is surprisingly prevalent in government and corporate networks.
An illustration showing the head of a robot with arrows pointing down to two computer screens below. The robot's head has antennae sticking out diagonally from the top of its square head, almost resembling a TV box.
Many people ask why #Jabber a.k.a. #XMPP is technically successful (used by Whatsapp, Zoom, Grindr, Fortnite, Google FCM, and many more), but is still not the federated instant messaging for the people.
Now, it's not about missing features, technical shortcomings, or bad UX. No, the reason simply is: Jabber does not have a cute #mascot!
As the traditional icon for Jabber is the #lightbulb 💡, I wonder, if an animal performing #bioluminescence would fit?
In all honesty, I think the Glowing Octopus is the more appropriate to convey the idea that #XMPP is the best suited open #IETF standard protocol for a wide array of assorted technologies that go from #IM to #OnlineGaming, #WebRTC and #SocialNetworks to #IOT ..
Just like an octopus, it's flexible, adaptable, fast, amazingly intelligent and its arms can be stretched long enough to reach anything it wants ...
No matter where you look, XMPP is out there doing its job and doing it well. To the point that if you are talking about the "Internet" you are talking about email, web browsing or something that (even if you don't know it) is actually running XMPP as an integral part of it.
holy shit I just saw the ad video for AI microwave (yes, you read that right!) made by Chinese tech company and presented at CES 2026, and it's already a strong candidate for the best Internet of Shit tech of 2026
🐱 New Blog Post: Petlibro Smart Pet Feeder Vulnerabilities (Partially Fixed, $500)
Found critical vulns in Petlibro - one of the biggest smart pet feeder companies:
• Auth bypass via broken OAuth - just need Google ID (public info via Google APIs) to log in as anyone
• Access any pet's data, devices, serial numbers, MAC addresses
• Hijack any device - change feeding schedules, access cameras
• Access private audio recordings (mealtime messages to pets)
• Add yourself as shared owner to any device
The worst part? They "fixed" the auth bypass by making a new endpoint... but left the old vulnerable one active for "legacy compatibility." Two months later, still working.
Also tried to get me to sign an NDA AFTER paying the bounty. That's not how contracts work.
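The bug class behind the first bullet, shown as an added example that is not Petlibro's code or the researcher's: a backend that looks an account up by whatever Google user ID the client sends, beside one that only trusts a signed, unexpired ID token issued for its own audience. The issuer URL, audience, signing key, user store and route names are constructed; Google's real ID tokens are RS256-signed JWTs checked against Google's published public keys, and HMAC stands in for that keypair so the example runs offline.

```python
"""Client-asserted Google ID vs. verified ID token (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed user store keyed by the IdP subject ("sub"). Subject IDs are
# not secret, which is exactly why a login that accepts one is no login.
USERS = {"1000000001": {"email": "alice@example.invalid", "devices": ["FEEDER-A1"]}}

ISSUER = "https://idp.example.invalid"     # assumption: stand-in for the real issuer
AUDIENCE = "petfeeder-backend-client-id"   # assumption: the app's OAuth client ID
_IDP_KEY = b"constructed-idp-signing-key"  # assumption: HMAC key in place of RSA


def login_vulnerable(body: dict) -> Optional[dict]:
    """Vulnerable pattern: the account is chosen by a client-supplied ID."""
    return USERS.get(body.get("google_id"))


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, aud: str = AUDIENCE, ttl: int = 300,
               key: bytes = _IDP_KEY) -> str:
    """IdP side: issue a compact JWS (HS256 here) binding iss, sub, aud and exp."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64u(json.dumps({"iss": ISSUER, "sub": sub, "aud": aud,
                               "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64u(sig)}"


def verify_id_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Backend side: accept only a token signed by the IdP, for us, and unexpired."""
    try:
        header, claims, sig = token.split(".")
        signature = _b64u_decode(sig)
        payload = json.loads(_b64u_decode(claims))
    except (ValueError, UnicodeDecodeError):
        return None                                   # malformed
    expected = hmac.new(_IDP_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None                                   # forged or tampered
    if payload.get("iss") != ISSUER or payload.get("aud") != AUDIENCE:
        return None                                   # another issuer or another app
    if payload.get("exp", 0) <= (time.time() if now is None else now):
        return None                                   # expired
    return payload


def login_hardened(body: dict) -> Optional[dict]:
    """Hardened pattern: identity comes from the verified token, never the body."""
    payload = verify_id_token(body.get("id_token", ""))
    return USERS.get(payload["sub"]) if payload else None


# A fix is only a fix if the old route disappears: keeping login_vulnerable
# reachable under a "legacy" path would leave the bypass fully intact.
ROUTES = {"/v2/login": login_hardened}


def dispatch(path: str, body: dict) -> Optional[dict]:
    handler = ROUTES.get(path)
    return handler(body) if handler else None
```

The routing table is the part that maps to the "legacy compatibility" complaint: adding a hardened endpoint changes nothing for an attacker while the old handler stays registered, so a regression test should assert that the old path no longer resolves at all.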
Anyone know the deal with the #ESPHome rp2040_pwm output component? It exists, but it's undocumented and I can't find any reference to it on the ESPHome website 🤔
Chinese cars not only spy on everything they possibly can, but in the event of a conflict could become an instrument of destruction on our streets - those are the conclusions I draw from the just-published report by the Centre for Eastern Studies (Ośrodek Studiów Wschodnich), a leading Polish state institution analysing the international situation in the East.
If this doesn't open our eyes to the risks of carelessly deploying technology, is there any hope for us?
I recommend both the report itself and the podcast - depending on whether you prefer something to read or something to listen to:
I am rather surprised I haven't seen an AWS IoT alternative that sits on top of something like NATS. I feel like this could be low hanging fruit to write a service that does most of the things AWS IoT does by pub/sub-ing to all the $aws/* reserved topics and implementing them with NATS as the MQTT broker.
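What "implementing a `$aws/*` reserved topic on top of a plain pub/sub broker" looks like for the device-shadow topics, as an added example that is not an existing project's code: it matches the `$aws/things/+/shadow/update` filter, merges the desired and reported state, answers on `.../accepted` or `.../rejected`, and emits `.../delta` when the two disagree. It assumes the broker (NATS with its MQTT listener, or any other) hands the service each message together with the authenticated client's principal name; the publish callback, ACL, thing names and payloads are constructed for the demo.

```python
"""Minimal AWS-IoT-style device shadow over a generic pub/sub broker (added example)."""
from typing import Any, Callable, Dict, List, Set, Tuple

Message = Tuple[str, Dict[str, Any]]


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, '#' matches the remainder."""
    f_parts, t_parts = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


class ShadowService:
    UPDATE_FILTER = "$aws/things/+/shadow/update"

    def __init__(self, publish: Callable[[str, Dict[str, Any]], None],
                 acl: Dict[str, Set[str]]):
        self.publish = publish          # broker publish function (assumed)
        self.acl = acl                  # principal -> things it may update
        self.shadows: Dict[str, Dict[str, Dict[str, Any]]] = {}

    @staticmethod
    def _merge(current: Dict[str, Any], patch: Dict[str, Any]) -> None:
        for key, value in patch.items():
            if value is None:
                current.pop(key, None)  # AWS convention: null deletes an attribute
            else:
                current[key] = value

    def on_message(self, principal: str, topic: str, payload: Dict[str, Any]) -> bool:
        """Handle one publish; returns True if the shadow was updated."""
        if not topic_matches(self.UPDATE_FILTER, topic):
            return False                # some other $aws/* handler's business
        thing = topic.split("/")[2]
        base = f"$aws/things/{thing}/shadow/update"
        # Authorization at the topic layer: without it any connected device
        # could rewrite another device's desired state.
        if thing not in self.acl.get(principal, set()):
            self.publish(base + "/rejected", {"code": 403, "message": "Forbidden"})
            return False
        state = payload.get("state")
        if not isinstance(state, dict):
            self.publish(base + "/rejected", {"code": 400, "message": "Missing state"})
            return False
        shadow = self.shadows.setdefault(thing, {"desired": {}, "reported": {}})
        for section in ("desired", "reported"):
            if isinstance(state.get(section), dict):
                self._merge(shadow[section], state[section])
        self.publish(base + "/accepted",
                     {"state": {k: dict(v) for k, v in shadow.items()}})
        delta = {k: v for k, v in shadow["desired"].items()
                 if shadow["reported"].get(k) != v}
        if delta:
            self.publish(base + "/delta", {"state": delta})
        return True


def run_demo() -> List[Message]:
    """Constructed exchange: backend sets desired, device reports, intruder rejected."""
    out: List[Message] = []
    acl = {"app-backend": {"feeder-1", "feeder-2"}, "feeder-1": {"feeder-1"},
           "feeder-2": {"feeder-2"}}
    svc = ShadowService(lambda topic, payload: out.append((topic, payload)), acl)
    upd = "$aws/things/feeder-1/shadow/update"
    svc.on_message("app-backend", upd, {"state": {"desired": {"portion_g": 40}}})
    svc.on_message("feeder-1", upd, {"state": {"reported": {"portion_g": 40}}})
    svc.on_message("feeder-2", upd, {"state": {"desired": {"portion_g": 999}}})
    return out
```

The ACL check is where most of AWS IoT's value actually sits: the broker's policy language ties a principal to its own `$aws/things/<thing>/...` topics, and a NATS-based replacement has to reproduce that binding (for example with NATS accounts and per-user subject permissions) or the shadow becomes a shared scratchpad.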
I recently saw a post describing a "smart" kettle that required an app or voice command to boil water. The user noted, "I can have tea as long as they have a wifi connection. Welcome to the 21st century."
This is the defining characteristic of modern tech-horror: a device made functionally inferior to its "dumb" ancestor by the addition of a microchip. The failure mode of a normal kettle is a pot; the failure mode of a smart kettle is a brick.
If you think the kettle is bad, here are five devices that prove we have peaked as a species and are now sliding rapidly backward.
The $400 Bag Squeezer (The Juicero)
Price: $400 (Launch price: $700) The Superior Alternative: Dieter Rams’ classic Braun Citrus Juicer ($60) or Human Hands ($0).
Juicero was a Wi-Fi-connected cold-press juicer. You bought proprietary bags of chopped fruit, put them in the machine, and it pressed them.
The "Smart" Feature: It read a QR code on the bag to ensure it hadn't expired. If the internet was down or the bag was expired, it would refuse to make juice. It is vital to note that the QR code checked the expiry of the bag, not the actual juice quality.
The Stupid Reality: Bloomberg News revealed that if you just squeezed the bag with your hands, you got the same amount of juice in the same amount of time. It was a $400 rolling pin that required a software update to function.
Furthermore, the machine’s refusal to operate on "expired" bags highlights a fundamental misunderstanding of biology. The main selling point was the ability to bulk-make juice to store. But juice is already pre-stored in nature's perfect packaging: fruit. An unpeeled orange is essentially juice with a shelf-life, contained in a biodegradable wrapper. The Juicero was a subscription service for squeezing a bag, offering less functionality than a mechanically rotated plastic cone from the 1970s.
The Bluetooth Salt Shaker (Smalt)
Price: $199 The Superior Alternative: Peugeot Paris u'Select Salt Mill ($45) + JBL Go Speaker ($30) + LED Candle ($10). Total: $85.
"Smalt" is a large plastic centrepiece that holds salt. It looks like an "ergonomically" designed, off-brand Waterpik.
The "Smart" Feature: It has a Bluetooth speaker (because you want your salt to play the soft jazz of Kenny G) and mood lighting, because you want your salt shaker to be a candle too. You can "dispense" salt by pinching a circle on your smartphone screen or asking Alexa to "dispense one teaspoon of salt."
The Stupid Reality: It requires batteries and a firmware connection to use gravity. The dispensing mechanism is a study in anti-ergonomics. To use the app, you must hold the heavy dispenser over your food with one hand. You must hold your phone with the other. However, a "pinch" gesture requires two fingers on the screen. Unless you place the phone on the table—taking your eyes off the food—or have a prehensile tail, the geometry of seasoning your soup is ridiculous.
Alternatively, you can talk to it. Because nothing kills the vibe of a dinner party faster than shouting commands at your table setting. This is objectively less functional than an electric button-mill (one thumb), a manual mill (two hands, one action), or the pinnacle of culinary interface design: putting your fingers in a bowl of salt.
Price: $99 The Superior Alternative: A stainless steel fork ($2) and basic etiquette.
A fork designed to help you lose weight by eating slower.
The "Smart" Feature: It contains a motion sensor that tracks how many bites you take per minute. If you eat too fast, the fork vibrates in your mouth to tell you to slow down.
The Stupid Reality: It has to be charged. If you run out of battery, you just have a very heavy, thick fork. Also, users reported that if you "scoop" your food (like peas) rather than "stab" it, the fork doesn't register the bite, incentivising you to eat like a shovel to trick the algorithm.
Eating like a peasant? Shovelling the grub in there like a pig at a trough? The Hapifork brings you all the joy of being hit on the head with a guide to table manners by a Victorian mistress, all for the low cost of $99. It is essentially a vibrator for your teeth that rattles your dentures when you enjoy your meal too much.
The Egg Tray with an App (Quirky Egg Minder)
Price: $50 The Superior Alternative: The cardboard carton the eggs come in (Free) + Eyes.
Numerate enough to earn currency to purchase useless goods, but too lazy to count to twelve? The Quirky Egg Minder is the kitchen egg accountant you never thought you needed.
The "Smart" Feature: It connects to Wi-Fi to tell you how many eggs you have left while you are at the store. It has LED lights next to each egg to tell you which one is the "oldest."
The Stupid Reality: It turned a glance into a tech support issue. Most people eat eggs in the order they grab them, rendering the LED "aging" system useless. If the battery died or the Wi-Fi disconnected, it often reported you had zero eggs when you had a full tray. It solved the non-existent problem of "egg blindness" by introducing the very real problem of "connectivity failure."
The Hairbrush with a Microphone (Kérastase Hair Coach)
Price: $200 The Superior Alternative: A comb (invented approx. 5500 B.C. in Ancient Persia).
The "Smart" Feature: It has a microphone that listens to the sound of your hair breaking. It also has an accelerometer to tell you if you are brushing too hard.
The Stupid Reality: It requires you to sync your hair-brushing data to an app. It "gamifies" brushing your hair, giving you a "hair quality score."
It must be noted that the "hair quality score" has nothing to do with the actual biological state of your keratin; it is simply a game score. It effectively turns your morning routine into a round of Guitar Hero for your scalp, where you must hit the strokes perfectly to avoid a low score, only the prize is anxiety rather than applause.
Archaeologists date the first combs to 5500 B.C. For over 7,000 years, humans—from Cleopatra to the architects of Ayurvedic medicine—managed to maintain their hair without a microphone. We could make a joke about the unruliness of Medusa’s hair here, but a microphone on a hairbrush wouldn’t do much for her split roots; every time a viper struck the bristles, the accelerometer would trigger a "Brushing Force Warning."
The Verdict
We are filling our homes with landfills-in-waiting. We are trading simple mechanics for complex, fragile software.
If a normal kettle breaks, you can still boil water in it on a stove. If a smart kettle breaks, it’s a paperweight that might be DDoS-ing a server. Remember that the next time AWS-East goes down.
IoT security cannot be treated as an afterthought! 🚨
Jan Adamski and Marcin Rytel will share the results of their research and penetration tests of selected IoT devices, showing how critical vulnerabilities can pose a real threat to millions of users.
➡️ Learn about the PMIoT methodology they developed, which enables the detection of vulnerabilities across multiple layers: from mobile applications, through network communication, to cryptographic analysis.
➡️ Go behind the scenes of the discovery of CVE-2023-4617 (CVSS 10.0) - a critical vulnerability allowing remote access to popular smart devices.
➡️ Get to know the VARIoT database, which aggregates information about vulnerabilities in the IoT world.
➡️ Find out how the responsible vulnerability disclosure process works.
🎯 Don't miss the chance to learn how to really protect users and systems in the IoT era! Join #OMHconf 👉 https://bit.ly/OMH-bilety
Speakers at Oh My Hack:
Jan Adamski and Marcin Rytel
"S in IoT stands for security? How we discovered a critical vulnerability enabling remote takeover of popular IoT devices"
An embedded Linux distro is a lightweight, purpose-built version of Linux tailored for devices with limited resources. It includes only the essential components needed to run efficiently on specific hardware and apps.
Here are some of the most popular embedded Linux systems 😎👇 #iot #raspberrypi
In April 2004, Mark Shuttleworth invited a dozen Debian operating system developers to his London flat, where they brainstormed and laid out the features of what would become Ubuntu.
Today, Ubuntu has over 40 million desktop users worldwide, and it powers top #supercomputers, servers, clouds, #IoT devices, and more!
🎉 Happy Birthday, @ubuntu! 🐧🎂