Slashdot Mirror


Beware the Ticking Internet of Things Security Time Bomb

alphadogg writes: A panel of security experts, including from IBM, LogMeIn and formerly RSA, warn that IoT security is a growing threat because device makers haven't baked in security. IT security staffs are already inundated with safeguarding internal infrastructure and cloud-based resources, so guarding against a slew of new threats is likely to be overwhelming. LogMeIn's Paddy Srinivasan says most Internet-of-things OEMs "barely even have IT staff," so they aren't capable of developing rigorous security even if they wanted to. IBM’s Andy Thurai says most companies are rushing technology to market to try to monetize you as much as possible, and they aren't even willing to give you a cut for the data you supply. Regulations may help, but probably not enough and definitely not soon.

131 comments

  1. The NSA want's to know what's in your fridge by TylerJWhit · · Score: 1

    With Samsung recording data on the Smart TVs, it's not too far-fetched that the IoT will in large part be a system of tracking end users to inundate them with more targeted Ads.

    1. Re:The NSA want's to know what's in your fridge by Anonymous Coward · · Score: 0

      They also want's to know about you're grammer,

    2. Re:The NSA want's to know what's in your fridge by Anonymous Coward · · Score: 0

      Mi grammers fine and so it mi granpa

    3. Re:The NSA want's to know what's in your fridge by Anonymous Coward · · Score: 0

      And this is why I didn't spring for the "know it all" fridge.

    4. Re:The NSA want's to know what's in your fridge by gbjbaanb · · Score: 2

      You misunderstand the problem.

      With Smart TVs recording your watching habits in order to send you adverts, there is the potential for someone else to get access to it and record everything else about you.

      One day you'll get a link to a website that shows you and your babysitter 'earning an extra bonus' with a payment demand to have it removed - all of which was recorded by your smart TV but sent to a Russian hacker rather than Samsung.

    5. Re:The NSA want's to know what's in your fridge by chrish · · Score: 1

      But just think of the awesome TV shows!

      Blackmail: https://www.youtube.com/watch?...

      --
      - chrish
    6. Re:The NSA want's to know what's in your fridge by TylerJWhit · · Score: 0

      This is a possibility. This is why Baby Monitors were such a scare. But I didn't misunderstand the problem.

  2. The times we live in by Anonymous Coward · · Score: 0

    IBM’s Andy Thurai says most companies are rushing technology to market to try to monetize you as much as possible, and they aren't even willing to give you a cut for the data you supply.

    When was this ever not the case?

    1. Re:The times we live in by fuzzyfuzzyfungus · · Score: 2

      The difference is the number and sneakiness of systems thus compromised.

      Back in the day, when an 8086 was real money and whatnot, you could be fairly sure that only the identifiable computer on your desk was sophisticated enough to be disobeying you; because you couldn't afford enough transistors, even if the market could supply them, for anything else to be.

      Now, thanks to Progress, basically anything from 99 cents on up is probably turing complete, phoning home to the mothership, and host to a mixture of 'consumer analytics platforms' and egregious security flaws.

    2. Re:The times we live in by Bing+Tsher+E · · Score: 2

      When an 8086 was real money, an 8048 was only a few bucks, so things haven't changed as dramatically as you make it seem.

    3. Re:The times we live in by FranTaylor · · Score: 1

      today chips with 8048 cores are fractions of a penny in large quantity, so yes they have changed pretty dramatically

  3. never mind the IOT. by Anonymous Coward · · Score: 0

    Never mind the IOT security problems, we have security problems with our Things of the Internet. Networking equipment being compromised to distro malware... which should be scarier due to their, you know, traffic-handling capabilities.

    http://pastebin.com/TL916tkA
    http://pastebin.com/x1YqVv5T
    http://pastebin.com/weeAZTQB
    http://pastebin.com/wnQ3HKZ6

    *some* of these people *claim* it isn't a default-password issue.

  4. Shocking by Fire_Wraith · · Score: 1

    Companies, rushing to get things out to market, not bothering to do enough testing, nevermind rigorously ensuring that they've secured their products?
    Inconceivable!
    Next you'll probably try and tell me that they'll threaten to sue security researchers that expose the inevitable flaws rather than simply fixing them.

    1. Re:Shocking by xxxJonBoyxxx · · Score: 1

      It's not just the developers. A lot of legal teams are just taking their web-based privacy rules and applying them to systems that know exactly who you are. For example, Lowes' IRIS system: http://iotsecuritylab.com/iot-...

    2. Re:Shocking by Anonymous Coward · · Score: 0

      Obama tried to let states do it on their own, but strangely, so many of them refused, and for some reason, the federal government had to step in.

      Then the private companies hired to undertake it failed to do the job right.

      I wonder why.

    3. Re:Shocking by Zero__Kelvin · · Score: 1

      To be fair, it really isn't true that there are no companies focusing on security. Indeed, every IoT Journal I read talks about it quite a bit.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  5. Why connect EVERYTHING? by Ateocinico · · Score: 2

    Connectivity seems to be this decade's fin tail and chrome craziness.

    1. Re:Why connect EVERYTHING? by 0123456 · · Score: 1

      Why connect EVERYTHING?

      $$$$$$$$$$$$$$

      What more reason do you need?

    2. Re:Why connect EVERYTHING? by Anonymous Coward · · Score: 1

      What better way to convince a large number of people to replace big ticket items like refrigerators or washing machines?

    3. Re:Why connect EVERYTHING? by Marginal+Coward · · Score: 3, Funny

      I'm not sure if I'll connect EVERYTHING. However, I plan to connect at least my refrigerator to the Internet in order to give the power to curdle my milk to Kim Jong Un. If he makes use of that, then Snap, Crackle, Pop and I will know for certain that he's truly EVIL.

    4. Re:Why connect EVERYTHING? by SeaFox · · Score: 1

      Once everything is connected a company will be able to use the shoddy IoT security to peek around your house and learn what brands/models of appliances and other products you own. Think how easy market research will be! No more having to convince people to complete a survey by giving them some freebie.

    5. Re: Why connect EVERYTHING? by Anonymous Coward · · Score: 0

      Imagine all the compatibility issues that will pop up when your appliance doesn't approve of your non-DRM food, or another manufacturer's device nearby.

    6. Re:Why connect EVERYTHING? by Bing+Tsher+E · · Score: 2

      I could use a newer refrigerator, our current one was second hand when we bought it thirteen years ago. So if clueless people start selling off their nice refrigerators because they're 'dumb' there will probably be deals to be had.

    7. Re:Why connect EVERYTHING? by thegarbz · · Score: 1

      Analytics. Other than Chrome plating, having connectivity and the ability to collect data is useful. Unfortunately the term IoT has been abused by corporations to the point where IoT now means Internet of Things I Know About Customers. But there are real benefits to the IoT movement when the user is in control of the data.

      Case in point: My wireless power meter. The company manufactured a dongle for a PC that logs history of power use. Naturally this dongle reports power use to the company and you have to access that data via the company website. I instead opted for a non-connected device and hacked together a little wireless IoT bolt on to it which reports the same data but this time to me and me alone. It was very useful in tracking inefficiencies in my house and has effectively already paid for itself over the past year.

      But to me the use wasn't worth the privacy invasion. It's not connectivity which is evil here.

    8. Re:Why connect EVERYTHING? by FranTaylor · · Score: 1

      Infrastructure like railroads, bridges, etc. can be fitted with a massive number of telemetry sensors at low cost. Many bridge inspections could be done remotely if the bridge is covered with thousands and thousands of strain gauges. The USGS and the weather service can offer more and better information to the public with more advanced sensor networks. Maybe with enough sensors and the right software, we could predict earthquakes. Who knows? The technology is not there.

      The security wonks tell us over and over to re-use existing security structure, but there is no existing model for this type of thing, so people are forced to roll their own, with the usual consequences.

    9. Re:Why connect EVERYTHING? by FranTaylor · · Score: 1

      But to me the use wasn't worth the privacy invasion.

      You know the power company already has a really tremendous ability to monitor your power usage on a continuous basis. They can tell if you stay up late, they can tell if you sneak home during the day to cheat on your wife. They can tell how much you run your electric dryer so they can tell how many people are living in your house. They can probably tell you what model of refrigerator you own, just from looking at the power curves. No doubt your wife's lawyer or your insurance company (or someone else's insurance company) could find some sort of expert witness who will swear to the accuracy of the data. You've already let them peer into your daily life just by signing up for service.

    10. Re:Why connect EVERYTHING? by thegarbz · · Score: 1

      My power company is heavily regulated and I have a strong legal representation in the form of a local consumer ombudsman.

      I can't say the same for a 3rd party entity where I don't even know which country they are based in.

      Oh and I don't have a smart meter so unless someone is sitting down outside my switchboard, no they can't do the above, but I'm also significantly less concerned about my power company having this information given that their business model isn't based around the collection of customer data. The same can't be said for a lot of companies.

      Ultimately. What do I get, what do I need to get, and what do I need to give? Just because I'm forced to buy power through the power company doesn't mean I need to voluntarily give the same information to another third party when I don't get anything in return. This is the same reason I don't use things like gmail (voluntary and nothing in return) but I'm happy to leave location tracking on my phone (voluntary and lots of things in return).

    11. Re:Why connect EVERYTHING? by bemymonkey · · Score: 1

      Have you ever been at the store and wondered if there was anything else you needed to replenish in your fridge? Wouldn't it be great to pull up a webcam view of the interior right at that moment? Or how about making sure your oven and stove and iron are off? Or getting a video call on your smartphone when someone rings your doorbell while you're not home?

      These are just a few of the things that I personally would find useful or at least interesting - I'm sure other people have entirely different lists of things that would be useful or interesting to them. However, in order to allow all of us to do the things we want, we need to first connect, well, pretty much everything to the internet.

      It needs to be well-planned and secure, of course... which is why I won't be installing any of this stuff unless I've vetted it myself first.

    12. Re:Why connect EVERYTHING? by Anonymous Coward · · Score: 0

      gmail (voluntary and nothing in return)

      Except, you know, email...

    13. Re:Why connect EVERYTHING? by Anonymous Coward · · Score: 0

      You can do all of this and use these sensors without putting them directly on the Internet. There is this thing called "Point to Point" connections. Use these and connect back to a central command and control center. At least add the ability to use VPN or SSH connections.

      The bitch here is a lot of these sensors you are talking about use telnet for their connectivity with something like root and a blank password to connect.

      You are a fucking idiot building anything that connects to the Internet that uses telnet and a blank or lame password.
      Sensors are great if built properly and configured properly. Still air gapped with point to point is best.
      Not everything needs to be connected directly to the net.

  6. Routers by Anonymous Coward · · Score: 0

    Doesn't matter, most WiFi IOT devices will never get packets out of the house. Home WiFi routers rarely handle more than 32 devices.
    IOT will require all the home WiFi routers to be replaced to allow enough connected devices.
    Let alone the radio interference it will create.

  7. DHCP and a Firewall by avgjoe62 · · Score: 4, Funny

    I run DHCP, only allowing MAC addresses I want to get a routable address. And just in case, I also run a firewall where I can see what devices are connecting to the outside world.

    The day my toaster tells me it NEEDS an internet connection to make toast is the day I make toast over a campfire.

    --

    How come Slashdot never gets Slashdotted?

    1. Re:DHCP and a Firewall by freeze128 · · Score: 4, Funny

      Your IoT smoke detector will call the fire department when you make a campfire in your kitchen.

    2. Re:DHCP and a Firewall by Anonymous Coward · · Score: 0

      But how else will your toaster order more bread from Amazon?

    3. Re:DHCP and a Firewall by devforhire · · Score: 1

      I run DHCP with a white list MAC filter also, but I still have virus protection on my mobile devices and PCs.

    4. Re:DHCP and a Firewall by Anonymous Coward · · Score: 0

      I run DHCP

      If you have an eye for security, don't. Also, use some damned port security. As in only allowing specific MAC addresses on specific switchports. Everybody forgets port security.

    5. Re:DHCP and a Firewall by Anonymous Coward · · Score: 0

      Is this a competition how high you can stack snake oil? Well, here we go: I hide my SSID, my DHCP only serves known MAC addresses, my local network is behind NAT, I only get my apps from the official app store, antivirus scans on-access and I make continuous backups because I use RAID.

    6. Re:DHCP and a Firewall by Em+Adespoton · · Score: 1

      Good luck getting your antivirus software to scan your toaster....

    7. Re:DHCP and a Firewall by CanadianMacFan · · Score: 2

      That's okay, all your devices have connected to your neighbour's poorly configured open network and have been sending your private information to the world for years now.

    8. Re:DHCP and a Firewall by Bing+Tsher+E · · Score: 1

      I am more worried about bacterial infestations in my kitchen appliances.

    9. Re:DHCP and a Firewall by Anonymous Coward · · Score: 0

      Fail thinking raid is backups ?

    10. Re:DHCP and a Firewall by Drethon · · Score: 4, Funny

      Your IoT smoke detector will call the fire department when you make a campfire in your kitchen.

      Oh it may try...

    11. Re:DHCP and a Firewall by antdude · · Score: 1

      Those frakking Cylons! :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  8. car analogy by turkeydance · · Score: 2

    from back in the day when cars talked to you: "your door is ajar". fail. a local woman wrecked her new car when she heard "spirits" talking to her.

    1. Re:car analogy by Anonymous Coward · · Score: 1

      I'd wreck the car too if it tried to convince me a door is a jar.

    2. Re:car analogy by Anonymous Coward · · Score: 1

      It is grabbed with the hand and contains glass. Sounds like a door is a jar.

  9. Quality of software from hardware makers by Anonymous Coward · · Score: 0

    If the NSA were not a reason enough to shut down the IoT, the idea of hardware makers writing many embedded OS in every device sends a cold down my spine.

    Hardware makers just don't care about software and they do shitty stuff. Having many of these devices around like that will literally mean having software connected to a network that has not been updated and is running an outdated and bugged version of an OS. It seems a recipe for disaster.

  10. Some 'Things' more valuable than others by Frobnicator · · Score: 4, Interesting

    Periodically some "things" on the IoT get revealed as publicly accessible. Cameras and conference room equipment particularly have caused problems in the past.

    In homes, it may be some lolz to mess with lights of a stranger. It may be costly to the homeowner when someone modifies the HVAC settings to crank the programmable thermostat during the day. A skript kiddie could cause a neighborhood to all lose their AC compressors, and then we're talking tens of thousands, perhaps hundreds of thousands in some areas.

    Controlling your television may not seem very creepy, but could be used as presence detection to see how long it takes for someone to turn it off or turn down the loud volume. Cameras on TVs are a great combination if thieves can guess your neighborhood, then identify your house, then identify you are not home.

    Similarly with garage doors. That industry has come a long way, in the 70s and 80s you could get a universal garage door remote that would work on many homes in a neighborhood, some thieves would clean out the garages and close the door when done. New IoT garage remote controllers lack the basic protections implemented decades ago.

    And most obviously, security cameras in and around a home are increasingly common as an IoT item. Do you REALLY want those images out there?

    Many ISPs make it rather easy to iterate through neighborhoods as they provide convenient DNS access like c-111-222-333-444.town.state.comcast.net. A quick scan of a town to find all the customers with open security cameras, a bit of time to identify the homes in that neighborhood that look interesting on camera and have a few open IoT devices... and you've got a loot schedule. Most of the scans could be easily automated, only requiring some human criminals to look at them once they've found a neighborhood with enough interesting devices exposed.

    --
    //TODO: Think of witty sig statement
    1. Re:Some 'Things' more valuable than others by cusco · · Score: 2

      I still find frelling **security** equipment without the ability to change the default password on it. Obviously we don't install it, but the stuff is sold as "professional grade" and costs big piles of money.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    2. Re:Some 'Things' more valuable than others by Anonymous Coward · · Score: 0

      It's not a matter of "value" - it is a matter of "reliable". Older cars were generally more reliable because there were fewer things to go wrong. Cars that accelerate out of control and cannot be turned off is a product of injecting overly complicated technology into devices that do not need it. Not only does it pointlessly increase cost, increase waste (much of the high technology equipment cannot be disposed of easily) it reduces reliability *and* introduces the specter of security vulnerabilities. I have a 2002 car that has an electronic ignition, a central computer etc etc etc and it is giving me kittens because it keeps malfunctioning in strange ways that the technicians cannot track down.

      Injecting overly complex technology into devices that should be simple is simply bad engineering and is being driven by a bunch of marketing techno hipsters who are too young (and too hip) to realize how big of a mistake they are making. But that's OK, I simply won't use it myself. I'll give my money to the people who understand proper engineering principles and have a good laugh at the people whose lives become pointlessly complex and frustrating by buying pointlessly over-engineered devices.

    3. Re:Some 'Things' more valuable than others by Bob9113 · · Score: 1

      Controlling your television may not seem very creepy, but could be used as presence detection to see how long it takes for someone to turn it off or turn down the loud volume.

      Oooo, I like the way you think, you beautiful bastard. :)

    4. Re:Some 'Things' more valuable than others by 0123456 · · Score: 1, Insightful

      Older cars were generally more reliable because there were fewer things to go wrong.

      Uh, no, they weren't. You might be able to fix a 1970s car when it broke down, but they broke down a lot more. Go back to the 1930s, and there were even less things to go wrong, but you were probably doing maintenance on those things every weekend to ensure they didn't break down.

    5. Re:Some 'Things' more valuable than others by Anonymous Coward · · Score: 1

      People have different opinions on the terms "maintenance", "reliable", and "broke down" when it comes to vehicles. Historically older vehicles require much more maintenance but when an issue was encountered they would often still run poorly while newer vehicles may stop dead in their tracks for a rather small reason (cam/crank position sensors for example). The mechanical components in the older carburetor vehicles just prior to the mandated emission controls when properly maintained and not abused would last very long.

      Many people are complaining about the same thing in appliances (fridges, stoves, dishwashers, washers, dryers, etc) where they strive for efficiency, low maintenance, and connectivity but fall short on reliability compared to their brethren from the 70s.

    6. Re:Some 'Things' more valuable than others by Bing+Tsher+E · · Score: 1

      My 2006 Ford Ranger has modern infrastructure where I want it, but none of the new electronic bells-and-whistles. Okay, it does have a horn, but the only non-stripped option is the CD player in the radio. The windows have cranks, the doors open with a key. The key is duplicated for a few dollars. And it's so plain and dull that it's not likely to get stolen because of not having a 'security' electronic keyfob.

      It's also black, like all Fords are supposed to be.

    7. Re:Some 'Things' more valuable than others by Anonymous Coward · · Score: 0

      My 2006 Ford Ranger has modern infrastructure where I want it, but none of the new electronic bells-and-whistles. Okay, it does have a horn, but the only non-stripped option is the CD player in the radio. The windows have cranks, the doors open with a key. The key is duplicated for a few dollars. And it's so plain and dull that it's not likely to get stolen because of not having a 'security' electronic keyfob.

      It's also black, like all Fords are supposed to be.

      I have a black 2011 Ford Ranger, still the same!

    8. Re:Some 'Things' more valuable than others by Ol+Olsoc · · Score: 1

      Older cars were generally more reliable because there were fewer things to go wrong.

      Uh, no, they weren't. You might be able to fix a 1970s car when it broke down, but they broke down a lot more. Go back to the 1930s, and there were even less things to go wrong, but you were probably doing maintenance on those things every weekend to ensure they didn't break down.

      And how. Anyone remember changing points and plugs? 15,000 mile non speed rated tires? Water pumps that lasted 20 K miles? A car that is just about finished at 100,000 miles? Rust holes at 60 K miles?

      Yes, they were easier to work on, but yes, you worked on them a lot

      My first car, a 65 Buick Skylark, was a nice car for the time, was continually being worked on. But it was just SOP because everyone else's was too.

      Today's cars are marvels. My last two I put 200 K and almost 300K miles on with almost no replacement parts except a radiator on one, and a water pump on the other.

      Is this kind of like inviting those damn teenagers to walk around on my lawn?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    9. Re:Some 'Things' more valuable than others by FranTaylor · · Score: 1

      it's also a death trap, using it as your daily vehicle is an enormous risk compared to a modern vehicle

      did you count the potential cost of your death in your financial analysis?

    10. Re:Some 'Things' more valuable than others by sound+vision · · Score: 1

      I have a 2001 Ranger and the key definitely costs triple digits to duplicate and includes the RFID-type chip. Of course this is the XLT model with automatic everything, the base models could be different.

    11. Re:Some 'Things' more valuable than others by Anonymous Coward · · Score: 0

      a 9 year old vehicle is a "death trap" and not "modern"?

      I drive a 2001 Chrysler and feel perfectly safe. I'm sure how one drives has much more to do with safety than if your car is 1 year old 9 years old or 14 years old.

      Like many Chryslers, it's had a few minor problems. The CD changer broke while under warranty, but since then the whole stereo has stopped working.

      People like to rip on Chrysler, but I've spent less than $1,000 on repairs since buying it new. An O2 sensor went bad and one of the roof latches broke.

    12. Re:Some 'Things' more valuable than others by sjames · · Score: 1

      The parts you mention are not more reliable today because of the added complexity, it's better materials and the manufacturing tech. Transplant that to the design of a '70s car and the benefit would remain.

      That's not to say that the ECU fine tuning constantly isn't helpful, it is. It would be better still if it was as open as the mechanical design of a car from the '70s. That and if the replacement parts didn't cost a small fortune due to being harder to duplicate and easier to sue over due to copyrighted firmware.

  11. We'll Party Like It's 1999. by marienf · · Score: 5, Interesting

    I remember new year's eve Y2K, and everyone expecting blackouts, etc.. and me driving around with an X10 wireless remote,
    sending random commands to sequential channels. People's lights went on and off, burglar alarms (dis)armed themselves,
    garage doors opened, sprinklers sprinkled water onto the cold pavement (with great ice potential). People panicked. X10 had no notion of authentication. Probably still hasn't.

    Now, I had to drive around, because I was using a commercial-grade transmitter, my range and impact were limited.

    Now, imagine that kind of attitude, but with everything just a few network hops away, no range limits, and with the Invisible Hand clearly not having spanked the market into having a clue.

    Imagine a person less mature than me and that same kind of attitude, today. Or several thousands of them. Spread over the globe.

    I can imagine the havoc, I'm having trouble imagining the useful applications.. A matter of age? I'm not near to connecting stuff I don't have to.

    Imagine what would happen if the Cylons attacked, also.

    1. Re:We'll Party Like It's 1999. by rtb61 · · Score: 1

      Now imagine the havoc of the inevitable solar flare on all this connectedness that can not run with out being connected. Keep in mind, major solar flare with our planet just happening to be in its path is not if but when, it will happen. How long will it take to repair the damage when all the information systems required to repair the damage are down?

      New regulations are required to ensure essential infrastructure can be maintained manually and repaired manually. That hard copies are retained on sites for repair and maintenance procedures.

      One down the cloud will go down and go down hard for quite a long time in digital terms and it will cause huge problems.

      --
      Chaos - everything, everywhere, everywhen
    2. Re:We'll Party Like It's 1999. by Ol+Olsoc · · Score: 1

      Now imagine the havoc of the inevitable solar flare on all this connectedness that can not run with out being connected.

      Just imagine if the Carrington event happened today?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:We'll Party Like It's 1999. by FranTaylor · · Score: 2

      Now imagine the havoc of the inevitable solar flare on all this connectedness that can not run with out being connected.

      Yeah whatever, scare-monger, that solar flare will knock out the power station whether or not you have sensors on your refrigerator. So you mean we have to be prepared for when the power goes off? Yeah this is the USA, you can count on the power to go out at least a couple of times a year. Are you prepared for that?

    4. Re:We'll Party Like It's 1999. by rtb61 · · Score: 1

      For fools like you http://en.wikipedia.org/wiki/S.... Who, you gonna call, no one. "Ice cores containing thin nitrate-rich layers have been analyzed to reconstruct a history of past solar storms predating reliable observations. Data from Greenland ice cores, gathered by Kenneth G. McCracken and others, show evidence that events of this magnitude—as measured by high-energy proton radiation, not geomagnetic effect—occur approximately once per 500 years, with events at least one-fifth as large occurring several times per century. However, more recent work by the ice core community (McCracken et al. are space scientists) shows that nitrate spikes are not a result of solar energetic particle events, so use of this technique is in doubt. Beryllium-10 and Carbon-14 levels are considered to be more reliable indicators by the ice core community. These similar but much more extreme cosmic ray events, however, may originate outside the solar system and even outside the galaxy. Less severe storms have occurred in 1921 and 1960, when widespread radio disruption was reported. The March 1989 geomagnetic storm knocked out power across large sections of Quebec. On July 23, 2012 a "Carrington-class" Solar Superstorm (Solar flare, Coronal mass ejection, Solar EMP) was observed; its trajectory missed Earth in orbit. Information about these observations was shared first publicly by NASA on April 28, 2014."

      --
      Chaos - everything, everywhere, everywhen
    5. Re:We'll Party Like It's 1999. by John_Sauter · · Score: 1

      I remember new year's eve Y2K, and everyone expecting blackouts, etc.. and me driving around with an X10 wireless remote, sending random commands to sequential channels. People's lights went on and off, burglar alarms (dis)armed themselves, garage doors opened, sprinklers sprinkled water onto the cold pavement (with great ice potential). People panicked....

      Imag[in]e a person less mature than me ....

      I am finding it difficult to imagine a person less mature than yourself.

    6. Re:We'll Party Like It's 1999. by Anonymous Coward · · Score: 0

      I've come a long way :_)

    7. Re:We'll Party Like It's 1999. by Trogre · · Score: 1

      Troll level: Awesome

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  12. We need governmental regulation of IoT security by BUL2294 · · Score: 1

    While I'm not a fan of government regulations, they do play an important role in society. For example, car safety is a result of government regulation. Unfortunately, many non-IoT devices don't get firmware updates. To make matters worse, the devices that manufacturers want to make IoT are often household durable goods (e.g. appliances, thermostats, etc.), that don't get replaced every year.

    Personally, I feel that IoT durable good devices should get security fixes for 20 years--via regulation. Unwilling to do that? Then don't go IoT...

    --
    Windows 3.1x calc: 3.11 - 3.10 = 0.00
    1. Re:We need governmental regulation of IoT security by silas_moeckel · · Score: 1

      Yea because that is not trivial to get around, Oh the OEM we bought it from folded, we do not have the source code etc.

      --
      No sir I dont like it.
    2. Re:We need governmental regulation of IoT security by Bing+Tsher+E · · Score: 1

      The agencies like the UL (non-governmental) could require the source code in escrow for any devices seeking their 'approval.' Said 'approval' is a checkbox item, like UL approval is, for Insurance companies.

      A completely private-enterprise solution that just needs some lawyers involved to implement. Imagine that!

    3. Re:We need governmental regulation of IoT security by Ol+Olsoc · · Score: 1

      While I'm not a fan of government regulations, they do play an important role in society.

      Of course they do. The present day trend of having to apologize for things that sane people believe in is so old. It's like apologizing that your doctor has to have a license.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re:We need governmental regulation of IoT security by FranTaylor · · Score: 1

      A completely private-enterprise solution that just needs some lawyers involved to implement.

      Maybe you should look at the electronics section of your local drugstore and tell us how many of the USB charging devices have "UL" stamps on them. "None" will be my guess. All of the people who bought these devices, are they all in continuous violation of the fire codes? What is anyone going to do about it?

      And guess what, in China you can print "UL" or "FCC" on anything you want to, they sure don't care, and who actually looks through the thousands of container loads that arrive in the US every day to see if the items have fake UL stamps? Nobody, that's who. Your idea is useless, because just like UL, everyone will just ignore it.

    5. Re:We need governmental regulation of IoT security by itzly · · Score: 1

      So, all foreign made products should have their source code handed to the NSA so they can check for weak security ?

    6. Re:We need governmental regulation of IoT security by silas_moeckel · · Score: 1

      First off having codes does not mean having the rights, often that's a complex mess on a commercial app. Secondly the build environment is also a complex bit and needed to actually make things work.

      It seems to make more sense to work towards the M&M security policy. An edge device that connects the home devices to the internet and deals with a lot of the security aspects. You still need communications security inside the house but if trust is only placed in that one gateway controller.

      That said I see things moving to direct wifi connects for mains powered devices, a decent microcontroller and wifi module is down to a few bucks, that is far cheaper than any zwave etc radio. This coupled with every company's desire to have a cloud something that they can try to get a few bucks a month for "special" features to effectively get rent forever. Hell I got a battery powered wifi connected IoT device (wink propane gauge) already.

      --
      No sir I dont like it.
  13. Malware of Things or .... by Anonymous Coward · · Score: 0

    There is a reason people are starting to call it the "Malware of Things" and that is we have already been down this road before and it turned out badly. This time down the new road there are plenty of bad guy type hackers licking their chops at a whole new playground of stuff to break into for nefarious gains.

  14. why wait for that? by slew · · Score: 3, Interesting

    The Ticking Time Bomb of Car Fob Security is already upon us and I suspect that this will explode long before the IoT bomb even has a chance to finish winding up...

    1. Re:why wait for that? by Em+Adespoton · · Score: 2

      Car fobs require proximity. The whole problem with IoT is that the proximity hurdle is removed -- which means everyone around the world who has an idea about how to use your device has the ability to attempt it. Just like with Internet-enabled cars. Now some cars have the ability for a remote attacker to both pinpoint their location AND unlock the doors, via script. Insecure car fobs have nothing on that (I remember when physical keys could often be swapped within car model).

    2. Re:why wait for that? by FranTaylor · · Score: 1

      no amount of electronics will prevent thieves from putting your car onto a flatbed truck

      faraday cages still work pretty well to block radio signals

      if they really really want to break into your car, there is no way to stop them

    3. Re:why wait for that? by Anonymous Coward · · Score: 0

      >faraday cages still work pretty well to block radio signals

      Until you take it out of the cage and it uploads all the stuff it has in queue while it was in the cage.

    4. Re:why wait for that? by itzly · · Score: 1

      Most devices will sit behind a router with NAT and/or firewall. They can phone out, but you can't reach them from the outside.

    5. Re:why wait for that? by Anonymous Coward · · Score: 0

      Most IoT devices UPNP a hole through the firewall and the router happily obliges them. NAT isn't the same as a firewall and does nothing to stop inbound traffic, so I don't know why you even included that part.

    6. Re:why wait for that? by Anonymous Coward · · Score: 0

      Car fobs don't require proximity: http://www.usatoday.com/story/money/cars/2015/05/07/technology-car-break-ins/70939336/

  15. If an IOT device phones home DO NOT BUY IT by atrimtab · · Score: 5, Interesting

    if you cannot completely turn that intrusive privacy robbing feature OFF permanently. Devices that phone home to their real corporate master are not owned or controlled by YOU.

    It is really that simple. That means don't buy Dropcam or a Nest or any of the other "easy to use" everything is stored "in the cloud" IOT devices that are out there and are the most heavily promoted.

    There are network security cameras you can secure easily and control the recordings of. There are also "home automation" devices that only talk to each other within a defined area using reasonable encryption. You just have to be very careful and research what you are buying.

    I note that in my last visit to BestBuy every IOT and home automation device promoted was more useful to the company who manufactured it that was collecting all the customers data than to the customer.

    You can program your home router to block all outgoing traffic except from devices you select and you will find that many IOT devices will no longer work if you block their ability to "phone home."

    --
    Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
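
The router-side block described in the post above is easiest to live with if you can see which devices it is stopping. The following is an added example, not part of the original post: it assumes a Linux-based router that logs dropped forwarded packets in the kernel netfilter LOG format, with the hypothetical prefix `egress-drop`, a LAN bridge named `br-lan`, and a constructed device inventory and log.

```python
"""Summarise which LAN devices tried to phone home once a default-deny
egress rule is active on the router. Added example; every log line, MAC
address and device name below is constructed for illustration."""
import re
from collections import Counter, defaultdict

LOG_PREFIX = "egress-drop"   # assumption: prefix set on the router's drop rule
LAN_IF = "br-lan"            # assumption: name of the LAN-side interface

# Constructed inventory: source MAC -> label for devices you know about.
KNOWN_DEVICES = {
    "02:00:00:aa:bb:01": "camera",
    "02:00:00:aa:bb:02": "thermostat",
}

# Constructed sample log (documentation IP ranges, locally administered MACs).
# The kernel's MAC= field is destination MAC, source MAC, then EtherType.
SAMPLE_LOG = """\
May 12 03:14:07 router kernel: egress-drop IN=br-lan OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:aa:bb:01:08:00 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TTL=63 ID=4242 DF PROTO=TCP SPT=51234 DPT=443 SYN URGP=0
May 12 03:14:10 router kernel: egress-drop IN=br-lan OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:aa:bb:01:08:00 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TTL=63 ID=4243 DF PROTO=TCP SPT=51234 DPT=443 SYN URGP=0
May 12 03:15:00 router kernel: egress-drop IN=br-lan OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:aa:bb:01:08:00 SRC=192.168.1.50 DST=198.51.100.7 LEN=76 TTL=63 ID=100 PROTO=UDP SPT=123 DPT=123 LEN=56
May 12 03:16:22 router kernel: egress-drop IN=br-lan OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:aa:bb:02:08:00 SRC=192.168.1.51 DST=203.0.113.20 LEN=60 TTL=63 ID=7 DF PROTO=TCP SPT=40000 DPT=8883 SYN URGP=0
May 12 03:17:01 router kernel: input-drop IN=eth0 OUT= MAC=02:00:00:00:00:02:02:00:00:cc:dd:01:08:00 SRC=192.0.2.99 DST=198.51.100.1 LEN=40 PROTO=TCP SPT=4444 DPT=23 SYN URGP=0
May 12 03:18:30 router kernel: egress-drop IN=br-lan OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:aa:bb:03:08:00 SRC=192.168.1.77 DST=192.0.2.1 LEN=84 TTL=63 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
May 12 03:19:00 router kernel: egress-drop IN=br-lan OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:aa:bb:02:08:00 SRC=192.168.1.51
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_drop(line):
    """Return (src_mac, src_ip, dst_ip, proto, dport) for one dropped LAN-to-WAN
    packet, or None if the line is not an egress drop or is incomplete."""
    _, found, rest = line.partition(LOG_PREFIX)
    if not found:
        return None
    fields = dict(FIELD_RE.findall(rest))
    if fields.get("IN") != LAN_IF:
        return None
    if not all(key in fields for key in ("SRC", "DST", "PROTO")):
        return None  # truncated line: do not guess the missing parts
    octets = fields.get("MAC", "").lower().split(":")
    # 6 octets destination + 6 octets source + 2 octets EtherType
    src_mac = ":".join(octets[6:12]) if len(octets) == 14 else "unknown"
    dport = int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None
    return src_mac, fields["SRC"], fields["DST"], fields["PROTO"], dport


def summarise(log_text, devices=KNOWN_DEVICES):
    """Map each device label to {(dst_ip, proto, dport): blocked attempts}."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = parse_drop(line)
        if hit is None:
            continue
        src_mac, src_ip, dst_ip, proto, dport = hit
        label = devices.get(src_mac, f"unlisted {src_mac} ({src_ip})")
        report[label][(dst_ip, proto, dport)] += 1
    return {label: dict(counts) for label, counts in report.items()}


if __name__ == "__main__":
    for label, attempts in sorted(summarise(SAMPLE_LOG).items()):
        print(label)
        for (dst, proto, dport), count in sorted(attempts.items(), key=str):
            port = "" if dport is None else f":{dport}"
            print(f"  {count} blocked -> {dst}{port} ({proto})")
```

Devices that show up under an `unlisted` label are ones the inventory does not know about, which is worth chasing before deciding what to allow.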
    1. Re:If an IOT device phones home DO NOT BUY IT by kheldan · · Score: 2

      I have a better idea: Don't buy any 'Internet of Things' devices in the first place. Nobody needs them.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    2. Re:If an IOT device phones home DO NOT BUY IT by Zero__Kelvin · · Score: 4, Funny

      Ah, yes, Grasshopper. I've been around long enough to remember when people said that exact same thing about a "home computer." "Don't buy any 'Personal Computer' devices in the first place. Nobody needs them," they used to say :-)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:If an IOT device phones home DO NOT BUY IT by Anonymous Coward · · Score: 1

      Actually, there are some good use cases like: Elder care.

      Exterior video surveillance, remote control keypad door locks that can be unlocked securely, sensors on doors and motion sensors can provide families with ways to assist an elderly parent with memory or physical issues remotely without intruding too much.

      There are IOT products that can provide this that do not 'phone home' to manufacturers. But it does take research to find them.

    4. Re:If an IOT device phones home DO NOT BUY IT by Anonymous Coward · · Score: 0

      Ah, yes, Grasshopper. I've been around long enough to remember when people said that exact same thing about a "home computer." "Don't buy any 'Personal Computer' devices in the first place. Nobody needs them," they used to say :-)

      And still, nobody needs a computer.

    5. Re:If an IOT device phones home DO NOT BUY IT by Anonymous Coward · · Score: 0

      home automation device promoted was more useful to the company who manufactured it that was collecting all the customers data than to the customer.

      That is why this space is doing wonderful and going to flame out all at the same time. This space can not comprehend people do not want to give them their data.

      When I worked on this stuff. I made it 100% clear to my customers I am the middle man I do not want your data. I will only retain it for about a week if you do not pick it up I blow it away I am not your server. As soon as you pick it up I blow away my copy I need the space for other things. They always got this odd look on their faces like it was just assumed I would want their data.

    6. Re:If an IOT device phones home DO NOT BUY IT by Anonymous Coward · · Score: 0

      Sometimes it's just to circumvent the user's NAT. When you're connected outside of your LAN and still want to connect to your home IoT gateway, then what? Not only is NAT a problem, dynamic IP is too. The most user-friendly way is to have the gateway poll a server to which the user also connects using an app.

      The other reason is that it is difficult for users to configure the network. So they powered up their IoT device. Now they can use WPS, or connect by cable. Then how does the app know the IP address? How does it know if it changed? All these things can be solved, but the user just thinks 'this is a hassle'. He wants it to 'just work'. This is easy when all the user has to do is connect to www.iot.evilcorp.com/dashboard

    7. Re:If an IOT device phones home DO NOT BUY IT by AchilleTalon · · Score: 2

      It seems there is a lot of confusion about IoT. It is not about house automation at all, it may be about it, but it is not the main target for IoT. However, the vendors are jumping on the marketing bandwagon and deciding to rename everything they were already providing or extend the capabilities of their gizmo with useless internet extensions just to call it an IoT device. Unfortunately, many conclude the IoT is about useless gizmos that are spying on you or whatever.

      IoT is rather about devices to monitor parking space and let car drivers know where there are spots available in order to save time and reduce gas consumption in the dense areas of the city, it is about monitoring the garbage collection for a city to make it more efficient or ensure proper billing and so on. It is not about your f...g fridge or your f...g lights or your f...g thermostat or whatever else stupid you can think about.

      --
      Achille Talon
      Hop!
    8. Re:If an IOT device phones home DO NOT BUY IT by AmiMoJo · · Score: 3, Insightful

      I find it depressing that our attitude is now "avoid new technology" rather than "how can we make this secure?"

      Maybe it's time for an open source secure IoT platform that companies can use. As well as an OS it would need to provide stacks for doing common IoT stuff in a secure way, that has privacy controls built in.

      Buffalo ship routers with DD-WRT installed, advertised as a feature. Maybe some kind of certification process could be created, that includes the ability to do updates to the core OS and remote shut-down via blacklist if products are ever found to be vulnerable and unfixable.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:If an IOT device phones home DO NOT BUY IT by Hognoxious · · Score: 3, Insightful

      I find it depressing that our attitude is now "avoid new technology" rather than "how can we make this secure?"

      I find it depressing that people confuse "don't waste money on useless shit" with "avoid new technology".

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    10. Re:If an IOT device phones home DO NOT BUY IT by Anonymous Coward · · Score: 0

      EXACTLY!!! Vote with your wallet. Do not buy this crap that phones home just so that corporations can collect more of what should be private information! We need to let these ultra greedy corporations know that we will not tolerate being spied upon by the products that WE PAY FOR!

    11. Re:If an IOT device phones home DO NOT BUY IT by Anonymous Coward · · Score: 0

      Not only do you need a computer you also need the Internet at least in some countries.
      And I mean NEED as in primary right for citizen.

      The reason is quite simple, in the Netherlands for example:
      1. Every Dutch person must (be able to) file taxes.
      2. The tax office requires you to file taxes over the Internet (no more paper forms).
      3. Taxes are private, and privacy is protected by law. (no library / no accountant office)
      4. Therefore you need a computer and internet at home.

    12. Re: If an IOT device phones home DO NOT BUY IT by Anonymous Coward · · Score: 0

      +1

    13. Re:If an IOT device phones home DO NOT BUY IT by gbjbaanb · · Score: 1

      Absolutely. If there was a secure framework for network-connected IoT devices with documented measures to implement the administration or user management, then we'd get secure devices. Without it, we will have servers listening on port 80 to anyone who wants access.

      It'll need a fancy logo like DLNA has, and some form of certification so manufacturers know they must use it in order to get customer acceptance, and that gets you into the world of standards bodies and all the politics that goes with it. Still, an OSS framework for IoT networking still seems a great idea, even if it means it's easier to implement networking functionality for these devices, with security as an added bonus for the manufacturer.

    14. Re: If an IOT device phones home DO NOT BUY IT by Anonymous Coward · · Score: 0

      Some people said that, sure. Nobody could say with certainty that buying a home pc was a very real immediate security threat though. It took the internet to make that statement somewhat true, but even then the benefits outweigh the risks.

      IoT stuff is all risk with almost no real benefit.

    15. Re: If an IOT device phones home DO NOT BUY IT by Anonymous Coward · · Score: 0

      That's because we as a society made the idiotic decision to give complicated and dangerous things to stupid people.

      You can blame corporations all day, and rightly so. However, us geeks deserve blame too, for inventing this crap in the first place. So many of us are shortsighted and lack proper ethics.

    16. Re:If an IOT device phones home DO NOT BUY IT by Trogre · · Score: 1

      I think you'll find the prevailing attitude is "avoid useless technology".

      Granted there is a certain level of geek cred for connecting something to the net that has never been connected before, but at a practical level I have absolutely no need for my television, kettle or frickin light bulbs to be Internet connected.

      Now that it is well established that 1) Governments want to spy on you and 2) Companies want to spy on you, I would expect that you, a reasonably seasoned Slashdotter, would see the folly in a novelty convenience against massive security implications.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    17. Re: If an IOT device phones home DO NOT BUY IT by Anonymous Coward · · Score: 0

      Hackers gonna hack. We'll hook up our coffee makers and model trains to our ham radios, gee whiz. Nothing wrong with that.

      It's the wide-eyed visionaries, who see visions of billions in sales if only they can make that gee-whiz hacker toy sleek and sexy and Just Work, who make the big messes like IoT.

      Wozniaks are not the problem. Jobses are the problem.

    18. Re: If an IOT device phones home DO NOT BUY IT by TylerJWhit · · Score: 0

      I wouldn't say it has no benefit. Remember when phones first had internet. It had no real benefit then, but now.... yeah, it's extremely helpful.

    19. Re:If an IOT device phones home DO NOT BUY IT by TylerJWhit · · Score: 0

      LOL, yup!

  16. You mean IoUT, right? by Anonymous Coward · · Score: 0

    IoUT -- Internet of Unsafe Things

  17. Cost shift by Anonymous Coward · · Score: 0

    By putting insecure devices on the Internet, manufacturers are shifting the costs of internet security to the end users and their internet service providers.
    It's about time we had a court case where a manufacturer was sued in court for being woefully negligent in the security features of their product and for companies like "Underwriters Laboratories" to start testing and certifying Internet-connected devices about whether they can be safely connected to the Internet out of the box (or not).

  18. Lacking a security model by LessThanObvious · · Score: 1

    The primary issue as I see it with IoT is the lack of a good security model that ordinary people can reference. You wouldn't stick an unmanaged Windows desktop out on the internet, expose a service and expect it not to be vulnerable. Why would we treat an inexpensive gadget any different? Security happens in layers, so if the device is going to be out on the internet then it needs a firewall protecting it, it needs some intelligent filtering so private data doesn't leak out (even to the device vendor) and malicious exploit attempts don't get in, it needs to know how to allow only your devices like your phone inbound and not just anyone on the internet. It needs a serious password and it needs encryption where appropriate. I'm not sure what products exist at a reasonable cost in the market today that are up to the task. The products at a reasonable cost that don't take high level network expertise may not exist at this point. Another concern that will come out of the lack of a good security model is that many services may not go from your phone or laptop to the device directly, they may place the service provider in between, in which case it becomes very hard to allow only authorized users to attempt to connect and to treat the provider or vendor as an untrusted entity. In short, allowing the IoT device itself to be solely responsible for its own security is a flawed model that will be certain to fail time and time again.

    1. Re:Lacking a security model by Darinbob · · Score: 1

      I'm pulling my hair out working hard to get a high quality security system into place on a device where it barely fits, only to see an article that says "ticking time bomb!" We're not all idiots. I suspect most of us aren't. The security we're using requires actual knowledge to use, it's not for some home users or casual people, it doesn't have passwords but it has certificate exchange, no phone will ever talk to them, etc.

      Problem is that the media and purveyors of panic are focusing on the dumb end of the market, the consumer devices, the vendors jumping on the bandwagon just to get the IoT label, etc.

    2. Re:Lacking a security model by LessThanObvious · · Score: 1

      Yeah, I don't agree with the ticking time bomb insinuation, that's a little dramatic compared with reality.

    3. Re:Lacking a security model by phantomfive · · Score: 1

      The security we're using requires actual knowledge to use, it's not for some home users or casual people, it doesn't have passwords but it has certificate exchange, no phone will ever talk to them, etc.

      Is it using OpenSSL? If so, then it's insecure.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Lacking a security model by Darinbob · · Score: 1

      I don't. but...

      I'm pretty sure OpenSSL has been fixed. They had a patch within a few days, and they've even bumped the version number since then to 1.0.2. Maybe you're thinking of commercial software which is sometimes slow to push out fixes.

    5. Re:Lacking a security model by phantomfive · · Score: 1

      Nah, heartbleed was almost certainly not the only serious security vuln in OpenSSL. The quality of the codebase guarantees that there will be bugs.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:Lacking a security model by FranTaylor · · Score: 1

      it would be a miracle rivaling the birth of christ if openssl were actually fixed

    7. Re:Lacking a security model by Anonymous Coward · · Score: 0

      Yeah real stuff like open smart grid is well designed, nothing to see here, nosiree - https://www.schneier.com/blog/archives/2015/05/amateurs_produc.html

    8. Re:Lacking a security model by Darinbob · · Score: 1

      The ultimate faith based security?

  19. ZigBee by Anonymous Coward · · Score: 1

    So, starting 12 years ago, ZigBee had a security working group to specifically address these very things. It was, of course, a pain in the neck in many ways. But it was intended to provide a good secure platform for developers and vendors.

    On the other hand, TinyOS, starting in 2000 had very little in the way of security and has also not been adopted by much more than academics and experimentalists, or those who have other means of handling or avoiding the security issues.

    These are always considerations and trades that must be handled.

  20. Smart Meters Provide IP Over Your Home Electricity by Anonymous Coward · · Score: 0

    Good luck firewalling every wall outlet when all your stuff is designed to phone home via IPv6 over AC.

    And like smart TVs now, future devices won't fully work if firewalled. Because reasons, that's why.

  21. IoT Launchpad Security Project by DamonHD · · Score: 1

    Hi

    We're working on a project (in public) to try to help secure out-of-the-box links from low-power cheap sensor nodes to the concentrator (or equivalent) in IoT networks.

    Eg see:

    http://www.earth.org.uk/note-o...
    and
    http://lists.opentrv.org.uk/pi...

    to pick a couple of related items.

    Anyone who'd like to help us get this right with solutions open source, please do contact us eg via @OpenTRV on Twitter or email.

    Rgds

    Damon

    --
    http://m.earth.org.uk/
  22. I'm there. by swschrad · · Score: 1

    not buying that crap. except my alarm system.

    wait a minute...

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  23. The Internet of never updated easily pwn3d things by cant_get_a_good_nick · · Score: 1

    No message needed.

  24. EZ fix by Snotnose · · Score: 1

    You get hacked via a company's product, company pays 3x damages. Doesn't matter if the company makes a web browser or a thermostat. Never happen, but it would solve the problem. Would also kill IoT in its tracks.

    1. Re:EZ fix by FranTaylor · · Score: 1

      company pays 3x damages .. it would solve the problem

      That's not how it works. 3x damages bankrupts the shell corporation holding the distribution rights, nobody actually gets any money, the anonymous stakeholders walk away with no loss.

  25. ibm to the rescue by Anonymous Coward · · Score: 1

    And what exactly is IBM going to do to help?

    They're just pissed they're missing out. That's what happens when you lay off all your good employees. You're the last one to dinner.

  26. Fear Mongering by Anonymous Coward · · Score: 0

    There's no market in cryptolocker snatching and encrypting your fridge contents.
    IoT is just convergence of already existing proprietary control systems with NO SECURITY to IP enabled systems that have little or add on security.
    It's still totally 100% dependent on the Systems Integrator to assess the risks and install the systems securely, to a level that suits the end customer.
    More than likely the swipe card you used to get into the office this morning sent the card ID in clear text as 1 & 0 on two 12V wires that pulsed low to send the 26bit sequential card ID. No Crypto, if you're really lucky the card reader has a tamper switch to detect removal and access to the two wires.
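
What "clear text" means for the reader wiring described in the post above, as an added example that is not part of the original comment: a decoder for reads in the widely used standard 26-bit Wiegand layout (leading even-parity bit, 8-bit facility code, 16-bit card number, trailing odd-parity bit). That the reader uses this particular layout is an assumption, and all sample reads are constructed.

```python
"""Decode 26-bit Wiegand reads as seen on a reader's two data lines.
Added example; the sample reads are constructed, and the standard 26-bit
layout is assumed (the comment does not say which layout the reader uses)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Wiegand26:
    facility: int     # bits 2-9 of the frame
    card: int         # bits 10-25 of the frame
    parity_ok: bool   # both parity bits consistent with the data bits


def decode_wiegand26(bits):
    """bits: 26 characters, '0' for a pulse on the D0 line, '1' for D1."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 characters of 0/1")
    values = [int(ch) for ch in bits]
    even_ok = sum(values[:13]) % 2 == 0   # leading parity + first 12 data bits
    odd_ok = sum(values[13:]) % 2 == 1    # last 12 data bits + trailing parity
    return Wiegand26(int(bits[1:9], 2), int(bits[9:25], 2), even_ok and odd_ok)


def decode_reads(reads):
    """Split raw reads into decoded badges and frames rejected as line noise.
    Parity is the only check the format offers: it catches a flipped bit,
    but nothing in the frame is secret, keyed, or different between swipes."""
    accepted, rejected = [], []
    for raw in reads:
        try:
            frame = decode_wiegand26(raw)
        except ValueError:
            rejected.append(raw)
            continue
        if frame.parity_ok:
            accepted.append((frame.facility, frame.card))
        else:
            rejected.append(raw)
    return {"accepted": accepted, "rejected": rejected}


# Constructed reads, written as parity + facility + card + parity.
READ_BADGE_A = "1" + "00000001" + "0000000000000001" + "0"   # facility 1, card 1
READ_BADGE_B = "1" + "00000001" + "0000000000000010" + "0"   # facility 1, card 2
READ_BADGE_C = "0" + "00100101" + "0001001000110100" + "1"   # facility 37, card 4660
# Same read as badge C with one bit flipped, as electrical noise would do.
READ_NOISY = READ_BADGE_C[:10] + "1" + READ_BADGE_C[11:]

if __name__ == "__main__":
    result = decode_reads([READ_BADGE_A, READ_BADGE_A, READ_BADGE_B,
                           READ_BADGE_C, READ_NOISY, "101"])
    for facility, card in result["accepted"]:
        print(f"facility={facility} card={card}")
    print(f"rejected frames: {len(result['rejected'])}")
```

Every field the door controller acts on is recovered by anyone who can see the 26 bits, which is why the tamper switch and physical protection of the cable run matter for such installations.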

  27. Greed and stupidity... by gweihir · · Score: 1

    Always the same story. They are just making the same mistakes again that have been made before with workstations, servers and mobile devices. But this time they really could have known better, so this can only be a combination of greed and stupidity.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  28. Pah blah fan what no just no by Anonymous Coward · · Score: 0

    IoT idiocy. In the race to the connected home they forgot who should have the right to connect.

    Russians now control your fridge.

    Good day sir.

  29. Good point by laird · · Score: 1

    It's a good point that as IoT devices proliferate there are security implications because your house will have dozens or even hundreds of devices all talking TCP/IP using whatever random protocols and implementations each device's manufacturer came up with.

    That being said, I think it's unrealistic to imagine that each little company should hire their own security experts to make their own rock-solid stack, because many of these devices are home-made, or made by little startups, etc. And even if every manufacturer aggressively tracked technology, users won't upgrade their firmware constantly.

    Instead, I'd suggest that a better option would be to standardize the basic communications and develop a FOSS hardened communications stack for IoT devices, and push IoT producers to adopt it, so that everyone at least builds on a secure platform. There are many communications stacks for IoT, but the problem (IMO) is that they're generally proprietary by companies trying to "win" in a battle between IoT stacks, and because there are so many code bases, and they are proprietary, they can't be trusted, and even if they are trusted, they can't be used by all developers because they're tied to proprietary platforms.

    So what we need is an IoT stack, secure and efficient enough to run on tiny processors (Arduino...) ideally grounded in an open standards group such as the IETF. And with a marketing program to drive all IoT platforms to adopt it. Of course, there can be multiple competing implementations as there are with all network stacks. That's valuable from a security perspective, because it prevents everyone from running one code base and thus having the same security vulnerabilities. And, of course, competition makes everything better, as they compete to be more efficient, secure, etc. As long as they are interoperable, and based on a fundamentally secure design.

    Of course, this won't fix all problems - you can certainly build an insecure app on top of a secure protocol - but at least it'll eliminate a bunch of "basic" problems, like identity and securing streams, etc.

  30. Micro$haft by Anonymous Coward · · Score: 0

    is at it again, preventing us from keeping our data safe. Incredible.

  31. Speaking of X10... by antdude · · Score: 1

    What happened to them? I haven't seen or heard them for a while. I just see GoPro and others these days.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  32. Quick Mable by Anonymous Coward · · Score: 0

    Reboot the refrigerator, the toilet is overflowing!