Beware the Ticking Internet of Things Security Time Bomb

alphadogg writes: A panel of security experts, including from IBM, LogMeIn and formerly RSA, warn that IoT security is a growing threat because device makers haven't baked in security. IT security staffs are already inundated with safeguarding internal infrastructure and cloud-based resources, so guarding against a slew of new threats is likely to be overwhelming. LogMeIn's Paddy Srinivasan says most Internet-of-things OEMs "barely even have IT staff," so they aren't capable of developing rigorous security even if they wanted to. IBM’s Andy Thurai says most companies are rushing technology to market to try to monetize you as much as possible, and they aren't even willing to give you a cut for the data you supply. Regulations may help, but probably not enough and definitely not soon.

The NSA want's to know what's in your fridge

[TylerJWhit]

With Samsung recording data on the Smart TV's, it's not too far-fetched that the IoT will in large part be a system of tracking end users to inundate them with more targeted Ads.

Re:The NSA want's to know what's in your fridge

[gbjbaanb]

You misunderstand the problem.

With Smart TVs recording your watching habits in order to send you adverts, there is the potential for someone else to get access to it and record everything else about you.

One day you'll get a link to a website that shows you and your babysitter 'earning an extra bonus' with a payment demand to have it removed - all of which was recorded by your smart TV but sent to a Russian hacker rather than Samsung.

Re:The NSA want's to know what's in your fridge

[chrish]

But just think of the awesome TV shows!

Blackmail: https://www.youtube.com/watch?...

Shocking

[Fire_Wraith]

Companies, rushing to get things out to market, not bothering to do enough testing, nevermind rigorously ensuring that they've secured their products?
Inconceivable!
Next you'll probably try and tell me that they'll threaten to sue security researchers that expose the inevitable flaws rather than simply fixing them.

Re:Shocking

[xxxJonBoyxxx]

It's not just the developers. A lot of legal teams are just taking their web-based privacy rules and applying them to systems who know exactly who you are. For example, Lowes' IRIS system: http://iotsecuritylab.com/iot-...

Re:Shocking

[Zero__Kelvin]

To be fair, it really isn't true that there are no companies focusing on security. Indeed, every IoT Journal I read talks about it quite a bit.

Why connect EVERYTHING?

[Ateocinico]

Connectivity seems to be this decade's fin tail and chrome craziness.

Re:Why connect EVERYTHING?

[0123456]

Why connect EVERYTHING?

$$$$$$$$$$$$$$

What more reason do you need?

Re:Why connect EVERYTHING?

What better way to convince a large number of people to replace big ticket items like refrigerators or washing machines?

Re:Why connect EVERYTHING?

[Marginal+Coward]

I'm not sure if I'll connect EVERYTHING. However, I plan to connect at least my refrigerator to the Internet in order to give the power to curdle my milk to Kim Jong Un. If he makes use of that, then Snap, Crackle, Pop and I will know for certain that he's truly EVIL.

Re:Why connect EVERYTHING?

[SeaFox]

Once everything is connected a company will be able to use the shoddy IoT security to peek around your house and learn what brands/models of appliances and other products your own. Think how easy market research will be! No more have to convince people to complete a survey by giving them some freebie.

Re:Why connect EVERYTHING?

[Bing+Tsher+E]

I could use a newer refrigerator, our current one was second hand when we bought it thirteen years ago. So if clueless people start selling off their nice refrigerators because they're 'dumb' there will probably be deals to be had.

Re:Why connect EVERYTHING?

[thegarbz]

Analytics. Other than Chrome plating having connectivity and the ability to collect data is useful. Unfortunately the term IoT has been abused by corporations to the point where IoT now means Internet of Things I Know About Customers. But there are real benefits to the IoT movement when the user is in control of the data.

Case in point: My wireless power meter. The company manufactured a dongle for a PC that logs history of power use. Naturally this dongle reports power use to the company and you have to access that data via the company website. I instead opted for a non-connected device and hacked together a little wireless IoT bolt on to it which reports the same data but this time to me and me alone. It was very useful in tracking inefficiencies in my house and has effectively already paid for itself over the past year.

But to me the use wasn't worth the privacy invasion. It's not connectivity which is evil here.

Re:Why connect EVERYTHING?

[FranTaylor]

Infrastructure like railroads, bridges, etc. can be fitted with a massive number of telemetry sensors at low cost. Many bridge inspections could be done remotely if the bridge is covered with thousands and thousands of strain gauges. The USGS and the weather service can offer more and better information to the public with more advanced sensor networks. Maybe with enough sensors and the right software, we could predict earthquakes. Who knows? The technology is not there.

The security wonks tell us over and over to re-use existing security structure, but there is no existing model for this type of thing, so people are forced to roll their own, with the usual consequences.

Re:Why connect EVERYTHING?

[FranTaylor]

But to me the use wasn't worth the privacy invasion.

You know the power company already has a really tremendous ability to monitor your power usage on a continuous basis. They can tell if you stay up late, they can tell if you sneak home during the day to cheat on your wife. They can tell how much you run your electric dryer so they can tell how many people are living in your house. They can probably tell you what model of refrigerator you own, just from looking at the power curves. No doubt your wife's lawyer or your insurance company (or someone else's insurance company) could find some sort of expert witness who will swear to the accuracy of the data. You've already let them peer into your daily life just by signing up for service.

Re:Why connect EVERYTHING?

[thegarbz]

My power company is heavily regulated and I have a strong legal representation in the form on a local consumer ombudsman.

I can't say the same for a 3rd party entity where I don't even know which country they are based in.

Oh and I don't have a smart meter so unless someone is sitting down outside my switchboard, no they can't do the above, but I'm also significantly less concerned about my power company having this information given that their business model isn't based around the collection of customer data. The same can't be said for a lot of companies.

Ultimately. What do I get, what do I need to get, and what do I need to give? Just because I'm forced to buy power through the power company doesn't mean I need to voluntarily give the same information to another third party when I don't get anything in return. This is the same reason I don't use things like gmail (voluntary and nothing in return) but I'm happy to leave location tracking on my phone (voluntary and lots of things in return).

Re:Why connect EVERYTHING?

[bemymonkey]

Have you ever been at the store and wondered if there was anything else you needed to replenish in your fridge? Wouldn't it be great to pull up a webcam view of the interior right at that moment? Or how about making sure your oven and stove and iron are off? Or getting a video call on your smartphone when someone rings your doorbell while you're not home?

These are just a few of the things that I personally would find useful or at least interesting - I'm sure other people have entirely different lists of things that would be useful or interesting to them. However, in order to allow all of us to do the things we want, we need to first connect, well, pretty much everything to the internet.

It needs to be well-planned and secure, of course... which is why I won't be installing any of this stuff unless I've vetted it myself first.

DHCP and a Firewall

[avgjoe62]

I run DHCP, only allowing MAC addresses I want to get a routable address. And just in case, I also run a firewall where I can see what devices are connecting to the outside world.

The day my toaster tells me it NEEDS an internet connection to make toast is the day make toast over a campfire.

Re:DHCP and a Firewall

[freeze128]

Your IoT smoke detector will call the fire department when you make a campfire in your kitchen.

Re:DHCP and a Firewall

[devforhire]

I run DHCP with a white list MAC filter also, but I still have virus protection on my mobile devices and PCs.

Re:DHCP and a Firewall

[Em+Adespoton]

Good luck getting your antivirus software to scan your toaster....

Re:DHCP and a Firewall

[CanadianMacFan]

That's okay, all your devices have connected to your neighbour's poorly configured open network and have been sending your private information to the world for years now.

Re:DHCP and a Firewall

[Bing+Tsher+E]

I am more worried about bacterial infestations in my kitchen appliances.

Re:DHCP and a Firewall

[Drethon]

Your IoT smoke detector will call the fire department when you make a campfire in your kitchen.

Oh it may try...

Re:DHCP and a Firewall

[antdude]

Those frakking Cylons! :P

car analogy

[turkeydance]

from back in the day when cars talked to you: "your door is ajar". fail. a local woman wrecked her new car when she heard "spirits" talking to her.

Re:car analogy

I'd wreck the car too if it tried to convince me a door is a jar.

Re:car analogy

It is grabbed with the hand and contains glass. Sounds like a door is a jar.

Re:The times we live in

[fuzzyfuzzyfungus]

The difference is the number and sneakiness of systems thus compromised.

Back in the day, when an 8086 was real money and whatnot, you could be fairly sure that only the identifiable computer on your desk was sophisticated enough to be disobeying you; because you couldn't afford enough transistors, even if the market could supply them, for anything else to be.

Now, thanks to Progress, basically anything from 99 cents on up is probably turing complete, phoning home to the mothership, and host to a mixture of 'consumer analytics platforms' and egregious security flaws.

Some 'Things' more valuable than others

[Frobnicator]

Periodically some "things" on the IoT get revealed as publicly accessible. Cameras and conference room equipment particularly have caused problems in the past.

In homes, it may be some lolz to mess with lights of a stranger. It may be costly to the homeowner when someone modifies the HVAC settings to crank the programmable thermostat during the day. A skript kiddie could cause a neighborhood to all lose their AC compressors, and then we're talking tens of thousands, perhaps hundreds of thousands in some areas.

Controlling your television may not seem very creepy, but could be used as presence detection to see how long it takes for someone to turn it off or turn down the loud volume. Cameras on TVs are a great combination if thieves can guess your neighborhood, then identify your house, then identify you are not home.

Similarly with garage doors. That industry has come a long way, in the 70s and 80s you could get a universal garage door remote that would work on many homes in a neighborhood, some thieves would clean out the garages and close the door when done. New IoT garage remote controllers lack the basic protections implemented decades ago.

And most obviously, security cameras in and around a home are increasingly common as an IoT item. Do you REALLY want those images out there?

Many ISPs make it rather easy to iterate through neighborhoods as they provide convenient DNS access like c-111-222-333-444.town.state.comcast.net. A quick scan of a town to find all the customers with open security cameras, a bit of time to identify the homes in that neighborhood that look interesting on camera and have a few open IoT devices... and you've got a loot schedule. Most of the scans could be easily automated, only requiring some human criminals to look at them once they've found a neighborhood with enough interesting devices exposed.

Re:Some 'Things' more valuable than others

[cusco]

I still find frelling **security** equipment without the ability to change the default password on it. Obviously we don't install it, but the stuff is sold as "professional grade" and costs big piles of money.

Re:Some 'Things' more valuable than others

[Bob9113]

Controlling your television may not seem very creepy, but could be used as presence detection to see how long it takes for someone to turn it off or turn down the loud volume.

Oooo, I like the way you think, you beautiful bastard. :)

Re:Some 'Things' more valuable than others

[0123456]

Older cars were generally more reliable because there were fewer things to go wrong.

Uh, no, they weren't. You might be able to fix a 1970s car when it broke down, but they broke down a lot more. Go back to the 1930s, and there were even less things to go wrong, but you were probably doing maintenance on those things every weekend to ensure they didn't break down.

Re:Some 'Things' more valuable than others

People have different opinions on the terms "maintenance", "reliable", and "broke down" when it comes to vehicles. Historically older vehicles require much more maintenance but when an issue was encountered they would often still run poorly while newer vehicles may stop dead in their tracks for a rather small reason (cam/crank position sensors for example). The mechanical components in the older carburetor vehicles just prior to the mandated emission controls when properly maintained and not abused would last very long.

Many people are complaining about the same thing in appliances (fridges, stoves, dishwashers, washers, dryers, etc) where they strive for efficiency, low maintenance, and connectivity but fall short on reliability compared to their brethren from the 70s.

Re:Some 'Things' more valuable than others

[Bing+Tsher+E]

My 2006 Ford Ranger has modern infrastructure where I want it, but none of the new electronic bells-and-whistles. Okay, it does have a horn, but the only non-stripped option is the CD player in the radio. The windows have cranks, the doors open with a key. The key is duplicated for a few dollars. And it's so plain and dull that it's not likely to get stolen because of not having a 'security' electronic keyfob.

It's also black, like all Fords are supposed to be.

Re:Some 'Things' more valuable than others

[Ol+Olsoc]

Older cars were generally more reliable because there were fewer things to go wrong.

Uh, no, they weren't. You might be able to fix a 1970s car when it broke down, but they broke down a lot more. Go back to the 1930s, and there were even less things to go wrong, but you were probably doing maintenance on those things every weekend to ensure they didn't break down.

And how. Anyone remember changing points and plugs? 15,000 mile non speed rated tires? Water pumps that lasted 20 K miles?A car that is just about finished at 100,000 miles? Rust holes at 60 K miles

Yes, they were easier to work on, but yes, you worked on them a lot

My first car, a 65 Buick Skylark, was a nice car for the time, was continually being worked on. But it was just SOP because everyone elses was too.

Today's cars are marvels. My last two I put 200 K and almost 300K miles on with almost no replacement parts except a radiator on one, and a water pump on the other.

Is this kind of like inviting those damn teenagers to walk around on my lawn?

Re:Some 'Things' more valuable than others

[FranTaylor]

it's also a death trap, using it as your daily vehicle is an enormous risk compared to a modern vehicle

did you count the potential cost of your death in your financial analysis?

Re:Some 'Things' more valuable than others

[sound+vision]

I have a 2001 Ranger and the key definitely costs triple digits to duplicate and includes the RFID-type chip. Of course this is the XLT model with automatic everything, the base models could be different.

Re:Some 'Things' more valuable than others

[sjames]

The parts you mention are not more reliable today because of the added complexity, it's better materials and the manufacturing tech. Transplant that to the design of a '70s car and the benefit would remain.

That's not to say that the ECU fine tuning constantly isn't helpful, it is. It would be better still if it was as open as the mechanical design of a car from the '70s. That and if the replacement parts didn't cost a small fortune due to being harder to duplicate and easier to sue over due to copyrighted firmware.

We'll Party Like It's 1999.

[marienf]

I remember new year's eve Y2K, and everyone expecting blackouts, etc.. and me driving around with an X10 wireless remote,
sending random commands to sequential channels. People's lights went on and off, burglar alarms (dis)armed themselves,
garage doors opened, sprinklers sprinkled water onto the cold pavement (with great ice potential). People panicked. X10 had no notion of authentication. Probably still hasn't.

Now, I had to drive around, because I was using a commercial-grade transmitter, my range and impact were limited.

Now, Imagine that kind of attitude, but with everything just a few network hops away, no range limits, and with the Invisible Hand clearly not having spanked the market into having a clue.

Image a person less mature than me and that same kind of attitude, today. Or several thousands of them. Spread over the globe.

I can image the havoc, I'm having trouble imagining the useful applications.. A matter of age? I'm not near to connecting stuff I don't have to.

Imagine what would happen if the Silons attacked, also.

Re:We'll Party Like It's 1999.

[rtb61]

Now imagine the havoc of the inevitable solar flare on all this connectedness that can not run with out being connected. Keep in mind, major solar flare with our planet just happening to be in it's path is not if but when, it will happen. How long will it take to repair the damage when all the information systems required to repair the damage is down.

New regulations are required to ensure essential infrastructure can be maintained manually and repaired manually. That hard copies are retained on sites for repair and maintenance procedures.

One down the cloud will go down and go down hard for quite a long time in digital terms and it will cause huge problems.

Re:We'll Party Like It's 1999.

[Ol+Olsoc]

Now imagine the havoc of the inevitable solar flare on all this connectedness that can not run with out being connected.

Just imagine if the Carrington event happened today?

Re:We'll Party Like It's 1999.

[FranTaylor]

Now imagine the havoc of the inevitable solar flare on all this connectedness that can not run with out being connected.

Yeah whatever, scare-monger, that solar flare will knock out the power station whether or not you have sensors on your refrigerator. So you mean we have to be prepared for when the power goes off? Yeah this is the USA, you can count on the power to go out at least a couple of times a year. Are you prepared for that?

Re:We'll Party Like It's 1999.

[rtb61]

For fools like you http://en.wikipedia.org/wiki/S.... Who, you gonna call, no one. "Ice cores containing thin nitrate-rich layers have been analyzed to reconstruct a history of past solar storms predating reliable observations. Data from Greenland ice cores, gathered by Kenneth G. McCracken and others, show evidence that events of this magnitudeâ"as measured by high-energy proton radiation, not geomagnetic effectâ"occur approximately once per 500 years, with events at least one-fifth as large occurring several times per century. However, more recent work by the ice core community (McCracken et al. are space scientists) shows that nitrate spikes are not a result of solar energetic particle events, so use of this technique is in doubt. Beryllium-10 and Carbon-14 levels are considered to be more reliable indicators by the ice core community. These similar but much more extreme cosmic ray events, however, may originate outside the solar system and even outside the galaxy. Less severe storms have occurred in 1921 and 1960, when widespread radio disruption was reported. The March 1989 geomagnetic storm knocked out power across large sections of Quebec. On July 23, 2012 a "Carrington-class" Solar Superstorm (Solar flare, Coronal mass ejection, Solar EMP) was observed; its trajectory missed Earth in orbit. Information about these observations was shared first publicly by NASA on April 28, 2014."

Re:We'll Party Like It's 1999.

[John_Sauter]

I remember new year's eve Y2K, and everyone expecting blackouts, etc.. and me driving around with an X10 wireless remote, sending random commands to sequential channels. People's lights went on and off, burglar alarms (dis)armed themselves, garage doors opened, sprinklers sprinkled water onto the cold pavement (with great ice potential). People panicked....

Imag[in]e a person less mature than me ....

I am finding it difficult to imagine a person less mature than yourself.

Re:We'll Party Like It's 1999.

[Trogre]

Troll level: Awesome

We need governmental regulation of IoT security

[BUL2294]

While I'm not a fan of government regulations, they do play an important role in society. For example, car safety is as a result of government regulation. Unfortunately, many non-IoT devices don't get firmware updates. To make matters worse, the devices that manufacturers want to make IoT are often household durable goods (e.g. appliances, thermostats, etc.), that don't get replaced every year.

Personally, I feel that IoT durable good devices devices should get security fixes for 20 years--via regulation. Unwilling to do that? Then don't go IoT...

Re:We need governmental regulation of IoT security

[silas_moeckel]

Yea because that is not trivial to get around, Oh the OEM we bought it from folded, we do not have the source code etc.

Re:We need governmental regulation of IoT security

[Bing+Tsher+E]

The agencies like the UL (non-governmental) could require the source code in escrow for any devices seeking their 'approval.' Said 'approval' is a checkbox item, like UL approval is, for Insurance companies.

A completely private-enterprise solution that just needs some lawyers involved to implement. Imagine that!

Re:We need governmental regulation of IoT security

[Ol+Olsoc]

While I'm not a fan of government regulations, they do play an important role in society.

Of course they do. The present day trend of having to apologize for things that sane people believe in is so old. It's like apologizing that your doctor has to have a license.

Re:We need governmental regulation of IoT security

[FranTaylor]

A completely private-enterprise solution that just needs some lawyers involved to implement.

Maybe you should look at the electronics section of your local drugstore and tell us how many of the USB charging devices have "UL" stamps on them. "None" will be my guess. All of the people who bought these devices, are they all in continuous violation of the fire codes? What is anyone going to do about it?

And guess what, in China you can print "UL" or "FCC" on anything you want to, they sure don't care, and who actually looks through the thousands of container loads that arrive in the US every day to see if the items have fake UL stamps? Nobody, that's who. Your idea is useless, because just like UL, everyone will just ignore it.

Re:We need governmental regulation of IoT security

[itzly]

So, all foreign made products should have their source code handed to the NSA so they can check for weak security ?

Re:We need governmental regulation of IoT security

[silas_moeckel]

First off having codes does not mean having the rights, often thats a complex mess on a commercial app. Secondly the build environment is also a complex bit and needed to actually make things work.

It seems to make more sense to work towards the M&M security policy. An edge device that connects the home devices to the internet and deals with a lot of the security aspects. You still need communications security inside the house but if trust is only placed in that one gateway controler.

That said I see things moving to direct wifi connects for mains powered devices, a decent microcontroller and wifi module is down to a few bucks, that is far cheaper that any zwave etc radio. This coupled with every company's desire to have a cloud something that they can try to get a few bucks a month for "special" features to effectively get rent forever. Hell I got a battery powered wifi connected IoT device (wink propane gauge) already.

why wait for that?

[slew]

The Ticking Time Bomb of Car Fob Security is already upon us and I suspect that this will explode long before the IoT bomb even has a chance to finish winding up...

Re:why wait for that?

[Em+Adespoton]

Car fobs require proximity. The whole problem with IoT is that the proximity hurdle is removed -- which means everyone around the world who has an idea about how to use your device has the ability to attempt it. Just like with Internet-enabled cars. Now some cars have the ability for a remote attacker to both pinpoint their location AND unlock the doors, via script. Insecure car fobs have nothing on that (I remember when physical keys could often be swapped within car model).

Re:why wait for that?

[FranTaylor]

no amount of electronics will prevent thieves from putting your car onto a flatbed truck

faraday cages still work pretty well to block radio signals

if they really really want to break into your car, there is no way to stop them

Re:why wait for that?

[itzly]

Most devices will sit behind a router with NAT and/or firewall. They can phone out, but you can't reach them from the outside.

If an IOT device phones home DO NOT BUY IT

[atrimtab]

if you cannot completely turn that intrusive privacy robbing feature OFF permanently. Devices that phone home to their real corporate master are not owned or controlled by YOU.

It is really that simple. That means don't buy Dropcam or a Nest or any of the other "easy to use" everything is stored "in the cloud" IOT devices that are out there and are the most heavily promoted.

There are nwtwork security cameras you can secure easily and control the recordings of. There are also "home automation" devices that only talk to each other within a defined area using reasonable encryption. You just have to be very careful and research what you are buying.

I note that in my last visit to BestBuy every IOT and home automation device promoted was more useful to the company who manufactured it that was collecting all the customers data than to the customer.

You can program your home router to block all outgoing traffic except from devices you select and you will find that many IOT devices will no longer work if you block their ability to "phone home."

Re:If an IOT device phones home DO NOT BUY IT

[kheldan]

I have a better idea: Don't buy any 'Internet of Things' devices in the first place. Nobody needs them.

Re:If an IOT device phones home DO NOT BUY IT

[Zero__Kelvin]

Ah, yes, Grashopper. I've been around long enough to remember when people said that exact same thing about a "home computer." "Don't buy any 'Personal Computer' devices in the first place. Nobody needs them., they used to say :-)

Re:If an IOT device phones home DO NOT BUY IT

Actually, there are some good use cases like: Elder care.

Exterior video surveillance, remote control keypad door locks that can be unlocked securely, sensors on doors and motion sensors can provide families with ways to assist an elderly parent with memory or physical issues remotely without intruding too much.

There are IOT products that can provide this that do not 'phone home' to manufacturers. But it does take research to find them.

Re:If an IOT device phones home DO NOT BUY IT

[AchilleTalon]

It seems there is a lot of confusion about IoT. It is not about house automation at all, it may be about it, but it is not the main target for IoT. However, the vendors are jumping in the marketing bandwagon and decide to rename everything they were already providing or extend the capabilities of their gizmo with useless internet extensions just to call it an IoT device. Unfortunately, many conclude the IoT is about useless gizmo that are spying at you or whatever.

IoT is rather than about devices to monitor parking space and let car drivers know where there is spots available in order to save time and reduce gas consumption in the dense areas of the city, it is about monitoring the garbage collection for a city to make it more efficient or ensure proper billing and so on. It is not about your f...g fridge or your f...g lights or your f...g thermostat or whatever else stupid you can think about.

Re:If an IOT device phones home DO NOT BUY IT

[AmiMoJo]

I find it depressing that our attitude is now "avoid new technology" rather than "how can we make this secure?"

Maybe it's time for an open source secure IoT platform that companies can use. As well as an OS it would need to provide stacks for doing common IoT stuff in a secure way, that has privacy controls built in.

Buffalo ship routers with DD-WRT installed, advertised as a feature. Maybe some kind of certification process could be created, that includes the ability to do updates to the core OS and remote shut-down via blacklist if products are ever found to be vulnerable and unfixable.

Re:If an IOT device phones home DO NOT BUY IT

[Hognoxious]

I find it depressing that our attitude is now "avoid new technology" rather than "how can we make this secure?"

I find it depressing that people confuse "don't waste money on useless shit" with "avoid new technology".

Re:If an IOT device phones home DO NOT BUY IT

[gbjbaanb]

Absolutely. If there was a secure framework for network-connected IoT devices with documented measures to implement the administration or user management, then we'd get secure devices. Without it, we will have servers listening on port 80 to anyone who wants access.

It'll need a fancy logo like DLNA has, and some form of certification so manufacturers know they must use it in order to get customer acceptance, and that gets you into the world of standards bodies and all the politics that goes with it. Still, an OSS framework for IoT networking still seems a great idea, even if it means its easier to implement networking functionality for these devices, with security as an added bonus for the manufacturer.

Re:If an IOT device phones home DO NOT BUY IT

[Trogre]

I think you'll find the prevailing attitude is "avoid useless technology".

Granted there is a certain level of geek cred for connecting something to the net that has never been connected before, but at a practical level I have absolutely no need for my television, kettle or frickin light bulbs to be Internet connected.

Now that it is well established that 1) Governments want to spy on you and 2) Companies want to spy on you, I would expect that you, a reasonably seasoned Slashdotter, would see the folly in a novelty convenience against massive security implications.

Lacking a security model

[LessThanObvious]

The primary issue as I see it with IoT is the lack of a good security model that ordinary people can reference. You wouldn't stick an unmanaged Windows desktop out on the internet, expose a service and expect it not to be vulnerable. Why would we treat an inexpensive gadget any different? Security happens in layers, so if the device is going to be out on the internet then it needs a firewall protecting it, it needs some intelligent filtering so private data doesn't leak out (even to the device vendor) and malicious exploit attempts don't get in, it needs to know how to allow only your devices like your phone inbound and not just anyone on the internet. It needs a serious password and it needs encryption where appropriate. I'm not sure what products exist at a reasonable cost in the market today that are up to the task. The products at a reasonable cost that don't take high level network expertise may not exist at this point. Another concern that will come out of the lack of a good security model is that many services may not go from your phone or laptop to the device directly, they may place the service provider in between, in which case it becomes very hard to allow only authorized users to attempt to connect and to treat the provider or vendor as an untrusted entity. In short, allowing the IoT device itself to be solely responsible for it's own security is a flawed model that will be certain to fail time and time again.

Re:Lacking a security model

[Darinbob]

I'm pulling my hair out working hard to get a high quality security system into place on a device where it barely fits, only to see an article that says "ticking time bomb!" We're not all idiots. I suspect most of us aren't. The security we're using requires actual knowledge to use, it's not for some home users or casual people, it doesn't have passwords but it has certificate exchange, no phone will ever talk to them, etc.

Problem is that the media and purveyors of panic are focusing on the dumb end of the market, the consumer devices, the vendors jumping on the bandwagon just to get the IoT label, etc.

Re:Lacking a security model

[LessThanObvious]

Yeah, I don't agree with the ticking time bomb insinuation, that's a little dramatic compared with reality.

Re:Lacking a security model

[phantomfive]

The security we're using requires actual knowledge to use, it's not for some home users or casual people, it doesn't have passwords but it has certificate exchange, no phone will ever talk to them, etc.

Is it using OpenSSL? If so, then it's insecure.

Re:Lacking a security model

[Darinbob]

I don't. but...

I'm pretty sure OpenSSL has been fixed. They had a patch within a few days, and they've even bumped the version number since then to 1.0.2. Maybe you're thinking of commercial software which is sometimes slow to push out fixes.

Re:Lacking a security model

[phantomfive]

Nah, heartbleed was almost certainly not the only serious security vuln in OpenSSL. The quality of the codebase guarantees that there will be bugs.

Re:Lacking a security model

[FranTaylor]

it would be a miracle rivaling the birth of christ if openssl were actually fixed

Re:Lacking a security model

[Darinbob]

The ultimate faith based security?

ZigBee

So, starting 12 years ago, ZigBee had a security working group to specifically address these very things. It was, of course, a pain in the neck in many ways. But it was intended to provide a good secure platform for developers and vendors.

On the other hand, TinyOS, starting in 2000 had very little in the way of security and has also not been adopted by much more than academics and experimentalists, or those who have other means of handling or avoiding the security issues.

These are always considerations and trades that must be handled.

IoT Launchpad Security Project

[DamonHD]

Hi

We're working on a project (in public) to try to help secure out-of-the-box links from low-power cheap sensor nodes to the concentrator (or equivalent) in IoT networks.

Eg see:

http://www.earth.org.uk/note-o...
and
http://lists.opentrv.org.uk/pi...

to pick a couple of related items.

Anyone who'd like to help us get this right with solutions open source, please do contact us eg via @OpenTRV on Twitter or email.

Rgds

Damon

I'm there.

[swschrad]

not buying that crap. except my alarm system.

wait a minute...

Re:The times we live in

[Bing+Tsher+E]

When an 8086 was real money, an 8048 was only a few bucks, so things haven't changed as dramatically as you make it seem.

The Internet of never updated easily pwn3d things

[cant_get_a_good_nick]

No message needed.

EZ fix

[Snotnose]

You get hacked via a company's product, company pays 3x damages. Doesn't matter if the company makes a web browser or a thermostat. Never happen, but it would solve the problem. Would also kill IoT in it's tracks.

Re:EZ fix

[FranTaylor]

company pays 3x damages .. it would solve the problem

That's not how it works. 3x damages bankrupts the shell corporation holding the distribution rights, nobody actually gets any money, the anonymous stakeholders walk away with no loss.

Re:The times we live in

[FranTaylor]

today chips with 8048 cores are fractions of a penny in large quantity, so yes they have changed pretty dramatically

ibm to the rescue

And what exactly is IBM going to do to help?

They're just pissed they're missing out. That's what happens when you lay off all your good employees. You're the last one to dinner.

Greed and stupidity...

[gweihir]

Always the same story. They are just making the same mistakes again that have been made before with workstations, servers and mobile devices. But this time they really could have known better, so this can only be a combination of greed and stupidity.

Good point

[laird]

It's a good point that as IoT devices proliferate there are security implications because your house will have dozens or even hundreds of devices all talking TCP/IP using whatever random protocols and implementations each device's manufacturer came up with.

That being said, I think it's unrealistic to imagine that each little company should hire their own security experts to make their own rock-solid stack, because many of these devices are home-made, or made by little startups, etc. And even if every manufacture aggressively tracked technology, users won't upgrade their firmware constantly.

Instead, I'd suggest that a better option would be to standardize the basic communications and develop a FOSS hardened communications stack for IoT devices, and push IoT producers to adopt it, so that everyone at least builds on a secure platform. There are many communications stacks for IoT, but the problem (IMO) is that they're generally proprietary by companies trying to "win" in a battle between IoT stacks, and because there are so many code bases, and they are proprietary, they can't be trusted, and even if they are trusted, they can't be used by all developers because they're tied to proprietary platforms.

So what we need is an IoT stack, secure and efficient enough to run on tiny processors (Arduino...) ideally grounded in an open standards group such as the IETF. And with a marketing program to drive all IoT platforms to adopt it. Of course, there can be multiple competing implementations as there are with all network stacks. That's valuable from a security perspective, because it prevents everyone from running one code base and thus having the same security vulnerabilities. And, of course, competition makes everything better, as they compete to be more efficient, secure, etc. As long as they are interoperable, and based on a fundamentally secure design.

Of course, this won't fix all problems - you can certainly build an insecure app on top of an secure protocol - but at least it'll eliminate a bunch of "basic" problems, like identity and securing streams, etc.

Speaking of X10...

[antdude]

What happened to them? I haven't seen or heard them for a while. I just see GoPro and others these days.