Slashdot Mirror


Beware the Ticking Internet of Things Security Time Bomb

alphadogg writes: A panel of security experts, including from IBM, LogMeIn and formerly RSA, warn that IoT security is a growing threat because device makers haven't baked in security. IT security staffs are already inundated with safeguarding internal infrastructure and cloud-based resources, so guarding against a slew of new threats is likely to be overwhelming. LogMeIn's Paddy Srinivasan says most Internet-of-things OEMs "barely even have IT staff," so they aren't capable of developing rigorous security even if they wanted to. IBM’s Andy Thurai says most companies are rushing technology to market to try to monetize you as much as possible, and they aren't even willing to give you a cut for the data you supply. Regulations may help, but probably not enough and definitely not soon.

23 of 131 comments

  1. Why connect EVERYTHING? by Ateocinico · · Score: 2

    Connectivity seems to be this decade's fin tail and chrome craziness.

    1. Re:Why connect EVERYTHING? by Marginal+Coward · · Score: 3, Funny

      I'm not sure if I'll connect EVERYTHING. However, I plan to connect at least my refrigerator to the Internet in order to give the power to curdle my milk to Kim Jong Un. If he makes use of that, then Snap, Crackle, Pop and I will know for certain that he's truly EVIL.

    2. Re:Why connect EVERYTHING? by Bing+Tsher+E · · Score: 2

      I could use a newer refrigerator, our current one was second hand when we bought it thirteen years ago. So if clueless people start selling off their nice refrigerators because they're 'dumb' there will probably be deals to be had.

  2. DHCP and a Firewall by avgjoe62 · · Score: 4, Funny

    I run DHCP, only allowing MAC addresses I want to get a routable address. And just in case, I also run a firewall where I can see what devices are connecting to the outside world.

    The day my toaster tells me it NEEDS an internet connection to make toast is the day I make toast over a campfire.

    --

    How come Slashdot never gets Slashdotted?

    1. Re:DHCP and a Firewall by freeze128 · · Score: 4, Funny

      Your IoT smoke detector will call the fire department when you make a campfire in your kitchen.

    2. Re:DHCP and a Firewall by CanadianMacFan · · Score: 2

      That's okay, all your devices have connected to your neighbour's poorly configured open network and have been sending your private information to the world for years now.

    3. Re:DHCP and a Firewall by Drethon · · Score: 4, Funny

      Your IoT smoke detector will call the fire department when you make a campfire in your kitchen.

      Oh it may try...

  3. car analogy by turkeydance · · Score: 2

    from back in the day when cars talked to you: "your door is ajar". fail. a local woman wrecked her new car when she heard "spirits" talking to her.

  4. Re:The times we live in by fuzzyfuzzyfungus · · Score: 2

    The difference is the number and sneakiness of systems thus compromised.

    Back in the day, when an 8086 was real money and whatnot, you could be fairly sure that only the identifiable computer on your desk was sophisticated enough to be disobeying you; because you couldn't afford enough transistors, even if the market could supply them, for anything else to be.

    Now, thanks to Progress, basically anything from 99 cents on up is probably Turing complete, phoning home to the mothership, and host to a mixture of 'consumer analytics platforms' and egregious security flaws.

  5. Some 'Things' more valuable than others by Frobnicator · · Score: 4, Interesting

    Periodically some "things" on the IoT get revealed as publicly accessible. Cameras and conference room equipment particularly have caused problems in the past.

    In homes, it may be some lolz to mess with lights of a stranger. It may be costly to the homeowner when someone modifies the HVAC settings to crank the programmable thermostat during the day. A skript kiddie could cause a neighborhood to all lose their AC compressors, and then we're talking tens of thousands, perhaps hundreds of thousands in some areas.

    Controlling your television may not seem very creepy, but could be used as presence detection to see how long it takes for someone to turn it off or turn down the loud volume. Cameras on TVs are a great combination if thieves can guess your neighborhood, then identify your house, then identify you are not home.

    Similarly with garage doors. That industry has come a long way; in the 70s and 80s you could get a universal garage door remote that would work on many homes in a neighborhood, and some thieves would clean out the garages and close the door when done. New IoT garage remote controllers lack the basic protections implemented decades ago.

    And most obviously, security cameras in and around a home are increasingly common as an IoT item. Do you REALLY want those images out there?

    Many ISPs make it rather easy to iterate through neighborhoods as they provide convenient DNS access like c-111-222-333-444.town.state.comcast.net. A quick scan of a town to find all the customers with open security cameras, a bit of time to identify the homes in that neighborhood that look interesting on camera and have a few open IoT devices... and you've got a loot schedule. Most of the scans could be easily automated, only requiring some human criminals to look at them once they've found a neighborhood with enough interesting devices exposed.

    --
    //TODO: Think of witty sig statement

    1. Re:Some 'Things' more valuable than others by cusco · · Score: 2

      I still find frelling **security** equipment without the ability to change the default password on it. Obviously we don't install it, but the stuff is sold as "professional grade" and costs big piles of money.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin

  6. We'll Party Like It's 1999. by marienf · · Score: 5, Interesting

    I remember new year's eve Y2K, and everyone expecting blackouts, etc., and me driving around with an X10 wireless remote, sending random commands to sequential channels. People's lights went on and off, burglar alarms (dis)armed themselves, garage doors opened, sprinklers sprinkled water onto the cold pavement (with great ice potential). People panicked. X10 had no notion of authentication. Probably still hasn't.

    Now, I had to drive around, because I was using a commercial-grade transmitter, my range and impact were limited.

    Now, imagine that kind of attitude, but with everything just a few network hops away, no range limits, and with the Invisible Hand clearly not having spanked the market into having a clue.

    Imagine a person less mature than me and that same kind of attitude, today. Or several thousands of them. Spread over the globe.

    I can imagine the havoc, I'm having trouble imagining the useful applications.. A matter of age? I'm not near to connecting stuff I don't have to.

    Imagine what would happen if the Cylons attacked, also.

    1. Re:We'll Party Like It's 1999. by FranTaylor · · Score: 2

      Now imagine the havoc of the inevitable solar flare on all this connectedness that cannot run without being connected.

      Yeah whatever, scare-monger, that solar flare will knock out the power station whether or not you have sensors on your refrigerator. So you mean we have to be prepared for when the power goes off? Yeah this is the USA, you can count on the power to go out at least a couple of times a year. Are you prepared for that?

  7. why wait for that? by slew · · Score: 3, Interesting

    The Ticking Time Bomb of Car Fob Security is already upon us and I suspect that this will explode long before the IoT bomb even has a chance to finish winding up...

    1. Re:why wait for that? by Em+Adespoton · · Score: 2

      Car fobs require proximity. The whole problem with IoT is that the proximity hurdle is removed -- which means everyone around the world who has an idea about how to use your device has the ability to attempt it. Just like with Internet-enabled cars. Now some cars have the ability for a remote attacker to both pinpoint their location AND unlock the doors, via script. Insecure car fobs have nothing on that (I remember when physical keys could often be swapped within car model).

  8. If an IOT device phones home DO NOT BUY IT by atrimtab · · Score: 5, Interesting

    if you cannot completely turn that intrusive privacy robbing feature OFF permanently. Devices that phone home to their real corporate master are not owned or controlled by YOU.

    It is really that simple. That means don't buy Dropcam or a Nest or any of the other "easy to use" everything is stored "in the cloud" IOT devices that are out there and are the most heavily promoted.

    There are network security cameras you can secure easily and control the recordings of. There are also "home automation" devices that only talk to each other within a defined area using reasonable encryption. You just have to be very careful and research what you are buying.

    I note that in my last visit to BestBuy every IOT and home automation device promoted was more useful to the company who manufactured it that was collecting all the customers' data than to the customer.

    You can program your home router to block all outgoing traffic except from devices you select and you will find that many IOT devices will no longer work if you block their ability to "phone home."

    --
    Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!

    1. Re:If an IOT device phones home DO NOT BUY IT by kheldan · · Score: 2

      I have a better idea: Don't buy any 'Internet of Things' devices in the first place. Nobody needs them.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!

    2. Re:If an IOT device phones home DO NOT BUY IT by Zero__Kelvin · · Score: 4, Funny

      Ah, yes, Grasshopper. I've been around long enough to remember when people said that exact same thing about a "home computer." "Don't buy any 'Personal Computer' devices in the first place. Nobody needs them," they used to say :-)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    3. Re:If an IOT device phones home DO NOT BUY IT by AchilleTalon · · Score: 2

      It seems there is a lot of confusion about IoT. It is not about house automation at all, it may be about it, but it is not the main target for IoT. However, the vendors are jumping on the marketing bandwagon and decide to rename everything they were already providing or extend the capabilities of their gizmo with useless internet extensions just to call it an IoT device. Unfortunately, many conclude the IoT is about useless gizmos that are spying on you or whatever.

      IoT is rather about devices to monitor parking spaces and let car drivers know where there are spots available in order to save time and reduce gas consumption in the dense areas of the city, it is about monitoring the garbage collection for a city to make it more efficient or ensure proper billing and so on. It is not about your f...g fridge or your f...g lights or your f...g thermostat or whatever else stupid you can think about.

      --
      Achille Talon
      Hop!

    4. Re:If an IOT device phones home DO NOT BUY IT by AmiMoJo · · Score: 3, Insightful

      I find it depressing that our attitude is now "avoid new technology" rather than "how can we make this secure?"

      Maybe it's time for an open source secure IoT platform that companies can use. As well as an OS it would need to provide stacks for doing common IoT stuff in a secure way, that has privacy controls built in.

      Buffalo ship routers with DD-WRT installed, advertised as a feature. Maybe some kind of certification process could be created, that includes the ability to do updates to the core OS and remote shut-down via blacklist if products are ever found to be vulnerable and unfixable.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    5. Re:If an IOT device phones home DO NOT BUY IT by Hognoxious · · Score: 3, Insightful

      I find it depressing that our attitude is now "avoid new technology" rather than "how can we make this secure?"

      I find it depressing that people confuse "don't waste money on useless shit" with "avoid new technology".

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."

  9. Re:The times we live in by Bing+Tsher+E · · Score: 2

    When an 8086 was real money, an 8048 was only a few bucks, so things haven't changed as dramatically as you make it seem.

  10. Re:The NSA wants to know what's in your fridge by gbjbaanb · · Score: 2

    You misunderstand the problem.

    With Smart TVs recording your watching habits in order to send you adverts, there is the potential for someone else to get access to it and record everything else about you.

    One day you'll get a link to a website that shows you and your babysitter 'earning an extra bonus' with a payment demand to have it removed - all of which was recorded by your smart TV but sent to a Russian hacker rather than Samsung.