Slashdot Mirror


The Internet of Things Is the Password Killer We've Been Waiting For

jfruh writes: You can't enter a password into an Apple Watch; the software doesn't allow it, and the UI would make doing so difficult even if it did. As we enter the brave new world of wearable and embeddable devices and omnipresent 'headless' computers, we may be seeing the end of the password as we know it. What will replace it? Well, as anyone who's ever unlocked a car door just by reaching for its handle with a key in their pocket knows, the answer may be the embeddable devices themselves.

124 comments

  1. What will replace it? by turkeydance · · Score: 2, Funny

    the NSA enabled code. don't leave home without it.

  2. wow by Anonymous Coward · · Score: 5, Funny

    This is one of the rare cases where the title doesn't ask the question, yet the answer is still no.

    1. Re:wow by Anonymous Coward · · Score: 0

      No, no. Let's start hardcoding security into devices. What could possibly go wrong?

    2. Re: wow by jovius · · Score: 2

      I could imagine there being a collection of things, which one needs to place in the correct position for the access. No need to hardcode anything.

      One has more or less certain unique things at home for instance. The position info would add to that.

      The devices would be the user interface.

    3. Re: wow by Anonymous Coward · · Score: 0

      When you put food in the box, put the plug in the hole, then press the buttons in the right order the internet will cook it for you.

    4. Re:wow by AmiMoJo · · Score: 2

      Android users have actually had this for a while with Smart Lock. For example, you can disable the PIN/password lock screen when your phone is paired with certain Bluetooth devices.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re: wow by Dragonslicer · · Score: 2

      Admit it, you just want real life to be more like a video game.

    6. Re: wow by Anonymous Coward · · Score: 0

      My door key:
      http://www.computerhope.com/games/games/pictures/riven35.gif

    7. Re:wow by Anonymous Coward · · Score: 0

      The devices still need to authenticate with each other, which will involve a password of some kind (a Cert, password or other identifier that can be converted into code and string compared in code)

      China would start selling false IDs by merely copying someone's Auth IOT device

    8. Re:wow by Anonymous Coward · · Score: 0

      Just say NO! to IoT devices! You will be saying NO! to corporate spying and corporations collecting what should be private information. Information that will be used to track your habits, your diet, your daily life. And for what? So that they can send you "targeted ads". Of course all state and federal agencies will have access to this data collected about you just for the asking. Privacy? What's that?

      Of course they will say that "if you are doing nothing wrong, why do you object?" If anyone doesn't see why we have to kill IoT devices right now, I suggest that you read George Orwell's book titled 1984. George was more prophetic than he could have ever guessed!

    9. Re:wow by Anonymous Coward · · Score: 0

      Shh, nothing exists until Apple do it.

      (I actually thought the article was a year old and had been posted in a CMS error at first. Such cutting. So edge.)

  3. I'm working on apps without passwords by GoodNewsJimDotCom · · Score: 2, Insightful

    In the app, you're always logged in once you register. Yes, I know it is a security breach, but so is losing your stupid phone.

    You enter your email to register. And if you ever change phones, you simply do what is commonly known as a "password recovery", but don't actually get a password, you just get perma logged in.

    Here's a secret for people who deal with hackers: Have the app generate a keygen unique to the phone: Time stamp it, time stamp it again on the first click, get the X/Y position, and you have a pretty unique code. Keep that code permanently with the installed app, so if they're banned and forget to uninstall your app, they're banned again. Also this key could be used to login automatically without even registering! But if they ever want to recover their account if they lose their phone, they should enter their email in the settings.

    1. Re:I'm working on apps without passwords by AuMatar · · Score: 4, Insightful

      And if they want to use their account on multiple devices? On their actual PC? On a PC at a friend's house or library?

      And email recovery- laughable. If they lost their phone, which was almost definitely logged into their email, then they've lost everything.

      Please name your apps, so I can be sure never to use them.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    2. Re:I'm working on apps without passwords by GoodNewsJimDotCom · · Score: 0

      If a log off button is required, a simple one could be put there if they really want to log off, but by default it is off unless they registered with email, since the only way to log back on would require you to register in the first place. I think most people would love to just go straight to playing the game without registering anything to waste their time.

      You're right if their email gets hacked, they lose everything. But that's no different than how the web operates now...

    3. Re:I'm working on apps without passwords by Anonymous Coward · · Score: 1

      In the app, you're always logged in once you register. Yes, I know it is a security breach, but so is losing your stupid phone.

      You enter your email to register. And if you ever change phones, you simply do what is commonly known as a "password recovery", but don't actually get a password, you just get perma logged in.

      Here's a secret for people who deal with hackers: Have the app generate a keygen unique to the phone: Time stamp it, time stamp it again on the first click, get the X/Y position, and you have a pretty unique code. Keep that code permanently with the installed app, so if they're banned and forget to uninstall your app, they're banned again. Also this key could be used to login automatically without even registering! But if they ever want to recover their account if they lose their phone, they should enter their email in the settings.

      How is this different than plaintext FTP authentication or a cookie that says "IAMTOTALLYTHEREALJIMDOTCOMSECRETPASS12345"?

      What if my phone gets malware and that skims the cookie? Are you just sending that same cookie every time, so any cell tower/wifi can automatically get a copy of my password on authentication, ala FTP?

      What if my phone locks up and I just want to reinstall on the same phone after I wipe it?

      You are using a password, you are just not letting the user easily check or change it. And not a good one.

    4. Re:I'm working on apps without passwords by GoodNewsJimDotCom · · Score: 4, Interesting

      Look if your phone gets malware or MITM and skims the logon normally, you're boned. You're boned in many ways since if you have malware you probably have a keystroke logger too. Yet this passwordless style won't ever let them know how to log onto your account. This is no different since your login/password phase of authentication is the same. In fact with the server giving you a quite long randomized password its better than someone's recycled password they use on every site.

      If you don't enter an email and verify it, yes, you lose everything! This is why you enter your email and verify it, gain some virtual currency for completing the task. The thing is, it won't prompt you for this for about 10-30 minutes in since you don't have anything worth saving anyway, and no one wants to be distracted from seeing if the game is cool or not.

    5. Re:I'm working on apps without passwords by mlts · · Score: 3, Interesting

      With all the security available in device operating systems, there are better ways to do this:

      When the app is created, have it generate a public/private keypair, store the private key in the OS's keystore (called KeyChain in both iOS and Android.) Then, on first authentication to the servers (you are using SSL/TLS for all communication, right?), the central server will store the device's public key's fingerprint. From then on, it functions like a client certificate, and can be optionally used with an app's PIN function for added security.

      The benefit of this over a shared secret? Someone hacks the server, a list of key fingerprints will do an attacker no good to authenticate against (because they don't even have the key material that the fingerprint shows), and can be added/deleted per device. With iOS's and Android's keystore functionality, if the device is locked, the keystore is encrypted and inaccessible, providing another layer of protection on top of encrypting /data.

      To the user, it functions exactly the same, but it is a lot more secure in virtually every way. The only way it would be less secure is if RSA or the public key algorithm in use was completely broken.

      As for bans, you can easily do what Yik Yak and other apps do -- grab the IMEI (if available) and other serials (UDID), and ban by that. Then, even if the app is uninstalled, the phone is still blacklisted.
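      An added worked example of the keystore-keypair scheme the comment above describes (this is not mlts's code or any real app's): the device generates a keypair and never exports the private key, the server stores only the public key's SHA-256 fingerprint, and each login is a signature over a fresh server nonce. Ed25519 and the in-memory maps are assumptions of the example; the comment mentions RSA, and the flow is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models the phone side. The private key stands in for what the OS
// keystore would hold and is never sent anywhere. Ed25519 is an assumption
// of this example (the comment mentions RSA); the flow is identical.
type Device struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewDevice is the "generate a keypair when the app is created" step.
func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{pub: pub, priv: priv}, nil
}

// Public is the only thing the device ever sends the server (once, over TLS);
// Sign answers a challenge with the private key kept in the keystore.
func (d *Device) Public() ed25519.PublicKey      { return d.pub }
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Fingerprint is all the server stores per device: SHA-256 of the public key.
// A leaked table of fingerprints cannot be used to sign anything.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Server keeps enrolled fingerprints per account plus one outstanding
// challenge per account (constructed in-memory store, not a real backend).
type Server struct {
	enrolled map[string]map[string]bool
	nonces   map[string][]byte
}

func NewServer() *Server {
	return &Server{enrolled: map[string]map[string]bool{}, nonces: map[string][]byte{}}
}

// Enroll records a device fingerprint on first authentication; Revoke drops
// one device without touching the account's other devices.
func (s *Server) Enroll(account string, pub ed25519.PublicKey) {
	if s.enrolled[account] == nil {
		s.enrolled[account] = map[string]bool{}
	}
	s.enrolled[account][Fingerprint(pub)] = true
}

func (s *Server) Revoke(account, fingerprint string) {
	delete(s.enrolled[account], fingerprint)
}

// Challenge issues a fresh random nonce; signing it proves possession of the
// private key without the key leaving the device.
func (s *Server) Challenge(account string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[account] = nonce
	return nonce, nil
}

// Authenticate checks that the presented public key is enrolled for the
// account and that the signature covers the outstanding nonce. The nonce is
// consumed before any check so a captured signature cannot be replayed.
func (s *Server) Authenticate(account string, pub ed25519.PublicKey, sig []byte) error {
	nonce, ok := s.nonces[account]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.nonces, account)
	if len(pub) != ed25519.PublicKeySize || !s.enrolled[account][Fingerprint(pub)] {
		return errors.New("device not enrolled")
	}
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	srv := NewServer()
	phone, _ := NewDevice()
	srv.Enroll("alice", phone.Public())
	nonce, _ := srv.Challenge("alice")
	fmt.Println("login:", srv.Authenticate("alice", phone.Public(), phone.Sign(nonce)))
	fmt.Println("replay:", srv.Authenticate("alice", phone.Public(), phone.Sign(nonce)))
}
```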

    6. Re:I'm working on apps without passwords by flaming+error · · Score: 1

      "Someone hacks the server..."

      Securing authentication servers isn't a new problem. User authentication on headless devices is.

      The problem the article identifies is when someone loses their watch. Your suggestion authenticates the watch, but what really needs to be authenticated here is the user.

    7. Re:I'm working on apps without passwords by rtb61 · · Score: 2, Interesting

      The big shift should be away from passwords and to passkeys. So you install the same passkey generating app on multiple devices and when you enter the same password on multiple devices, the app generates a different rotating passkey for each separate site that device accesses. So your password never passes beyond your device and the app sets up a procedurally generated passkey that varies with every access and the passkey accepting app handshakes to ensure that the passkey changes align, the server app also requires different keys from different devices, again changing upon every access.

      So from an end user point of view, one passphrase accessing everything they connect to (likely at least one more passphrase for more secure banking services), with the app generating keys to access services with the client server app having established the pattern for future procedurally generated keys, so they match as they continually change upon each access. You would then need to be able to sync client devices, so they can access the same site from multiple devices, this just tends to be more of accepting different keys from different devices for the same access, so the server just becomes aware of them and likely checks with the originating device where possible for establishing new device access. When that fails normal extended authentication is required to re-establish a passkey pattern ie confirmation of personal details, email confirmation et al this to re-establish access between passkey client and passkey server.

      So it requires an agreed standard and protocol to be used by all.

      --
      Chaos - everything, everywhere, everywhen
    8. Re:I'm working on apps without passwords by darkain · · Score: 1

      "In security engineering, security through obscurity is the use of secrecy of the design or implementation to provide security. A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, then attackers will be unlikely to find them." - Sauce: https://en.wikipedia.org/wiki/...

      TLDR: Your system is already a failure. Leave security up to the security experts.

    9. Re:I'm working on apps without passwords by Anonymous Coward · · Score: 0

      AFAIK, with the Apple Watch, that is a solved problem. If it is off the wrist for more than a second or two, it locks and prompts for a PIN.

    10. Re: I'm working on apps without passwords by Anonymous Coward · · Score: 2, Insightful

      Why would it be a failure? It's actually a pretty elegant security design that for example the GMail app uses as well by default:

      Attackers on other systems or from other apps cannot get to the password. This covers 99% of the risk.

      There's a residual risk: if other apps can break their jail to root mode, or if your system is remote exploitable - but in those cases you are likely hosed no matter what, and requiring password entry won't eliminate those threats.

      The best security design is the one that does not get in the way of productivity.

    11. Re:I'm working on apps without passwords by linuxrocks123 · · Score: 4, Insightful

      Dude, he's not running a f*cking bank. He's obviously talking about a system for some phone toy like Angry Birds. Do you care if I can get into your Angry Birds account? Probably not much.

      He's describing a system that is good enough for phone toys and things that require similarly low security. Like apparently Slashdot, which lets you perma-login with a browser cookie and redirects https to http rather than the other way around.

      --
      vi ~/.emacs # I'm probably going to Hell for this.
    12. Re: I'm working on apps without passwords by Anonymous Coward · · Score: 0

      What is this, .hack//Sign ?

    13. Re:I'm working on apps without passwords by MobileTatsu-NJG · · Score: 1

      If only it were possible to change the password of your e-mail account...

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    14. Re:I'm working on apps without passwords by Anonymous Coward · · Score: 0

      The one-password-to-rule-them-all sounds like KeePass.
      The "procedurally generated passkey" you mentioned sounds like a One Time Password algorithm such as HOTP or TOTP; both of which are standards (RFC 4226/6238, I think)

      HOTP support is built into KeePass, and TOTP is available as a plugin. Not the simplest thing to setup, but I'd rather someone improve the current wheel before reinventing their own. Doubly so in security.

    15. Re:I'm working on apps without passwords by Anonymous Coward · · Score: 1

      What about zero-knowledge password proof? It works quite well against MITM attacks. That will protect you when your device is not compromised but the network you are using to connect is. In the worst case the attacker will only be able to hijack the current session but he will not be able to log in again later.
      With just using a cookie if an attacker gets it he can log in any time he wants.

    16. Re:I'm working on apps without passwords by Anonymous Coward · · Score: 0

      And if they want to use their account on multiple devices? On their actual PC? On a PC at a friend's house or library?

      When having a discussion about security, perhaps it's best not to sound like the average ignorant user who demands they are logged into every fucking device within 50 yards of them at all times. You sound like a 14-year old social media whore with this shit.

      Real security usually involves sacrificing a little freedom. Sure it's a pain in the ass to require TFA on my services, and I don't check that box to entrust even my personal computers. It's a bit better than the alternative, and a hell of a lot better than trying to claim IoT is the answer. The only thing that shit will do will ensure thieves know exactly what hardware to target on an individual, no blackmail necessary.

    17. Re:I'm working on apps without passwords by Anonymous Coward · · Score: 0

      How can the user migrate to another device (possibly another brand incompatible with a full device backup/restore) and still keep his existing account ?

    18. Re:I'm working on apps without passwords by jedidiah · · Score: 2

      Security that can't meet real world usability requirements is ultimately useless. It doesn't matter how much contempt you show for the end user.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    19. Re:I'm working on apps without passwords by Anonymous Coward · · Score: 0

      In your scenario of a hacked server, how is this any better than just storing a hash of the 'shared secret'? If a hacker obtains hashes of a shared secret, it's no more dangerous than if they get a list of public key fingerprints.

      If the client device is compromised (The issue at hand, I believe), the 'secret' can be revealed in either case, be it the actual shared secret or the private key.

      Maybe there was a subtlety in your idea that I missed.

      That said, I am a huge proponent of using asymmetric key cryptography for this kind of thing, but only where warranted. One thing I hate is when people use certain technologies to make something 'appear' more secure when said technology adds no security benefit...

    20. Re:I'm working on apps without passwords by mlts · · Score: 1

      The public key allows for more flexibility than just a shared secret. For example, if one wants to store a blob on an untrusted cloud provider, they could store it encrypted to each device's public key. This can be made transparent to the user, since the user just has to "introduce" a device via another, already trusted device which would decrypt the data blob's master key with its own private key, add an encrypted entry for the public key of the device being introduced.

      Another item is that if someone snatches hashes of passwords, all the users (or devices in this case) have to change their passwords next login, have their passwords locked out until they complete a recovery process, or be re-authenticated somehow that is different from the password. A list of key hashes gives no usable info to the intruder, as in they can't brute force a password that fits the hash.

      Shared secrets have their place, but the advantage of going with the equivalent of client certs is that it lessens what amount of data is sensitive, and forces an intruder to modify data to add their public key for access. If the public keys are leaked, it doesn't do an attacker any good, unless they have broken RSA.

    21. Re:I'm working on apps without passwords by Anonymous Coward · · Score: 0

      I will ignore your first point for now - not because it is invalid, it is very valid :), but because I was only referring to the hacked server scenario. I absolutely agree that that extra functionality would be beneficial.

      Back to the hacked server scenario, yep you are right. A list of PubKey hashes will be junk yes, and hashes can be brute forced, but if the shared secret is sufficiently long, this becomes a moot point pretty quick :)

      But that is just pedantism, I do think I prefer the asymmetric key solution in this case, just not for that hacked server reason :)

    22. Re:I'm working on apps without passwords by AuMatar · · Score: 1

      Before going off on rants like this, I'd study what two factor authentication actually means. Hint: the idiotic idea I was responding to isn't even close.

      --
      I still have more fans than freaks. WTF is wrong with you people?
  4. mixed signals by Gravis+Zero · · Score: 4, Funny

    halfway through the article...

    [ Don't miss: Welcome to the Internet of Things. Please check your privacy at the door. ]

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:mixed signals by Anonymous Coward · · Score: 1, Interesting

      shut up. this takes us 1 step closer to living in a cyberpunk novel. we used to laugh at the idea of someone hacking a toaster, fridge, or running shoes. with IoT, it's becoming reality.

    2. Re:mixed signals by Falos · · Score: 1

      You optimists could find a bright side to cancer. I'll concede your point, though this also means Hollywood and CSI episodes will be marginally less ridiculous.

  5. RFID tags, obviously by penguinoid · · Score: 3, Insightful

    Just implant yourself with an RFID tag. As a bonus, it will also reduce the chance that a surveillance camera misidentifies someone as you.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:RFID tags, obviously by Anonymous Coward · · Score: 0

      Well, whether they're lying, just ignorant, or even correct, for the most part they all say the same thing about Democrats. Thanks for being part of the problem instead of the solution.

    2. Re:RFID tags, obviously by Hotawa+Hawk-eye · · Score: 1

      So instead of a car thief just stealing your car by taking the keys from your hand or pocket, now they're going to have to chop off whatever body part contains the RFID tag that unlocks it. May I suggest installing the RFID tag in the tips of your fingers, to minimize the tissue loss? As an added benefit to RFID at/in your fingertips, after a couple robberies you'll be able to nail the Onion Knight (from Game of Thrones) Halloween costume!

    3. Re:RFID tags, obviously by Anonymous Coward · · Score: 1

      No they just have to clone your RFID, then you get to chop up your own hand to change your password. Same thing when they clone your fingerprint, iris, etc.

  6. True, in a sense... by fuzzyfuzzyfungus · · Score: 4, Insightful

    In the sense that both 'the internet of things' and 'passwords' can be described as "an egregiously maldesigned and actively user-hostile security clusterfuck; typically bodged together by people who don't know, don't care, or both", I suppose that 'IoT' would be a worthy successor.

    In all other respects, what a load of tedious, meandering, bullshit to arrive at some vacuous generalities about a vaguely described non-solution.

    1. Re:True, in a sense... by gstoddart · · Score: 3, Insightful

      Yeah, the IoT is a lightweight proof of concept which nobody yet knows what to do with but are otherwise hoping catches on because it really sounds cool.

      The problem with being a lightweight proof of concept is there is pretty much zero security in them thus far.

      Derpa derp, internet of things, this is people spitballing about what it might be if it ever comes to pass.

      The internet of things isn't even as far as being a solution in search of a problem. It's a construct desperately trying to become real enough to try to have a solution in search of a problem.

      The only people who care about the internet of things are the people trying to tell us how awesome the internet of things will be.

      Using it for security? Not bloody likely.

      --
      Lost at C:>. Found at C.
    2. Re:True, in a sense... by Darinbob · · Score: 3, Interesting

      Of course we know what to do with IoT. It exists today. It's not the gadget/smartphone loving hipster IoT that the media fawns over. But the smart grid is IoT, many SCADA systems could fit that description, other networks of sensor controllers that exist today, etc. Sometimes they do have passwords (which nobody enters by hand), sometimes they have to present certificates. There is a LOT of security in them.

    3. Re:True, in a sense... by gumbi+west · · Score: 2, Interesting

      The Internet of Things is something Bill Gates wrote about 20 years ago and it's about as close to reality as it was then. The real issue is that we need an embeddable computer that runs Windows (don't laugh, it's what people know) and costs about $0.05, maybe $0.25 is good enough, but I doubt it. Then we'll start to see the Internet of Things take off.

      I have literally zero things that are not internet enabled that I wish were internet enabled. If someone offered me an enabled and non-enabled device I'd take the non-enabled device every time. It's one fewer thing to break and my device is that much less likely to get hacked and broken.

      So, basically, it will have to get to the point where everything is enabled for me to buy these things. That will happen when a computer costs basically nothing; $0.05 is basically nothing.

    4. Re:True, in a sense... by msobkow · · Score: 0

      *LMAO* That's why you never hear about SCADA systems getting attacked or crippled, right?

      Even the SWIFT banking network has had problems from time to time, and that is just about the most secure network on the planet short of those created by the military in a very short list of nation-states.

      There is no such thing as "impenetrable security." Trusting devices that can't be or aren't regularly updated and which don't change their security certificates on a regular basis is just begging to be cracked.

      --
      I do not fail; I succeed at finding out what does not work.
    5. Re:True, in a sense... by phantomfive · · Score: 1

      I was thinking something similar recently. So many restaurants have 'smart' cash registers now, you can order before you get there, or even have it delivered. The IoT is here.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:True, in a sense... by Darinbob · · Score: 1

      You think SCADA systems have not improved security? A few examples of old systems with bad security and they're all supposed to be that inept?

    7. Re:True, in a sense... by linuxrocks123 · · Score: 1

      People use smartphones now, and almost none of them run Windows. I don't think Windows is a requirement for IoT.

      I do think some sort of use case is a requirement, and some form of standardization.

      --
      vi ~/.emacs # I'm probably going to Hell for this.
    8. Re:True, in a sense... by MobileTatsu-NJG · · Score: 1

      I remember the same sentiment expressed against camera-equipped cell phones. Once people had them in their hands, it turned out the realities of how much pocket-space people actually had played a crucial role. Face facts: One day your friend is going to impress you with a tale of how his fridge told his smartphone while he was at the grocery store that he's out of otter pops. You may not believe that now, but sooner or later your free time will come at a premium and you're going to wish you had all the data about your domicile at your fingertips. Suddenly that five cents will turn into fifty dollars.

      Your last hope of being right (right now I mean) lies with Edward Snowden.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    9. Re:True, in a sense... by thegarbz · · Score: 1

      *LMAO* That's why you never hear about SCADA systems getting attacked or crippled, right?

      Actually I haven't heard about a SCADA system properly setup with correct credentials setup over a proper link get crippled via a network. Many systems provide sound security out of the box often on the protocol level.

      What you hear about often is idiots letting their SCADA systems get crippled often via default passwords, not enabling basic encryption, not enforcing basic security, or just plain old letting someone plug directly into it or into the process network, just like you hear that one of the most popular passwords in use today is still "Password"

    10. Re:True, in a sense... by gumbi+west · · Score: 1

      Supply management is an interesting application. But is it even close to happening? I'd say RFID might make it possible but I don't think you can check multiple RFIDs at once.

    11. Re:True, in a sense... by gumbi+west · · Score: 2

      I think it's really interesting how I'm moderated for this. 50% interesting 30% overrated and 20% troll. There is a lot of passion here about me being wrong.

      Or perhaps it's the /. revulsion to having Windows take over. Pretty bad, in my mind, but the only thing worse would be Android with its total lack of privacy controls.

    12. Re:True, in a sense... by gumbi+west · · Score: 1

      I might also mention that while I have a camera in my smart phones, I prefer my point and shoot or DSLR.

      While the current gen of phones do take pictures perhaps even better than the point and shoots of old they aren't really up to snuff relative to the current gen of point and shoots, the GoPro. Also, neither can touch the DSLR for image quality. But the DSLR is really heavy and expensive enough that you have to think about theft whenever you have it outside of the house, so it's a real pain.

    13. Re:True, in a sense... by Attila+Dimedici · · Score: 2

      The only people who care about the internet of things are the people trying to tell us how awesome the internet of things will be.

      You are sadly mistaken. There are a large bunch of people who care about the Internet of things because they recognize what a boon it will be to mining personal data for the corporations who get their stuff adopted first. The IoT is the smart TV which reports your viewing habits, and random videos of your living room (or wherever your TV is) to the company which made it (Samsung, and probably others). I am sure there are other such devices.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    14. Re:True, in a sense... by dave420 · · Score: 1

      While that is partly true, you are forgetting the truly benevolent devices from trusted companies/organisations which can actually help people greatly, with no privacy cost. To ignore those is shooting yourself in the foot.

    15. Re:True, in a sense... by Anonymous Coward · · Score: 0

      *LMAO* That's why you never hear about SCADA systems getting attacked or crippled, right?

      Actually I haven't heard about a SCADA system properly setup with correct credentials setup over a proper link get crippled via a network. Many systems provide sound security out of the box often on the protocol level.

      What you hear about often is idiots letting their SCADA systems get crippled often via default passwords, not enabling basic encryption, not enforcing basic security, or just plain old letting someone plug directly into it or into the process network, just like you hear that one of the most popular passwords in use today is still "Password"

      This is precisely what happened in the vast majority of incidents. The industrial network world also has its management types who see no reason to spend money on properly setting up their automation systems securely.
      -- IAACE (I Am A Controls Engineer)

    16. Re: True, in a sense... by Anonymous Coward · · Score: 0

      I have used ""Password"" for password for years, never had a problem with it

    17. Re:True, in a sense... by Anonymous Coward · · Score: 0

      It's already happening, man.

      Medical devices are sending mass amounts of data to super computers for crunching. http://nanthealth.com/

      Shipping containers are phoning home. http://www.iotevolutionworld.com/viewette.aspx?u=http%3a%2f%2fwww.iotevolutionworld.com%2fm2m%2farticles%2f399846-shipping-containers-employ-m2m-technology-monitor-perishable-loads.htm

      Cars are sending diagnostic data.

      All of this will have the effect of making every aspect of our lives more efficient and secure. An NFC chip on a phone that generates a one-time cipher to tap and open a lock would be far more secure than any key mechanism save the very best biometrics. It's happening now.

    18. Re:True, in a sense... by Attila+Dimedici · · Score: 1

      While that is partly true, you are forgetting the truly benevolent devices from trusted companies/organisations which can actually help people greatly, with no privacy cost. To ignore those is shooting yourself in the foot.

      I would agree with you, but even with your reminder I cannot think of any of those. In order to be "forgetting" them, I would have to be aware of them. So, would you care to enlighten me?

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    19. Re:True, in a sense... by Anonymous Coward · · Score: 0

      Why do you constantly stalk/harass apk? Your post history's evidence of you doing it. Don't attempt to deny it. Are you so obsessed with him doing better than you have in computing that you must stalk him, harassing him constantly like the psycho you're showing us you are by doing it? He's challenged you to do better. It's evident you can't. You can't even prove his lists of points favoring hosts files wrong, agreeing with him he is correct on them from recent replies of yours in exchanges with apk you've had. So what's your problem? Jealousy?

    20. Re:True, in a sense... by jp10558 · · Score: 1

      The problem with Android is that you don't get root on your own devices. People who do run Cyanogenmod can run a simple application permissions "firewall" which is somewhat like HIPS on Windows. It can block or return blank or fake data on anything you don't think the app needs to function for you. And from the reports I've heard, almost no apps crash or refuse to run when this is done.

      If we had actual control over our devices, we'd not have privacy issues.

      It's pretty ironic the supposed security we would get from walled gardens with managed OSs actually just changed the hackers stealing info to anyone who wants to pay to steal info, but now it's legitimate because they paid someone to steal your info.

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    21. Re:True, in a sense... by jp10558 · · Score: 1

      the truly benevolent devices from trusted companies/organisations

      I don't think such a thing exists. And even if it does today, what about in 5 years? Think about sourceforge for instance...

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    22. Re:True, in a sense... by gumbi+west · · Score: 1

      It's not walled gardens, Apple actually lets you control the privacy settings on your device.

  7. meh. by Larryish · · Score: 0

    Dice Holdings sucks the big hairy meatball.

  8. the real password killer is... by xxxJonBoyxxx · · Score: 1

    So far, my "password killer" has been Google Authenticator and RSA SecurID on my Android phone. (I checked out of the Apple ecosystem when I cancelled cable but I'll bet they have the same things over there.) All my VPN connections and some of my web apps now use these.

  9. btprox much by silas_moeckel · · Score: 1

    I've been using various forms of bluetooth proximity to automatically lock workstation forever.

    --
    No sir I dont like it.
  10. Not Looking Forward To This by Anonymous Coward · · Score: 1, Insightful

    I'm not looking forward to a world where computers are everywhere and in everything. It's bad enough every moron has a mobile phone stuck in their face whilst they walk. I don't want my stove talking to the fridge. I don't want reminders from the fridge the milk is low. I don't want my toaster sending illegal packets to Yahoo! and then getting blacklisted. No. Simply no.

    I want to use computers as a tool when I want. I want to have to walk over to one like I do in my living room. I don't want a world like Star Trek where I ask the computer stuff whilst I walk along. I like being human with all the constraints that come with being human. We can take this too far if we allow it.

    1. Re:Not Looking Forward To This by mlts · · Score: 3, Interesting

      Of course, I am leery of the next step above this... having to wait for an ad to play on the fridge before I can open the door, having to pay the stove manufacturer $29.99 a month so I can use the self-cleaning settings, finding my faucet won't turn on because it lost connection with the cellular tower as the telco dropped GSM for pure LTE, getting fined by my HOA because the freezer detected more than the allotted moving things via its camera in the house, and so on.

      Then, there is the security nightmare. Think those IoT providers will pay more than lip service to ensuring their devices are not easy prey? Won't happen.

      Finally, there are the higher prices. I don't feel like paying hundreds of dollars for a thermostat, or thousands of dollars for a fridge because it is "smart". If I wanted to pay top dollar for a fridge, depending on availability, I would get a propane or natural gas fridge, so my stuff stays cold even if there is a power outage.

    2. Re:Not Looking Forward To This by khasim · · Score: 1

      Think those IoT providers will pay more than lip service to ensuring their devices are not easy prey? Won't happen.

      Won't happen because it cannot happen. There will be some manufacturers who go out of business. Where's the updates then?

      Not to mention the manufacturers dropping support for older models EVEN IF THEY STILL WORK. Gotta buy a new fridge because the old one isn't updated any more.

      Even if they do put the minimal effort in being better than "easy prey", how many times have we seen secret backdoors suddenly becoming public knowledge?

    3. Re:Not Looking Forward To This by mlts · · Score: 3, Interesting

      If phone makers (and phones are not cheap items) in general won't provide updates for more than a version or two at most, then I doubt IoT device makers would provide much, if anything, in the way of updates.

      IMHO, the best thing about IoT is to just say no.

      There are ways to design IoT devices securely (for example, having them use a hardened, central hub that handles the communication through the Internet, so attacks on individual devices end up having to be physically local), but since IoT is such a "fad", security is at best an afterthought after the product design is rushed out the door, so I expect zero security whatsoever.

    4. Re:Not Looking Forward To This by Anne+Thwacks · · Score: 1

      In reality, the hardened, central hub that shares the same hacked router credentials and NSA back door with the rest of my home.

      Nope - the answer is not there.

      IoT is the best known way to donate all your privacy to the lowest scum on earth - by which I mean all of them collectively, not the exact lowest - exactness will be missing.

      --
      Sent from my ASR33 using ASCII
    5. Re:Not Looking Forward To This by adolf · · Score: 1

      I already trust my home router as a hardened, central hub for everything else: Why not trust it to be an IoT hub as well?

    6. Re:Not Looking Forward To This by Anonymous Coward · · Score: 0

      You don't want an absorption fridge. Seriously. They are horridly inefficient and will cost more to run on NG/LP than you pay for electric on a halfway decent newer fridge. Despite no moving parts, they're also still easier to break than a compressor based fridge. And parts cost more than normal residential fridges. A lot of RV owners that only occasionally dry camp rip the absorption fridge out when it breaks and swap it for residential. Efficient models, run off of batteries, can go for days without access to the grid or a generator.

    7. Re:Not Looking Forward To This by Anonymous Coward · · Score: 0

      My router is hardened.

      It is about risk management. IoT isn't going away, and I'd rather see a secure hub/spoke topology than each device having its own 3G circuit leaving it wide open to the world.

      Minimizing attack surface is a security 101 item. If you have a hub, or perhaps two hubs for n+1 redundancy, this means someone has to get through the firewall, then attack the hub... and the hub can be well designed (perhaps with a hypervisor stack to further separate processes into containers/VMs/jails.) It is a lot easier to secure that hub than a lot of little devices.

      It can easily be done. Look at consoles. The latest gen consoles have been out for a while now and have a 0% piracy/hack rate. The previous gen went for over five years, and the guy who actually made the first dent on the PS3 went to jail for it. If consoles can be effectively secured from all threats local or remote, then it isn't that hard to make a dedicated hub unit for IoT devices that can do the same.

      Just curious... what does the NSA have to do with a hardened hub anyway? Sounds like fear mongering, similar to how the local press mentions something relating to child predators when they need to turn up ratings.

  11. I'm game for that (not being embedded gung ho for) by Trax3001BBS · · Score: 1

    DR TA

    I use a password manager (Acerose, Win), so know my passwords are correct, yet can't access my Hotmail account due to it being questioned. Hotmail's only use for me is to forward my e-mail from .com's I've used it on to my newer e-mail address at Gmail; so I don't mess with it, as it's working. This isn't the only site that's questioned my password, those requiring a new account.

  12. I'm feeling a little... by pubwvj · · Score: 1

    I'm feeling a little chipper!

  13. Does it matter? by drew_92123 · · Score: 1

    I'm sure whatever they come up with will suck just as much as a password.

  14. No thanks by Anonymous Coward · · Score: 0

    Well, as anyone who's ever unlocked car door just by reaching for its handle with a key in their pocket knows, keyless cars are 'increasingly targeted by thieves using computers'

    There, fixed that for you.

  15. Not embeddable devices, smartphones (or watches) by swillden · · Score: 3, Interesting

    This is the right basic idea, I think, but I think everything will converge into a single device, either the mobile phone or a wearable. And as it becomes more and more central to everything we do, that device will become very smart about authentication.

    The problem with using dedicated embeddable devices is twofold. First, the more of them you have to carry, the more difficult it is to keep track of them. With old-fashioned metal keys we've solved this with the key ring... but that creates its own problem. The more keys you add to it, the more valuable it becomes. Loss or theft become increasingly more problematic. And our metal keys open fewer, and less important, things than our electronic authenticators do.

    So, it makes sense to combine the electronic keys in a single device, but then to use the capabilities it has that metal keys do not to solve the theft and loss problems. First, against loss, there must be a way of backing up all of the credentials, securely and automatically, so that in the event the device is lost they can all be recovered relatively easily. Some sort of remote server backup, to which you authenticate with some other mechanism that you protect very carefully (there are lots of options here, but a long, randomly-generated password printed out and stored in a safe place is a good option). That backup needs to be reliable and reliably accessible, but access need not be easy or convenient, since it should be rarely needed.

    What about theft? This is where the smart device has huge advantages over dumber devices, because it can authenticate the user. This authentication needn't be particularly strong, but it should have good anti-brute-force protections, and it should be smart. The goal is to make something that is extremely convenient for the user, but makes it relatively unlikely that someone else who gets it can use it. How could that work? Google is pushing towards this vision with Android Smart Lock features. The core idea is that the device shouldn't rely on a single signal, because that signal then has to be very strong.

    It's worth looking at analogies with meatspace facilities that care a great deal about security. What they don't do is put a bank vault door on the exterior wall and rely on the strong combination lock to keep thieves out. Instead, they rely on layering of defenses, monitoring and active response.

    What can your phone do? Quite a bit, probably. Not only does it have a touchscreen for entering passwords, it also has cameras, an accelerometer, GPS, various radios, compass, altimeter, microphones, a proximity sensor and probably other stuff I'm forgetting. In addition, it can know a lot about your habits, your plans (e.g. what's on your calendar) and more. With that wealth of signals, it should be possible for the device to determine with relatively high certainty whether or not it is still in your possession. Where it's uncertain, it can fall back to asking for authentication with, say, a fingerprint or simple PIN to increase its certainty. Or in more extreme cases, it can fall back to an even stronger password. The idea is to make authentication as seamless, transparent and automatic as possible... but as strong as necessary.

    Or maybe a smart watch will be a better choice. It has pretty much all the same capabilities as a phone, but the advantage that you strap it to your body, making it harder to lose, and harder to steal. (Actually, I think over the next few years for many of us our phones will migrate onto our wrists; right now the smart watch is an extension of the phone, I think that will flip, with the handheld device becoming an extension of the watch providing a larger screen, aimable camera, etc.).

    The "as strong as necessary" bit is important here, too. When the phone is going to use a stored authentication key to unlock something for you, the degree of certainty that it needs to have that you're you depends on what it's unlocking. If I'm using my phone to log me into slashdot on my laptop, I really cou

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
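
The layered, "as strong as necessary" scheme swillden describes above, as an added example in Go. It is not code from the original post, from Google or from Android Smart Lock. The signals, their weights, the resource tiers and the backoff schedule are assumptions chosen for illustration: a confidence estimate is fused from several weak signals and decays with time since the last strong proof, each action has a required confidence, and the device asks for the cheapest extra step (nothing, a PIN, or a full password) that closes the gap. The PIN path is rate-limited with exponential backoff, since a short PIN is only acceptable with anti-brute-force protection.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Signals is what the device can observe cheaply and continuously about whether
// it is still with its owner. The fields are assumptions for this example.
type Signals struct {
	TrustedDeviceNearby bool    // a paired watch or car is in Bluetooth range
	AtTrustedPlace      bool    // location matches home or work
	OnBody              bool    // not set down since the last strong proof
	MinutesSinceStrong  float64 // minutes since a PIN, password or fingerprint was accepted
}

// Confidence fuses the signals into an estimate in [0,1] that the owner holds the
// device. The weights are illustrative; the point is that no single signal
// reaches the top tier on its own, so no single signal has to be unspoofable.
func Confidence(s Signals) float64 {
	c := 0.0
	if s.TrustedDeviceNearby {
		c += 0.45
	}
	if s.AtTrustedPlace {
		c += 0.25
	}
	if s.OnBody {
		c += 0.30
	}
	// Passive evidence goes stale: decay toward zero with a 4-hour e-folding time.
	return c * math.Exp(-s.MinutesSinceStrong/240)
}

// Step is what the device asks of the user before releasing a stored credential.
type Step int

const (
	Passive  Step = iota // unlock silently
	PIN                  // short PIN or fingerprint
	Password             // full password
)

func (s Step) String() string { return [...]string{"passive", "PIN", "password"}[s] }

// Required is the confidence needed for each kind of action. The resource names
// and thresholds are assumptions for this example.
var Required = map[string]float64{
	"forum login":   0.30,
	"email":         0.60,
	"bank transfer": 0.90,
}

// pinGain is how much certainty a correct PIN adds; a password is treated as
// sufficient for anything. Both are assumptions.
const pinGain = 0.50

// Decide picks the cheapest step that closes the gap between what the device
// already believes and what the action requires.
func Decide(conf, required float64) Step {
	switch {
	case conf >= required:
		return Passive
	case conf+pinGain >= required:
		return PIN
	default:
		return Password
	}
}

// PINBackoff is the anti-brute-force part: a short PIN is acceptable only if
// guessing is rate-limited. The first three failures are free; after that the
// wait doubles each time (30 s, 60 s, ... about 64 minutes after the tenth).
func PINBackoff(failures int) time.Duration {
	if failures < 3 {
		return 0
	}
	return time.Duration(30*math.Pow(2, float64(failures-3))) * time.Second
}

func main() {
	withWatch := Signals{TrustedDeviceNearby: true, AtTrustedPlace: true, OnBody: true}
	setDown := Signals{AtTrustedPlace: true, MinutesSinceStrong: 180}
	for name, need := range Required {
		fmt.Printf("%-14s with watch: %-8v set down 3h: %v\n",
			name, Decide(Confidence(withWatch), need), Decide(Confidence(setDown), need))
	}
	fmt.Println("wait after 10 failed PINs:", PINBackoff(10))
}
```

Running it shows the shape of the argument: with the watch on the wrist and the phone at home, even the bank tier unlocks silently; three hours after the phone was set down, the forum still only needs a PIN while the bank demands the password.
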
  16. Re:I'm game for that (not being embedded gung ho f by Trax3001BBS · · Score: 1

    DR TA

    This isn't the only site that's questioned my password, those requiring a new account.

    E-mails being sent to verify ones identity (sometimes) are sent to only one E-mail address, they don't allow forwarding nor POP3ing them as I normally do to get my e-mail (it's caused problems in the past, yet now I'm aware of it).

  17. Biometrics for all the "things"! by tlambert · · Score: 1

    Biometrics for all the "things"!

    Sadly, there's not an ASCII art for the Trollface with the torch graphic...

  18. IoT in a nutshell: by rnturn · · Score: 1

    ``The only people who care about the internet of things are the people trying to tell us how awesome the internet of things will be.''

    And telling us what backward, mouth-breathing Luddites all of us who aren't racing to jump on the IoT fanboi bandwagon are.

    --
    CUR ALLOC 20195.....5804M
  19. Uh.... by weekendgeek · · Score: 2

    Not sure what Apple Watch you've used, but if mine isn't on my wrist, I'm required to enter a numeric password if I want to see anything more than the watch face.

    It's even greater than 4 numbers, too.

    If it's on my wrist, the iPhone needs to be unlocked at which point the watch is unlocked as well.

    --
    It would be presumptuous to conclude that Americans have no right to know what is being done in their name
  20. smart cars by sims+2 · · Score: 1

    anyone else have one of those cars that lets people steal items from your car while you're in the store because the doors don't lock while you're in range?

    --
    Minimum threshold fixed. Thanks!
    1. Re:smart cars by Anonymous Coward · · Score: 0

      Also works if you're not actually in range and some "nice" person comes along with a set of antennas and is nice enough to relay the signals from your pocket to a place right beside your car. A simple button on the key would prevent that but hey, it's so cool right? You can design the best authentication handshake protocol in the world, but ultimately you depend on the physical attribute of proximity which you simply can't verify reliably.

  21. Passive Keyless Entry is already broken by Anonymous Coward · · Score: 0

    You do realize that the Passive Keyless Entry System you are talking about in the submission allows your car to be opened while you are in your house?
    https://www.grc.com/sn/sn-508.pdf

    But that's OK, just find one of the many other IoT with a great security track record to use as another example. Oh wait....

  22. iButton by hawguy · · Score: 2

    I remember when the iButton (and the Java ring with a java iButton embedded in the ring) came out, *that* was going to eliminate passwords - just hold your ring up to the iButton reader on your door, your computer, or any thing you want to secure. Passwords are a thing of the past when you have your iButton.

    It's only been 17 years, so I'm sure we'll start seeing the readers built in to computers any day now.

    https://en.wikipedia.org/wiki/...

    1. Re:iButton by adolf · · Score: 1

      I remember when iButtons came out a million years ago, and I've actually used them. Motorola likes to use them for some of their dispatch consoles and radios for licensing software features, and in some cases as keys to access particular radio systems.

      And that's...it, although they do function in those roles rather well.

    2. Re:iButton by Lumpy · · Score: 1

      They were used heavily for door access in many places. They work great. I still have a few iButtons and the dev kit around. And I have the good ones that run Java and have an RTC inside them, so you never send the keys in the clear but instead do a challenge-response. Incredibly high security in those, but very few places used them. Most of the iButton door locks simply used the serial number of the iButton as the key.

      The US postal service used them for a while as identifiers on tubs until optical recognition tech surpassed it.

      Wireless and optical recognition has really shot past all this.

      --
      Do not look at laser with remaining good eye.
    3. Re:iButton by Anonymous Coward · · Score: 0

      We don't have "iButtons" but every laptop I've used for the last 5-6 years in a corporate environment has had a smart card reader...
      They started popping up at least 15 years ago.

      Heck we had smart cards for our student ID's at college, that was 17 years ago.
      Some of the computers back then (the laptops, and some of our thin clients, not really desktop machines) had the card readers built into them...

      Very few computers required a card to log in when I started there...by my second year, none of them required a card to log in.... they turned that requirement off on the thin clients that had it...

      Clearly hardware isn't what's holding us back.

    4. Re:iButton by Anonymous Coward · · Score: 0

      Golf courses typically use these for range balls. I haven't seen them anywhere else.

  23. Who's waiting for it??? by Anonymous Coward · · Score: 0

    I'd like to know who is waiting for it. I certainly am not waiting for passwords to be killed. I only use passwords and never use two-step or more BS. Why? Companies seem to always want shit like my phone number. Well, google, you can F--k off, I'm not giving you my phone number. I'll just make awesome passwords, use different passwords for different websites and never link accounts and devices.

  24. Re:Not embeddable devices, smartphones (or watches by gweilo8888 · · Score: 1

    I think you're quite a bit too optimistic about the future with respect to the watch taking over from the phone. Even without doing 99% of what the phone does, the watch's battery life varies from modest (typical Android Wear now) to downright miserable (Apple Watch and, in the early days, Moto 360).

    However, as a password killer my watch is already there. My phone is locked when it's more than about 15 feet from my Moto 360 smartwatch (and therefore, from me). I can still get into my phone easily, but others can't -- and dozens of times a day the watch stops me having to take the second or two to unlock the phone. And while it'd be awesome if the watch could be paired to my tablet at the same time and do the same thing for it (it can't), my tablet senses the presence of my phone and unlocks when it's around too, which is almost as good (if not quite as secure).

    As for the PC, my laptop has a fingerprint scanner that gets me into Windows in a fraction of a second with no fuss. It can also log me into websites using Internet Exploder, but sadly not with Chrome, so we have some work to go still. Solve that nut, though, and passwords will be a thing of the past for me about 95% of the time.

  25. Re:Not embeddable devices, smartphones (or watches by Anne+Thwacks · · Score: 1

    My laptop has a fingerprint scanner, but I have stopped using it because it's faster to type the password in! - 8 characters, mixed case, with numerics. Because I type a lot, and scan my fingers rarely.

    Might be OK on a touch phone, where typing is a painful process. Mine doesn't have a fingerprint scanner, and AFAIK, none of the ones with removable batteries and SD cards do, so it is not an issue I am likely to encounter.

    --
    Sent from my ASR33 using ASCII
  26. There's nothing wrong with... by mark-t · · Score: 2

    ... tying something you physically possess to identification, but it should never be used standalone. A password, pass-phrase, or even a pin should still be required, because anything else can always potentially be taken from you, or worse yet... compromised. The additional factor of having some physical device that can further confirm your identity gives an added layer of security over the password by itself that can still be beneficial, but it should never be trusted to the exclusion of a password.

    1. Re:There's nothing wrong with... by Anonymous Coward · · Score: 0

      there's nothing wrong with the traditional password, either. it's a user's choice of a bad one, or the "other end's" poor protection and security of that chosen password, that's the problem

  27. Re:Watch actually does have code if you want it by MobileTatsu-NJG · · Score: 1

    Since I'm unfamiliar with the watch I'd like to know why this comment is -1. Even my iPod Nano that I wore as a watch had enough icons on the screen to prove pass codes are at least feasible with the form factor.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  28. Copyright analogy by mwvdlee · · Score: 1

    You know how old-media companies always go on about how copying media is somehow "theft", even though we all know it's not?
    Well, the problem with digital authentication keys is similar; it can get copied without you losing anything.
    Attaching authentication to a physical item that actually CAN get stolen changes the game dramatically.
    It's a single point of failure that will give a false sense of security.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re:Copyright analogy by Anonymous Coward · · Score: 0

      it's called a key...

      it grants authentication into my house or my car. yes physical devices can get lost or stolen, but an electronic doohickey can be changed more easily than changing the locks in your house or car.

  29. proximity based a. does not work either by Anonymous Coward · · Score: 0

    if it is simple enough for a device to recognize you it can be faked. The device has to use radio waves and this makes it more vulnerable, as has been proven a few times already by e.g. stealing a car that had that feature on from the parking lot while the owner was sitting in a restaurant.

  30. my password by Skapare · · Score: 1

    ... was just used to login to /.

    --
    now we need to go OSS in diesel cars
  31. Easy ... use watch+gestures for authentication by CptJeanLuc · · Score: 1

    Would be fun to observe people waving their hands in complex patterns detected by a built-in watch motion sensor to unlock things. The watch could even play a little tune to help synchronize arm movement to a beat. It would be easy to steal people's passwords though, if you got a good sense of rhythm and dance. Ok, this was meant as a bit of a joke. But the fun thing is we would probably get used to it, just like we got used to people talking to themselves on the street.

    On a somewhat more serious note, authentication should in theory not be too hard. People could have e.g. electronic watches, which could be authenticated by some secure means - e.g. a fingerprint scanner on the back side plus enter a code in some way. Or it could be coupled with a mobile phone so that you use your cell phone to authenticate with the watch. The wristbands could have some type of wiring and/or sensors which informs the watch it is still on the wrist (plus pulse sensors to detect owner is alive and defend against the good old movie plot chop-off-the-arm attack), so no need to re-authenticate as long as the watch is not physically removed. The watch or some other gadget could be used to authenticate with other things.

    The main problem I would see is some decent secure open standards for authenticating with "things". There will probably be a bunch of walled gardens which force you to choose between various closed ecosystems.

    1. Re:Easy ... use watch+gestures for authentication by Dragonslicer · · Score: 1

      Would be fun to observe people waving their hands in complex patterns detected by a built-in watch motion sensor to unlock things.

      Wow, I think you just implemented wizard spells with a somatic component. Add in voice recognition and the need to have your phone with you, and you've got verbal and material components too.

    2. Re:Easy ... use watch+gestures for authentication by CptJeanLuc · · Score: 1

      Haha ... as a former RPG player, this gave me a good laugh. *Slow clap*

  32. IoT by buckfeta2014 · · Score: 1

    Fuck you and your pointless buzzword.

    --
    Buck Feta. You know what to do.
  33. Again, a security joke by rtkluttz · · Score: 1

    It will be a cold day in hell when I use a cloud based authentication scheme to access my own shit. I'm not going to use a system where I have to ask someone else permission to use my shit. Anyone that does is eventually going to get what they deserve.

    --
    Digital is, by definition, imperfect. Analog is the way to go.
  34. Not a good thing.... by Lumpy · · Score: 1

    "Well, as anyone who's ever unlocked car door just by reaching for its handle with a key in their pocket knows, the answer may be the embeddable devices themselves."

    BMW cars without this are secure and not easily stolen. BMW cars with "comfort access" are easily stolen.
    Same with GM, Toyota, etc...

    Nope, I am not trading security for convenience.

    --
    Do not look at laser with remaining good eye.
    1. Re:Not a good thing.... by tom229 · · Score: 1

      I'm not sure about this claim. Whether it's a traditional key or a proximity key it still falls in the "something you have" category of security. And while I admit I don't know exactly how the proximity keys work I do know that if they use an RSA handshake then they're certainly more secure than a laser-cut key.

      --
      If it ain't broke, don't fix it.
    2. Re:Not a good thing.... by Anonymous Coward · · Score: 0

      I am sure about the claim, please feel free to google the security problems of the proximity key system and how it's the #1 way to steal cars. Thieves are using range extenders to get cars to authenticate to the fob so they can get in and drive away. The car will stay running after it's started.

    3. Re:Not a good thing.... by Lumpy · · Score: 1

      http://www.networkworld.com/ar...

      You are not cracking the rolling code in the physical key chip on a car easily or for $17.00

      Before you are unsure on claims, you should read up on the subject with google.

      --
      Do not look at laser with remaining good eye.
    4. Re:Not a good thing.... by tom229 · · Score: 1

      some sophisticated thieves have laptops equipped with a radio transmitter and use brute force attacks to find the correct and unique code of a car's key fob.

      Thanks for the info. This definitely seems like poor design rather than a broken concept though. I'd like to see them brute force a 2048 bit RSA key. Wireless authentication protocols have the ability to be just as secure as anything else.

      --
      If it ain't broke, don't fix it.
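
A simulation of the relay attack described in the earlier "smart cars" reply (two antennas forwarding signals between the owner's pocket and the car) and argued over in the exchange just above about RSA handshakes and brute force, as an added example in Go. It is not code from any car, fob or the original posts; the secret, the serial number and the "sniffed" challenge are constructed values. It also covers the iButton comment's point about locks that use a bare serial number. Four outcomes are produced: a lock that checks a fixed serial accepts a copy; a lock with a random challenge and HMAC response rejects a recorded answer, so replay and brute force are not the problem; the same handshake passes straight through a relay that knows no secret, because it verifies possession of a key, not distance; and a fob that only answers while its button is pressed defeats the relay, which is the fix the earlier reply suggests.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token is anything the lock can talk to over the radio: the real fob, or
// something an attacker puts in its place.
type Token interface {
	Respond(challenge []byte) []byte
}

// Fob holds the shared secret. With NeedsButton set it answers only while the
// owner is actually pressing the button.
type Fob struct {
	Secret      []byte
	NeedsButton bool
	Pressed     bool
}

func (f *Fob) Respond(challenge []byte) []byte {
	if f.NeedsButton && !f.Pressed {
		return nil // nothing leaves the owner's pocket
	}
	mac := hmac.New(sha256.New, f.Secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// SerialLock is the weak design: the token's fixed serial number is the key,
// so whoever has read it once can present it forever.
type SerialLock struct{ Serial []byte }

func (l SerialLock) Unlock(t Token) bool { return bytes.Equal(t.Respond(nil), l.Serial) }

// ChallengeLock sends a fresh random challenge each time and accepts only a
// correct MAC over it. Recordings of earlier sessions are useless against it.
type ChallengeLock struct{ Secret []byte }

func (l ChallengeLock) Unlock(t Token) bool {
	challenge := make([]byte, 16)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	resp := t.Respond(challenge)
	if resp == nil {
		return false
	}
	mac := hmac.New(sha256.New, l.Secret)
	mac.Write(challenge)
	return hmac.Equal(resp, mac.Sum(nil))
}

// Replayer is an attacker holding one recorded answer (or a copied serial).
type Replayer struct{ Recorded []byte }

func (r Replayer) Respond([]byte) []byte { return r.Recorded }

// Relay is the two-antenna attack: one end next to the car, the other next to
// the owner. It knows no secret and never needs one; it only moves bytes, so a
// mathematically perfect handshake passes through it untouched.
type Relay struct{ Far Token }

func (r Relay) Respond(challenge []byte) []byte { return r.Far.Respond(challenge) }

// Results collects the four outcomes the comments argue about.
type Results struct {
	SerialReplayed    bool // copied serial presented again: accepted (bad)
	ChallengeReplayed bool // recorded MAC against a fresh challenge: rejected (good)
	ChallengeRelayed  bool // live relay through the attacker's antennas: accepted (bad)
	ButtonRelayed     bool // relay against a fob that waits for a press: rejected (good)
}

func RunScenarios() Results {
	secret := []byte("constructed secret for the example, not a real key")
	serial := []byte{0x01, 0x5a, 0xc3, 0x2e, 0x10, 0x00, 0x00, 0xa7} // constructed
	fob := &Fob{Secret: secret}
	old := fob.Respond([]byte("a challenge the attacker sniffed yesterday")) // constructed
	return Results{
		SerialReplayed:    SerialLock{serial}.Unlock(Replayer{serial}),
		ChallengeReplayed: ChallengeLock{secret}.Unlock(Replayer{old}),
		ChallengeRelayed:  ChallengeLock{secret}.Unlock(Relay{Far: fob}),
		ButtonRelayed:     ChallengeLock{secret}.Unlock(Relay{Far: &Fob{Secret: secret, NeedsButton: true}}),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

The handshake could be swapped for a 2048-bit RSA signature without changing the third outcome: the relay never touches the cryptography, it only shortens the distance the radio thinks it is measuring.
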
  35. a bit early aren't we? by Anonymous Coward · · Score: 0

    calling the trend is a bit much. That's like some having a cold and the next day we're sending someone through the town square yelling "Bring out your dead".

  36. Security by JasterBobaMereel · · Score: 1

    Two-factor security: Something you know, Something you have, Something you are - Pick two

    Something you know : Password
    Something you have : Device, RFID etc
    Something you are : Biometrics

    using only one is a bad idea

    Also known as Something you forget, something you lose, something you cease to be ....

    --
    Puteulanus fenestra mortis
  37. Re:Not embeddable devices, smartphones (or watches by tom229 · · Score: 1

    Actually, I think over the next few years for many of us our phones will migrate onto our wrists

    And this is the problem with the culture at Google these days. Ever since all employees started using MacBooks and they only hired 20-somethings with thick-frame glasses and "nerd" t-shirts they've been on a steady decline into the toilet. This geek tech culture is a serious blight. You people are ruining a once magnificent company. Oh ya... And get off my lawn.

    --
    If it ain't broke, don't fix it.
  38. So much FAIL! by ramriot · · Score: 1

    There is so much wrong with this article it's not even funny. I don't blame the writer, he's just trying to tie a nice neat bow on a badly wrapped pig.

    I had to laugh though when he twice gives the example of proximity unlock on cars as IOT security. These are the same devices that only guarantee proximity security by using signal strength and thus are easily defeated by a $17 signal booster available on eBay, which has been in the news as the cause of many thefts of the contents of vehicles.

    But seriously, the core issue here is authentication and concentration of secrets, and no matter how many extra factors you have this will not change, because each new factor requires the service to store another secret to be stolen or live-phished from you.

    As I see it the only long term solution is a better single factor and one that puts the handling of secrets as close to the user as possible and contained in something that is hardened or prevented from running malware. Then have that device use a site specific asymmetric key pair to offer a zero knowledge proof of authentication to the service. In that way the services hold no authentication secrets and what they do hold cannot even be used by an attacker to infer linkage between services.

    Unfortunately right now there is nothing in production and widely available that can do this; not even the much-vaunted FIDO and U2F will accomplish this, as their choices have rendered those protocols only usable as a second factor. There is one single-factor protocol that is presently 18 months into its research and development that I think will satisfy all the requirements of what the article writer needs, that being SQRL from the Gibson Research Corporation, which also has additional features that even allow complete recovery from a loss of control over its core secret.
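
The per-site asymmetric-key scheme ramriot describes (one master secret, a site-specific key pair per service, the service storing only a public key, no linkage between services), as an added example in Go. It is not SQRL's code or GRC's; it is a sketch in the same spirit, and the domain names, the master secret and the way the signed message is bound to the domain are assumptions. Deriving the Ed25519 seed as HMAC-SHA256(master, domain) makes the keys for different domains unrelated; the client proves it holds the private key by signing a fresh server nonce; and a dump of the service's database yields nothing that impersonates the user there or anywhere else. (Signing a nonce is a proof of possession rather than a zero-knowledge proof in the strict sense, but it has the property the comment is after: the verifier holds no secret.)

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SiteKey derives a per-site Ed25519 key pair from one master secret held only
// on the user's device. HMAC over the site's domain makes the keys for two sites
// unrelated, so comparing their stored public keys reveals no linkage.
func SiteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32 bytes, exactly ed25519.SeedSize
	return priv.Public().(ed25519.PublicKey), priv
}

// Service stores public keys only. A dump of this map lets an attacker verify
// signatures, not produce them, and not find the same user at another service.
type Service struct {
	Domain string
	users  map[string]bool // hex public key -> enrolled
}

func NewService(domain string) *Service {
	return &Service{Domain: domain, users: map[string]bool{}}
}

// message binds the nonce to this service's domain (assumed format) so a
// signature produced for one site cannot be forwarded to another.
func (s *Service) message(nonce []byte) []byte {
	return append([]byte(s.Domain+"\x00"), nonce...)
}

// Challenge issues a fresh 32-byte nonce; a recorded signature never verifies again.
func (s *Service) Challenge() []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	return nonce
}

func (s *Service) Enroll(pub ed25519.PublicKey) { s.users[hex.EncodeToString(pub)] = true }

// Verify checks that the presented key is enrolled here and that the signature
// covers this domain and this nonce.
func (s *Service) Verify(pub ed25519.PublicKey, nonce, sig []byte) bool {
	if !s.users[hex.EncodeToString(pub)] {
		return false
	}
	return ed25519.Verify(pub, s.message(nonce), sig)
}

// Register is the client's first visit: derive the site key and hand over only
// its public half.
func Register(master []byte, s *Service) {
	pub, _ := SiteKey(master, s.Domain)
	s.Enroll(pub)
}

// Login is a later visit: re-derive the same key, sign the challenge, present it.
// The master secret never leaves the device and the service never sees a private key.
func Login(master []byte, s *Service) bool {
	pub, priv := SiteKey(master, s.Domain)
	nonce := s.Challenge()
	sig := ed25519.Sign(priv, s.message(nonce))
	return s.Verify(pub, nonce, sig)
}

func main() {
	master := []byte("constructed master secret for the example") // not a real key
	forum, bank := NewService("slashdot.org"), NewService("bank.example")
	Register(master, forum)
	Register(master, bank)
	pubF, _ := SiteKey(master, forum.Domain)
	pubB, _ := SiteKey(master, bank.Domain)
	fmt.Println("same user, unlinkable keys:", !pubF.Equal(pubB))
	fmt.Println("login at forum:", Login(master, forum))
	fmt.Println("login with a different master:", Login([]byte("someone else"), forum))
}
```

Because the derivation is deterministic, the device needs to back up one master secret rather than a credential per site, which is the loss-recovery property the earlier swillden post wants; the trade-off is that the master secret becomes the one thing that must never leak, hence the comment's insistence on hardened hardware for it.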

  39. Hmm by Anonymous Coward · · Score: 0

    How about NO.

  40. MOD PARENT UP by Anonymous Coward · · Score: 0

    Came here to say the same thing. THIS is the correct answer, not some shitty article.

  42. Embeddable devices are fine ... by NoSalt · · Score: 0
    Until the person who wants your password, access to your house/car, etc. cuts the embeddable device out of you to use it.

  43. Re:Not embeddable devices, smartphones (or watches by gweilo8888 · · Score: 1

    You should probably invest in a better laptop, then. I type extremely fast -- the only person I know who types faster than me is my wife -- and good thing too, because my entire career is based around my creating and typing my own content.

    My laptop password is 11 characters and takes me somewhere between three-quarters of a second and a full second to type, from the moment my fingers reach the keyboard after having clicked in the password field. My fingerprint scanner takes somewhere between 0.25 and 0.5 seconds to swipe, and doesn't require me to select a field first -- I just swipe straight away once the login screen appears. And only very seldom do I need to swipe a second time.

    The result is that I'm into my laptop somewhere around a second or more quicker, and without increasing my chances of carpal tunnel unnecessarily, no matter how slightly. (On any given day I likely log in several dozen times, because my laptop locks itself regularly after a short, secure delay.)

  44. Re:Not embeddable devices, smartphones (or watches by cornjones · · Score: 1

    Gah, I am so disappointed in Slashdot. Comments like the parent are why I come here. Somebody who spends their time thinking about an interesting problem and is willing to share some of that background. Instead of discussion we get people complaining about ... anything.

    Anyway, thanks for the post. I like the way you are thinking and I love the idea of 'as secure as necessary'. I can see a future where my phone decides when it is still with me based on the myriad of data it collects (and helpfully shares) and unlocks my house as I get near (unless I mumble a 'kidnapped' signal in which case it should drop the machine guns and kill the bad guys trying to force their way in with me... B)

    tbh, the steps to get there don't seem that far off either. I spent a bit of time trying to think of 'real' road blocks, but I was able to dismiss most of them outside of the time and money it would take to replace everything w/ an integrated version.

    That of course assumes somebody wins a standards war and is able to push through a standard protocol for the authorization levels which the various apps and IoT vendors support. Which also needs somebody to solve the patching problem on these IoT devices (which will hopefully allow us to move toward a solution to the security problem). Gah, I was getting optimistic for a second there...

    Kidding aside, I would like to explore this more. Any podcasts/blogs you recommend in this space?