Stanford Starts the 'Secure Internet of Things Project'
An anonymous reader writes: The internet-of-things is here to stay. Lots of people now have smart lights, smart thermostats, smart appliances, smart fire detectors, and other internet-connected gadgets installed in their houses. The security of those devices has been an obvious and predictable problem since day one. Manufacturers can't be bothered to provide updates to $500 smartphones more than a couple years after they're released; how long do you think they'll be worried about security updates for a $50 thermostat? Security researchers have been vocal about this, and they've found lots of vulnerabilities and exploits before hackers have had a chance to. But the manufacturers have responded in the wrong way.
Instead of developing a more robust approach to device security, they've simply thrown encryption at everything. This makes it temporarily harder for malicious hackers to have their way with the devices, but also shuts out consumers and white-hat researchers from knowing what the devices are doing. Stanford, Berkeley, and the University of Michigan have now started the Secure Internet of Things Project, which aims to promote security and transparency for IoT devices. They hope to unite regulators, researchers, and manufacturers to ensure nascent internet-connected tech is developed in a way that respects customer privacy and choice.
The internet-of-things is here to stay.
To the contrary, in my experience most things that have a catchy name before they are implemented go nowhere. Multicasting, Named Data Networking, Internet of Things, OLP, Web Ontology, Neural Networks, etc. The project is more focused on sounding trendy than on finding reasons why things want to access the internet (presumably so that your toaster can watch YouTube videos while you are away?).
Successful projects usually start from the other end. People first create a small iteration of the thing that proves the concept, it starts to catch up (fancy name might be created here but this is entirely optional) and one day you turn around and it's taken over the world.
...from my experience with embedded engineers, the past cluster-f*cks implemented by that category of engineer (think SCADA), and the more-of-the-same coming down the pike (think "we'll just invent our own security rather than using proven solutions"), it's doomed from the start. These are guys that optimize down to the last 1/8 of a bit of RAM, the last 10Hz of processing speed, the last milliwatt of power. Given that mindset, they don't have a clue that security is a top line concern for anything that communicates with the outside world. The necessary solutions are just way outside their sense of scale.
There is also this intrinsic mistrust of anybody else's code, which is polar opposite to the instincts required to do proper security. Of course, if you see the crap code they get force-fed from the chip vendors, and anything else that has to run in 16K of code space, it's not hard to see where the bunker mentality comes from.
But I've peeked into that world, and I don't see it changing. That's going to be a Very Bad Thing(tm).
The safest strategy for connecting everything in your home to the internet is....don't.
Why the fuck do you need to connect your front door lock, your coffeemaker, and your refrigerator to the internet?
Forget to lock your door? GO BACK AND LOCK IT. People have been doing it for 1000 years and the world continues to spin.
Don't want to get up in the morning to turn on your coffeemaker? Either a) get up and stop being a pussy or b) get one of the umpteen programmable ones, or c) just plug your damn coffeemaker into a Christmas-light timer set to power up before you wake up.
Want your refrigerator to tell you when you're almost out of milk or better still, to automagically order restocks of food? LOOK INSIDE IT. Decide what you need to buy. THEN GO TO THE STORE. You'll meet actual humans there, and interact with them. I suspect there's more actual human value to that than to the supposed minutes you'll save (so you can what, play more video games? Do some more work emails?) not doing those things.
-Styopa