Why IoT Security Is So Critical

An anonymous reader writes: Software engineer Ben Dickson starts off an opinion piece about Internet of Things security with this amusing comment: "Twenty years ago, if you told me my phone could be used to steal the password to my email account or to take a copy of my fingerprint data, I would've laughed at you and said you watch too much James Bond. But today, if you tell me that hackers with malicious intents can use my toaster to break into my Facebook account, I will panic and quickly pull the plug from the evil appliance." Dickson then lays out many of the issues with securing internet-connected devices, and explains the work being done to make them more secure. He highlights areas that manufacturers must focus on: "In contrast to human-controlled devices, they go through a one-time authentication process, which can make them perfect sources of infiltration into company networks. Therefore, more security needs to be implemented on these gateways to improve the overall security of the system. ... There also must be a sound plan for installing security updates on IoT devices. Each consumer will likely soon own scores — if not hundreds — of connected devices. The idea of manually installing updates on so many devices is definitely out of the question, but having them automatically pushed by manufacturers also can be a risky business."

Why "IoT" security is so critical

is because morons won't stop adding devices to the "IoT" instead of leaving them dumb like they should be. FFS this is a problem created by a trend with no benefits in the first place.

Re:Why "IoT" security is so critical

Butbutbut I need to turn on the toaster from the bedroom so the toast is ready when I arrive in the kitchen!

Re:Why "IoT" security is so critical

[Z00L00K]

Well, there's no need for a toaster to be able to do internet, but look at other things that actually can benefit from it - like ventilation systems and you have a completely different case. Thermostats that can detect not only presence of people but also power consumption in a room and predict the ventilation level needed.

Personally I would set up a separate network for my devices that controls my home. But it would still be good from the security point of view if the devices themselves have protections built in against abuse.

I can also think of devices like the fridge or freezer to be able to talk to the internet to be more cost efficient - cool extra during cheap hours and cool less when electricity is more expensive.

Re:Why "IoT" security is so critical

[TheRaven64]

Unless the toaster can also cut the bread and insert it, then there isn't much value in being able to turn it on remotely. There are lots of reasons where it might be nice to have some connectivity though:

• If the toaster can detecting when I've finished showering, I can program it so that my toast will pop up when I've showed and dressed.
• If my doorbell or telephone rings, then it can pause and resume later, so the toast hasn't had time to cool down before I get to it.

  Communication in the other direction would let it notify me in whatever room I'm in when the toast is ready.

• It could communicate with the fridge that I was likely to get butter out soon, which would mean that I'd be likely to open the door soon. This would let the fridge postpone running the compressor until afterwards (no point chilling air that's just about to be removed from the fridge).

These are just the ones that come to mind immediately. I'm sure there are other applications.

Re:Why "IoT" security is so critical

I do Internet of Things = Idiot.
Wider Area Network of Things = WANT

I've just filed my first patent for nano fleas which swarm around me filming me from every direction so I don't even need a selfie stick. They have the added bonus of helping me sniff my own farts and helping me give ratings based on my vegan/paleo diet (depending which side of the fence I swing). Based on the smell of my farts they also find me suitable grinder dates in my vicinity.

But I'm a new age hipster spiritualist so I'm AC because my whole social media persona revolves around the concept I don't need things at all, unless they glorify my vanity and make me feel smug.

Re:Why "IoT" security is so critical

If the toaster can detecting when I've finished showering, I can program it so that my toast will pop up when I've showed and dressed.

How does the toaster know it's you in the shower and not someone else ?

If my doorbell or telephone rings, then it can pause and resume later, so the toast hasn't had time to cool down before I get to it.

Sound like a potential DOT attack to me (Denial of Toast)

Communication in the other direction would let it notify me in whatever room I'm in when the toast is ready.

Beeping would do the same thing, or gosh even the popping up the toast on most toasters is noisy enough already.

It could communicate with the fridge that I was likely to get butter out soon, which would mean that I'd be likely to open the door soon. This would let the fridge postpone running the compressor until afterwards (no point chilling air that's just about to be removed from the fridge).

You already got the bread out of the fridge to put into the toaster, a sane person would already have taken the butter at that point so it can soften a little. This is silly talk.

Re:Why "IoT" security is so critical

You already got the bread out of the fridge to put into the toaster, a sane person would already have taken the butter at that point so it can soften a little. This is silly talk.

Sane people don't put bread in the fridge.

Re:Why "IoT" security is so critical

[Enter+the+Shoggoth]

Obligatory Talkie Toaster

Re:Why "IoT" security is so critical

There is nothing sane about this entire thread

Flying toasters should be enough for everyone

Re:Why "IoT" security is so critical

All the things you mention could be done with a home network without the internet. The hacking games with an internet connected network are scary. Turn the toaster or stove on to create a fire hazard. Turn the refrigerator off to create unsafe food storage. And last but not least give companies or the government fine grain surveillance of peoples personal lives.

Re:Why "IoT" security is so critical

[Viol8]

"ike ventilation systems and you have a completely different case. Thermostats that can detect not only presence of people but also power consumption in a room and predict the ventilation level needed."

And the thermostats need to be online because....?

"I can also think of devices like the fridge or freezer to be able to talk to the internet to be more cost efficient - cool extra during cheap hours and cool less when electricity is more expensive."

Wtf? Perishable food needs to be kept cool regardless of the price of the electricity unless you want to risk food poisoning to save a few pennies.

There is absolutely NO reason for ANY kitchen appliances to be online or have any kind of network presense whatsoever unless you such a bone idle sack of fat that you can't even be bothered to open a fridge door to check whats inside but would sooner do it via an app.

Re:Why "IoT" security is so critical

[Viol8]

"Sane people don't put bread in the fridge."

Err, they do if they want their bread to keep longer than a few days before going stale.

Re:Why "IoT" security is so critical

"Sane people don't put bread in the fridge."

Err, they do if they want their bread to keep longer than a few days before going stale.

Chilling bread doesn't stop it going stale. It does stop it going mouldy (or rather it slows it down), but it doesn't stop it going stale.

Re:Why "IoT" security is so critical

[angel'o'sphere]

For most kinds of bread and most climates the bread kept outside of the fridge lasts longer and tastes better.
However: no idea where you live ;)

Re:Why "IoT" security is so critical

Bread kept in the freezer lasts longer still. It doesn't taste as good as when fresh, but if you're toasting it, that's moot, anyway.

Re:Why "IoT" security is so critical

Cows eat bread. Moooooooo!

Re:Why "IoT" security is so critical

Use systemd man, no need for that fancy IoT bs.

Re:Why "IoT" security is so critical

[Aqualung812]

And the thermostats need to be online because....?

Because some power companies currently and more will soon give you a price break for cutting usage during a surge in demand. Sometimes this can be predicted, sometimes it can't. Hence the need for real-time comms.

Wtf? Perishable food needs to be kept cool regardless of the price of the electricity unless you want to risk food poisoning to save a few pennies.

For a refrigerator, you're likely right. Think about a freezer, though. Maybe you're set to -10C most of the time. However, you're going to be gone all day and your usage patterns don't show you opening the freezer in the morning, maybe it is better to cool everything to -25C overnight, and then NOT run the compressor until you get above -10C again. During the evening, though, DON'T chill it to -25C, because you're just going to open the door again and let out all the cold.

There is absolutely NO reason for ANY kitchen appliances to be online or have any kind of network presense whatsoever unless you such a bone idle sack of fat that you can't even be bothered to open a fridge door to check whats inside but would sooner do it via an app.

Opening the door is what creates energy usage. Having an app to keep inventory can drastically reduce usage as you stand there like a bone idle sack of fat and stare at your inventory, letting all the cool air out that your device will use electricity to replace.

Re:Why "IoT" security is so critical

[gbjbaanb]

Fridges work by being a closed air-con unit, as part of that process they draw moisture out of the air. Bread, placed in a fridge therefore goes stale quicker.

To keep bread, either freeze it (and let it slowly defrost at air temperature to get it back to best condition) or put it in a closed container like a bread bin. Or buy bread so laced with chemicals that there's hardly any flour used in its production.

Re:Why "IoT" security is so critical

[Errol+backfiring]

Well, one of the reasons that these devices are connected is to harvest data. That is why they are open to the net in the first place, and that is the major security problem. If such a device only accepts traffic from the local network with decent encryption, it creates too little data to even get noticed. But if it blabs to the outside world all the time, it is literally begging to be used as an infiltration vector.

Re:Why "IoT" security is so critical

[Viol8]

"Because some power companies currently and more will soon give you a price break for cutting usage during a surge in demand. Sometimes this can be predicted, sometimes it can't. Hence the need for real-time comms."

Oh please. I warm my house to be the temp I want it to be. I'm not going to shiver to save a teeny tiny amount of cash. If you're that skint then you won't be able to afford all this tech anyway - wear a jumper.

"Opening the door is what creates energy usage. Having an app to keep inventory can drastically reduce usage as you stand there like a bone idle sack of fat and stare at your inventory, letting all the cool air out that your device will use electricity to replace."

Heres a novel idea - use that thing in your head called a "memory" and use it to remember whats there when you go to the fridge to get something out. And it takes little to cool air - its the solids and liquids that use up the power. However replacing a fridge thats been hacked and broken by some sociopath costs a damn site more.

Re:Why "IoT" security is so critical

[Aqualung812]

Here's a novel idea: Don't plug this shit in if you don't want to use it.

For those without photographic memory, or those that don't mind putting on a jacket to save some money, let us have these devices to save money and help the planet, and let's work on making them safer.

Re:Why "IoT" security is so critical

"Sane people don't put bread in the fridge."

Err, they do if they want their bread to keep longer than a few days before going stale.

Or they live in an area in which cockroaches make an appearance so regular fumigation of the building is necessary. When I lived in Texas the only things kept in my kitchen cupboards besides pots and pans and cutlery was canned goods. Everything else edible was stored in the refrigerator or freezer.

Re:Why "IoT" security is so critical

[Jawnn]

Your point are all valid, but only one requires an Internet connection, and even then, it could and should be kept from accessing anything but the host/IP required to do it's simple job. Jeezus H Christ, have we fallen so far that "application" now means something you get from the cloud and run on your phone?

Re:Why "IoT" security is so critical

I'm 35 for at least 5 years I've done well to remember most times why I opened the refrigerator in the first place, much less the entire contents from the last time I opened the door. Even worse, I've got 4 other humans in my house that can and do remove items from the fridge.

Re:Why "IoT" security is so critical

[kilfarsnar]

Unless the toaster can also cut the bread and insert it, then there isn't much value in being able to turn it on remotely. There are lots of reasons where it might be nice to have some connectivity though:

• If the toaster can detecting when I've finished showering, I can program it so that my toast will pop up when I've showed and dressed.
• If my doorbell or telephone rings, then it can pause and resume later, so the toast hasn't had time to cool down before I get to it.

  Communication in the other direction would let it notify me in whatever room I'm in when the toast is ready.

• It could communicate with the fridge that I was likely to get butter out soon, which would mean that I'd be likely to open the door soon. This would let the fridge postpone running the compressor until afterwards (no point chilling air that's just about to be removed from the fridge).

These are just the ones that come to mind immediately. I'm sure there are other applications.

I know you're going with the example provided, but this is ridiculous. Are we bringing in high technology and introducing a much lager attack surface just so people don't have to wait for their toast?

Re:Why "IoT" security is so critical

[Viol8]

"Don't plug this shit in if you don't want to use it."

And what happens if it gets to the point where I don't have a bloody choice because the fridge refuses to work unless its downloaded some new firmware or whatever?

"et us have these devices to save money and help the planet"

Help the planet? You having a laugh? You might want to check out the mess the mining the precious metals for all our playtoy devices causes and then the pollution from their refining and the manufacture of the device itself plus transportation.

This is nothing but tech for its own sake keeping the Oooh shiny! crowd happy.

Re:Why "IoT" security is so critical

But you can do that, while still having a pretty-damn-dumb toaster. The toaster should be just another I/O device, not a whole other host.

Re:Why "IoT" security is so critical

[laie_techie]

All the things you mention could be done with a home network without the internet. The hacking games with an internet connected network are scary. Turn the toaster or stove on to create a fire hazard. Turn the refrigerator off to create unsafe food storage. And last but not least give companies or the government fine grain surveillance of peoples personal lives.

Isn't that the first principle of any security design? Limit exposure to the outside as much as possible. Your database should not be directly accessible from the internet (indeed, firewall rules should only allow access from the machines which need it). You probably don't need to access your toaster from outside your LAN. It makes sense for your fridge to have a limited interface to the outside world - VPN for you to query if you are running low on eggs, or PUSH technology to inform you the milk is about to expire; I don't like the idea of the fridge performing purchases without human interaction (eg. why should the fridge know my payment information?). Come to think of it, there should probably be a single interface to the outside world (which could have hardened security).

Re:Why "IoT" security is so critical

My coworker's kid left a sandwich in a schoolbag in a closet in June and didn't discover it again until school resumed in September. What concerned her was that the bread was not mouldy. She won't buy Wonder anything any more.

Re:Why "IoT" security is so critical

[Dutch+Gun]

And the thermostats need to be online because....?

Because otherwise they'd have to sell you the devices rather than renting them to you.

Re:Why "IoT" security is so critical

Unless the toaster can also cut the bread and insert it, then there isn't much value in being able to turn it on remotely. There are lots of reasons where it might be nice to have some connectivity though:
  If the toaster can detecting when I've finished showering, I can program it so that my toast will pop up when I've showed and dressed.
If my doorbell or telephone rings, then it can pause and resume later, so the toast hasn't had time to cool down before I

On behalf of all humanity, please kill yourself. Seriously, just kill yourself.

Re:Why "IoT" security is so critical

Communication in the other direction would let it notify me in whatever room I'm in when the toast is ready.

This is the most pathetic, self-absorbed thing I've ever heard. Is your "life" SO complex and busy that you need remote notification when your fucking toast is done??

Re:Why "IoT" security is so critical

[NostalgiaForInfinity]

There is absolutely NO reason for ANY kitchen appliances to be online or have any kind of network presense

There are plenty of reasons, such as monitoring the temperature in your refrigerator to make sure things haven't gotten too warm, keeping track of inventory and expiration dates, starting dinner a few hours before getting home, monitoring the health and maintenance status of appliances.

unless you such a bone idle sack of fat that you can't even be bothered to open a fridge door to check whats inside but would sooner do it via an app.

if you're a single male living in a single household from whom cooking consists of sticking a TV dinner into the microwave, that's the view you would take. But guess what: your life isn't the measure of all things in the world.

As for IoT kitchen devices, an unsecured toaster on your network just shouldn't be a security problem, not because of the toaster itself, but because networks should be set up so that a compromised node doesn't compromise the entire network.

Re:Why "IoT" security is so critical

I have a stand-alone timer on my water heater. It uses night-time rates to heat up and shuts off during the day. The water stays hot all day, especially when nobody's home. I could see connecting it if electricity prices were to start fluctuating during the daytime.

Re:Why "IoT" security is so critical

[Idisagree]

Please tech journalists - stop trying to make the idiot of things (IoT) happen. It's not going to happen the way you want it to!

Re:Why "IoT" security is so critical

[Z00L00K]

First: Level of cooling can vary and using technique like Glauber's salt can keep the actual temperature within the stipulated range for the food for storage. As long as the freezer is closed the temperature will be pretty steady for hours, but waiting an hour to turn on the cooling won't make much difference - and if you cool extra in the morning before the price rises if you are billed by the hour then it might not need cooling until much later.

Re:Why "IoT" security is so critical

[Z00L00K]

On the thermostats being online - well, if the thermostat is in a network with one thermostat per room then it may be a good idea to network it with the radiator valves and with the air condition unit. The better you know the indoor climate the better you can manage it. One central thermostat is like tuning a watch with an axe. One room can be in shadow and need heating while another is getting sunshine and need cooling. A smart ventilation system with a sensor network will offer an opportunity to manage the airflow for best comfort in all rooms with least energy wasted.

Using IPv6 may be a smart idea to ensure interoperability and monitoring. Getting additional information from the net like weather report and energy price means that the ventilation system can become even more cost effective.

Re:Why "IoT" security is so critical

[C0dey]

Commander Adama likes this.

Re:Why "IoT" security is so critical

[JohnFen]

You can do all of these things right now without involving the internet at all.

Re:Why "IoT" security is so critical

[JohnFen]

Wha?? Putting bread in the fridge guarantees that the bread will become stale in under 10 hours. Freezing is even worse.

Re:Why "IoT" security is so critical

[JohnFen]

Well, there's no need for a toaster to be able to do internet, but look at other things that actually can benefit from it - like ventilation systems and you have a completely different case. Thermostats that can detect not only presence of people but also power consumption in a room and predict the ventilation level needed.

How are those cases different? I'm not seeing how the internet has to be involved for any of them.

Re:Why "IoT" security is so critical

[JohnFen]

There are plenty of reasons, such as monitoring the temperature in your refrigerator to make sure things haven't gotten too warm, keeping track of inventory and expiration dates, starting dinner a few hours before getting home, monitoring the health and maintenance status of appliances.

None of which require an internet connection.

Re:Why "IoT" security is so critical

[KGIII]

I used to live alone. I'm going to be returning home with someone. I can't even imagine how many times I've opened the fridge door after forgetting why I went to the kitchen in the first place. I'm pretty sure that the added person in the house isn't going to help matters much.

I'm also not sure how she's going to react to having my friends meander in and out of the house at random and at odd hours. They don't help either. I don't lock my doors (honest people are honest and criminals will just kick it in - I live in the sticks). So, it's not uncommon to find someone who isn't me in my kitchen, helping themselves to something to eat or drink - in fact, I keep things in their for them.

Re:Why "IoT" security is so critical

[KGIII]

How about a device, sort of like a firewall or a WSUS setup, that collects data from the internet and then allows only a one-way access from your devices to update, get rates (these needn't be completely real-time, say polling every ten minutes or something) for electricity, and whatnot. They could check for signatures, match hash values, and ensure that the updates were legit/signed. Using something like PNP or automated port forwarding, they could automatically configure what they need for information and where to get it. The device would allow access in - to the device itself, and then disseminate updates from there.

It's not perfect but may be close enough and it could be a pretty dumb terminal-type of appliance. I'm not sure if I'm explaining it well but, that's the best I'm going to do at the moment.

Re:Why "IoT" security is so critical

[KGIII]

When I retired, I went on a bender and did a whole ton of drugs. (I've disclosed that before. I'm okay with the world knowing.) During this time, I kind of worried about my sanity. So, I went to a head shrinker. The head shrinker was a learned lady who felt I should attend a group therapy session. Which I did. I kind of liked it. I learned about CBT and stuff. Kind of neat... I went for quite a while, it was helpful.

Anyhow, during this session I too became a learned man and what instructions were given seem accurate. The wisdom passed to me was that you can tell how generally tolerant people are by their willingness to cope with temperature fluctuations. To parse this as a typical /.er - if you can't stand some variable temperatures then you're an intolerable fuck.

As an aside; I am not crazy. See, the difference between batshit insane and eccentric is a matter of wealth. When I sold my business, I retired. I retired because I'd accumulated some wealth. Thus, it stands to reason, I'm no longer crazy - I'm just eccentric. *tada.wav* (Eventually, I left the therapy sessions, it was full of crazy people and I felt I was taking time from them.)

Re:Why "IoT" security is so critical

[NostalgiaForInfinity]

None of which require an internet connection.

Little is "required". People like Internet connections for the IoT because it's convenient and, contrary to what TFA claims, is low risk.

Re:Why "IoT" security is so critical

It's this demand for instant gratification for every personal whim that has made mobiles such a pain in the ass. A girl cut in front of me to get to the door and then slowed her pace as she opened the door because she couldn't keep her bobdamn eyes off the thing while doing something so menial as opening a door and getting on her fucking way. I wish I could slap the phone out of the hands out of every idiot I see on the sidewalk dawdling along. Even worse are the turds on bikes with headphones in and a phone in their hand. I'd love to see them wipe out. Hard.

Re:Why "IoT" security is so critical

[tehcyder]

"Sane people don't put bread in the fridge."

Err, they do if they want their bread to keep longer than a few days before going stale.

Is this a serious comment? Bread doesn't last longer than a couple of days before going stale regardless of what you do with it. Unless you are buying some weird, horrible, white chemical pudding instead of actual bread.

For toast, you can always slice some bread and keep it in the freezer. But actual bread needs to be fresh.

Re:Why "IoT" security is so critical

[tehcyder]

"Sane people don't put bread in the fridge."

Err, they do if they want their bread to keep longer than a few days before going stale.

Or they live in an area in which cockroaches make an appearance so regular fumigation of the building is necessary. When I lived in Texas the only things kept in my kitchen cupboards besides pots and pans and cutlery was canned goods. Everything else edible was stored in the refrigerator or freezer.

I think the Texas Tourist Board need to hire a new PR agency.

Re: Why "IoT" security is so critical

More likely caused by idiots that lack any imagination and just want to sit staring at their wall as drool drops down their chin. Then they're the first rabid nutter to scream when their pet rock losses Internet access.

Iot is for cows.

Mooooo!!!!!

Re:Iot is for cows.

[Z00L00K]

Well, that's already in place. Each cow have a dongle around the neck and then that is used to identify the cow so a system can keep track of how much milk that's produced, which quality it has and then the cow get the correct amount of food from it.

Re:Iot is for cows.

There was TED talk that almost convinced me that IoT would let me talk to dolphins and gorillas.

DOA

Google/phone manufacturers cant even keep android phones patched more than a few years. What makes people believe that "IoT" devices will do any better?

Re:DOA

[peragrin]

Look at smart TV's and the number of updates that they get.

Manufacturer's goals are not compatible with IoT concept. you own your TV for a decade or more between replacing it. Refrigerator's can go 20+ years easy.

Do manufacturer's really want to provide support that long? if the answer is no then it doesn't belong in the Iot category.

Re:DOA

[Z00L00K]

Built in limited lifetime of the device. "Sorry the product you have is end of life, no more updates. Buy a new one."

Re:DOA

Or don't pull in a full OS with all its security issues that needs to be patched.
There is very little reason for a toaster or refrigerator to have rewritable file storage and ability to serve complex web-pages.
If you look at devices with embedded software there are plenty of alarm systems and traffic control that doesn't need to be updated beyond the first year when it was tested.
With a single application and a minimal TCP/IP stack that provides an interface that is accessed from a home control server it is possible to write software that is safe enough. (And no, you don't have to patch it for SSL vulnerabilities, the packets between the control server and the device doesn't leave your home.)

For the things I want from IoT it doesn't even matter if they are secure or not. I have no need to control anything in my home remotely.
I just want to check if the door to the refrigerator is closed and if the oven is left on so I don't have to worry about it.
Both are visible through the kitchen window so the information is already publicly available, I just can't check it when I'm halfway to the office.

Re:DOA

Google/phone manufacturers cant even keep android phones patched more than a few years. What makes people believe that "IoT" devices will do any better?

This problem will "solved" by windows 10. Self-patching systems that the user has little control over. I just died a little inside.

Re:DOA

[AmiMoJo]

Manufacturers see the IoT as a great way to make otherwise perfectly good appliances obsolete. They would rather you didn't keep your TV for 10 years or your fridge for 20 years. Actually our last washing machine was over 30 years.

They are banking on consumers being short sighted and not realizing that the cool gimmick their new fridge has will be useless in a year or two. Brand loyalty is dead so they don't care about giving a good impression. Consumers choose by price, fashion and gimmicks so as long as they can come up with another iFridge 6+ in a couple of years they are fine. Plus the rapid evolution of phone technology has been training people to replace expensive items every couple of years.

Re:DOA

This is why manufacturer's love the idea so much. A fridge lasting 20 years is a terrible for sales.
If they can shift the perception of fridges (or toasters or whatever) into the "high tech" category then the hope is that we will then apply our existing "high tech only lasts 3-5 years" bias rather than standard "low tech like fridges lasts 20+ years" bias to more (low tech) things.
Once that's done they can start shovelling even shittier shit down our throats at inflated prices and most people will say "thank you, here's my wallet, can I have another serve please sir?" every few years when the old one breaks/gets hacked/apple brings out a new i-fridge/whatever. You know, just like we do with phones.

tl;dr: follow the money.

Re:DOA

[tehcyder]

This is why manufacturer's love the idea so much. A fridge lasting 20 years is a terrible for sales.

Our family is on its third fridge (and third washing mahince) in a little over ten years. Maybe it's different if you buy a really high quality (expensive) machine?

We tend just to get the cheapest one with a name we've heard of.

IOT

[stooo]

If morons don't do it, Chinese manufacturers will do the IOT for you

http://thehackernews.com/2013/...

Why the Internet of Things is so stupid

[mbone]

Fixed that headline for you.

Engineers with a hammer treating everything as a nail, and marketeers seeking to mine information from everyone's daily actions are evidently a very bad combination.

Re:Why the Internet of Things is so stupid

Not only that, manufacturers are totally excited to sell light bulbs for $50 instead of $1.
Don't disturb the marketplace by scaring people off LOL
Some day they might realize that the time saved to flip that light switch is by far outweighed by the time required to make sure you don't have a backdoor in your apartment.

Re:Why the Internet of Things is so stupid

[gstoddart]

Yup, just say no to this crap.

The only thing I want to be internet connected is my computers, my tablet, and only very rarely my phone.

The rest of this internet connected crap I have no interest in, because I assume the security is incompetently written, and the product is mostly geared to allow analytics and ads ... none of which I have any interest in.

An endless series of crap products which are connecting to the intertubes is just marketing hype.

Re:Why the Internet of Things is so stupid

Exactly! This IoT crap is just corporations trying to find more ways to spy on people and collect what should be private information! There will be no security and no privacy for those who buy into this sh*t! Unfortunately Joe Sixpack will only think "Oh cool! I can flush my toilet from my phone!" never thinking that his internet connected toilet is reporting how often he pees and poops, whether he had the runs, and how much toilet paper he used to some corporation!!

Think an IoT toilet is silly or stupid? You can bet it will happen!

IoT and Privacy Complaints

And yet we see people blaming more and more privacy invasions on companies like Apple in the iCloud Hack that exposed various celebrity nudes. More and more data that people add to the internet means the more private moments will be exposed to entertain the sick perverts of the world. Not to mention the IoT's could allow people to gain access to accounts via question and answer password resets. What is your favorite food? Well per your toaster you love Bagels and per your fridge you love Strawberry Cream Cheese; so your favorite food is Bagel with Strawberry Cream Cheese voila instant access to said account.

Re:IoT and Privacy Complaints

More and more data that people add to the internet means the more private moments will be exposed to entertain the sick perverts of the world.

You mean "sick perverts" who get off on known when and for how long I toast my bread in the morning? Which wash cycle I'm using? Oh, we must protect those "private moments"! Legislation to the rescue!

what a bunch of b.s.

[NostalgiaForInfinity]

There also must be a sound plan for installing security updates on IoT devices.

No, not really. If your home network security assumes that every single attached device is patched and secure, you have already lost. You should deploy your IoT devices in such a way that, even if they get compromised, the damage is limited.

Also of concern are huge repositories where IoT data is being stored, which can become attractive targets for corporate hackers and industrial spies who rely on big data to make profits.

I don't really see how "corporate hackers and industrial spies" can "make profits" by breaking into Apple and stealing data about when I turn on my toaster. "Corporate hackers and industrial spies" generally don't go after such low value data, they go after credit card numbers and corporate secrets.

What is evident is that the IoT will become an important part of our lives very soon, and its security is one of the major issues that must be addressed via active participation by the entire global tech community.

No, it really doesn't need to be. Unless you have specific and clear evidence to the contrary (plus an assumption of liability by the manufacturer), consider all IoT devices to be inherently insecure and use them accordingly.

Re:what a bunch of b.s.

I don't really see how "corporate hackers and industrial spies" can "make profits" by breaking into Apple and stealing data about when I turn on my toaster.

It's not just the toaster. The "dream" of IoT is every disposable thing in your house and on your person is connected to the 'net. The data from one sensor might not tell anyone much, but when they are aggregated you have a total fucking panopticon.

Re:what a bunch of b.s.

I don't really see how "corporate hackers and industrial spies" can "make profits" by breaking into Apple and stealing data about when I turn on my toaster.

It's not just the toaster. The "dream" of IoT is every disposable thing in your house and on your person is connected to the 'net. The data from one sensor might not tell anyone much, but when they are aggregated you have a total fucking panopticon.

Just imagine someone monitoring the data feed from the house down the street where an attractive young woman lives by herself. After a few days, definitely after a month, a complete profile of her activities could be constructed.

Re:what a bunch of b.s.

[NostalgiaForInfinity]

Just imagine someone monitoring the data feed from the house down the street where an attractive young woman lives by herself. After a few days, definitely after a month, a complete profile of her activities could be constructed.

Really? Like what? That she keeps her house at 65F? That she wakes up at 6:30 am and goes to bed ad 10 pm? That she does laundry twice a week, usually on a Thu and Sun? That she usually leaves for work at 8:00 am and returns at 5:30 pm? So what?

Re: what a bunch of b.s.

So nobody should have the right to that data, especially for free. Profiling someone's activities can lead to all kinds of harassment and even false accusations of crimes, or do you think that law enforcement would never abuse something like this?

How about insurers? Come home late all the time? Maybe you drink too much or engage in other activities they don't like, and your rates go up for no reason you can figure out.

You may be perfectly ok sharing your every move on Facebook, posting pictures of exactly what you eat to instagram, and storing all your sensitive data on a cloud server, but that doesn't mean everyone else wants that. I can always choose to share a detail about my life to certain people under certain circumstances. You can't choose to un-share things as a practical matter once life teaches you the hard way why too much sharing of personal data is a stupid idea--and that's only a matter of time.

Re:what a bunch of b.s.

[JohnFen]

Such as whether or not she's home at a given time, or whether or not she has company, for two obvious examples. But examples aren't needed. Even if the data really is meaningless and harmless (which it is not), it is still a fact that it's nobody's damned business.

Re:what a bunch of b.s.

[NostalgiaForInfinity]

Such as whether or not she's home at a given time, or whether or not she has company, for two obvious examples.

I wasn't objecting to the idea that you can get some information about people, but that you can get a (and I quote) "complete profile".

But examples aren't needed. Even if the data really is meaningless and harmless (which it is not), it is still a fact that it's nobody's damned business.

And that is precisely why such data is legally and technologically protected. What we are discussing here is what the risk is when such protections occasionally fail, and the answer is that the risk is pretty much nil.

Re:what a bunch of b.s.

[tehcyder]

Just imagine someone monitoring the data feed from the house down the street where an attractive young woman lives by herself. After a few days, definitely after a month, a complete profile of her activities could be constructed.

Really? Like what? That she keeps her house at 65F? That she wakes up at 6:30 am and goes to bed ad 10 pm? That she does laundry twice a week, usually on a Thu and Sun? That she usually leaves for work at 8:00 am and returns at 5:30 pm? So what?

I think at least some of that information would be useful to a potential burglar or rapist, don't you?

Re:what a bunch of b.s.

I think at least some of that information would be useful to a potential burglar or rapist, don't you?

So could the information from walking by her house and noticing her car in the driveway. That doesn't mean we get rid of sidewalks, cars, or light bulbs.

I'm sorry, but the proposition that putting your toaster and lights on the Internet places you at risk for rape is utterly ludicrous.

Re:what a bunch of b.s.

[painandgreed]

I don't really see how "corporate hackers and industrial spies" can "make profits" by breaking into Apple and stealing data about when I turn on my toaster. "Corporate hackers and industrial spies" generally don't go after such low value data, they go after credit card numbers and corporate secrets.

They will be going after the credit card numbers and corporate secrets, the point is that your toaster would be the weak link in your systems. If they can hack the toaster, they can get the admin password for the toaster as well as the addresses of all the other things in the house. Form there try that admin password on something like the fridge. Most people will probably reuse the same password for all their appliances so they now have admin access to the fridge which has a reorder system for items keep there. Even if your credit card info is not kept in the fridge, it knows which system does have it, and that system trusts the fridge. There are other possible cases such as the IoT being a mesh network, then any of your home appliance is hacked, it can act as a man in the middle attack. Just as people didn't think about how phones can track their movements everywhere, there will be things that smart appliance will do that nobody really understands all the unintended consequences of.

Re:what a bunch of b.s.

[NostalgiaForInfinity]

They will be going after the credit card numbers and corporate secrets, the point is that your toaster would be the weak link in your systems. If they can hack the toaster, they can get the admin password for the toaster as well as the addresses of all the other things in the house. Form there try that admin password on something like the fridge.

That's utter nonsense. Most IoT devices run on Z-Wave or ZigBee networks and are paired by button presses; they don't have network passwords or user passwords, and have no TCP/IP access. They speak specialized protocols to a single IoT hub sitting somewhere in your home.

Furthermore, even for the few IoT devices that do run on WiFi, as I was saying: If your home network security assumes that every single attached device is patched and secure, you have already lost.

Just as people didn't think about how phones can track their movements everywhere, there will be things that smart appliance will do that nobody really understands all the unintended consequences of.

What makes you think people "didn't think about how phones can track their movements"? Lots of people thought about it. Lots of people also concluded it's not a problem. I find it convenient, actually, that I can find out where I was at any time in the past that have have had my phone; it's functionality I wouldn't want to miss.

how about lazy ass idiots learn some life skills

Instead of depending on technology for everything. This is the same as the internet connected cars, focus on driving you moron you dobt need to update your fb status while driving on the highway. Chevy commercials who plug away theor 4g connected cars is retarded, you make sh1t cars and you are trying to sell them as smartphones

Always the same stupid story, again and again

[gweihir]

First, it was mainframes that were insecure. When they were finally secured, the same mistakes were repeated with workstations. Then the same mistakes were repeated with PCs. Now they are repeated with mobile phones and with cars. Next they will be repeated with IoT.

The problem is that most people are completely unable to learn from experiences made by others, and so they repeat the same stupid mistakes whenever there is a new application field. The experts are available and could do better, but they do not get used, because all the bright-eyed "innovators" do not have a clue what they are doing.

Re: Always the same stupid story, again and again

People who live in glass (IoT) houses shouldn't throw stones, right?

Re:Always the same stupid story, again and again

[roca]

Entirely agree, except it's even worse because the "finally secured" part never actually happens.

IoT is the continued infantalisation of people

[Viol8]

Too lazy to check the fridge? There's an app for that. Too stupid to be able to pull your own curtains? There's an app for that. Too bone idle to turn off a light switch? There's an app for that.

Soon the infants masquerading as adults will require robots to wipe their backsides for them and spoon feed them mush for dinner (chew solids? Too much effort). You think the passengers on the starship in Wall-E were just a joke? Hardly - its where we're heading.

Meanwhile all these human vegetables will have all their private data sucked up by corporations and hackers to be used as they please.

Re:IoT is the continued infantalisation of people

[Ol+Olsoc]

Soon the infants masquerading as adults will require robots to wipe their backsides for them and spoon feed them mush for dinner (chew solids? Too much effort).

For as much as your post seems like "keep off my lawn" vitriol.....

It's absolute truth

I run a amateur radio competition. Essentially make as many contacts with as many locations as possible over a certain time.

Once upon a time, we required mailed in summary sheets (a way to get the logging started, plus some other info we need that isn't in the contact logs.)

But in the age of email, some people would spend hours telling me to go die in a fire because it was too much effort to fill out the pdf and print and mail it.

Kinda makes sense even if they are willing to waste more time arguing than doing, so I eliminated the mailing requirement.

Then it was too much effort to fill out the PDF and email it.

Now, you can right click on most logging program's menus in the scoring section and create a perfectly good summary and email it.

And I'm now getting some complaints of how much trouble that is.

Re:IoT is the continued infantalisation of people

I've heard plenty of boogieman stories about IoT devices. To hear it discussed you'd think that the purpose of an IoT light bulb is to gather my bank passwords and broadcast them to a shadowy hacker syndicate. Let's get real. If I've got an IoT device that is compromised, what can it do? If it can do the nasty things everyone seems to think, can it do it while still performing it's intended functions without me noticing a difference? Is there somewhere I can find the known vulnerabilities?

Re:IoT is the continued infantalisation of people

[Viol8]

"If I've got an IoT device that is compromised, what can it do?"

Its a computer - it can do anything the hacker wants it to do within the limitations of its hardware. That could involve sniffing your network, overloading the wiring, compromising other devices, being an anon gateway, you name it.

Re:IoT is the continued infantalisation of people

And how is that different than any other computer in my house? I've got a desktop, two laptops, two tablets, two phones, a router, a router I've configured as a hub with OpenWrt, two set top boxes, a PS3, a wi-fi enabled blu ray player, a networked AV receiver, a wii, and an IoT device. Most if not all of those are more or less a computer. I've got no particular reason to think that any one device is more secure than the other. Even if I were inclined to dive in to the inner workings almost all of them have security code that I'd never be able to see. If I can't do that for the devices that must be connected for normal functionality, why the hell should I care about my convenience items? Is it just the potential of putting another computer on my network or are there some real known threats and are they systemic or can I do smart purchasing and keep a secure house. My IoT device saved me several thousand dollars in renovation costs, I'm not going to ditch it just because it is another unknown on my network.

Re:IoT is the continued infantalisation of people

[Viol8]

"And how is that different than any other computer in my house?"

Go back and read the title of this article.

"I'm not going to ditch it just because it is another unknown on my network."

And that demonstrates why so many idiots in this world get hacked.

Re:IoT is the continued infantalisation of people

Ok. Title, Summary, Article. I still haven't seen what makes these specialized computers any different than any of the other security scandals any of my other more acceptable computers have.

Re:IoT is the continued infantalisation of people

[NostalgiaForInfinity]

That could involve sniffing your network, ... compromising other devices, being an anon gateway, you name it.

IoT devices usually run over low speed, low power networks separate from WiFi, so they can't even see WiFi traffic. For the few devices that people do put on WiFi, they are likely much less of a risk than a Windows or Mac computer, since the primary attack vectors against computers--Web, e-mail and apps--don't exist.

overloading the wiring,

An IoT toaster or light bulb has no magical capabilities that a regular toaster or light bulb doesn't also have.

Re:IoT is the continued infantalisation of people

[Incadenza]

IoT devices usually run over low speed, low power networks separate from WiFi, so they can't even see WiFi traffic. For the few devices that people do put on WiFi, they are likely much less of a risk than a Windows or Mac computer, since the primary attack vectors against computers--Web, e-mail and apps--don't exist.

Are you sure?

Re:IoT is the continued infantalisation of people

[KGIII]

Well yeah, the summary should be automatically filled in by the data from the SDR, it should have meta data included automatically. Hell, they shouldn't even have to do that (next). Next they'll not even want to click the button to sign anything but have it all done automatically - just ship the meta data off in XML and you have something autonomous do the scoring based on meta data collected from the Google Maps API. Hell, they won't even have to sign up for the contest - just use push notifications over an app (modern app appers app apps, after all) and they'll automatically be enrolled.

Pretty soon, they won't even be making contact. They'll just have that same app connecting to others with the same app, collecting the meta data, having it shipped off (in XML, no less) collected by your server. The server will push out the notifications as to the standings. They won't even have to do anything, when they get the notice that the contest is on, it will run automatically and make the contacts in the background on their behalf - to other SDR devices who are also doing the same thing. Well, what do they win?

I'm only partially joking but, if nothing changes, then perhaps the writing is on the wall. With a few hours, I was able to pass every single test on the ARRL (I think that was the URL) site - the prep exams, knowing only some of the material from long-since-past EE classes in the late 1980s. I simply noted the errors and the answers and memorized it. What work needs to be done, really?

I think I needed to take each practice exam a few times total with only one of them (oddly the easiest one) needing a couple more tries. After that I was able to score an acceptable score on each. A few more tries, I think I spent maybe three or four hours total - over a week, and I was able to get a perfect score on all of them, in a row. I decided to not get my license, I'd end up hurting myself. I do have a radio - I do not broadcast.

I have some ham friends. My system is their emergency station. They did pretty much all the work. I kind of know how the equipment works but I don't do much with it except to poke and listen once in a while. They want me to put in a tower and a "shack." Some sort of standby thing in case of a crisis? I probably will let them do it and pay for it this upcoming spring. They do all the work. Another friend has a 180' tower, all in pieces, to sell to me. He used to work setting up and dismantling radio towers and his boss gave him the tower as partial payment.

Honestly, I don't know much about it. I think the term they used was "cold standby." They've used the equipment for some sort of crisis response practice where they had a bunch of people set up in a few areas around Maine (invited the public and any locals to test and play and learn - had some seminars and stuff too as I recall) and they had a dozen people or so at my house, all poking and doing what they do.

Nice group of people. If the poop hits the fan then, I suppose, I'll figure out the rest of what I need. They've shown me how to do quite a bit of it but I probably know what I know by rote. I can probably figure out the rest but I haven't. I don't mind the expense (it's actually fairly trivial and they do all the work and I pay by nodding and pretending I understand) and I figure it may do some good some day.

Re:IoT is the continued infantalisation of people

[GuB-42]

And why should I wipe my backside if a robot can do it? Yes I am lazy, laziness is progress. Should I call you lazy because you are not hunting the meat you are eating (or grow your own vegetables, or carry your own water, or...)?
This doesn't mean that we should be lazy for everything, we can still have hobbies or do sports, but if robots can do my chores, that's perfect for me.

Re:IoT is the continued infantalisation of people

[NostalgiaForInfinity]

Yes, I'm sure. Which part of "usually" did you not understand?

Obviously, there are a bunch of WiFi-connected IoT devices, but they are the exception.

Re:IoT is the continued infantalisation of people

[Ol+Olsoc]

Well yeah, the summary should be automatically filled in by the data from the SDR, it should have meta data included automatically. Hell, they shouldn't even have to do that (next). Next they'll not even want to click the button to sign anything but have it all done automatically - just ship the meta data off in XML and you have something autonomous do the scoring based on meta data collected from the Google Maps API.

There are a few contests that use live updating on teh web. Turns out to be a hassle for any contest that uses Mobiles, Portables or Rovers. But Hams are kind of like Slashdot users, som on the edge, and some worried about teenagers on their lawns. So we get a lot of different lod formats.

Would be cool if the scoring was done the moment the contest ended.

I'm only partially joking but, if nothing changes, then perhaps the writing is on the wall. With a few hours, I was able to pass every single test on the ARRL (I think that was the URL) site - the prep exams, knowing only some of the material from long-since-past EE classes in the late 1980s. I simply noted the errors and the answers and memorized it. What work needs to be done, really?

Yes, the practice exams are more like a beginning, a low bar to entry, than being very difficult.

I decided to not get my license, I'd end up hurting myself.

Reminds me - one of the issues I have with the testing is that the Entery level - the Technician, is allowed to play with High power amplifiers. Legal limit can be 1500 KW, depending on the band. And the tube amps ( surprisingly, hollow state high power amps are still relevant) can pack a wallop of a shock if one isn't careful. An RF burn is nothing to sneeze at. I took a shock from 50 watts when I first got my General license, and it was seriously painful, and burnt a small hole in my finger. Freakin' smoke rose from my fingertip.

Instant RF respect.

Another friend has a 180' tower, all in pieces, to sell to me.

Whoa - that's a serious tower.

I figure it may do some good some day.

In Maine, it will probably come in handy at some point. I've always said the reason that Amateur radio works so well in emergencies is that we don't have much structure. Just geeks who understand Propagation and how to hook the things up, so whoever survives can be a big help. Just like the first casualty of war is the battle plan, all of the communication organization of emergency agencies goes away as soon as the emergency ensues.

I have some fun with modern SDR rigs. I have a FlexRadio 6300, and it is the sort of Radio a computer geek would use. Digital modem use is also fun. I gotta stop talking about it, cuz next thing you know, I'll be taking about the awesomeness of direct conversion and low phase noise and all that stuff. Dunno if your friends do any Digital work, but we send forms and files over HF and VHF. As well as just type a lot to each other. The ideal marriage between computer and radio.

Re:IoT is the continued infantalisation of people

[tehcyder]

My IoT device saved me several thousand dollars in renovation costs

Yes, but did it save them because it was connected to the internet?

Re:IoT is the continued infantalisation of people

So you are saying you can't find a reasonable occurrences where a computer, a cell phone, or a home networking appliance shipped to the store in a compromised state and the companies didn't rush to patch?

Idiots shouldn't be using technology.

This is why.

What is IoT?

[XxtraLarGe]

My boss asked me "What is IoT?", so I explained it to her. I told her it was a collection of "smart" appliances that are connected to the internet, so that you could dim the light bulbs in your living room from your smart phone, or you could adjust the thermostat in your house so it is nice & warm when you get home, or you could preheat the oven to 450 on your way home from the store. On the flip side, hackers could turn off your lights prior to a home invasion, turn your thermostat off during a cold spell so your pipes freeze, or preheat your oven to 600 degrees while you're on vacation.

Re:What is IoT?

[Lumpy]

Hackers are not going to do a home invasion. Stop being a paranoid conspiracy nut who likes spreading fear.

Less than 7% of all burglaries are home invasions (US gov data, go look it up). you have a significantly higher chance of dying in your bathtub, or your car exploding on your way to work than a home invasion.

Lastly, 99% of all home invasions are done by drugged out violent criminals, not highly educated and skilled hackers. That last 1%? done by people you know.

Re:What is IoT?

[gbjbaanb]

On the flip side, hackers could turn off your lights prior to a home invasion

lol, and then what are they going to do - intimidate me with a Klingon axe-thingy and demand all my caffeinated beverages?

Re:What is IoT?

[dablow]

It's not just the hackers, the government could essentially kill you by disabling everything that keeps you alive (heating, ability to store and cook food, the ability to remain warm and sheltered etc etc.). No need for costly drones.

They will be able to track your every single breath...They will know when you cheated on your taxes just by looking at the quality of beer your purchased.....

Re:What is IoT?

Hackers could data from your connected devices to figure out when you are away from home (or on vacation) and use that to time their break in without risk of being disturbed.
Hackers won't do the burglary themselves but sell the info online to interested parties.

Also hackers will turn your IoT devices into a botnet using it for breaking into other sites - basically what's happening today with computers.

Re:What is IoT?

[mlush]

I think hackers are going to be more interested in using IoT to hack a WiFi Password via a smart kettle

Re:What is IoT?

And they can do that by simply watching your house, yet they dont.

Re:What is IoT?

[XxtraLarGe]

Hackers are not going to do a home invasion. Stop being a paranoid conspiracy nut who likes spreading fear.

Chillax dude, the examples were tongue-in-cheek. My boss got a good laugh out of it, why can't you?

Re:What is IoT?

gang members are using drones to transport drugs and keep surveillance on targets for extortions, what makes you so sure they won't be utilising the services of "hackers" to fulfil their agendas. If it can earn money illegally, it will be done.

Re:What is IoT?

[JohnFen]

Lastly, 99% of all home invasions are done by drugged out violent criminals, not highly educated and skilled hackers.

Most malicious hackers are not highly educated or skilled. They're script kiddies running tools made by someone else.

Re:What is IoT?

[KGIII]

Pfft... That'd require they leave the basement!

Re:What is IoT?

Because it's cold and visible out there. Now they can do that from their comfy sofa.
Bonus points: you can propose jobs/opportunities to wannabe burglars, Uber-style, except they will pay you for the intel. Uber-ization of the entire economy is good, right?

Re:What is IoT?

[tehcyder]

Lastly, 99% of all home invasions are done by drugged out violent criminals, not highly educated and skilled hackers.

Most malicious hackers are not highly educated or skilled. They're script kiddies running tools made by someone else.

So what? If the tools work you're not going to care whether you were fucked over by a 13 year old in his basement or Dr Evilgeniushacker in a lair beneath a volcano.

Re:What is IoT?

[painandgreed]

My boss asked me "What is IoT?", so I explained it to her. I told her it was a collection of "smart" appliances that are connected to the internet, so that you could dim the light bulbs in your living room from your smart phone, or you could adjust the thermostat in your house so it is nice & warm when you get home, or you could preheat the oven to 450 on your way home from the store. On the flip side, hackers could turn off your lights prior to a home invasion, turn your thermostat off during a cold spell so your pipes freeze, or preheat your oven to 600 degrees while you're on vacation.

More likely those hackers will route spam through your toaster, use your fridge as a bot net, make your oven a tor gateway, and make the computer that controls your lights host bit torrent. Or just use them to sniff household network traffic to find anything to use there and possible man in the middle attacks. For that matter, what's the chances somebody will use the same household password on all their appliances including the wifi router and home computer so that when they hack one, they have access to all?

Because right now

[rsilvergun]

someone could be in my kitchen, digitally making themselves a grilled cheese sandwich with neither my knowledge or consent. And don't say it's just my teenager, I can't get her to step foot in a kitchen.

Re:Because right now

[radarskiy]

Distributed Denial of Sandwich attack

It's not critical.

[Lumpy]

My door sensor does not need 128 bits of encryption. it needs to talk to a hub inside my home unencrypted, and then the link out from there needs to be secure. The problem is all these "experts" dont have a clue at all about all of this and are clamoring that we need heavy security on everything! ZOMG!!!

WE don't. what we need is 100% open on all the devices so that as the owner of a device I can use it with whatever I want in whatever way I want. heavy security means I will never ever be able to do that.

All of the IOT (I really hate that acronym) crap needs to talk to a single hub and that when allowed to communicate out needs security. There needs to be absolutely ZERO security on the inside protected network other than what already exists with decent systems like Z Wave or Zigbee where they get a key from the hub they join and only talk to that network. can it be still hacked? yes but not by the typical thief who really would not care to as all he has to do is a smash and grab.

My toaster does not need to tweet or talk to westinghouse's servers. it needs to talk to my HA hub, and from there I can decide if it needs access to post to slashdot that my double cinnamon raisin toast is done.

Re:It's not critical.

[JaredOfEuropa]

I much prefer a Z-Wave / Zigbee solution over WiFi solutions as well. For the reason you stated, but there is another reason: WiFi sucks. I've yet to find an access point that is really reliable, and does not require frequent reboots. And with dozens or even hundreds of devices on one WiFi network, it's going to suck even harder. In contrast, I find my Z-Wave network to be extremely reliable. Besides, even if Z-Wave device firmware was somehow compromised, it would still have a much harder time getting through the hub out to the internet compared to compromised WiFi devices.

We do need better security though. Casual thieves are not going to hack your Z-Wave setup, but when such setups become more prevalent you can expect cheap hardware that will do the hacking for them. Like the GPS / GSM jammers popular with car thieves; these things can be had for under $100. It's not hard to build a box that can detect and access a Z-Wave network, there's just not much of a market for one. Yet. Thankfully, Z-Wave locks already use encrypted comms with the HA hub, and the upcoming new version of the standard allows better security for other devices as well, without having to compromise on the usability of the devices by the owner. Openness will still be determined by your hub.

Re:It's not critical.

[Lumpy]

Problem is we already have had wireless Alarm systems for well over 2 decades and are extremely common and we still dont have simple thief boxes to override the door sensors.

Thieves don't CARE about your door sensor, they kick it in, let the alarm wail as it dials the alarm company and make off with your TV set and everything else that is easily snatched before the police even get the phone call that someone is breaking in. 20 minutes later a cop might drive by the house.

They don't need to override anything, they know that unless you are currently there with a shotgun in hand, your iot sensors are not even a bother to them.

I have smartthings and sensors at home for one thing. to let me know I was robbed, so I should head home to board up the window they broke, and to trigger the cameras to record evidence so that my insurance company does not try to pull the "prove you were robbed" bullshit they pulled on me last time.

Re:It's not critical.

[Ol+Olsoc]

My door sensor does not need 128 bits of encryption. it needs to talk to a hub inside my home unencrypted, and then the link out from there needs to be secure. The problem is all these "experts" dont have a clue at all about all of this and are clamoring that we need heavy security on everything! ZOMG!!!

You are right - but it won't happen that way. Manufacturers will want to be able to push updates, Google will want to know what is being bought and used, (I suspect eventually, little rfid chips in all foodstuffs so an inventory can be done and reported back so you'll be able to get a suggested grocery list complete with ads on some app on your smartphone),food manufacturers will want Google's data, the electric company will want access for power control, ADT will want access for their security services, police will want access for evidence collection and more effective swatting if need be, maybe even making certain that people on parole or under restrictions don't have beer in the house - remember those rfid chips I was talking about?

An Internet of Things is of much less utility if they can't monetize and collect as much data as possible.

Re:It's not critical.

But it is already headed that way. Look up Wink, Smartthings, IRIS, and the others, all of the current systems are like he describes. These do not need any "security" as they are going through a hub and are on a private network. I agree with the lumps point, this call for security is simply people that have zero clue about IOT whining to get some public exposure. They are nothing more than Chicken little of the digital age.

Re:It's not critical.

[Ol+Olsoc]

But it is already headed that way. Look up Wink, Smartthings, IRIS, and the others, all of the current systems are like he describes.

As soon as it catches on, are you saying the big boys won't get involved, and turn it into data? I can see Google getting involved, and selling at a discounted rate, and now things start opening up.

I mean, if the IoT is going to be secure and internalized as you guys figure, it will be really bucking the trend. Why on earth wouldn't it be turned into data? I can see my rfid on foodstuffs for the IoT refrigerator starting off as simple scanning of barcodes - who wouldn't want that info? People have shown a remarkable willingness to share their lives online so I have no doubt this will happen, and the secured private systems will end up an anachronism.

Re:It's not critical.

Yes, but those types of devices will become ubiquitous, because that's what the manufacturers will provide. Initially the smarter devices (especially wifi-enabled) will be the promoted products (because they're new) from BestBuy, Target, HomeDepot. And will become more and more common, until only the very lowest-end devices will be either dumb or non-wifi-enabled. It will just happen, it won't be a thought-out, planned process, and devices like those that you want will either never exist, or will disappear, in part because the parts needed for low-cost, mass-production in China will only come in one flavor.

Re:It's not critical.

Why would anything inside my home ever need to communicate out? Other than data gathering on me and my family, there is no reason for my thermostat to talk to anything else, same for the stupid toaster that sadly became a thing in this discussion.

Re:It's not critical.

[laie_techie]

Why would anything inside my home ever need to communicate out? Other than data gathering on me and my family, there is no reason for my thermostat to talk to anything else, same for the stupid toaster that sadly became a thing in this discussion.

Some scenarios being pushed include adjusting your thermostat because you're heading home earlier / later than usual, being able to remotely turn on lights so no one knows you're not home, standard home security set up (such as accessing cameras, alerting you to a break in), etc. Your thermostat probably doesn't need to talk with your microwave.

Re:It's not critical.

[Lumpy]

My thermostat doesn't need to talk to anything. a simple programmable thermostat saves exactly the same amount of money that a smart networked one that delays heating by 30 minutes would. Honestly, my neighbor has a NEST and he saves absolutely nothing compared to the identical house I live in next to him with my Stock bryant thermostat that is "programmable" that I set once back when I moved in and have not touched again since.

Exact same houses, and zero savings or comfort gains from his $300 thermostat.

Re: It's not critical.

[MarkH]

Agreed hub to device symmetric key secures that path. But it just makes the hub a more valuable target the more powerful devices connected to it get ( turning on a light versus opening garage door.

Re:It's not critical.

[laie_techie]

My thermostat doesn't need to talk to anything. a simple programmable thermostat saves exactly the same amount of money that a smart networked one that delays heating by 30 minutes would. Honestly, my neighbor has a NEST and he saves absolutely nothing compared to the identical house I live in next to him with my Stock bryant thermostat that is "programmable" that I set once back when I moved in and have not touched again since.

Exact same houses, and zero savings or comfort gains from his $300 thermostat.

As I said, it might be nice to notify your thermostat that you will arrive home earlier than normal. 95% of the time once you've programmed in your schedule you won't change it (small exception of adjusting for daylight savings time twice a year). 99% of the time you remember to turn off lights and lock doors. Each consumer needs to see if the benefits are worth the costs.

Re:It's not critical.

no they are not.

Re:It's not critical.

So you want a single point of failure "hub", with which everything else communicates with over unencrypted wireless? What could possibly go wrong?

Re:It's not critical.

[painandgreed]

My door sensor does not need 128 bits of encryption. it needs to talk to a hub inside my home unencrypted, and then the link out from there needs to be secure. The problem is all these "experts" dont have a clue at all about all of this and are clamoring that we need heavy security on everything! ZOMG!!!

Perhaps they're thinking that all this stuff will mostly likely be wireless and as accessible to your neighbor or from the street outside your house as to whatever it's supposed to be talking to. While major appliances might get dedicated wire, unless they do network over power, they're probably not going to wire for every place you might put a lamp or toaster.

Get it all right.

IOT is a truly bad idea in its current iteration. The reasons cannot even be fully enumerated.

Re:Get it all right.

[dablow]

There is absolutely no iteration of IOT that will ever be right.

Not until they make all programming 100% secure and bug proof. Which is at the moment impossible.

Typical Slashdot discussions now

[hodet]

Anything on IoT becomes a shitfest discussion of toasters and fridges. Fuck what happened to this place.

Re:Typical Slashdot discussions now

[AmiMoJo]

Indeed, the biggest area for IoT, the area I happen to work in, is sensor networks. Say you have a vast water distribution network that you need to monitor. Typical ones leak 30-40% of the water out, so you are probably interested in figuring out where the leaks are, as well as metering everyone's usage for billing purposes.

In the past you had to send people out to take readings everywhere. Now you can put IoT sensors everywhere and they send you the data at regular intervals. It's getting so good already that leakage is down to below 20% in some places, at which point it often isn't worth fixing the remaining small leaks (e.g. you won't dig up a road just to fix a crack losing â5/month of water).

Sadly a lot of this stuff is insecure. It's just that there is little interest in screwing with it at the moment. You could send some fake sensor readings... Maybe cheat on your water or electricity bill for a while. The thing is, because there are so many sensors they would quickly notice that the numbers don't add up and come to investigate.

Re:Typical Slashdot discussions now

[hodet]

This is what the IoT is all about. There are tonnes of other examples as well. How about the guy who invented a system that monitors power usage at his elderly mothers house from his web browser. He knows her routine enough to see power spikes when he should (like the kettle making tea at 10am every morning). If usage looks out of the ordinary he immediately checks up on her to make sure she is ok.

Lots of great stuff happening in maker space. People coming up with all kinds of ingenious way of using embedded devices, like monitoring humidity and temperature for specific applications, water levels...all sensor based. Raspberry Pi's, Arduino, Beaglebones..this to me is exciting and brings an aspect back to computing that is reminiscent of the early days and what got many of us into technology in the first place. It's too bad this is no longer the place to share that joy. But like and idiot I keep coming back here expecting/hoping it can change. But it doesn't, this place is dead. Time to logout for good.

Re:Typical Slashdot discussions now

Couldn't agree more. This used to be a site for tech enthusiasts; now it's full of get-off-my-lawn luddites who'd rather go back to the days of text-only and 48k memory. (not that there's anything wrong with the command line - I still spend a large fraction of my computing time there)

Of course IoT is stupid without security. But there are plenty of useful applications that have little security risk. The hysteria over IoT here is tiresome. It's just as stupid as the example given in the summary - "use my toaster to break into my Facebook account." Or bank account. Sure, because there exist toasters now with Facebook integration, or ever will be such things. Much rolling of eyes here.

I have an internet-connected garage door opener (actually a "wifi gateway" that acts as another remote for my non-internet garage door opener) . I can feel the luddites getting worked up already - "but a burglar can hack it to let themselves in!!!" Yeah, or they can smash my window and save themselves a hell of a lot of trouble. Nobody who wants to burglarize my house will find out what brand of wifi garage door remote I have, hack into their system (or my secured wireless network), brute-force or otherwise obtain my password, and open the door via the service. This is a truly ridiculous hypothetical scenario.

On the contrary, my IoT device has saved me from potential theft a couple of times. Occasionally the garage door opener likes to reopen the door as I'm driving away (the standard dumb opener, not the separate IoT part); without the wifi remote, I'd never know this. But I have it set to send me a notification any time the door has been open for more than an hour. An hour later, when I'm at work I get the notification; I check the camera I have installed in the garage, confirm the door's open, and send the command to close it. Much better than 9-10 hours of a free invitation for all to come by and take what they want.

I have other devices connected for my own convenience - light switches, cameras, and yes, a thermostat. None of these, if hacked, can do any real damage. The majority of them are firewalled off from actual internet connectivity - I have a secure server that interacts with them and acts as my gateway. Basically a hub but it's a computer with my own software that I like to tinker with. I've taken steps to make myself comfortable with the security level; paranoia is not necessary.

And if any service that controls one of these devices gets massively hacked such that pranksters are turning on/off millions of lights and opening random garage doors across the country? I'll block them at the firewall and/or otherwise pull the plug. Crisis averted.

What is this IoT you speak of?

Is this IoT anything like the Internet???

Re:What is this IoT you speak of?

Yes, but unlike the Internet IoT has the following features:

1. It is CLOUD compliant.
2. It is web scale. You can plug right in and it scales right up.
3. It supports auto sharding.
4. It also supports in-memory data grid, elastic main memory, and scale out computing.
5. It is able to write all its data to Dev Null but most of the time it writes it data to the mothership (some times called Big Data)

*Big Data should not be confused with FAT data as they are different.

Why I'm standardizing on the Raspberry Pi

[Btrot69]

I've been on something of a roll setting up Raspberry Pi's as something of a family IoT cloud.
While it's probably not (yet) completely secure from hackers like the NSA, I do have a lot of confidence in Debian/Raspbian linux. With 7 million RPi's sold and lots of volunteers working on it, I expect it will be getting security updates for a long time.

I've got nice simple Python fabric scripts that I run from my laptop to keep everything up-to-date, setup ssh keys, firewalls, knockd, motion webcams, temperature and humidity sensors and private MQTT brokers and loggers.

Its not all foolproof yet -- but I'm learning a lot, and expect to open source it.

Wrong security model

[silas_moeckel]

The it's got wifi and connects to the cloud model is broken by design. It's a great marketing thing to make you replace your outdated bits every few years since they are no longer compatible. But a model that is reliant on lots of vendors to do constant updates to deal with newly uncovered issues fails as white good vendors forget about a model the instant a newer version comes out. All of the cloud features have been how can we nickle and dime you

You need basic encryption/authentication/replay prevention on the network. The device(s) that control those networks need to be secure. We have openhab etc in the opensource side and a small pile of black boxes with varying levels of local intelligence. My vera can not reach the internet it's in an isolated network along with a few other IP based IoT like my garage door controler some DIY kit etc. Oddly it chugs along just fine with openhab relaying any external info it needs like when I should be arriving home or the weather forecast. Sure if there is a network level exploit to zwave, insteon, zigbee or whatever will need to get firmware upgrades on bits. Bet far better to make something thats not intended to be a 20+ year lifespan embed device be the thing thats get upgraded etc. The last thing I want is my fridge having to phone home to do anything, to be reliant that some cloud is still there and supports my 20-30-40 year old device. Sensors can be very well defined it's not like some software upgrade will add a new sensor. Lightbulbs are getting smarter with RGBW and color temps as well as dimming, would expect motion sensing ambient light levels etc to be pretty standard soon. But who wants to worry that the cheap chinese bulbs they got at walmart wont get security patches a couple years from now.

IoT precursor

IoT can never really live up to its promise as long as we're on IPv4. IPv6 is an important part of the promise, and a precursor to its meaningful fulfillment.

That is a solved problem. We just don't care.

Sounds like the usual rule-of-thumb applies here, whether the computer is on a desk or happens to be a kitchen appliance:

Don't get your hardware and software from the same party (same goes for services; they must be a third party separate from the other two). You shouldn't be relying on manufacturers for software maintenance; software maintenance comes from the community (or from yourself).

We already know this on the desktop and in the server room. Every time you violated it, it cost you money, capabilities and reliability, so eventually you caught on and now its seen as simple common sense (though it actually took a long time to figure out).

We know it on the handheld (pretty much every smartphone-related annoyance reminds us of the problem) but live in denial. Now we're going to extend this denial to the kitchen, and the car, and what else?

Re:how about lazy ass idiots learn some life skill

[laie_techie]

Instead of depending on technology for everything. This is the same as the internet connected cars, focus on driving you moron you dobt need to update your fb status while driving on the highway. Chevy commercials who plug away theor 4g connected cars is retarded, you make sh1t cars and you are trying to sell them as smartphones

Internet connectivity in cars usually is not for the benefit of the driver (GPS being an obvious exception), but for the passengers. Kids get bored on long road trips, so give them internet access to stream songs / movies to placate them.

Any time you have a multi-tasker, the device is generally good at one task and mediocre or poor at the other. Do you want a mediocre phone with a great PDA, or a mediocre PDA with a great phone? Do you want a great car where connectivity was a secondary thought, or great connectivity in a mediocre car?

Perfect is the enemy of good

My refrigerator works quite fine with it's "dumb" thermostat. When it gets too cold in it, do you know what it does? It shuts its bloody self off! Turns itself back on too when it gets too warm? Magic I tell you! It's almost like it's "smart". These sorts of things tend to work far better when they are at a fixed setting rather than being farted around with every 30 minutes. My oven has one of these magic thermostats too, though as hard as it is for my lazy ass to get up and turn the oven on, I manage to do it just fine! And you know what, it cooks things at the right temperature with the magic thermostat!

If you want to hack my appliances and HVAC system, you'll need a hacksaw.

The most secure device is the one that isn't attached to a network.

Be wary of someone who wants to sell you anything IoT, he's going to want to sell you the same crap again in 3 years from now. Do you really want your house to be on the same upgrade cycle as the PC industry has done for years? I think not.

IoT not for me

[JohnFen]

The last thing in the world I want is more of my devices sending data about me and my belongings to servers that I do not control.

For what I hope are obvious reasons.

Re:Lair of The Lesbians

[tehcyder]

This has good troll potential, but you need to tailor it to the slashdot crowd.

The usual method is to mock the Linux operating system and/or say how great Microsoft is and involve plenty of racism and gay sex to confuse everybody.