Slashdot Mirror


Why IoT Security Is So Critical (techcrunch.com)

An anonymous reader writes: Software engineer Ben Dickson starts off an opinion piece about Internet of Things security with this amusing comment: "Twenty years ago, if you told me my phone could be used to steal the password to my email account or to take a copy of my fingerprint data, I would've laughed at you and said you watch too much James Bond. But today, if you tell me that hackers with malicious intents can use my toaster to break into my Facebook account, I will panic and quickly pull the plug from the evil appliance." Dickson then lays out many of the issues with securing internet-connected devices, and explains the work being done to make them more secure. He highlights areas that manufacturers must focus on: "In contrast to human-controlled devices, they go through a one-time authentication process, which can make them perfect sources of infiltration into company networks. Therefore, more security needs to be implemented on these gateways to improve the overall security of the system. ... There also must be a sound plan for installing security updates on IoT devices. Each consumer will likely soon own scores — if not hundreds — of connected devices. The idea of manually installing updates on so many devices is definitely out of the question, but having them automatically pushed by manufacturers also can be a risky business."

20 of 148 comments

  1. Why "IoT" security is so critical by Anonymous Coward · · Score: 5, Insightful

    is because morons won't stop adding devices to the "IoT" instead of leaving them dumb like they should be. FFS this is a problem created by a trend with no benefits in the first place.

    1. Re:Why "IoT" security is so critical by Anonymous Coward · · Score: 2, Funny

      Butbutbut I need to turn on the toaster from the bedroom so the toast is ready when I arrive in the kitchen!

    2. Re:Why "IoT" security is so critical by TheRaven64 · · Score: 2, Insightful
      Unless the toaster can also cut the bread and insert it, then there isn't much value in being able to turn it on remotely. There are lots of reasons where it might be nice to have some connectivity though:
      • If the toaster can detect when I've finished showering, I can program it so that my toast will pop up when I've showered and dressed.
      • If my doorbell or telephone rings, then it can pause and resume later, so the toast hasn't had time to cool down before I get to it.
      • Communication in the other direction would let it notify me in whatever room I'm in when the toast is ready.
      • It could communicate with the fridge that I was likely to get butter out soon, which would mean that I'd be likely to open the door soon. This would let the fridge postpone running the compressor until afterwards (no point chilling air that's just about to be removed from the fridge).

      These are just the ones that come to mind immediately. I'm sure there are other applications.

      --
      I am TheRaven on Soylent News
    3. Re:Why "IoT" security is so critical by Anonymous Coward · · Score: 2

      If the toaster can detect when I've finished showering, I can program it so that my toast will pop up when I've showered and dressed.

      How does the toaster know it's you in the shower and not someone else?

      If my doorbell or telephone rings, then it can pause and resume later, so the toast hasn't had time to cool down before I get to it.

      Sounds like a potential DOT attack to me (Denial of Toast)

      Communication in the other direction would let it notify me in whatever room I'm in when the toast is ready.

      Beeping would do the same thing, or gosh, even the popping up of the toast on most toasters is noisy enough already.

      It could communicate with the fridge that I was likely to get butter out soon, which would mean that I'd be likely to open the door soon. This would let the fridge postpone running the compressor until afterwards (no point chilling air that's just about to be removed from the fridge).

      You already got the bread out of the fridge to put into the toaster, a sane person would already have taken the butter at that point so it can soften a little. This is silly talk.

    4. Re:Why "IoT" security is so critical by Viol8 · · Score: 2, Insightful

      "like ventilation systems and you have a completely different case. Thermostats that can detect not only presence of people but also power consumption in a room and predict the ventilation level needed."

      And the thermostats need to be online because....?

      "I can also think of devices like the fridge or freezer to be able to talk to the internet to be more cost efficient - cool extra during cheap hours and cool less when electricity is more expensive."

      Wtf? Perishable food needs to be kept cool regardless of the price of the electricity unless you want to risk food poisoning to save a few pennies.

      There is absolutely NO reason for ANY kitchen appliances to be online or have any kind of network presence whatsoever unless you're such a bone idle sack of fat that you can't even be bothered to open a fridge door to check what's inside but would sooner do it via an app.

    5. Re:Why "IoT" security is so critical by gbjbaanb · · Score: 2

      Fridges work by being a closed air-con unit, as part of that process they draw moisture out of the air. Bread, placed in a fridge therefore goes stale quicker.

      To keep bread, either freeze it (and let it slowly defrost at air temperature to get it back to best condition) or put it in a closed container like a bread bin. Or buy bread so laced with chemicals that there's hardly any flour used in its production.

    6. Re:Why "IoT" security is so critical by Viol8 · · Score: 2

      "Don't plug this shit in if you don't want to use it."

      And what happens if it gets to the point where I don't have a bloody choice because the fridge refuses to work unless it's downloaded some new firmware or whatever?

      "Let us have these devices to save money and help the planet"

      Help the planet? You having a laugh? You might want to check out the mess the mining of the precious metals for all our playtoy devices causes and then the pollution from their refining and the manufacture of the device itself plus transportation.

      This is nothing but tech for its own sake keeping the Oooh shiny! crowd happy.

    7. Re:Why "IoT" security is so critical by JohnFen · · Score: 2

      You can do all of these things right now without involving the internet at all.

  2. DOA by Anonymous Coward · · Score: 3, Insightful

    Google/phone manufacturers can't even keep Android phones patched more than a few years. What makes people believe that "IoT" devices will do any better?

    1. Re:DOA by peragrin · · Score: 4, Insightful

      Look at smart TVs and the number of updates that they get.

      Manufacturers' goals are not compatible with the IoT concept. You own your TV for a decade or more between replacing it. Refrigerators can go 20+ years easy.

      Do manufacturers really want to provide support that long? If the answer is no then it doesn't belong in the IoT category.

      --
      i thought once I was found, but it was only a dream.
  3. Why the Internet of Things is so stupid by mbone · · Score: 4, Informative

    Fixed that headline for you.

    Engineers with a hammer treating everything as a nail, and marketeers seeking to mine information from everyone's daily actions are evidently a very bad combination.

    1. Re:Why the Internet of Things is so stupid by gstoddart · · Score: 2

      Yup, just say no to this crap.

      The only thing I want to be internet connected is my computers, my tablet, and only very rarely my phone.

      The rest of this internet connected crap I have no interest in, because I assume the security is incompetently written, and the product is mostly geared to allow analytics and ads ... none of which I have any interest in.

      An endless series of crap products which are connecting to the intertubes is just marketing hype.

      --
      Lost at C:>. Found at C.
  4. what a bunch of b.s. by NostalgiaForInfinity · · Score: 2

    There also must be a sound plan for installing security updates on IoT devices.

    No, not really. If your home network security assumes that every single attached device is patched and secure, you have already lost. You should deploy your IoT devices in such a way that, even if they get compromised, the damage is limited.

    Also of concern are huge repositories where IoT data is being stored, which can become attractive targets for corporate hackers and industrial spies who rely on big data to make profits.

    I don't really see how "corporate hackers and industrial spies" can "make profits" by breaking into Apple and stealing data about when I turn on my toaster. "Corporate hackers and industrial spies" generally don't go after such low value data, they go after credit card numbers and corporate secrets.

    What is evident is that the IoT will become an important part of our lives very soon, and its security is one of the major issues that must be addressed via active participation by the entire global tech community.

    No, it really doesn't need to be. Unless you have specific and clear evidence to the contrary (plus an assumption of liability by the manufacturer), consider all IoT devices to be inherently insecure and use them accordingly.

  5. Always the same stupid story, again and again by gweihir · · Score: 4, Insightful

    First, it was mainframes that were insecure. When they were finally secured, the same mistakes were repeated with workstations. Then the same mistakes were repeated with PCs. Now they are repeated with mobile phones and with cars. Next they will be repeated with IoT.

    The problem is that most people are completely unable to learn from experiences made by others, and so they repeat the same stupid mistakes whenever there is a new application field. The experts are available and could do better, but they do not get used, because all the bright-eyed "innovators" do not have a clue what they are doing.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. IoT is the continued infantilisation of people by Viol8 · · Score: 2

    Too lazy to check the fridge? There's an app for that. Too stupid to be able to pull your own curtains? There's an app for that. Too bone idle to turn off a light switch? There's an app for that.

    Soon the infants masquerading as adults will require robots to wipe their backsides for them and spoon feed them mush for dinner (chew solids? Too much effort). You think the passengers on the starship in Wall-E were just a joke? Hardly - it's where we're heading.

    Meanwhile all these human vegetables will have all their private data sucked up by corporations and hackers to be used as they please.

  7. Because right now by rsilvergun · · Score: 4, Funny

    someone could be in my kitchen, digitally making themselves a grilled cheese sandwich with neither my knowledge nor consent. And don't say it's just my teenager, I can't get her to step foot in a kitchen.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  8. It's not critical. by Lumpy · · Score: 3, Interesting

    My door sensor does not need 128 bits of encryption. It needs to talk to a hub inside my home unencrypted, and then the link out from there needs to be secure. The problem is all these "experts" don't have a clue at all about all of this and are clamoring that we need heavy security on everything! ZOMG!!!

    WE don't. What we need is 100% open on all the devices so that as the owner of a device I can use it with whatever I want in whatever way I want. Heavy security means I will never ever be able to do that.

    All of the IOT (I really hate that acronym) crap needs to talk to a single hub and that when allowed to communicate out needs security. There needs to be absolutely ZERO security on the inside protected network other than what already exists with decent systems like Z Wave or Zigbee where they get a key from the hub they join and only talk to that network. Can it be still hacked? Yes, but not by the typical thief who really would not care to as all he has to do is a smash and grab.

    My toaster does not need to tweet or talk to Westinghouse's servers. It needs to talk to my HA hub, and from there I can decide if it needs access to post to Slashdot that my double cinnamon raisin toast is done.

    --
    Do not look at laser with remaining good eye.
  9. Re:What is IoT? by Lumpy · · Score: 2, Informative

    Hackers are not going to do a home invasion. Stop being a paranoid conspiracy nut who likes spreading fear.

    Less than 7% of all burglaries are home invasions (US gov data, go look it up). You have a significantly higher chance of dying in your bathtub, or your car exploding on your way to work than a home invasion.

    Lastly, 99% of all home invasions are done by drugged out violent criminals, not highly educated and skilled hackers. That last 1%? Done by people you know.

    --
    Do not look at laser with remaining good eye.
  10. Typical Slashdot discussions now by hodet · · Score: 2

    Anything on IoT becomes a shitfest discussion of toasters and fridges. Fuck what happened to this place.

  11. Wrong security model by silas_moeckel · · Score: 2

    The "it's got wifi and connects to the cloud" model is broken by design. It's a great marketing thing to make you replace your outdated bits every few years since they are no longer compatible. But a model that is reliant on lots of vendors to do constant updates to deal with newly uncovered issues fails as white good vendors forget about a model the instant a newer version comes out. All of the cloud features have been how can we nickel and dime you.

    You need basic encryption/authentication/replay prevention on the network. The device(s) that control those networks need to be secure. We have openhab etc in the opensource side and a small pile of black boxes with varying levels of local intelligence. My vera can not reach the internet, it's in an isolated network along with a few other IP based IoT like my garage door controller, some DIY kit etc. Oddly it chugs along just fine with openhab relaying any external info it needs like when I should be arriving home or the weather forecast. Sure if there is a network level exploit to zwave, insteon, zigbee or whatever will need to get firmware upgrades on bits. Bet far better to make something that's not intended to be a 20+ year lifespan embedded device be the thing that gets upgraded etc. The last thing I want is my fridge having to phone home to do anything, to be reliant that some cloud is still there and supports my 20-30-40 year old device. Sensors can be very well defined, it's not like some software upgrade will add a new sensor. Lightbulbs are getting smarter with RGBW and color temps as well as dimming, would expect motion sensing, ambient light levels etc to be pretty standard soon. But who wants to worry that the cheap Chinese bulbs they got at Walmart won't get security patches a couple years from now?

    --
    No sir I dont like it.
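
The "authentication/replay prevention on the network" that comment 11 asks for, sketched as an added example that is not part of the thread and is not the protocol of any product named in it. The frame layout, the `Sensor` and `Hub` classes and the sample key are constructed assumptions; the sketch covers authentication and replay rejection only, not encryption.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size

class Sensor:
    """Constructed device side: frame = id_len | id | counter | payload | tag."""
    def __init__(self, device_id: bytes, key: bytes):
        self.device_id, self.key, self.counter = device_id, key, 0

    def frame(self, payload: bytes) -> bytes:
        self.counter += 1  # strictly increasing, never reused with this key
        body = (bytes([len(self.device_id)]) + self.device_id
                + struct.pack(">Q", self.counter) + payload)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

class Hub:
    """Constructed hub side: one key and one last-seen counter per device."""
    def __init__(self, keys: dict):
        self.keys = keys
        self.last_counter = {}  # a real hub would persist this across reboots

    def accept(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < 1 + 8 + TAG_LEN:
            return None
        id_len = frame[0]
        if len(frame) < 1 + id_len + 8 + TAG_LEN:
            return None
        device_id = frame[1:1 + id_len]
        key = self.keys.get(device_id)
        if key is None:
            return None  # device never joined this hub
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or modified in transit
        (counter,) = struct.unpack(">Q", frame[1 + id_len:1 + id_len + 8])
        if counter <= self.last_counter.get(device_id, 0):
            return None  # replay of an old, validly signed frame
        self.last_counter[device_id] = counter
        return frame[1 + id_len + 8:-TAG_LEN]

def demo():
    key = b"constructed-sample-key-not-real!"
    sensor, hub = Sensor(b"door-1", key), Hub({b"door-1": key})
    first = sensor.frame(b"door=open")
    tampered = bytearray(sensor.frame(b"door=shut"))
    tampered[-TAG_LEN - 1] ^= 0x01  # flip one bit of the payload
    return [hub.accept(first), hub.accept(first), hub.accept(bytes(tampered))]
```

The counter is checked only after the tag verifies, so a forged frame cannot advance the hub's state and lock the real sensor out.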