Slashdot Mirror

← Back to Stories (view on slashdot.org)

New WiFi HaLow Protocol May Bring Old Security Issues With It

Posted by timothy on from the danger-everywhere dept.

Trailrunner7 writes: Perhaps because smart lightbulbs that refuse firmware updates and refrigerators with blue screens of death aren't enough fun on their own, a new WiFi protocol designed specifically for IoT devices and appliances is on the horizon, bringing with it all of the potential security challenges you've come to know and love in WiFi classic. The new protocol is based on the 802.11ah standard from the IEEE and is being billed as Wi-Fi HaLow by the Wi-Fi Alliance. Wi-Fi HaLow differs from the wireless signal that most current devices uses in a couple of key ways. First, it's designed as a low-powered protocol and will operate in the range below one gigahertz. Second, the protocol will have a much longer range than traditional Wi-Fi, a feature that will make it attractive for use in applications such as connecting traffic lights and cameras in smart cities. But, as with any new protocol or system, Wi-Fi HaLow will carry with it new security considerations to face. And one of the main challenges will be securing all of the various implementations of the protocol.

65 comments

  1. Great idea! by mwvdlee · · Score: 5, Funny

    I've always wanted to be able to control traffic lights.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re: Great idea! by Anonymous Coward · · Score: 1

      Whoever wrote the article is quite visibly stupid.
      Let's not replace all those hacky vendor-dependent implementations with one that will be well known, with security considerations fully described, because chinese hackers and smart fridges!

    2. Re:Great idea! by Anonymous Coward · · Score: 0

      Let alone smart cities...

    3. Re: Great idea! by Anonymous Coward · · Score: 0

      I have another idea: how about we replace hacky vendor-dependent implementations with one that will be well-known, with security considerations fully described, and we keep our safety-cricital systems like traffic lights, which have for generations functioned without wireless capability, the hell off of networks and especially wireless ones. We could extend this idea to other critical systems, like the power grid.

    4. Re: Great idea! by MachineShedFred · · Score: 1

      Exactly.

      Re-using the 900Mhz open spectrum is a very good idea, for very good engineering reasons - there are things you can do in 900Mhz that 2.4 and 5.1 Ghz can't at low power levels. And, in no way, is talking about fad consumer electronics that attach to the Internet for no added value whatsoever a reason not to re-use this spectrum that was relegated to garbage cordless landline telephones and the odd pair of pre-Bluetooth wireless headphones.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    5. Re: Great idea! by Anonymous Coward · · Score: 1

      Sorry to burst your bubble but wireless has been used for well over a decade in various infrastructure systems. Not more than a mile away from where I'm sitting are a string of traffic lights all linked by wireless for better traffic flow. I have little doubt that the vendor for them took few if any security precautions, like many vendors they probably rely on security through obscurity. While I fully agree that there should be significant limits on wireless integration, there are ways to implement it safely. To do so however we need fully open and vetted protocols and systems with fail-safes in the CERTAIN EVENT that a security exploit is found/abused. An example with traffic lights would be hardware set limits for light times and safety rules, so that even of someone hacked the wireless they couldn't set both roads to green or green. And of course networked and critical systems should be separate pieces of hardware, with little if any two way communication from the network side to the critical side.

    6. Re: Great idea! by macs4all · · Score: 1

      Exactly.

      Re-using the 900Mhz open spectrum is a very good idea, for very good engineering reasons - there are things you can do in 900Mhz that 2.4 and 5.1 Ghz can't at low power levels. And, in no way, is talking about fad consumer electronics that attach to the Internet for no added value whatsoever a reason not to re-use this spectrum that was relegated to garbage cordless landline telephones and the odd pair of pre-Bluetooth wireless headphones.

      Too bad Zigbee is relegated to 2.4 GHz only. This sounds like a possible solution for the RF pollution problem that Comcast is having with their Zigbee-based wireless security system, as reported in Slashdot in the last week or so.

    7. Re: Great idea! by tlhIngan · · Score: 2

      Sorry to burst your bubble but wireless has been used for well over a decade in various infrastructure systems. Not more than a mile away from where I'm sitting are a string of traffic lights all linked by wireless for better traffic flow. I have little doubt that the vendor for them took few if any security precautions, like many vendors they probably rely on security through obscurity. While I fully agree that there should be significant limits on wireless integration, there are ways to implement it safely. To do so however we need fully open and vetted protocols and systems with fail-safes in the CERTAIN EVENT that a security exploit is found/abused. An example with traffic lights would be hardware set limits for light times and safety rules, so that even of someone hacked the wireless they couldn't set both roads to green or green. And of course networked and critical systems should be separate pieces of hardware, with little if any two way communication from the network side to the critical side.

      Actually, even WiFi has been using 900MHz for a long time now - it's not standard, but I am aware there are several implementations that use 802.11g at 900MHz instead of 2.4GHz. Proprietary of course, but you get with it all your standard WiFi security - open, WEP, WPA, WPA2.

      As for traffic lights, they actually do have protection - the outputs of the controller pass through a verifier to ensure unsafe states for the lights do not happen - if that happens, they immediately start the blinking light behavior to indicate the signal is down and prevent the controller from controlling the lights until the verifier is reset.

      You can't override this - the verifiers have the line-voltage signals as inputs (just before going to the lights) and the only output is really "signal failure". After all, they're really just checking to make sure two intersecting greens don't happen (either green through, or turning arrow greens that conflict), or that pedestrian lights make sense (considered a green), etc.

      Traffic light intersections are "simple" enough that it's actually possible to enumerate all the states they could be in and only allow the valid ones. Even the most complex of intersections generally are easy to figure out the valid light patterns in a state table.

    8. Re: Great idea! by hidden · · Score: 1

      Not sure if you're being facetious: you know there are 900Mhz ZigBee radios, right? (The throughout is weak though)

    9. Re: Great idea! by Anonymous Coward · · Score: 0

      >An example with traffic lights would be hardware set limits for light times and safety rules, so that even of someone hacked the wireless they couldn't set both roads to green or green. And of course networked and critical systems should be separate pieces of hardware, with little if any two way communication from the network side to the critical side.

      This is something that people seem to forget. When designing systems, they often don't separate these things. And when considering the idea of putting things onto a network, they ignore the possibility of separating these things. The fact is that, like you said, it's possible and not difficult to do exactly that. Systems can receive and transmit data onto a network in a questionably secure manner while simultaneously maintaining enough oversight and control of itself so as not to allow dangerous consequences. Designed properly, the worst a hacker would be able to do would be to fuck up the traffic light timing to be inconvenient. No 4-way green, no conflicting greens, no sudden changes from green straight to red, etc. It would be annoying, but not dangerous.

    10. Re:Great idea! by Darinbob · · Score: 1

      It's a real thing though, remote configuration and monitoring of traffic lights, and wireless or wireless mesh is an approach actively being considered and implemented. That's why security is important, and better security than WiFi Alliance's WPA/WPA2 stuff. Generally this stuff is not on the "internet" despite the fashionable idea of calling these sorts of things "IoT".

    11. Re: Great idea! by Darinbob · · Score: 1

      The WiFi security isn't the best. But beyond that this is only a link layer security, it does not deal with security once a packet is already on the air. You need security from endpoint all the way to the back office and if that is strong then you don't need the link layer security except to prevent localized disruptions (fake APs, etc).

  2. Finally by vikingpower · · Score: 2

    a way to put offline all these CCTV cameras in Europe's cities. Or aim them at the heavens. Bring it on !

    --
    Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
    1. Re: Finally by bill_mcgonigle · · Score: 2

      I understand you're having problems with your Police State. Have you tried turning it off and back on again?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re: Finally by KGIII · · Score: 1

      *snickers* I probably shouldn't have but I read that and envisioned Clippy. Though, if there's a switch to turn it off - I'm not sure why you'd turn it back on again.

      --
      "So long and thanks for all the fish."
    3. Re: Finally by vikingpower · · Score: 0

      I'm at it. Again.

      --
      Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
    4. Re:Finally by The-Ixian · · Score: 1

      From what I have heard, the protocol tops out at 100Kbps.

      So, no streaming video.

      --
      My eyes reflect the stars and a smile lights up my face.
  3. thanks dave by Anonymous Coward · · Score: 0

    that's the spirit https://www.youtube.com/watch?v=ScVi_L817ec

  4. "Could" by 93+Escort+Wagon · · Score: 5, Insightful

    The article basically says all this could happen. It says nothing about the new protocol; nor does it talk about anything specific that's known about it.

    It pretty much boils down to "here's a new protocol, and since new protocols often have security holes, this one may also have security holes."

    --
    #DeleteChrome
    1. Re:"Could" by Anonymous Coward · · Score: 0

      For a moment I thought you had misspelled "cloud".

    2. Re:"Could" by Anonymous Coward · · Score: 0

      Yeah, I was expecting the summary to summarise some of the security issues.

      Shouldn't have been surprised when it didn't.

    3. Re:"Could" by gstoddart · · Score: 1

      OK, then let's be more certain:

      We know damned well that the people who write the protocols in both the devices as well as the routers will do it in a lazy half-assed manner which is guaranteed to have gaping security holes in it. History tells us there is no "if", "might", "maybe", or "could".

      Over and over we pretty much see that this is almost guaranteed to happen.

      IoT is marketing hype, and as such this is being pushed to market by a bunch of people who don't value security, and bear no penalty for being lazy or incompetent. Which pretty much means they will be lazy or incompetent.

      I refuse to buy any of this IoT crap, or let it into my home. Because like every other bit of consumer electronics, I have zero confidence that until companies have legal and financial liability for doing a shitty job, they will have any reason to stop doing a shitty job.

      As long as some pointy haired boss can cut corners, or some marketing guy can insist on shipping to make it to market first ... the security holes are pretty much a given.

      And the last decade or more is pretty much what we see happening when these companies don't have any liability.

      If you don't think the IoT is going to be a gong-show of bad security, you haven't been paying attention, and naively believe the underlying problem will magically fix itself.

      Companies aren't going to change how they write security, because they have neither incentive to do it, nor penalties for not doing it.

      Which means if you think you'll magically get secure products you are delusional.

      --
      Lost at C:>. Found at C.
    4. Re:"Could" by U2xhc2hkb3QgU3Vja3M · · Score: 1

      To summarize the summary of the summary: people are a problem.

    5. Re:"Could" by MachineShedFred · · Score: 1

      The Internet of Useless Things doesn't predicate the use of a new lower frequency block in standardized layer-2 wireless communication. This could happen perfectly fine without the discussion of a web-enabled juicer.

      Tying the two together, which this article attempts to do, is complete nonsense. The WiFi consortium would have been looking at this for a long time before the current IoT horseshit started to take off.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    6. Re:"Could" by gstoddart · · Score: 2

      No, but I will still maintain that a new protocol, coupled with the lazy bastards writing IoT products, is pretty much 100% guaranteed to create new security holes.

      Because every time we get a new protocol we get companies who do a lousy job of adhering to it, and every single company making consumer electronics demonstrates time and time again they're lazy/incompetent/cheap/indifferent to properly implementing security.

      I refuse to believe the companies making IoT things won't fuck up and create new security issues ... because they've been doing it for quite a long time already.

      The newsfeed here on Slashdot tells me pretty much constantly these people cannot be trusted with security. Short of new reasons to think that will change, I'm going to assume nothing will.

      --
      Lost at C:>. Found at C.
    7. Re:"Could" by UnderCoverPenguin · · Score: 1

      If you don't think the IoT is going to be a gong-show of bad security, you haven't been paying attention

      It already is and has been for a while. Hard coded admin passwords, no or broken encryption implementations, "phoning the mothership", etc.

      --
      Don't try to out wierd me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
    8. Re:"Could" by AmiMoJo · · Score: 1

      WiFi HaLow is likely to improve security, if anything. Rolling your own security is usually what leads to problems, so using something off-the-shelf and built into chipsets that have been verified by the manufacturer is going to be better than whatever solutions random IoT developers would come up with.

      Of course they will still find ways to screw it up, but as a baseline it should really help.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. We don't need another band by Anonymous Coward · · Score: 0

    The problem is none of the bands are wide enough to really provide the bandwidth that is desired. They keep trying new stuff which means every device must again have different chips in order to work. But something always seems to be lacking either in range, conflicts with other signals or a lack of real world speed because of range and signals. So now we go backwards from 5Ghz to under 1Ghz to try and fix range issues. Trouble is the range improvements may only add to another layer of cross path signal problems. The only reason 5Ghz worked so well with speed was that range kept the signals from competing and interfering and that it had plenty of channels to spread out the spectrum. If we could have done this with 2.4Ghz in the first place. That would have been a much better solution. We now know that 5Ghz has too many range and limitations due to lack of penetrating solid objects like walls and such. The IEEEE is the Goldilocks looking for the perfect spectrum and I am not sure that's even realistic.

    1. Re:We don't need another band by Rob+Lister · · Score: 5, Interesting
      AC, all of what you wrote misses almost completely.

      The IEEEE is the Goldilocks looking for the perfect spectrum and I am not sure that's even realistic.

      Perfect is in the eye of the objective.
      * 2.4GHz band is ideal for many applications but not all.
      * 5GHz band has more bandwidth than 2.4 but also less range.
      * 900MHz band has less bandwidth than 2.4GHz band but also more range.

      So what is your objective?

      One can argue that there was no need for the HaLow because other protocols exist for communicating on that range, but that's a different argument. If other protocols suit the objective better, nothing prevents them from being used.

    2. Re:We don't need another band by MachineShedFred · · Score: 1

      Wait...

      You mean that wireless communications engineers might actually know what the fuck they are doing, and make technical decisions based on the technical merits of the technology? Unpossible.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    3. Re:We don't need another band by acoustix · · Score: 1

      And all of the existing bands are overwhelmed. Good luck using any unlicensed frequencies in cities.

      --
      "A plan fiendishly clever in its intricacies"- Homer Simpson
    4. Re:We don't need another band by Rob+Lister · · Score: 1

      Traffic expands to fill the roads built for it. Quelle surprise.

    5. Re:We don't need another band by Rob+Lister · · Score: 1

      Yea, pretty much that. In a perfect world we'd have a dedicated, contiguous band from ~900MHz all the way to 5GHz (or beyond) with your router and client negotiating for the best channel given what it is trying to do. But perfect worlds elude us perfectly. But even were that so some folks would bitch. Probably here. Certainly here. And that's okay.

  6. FUD by OzPeter · · Score: 4, Insightful

    TFA is pure unadulterated FUD

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:FUD by Anonymous Coward · · Score: 0

      Headline says "classic" problems are coming back, article or summary does not discuss what any of these are. Just that it could be the case. Fucking dumb DICEdot.

  7. IT'S A TRAP! by Anonymous Coward · · Score: 1

    Noted how they're tweaking the laws to have a "terrorism" special case everywhere?

    Given the flexibility of the label, perhaps just having an nmap or a wireshark could get any of us in jail. Spreading about protocols with fat and enticing vulnerabilities is the best bait to catch all-too-curious people.

    Collaterals? Nah, we learned to cope with that.

  8. I am Cassandra by Sir+Holo · · Score: 3, Insightful

    Does anyone else around here ever get tired of being a Cassandra?

    People won't heed warnings about stupid new 'tech devices'. But 10 years later, once it has bitten them in the ass, they complain to us that we weren't emphatic enough.

    Society gets what it asks for.

    1. Re:I am Cassandra by GrumpySteen · · Score: 1

      You'd have a point if there was any substance to the article, but there isn't. There's a quote in the article, repeated in large, bold letters, which sums up what they're saying:

      âoeWhile the standard could be good and secure, implementations by different vendors can have weaknesses and security issues."

      But the large bold lettered part leaves out what followed; "This is common to all protocols,â and the entire article ignores that.

      There is no protocol available that is 100% secure against hacking, but using one that actually has open source implementations that vendors can use (or at least use as a reference for their own implementation) is a vast improvement over the current situation. What we have now are half-assed proprietary protocols whose primary purpose is to enforce incompatibility with third party products and lock you into purchasing from a single manufacturer.

      You aren't being Cassandra. You're being the descendant of the lone nutjob who ran around in the 70s screaming that nobody should implement TCP and everyone should stick with incompatible protcols because he thought nothing good could could possibly come from a universal standard.

    2. Re:I am Cassandra by thegarbz · · Score: 1

      Society gets what it asks for.

      What have we gotten? For all the various security breaches in the past few years one can still argue that as a society we are better off now than when we were more secure and less connected.

      What an amazing time to be alive!

    3. Re:I am Cassandra by Anonymous Coward · · Score: 0

      I've been asking for a year long black out and a return to the dark ages because vikings, crusaders and castles are the things I dream of and I'm sick of living in everyone else's never ending boring modern day dream.

    4. Re:I am Cassandra by GrumpySteen · · Score: 1

      PS: Dear slashdot,

      We all know that implementation takes time, but Unicode has been around for over twenty years now. Granted, you did spend about a decade (okay, two years or so, but it felt like a decade) screwing around with that crappy beta interface that everyone hated, but you gave up on that almost a year ago. You could have gotten this done by now if you hadn't been so intent on putting commercials (oh, sorry, videos) on the front page, but hey... bygones. Now would be a good time to fix something that people have literally been complaining about since the turn of the century.

    5. Re:I am Cassandra by KGIII · · Score: 1

      I dunno about all that? I use 27 Lithuanian boys that I trained to chitter like squirrels. They chitter my packets back and forth and if they send a malformed packet then I beat them with a stick (or a rubber hose - if I've got people over, LAN parties can be interesting) and they eventually learn to drop any unwanted packets. It beats a hosts file and functions as a firewall - all at the same time. There's a little latency around dinner time and a little less redundancy after "the incident" but it's pretty damned secure unless ICE happens to stop by. As for "the incident?" It turns out that the application of higher voltage does not actually result in greater throughput and the version regression means we're at 2.7 instead of 3.4. If Little Boris, that's what I call him - I don't actually know his name, keeps messing up his chittering we're probably going to be regressing to v. 2.6 pretty soon.

      Sadly, in the past I didn't have to add that the above is *humor* and that I don't really have 27 Lithuanian boys chittering my packets back and forth, but Slashdot's changed over the years. I should probably mention that it's *humor* (not even very good humor) lest I go downstairs and find ICE looking around for a collection of Lithuanian boys in my basement. Joke's on them though, there's no basement in this house.

      --
      "So long and thanks for all the fish."
    6. Re:I am Cassandra by antdude · · Score: 1

      Hi Cassandra. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    7. Re:I am Cassandra by Anonymous Coward · · Score: 0

      More through put is possible with higher voltage ... it all depends upon 'where' you attach the alligator clips ... you will need to experiment a little more.

    8. Re:I am Cassandra by Sir+Holo · · Score: 1

      The article lacked any substance.

      I was just making a general comment. . . in the wrong forum, apparently.

    9. Re:I am Cassandra by Sir+Holo · · Score: 1

      You'd have a point if there was any substance to the article, but there isn't. There's a quote in the article, repeated in large, bold letters, which sums up what they're saying:

      ...

      You aren't being Cassandra. You're being the descendant of the lone nutjob who ran around in the 70s screaming that nobody should implement TCP and everyone should stick with incompatible protcols because he thought nothing good could could possibly come from a universal standard.

      The article was crap. True.

      I was speaking generally. I did not finish RTFA.

      It just seemed an appropriate occasion to ask the question (based on the summary) – a general question. Not about net security, but about being a prescient person in general. Managers, politicians, and the general public ignore real innovations or warnings, and disregard the visionary types. They then later blame the engineers/programmers/scientists for not having 'done something sooner'.

      Prime example: Douglas Engelbart of SRC International. He and his team created the computer mouse, hypertext, and bit-mapped screen displays. In 1968, these and more were displayed at the 'Mother of All Demos'. Management had little to no interest in such useless things (LOL), so it wasn't until about 20 years later that someone named Steve was given a demo — He promptly asked to license the technology (much of which was not patented, due to management's blinders).

  9. Dupe. Uninformative. Silly speculation. by Bearhouse · · Score: 4, Interesting

    Bonus points for overuse of the word "protocol".
    By the way, the "much longer range" (debatable)...that's a function of the wavelength guys, not the protocol.

    Anyway, dupe. Was widely discussed here the other day; can be bothered to find TFA.
    Was a nice nerdy conversation about range vs. antenna design vs. signals stomping all over each other...
    More info on 11ah here;
    https://en.wikipedia.org/wiki/...

    Don't see how this will bring any more - or less -security. If, and it's a big if, people learn from the mistakes of the past, then our previous experiences with wifi should make people more aware of the design risks and take proper steps to secure stuff.
    Of course, with all of the continuing revelations about hard-coded passwords, crap firmware and backdoors in everything from routers (both pro and consumer grade), "smart" meters and "smart house security solutions" *cough* the betting is probably that cheapo IoT devices will be as insecure as hell.
    But that's hardly the fault of the standard...

  10. Longer Range by Anonymous Coward · · Score: 1, Insightful

    More "favorable" propagation maybe (for certain values of favorable)

    It'll have better range for the 6 months it takes the 900Mhz band to get shitted up with the 100's of devices now all within sight of each other and the digital screaming match begins. Remember when 2.4Ghz wifi would get you out the front door and 50 yards down the road, and how nowadays it'll barely get from the living room to the bedroom.

  11. in other news... by ooloorie · · Score: 2

    The next release of the Linux kernel could contain old security problems. The next release of OS X could contain old security problems. The next smart card standard could contain old security problems.

  12. but why? by jandersen · · Score: 1

    What I still can't grasp is this: apart from certain niche applications, why would anybody want a 'smart lightbulb'? And the wider question - isn't the whole IoT thing a solution looking for a problem to solve? So far, I can't for the life of me see a convincing reason to invest in the gadgets that have been proposed so far - kitchen appliances on the internet? Thermostats? I suppose home-surveillance might be somewhat interesting, but wouldn't it be rather light hearted to connect cameras looking at your private life etc directly to the open internet? "Oh, look, they've got a rather good collection of Royal Doulton statuettes, and a nice TV. And they always go away over the weekend ..."

    1. Re:but why? by Anonymous Coward · · Score: 0

      I'm guessing you haven't seen the videos of smart bulbs and movies or video games where the bulbs change colors to match the ambiance.

    2. Re:but why? by Rob+Lister · · Score: 2

      Thermostats?

      I agree that it is a little silly to put each and every little thing on-line, but my wifi thermostat has been very, very useful. I can't imagine the need to connect the 'fridge though. A wifi stove would be about as useful as the 'cook time' feature I never use. A wifi coffee maker would be about as useful as its clock I never bother setting (besides, a clock should just *know* what time it is). Now where is my wifi stapler?

    3. Re:but why? by Anonymous Coward · · Score: 0

      nope.

    4. Re:but why? by drinkypoo · · Score: 1

      What I still can't grasp is this: apart from certain niche applications, why would anybody want a 'smart lightbulb'?

      What I still can't grasp is this: apart from trolling, why would luddites use Slashdot?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:but why? by KGIII · · Score: 1

      I have a home surveillance system and I pretty much used off-the shell components for it. It is, technically, on the internet at the moment - because I won't be back home until spring. However, in order to access it you need to do so with a specific IP address and there are a few other things that are checked before you can access it. Once you've accessed it you can move a few of the cameras and view archive footage.

      It'll even jump to motion - so it can be scanned quickly and if things change it jumps to those parts if you want. You can't delete archive footage or anything by remote. Well, you can click the button but the permissions don't actually let it work - it doesn't throw an error or anything and the files are not deleted. There's a bit more to it but I'd rather not openly disclose the actual topography considering that I've given people directions to my house before and it'd be pretty easy to find.

      It's, for the most part, on its own network - complete with its own connection to the 'net and own hardware and IP address that's not shared with anything else. There's some storage mechanism that isn't entirely on its own network but that's pretty locked down too. Is it secure? Probably not completely - I can access it from remote, after all. Is it reasonably secure? I think so.

      When I return, it will get physically disconnected from the 'net and reconfigured in a slightly different manner. I don't even bother keeping it on when I'm in the area or when I'm home. I'd rather not disclose the specifics but, for the most part, I just spent a while looking at things said at sites like Slashdot, asked a few questions, and poked and prodded a few things until I found what seemed to work best. I didn't want to try writing my own, I wasn't sure what I'd end up doing wrong. I didn't want to buy someone else's solution because they generally have known flaws and it might be easier to figure out those flaws if it was a known system. It doesn't have a *direct* connection to the 'net or anything and only specific hardware is allowed to connect to it.

      I imagine someone local could eventually do something? It's not wireless but they could just smash a window and unplug stuff. I'm sure there's some level of insecurity as, after all, I can connect to it. So, there's that? I dunno... It's certainly not perfect but I guess it can count as an IoT thing? You can pan, zoom, and tilt a few of the cameras. You might see a moose or a deer. I have local friends who have access so I guess you could spot them. If I'd thought about it, I could have hooked up a paintball gun with a servo and you could shoot at 'em or something?

      --
      "So long and thanks for all the fish."
  13. Re:Dupe. Uninformative. Silly speculation. by Anonymous Coward · · Score: 0

    Actually, part of the protocol describes how the binary signal is mapped to analog (as radio is really an analog signal). The effective range is approximately determined by the distance at which noise overtakes the signal. Now, wavelength-dependent attenuation determines how quickly the signal degrades, and the noise typically is also wavelength-dependent. That indeed is independent of protocol. However, some protocol choices are more noise-tolerant than others. ADSL famously estimates noise to choose different analog representations, in order to maximize bandwidth.

    Back on topic, a good design can in fact prevent whole classes of security flaws. Not all, but things like "hardcoded passwords" can be avoided by outright banning of passwords in the protocol. For instance, replace that with a shared secret generation & exchange mechanism. (Passwords are shared secrets too, but their flaw lies in the generation. Hardcoded passwords are the ultimate generation bug)

  14. Re:Dupe. Uninformative. Silly speculation. by Anonymous Coward · · Score: 0

    In theory the encryption choices are limited to some degree because of bandwidth constraints. In practice none of that matters because the implementations will be half assed and broken regardless.

    Ask any hardware guy that worked for a vendor, chances are he STILL remembers most of the back doors employers had in their products. Which security company backdoors do I still remember? Major ones.

  15. don't connect * to the internet by Anonymous Coward · · Score: 1

    Seriously, you want to solve "old security issues" that are only an issue because you attached some random device to the internet that has no business being attached to the internet.

    The refrigerator, the thermostat, the kettle, the coffee maker, etc etc, these don't need connected to the internet. There is nothing about a thermostat that needs IP access to function.

    As for your lights etc, there is this amazing thing called a light switch. Sure it involves you getting up off your ass to turn the things on and off, but suck it up princess.

    I'm not being a Luddite either, some things work well enough being "dumb".

    1. Re:don't connect * to the internet by acoustix · · Score: 1

      Seriously, you want to solve "old security issues" that are only an issue because you attached some random device to the internet that has no business being attached to the internet.

      This new wireless protocol doesn't necessarily have anything to do with being connected to the Internet. But I do agree that there are too many devices and services connected to the Internet that have no business being connected to the Internet.

      --
      "A plan fiendishly clever in its intricacies"- Homer Simpson
  16. too soon connected, too late smart by LyingDown · · Score: 1
    Love this:

    Perhaps because smart lightbulbs that refuse firmware updates and refrigerators with blue screens of death aren't enough fun on their own...

    My TV's sound bar crashed last night and needed to be power cycled - and not via the power button, that was non-responsive, I had to yank the power cord. I have grown accustomed to rebooting my Roku and my TiVo and occassionally even my Plex server, but the sound bar?

  17. 902 - 928 MHz Garbage Band by sillivalley · · Score: 2

    Does anyone remember home cordless phones moving off the 902 - 928 MHz band to 2.4 GHz a decade or more ago, to escape all the garbage filling that chunk of spectrum?

    Amateur radio operators have that band (33cm) as a secondary allocation -- and can run up to 1500 Watts. Ha-Lo? Good-Bye! It's also primary to ISM (Industrial, Scientific, Medical) equipment. Still a lot of cordless phones, baby monitors, wireless audio and video extenders.

    And that's the home of the "new" Ha-Lo devices... Oh, the strategies .AH uses will help some, but they'll still be susceptible to all the other crap already operating on that band. And remember, FCC Part 15 means they have to put up with whatever's out there.

    If anything, they're hoping most of that crap has aged out of existence. There's still a lot out there. Oh, it's also ITU region 2 only -- the Americas. No sales in Europe, and no (legal anyway) sales in China, Japan, etc.

  18. WTF... by Anonymous Coward · · Score: 0

    ...you've come to know and love in WiFi classic

    WTF?! It's not a soft drink. /RANT MODE (grin): When you semi-literate millennial fucks (not all of you mind you but certainly most of you) aren't getting the meaning of words complete wrong or "creatively reinventing" new meanings for words when perfectly adequate words already exist, you still can't seem to refrain from insisting on amping up the impact of your language with "high energy words." IT'S NOT A FUCKING ENERGY DRINK, EITHER! ;)

  19. Look for the bright side by bobdehnhardt · · Score: 1

    It's much more fun to consider the impending doom this protocol brings if you pronounce it to rhyme with "Hey Now" and imagine Jeffrey Tambor saying it.

  20. Not Smart by Anonymous Coward · · Score: 0

    "... make it attractive for use in applications such as connecting traffic lights and cameras in smart cities."

    That would not be 'smart'.

  21. Re:Dupe. Uninformative. Silly speculation. by Anonymous Coward · · Score: 0

    One reason it could bring lesser security is the lower power part.
    Security means more resources means more power means costly.
    Yep. This is a thing and has happened before, many times.

    In fact, it is quite common to have a decent high-level router for the home that has 2 networks, one with the best security you can get, and one set to low, basic security because a SHITLOAD of terrible and still pretty NEW devices with, at best, WEP.