Slashdot Mirror

← Back to Stories (view on slashdot.org)

New WiFi HaLow Protocol May Bring Old Security Issues With It

Posted by timothy on from the danger-everywhere dept.

Trailrunner7 writes: Perhaps because smart lightbulbs that refuse firmware updates and refrigerators with blue screens of death aren't enough fun on their own, a new WiFi protocol designed specifically for IoT devices and appliances is on the horizon, bringing with it all of the potential security challenges you've come to know and love in WiFi classic. The new protocol is based on the 802.11ah standard from the IEEE and is being billed as Wi-Fi HaLow by the Wi-Fi Alliance. Wi-Fi HaLow differs from the wireless signal that most current devices uses in a couple of key ways. First, it's designed as a low-powered protocol and will operate in the range below one gigahertz. Second, the protocol will have a much longer range than traditional Wi-Fi, a feature that will make it attractive for use in applications such as connecting traffic lights and cameras in smart cities. But, as with any new protocol or system, Wi-Fi HaLow will carry with it new security considerations to face. And one of the main challenges will be securing all of the various implementations of the protocol.

13 of 65 comments (clear)

  1. Great idea! by mwvdlee · · Score: 5, Funny

    I've always wanted to be able to control traffic lights.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re: Great idea! by tlhIngan · · Score: 2

      Sorry to burst your bubble but wireless has been used for well over a decade in various infrastructure systems. Not more than a mile away from where I'm sitting are a string of traffic lights all linked by wireless for better traffic flow. I have little doubt that the vendor for them took few if any security precautions, like many vendors they probably rely on security through obscurity. While I fully agree that there should be significant limits on wireless integration, there are ways to implement it safely. To do so however we need fully open and vetted protocols and systems with fail-safes in the CERTAIN EVENT that a security exploit is found/abused. An example with traffic lights would be hardware set limits for light times and safety rules, so that even of someone hacked the wireless they couldn't set both roads to green or green. And of course networked and critical systems should be separate pieces of hardware, with little if any two way communication from the network side to the critical side.

      Actually, even WiFi has been using 900MHz for a long time now - it's not standard, but I am aware there are several implementations that use 802.11g at 900MHz instead of 2.4GHz. Proprietary of course, but you get with it all your standard WiFi security - open, WEP, WPA, WPA2.

      As for traffic lights, they actually do have protection - the outputs of the controller pass through a verifier to ensure unsafe states for the lights do not happen - if that happens, they immediately start the blinking light behavior to indicate the signal is down and prevent the controller from controlling the lights until the verifier is reset.

      You can't override this - the verifiers have the line-voltage signals as inputs (just before going to the lights) and the only output is really "signal failure". After all, they're really just checking to make sure two intersecting greens don't happen (either green through, or turning arrow greens that conflict), or that pedestrian lights make sense (considered a green), etc.

      Traffic light intersections are "simple" enough that it's actually possible to enumerate all the states they could be in and only allow the valid ones. Even the most complex of intersections generally are easy to figure out the valid light patterns in a state table.

  2. Finally by vikingpower · · Score: 2

    a way to put offline all these CCTV cameras in Europe's cities. Or aim them at the heavens. Bring it on !

    --
    Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
    1. Re: Finally by bill_mcgonigle · · Score: 2

      I understand you're having problems with your Police State. Have you tried turning it off and back on again?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  3. "Could" by 93+Escort+Wagon · · Score: 5, Insightful

    The article basically says all this could happen. It says nothing about the new protocol; nor does it talk about anything specific that's known about it.

    It pretty much boils down to "here's a new protocol, and since new protocols often have security holes, this one may also have security holes."

    --
    #DeleteChrome
    1. Re:"Could" by gstoddart · · Score: 2

      No, but I will still maintain that a new protocol, coupled with the lazy bastards writing IoT products, is pretty much 100% guaranteed to create new security holes.

      Because every time we get a new protocol we get companies who do a lousy job of adhering to it, and every single company making consumer electronics demonstrates time and time again they're lazy/incompetent/cheap/indifferent to properly implementing security.

      I refuse to believe the companies making IoT things won't fuck up and create new security issues ... because they've been doing it for quite a long time already.

      The newsfeed here on Slashdot tells me pretty much constantly these people cannot be trusted with security. Short of new reasons to think that will change, I'm going to assume nothing will.

      --
      Lost at C:>. Found at C.
  4. FUD by OzPeter · · Score: 4, Insightful

    TFA is pure unadulterated FUD

    --
    I am Slashdot. Are you Slashdot as well?
  5. I am Cassandra by Sir+Holo · · Score: 3, Insightful

    Does anyone else around here ever get tired of being a Cassandra?

    People won't heed warnings about stupid new 'tech devices'. But 10 years later, once it has bitten them in the ass, they complain to us that we weren't emphatic enough.

    Society gets what it asks for.

  6. Dupe. Uninformative. Silly speculation. by Bearhouse · · Score: 4, Interesting

    Bonus points for overuse of the word "protocol".
    By the way, the "much longer range" (debatable)...that's a function of the wavelength guys, not the protocol.

    Anyway, dupe. Was widely discussed here the other day; can be bothered to find TFA.
    Was a nice nerdy conversation about range vs. antenna design vs. signals stomping all over each other...
    More info on 11ah here;
    https://en.wikipedia.org/wiki/...

    Don't see how this will bring any more - or less -security. If, and it's a big if, people learn from the mistakes of the past, then our previous experiences with wifi should make people more aware of the design risks and take proper steps to secure stuff.
    Of course, with all of the continuing revelations about hard-coded passwords, crap firmware and backdoors in everything from routers (both pro and consumer grade), "smart" meters and "smart house security solutions" *cough* the betting is probably that cheapo IoT devices will be as insecure as hell.
    But that's hardly the fault of the standard...

  7. Re:We don't need another band by Rob+Lister · · Score: 5, Interesting
    AC, all of what you wrote misses almost completely.

    The IEEEE is the Goldilocks looking for the perfect spectrum and I am not sure that's even realistic.

    Perfect is in the eye of the objective.
    * 2.4GHz band is ideal for many applications but not all.
    * 5GHz band has more bandwidth than 2.4 but also less range.
    * 900MHz band has less bandwidth than 2.4GHz band but also more range.

    So what is your objective?

    One can argue that there was no need for the HaLow because other protocols exist for communicating on that range, but that's a different argument. If other protocols suit the objective better, nothing prevents them from being used.

  8. in other news... by ooloorie · · Score: 2

    The next release of the Linux kernel could contain old security problems. The next release of OS X could contain old security problems. The next smart card standard could contain old security problems.

  9. Re:but why? by Rob+Lister · · Score: 2

    Thermostats?

    I agree that it is a little silly to put each and every little thing on-line, but my wifi thermostat has been very, very useful. I can't imagine the need to connect the 'fridge though. A wifi stove would be about as useful as the 'cook time' feature I never use. A wifi coffee maker would be about as useful as its clock I never bother setting (besides, a clock should just *know* what time it is). Now where is my wifi stapler?

  10. 902 - 928 MHz Garbage Band by sillivalley · · Score: 2

    Does anyone remember home cordless phones moving off the 902 - 928 MHz band to 2.4 GHz a decade or more ago, to escape all the garbage filling that chunk of spectrum?

    Amateur radio operators have that band (33cm) as a secondary allocation -- and can run up to 1500 Watts. Ha-Lo? Good-Bye! It's also primary to ISM (Industrial, Scientific, Medical) equipment. Still a lot of cordless phones, baby monitors, wireless audio and video extenders.

    And that's the home of the "new" Ha-Lo devices... Oh, the strategies .AH uses will help some, but they'll still be susceptible to all the other crap already operating on that band. And remember, FCC Part 15 means they have to put up with whatever's out there.

    If anything, they're hoping most of that crap has aged out of existence. There's still a lot out there. Oh, it's also ITU region 2 only -- the Americas. No sales in Europe, and no (legal anyway) sales in China, Japan, etc.