Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Internet of Things Is a Surveillance Nightmare (dailydot.com)

Posted by msmash on from the internet-of-broken-things dept.

An anonymous reader writes from a DailyDot's Kernel Mag article: Welcome to the Internet of Things, what Schneier calls "the World Size Web," already growing around you as we speak, which creates such a complete picture of our lives that Dr. Richard Tynan of Privacy International calls them "doppelgangers" -- mirror images of ourselves built on constantly updated data. These doppelgangers live in the cloud, where they can easily be interrogated by intelligence agencies. Nicholas Weaver, a security researcher at University of California, Berkeley, points out that "Under the FISA Amendments Act 702 (aka PRISM), the NSA can directly ask Google for any data collected on a valid foreign intelligence target through Google's Nest service, including a Nest Cam." And that's just one, legal way of questioning your digital doppelgangers; we've all heard enough stories about hacked cloud storage to be wary of trusting our entire lives to it. [...] But with the IoT, the potential goes beyond simple espionage, into outright sabotage. Imagine an enemy that can remotely disable the brakes in your car, or (even more subtly) give you food poisoning by hacking your fridge. That's a new kind of power. "The surveillance, the interference, the manipulation the full life cycle is the ultimate nightmare," says Tynan. [...] That makes the IoT vulnerable -- our society vulnerable -- to any criminal with a weekend to spend learning how to hack. "When we talk about vulnerabilities in computers... people are using a lot of rhetoric in the abstract," says Privacy International's Tynan. "What we really mean is, vulnerable to somebody. That somebody you're vulnerable to is the real question." The state of security around IoT, the chip or sensor-equipped devices connected to each other over the Internet, is deeply concerning. Just in the past few months, we have seen several instances of these devices getting hacked. We have also seen things such as Shodan, a search engine for the Internet of Things that can allow someone to browse vulnerable webcams. Many people continue to overlook the significance and potential consequences of their "smart" devices getting compromised. Someone recently asked, "So what if my coffee maker gets hacked? What are criminals going to do? Burn my coffee?" They can do a lot more than burn your coffee. You see these devices are connected to your Wi-Fi network, which gives them the ability to interact with other gadgets connected to the same network. When attackers manage to access one of these devices, it's only a matter of time before they own your entire network.

9 of 156 comments (clear)

  1. Too late by Anonymous Coward · · Score: 5, Insightful

    The convenience is worth the risk. The dumb-ass majority has spoken.

    1. Re:Too late by NatasRevol · · Score: 4, Insightful

      Fair point. But did they have any other options?

      Are there secure IoTs?

      Maybe, just maybe, the developers/manufacturers are at some fault.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:Too late by Anonymous Coward · · Score: 1, Insightful

      Yes, they could have said "no". Your scale does not need to talk to the fridge. Your thermostat does not need to talk to Google.

    3. Re:Too late by Penguinisto · · Score: 4, Insightful

      Fair point. But did they have any other options?

      Actually, as consumers, they (mostly) do have options - lots of them.

      In my case, I avoid the whole IoT thing like it were some virulent form of radioactive space herpes. It's not out of paranoia, but because my rural Satellite ISP has a bandwidth cap during most of any given 24-hour cycle. This means not bothering with the cute little automated/networked thermometers, televisions, refrigerators, etc...

      To be honest, I don't see much value in them anyway - at least not at this time; I'm perfectly capable of setting a thermostat (or throwing another log into the wood stove), and keeping a mental inventory of what's in my refrigerator. There are promising technologies/devices out (e.g. the Amazon Echo thingy), but in all honesty, they're nice-to-have things, not need-to-have (and unless you're severely disabled, nearly all of them are not much more than glorified monetization opportunities for whoever sells the thing to you - again, see also the Amazon Echo thingy).

      Anyrate, yes the consumer (that is, you and I) have the ultimate power over how much these things influence and potentially control our lives and out stuff.

      Now there may be exceptions (say you bought some swanky condo or rented an apartment that has all this stuff in it), but they can be disabled to an extent (or even hijacked by you if you know how and see a use for doing so.) It ultimately depends on you.

      Eventually, I can see where you'd have no choice but to buy such things because alternatives would cease to exist... but even there, you can simply, say, assign them to an SSID that you've throttled down to 14.4k or some obscenely low rate, then take the extra step of firewalling the shit out of that network to allow only established/related ports. Or, just hack the thing to taste (after all, phones can be jailbroken fairly quickly, so...)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    4. Re:Too late by Lumpy · · Score: 4, Insightful

      "Are there secure IoTs?"

      yep all of mine are. because I made them.

      I dont use stupid "cloud" crap for my IOT devices they talk to the server in my home, and the ones in the vacation home talk over an encrypted VPN to my home.

      it's the consumer crap designed to spy on you that are the problem, not IOT.

      --
      Do not look at laser with remaining good eye.
  2. Re:One population's security nightmare... by tnk1 · · Score: 3, Insightful

    is every Three Letter Agency's wet dream.

    Maybe not. Yes, the ability to spy on people might be useful for them, however, they're frequently charged with the protection of US citizens as well.

    If IoT is vulnerable, it is not just vulnerable to the NSA or FBI, it is vulnerable to Russia, Iran, North Korea, China, and anyone else who wants to try a hand at it. That's not a situation that would have everyone at the FBI (for instance) uncorking a bottle of champagne.

  3. It's mostly just about rebranding stuff by Sax+Russell+5449D29A · · Score: 4, Insightful

    I think the whole IoT marketing movement is about rebranding existing technologies. Remotely accessible cameras and wearable technology have been around for a very long time practically unchanged, but now they're suddenly categorized under an ambiguous umbrella term. Most of the IoT tech have been security nightmares since day 1 so we shouldn't suddenly worry about them now, we should have worried about them for over a decade. Googling for weakly protected webcams, for example, has been around since the early 2000's and it's been a "new phenomenon" every five years or so.

    If there are devices in my home or car that I find intrusive, they can't be secured properly or they somehow threaten my privacy, I'll get rid of them. This of course becomes a bit problematic once we start running out of alternative manufacturers, but I don't think that'll be a problem for a long time to come. Our cars will most likely be the first that we have least choices with as laws have started to mandate certain wireless technologies to be implemented in them.

    The very least steps everyone should take to secure networked devices of any kind is to set up a proper firewall at home and whitelist addresses they can connect to. Or even bar them behind a VPN. Wouldn't be something every average Jane and Joe can do, but that's another story.

    --
    -SR
  4. Therac moment by Okian+Warrior · · Score: 5, Insightful

    Software in medical devices was considered inconsequential for a couple of decades, and then the Therac device came out and killed several patients.

    At the time, the FDA took a close look at software and decided that we need regulations to keep the software more safe.

    I look at the programming in cars right now and note that we haven't had our "Therac" moment. Car manufacturers keep closed source and there's no regulations about how the code should be designed for safety. (Safety for the car, yes. Safety for the software, none.)

    It'll probably take a couple of hackers making cars floor the accelerator randomly in a city for government to wake up and impose common-sense regulation.

    We'll get it straightened out once a couple of people get killed.

  5. Re:Privacy is a lot cause by Penguinisto · · Score: 3, Insightful

    Short of completely abandoning modern society and living off the grid there is no way to maintain what was previously known as privacy.

    Sure there is - you just have to work at it.

    The cost to secure IoT devices and retroactively secure the internet age is so massively prohibitive it beyond the wildest of dreams for any realist..

    Umm, really?

    1) buy a cheap wifi router, give it a unique SSID
    2) tie all your IoT crap to that new SSID
    3) rig the router to QoS down to something ungodly tiny (2400 baud ought to do it), or just don't connect it to the Internet at all after the initial install/update for the device. Be certain that if it is connected, you block all incoming ports at the firewall.
    4) (for the truly paranoid) If it has a camera, a bottle of cheap black nail polish is like $3 or so. If it has a microphone, clip if off or cover it with epoxy.

    So far, we've spent less than $50, and most of that was for the new router - if you have an older router, just press that into service and it'll all cost you less than a couple of hours plus the price of a large latte... *shrug*.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?