Slashdot Mirror


The Internet of Things Is a Surveillance Nightmare (dailydot.com)

An anonymous reader writes from a DailyDot's Kernel Mag article: Welcome to the Internet of Things, what Schneier calls "the World Size Web," already growing around you as we speak, which creates such a complete picture of our lives that Dr. Richard Tynan of Privacy International calls them "doppelgangers" -- mirror images of ourselves built on constantly updated data. These doppelgangers live in the cloud, where they can easily be interrogated by intelligence agencies. Nicholas Weaver, a security researcher at University of California, Berkeley, points out that "Under the FISA Amendments Act 702 (aka PRISM), the NSA can directly ask Google for any data collected on a valid foreign intelligence target through Google's Nest service, including a Nest Cam." And that's just one, legal way of questioning your digital doppelgangers; we've all heard enough stories about hacked cloud storage to be wary of trusting our entire lives to it. [...] But with the IoT, the potential goes beyond simple espionage, into outright sabotage. Imagine an enemy that can remotely disable the brakes in your car, or (even more subtly) give you food poisoning by hacking your fridge. That's a new kind of power. "The surveillance, the interference, the manipulation the full life cycle is the ultimate nightmare," says Tynan. [...] That makes the IoT vulnerable -- our society vulnerable -- to any criminal with a weekend to spend learning how to hack. "When we talk about vulnerabilities in computers... people are using a lot of rhetoric in the abstract," says Privacy International's Tynan. "What we really mean is, vulnerable to somebody. That somebody you're vulnerable to is the real question." The state of security around IoT, the chip or sensor-equipped devices connected to each other over the Internet, is deeply concerning. Just in the past few months, we have seen several instances of these devices getting hacked. 
We have also seen things such as Shodan, a search engine for the Internet of Things that can allow someone to browse vulnerable webcams. Many people continue to overlook the significance and potential consequences of their "smart" devices getting compromised. Someone recently asked, "So what if my coffee maker gets hacked? What are criminals going to do? Burn my coffee?" They can do a lot more than burn your coffee. You see, these devices are connected to your Wi-Fi network, which gives them the ability to interact with other gadgets connected to the same network. When attackers manage to access one of these devices, it's only a matter of time before they own your entire network.


  1. Too late by Anonymous Coward · · Score: 5, Insightful

    The convenience is worth the risk. The dumb-ass majority has spoken.

    1. Re:Too late by NatasRevol · · Score: 4, Insightful

      Fair point. But did they have any other options?

      Are there secure IoTs?

      Maybe, just maybe, the developers/manufacturers are at some fault.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:Too late by Anonymous Coward · · Score: 1, Insightful

      Yes, they could have said "no". Your scale does not need to talk to the fridge. Your thermostat does not need to talk to Google.

    3. Re:Too late by JaredOfEuropa · · Score: 1

      Secure IoTs? Depends on what you mean by that. Standards like Z-Wave and Zigbee are already somewhat safer from remote tampering than WiFi-enabled devices since they operate on their own network. Hacking into them remotely or making them send data to a 3rd party involves hacking the central controller (if that controller even is connected to the Internet, though it often is). Certainly possible but it's a considerable extra hurdle. The networks themselves are fairly easy to hack, though the new version of Z-Wave adds encryption to make that a great deal harder.

      For the rest, it comes down to selecting what data to share with whom, when, and what risk you deem acceptable when sharing. And if you're worried about the CIA and their pals, don't do anything in the cloud, access your stuff via encrypted VPN or forego remote access completely and create an air gap between your smart home stuff and the LAN.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    4. Re:Too late by Penguinisto · · Score: 4, Insightful

      Fair point. But did they have any other options?

      Actually, as consumers, they (mostly) do have options - lots of them.

      In my case, I avoid the whole IoT thing like it were some virulent form of radioactive space herpes. It's not out of paranoia, but because my rural Satellite ISP has a bandwidth cap during most of any given 24-hour cycle. This means not bothering with the cute little automated/networked thermometers, televisions, refrigerators, etc...

      To be honest, I don't see much value in them anyway - at least not at this time; I'm perfectly capable of setting a thermostat (or throwing another log into the wood stove), and keeping a mental inventory of what's in my refrigerator. There are promising technologies/devices out (e.g. the Amazon Echo thingy), but in all honesty, they're nice-to-have things, not need-to-have (and unless you're severely disabled, nearly all of them are not much more than glorified monetization opportunities for whoever sells the thing to you - again, see also the Amazon Echo thingy).

      Anyrate, yes the consumer (that is, you and I) have the ultimate power over how much these things influence and potentially control our lives and our stuff.

      Now there may be exceptions (say you bought some swanky condo or rented an apartment that has all this stuff in it), but they can be disabled to an extent (or even hijacked by you if you know how and see a use for doing so.) It ultimately depends on you.

      Eventually, I can see where you'd have no choice but to buy such things because alternatives would cease to exist... but even there, you can simply, say, assign them to an SSID that you've throttled down to 14.4k or some obscenely low rate, then take the extra step of firewalling the shit out of that network to allow only established/related ports. Or, just hack the thing to taste (after all, phones can be jailbroken fairly quickly, so...)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    5. Re:Too late by Lumpy · · Score: 4, Insightful

      "Are there secure IoTs?"

      yep all of mine are. because I made them.

      I don't use stupid "cloud" crap for my IOT devices; they talk to the server in my home, and the ones in the vacation home talk over an encrypted VPN to my home.

      it's the consumer crap designed to spy on you that are the problem, not IOT.

      --
      Do not look at laser with remaining good eye.
    6. Re:Too late by Sir_Eptishous · · Score: 1

      it's the consumer crap designed to spy on you that are the problem, not IOT.

      Once it starts going mainstream, what do you think most people will be using?

      --
      We play the game with the bravery of being out of range
    7. Re:Too late by castionsosa · · Score: 1

      I'm in the same boat. Due to numerous other Wi-Fi links around where I live, at best, I get reliable signal in one room, but that's pretty much it. Because there are just so many devices yakking on Wi-Fi, even the 5GHz band, where devices are supposed to find the channel that is used the least, is saturated.

      As for IoT devices, I do watch occasionally the Fiver channel on YT, which always has some new IoT item. Some are cool, others... why bother? If I were to spend the price premium for a "smart" fridge, I'd buy a refrigerator which runs on CNG or LP gas, as well as electric. Smart deadbolt? I'd like one that can tell me the status, and lock the deadbolt... but mechanically cannot unlock it from remote.

      I've never understood why IoT devices don't move to a hub/spoke model. A hardened, central hub that does the Internet communicating, and the devices use Bluetooth and are paired with the hub (or hubs). This way, physical proximity is needed to the devices to hack endpoints, and the hub can have IDS/IPS rules to handle compromised endpoint devices. This would go a long ways in solving the IoT security disaster.

    8. Re:Too late by el_smurfo · · Score: 1
    9. Re:Too late by castionsosa · · Score: 1

      You can make IoT secure. Devices can be put on separate network segments that can't see each other, are firewalled, with an IDS/IPS in place to minimize damage if compromised. Logs can be exported one way via syslog to a secure server, which can be searched by Splunk or an elk stack machine. Warnings can be handled by an application running locally that can do email or SMS. Hub/spoke architectures can be used with low bandwidth devices using Bluetooth. Heck, most IoT devices could be hardwired. The deadbolt? Many, many buildings have used electric strikes and locks, and that technology is reliable enough for home use. Alarm systems are better hard wired anyway.

      However, there is no money to be made by making IoT secure. As mentioned in other /. posts, the mantra, "security has no ROI" thrums loudly among most businesses. The IoT problems are solvable. It is a matter of won't, not can't.
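The local alerting described in the comment above, as an added example that is not part of the original post: a small watcher that reads netfilter-style firewall log lines arriving by syslog and reports IoT-segment devices that initiate traffic they should not. The subnets, the collector address and the log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed addressing plan (constructed for this example, not from the post).
IOT_NET = ipaddress.ip_network("192.168.50.0/24")   # isolated IoT segment
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # trusted home LAN
# The only flow IoT devices are expected to start: one-way syslog export.
ALLOWED = {("192.168.60.5", "UDP", 514)}

# netfilter LOG lines are KEY=value tokens after a syslog header and prefix.
KV = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample input in the kernel LOG target's format.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: IOT-FWD IN=vlan50 OUT=vlan60 SRC=192.168.50.21 DST=192.168.60.5 LEN=120 TTL=63 PROTO=UDP SPT=49152 DPT=514 LEN=100
Mar  3 10:15:07 gw kernel: IOT-FWD IN=vlan50 OUT=vlan1 SRC=192.168.50.21 DST=192.168.1.10 LEN=60 TTL=63 PROTO=TCP SPT=40112 DPT=445 SYN URGP=0
Mar  3 10:15:09 gw kernel: IOT-FWD IN=vlan50 OUT=vlan1 SRC=192.168.50.21 DST=192.168.1.10 LEN=60 TTL=63 PROTO=TCP SPT=40114 DPT=22 SYN URGP=0
Mar  3 10:16:30 gw kernel: IOT-FWD IN=vlan50 OUT=wan0 SRC=192.168.50.33 DST=203.0.113.7 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=23 SYN URGP=0
Mar  3 10:17:02 gw kernel: LAN-FWD IN=vlan1 OUT=vlan50 SRC=192.168.1.10 DST=192.168.50.21 LEN=60 TTL=63 PROTO=TCP SPT=52044 DPT=80 SYN URGP=0
Mar  3 10:17:40 gw kernel: IOT-FWD truncated rec
""".splitlines()


def parse_line(line):
    """Return (src, dst, proto, dport) or None if the line is unusable."""
    fields = {}
    for key, value in KV.findall(line):
        # Keep the first occurrence: ICMP error lines repeat SRC/DST for the
        # embedded packet, and the outer header is the one that matters here.
        fields.setdefault(key, value)
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
    except (KeyError, ValueError):
        return None
    proto = fields.get("PROTO", "?")
    dpt = fields.get("DPT", "")
    return src, dst, proto, int(dpt) if dpt.isdigit() else None


def classify(src, dst, proto, dport):
    """Name the policy violation for a flow, or None if it is acceptable."""
    if src not in IOT_NET:
        return None                      # only IoT-initiated traffic is judged
    if (str(dst), proto, dport) in ALLOWED:
        return None
    if dst in LAN_NET:
        return "lateral-to-lan"          # IoT device reaching trusted hosts
    if dst in IOT_NET:
        return "device-to-device"        # segments should not see each other
    return "unexpected-egress"           # anything else leaving the segment


def analyze(lines):
    """Group violations by (source device, category) for one alert each."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        category = classify(*parsed)
        if category:
            src, dst, proto, dport = parsed
            hits[(str(src), category)].add((str(dst), proto, dport))
    return {key: sorted(flows, key=str) for key, flows in sorted(hits.items())}


if __name__ == "__main__":
    for (device, category), flows in analyze(SAMPLE_LOG).items():
        targets = ", ".join(f"{d}:{p}/{port}" for d, p, port in flows)
        print(f"ALERT {category}: {device} -> {targets}")
```

The alert lines it prints are what the e-mail or SMS notifier mentioned in the comment would forward; the grouping keeps a noisy device to one message per category.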

    10. Re:Too late by kheldan · · Score: 1

      But did they have any other options?

      Certainly. You don't buy 'IoT' devices in the first place. Most of them are solutions in search of a problem, not the other way around, just ways to get tech-enthused people to spend their money on more toys that they didn't need until someone convinced them they did.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    11. Re:Too late by kheldan · · Score: 1

      Hack the devices and write your own firmware. Good luck with that.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    12. Re:Too late by NatasRevol · · Score: 1

      which is kind of my point.

      Don't blame the consumer when the mfgr is putting out shit product. While putting lipstick on it.

      --
      There are two types of people in the world: Those who crave closure
    13. Re:Too late by plover · · Score: 5, Informative

      The real problem with the IoT is that everyone and their brother is trying to be the One True Provider of All Home Automation, and they want to do it in the cloud so they can charge you for integrating with everyone else's clouds. Nest has the whole Nest-Certified thing, running in the cloud. Samsung has the Samsung Smart Home, running your washers, dryers, and air conditioners in their cloud. AssureLink will happily run your garage door openers in their cloud. Honeywell has their thermostat system, in their cloud. Rheem has their EcoNet for running hot water heaters, in their cloud. LG has a cloud service for their TVs. Schlage has a cloud for running door locks. D-Link has a cloud for viewing their security cameras. Fitbit cloud-enables your health data. Philips' cloud runs your Hue lights. And so on.

      Cloud solves some thorny problems. It enables easier configuration of the home user's environment by removing most of the barriers, which is critical to commercial success. Ordinary people don't know they need to poke a hole in their firewalls, and they also know they don't want to know all those technical details. But they still want to remotely access their IoThings from their iPhones. Having the IoThings phone home to the cloud means there's a central point to discover and communicate with them, making the consumer's installation woes less painful - ease of use is critical to driving sales. And the cloud can back up those configurations, allowing you to replace your old device 1.0 with new device 2.0, all without pain.

      Clouds can also improve end user security - from a certain kind of threat. If your home device is connecting to the cloud and never listening for input on its own, its attack surface is much smaller than if it has opened a port on your firewall. And when your home device needs a security patch, the cloud can push it. Obviously, that means your home devices place their trust in the cloud to be secure, which is the point of TFA.

      But the main problem cloud solves is that clouds provide an ongoing "service" for which the device provider can charge $9.99/month. And it's all about the continual extraction of money from the consumers. Why sell an overpriced sprinkler system only once when you can have that wealthy sprinkler system owner send your cloud service a check every single month? That's really why everyone wants to be the company that sells you the One True System, so they are the ones you're willing to pay on a monthly basis.

      What I want (and have) is a server in my house that handles the home automation communications and executes rules without requiring a cloud. Unfortunately, most of the commercial hubs come needlessly saddled with clouds. There is no technical reason for an Iris hub or a Wink hub to connect to a cloud, yet they do. Amazon Echo runs everything to the cloud, including your voice. Better systems make the cloud optional.

      There are also better choices on the horizon. OpenHAB is making great progress on providing an open source Java package that can handle a wide variety of home automation devices; GUI control is getting there, but setup and configuration is still a complex problem that's out of reach of the average homeowner.

      --
      John
    14. Re:Too late by Dutch+Gun · · Score: 1

      This seems like it could be done fairly easily in software right inside even consumer-grade routers, and would at least help in mitigating some of the security threats of these devices. These routers already offer "guest networks" on most newer models, so this seems like the next logical step. Just create a simple way at router setup/configuration time to create an "IoT network" as well which is isolated from anything else on the router for safety.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    15. Re:Too late by kheldan · · Score: 1

      You can blame the consumer in the same vein that a judge can tell someone 'ignorance of the law is no excuse'. The average consumer is about as security-savvy with things like this as they are about their Facebook posts. It's the whole 'I have nothing to hide therefore I have nothing to fear' attitude, which of course is utter and complete nonsense. Some consumers might hear and even understand that their Nest thermostat is accessible by hackers, but they don't really care. Of course imagine their faces in those final moments when their car is careening at full throttle towards a concrete abutment or a building and they can't stop it, because some jackass thought it would be lulzy to hack some random person's car and take it for a remote joyride.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    16. Re:Too late by Geeky · · Score: 1

      OpenHAB is one option, with a Z-Wave/Zigbee USB stick it might be able to replace a SmartThings/Nest kind of set up - if you don't mind a lot of work getting it all working (kinda like using Linux in the early days)

      Also look for devices that don't need the cloud but use it for additional features. Philips Hue lights talk to a hub that does talk to the cloud for remote control, but that hub has a simple REST API for local control. If you wanted to, you could block the hub from talking to the internet and use a home server / dynamic DNS setup with a home-brew web application to control the lights.

      Sadly most don't do that - although you may be able to develop your own code for SmartThings and the like, it all has to run in their cloud.

      --
      Sigs are so 1990s. No way would I be seen dead with one.
    17. Re:Too late by GuB-42 · · Score: 1

      The convenience would be worth the risk if it was convenient.
      Trouble is : it's not. The biggest problem is the lack of standardization. You can't buy any AC unit and expect it to be able to connect to any smart thermostat. You can't expect your IoT alarm clock to be able to turn on your IoT coffee machine without buying a specific machine, which, incidentally, makes poor coffee.
      And that's the problem, I buy things based on cost and how well they perform as things : I want a washing machine that washes well, doesn't use up too much water, doesn't make too much noise, is robust, affordable, etc... That's already a lot to ask so I don't want to add the "can it connect to the rest of my network" criteria, especially if there is a 99% chance that it doesn't.

    18. Re:Too late by turbidostato · · Score: 1

      "Don't blame the consumer when the mfgr is putting out shit product."

      Of course you can blame the customer.

      The only thing you can't blame the customer is for the thingie being there (I wanted X but X came with a, b and c tied to it) as soon as they buy something on purpose, customers are the ones to blame.

      What you can't do is just the opposite, blame the vendor. You know for sure the vendor will try to sell you the cheapest shit that maximizes their revenue. Heck, it's their damn job to do so! And the vendor is incurring costs when trying to sell you their new thingie, so the only way they'll continue selling it is if they in fact profit from that. They are selling that crap, sure indication they are profiting from it - and that's because of the customers, not the other way around.

    19. Re:Too late by The-Ixian · · Score: 1

      In my case, I avoid the whole IoT thing like it were some virulent form of radioactive space herpes. It's not out of paranoia, but because my rural Satellite ISP has a bandwidth cap during most of any given 24-hour cycle.

      For me, it is because IoT is another way of saying "recurring monthly bill" or "forced obsolescence"

      Oh, look, I have a nice alarm clock that is connected to the internet, has an app store, collects data about me and will stop functioning when the manufacturer doesn't feel like supporting it any more.... what a deal!

      --
      My eyes reflect the stars and a smile lights up my face.
    20. Re:Too late by NatasRevol · · Score: 1

      You're working with the wrong vendors if you think it's their job to sell you the cheapest shit possible.

      --
      There are two types of people in the world: Those who crave closure
    21. Re:Too late by UnknownSoldier · · Score: 1

      The "dumb-ass majority" will quickly change their tune when their home gets p0wned, badly.
      i.e. Devices stay on consuming electricity, fridge constantly shuts off so they are forced to rebuy all their groceries, little Johnny's lights keep switching on/off all day, etc.

      I'm actually waiting for the hackers to have a field day with this; then maybe the dumb-ass majority will actually learn their lesson:

      * Just because you _can_ hook a device up to the internet, doesn't mean you _should_.

    22. Re:Too late by plover · · Score: 1

      Yeah, I looked at OpenHAB for a while, but their grandly named "OpenHAB Designer" turned out to be nothing more than a copy of Eclipse running a text editor to modify the necessary half-dozen configuration files and check them for syntax errors. It is definitely not ready for an advanced installation professional, let alone the average homeowner.

      I've had great luck so far with Vera (getvera.com). It can use the cloud if you let it, but everything is configured and run locally. Configuration is not quite plugThe only reason for the cloud is secure remote access, as their API is unsecured and I wouldn't expose it to the web. The best thing about Vera is the very active community; they have developed literally hundreds of various applications that support all kinds of external devices. Some devices are locally accessed (OpenSprinkler), others reach out to web services to allow integration with a device that doesn't provide a local interface (Honeywell thermostats, for example.) All Vera's plug-in modules are defined in XML and written in lua, and you can run and test everything locally, so there are no giant hurdles to development.

      The bulk of my home runs on Z-Wave. I've had a lot of disappointing results, but once you finally discover and get rid of the troublesome devices from your Z-Wave network, things can improve. Essentially it's become one big experiment where I'm testing its ease-of-use on friends and family. I've learned a lot, I've bought a lot of crap, and I'm getting better at recognizing the stinkers.

      --
      John
    23. Re:Too late by Geeky · · Score: 1

      Very similar to my experiences with SmartThings - despite being sold here in the UK in a major high street store, it's not really ready for primetime, but you can work around the limitations. I haven't gone beyond lights and a plug socket yet, plus the motion/door sensors that come in the starter kit. It's been a bit of fun, I like playing with gadgets, but I wouldn't recommend it to anyone just yet.

      Sounds like the big difference, when compared with Vera, is that ST is cloud based and the development options are... let's say quirky, at best.

      --
      Sigs are so 1990s. No way would I be seen dead with one.
    24. Re:Too late by phantomfive · · Score: 1

      I'm actually waiting for the hackers to have a field day with this;

      Then you might be interested in this.

      --
      "First they came for the slanderers and i said nothing."
    25. Re:Too late by DamonHD · · Score: 1

      Part of a recent project has been to make an IoT-friendly really robust secure link from device to hub or Internet server, all liberally licensed and open:

      https://github.com/DamonHD/Ope...

      This runs happily on Arduino-UNO (and slower) class hardware purely in software, eg including an AES-GCM implementation:

      https://github.com/opentrv/OTA...

      So yes, is the answer.

      We (OpenTRV) aim to get it on 400 million energy saving smart thermostatic radiator valves across Europe.

      Rgds

      Damon

      --
      http://m.earth.org.uk/
    26. Re:Too late by plover · · Score: 1

      Laugh if you want, but I really do have two "clouds" controlled by my smart house. They're ultrasonic mist emitters that fill our orchid-growing cabinets with fog, three times a day. It keeps the humidity inside the glass cases above 95%, which is ideal for some of the equatorial cloud-forest species.

      And yes, the electrical plug is kept safely outside of the cabinets. Condensing humidity is a very bad environment for electrical appliances.

      --
      John
    27. Re:Too late by DamonHD · · Score: 1

      We (OpenTRV) are building IoT devices that are decentralised and will work (well) without an Internet connection, smartphone or hideously complex instruction manual.

      Some of our target users don't have Internet connections or smartphones, for a start.

      Our devices can be connected up beyond a local hub (eg to control your heating better) if you wish, but making it possible to do without makes them inherently safer and more reliable IMHO.

      Yes, we're keen on OpenHAB integration, but Open Energy Monitor and MQTT and a few other things are on their way first.

      Rgds

      Damon

      --
      http://m.earth.org.uk/
    28. Re:Too late by Darinbob · · Score: 1

      Yes there are secure IoTs. Problem is with generic devices using generic operating systems with no security added or added as a late afterthought. Ie, "consumer" devices are the ones to beware of. Breaking into the coffee maker isn't giving you any access to your thermostat as they're not connected to each other except for using the same air space. A lot of these are relatively big and bulky devices, full android or linux maybe, with wi-fi networking and all its problems. Cheap devices made by companies with minimal profit margins sold to hipsters and yuppies and gadget-philes, consumers who want the bragging rights who don't care about or understand security. The devices in that case don't talk to each other, but they all talk to the common access point (wifi router) which is a weak link.

      I work on devices for utilities, municipalities, and the like. We never used to call them IoT until that term started being the fashion recently. But many of those customers are very insistent upon having good security. This extra panic about security is good and bad, the good thing is that it makes some of the bigger customers start demanding security. The security for larger customers is by necessity complicated. Good security is never convenient, it means managing certificate chains, providing temporary authority for field service or installers, auditing, etc.

    29. Re:Too late by John+Da'+Baddest · · Score: 1

      "OpenTRV conf / Saturday November 29th" - Would be helpful if you added the YEAR to your event dates, so the audience knows whether there's an upcoming event, or if your web presence is yet another ancient one-hit wonder.

    30. Re:Too late by Darinbob · · Score: 1

      Zigbee is old and crusty, the newest version is just strange and bloated and no one has really adopted it. It may die off except that big companies keep demanding Zigbee as a check-off box. The standards of this are new and evolving, and security isn't always there but the device makers are adding it anyway (and if you insist on alliance led standards for security then you'll get crap like WPA as a result when a manufacturer might actually have something better).

      Big problem is with the dumb IoT, devices that you really don't need but which want to be on the network and in the cloud. Thermostats and baby cams and such. But tell the Gen Z couple that they want a secure VPN to connect to their baby cam and their eyes will glaze over, since they just want an app on their phone. The makers in this fad market are hoping to monetize all that data in the cloud so that they can finally go IPO and retire before they turn 30.

      We really need to split up IoT into categories. After all any device or computer that is addressable on the internet is a part of the IoT, and some people even consider point-to-point bluetooth links to your phone to be IoT just so they can jump on that buzzword. IoT for home automation and baby monitors should not be in the same category as IoT devices for utility infrastructure or scientific data collection.

    31. Re:Too late by Darinbob · · Score: 1

      Blame the consumer for not asking about security options. If their thermostat is unsecure as an IoT device because it connects to their wifi router, then I wouldn't put any bets about the security of their laptop or smart TV either. The rise of security problems is not necessarily because of IoT security but because there are now so many more things all on the same internet. The security needs to be added even when the consumer is not asking for those features, even if it raises the cost of the products. I think it's good that Apple is encrypting phones and storage by default because the average user would not take that extra step on their own.

      To most people the internet is still a new concept. Even people who've grown up with the internet are treating it in naive ways. So right now IoT devices with zero security sounds like a dumb thing, but then look around and see how many wi-fi routers you can see from where you are which are open to everyone or which use WPA. Bad security is *everywhere* because few people take it seriously and few are as paranoid as they should be. Go back ten years and remember how full of security holes everything was, yet the security technology has not really gotten that much better over that period. What has changed is that more devices, companies, and users make use of existing security technology.

    32. Re:Too late by shubus · · Score: 1

      Maybe worth it to SOME. I've boycotted iOT devices and will continue to do so until high security has been adopted as industry standard. No, I'm not holding my breath. Where I live we've got a lot of tech-savvy criminals and I won't give them the iOT edge.

    33. Re:Too late by dbIII · · Score: 1

      I've never understood why IoT devices don't move to a hub/spoke model

      The same reason security is an afterthought :(

    34. Re:Too late by dbIII · · Score: 1

      I'm actually waiting for the hackers to have a field day with this; then maybe the dumb-ass majority will actually learn their lesson

      We are already knee deep in a malware swamp beyond the dreams of bad SF, yet it just keeps on getting worse and there are plenty that have not learned the lesson (or even smirk at those who have).

    35. Re:Too late by turbidostato · · Score: 1

      "You're working with the wrong vendors if you think it's their job to sell you the cheapest shit possible."

      That's not what I said. I said "the cheapest shit that maximizes their revenue".

    36. Re:Too late by beastofburdon · · Score: 1

      There aren't any that I am aware of. In order to get these things working in a fairly secure manner you have to build the system yourself. Everything I have seen for sale has required connection to the company's servers.

    37. Re:Too late by R.Mo_Robert · · Score: 1

      I've never understood why IoT devices don't move to a hub/spoke model. A hardened, central hub that does the Internet communicating, and the devices use Bluetooth and are paired with the hub (or hubs).

      Many do: Philips Hue, SmartThings, Iris (Lowes), VeraLite, and others do, except it's Z-Wave and/or ZigBee rather than Bluetooth that does the communicating. (Low-energy Bluetooth wasn't around when these standards were created, and Z-Wave and ZigBee also have the ability to form a mesh network rather than each needing to connect to the central bridge/hub.) WeMo is a notable one that doesn't work like this, as are Nest and several Apple HomeKit-capable products that connect directly to WiFi. I don't like those products.

      --
      R.Mo
    38. Re:Too late by RockDoctor · · Score: 1

      Which convenience is that?

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    39. Re:Too late by allo · · Score: 1

      Easy. No Cloud. Why does your smart shoe need a cloud to communicate with your phone? Bluetooth is enough. Why doesn't your wlan lightbulb talk to your router as access point, which can communicate with your mobile phone (some manufacturers offer free dyndns with one click)? Why does it always need to use a cloud? One Cloud? At least two! The lightbulb talks with its manufacturer, which sends pings to google, which sends it to your phone as push message.

  2. Simple Solution by Anonymous Coward · · Score: 1

    If you don't want to get hacked, don't get things connected to the internet. If you want to know your milk is about to expire in your fridge, or turn your dryer on to fluff your clothes from your phone, then know the risks. If you don't care about those conveniences, don't pay for them and don't get a connected device. I can guarantee that you can still buy a fridge, dryer, coffee maker, and thermostat that aren't connected to the internet, and will still be able to for quite some time. Right now, the benefit is minor (or questionable) and the cost is more than marginal for connected devices.

    Just remember, they can't hack you if you aren't connected.

    1. Re:Simple Solution by silas_moeckel · · Score: 2

      I have a LOT of IoT devices; oddly they can not connect to the internet. Frankly when you have devices and standards that need to last decades you're never going to cost-effectively put enough crypto on them. So build upon that assumption, break into my zwave network you can turn on lights or unlock a door or turn on the heat. You're not going to disable the security system merely some extra motion sensors. Break into my IoT wifi and you still can not get anywhere.

      At the end of the day the implementations that require the cloud to work are broken by design. I need my fridge to talk to my HA controler it should be the only thing that needs to talk to the world and be updated/replaced on a regular basis, no different that a wifi AP (frankly mosts homes it could easily live on the wifi ap). I need open standards not apple homekit lock in. Because at the end of the day nobody wants a maytag oven thats not compatible with their frigidaire freezer or samsung microwave but we also can not expect maytag to provide updates to new protocol 10,0 to a 20 year old oven. We can expect to get a HA controler than supports everything and keeps it reasonably secure within the confines of the protocol.

      --
      No sir I dont like it.
    2. Re:Simple Solution by Actually,+I+do+RTFA · · Score: 2

      If you want to know your milk is about to expire in your fridge, or turn your dryer on to fluff your clothes from your phone, then know the risks.

      But the risk is only because these stupid things are connected to the Internet. There's no reason they cannot use Bluetooth or similar. Connect to your cellphone when it is in range.

      --
      Your ad here. Ask me how!
  3. Just Need To Chip The Humans. by zenlessyank · · Score: 1

    This is going to be fun I hear.

  4. No shit. by Qbertino · · Score: 1

    Captain Obvious strikes again!

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:No shit. by gstoddart · · Score: 2

      You know, until people act on it, or there are privacy laws in place, or the rest of the populace is outraged ... this is apparently quite far from "obvious".

      Say this to most people, and you'll get an eye-roll and a tick-box in the crazy column.

      --
      Lost at C:>. Found at C.
  5. Re:One population's security nightmare... by tnk1 · · Score: 3, Insightful

    is every Three Letter Agency's wet dream.

    Maybe not. Yes, the ability to spy on people might be useful for them, however, they're frequently charged with the protection of US citizens as well.

    If IoT is vulnerable, it is not just vulnerable to the NSA or FBI, it is vulnerable to Russia, Iran, North Korea, China, and anyone else who wants to try a hand at it. That's not a situation that would have everyone at the FBI (for instance) uncorking a bottle of champagne.

  6. Burning coffee machines? by Zumbs · · Score: 2

    Someone recently asked, "So what if my coffee maker gets hacked? What are criminals going to do? Burn my coffee?" They can do a lot more than burn your coffee.

    Depending on how well the safeguards are on your coffee machine, the criminals could try to keep the water heating elements running after all the water has been transferred to the pot. Aside from the energy bill, this could have other interesting side effects ranging from a destroyed coffee machine to a burning coffee machine that could set your home on fire. Yes, yes, this is probably a wee bit too close to scare-mongering, but it does underline the need for safety by design.

    --
    The truth may be out there, but lies are inside your head
    1. Re:Burning coffee machines? by i.r.id10t · · Score: 5, Funny

      The wife asked me why I wear my gun when I'm just hanging around the house. I looked her dead in the eye and said, "the motherfucking decepticons". She laughed, I laughed, the toaster laughed, I shot the toaster, it was a good time.

      --
      Don't blame me, I voted for Kodos
    2. Re:Burning coffee machines? by dstyle5 · · Score: 1

      What if it was an Autobot there to protect you from that Keurig coffee maker that cracks the occasional "Optimus sucks" joke?

    3. Re:Burning coffee machines? by avandesande · · Score: 1

      You don't have to come up with any far fetched hypothetical situations. Just by keeping track of coffee makers they can develop lists that thieves can use to know when it is convenient to empty your house.

      --
      love is just extroverted narcissism
    4. Re:Burning coffee machines? by lrichardson · · Score: 1

      Insurance companies want access. Ya know, make sure you are in your house, with no more than a 3 day absence which would invalidate your household insurance. Or to make sure the temperature doesn't go down too low so they can a) call you to notify you of the problem, and b) if no-one home, remotely crank up the heat. There's also remote cut-offs for water, in case they detect the flow continuing for hours on end (thanks to the smart meter). Smoke detectors, so they can notify the fire department, again, if no-one calls. On one hand, all good intentions. (And probably good *overall*)

      OTOH, so much for home firewalls. Or in-home privacy. Your NEST and smart-TV (and bluetooth phone, if hooked in) all provide audio surveillance; your X-Box and smart-TV provide video surveillance; not to mention the nightmare of a big-brother your home-security system becomes. There have already been thefts where hackers have been able to determine no-one is home. Including one case where the fingerprint-scanner on the door allowed the hacker entry without any need for a key or crowbar. SWATting has become a real nightmare, and turning someone's heat or water or electricity off would appeal to the same trolls.

      It will take some high profile incidents - like cars or homes being hacked, possibly with loss of life - before the security side becomes important to the people pushing these technologies.

    5. Re:Burning coffee machines? by SuricouRaven · · Score: 1

      I can think of far better uses for a hacked coffee maker. Top of the list is as a tool for proxying further attacks through, followed by DDoS node, followed by a good place to set up a server holding some illegal stuff so I can post the link in public forum. The coffee side has little practical use - but there's a computer in there that can be abused. Or I could just be annoying and make it play The Coffee Song while brewing.

    6. Re:Burning coffee machines? by orledrat · · Score: 1

      Most toasters pack serious heat ya know, fuck around and they WILL bring the painini.

    7. Re:Burning coffee machines? by ArylAkamov · · Score: 1

      Yes, yes, this is probably a wee bit too close to scare-mongering, but it does underline the need for safety by design.

      I wouldn't call it that.

      It has been demonstrated that with exploitable laser printer firmware, it is possible to keep the laser heating to the point of melting the printer or catching the paper on fire.

  7. It's mostly just about rebranding stuff by Sax+Russell+5449D29A · · Score: 4, Insightful

    I think the whole IoT marketing movement is about rebranding existing technologies. Remotely accessible cameras and wearable technology have been around for a very long time practically unchanged, but now they're suddenly categorized under an ambiguous umbrella term. Most of the IoT tech have been security nightmares since day 1 so we shouldn't suddenly worry about them now, we should have worried about them for over a decade. Googling for weakly protected webcams, for example, has been around since the early 2000's and it's been a "new phenomenon" every five years or so.

    If there are devices in my home or car that I find intrusive, they can't be secured properly or they somehow threaten my privacy, I'll get rid of them. This of course becomes a bit problematic once we start running out of alternative manufacturers, but I don't think that'll be a problem for a long time to come. Our cars will most likely be the first that we have least choices with as laws have started to mandate certain wireless technologies to be implemented in them.

    The very least steps everyone should take to secure networked devices of any kind is to set up a proper firewall at home and whitelist addresses they can connect to. Or even bar them behind a VPN. Wouldn't be something every average Jane and Joe can do, but that's another story.

    --
    -SR
    1. Re:It's mostly just about rebranding stuff by RobinH · · Score: 1

      You won't know about all the ones that come in the appliances and vehicles you buy. They have no incentive to tell you.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    2. Re:It's mostly just about rebranding stuff by RobinH · · Score: 1

      The vehicles, at least, are already including this call-home technology (think Ford) and it doesn't require you to actively do anything for it to call home. It probably uses the on-star-like system over cellular data, and is working to send data even if you don't subscribe to their service. As these technologies get less and less expensive, expect to see them in more and more products.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
  8. Therac moment by Okian+Warrior · · Score: 5, Insightful

    Software in medical devices was considered inconsequential for a couple of decades, and then the Therac device came out and killed several patients.

    At the time, the FDA took a close look at software and decided that we need regulations to keep the software more safe.

    I look at the programming in cars right now and note that we haven't had our "Therac" moment. Car manufacturers keep closed source and there's no regulations about how the code should be designed for safety. (Safety for the car, yes. Safety for the software, none.)

    It'll probably take a couple of hackers making cars floor the accelerator randomly in a city for government to wake up and impose common-sense regulation.

    We'll get it straightened out once a couple of people get killed.

    1. Re:Therac moment by plover · · Score: 3, Informative

      Except the THERAC problem was almost the opposite of unregulated quality control. Because getting new software tested and certified was so very expensive, they decided to reuse their existing certified software in a new model of machine, thus avoiding the cost of the review process. The new device was slightly different, though, and more susceptible to the latent bug that caused the fatally high doses of radiation. (As I recall, it was an error handler in the patient name field that caused it to misinterpret the dose the technician selected.)

      The regulatory process was partially at fault for making regulations so burdensome the company would rather play a game to get around them. I'm not saying we shouldn't have rigorous testing for safety critical applications, but that certification testing needs to incorporate the whole application plus its intended environment, not just testing the different bits from the last time it was certified.

      --
      John
    2. Re:Therac moment by jimbob6 · · Score: 1

      Ah but most companies that design medical equipment get around this type of regulation through FPGA design.
      If it's in a FPGA, according to the regulators it doesn't count as software, it's connected hardware.
      Even to the extent that a microprocessor and memory can be simulated in a FPGA.
      Don't think that just because it's regulated it's safe; most of the time the regulations are just an excuse to sell a bad product.
      After all if it passes all of the government's checkboxes it must be good right?

    3. Re:Therac moment by UnderCoverPenguin · · Score: 2

      I develop software for electronic controls in several industries, including automotive, so I am very familiar with the MISRA C Guidelines. They define a "safe subset" of C. The intention of the guidelines is really to make sure that certain, problematic features of C are being used correctly and only when needed. The idea being that when those problematic features are used, code reviews be performed to make sure the use is needed, correct and documented.

      The problems come in when the guidelines meet reality.

      Reviewing code for MISRA exceptions often distracts from reviewing code for other problems.

      In some organizations, management demands strict and complete compliance with the guidelines. This results in more code and more complex code, thus significantly increasing the amount of code to be reviewed - as well as increasing opportunities for bugs.

      In other organizations, blanket waivers are in place, requiring only that developers cite the relevant waivers when they use problematic features. This tends to make code reviews too lax.

      So, why do electronic control systems still use C? Because cheap, low resource microprocessors are still the rule for these mass produced devices. As an example, most of the devices I am working on - now and in the recent past - use a micro with 16 kilobytes of RAM and 256 kilobytes of ROM (Read Only Memory; what we use to hold the running application), and it runs at 40 MHz - about 50 times slower than a low end PC.

      We have looked at alternatives. Not yet found one that fits our needs, though Rust looks close. (We know Rust's compiler is based on LLVM, so there might be back-ends for some of the (higher end) micros we use, but the ones we have found are all pre-Alpha quality.)

      --
      Don't try to out wierd me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
    4. Re:Therac moment by Darinbob · · Score: 1

      There were standards and procedures before Therac. The regulation could have been tightened more with more audits of course. And some of the complaints there were kind of ridiculous, like using assembler or a custom OS, things that tons of medical devices still do for very extremely good reasons. The problems ultimately were management problems.

      Interesting that one important cause of failure was reusing older software that had reliance on some hardware interlocks. Yet today it is practically a religion in most places, even with medical devices, that you must always reuse software and never write anything from scratch. Except that re-use should never short cut the testing, always assume that the tried and true library functions have bugs, and assume that the compiler and operating system are buggy as well (so many major bugs in commercial RTOSs it's not even funny).

    5. Re:Therac moment by Darinbob · · Score: 1

      We still use C because no one has really come up with a suitable replacement that lots of programmers know. There is a subset of C++ that is good, in fact preferable to C, but that is often abused because someone will start expanding that envelope to use more and more C++ features until something breaks. They swear, just a simple template only a one line, then in a month or two they've got full page templates obfuscating the code to hell and back. So C it is. You know Ada might be ok, I'd be willing to do a whole new device with it, except that it would be hard to find team members who know it or would be willing to learn it.

      (and it's tough to try to get those people to move away from the 70s and start using C99, and then I get complaints about having to use "const" I swear that is true and I'm not making it up)

      I've got 20KB RAM now but only 128KB flash for code. Coming from a project with a few megabytes, so everyone gets told to be lean and mean. And still some people copy and paste code from the larger system and worry about memory usage as just an afterthought. Then they complain that they're overflowing the stack and can they have some more please (Oliver! jokes inserted as necessary).

      I've considered looking at llvm but there aren't any prebuilt compilers that I've found and the build instructions are way more complicated than gcc and I don't have the time to spend on that.

    6. Re:Therac moment by ArylAkamov · · Score: 1

      That is horrifying.

      Thanks for the nightmare fuel.

  9. Misunderstood headline! by asylumx · · Score: 2

    I read "Surveillance Nightmare" and thought -- well that's good, I don't want things to be easy for surveillance. Boy was I wrong when I realized they meant it's a nightmare *because* of all the surveillance it makes possible!

    1. Re: Misunderstood headline! by Type44Q · · Score: 2

      Indeed. This is a Privacy Nightmare and a surveillance wet dream but I don't suppose expecting intelligently-written summaries is very realistic...

  10. unwanted by iggymanz · · Score: 1

    I don't want my fridge or my car hooked to the web at all, totally unnecessary. shit headed kid engineers and marketers are causing huge problems

  11. Re:One population's security nightmare... by NatasRevol · · Score: 1

    The problem is that they often see US citizens as criminals. You know, before all that stupid trial stuff.

    And if your point was valid, they wouldn't be fighting Apple in federal court for security, or been fighting them on it for several years now.

    http://www.bloomberg.com/news/...

    --
    There are two types of people in the world: Those who crave closure
  12. Privacy is a lot cause by plague911 · · Score: 1

    Short of completely abandoning modern society and living off the grid there is no way to maintain what was previously known as privacy. The cost to secure IoT devices and retroactively secure the internet age is so massively prohibitive it is beyond the wildest of dreams for any realist. The best that can be hoped for is that some new concept of privacy is developed culturally. One where while we could access each other's most private lives we all collectively understand and respect that everyone will have some secret to dig up and choose to "let sleeping dogs lie".

    1. Re:Privacy is a lot cause by Penguinisto · · Score: 3, Insightful

      Short of completely abandoning modern society and living off the grid there is no way to maintain what was previously known as privacy.

      Sure there is - you just have to work at it.

      The cost to secure IoT devices and retroactively secure the internet age is so massively prohibitive it is beyond the wildest of dreams for any realist.

      Umm, really?

      1) buy a cheap wifi router, give it a unique SSID
      2) tie all your IoT crap to that new SSID
      3) rig the router to QoS down to something ungodly tiny (2400 baud ought to do it), or just don't connect it to the Internet at all after the initial install/update for the device. Be certain that if it is connected, you block all incoming ports at the firewall.
      4) (for the truly paranoid) If it has a camera, a bottle of cheap black nail polish is like $3 or so. If it has a microphone, clip it off or cover it with epoxy.

      So far, we've spent less than $50, and most of that was for the new router - if you have an older router, just press that into service and it'll all cost you less than a couple of hours plus the price of a large latte... *shrug*.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
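
The separate-SSID setup in the steps above, combined with the address whitelisting suggested earlier in the thread, sketched as an nftables ruleset for a Linux-based router. This is an added example, not part of the post; the interface names (`eth0`, `br-lan`, `wlan-iot`), the 32 kbytes/second cap and the update-server addresses (documentation-range placeholders) are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example with constructed values. Everything in the "define" lines is
# an assumption: substitute the router's real interface names and the
# addresses your devices actually need to reach.

define WAN = "eth0"        # uplink to the modem (assumed name)
define LAN = "br-lan"      # trusted home network (assumed name)
define IOT = "wlan-iot"    # interface behind the separate IoT SSID (assumed name)
define IOT_UPDATE_HOSTS = { 192.0.2.10, 192.0.2.11 }  # placeholder update servers

# A dedicated table: it only ever decides the fate of IoT traffic and leaves
# all other packets to whatever rules the router already has.
table inet iot_isolation {

    # Upstream cap for the little IoT traffic that is allowed out (step 3).
    chain iot_throttle {
        limit rate over 32 kbytes/second counter drop
        accept
    }

    # Packets from IoT devices addressed to the router itself:
    # DNS and DHCP only, no admin UI, no SSH.
    chain iot_to_router {
        ct state established,related accept
        udp dport { 53, 67 } accept
        tcp dport 53 accept
        counter drop
    }

    # Packets from IoT devices that the router would forward elsewhere.
    chain iot_outbound {
        # Replies to connections the trusted LAN opened (phone app -> bulb).
        oifname $LAN ct state established,related accept
        # Internet access: allowlisted hosts over HTTPS only, throttled.
        # "ip daddr" matches IPv4 only, so IPv6 from IoT falls through to drop.
        oifname $WAN ip daddr $IOT_UPDATE_HOSTS tcp dport 443 jump iot_throttle
        # Anything else is a device trying to talk where it should not.
        log prefix "iot-drop: " counter drop
    }

    chain input {
        type filter hook input priority 0; policy accept;
        iifname $IOT jump iot_to_router
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # Every path through iot_outbound ends in accept or drop.
        iifname $IOT jump iot_outbound
        # The trusted LAN may open connections to IoT devices.
        iifname $LAN oifname $IOT accept
        # Replies from the allowlisted update hosts.
        oifname $IOT ct state established,related accept
        # No other source, the internet included, may reach the devices.
        oifname $IOT counter drop
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading it, and the `iot-drop:` log lines show which destinations a device keeps trying to reach.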
    2. Re:Privacy is a lot cause by Sir_Eptishous · · Score: 2

      Your suggestions are great for the current time frame.
      The question is, what happens when these IoT devices won't function correctly without a constant phone home.
      Updates, patches, etc.

      Just look at what they did with gaming.

      --
      We play the game with the bravery of being out of range
    3. Re:Privacy is a lot cause by Actually,+I+do+RTFA · · Score: 1

      I've always owned my modem. In fact, I think it is federal law (in the US, which almost certainly means it must be in the EU as well)

      But you can easily use a downstream router to accomplish the same plan, even if you don't own the modem.

      --
      Your ad here. Ask me how!
    4. Re:Privacy is a lot cause by Penguinisto · · Score: 1

      Good point... but by then, it is hoped that a dummy server and a few /etc/hosts entries will take care of that. Also, by then there will likely be packages you can load onto your goodies, much like one can do to their phone right now.

      It's a lot like DRM has gone all this time - measure, counter-measure.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    5. Re:Privacy is a lot cause by Actually,+I+do+RTFA · · Score: 1

      I think that you misunderstand. When I say my modem, I mean I bought it from a 3rd party. I administer it. I'm not aware, off the top of my head, of any missing features.

      Maybe if you want an integrated landline or something?

      See also, 3rd party cable boxes. It's the law.

      --
      Your ad here. Ask me how!
  13. BGS style computing by I4ko · · Score: 2

    Yet when I really think about it, I find that I have no good reasons to keep my computers connected to the internet. I went to BSG style networking at home. One network for local machines, going through a router that applies firewall rules in between, then another computer connected to the edge router, yet that computer isn't quite connected to the internet. I then run a virtual machine with an immutable hard disk and browser and make PPPoE connection from that VM to the router to gain internet routing. For every web page there is a separate instance of the VM (my underpowered server can run about 8 of these in parallel) and after I'm done with the page, the machine is shut down and new one created. I'm looking for more ways to automate it, and bring almost seamless experience, between the host and guest, but still the main idea is separation. I would rather return to usenet and irc, and other services from the 90s as the internet for me is medium for communication, not a medium for consumption. Why waste my time alone in my house facebooking or netflixing when I can go out to a bar or a cinema with a date?

    1. Re:BGS style computing by HexaByte · · Score: 1

      Why waste my time alone in my house facebooking or netflixing when I can go out to a bar or a cinema with a date?

      I almost believed you until that last line. You're not a real Slashdotter! They don't have dates!

      --
      HexaByte - he's a square and a half!
    2. Re:BGS style computing by I4ko · · Score: 1

      Well, I had to put the running joke in, didn't I.

  14. It really boils down to... by Sir_Eptishous · · Score: 1

    when these sorts of things become mandatory.

    We all see that eventually self driving cars will become mandatory and driving a car will become unthinkable. It is only a matter of time.
    Eventually, these IoT surveillance and control devices will become mandatory.
    Right now we aren't forced to buy internet connected appliances.
    Right now we aren't forced to buy internet connected cars.
    Right now we aren't forced to buy internet connected clothes, toiletries, etc.

    How long will that last?

    Once the First World fully embraces the IoT, not for any reason other than because "it's cool", eventually it will become mainstream and commodified, just like having internet connectivity to your phone, computer and television is now.
    Will the government mandate IoT?

    Will we still be able to just buy an appliance that doesn't need weekly firmware updates and be constantly under threat from Romanian hackers?

    --
    We play the game with the bravery of being out of range
    1. Re:It really boils down to... by The-Ixian · · Score: 1

      When the government pays for my Internet connection then they may have some say in what I operate on it.

      I guess what I am saying is be very suspicious when the government starts paying for your Internet connections...

      --
      My eyes reflect the stars and a smile lights up my face.
  15. Re:Appernet of Apps! by Sir_Eptishous · · Score: 1

    Appsolutely!

    --
    We play the game with the bravery of being out of range
  16. And here I thought... by AutodidactLabrat · · Score: 1

    that billions of small, stupid devices hooked to the net with no local defenses from hackers and governments might be a GOOD thing...NOT!

  17. Re:I control my Wi-Fi, not them. by Sir_Eptishous · · Score: 1

    There have been reports of things like SmartTVs automatically connecting to ANY open WiFi (xFinity, etc). They are trying to create mesh networks that don't care whether you give them your network's pw or not.

    --
    We play the game with the bravery of being out of range
  18. Re:One population's security nightmare... by tnk1 · · Score: 1

    My point is valid because Apple is being fought to give the FBI a specific right to break encryption.

    This is not the same thing as most IoT devices being insecure.

    The FBI will be pleased with a capacity that they will have, but no one else will. That's fine to them.

    What they will not be happy with is the ability for just anyone to break into US homes with a vulnerability that is not limited to themselves.

    It is important to understand the distinctions, and also to understand that, as hard as it may be to believe that the FBI or NSA does anything but spy on its own citizens, it actually has another, actual stated job of protecting the US and its citizens.

    Perhaps not every person in those organizations takes that task seriously, but there are many, if not most, who do. In fact, if these agencies have an original sin, it is that they think they have to own everything in order to protect us from ourselves. The idea that they are purely out for themselves as sort of a shadow state is a conspiracy theorist wank job.

    Understand that I do realize that there are serious dangers from agencies that are trying to protect ourselves from ourselves by being able to spy on us, but you will fail to understand why these agencies have the power that they do unless you understand that they are not mustache twirling villains either.

  19. Re:I control my Wi-Fi, not them. by castionsosa · · Score: 1

    You would be surprised at how inexpensive 3G cards and antennas are. I wouldn't be surprised to find more devices just using that for a constant, unstoppable Internet connection if they can't find a link out.

    Or, they can do what modern consoles do. No Internet connection, no worky. You agreed to this, and that all info the device finds, can be given or sold freely by the device maker, in the EULA, when you opened the box.

  20. Re:One population's security nightmare... by NatasRevol · · Score: 1

    If IoT is controlled by phones, and the FBI/NSA/KGB/CHINA have access to our phones because of the stupidity of the FBI, what's the difference?

    With the power they want, they are CERTAINLY becoming much worse than mustache twirling villains.

    --
    There are two types of people in the world: Those who crave closure
  21. Re:I control my Wi-Fi, not them. by PPH · · Score: 1

    automatically connecting to ANY open WiFi

    That could be a problem if they are particularly 'smart'. But I've found that giving them an AP ID/password to a WiFi router that isn't actually plugged into any broadband usually shuts them up. And the advantage of living on a pretty large estate is that the next nearest node is well out of range of WiFi technology.

    --
    Have gnu, will travel.
  22. Importance is relevant by nehumanuscrede · · Score: 1

    It won't become an issue until some fifteen year old hacks into some Senator's $IOT and releases some scandalous information on the Web.

    You can bet your ass that security for IOT will become priority numero uno afterwards.

  23. Software wasn't tested by Okian+Warrior · · Score: 1

    I daresay your response seems a little anti-regulation-ish.

    The fault analysis didn't include the software, and indicates that the machine passed FDA muster without even considering the safety aspects of the software. It only states that the company did some testing.

    Indeed, it would appear that the FDA accepted the "software is inconsequential" argument at the time of review.

    Here is a quote from the analysis:

    In March 1983, AECL performed a safety analysis on the Therac-25. This analysis was in the form of a fault tree and apparently excluded the software. According to the final report, the analysis made several assumptions:

    (1) Programming errors have been reduced by extensive testing on a hardware simulator and under field conditions on teletherapy units. Any residual software errors are not included in the analysis.

    (2) Program software does not degrade due to wear, fatigue, or reproduction process.

    (3) Computer execution errors are caused by faulty hardware components and by "soft" (random) errors induced by alpha particles and electromagnetic noise.

    The fault tree resulting from this analysis does appear to include computer failure, although apparently, judging from these assumptions, it considers only hardware failures. For example, in one OR gate leading to the event of getting the wrong energy, a box contains "Computer selects wrong energy" and a probability of 10^11 is assigned to this event. For "Computer selects wrong mode," a probability of 4 x 10^9 is given. The report provides no justification of either number.

    1. Re:Software wasn't tested by plover · · Score: 1

      Sorry, I certainly wasn't trying to be one of the "deregulation" crowd. I was looking at the business pressures to avoid the cost of including the software in the testing, and then considered the loopholes in the testing regulations that permitted the company to skimp on testing.

      I was trying to conclude that the regulatory testing requirements were inadequate because they didn't require testing of the whole device, thus blaming the regulators for allowing those loopholes to exist. That doesn't mean that all regulations are bad, it means that in this case the regulators failed to do an adequate job of regulating.

      --
      John
  24. Filed Under "No Shit, Sherlock" by EmagGeek · · Score: 1

    Well what the hell did you all expect when you decided to put every detail of your entire sordid lives on the Internet?

  25. Re:I control my Wi-Fi, not them. by SuricouRaven · · Score: 1

    "They are trying to create mesh networks."

    That's not a mesh network. A mesh network would be if the TV, lacking an internet connection, instead connected to your neighbour's TVs, and via them to the next TV along, until it finds the poor sod who did connect their TV to the internet and can pass the messages finally back to the server.

  26. Re:Rubbish by turbidostato · · Score: 1

    "You could never give someone food poisoning by hacking their fridge."

    In fact, you can.

    Remember Alexander Litvinenko? It would have been tad more easy to kill him and avoid the diplomatic repercussion if you learn from his fridge that he buys, say, strawberries and cream from the same provider twice a month.

  27. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  28. Re:Rubbish by KGIII · · Score: 1

    They have obviously never had botulism. I won't get into details - I've shared them before. Botulism is not your normal tummy ache. Botulism is what kills you because of the force of you trying to expel all fluids from any hole in your body. Your heart ruptures, or a vein in your head or neck will burst like a bubble. Botulism is still very deadly today. It sucks.

    --
    "So long and thanks for all the fish."
  29. This security disaster was obvious day 1 of "IoT" by millertym · · Score: 1

    Anyone who ever helped their grandma or mother with their laptop could see this disaster coming from the invention of the term "IoT". IPv4 security + millions of people just plug and playing internet facing equipment = L. O. L. levels of an ugly mix of executive stupidity, investor greed, and public ignorance.

  30. I don't need a smart fridge.. by HexaByte · · Score: 1

    My wife just called, and told me we're out of milk. Why do I need a smart fridge? Not only that, but I don't want to program a menu into it so that it will tell me what I need to buy for next week's meals. That's what the wife is for.

    The things I need they don't make, like a smart tackle box to tell me if I have enough lures and leaders for the weekend trip to the fishing hole, or the smart gun safe to tell me if I have enough turkey shells for Turkey Season, deer loads for Deer Season, etc. Those are things I don't trust my wife to get right.

    Of course, this being Slashdot, many of the nerds never got far enough away from the computer to get a girlfriend, much less land her (i.e., get her to marry you). For those, who cares, your life is too boring anyway, no-one wants to spy on you, but lots of companies want to sell you crap to fill up your lonely hours. Maybe one of those lifelike companion robots...

    Me, I'm going home to a good home cooked meal and and an enjoyable nighttime activity most slashdotters just dream about!

    --
    HexaByte - he's a square and a half!
  31. Re:This security disaster was obvious day 1 of "Io by DamonHD · · Score: 1

    My mother taught me how to program.

    There are problems with IoT security but none of them come from having XX chromosomes: if anything it's the driven XY engineers that say "we'll do security on the next release" that are the issue.

    Rgds

    Damon

    --
    http://m.earth.org.uk/
  32. Recall the CIA's interest in your home by AHuxley · · Score: 1

    CIA chief: we’ll spy on you through your dishwasher (03.15.12)
    "“Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,”"

    Stay with ethernet and a computer that's web facing :)

    --
    Domestic spying is now "Benign Information Gathering"
  33. Re:Rubbish by turbidostato · · Score: 1

    "They have obviously never had botulism."

    There's no food that I can think of that can both induce botulism and requires a fridge, so I don't see what your point is.

  34. Re:One population's security nightmare... by dbIII · · Score: 1

    What if the mustache twirling villains have bought their way into the FBI? It's happened before which is why the IRS had to go after Capone.

  35. Re:Rubbish by dbIII · · Score: 1

    The point there appeared to be "sending a message" by using an incredibly rare and easily identified poison that only comes from one place. The diplomatic repercussions were expected and really didn't change anything to Russia's detriment. Everyone knew Putin was getting people killed; they just didn't have a demonstration of his reach.
    However, your point still stands if the killer wants it to look like an accident.

  36. Re:Rubbish by turbidostato · · Score: 1

    "The point there appeared to be "sending a message" by using an incredibly rare and easily identified poison that only comes from one place."

    Nevertheless, there was the tactical point about how to do it. The way they did it left traces that were usable both by the press and the other side's intelligence. Imagine for a moment they were able to give him the Plutonium (or Thorium, or whatever it was) without the need to expose either the agent or the infection path. Everybody (in the know) still would have known who was the hand after the issue, but still they'd have no card to play against him. Think, say, about Stuxnet: everybody "knew" who did it but, without traces, everybody was hesitant to act.

    And, of course, as you say, it's another vector for the "make it look like an accident" case.

  37. MAC access control and bespoke firewall rules by dsmatthews9379 · · Score: 1

    MAC access control and bespoke firewall rules solve most problems: the moment a device trips an alarm by going outside of its allowed access, you have your system drop the MAC off the allowed list and alert the owner that the device has a problem.

    The question of whether you can buy an affordable consumer level WiFi router that can do this is a completely separate matter, and the rule changes that make open router firmware development harder don't help either.
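
An added illustration of the scheme comment 37 describes, not code from the commenter or from any router firmware: a per-device destination policy is replayed over flow records, and a MAC is dropped from the allow-list and an alert raised on its first out-of-policy connection. The policy, the MAC and IP addresses, and the log format are constructed assumptions.

```python
import ipaddress

# Hypothetical per-device policy: MAC -> list of (destination network, protocol, port).
POLICY = {
    "aa:bb:cc:00:00:01": [("203.0.113.0/24", "tcp", 443)],   # TV: vendor update service only
    "aa:bb:cc:00:00:02": [("198.51.100.7/32", "udp", 123),   # camera: NTP
                          ("192.168.1.10/32", "tcp", 554)],  # camera: local recorder (RTSP)
}

# Constructed log lines in a made-up "key=value" format (not any real router's output).
SAMPLE_LOG = """\
ts=1 mac=aa:bb:cc:00:00:01 dst=203.0.113.20 proto=tcp dport=443
ts=2 mac=aa:bb:cc:00:00:02 dst=192.168.1.10 proto=tcp dport=554
ts=3 mac=aa:bb:cc:00:00:02 dst=192.0.2.99 proto=tcp dport=23
ts=4 mac=aa:bb:cc:00:00:02 dst=198.51.100.7 proto=udp dport=123
ts=5 mac=de:ad:be:ef:00:09 dst=203.0.113.20 proto=tcp dport=443
""".splitlines()


def permitted(rules, dst, proto, dport):
    """True if the flow matches one of the device's allowed destinations."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(net) and proto == p and dport == port
               for net, p, port in rules)


def enforce(log_lines, policy):
    """Replay flows; quarantine a MAC on its first out-of-policy connection."""
    allowed = set(policy)          # current MAC allow-list
    alerts, dropped = [], []
    for line in log_lines:
        f = dict(kv.split("=", 1) for kv in line.split())
        mac = f["mac"].lower()
        if mac not in allowed:     # unknown or already quarantined device
            dropped.append(int(f["ts"]))
            continue
        if not permitted(policy[mac], f["dst"], f["proto"], int(f["dport"])):
            allowed.discard(mac)   # drop the MAC off the allowed list
            dropped.append(int(f["ts"]))
            alerts.append(f"{mac} tried {f['proto']}/{f['dport']} to {f['dst']}; quarantined")
    return allowed, alerts, dropped


if __name__ == "__main__":
    allowed, alerts, dropped = enforce(SAMPLE_LOG, POLICY)
    print("still allowed:", sorted(allowed))
    print("\n".join(alerts))
```

Once the camera is quarantined at ts=3, its otherwise legitimate NTP request at ts=4 is dropped as well, which is the fail-closed behaviour the comment asks for. A MAC address is only what the device claims it is, so the per-device destination rules carry more weight than the allow-list itself.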

  38. Re:Rubbish by dbIII · · Score: 1

    With the Polonium poisoning it was as obvious as a thief deliberately leaving a calling card in a novel. It's a byproduct of reactors that are only found in Russia and would produce very bright spots on any x-ray of the victim.

    So while I get your point about subtlety, what happened to Litvinenko was the exact opposite and says a lot about how Russia is run at the moment. "In New Tsarist Russia Putin says fuck you" is the meme of the moment.

    You do have a good point about harm due to deliberately making IoT devices fail. It could be very hard to pin down especially since forging logs is likely to be part of the operation. I'm old enough to sniff stuff before consuming due to habit before "use by" dates, but others are not and some spoilage is not going to be detected that easily. Non-fatal food poisoning could be used to get the target out of their secure location and to a place where they can be targeted by another means. Personally I think the most likely source of mischief is messing with the firmware of IoT devices with large batteries to overcharge and deliberately cause fires like some of the recent "hoverboard" accidents.

  39. Re:Rubbish by KGIII · · Score: 1

    That is correct but you don't see what the point is. The point is referencing this statement from the GGP above, which had trickled down through:

    Also, most food-borne illnesses are nothing other than a nuisance, good for a day or two home from work, and are no real threat to anyone without a compromised immune system.

    There are a number of other food-borne illnesses that can and will kill you but I'm only familiar with botulism. It was also me agreeing with you - I'm not sure why you'd react as if I was attacking something you'd said. But, so be it...

    As for some things that *might* end up in the refrigerator there's some of this list care of the CDC:

    some examples are chopped garlic in oil, canned cheese sauce, chile peppers, tomatoes, carrot juice, and baked potatoes wrapped in foil.

    But no, my post was an addendum to your post, not an argument against it. I guess, given that this is Slashdot, it's not unusual to assume that a response is an attempt to argue.

    --
    "So long and thanks for all the fish."