Slashdot Mirror

← Back to Stories (view on slashdot.org)

FTC Has Serious Concerns About IoT Security and Privacy (onthewire.io)

Posted by BeauHD on from the product-shelf-life dept.

Trailrunner7 quotes a report from On The Wire: The Federal Trade Commission has sent comments to the Department of Commerce, outlining a list of concerns about the security and privacy of connected and embedded devices, saying that while many IoT devices have tangible benefits for consumers, "these devices also create new opportunities for unauthorized persons to exploit vulnerabilities." One of the key security problems that researchers have cited with IoT devices is the impracticality of updating them when vulnerabilities are discovered. Installing new firmware on light bulbs or refrigerators is not something most consumers are used to, and many manufacturers haven't contemplated those processes either. The FTC said the lack of available updates is a serious problem for consumers and businesses alike. "Although similar risks exist with traditional computers and computer networks, they may be heightened in the IoT, in part because many IoT chips are inexpensive and disposable, and many IoT devices are quickly replaceable with newer versions. As a result, businesses may not have an incentive to support software updates for the full useful life of these devices, potentially leaving consumers with vulnerable devices. Moreover, it may be difficult or impossible to apply updates to certain devices," the FTC comments say. In early May, the FTC issued a 10-page letter to eight leading players in the mobile communications arena requiring them to tell the agency how they issue security patches.

24 of 41 comments (clear)

  1. No kidding by Ol+Olsoc · · Score: 3, Insightful
    Tell me of anything we've put on the internet that has been secure and private. I just do not want to have to buy Norton or McAfee AV for my friggin toilet or refrigerator.

    Or ad blockers. Or the ridiculous piece of crap that Samsung makes that already enables MiTM attacks. https://www.schneier.com/blog/...

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:No kidding by TheGratefulNet · · Score: 2

      ctl-alt-flush

      then enter the PIN

      oh wait - the PIN was supposed to go AFTER or BEFORE the flush?

      damn.

      where's my abacus. fuck this shit.

      --

      --
      "It is now safe to switch off your computer."
  2. Decoupling by Anonymous Coward · · Score: 2, Interesting

    Decouple the software and hardware manufacturers from each other by defining lots of open, roalty-free standards and interfaces. It will work. Maybe.

    1. Re:Decoupling by invictusvoyd · · Score: 1

      You mean like windows iot?

    2. Re:Decoupling by guruevi · · Score: 1

      The standards exist. However professional builders want to lock your smart house in their own software packages and DIY-grade want to lock you into only buying their brand (DLink, Philips, Honeywell, GE, ...). It's hell trying to find something that interoperates correctly across brands even if they support a standard like ZWave.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  3. Re:Reasons why I don't like the Internet of Things by reboot246 · · Score: 3, Funny

    Worst of all, Internet of Things devices could watch me while I make passionate love to your wife.

  4. Air-gap by Todd+Knarr · · Score: 3, Informative

    Proper setup for IoT: wired networking (via powerline is probably the easiest), no WAN access. Vulnerabilities can still be exploited, but the attacker has to be inside your house to do it. A compromised PC could be used to stage an attack, but if they're compromised your PC they can control the devices directly if those are the targets and if the PC's the target they don't need to compromise the devices at that point.

    For the wireless fans, I have bad news: there isn't any safe way to access IoT devices over WiFi. The connectivity-at-a-distance nature and lack of interface to configure encryption/authentication keys on the devices makes it inherently impossible.

    1. Re:Air-gap by silas_moeckel · · Score: 1

      I have what I think is a fairly proper setup. If you want access to camera's thats wired with VPN access. You could get on my zwave network and what look at thermostats and dimmers? Sure you could turn the lights on but nothing more mischievous that costing me some money, you could see when I'm moving about and what temperature etc. Wifi you could know how much propane is in my grill and that network deadends. Primary security is hardwired it keeps my insurance guy happy, I've got some RF in that if you were realy crafty you could block it and break into my shed and get away with garden tools. I've got some proprietary radios you could turn up my hot tub or read my weather station. I'm sure somebody could come up with an attack that jumps from one of these networks through vera or openhab to get further up the stack but you still need to get past network levels controls to get out of the HA portion of the network or even into the CCTV portion.

      --
      No sir I dont like it.
    2. Re:Air-gap by Todd+Knarr · · Score: 1

      The big threat isn't that, it's a vulnerability in a server program on the zwave network that provides data from the devices that can be exploited to let you execute code on that device. Now you can load a program onto it that, rather than doing it's normal job, can connect to any of the PCs that can see that data. The PCs will see an internal connection which bypasses the router's firewall and quite possibly the PC's individual firewall if like most people you've told your PCs they're on a home network and can trust other local computers. Being able to do that only if you already have access to the inside of the house isn't particularly risky, the set of potential attackers is pretty limited. Being able to do that via WiFi, OTOH, means anybody driving by on the street could attack you and that's a whole 'nother order of risk.

    3. Re:Air-gap by silas_moeckel · · Score: 1

      Thus my I'm sure somebody could come up with an attack that jumps from one of these networks through vera or openhab to get further up the stack statement. And why both of those have very little access to anything. I would frankly be far more worried about somebody getting into one of these cloud connected HA controllers I picked gear specifically that will work without an internet connection.

      --
      No sir I dont like it.
  5. May not? by turbidostato · · Score: 3, Insightful

    "businesses may not have an incentive to support software updates for the full useful life of these devices"

    Make mandatory by force of law and there you have your incentive.

    1. Re:May not? by guruevi · · Score: 1

      How are you going to enforce this? The majority of "smart" devices are shipped directly from China and don't even have things like manuals, English text or UL listings let alone up to date software. I've seen some heavy duty equipment even that have 200W lasers ship with an aquarium pump and software that runs only on XP with Windows 95 compatibility.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:May not? by geekmux · · Score: 2

      How are you going to enforce this? The majority of "smart" devices are shipped directly from China and don't even have things like manuals, English text or UL listings let alone up to date software. I've seen some heavy duty equipment even that have 200W lasers ship with an aquarium pump and software that runs only on XP with Windows 95 compatibility.

      Then perhaps it's time we stop importing cheap SHIT that fails to meet basic standards.

      Since price trumps all for the ignorant masses, I guess we'll have to wait for those trillion-dollar class-action lawsuits. You know, because those are sooooo worth it to consumers in the end when we receive a free coupon for a month's worth of light bulb monitoring service.

    3. Re:May not? by turbidostato · · Score: 3, Insightful

      "How are you going to enforce this? The majority of "smart" devices are shipped directly from China"

      The same way things like that are enforced in EU: no seal of approval? can't be legally imported. For things that are imported by a trader in USA, you go after the trader. For things that are imported by an end user, that's what things like TTIP *should* be: government-to-government agreement that this won't happen or the seller will be fined by its domestic country..

    4. Re:May not? by turbidostato · · Score: 1

      "Do you need the government to wipe your butt?"

      This is a democracy. I *hire* the government to wipe my butt.

  6. Is someone deliberately posting this stuff? by AbRASiON · · Score: 1

    https://slashdot.org/comments....

    Seriously it's meaningless bullshit, STOP.

  7. Vald concerns by the FTC by Anonymous Coward · · Score: 1

    Companies have grown very obnoxious: Samsung's TV which listens to what is said in your home so it can deliver targeted ads http://money.cnn.com/2015/02/0... http://www.bbc.co.uk/news/tech... and Microsoft's Windows 10 which spies on everything you do http://bgr.com/2015/07/31/wind... http://www.independent.co.uk/l...

    Unlikely people would buy a Samsung's TV if they knew about this, but Microsoft has a virtual monopoly we can't avoid. Time for the FTC to stop these repugnant companies for abusing their dominant positions.

  8. IoT: The Gift That Keeps On Taking by JustAnotherOldGuy · · Score: 4, Insightful

    IoT is a nightmare already and is bound to get worse. None of these manufacturers take security seriously, it's all just "Hey, lets make our $gadget internet connected and brag about it!".

    Most of the "benefits" are marginal or meaningless, and I can guarantee you that this whole IoT shitstorm is going to get worse- much worse- before it gets better. If it ever gets better, that is.

    You think you got vulnerabilities coming out of your ass now, just wait. You ain't seen nothin' yet.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  9. Security is an afterthought by Natales · · Score: 1

    The IoT market is indeed insanely hot and competitive, and time-to-market can make or break a product's success. This means that the MVP version (minimum viable product), that is supposed to be just the first step in an iteration, many times ends up becoming the version that gets shipped.

    It's very rare that security is considered in an MVP. Some simpler types of IoT devices (typically send-only), that rely more on the cloud back-end, may have better luck by improving the security of the cloud-based components over time, but if the device accepts input and network commands, all bets are off.

  10. Where is the outrage for smartphones?!? by geekmux · · Score: 4, Interesting

    So the FTC is suddenly concerned about updating software or firmware for IoT devices. Can someone please explain to me where the hell the outrage is for vendors who stop supporting smartphones well before their useful life?

    Humans carry around their lives in smartphones these days. Needless to say, having my "vulnerable" light bulb hacked isn't going to have the same impact as rooting my phone.

    Believe me, I like the attention IoT security is perhaps finally receiving, but talk about priorities...

    1. Re:Where is the outrage for smartphones?!? by swillden · · Score: 1

      Can someone please explain to me where the hell the outrage is for vendors who stop supporting smartphones well before their useful life?

      Sure.

      It doesn't exist because the vast majority of smartphone buyers simply don't care. Many expect to replace their phone every other year or so (or more often as the devices get broken), and most of the cost-conscious don't care because in practice the security issues don't affect them. Sure, in theory their old, unpatched devices are horribly unsecure, but in the real world nothing bad actually happens because of it. The real problems that affect users are things like SMS fraud and ransomware, which have little to nothing to do with security vulnerabilities.

      So, the only people who get outraged are geeks and pundits, and no one pays much attention to them. The FTC pays attention to worries about IoT devices because they're in the future which makes it easy to worry that the problems will be horrendous. Smartphone security issues are in the present, and in terms of real-world impact they're pretty minimal so no one gets too worked up.

      If we as a society want our smartphones to be supported for longer, we're going to have to be willing to pay for it, because phone manufacturers (other than Apple) are already operating on razor-thin margins. I can see three ways it could happen:

      1) OEMs could increase the price of devices across the board. Since the additional cost would be widely distributed, the per-unit increase would be pretty small. However, this would mean that all of the users who don't care about long-term support would be subsidizing those who do. It would also mean that manufacturers who don't do this would have a competitive advantage over those who do because, again, the vast majority of smartphone users don't care.

      2) Governments could mandate long-term support. That would effectively impose a tax on users who don't care about long-term support in order to subsidize those who do.

      3) OEMs could offer long-term support contracts to the users who care about them. I don't know for sure, but I suspect the number of such users would be small enough that the support contracts would be expensive. Perhaps enough that it would make more sense for users to want the support to simply buy a new device.

      In any case, in the current situation, the way you get support is by buying a new device every other year.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  11. Re:not all things require the same security by geekmux · · Score: 1

    variety is the spice of life

    Hack and screw around with voltage regulation, and you could start a fire.

    Hack a fridge during the day and shut it off for a few hours. Turn it back on so the consumer doesn't notice its become a food poison death trap.

    If you think IoT doesn't require a security baseline, you're being ignorant of the dangers.

  12. Correction: by argStyopa · · Score: 1

    Correction: any rational person has severe concern about security and the ridiculous "IoT".

    --
    -Styopa
  13. What is this thing you call... computer? by JesseEnjaian · · Score: 1

    “IoT devices are capable of collecting, transmitting, and sharing highly sensitive information.”

    "these devices also create new opportunities for unauthorized persons to exploit vulnerabilities."

    “The massive volume of granular data collected by IoT devices enables those with access to the data to perform analyses that would not be possible with less rich data sets,”