Slashdot Mirror
If It Uses Electricity, It Will Connect To the Internet: F-Secure's CRO (theregister.co.uk)
New submitter evolutionary writes: According to F-Secure's Chief Research Officer "IoT is unavoidable. If it uses electricity, it will become a computer. If it uses electricity, it will be online. In future, you will only buy IoT appliances, whether you like it or not, whether you know it or not." F-Secure's new product to help mitigate data leakage, "Sense", is a IoT Firewall, combining a traditional firewall with a cloud service and uses concepts including behaviour-based blocking and device reputation to figure out whether you have insecure devices.
I get his point - more things will be connected to the internet. But more things will also not be. The internet is a utility now, it's not just new and shiny. Sure, there will be coffee machines that are connected to the internet you can buy, but there will be a ton of people that don't want them and want a normal coffee machine. If you don't believe me, look at pets.com and the bubble burst. Seemed at the time that everything would be purchased through a web site. Sure, Amazon has some pet food sales. But people aren't ever going to stop buying dog food locally.
Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
Film at 11.
He's probably right about the push towards having to be online, but I fail to see how an IoT firewall should mitigate it. Especially with the increasing use of IPv6, which means more and more IoT devices will try to get un-NATed access to the internet (and will probably also get their wish granted).
Good luck trying to firewall that.
Sorry, but no. If we want secure IoT devices, we have to demand them. And that means not buying the shoddy, insecure junk that's currently peddled. And I'm not even talking about any gimmicky gadgets from some Aliexpress shops, I'm talking about our "smart" TVs and other "smart" appliances made for dumb people.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Just rip out the antenna so it can't try to get on your wifi or cellular networks. Bam, good old fashioned dumb appliance that will simply do what it was originally designed for instead of trying to integrate a billion little web marketing doodads on to a screen that shouldn't be there in the first place.
There's always a market for 'dumb' things, be it phones, tools, or appliances. Your choices may be far more limited if you don't want an IoT appliance, but you're not going to be forced to buy one. Someone will see an opportunity for non IoT items and sell to those people. That's the way the market works.
I find it unlikely that my soldering will be part of the great IoT revolution.
Maybe the power-outlet it plugs in to, though...
Not in my house, it won't.
I think he is overestimating how many people will pay a subscription to a cell plan (even at 5bucks/mon that is 60 bucks/yr X #IoT devices) and if the IoT maker opts for WiFi, who says I am going to give the IoT device the password? And if the device does not work without wifi, I'll return it.
Wonder if going solar would help with this idea, or would "they" just try to mic/camera my solar charged battery.
"Imagination is more important than knowledge" - Einstein
After reading the article, I am looking forward to IoT sewage pump.
The guy undercuts his own point.
His claim is that every device will have cheap telemetry installed to report whatever the vendor wants to know. Which isn't unreasonable.
However, the avenue this telemetry uses is the question. "Such devices will not rely on home Wi-Fi systems, says Hypponen, rather undermining the principle behind the company's new Sense hardware." (They pretty much all use home wifi now.)
Until then, it's not a terribly difficult process to look at your wifi and disable connections from Mac addresses you don't know, or that identify as 'Toaster" or "Coffeemaker", is it? I mean, how insecure IS your wifi?
-Styopa
My Tektronix 547 would like you to try connecting to it.
People making ludicrous declarations like this really ought to stop for a moment and think about the silliness that they're predicting. Is there really a need for, say, my air compressor need to be on the Internet? It uses electricity, after all. Is there an advantage to reporting to someone--the Central Air Authority, I guess--that I just put air in my tires. And, of course, I expect that there's some dweeb who thinks that my smartphone receiving a text message alerting me that I just inflated my tires to 45psi is the best thing to happen in the history of the planet. It's not. Just like having every item on Earth available via the Internet is a marvelous idea... if you're a ten year old.
What happens if next week an IOT device is at the heart of another terrorist attack?
what if the ISP's get their way and are able to jack up the rates on bandwidth?
What if people start realizing that there is no incentive for manufacturers of IOT devices to give a shake about security and thus just stop buying them?
there are many ways that the future can unfold and predicting it relies on making a whole shit load of assumptions. That and this is also coming from a guy that likes locked down ecosystems, and is against user programmability. (second page, first couple paragraphs FTA). So he says that IOS is great because there is no malware except he neglects to address that the App store on every closed ecosystem has malware some where on it and the companies (google,apple,and microsoft) aren't that good at getting rid of it. So pretty much this is an add from a corporate shill that advocates for an all your eggs in one basket approach, where the basket is behind closed doors and you cant even take a look inside to see if your eggs are rotten or not...
can we make a new rule for slashdot? no more interviews or commentaries from the c-suite crowd who are politicking rather than give their honest opinion? maybe bring it back to being a news site? not a social commentary from our great and powerful overlords?
...in YouTube videos and independent businesses specializing in disabling the antennas in IOT devices...
Yay, headline-bait garbage! If you don't plug an ethernet cable into it or tell it your SSID and wifi password, then I guess there's no threat at all and they won't sneakily connect to the internet without your knowing and hack your whole house and OMG your whole family is gonna die ahhhh!!!
My brain and nervous system use electricity. Are those going to become computers and move online? I'm willing to consider it as long as the source is audited by multiple trusted parties.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
In order to be online, I either have to a) plug it in b) configure it with my WiFi encryption or c) provide unencrypted WiFi. It can't get online unless I put it online.
So are appliance makers going to pay for people to have internet access? What are they going to do for people who can't get access? It just seems unreadable if not completely idiotic.
Simple as that
Twinstiq, game news
We have seen several years already of adding connectivity for marketing's sake alone, and with some well known disastrous results. Problems come in two camps, only the first being security of cheap poorly designed widgets. The second is plain old functionality, which is what will ultimately keep IoT from becoming truly ubiquitous and ingrained.
Even if (big IF) security was tied up with a bow, the utility side is a big one. Fly by night companies stop support for products and shut off servers within months to at most a year or two of selling a widget. Once sales drop off and they focus efforts on the next shiny object the incentive to maintain the old is just gone. Having an internet connected meat thermometer sounds great until you bust it out the next summer and find it no longer works because ACME.com is out of business or stopped supporting your MeatWand 2000.
Layered on top is the need to get the widget online and keep it online. Bashing in your WiFi password into every widget coming through the door is both a hassle and a source of fear. Want to figure out how to change your passwords on EVERY widget that uses electricity in your house if you change ISP's and get a new router? I certainly don't want to be unable to run a load of laundry to toast toast because there is an internet outage. Connectivity must then optional, and most widgets cannot be enhanced in any useful way beyond their bare utility by being connected. Most of the enhancements are of novelty value at best.
More and more devices will want to connect in the future, but I'll be damned if I give them access.
The main problem with the IoT is that is givens hackers all over the world (lone wolves or state sponsored) the power to disrupt our society. Get the security right FIRST. Otherwise this will be a giant mess.
Yes, a huge slap is warranted to slap companies out of their stupor, and think "should this ever even be considered to be an IoT device?"
What happens if next week an IOT device is at the heart of another terrorist attack?
It will be the news for a week then nobody gives a shit about it anymore. Why do you think this is different from the other attacks?
what if the ISP's get their way and are able to jack up the rates on bandwidth?
Why should the makers of IoT devices care? Yes, people will lament over them using their bandwidth. AFTER they bought them.
What if people start realizing that there is no incentive for manufacturers of IOT devices to give a shake about security and thus just stop buying them?
Is that a trick question? You're reading on /., so you know consumer habits when it comes to computers and internet. When, in the whole history of both of them, have security problems in any technology, in any place, in any way, EVER made people think "Hmm... maybe I shouldn't use that crap"?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Probaly not as silly as it sounds
Ring Ring Ring
Hello?
This is Mike from Windows-IOT. Oh my goodness gracious, we have detected that your toaster is compromised. You must do the needfull and give us access to your toaster's remote interface. And also we need your credit card number to pay for securing your toaster.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
This assumes I have internet service where I live.
naaaaaaaaaaaaaaaah, I have tons of other choices with my hot air soldering gun and flash programmers.
"If it uses electricity, it will be online."
Like my metal detector's going to get any sort of connectivity signal A. out in the middle of nowhere desert areas and B. inside a mine shaft.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Manufacturers are effing *CHEAP*. Yes you might be able to mesh network a device with a 2-cent chip. But you can't make a *SECURE* device for 2 cents. You'll get the usual idiot practices of hardcoded passwords being the same for all products of the same model, communicating by cleartext telnet. When bricked devices start being returned in droves, watch for manufacturers to change their minds quickly.
Ditto for not operating when not connected. maybe Brickerbot can get some of these devices to transmit a random noise signal at max power. Eventually it'll become like wifi in my condo, where I can see 25+ neighbours' systems fighting over the same 11 channels. If it needs connectivity to work at all, a *LOT* of people will avoid it.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
In the long dark teatime of the soul
My toaster cries at midnight.
It has no port to connect to others
No mouth to voice it's desire to toast to perfection.
It remains, as before,
Metal heating element bars.
Which merely
toast.
Cry toast and let loose the IoT, fair Horatio!
-- Tigger warning: This post may contain tiggers! --
https://www.youtube.com/watch?v=LRq_SAuQDec
I still haven't seen an idea jell whose time has come. Regular people need a website where they can navigate to find the information needed to reliably de-smart their property.
An example page would read:
"To disable the 'smart connection' of your Bliengditz Toaster/Yogurtmaker, drill a hole 11mm deep with a #34 drill where shown on this diagram."
The key would be to provide the strategic information needed to disconnect devices without disabling needed functionality, i.e. to sever the net connection but leave the control logic to usefully operate the device.
It's an idea whose time has come.
Of course F-Secure's Chief Research Officer would say that.
My soldering iron uses electricity but does not need to be connected to the internet.
My drill uses electricity but does not need to be connected to the internet.
My power saw uses electricity but does not need to be connected to the internet.
My welder uses electricity but does not need to be connected to the internet.
My flashlight uses electricity but does not need to be connected to the internet.
My blender uses electricity but does not need to be connected to the internet.
There are a _LOT_ of devices that don't benefit from internet connectivity and are find just the way they are now, dumb.
K.I.S.S.
We already can have Internet capable vibrators, some are even equipped with cameras.
Isn't that great? Very useful if it has a location sensor.... where can a vibrator go?
Electric nose hair trimmers. Electric toilets (Toto and such). Electric screwdrivers. Electric knives.
All of these need to be on the Internet, how have we ever lived before being able to twitt the length of your nose hair...
You can't handle the truth.
geeze getta load of all these would-be 9-fingered wonders.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I already saw some website recently showing all kinds of sill IoT things. Don't remember where, but seriously useless silly stuff.
Simply don't allow the IoT devices on your local network ... problem solved.
...combining a traditional firewall with a cloud service
So it's a device that is used to restrict the access between IoT devices and the outside world, but relies on a cloud service to operate? No thanks. I'll take a router that offers me two wifi networks, one for my computers/tablets/etc and one of all of the iToasters, has the ability to block one of those from reaching the outside world, and doesn't require someone else's website to configure it.
Devices may *want* to be or have the capability to be connected to the Internet, but w/o a CAT5 cable plugged into it, or a local WiFi password, it's not going to happen. If they try to use any near-by open hot-spots, I guess we can just put little Faraday cages around the damn things.
If a device doesn't work w/o being connected to the Internet, then I won't buy it.
It must have been something you assimilated. . . .
And those will begin to see that a device that cannot connect to the internet as an advantage and that will make sure they get that.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
You folks aren't seeing the big picture here. It isn't as much about the cloud IoT as it is about you local house LAN. Imagine everything you buy from furniture to toothpaste is automatically meshed into your house LAN, you can do anything from identify when the toothpaste runs out and it automatically orders more, to adapting your house's floor plan for the ideal placement of that couch you just bought before it even arrives. Anything that breaks, needs new batteries, or you want to keep track of will be meshed to your local LAN. That's the future.
Thats current capitalism. We don't need IoT at all, but convenience makes it feel that way. "Mental health." Stop being lazy? How are these devices going to just connect to your wifi without permission?
Although he may certainly be right about mass-market consumer devices, there will always remain at least a niche market for devices that are not connected to anything.
I mean heck... what about raw electronic components? Is he suggesting that even basic led's will connect to the internet?
File under 'M' for 'Manic ranting'
Virus scanners will have long since been rendered obsolete.
People will demand and have the means of fully controlling their systems entirely by themselves within their own administrative domains. This will have become even easier than today's cyber stalking "cloud based" "IoT" malware "appliances" forcing you to connect to other peoples servers thousands of miles away just to adjust some widget a few feet away from you.
People will have long since gotten over marketing campaigns celebrating gadgetry with pointless complexity and features which provide no coherent value proposition to the end user.
People of the future will look back at present day with disdain and shock corporations were allowed to violate their customers privacy and security as they please with no repercussions in order to maximize profits.
Which IMHO is a good thing. People have way too much shit.
Frak those Cylons! Don't let them connected! Stay off!
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
INASMUCH as wifi access points are increasingly, especially in a home or other residential environment, SECURED, in order to connect through THEM, the IoT appliances would need to know the password for at least one.
Unless of course, they use cellular connectivity to spy on you, but that require them to get the permission of at least A wireless provider, AND the cost of the transceiver would increase the final unit cost so much that for something like a coffee maker, a toaster, etc., no one would STAND for it. Hence, there will likely always be a demand for NON IoT devices and appliances.
Also, I really and truly doubt they could do it legally without the end-user's knowledge. For one thing, if it emanates RF energy, it would need an FCC compliance statement, (in the US,) which would tip you off that something's up. Hmmm... why does my TOASTER have an FCC compliance statement on it? Also, why does it do only what this $10 one does, but cost $73.95?!?
Further, even if they try to be tricky and start sneaking shit like this into our homes without FCC compliance AND a certification as to that compliance, they'd either get fined or shut down, OR, if they went around that by using some other means of communication such as ultra-high frequency sound, either way, you can tell it's doing it, just by using a radio scanner. I'm sure there are devices designed to help you detect the presence and operation, and locate the source of either radio waves coming from a device that really should NOT be emitting any, or of ultrasound, etc.
(I'm sure that elsewhere in the world, such as the EU, there are probably similar rules to whatever the FCC has here, even if not identical in all or any cases.)
I wouldn't even be too surprised if there are apps that take advantage of your smartphone's radio receivers to detect and help you triangulate such things. Going to be interesting to research this.
And your old CRT television set used 10 times the power of your new LED flat-screen.
As one who has repaired such items for 40 years, I cry foul. I noticed my work computer's CRT only drew 50% more current than the then-new LCDs of similar size.
Things are becoming junk. Buy anything lately? Doesn't seem to matter from which company. Stuff isn't made to last anymore. It's not lasting because they are making them electronic. Dishwasher for example. I own a bunch of rentals. A 1990s era dishwasher I would get about 20 years out of. I have a rental where we replaced a 1960s era dishwasher with a 2010 version. Had to service it twice, then replace it in 2015 because it was SHOT. Wires melted inside and such. Same with the range/oven. That was replaced about the same time. Also had electronic shit in it. I have one house that has a range that was installed in 1964, still going strong. It's a GE. Finding GE ovens from the 1960s in 1960s era houses still running is very common. 50 years people.
Another house I had a brand new dishwasher installed and it's been running for a whole month. Probably 4 or 5 times and the heating for drying the dishes is already not working. I also don't put crap in. I put stuff that I think I won't have to worry about for a couple of decades I hope.
So we need to push back and get rid of all of this new fangled electronic stuff. It's crap. Go back to the good old tried and true mechanics and relays and such. We don't need our stuff on the internet. Everyone knows the Internet is for porn after all.
What happens if next week an IOT device is at the heart of another terrorist attack?
It will be the news for a week then nobody gives a shit about it anymore. Why do you think this is different from the other attacks?
what if the ISP's get their way and are able to jack up the rates on bandwidth?
Why should the makers of IoT devices care? Yes, people will lament over them using their bandwidth. AFTER they bought them.
What if people start realizing that there is no incentive for manufacturers of IOT devices to give a shake about security and thus just stop buying them?
Is that a trick question? You're reading on /., so you know consumer habits when it comes to computers and internet. When, in the whole history of both of them, have security problems in any technology, in any place, in any way, EVER made people think "Hmm... maybe I shouldn't use that crap"?
AND that's the REAL problem now isn't it?