Security

Beware the Ticking Internet of Things Security Time Bomb

alphadogg writes: A panel of security experts, including from IBM, LogMeIn and formerly RSA, warn that IoT security is a growing threat because device makers haven't baked in security. IT security staffs are already inundated with safeguarding internal infrastructure and cloud-based resources, so guarding against a slew of new threats is likely to be overwhelming. LogMeIn's Paddy Srinivasan says most Internet-of-things OEMs "barely even have IT staff," so they aren't capable of developing rigorous security even if they wanted to. IBM’s Andy Thurai says most companies are rushing technology to market to try to monetize you as much as possible, and they aren't even willing to give you a cut for the data you supply. Regulations may help, but probably not enough and definitely not soon.
  • With Samsung recording data on the Smart TVs, it's not too far-fetched that the IoT will in large part be a system of tracking end users to inundate them with more targeted Ads.
    • by atrimtab ( 247656 ) on Tuesday May 12, 2015 @05:56PM (#49677437)
      if you cannot completely turn that intrusive privacy-robbing feature OFF permanently. Devices that phone home to their real corporate master are not owned or controlled by YOU.

      It is really that simple. That means don't buy Dropcam or a Nest or any of the other "easy to use" everything is stored "in the cloud" IOT devices that are out there and are the most heavily promoted.

      There are network security cameras you can secure easily and control the recordings of. There are also "home automation" devices that only talk to each other within a defined area using reasonable encryption. You just have to be very careful and research what you are buying.

      I note that in my last visit to BestBuy every IOT and home automation device promoted was more useful to the company who manufactured it and was collecting all the customers' data than to the customer.

      You can program your home router to block all outgoing traffic except from devices you select and you will find that many IOT devices will no longer work if you block their ability to "phone home."

      • I have a better idea: Don't buy any 'Internet of Things' devices in the first place. Nobody needs them.
        • by Zero__Kelvin ( 151819 ) on Tuesday May 12, 2015 @08:14PM (#49678205) Homepage
          Ah, yes, Grasshopper. I've been around long enough to remember when people said that exact same thing about a "home computer." "Don't buy any 'Personal Computer' devices in the first place. Nobody needs them," they used to say :-)
        • not buying that crap. except my alarm system.

          wait a minute...

        • by Anonymous Coward

          Actually, there are some good use cases like: Elder care.

          Exterior video surveillance, remote control keypad door locks that can be unlocked securely, sensors on doors and motion sensors can provide families with ways to assist an elderly parent with memory or physical issues remotely without intruding too much.

          There are IOT products that can provide this that do not 'phone home' to manufacturers. But it does take research to find them.

        • It seems there is a lot of confusion about IoT. It is not about house automation at all; it may be about it, but it is not the main target for IoT. However, the vendors are jumping on the marketing bandwagon and decide to rename everything they were already providing or extend the capabilities of their gizmo with useless internet extensions just to call it an IoT device. Unfortunately, many conclude the IoT is about useless gizmos that are spying on you or whatever.

          IoT is rather than about devices to monito

      • by AmiMoJo ( 196126 ) on Tuesday May 12, 2015 @11:17PM (#49678925) Homepage Journal

        I find it depressing that our attitude is now "avoid new technology" rather than "how can we make this secure?"

        Maybe it's time for an open source secure IoT platform that companies can use. As well as an OS it would need to provide stacks for doing common IoT stuff in a secure way, that has privacy controls built in.

        Buffalo ship routers with DD-WRT installed, advertised as a feature. Maybe some kind of certification process could be created, that includes the ability to do updates to the core OS and remote shut-down via blacklist if products are ever found to be vulnerable and unfixable.

        • by Hognoxious ( 631665 ) on Wednesday May 13, 2015 @12:12AM (#49679123) Homepage Journal

          I find it depressing that our attitude is now "avoid new technology" rather than "how can we make this secure?"

          I find it depressing that people confuse "don't waste money on useless shit" with "avoid new technology".

        • Absolutely. If there was a secure framework for network-connected IoT devices with documented measures to implement the administration or user management, then we'd get secure devices. Without it, we will have servers listening on port 80 to anyone who wants access.

          It'll need a fancy logo like DLNA has, and some form of certification so manufacturers know they must use it in order to get customer acceptance, and that gets you into the world of standards bodies and all the politics that goes with it. Still,

        • by Trogre ( 513942 )

          I think you'll find the prevailing attitude is "avoid useless technology".

          Granted there is a certain level of geek cred for connecting something to the net that has never been connected before, but at a practical level I have absolutely no need for my television, kettle or frickin light bulbs to be Internet connected.

          Now that it is well established that 1) Governments want to spy on you and 2) Companies want to spy on you, I would expect that you, a reasonably seasoned Slashdotter, would see the folly in a

    • You misunderstand the problem.

      With Smart TVs recording your watching habits in order to send you adverts, there is the potential for someone else to get access to it and record everything else about you.

      One day you'll get a link to a website that shows you and your babysitter 'earning an extra bonus' with a payment demand to have it removed - all of which was recorded by your smart TV but sent to a Russian hacker rather than Samsung.

  • Companies, rushing to get things out to market, not bothering to do enough testing, nevermind rigorously ensuring that they've secured their products?
    Inconceivable!
    Next you'll probably try and tell me that they'll threaten to sue security researchers that expose the inevitable flaws rather than simply fixing them.
  • by Ateocinico ( 32734 ) on Tuesday May 12, 2015 @04:35PM (#49677155)

    Connectivity seems to be this decade's fin tail and chrome craziness.

    • by 0123456 ( 636235 )

      Why connect EVERYTHING?

      $$$$$$$$$$$$$$

      What more reason do you need?

      • by Marginal Coward ( 3557951 ) on Tuesday May 12, 2015 @04:52PM (#49677263)

        I'm not sure if I'll connect EVERYTHING. However, I plan to connect at least my refrigerator to the Internet in order to give the power to curdle my milk to Kim Jong Un. If he makes use of that, then Snap, Crackle, Pop and I will know for certain that he's truly EVIL.

      • Infrastructure like railroads, bridges, etc. can be fitted with a massive number of telemetry sensors at low cost. Many bridge inspections could be done remotely if the bridge is covered with thousands and thousands of strain gauges. The USGS and the weather service can offer more and better information to the public with more advanced sensor networks. Maybe with enough sensors and the right software, we could predict earthquakes. Who knows? The technology is not there.

        The security wonks tell us over a

    • by Anonymous Coward

      What better way to convince a large number of people to replace big ticket items like refrigerators or washing machines?

      • I could use a newer refrigerator, our current one was second hand when we bought it thirteen years ago. So if clueless people start selling off their nice refrigerators because they're 'dumb' there will probably be deals to be had.

    • by SeaFox ( 739806 )

      Once everything is connected a company will be able to use the shoddy IoT security to peek around your house and learn what brands/models of appliances and other products you own. Think how easy market research will be! No more having to convince people to complete a survey by giving them some freebie.

    • Analytics. Other than chrome plating, having connectivity and the ability to collect data is useful. Unfortunately the term IoT has been abused by corporations to the point where IoT now means Internet of Things I Know About Customers. But there are real benefits to the IoT movement when the user is in control of the data.

      Case in point: My wireless power meter. The company manufactured a dongle for a PC that logs history of power use. Naturally this dongle reports power use to the company and you have to acc

      • But to me the use wasn't worth the privacy invasion.

        You know the power company already has a really tremendous ability to monitor your power usage on a continuous basis. They can tell if you stay up late, they can tell if you sneak home during the day to cheat on your wife. They can tell how much you run your electric dryer so they can tell how many people are living in your house. They can probably tell you what model of refrigerator you own, just from looking at the power curves. No doubt your wife's lawyer or your insurance company (or someone else'

        • My power company is heavily regulated and I have strong legal representation in the form of a local consumer ombudsman.

          I can't say the same for a 3rd party entity where I don't even know which country they are based in.

          Oh and I don't have a smart meter so unless someone is sitting down outside my switchboard, no they can't do the above, but I'm also significantly less concerned about my power company having this information given that their business model isn't based around the collection of customer data

    • Have you ever been at the store and wondered if there was anything else you needed to replenish in your fridge? Wouldn't it be great to pull up a webcam view of the interior right at that moment? Or how about making sure your oven and stove and iron are off? Or getting a video call on your smartphone when someone rings your doorbell while you're not home?

      These are just a few of the things that I personally would find useful or at least interesting - I'm sure other people have entirely different lists of thi

  • by avgjoe62 ( 558860 ) on Tuesday May 12, 2015 @04:40PM (#49677195)

    I run DHCP, only allowing MAC addresses I want to get a routable address. And just in case, I also run a firewall where I can see what devices are connecting to the outside world.

    The day my toaster tells me it NEEDS an internet connection to make toast is the day I make toast over a campfire.
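Both the earlier suggestion to program the home router to block all outgoing traffic except from selected devices and the DHCP-plus-firewall setup in this comment come down to per-device egress allowlisting. Here is an added example, not from any commenter, in Python: it parses the lines an iptables LOG rule on the LAN-to-WAN path would write and reports which devices reached Internet destinations outside their allowlist; the MACs, addresses, log lines and allowlist are all constructed.

```python
#!/usr/bin/env python3
"""Report IoT devices that phone home outside a per-device egress allowlist.

Input is the text a home router's iptables LOG target writes for a rule such
as `-j LOG --log-prefix "IOT-OUT "` on the LAN-to-WAN path.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in iptables LOG format (not real captures).
# The MAC= field is 14 octets: destination MAC (6), source MAC (6),
# ethertype (2). The sending device's own MAC is the middle six octets.
SAMPLE_LOG = """\
May 12 17:01:02 gw kernel: IOT-OUT IN=br0 OUT=ppp0 MAC=00:11:22:33:44:55:d8:f1:5b:aa:bb:cc:08:00 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=49152 DPT=443
May 12 17:01:05 gw kernel: IOT-OUT IN=br0 OUT=ppp0 MAC=00:11:22:33:44:55:d8:f1:5b:aa:bb:cc:08:00 SRC=192.168.1.50 DST=198.51.100.7 PROTO=UDP SPT=53211 DPT=123
May 12 17:01:09 gw kernel: IOT-OUT IN=br0 OUT=ppp0 MAC=00:11:22:33:44:55:b8:27:eb:11:22:33:08:00 SRC=192.168.1.77 DST=192.168.1.1 PROTO=UDP SPT=5353 DPT=5353
May 12 17:02:41 gw kernel: IOT-OUT IN=br0 OUT=ppp0 MAC=00:11:22:33:44:55:b8:27:eb:11:22:33:08:00 SRC=192.168.1.77 DST=203.0.113.99 PROTO=TCP SPT=40001 DPT=80
May 12 17:03:00 gw kernel: IOT-OUT IN=br0 OUT=ppp0 MAC=00:11:22:33:44:55:0c:8e:29:dd:ee:ff:08:00 SRC=192.168.1.90 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=443
"""

# Constructed egress allowlist keyed by device MAC: each device may reach only
# the listed (destination network, TCP/UDP port) pairs on the Internet. A
# device with no entry at all may not leave the LAN.
ALLOWLIST = {
    "d8:f1:5b:aa:bb:cc": [("203.0.113.0/24", 443)],  # camera: its vendor's 443 only
    "b8:27:eb:11:22:33": [],                          # thermostat: LAN only
}

# Explicit local ranges (RFC 1918, link-local, multicast). ipaddress' is_private
# is deliberately not used: it also treats the documentation ranges used in the
# sample above (203.0.113.0/24, 198.51.100.0/24) as private.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "169.254.0.0/16", "224.0.0.0/4")]

LOG_RE = re.compile(
    r"MAC=(?P<mac>(?:[0-9a-f]{2}:){13}[0-9a-f]{2}) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)",
    re.IGNORECASE,
)


def parse_line(line):
    """Return (device_mac, src_ip, dst_ip, proto, dport), or None if not a LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    octets = m.group("mac").lower().split(":")
    device_mac = ":".join(octets[6:12])  # skip the six destination-MAC octets
    return device_mac, m.group("src"), m.group("dst"), m.group("proto").upper(), int(m.group("dpt"))


def is_permitted(mac, dst_ip, dport):
    """True if dst_ip:dport is on the LAN or on this device's allowlist."""
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in net for net in LAN_NETS):
        return True  # talking to other local devices is not phoning home
    return any(dst in ipaddress.ip_network(net) and port == dport
               for net, port in ALLOWLIST.get(mac, []))


def find_violations(log_text):
    """Map each offending device MAC to the set of (dst_ip, proto, dport) it reached."""
    violations = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        mac, _src, dst, proto, dport = parsed
        if not is_permitted(mac, dst, dport):
            violations[mac].add((dst, proto, dport))
    return dict(violations)


if __name__ == "__main__":
    for mac, flows in sorted(find_violations(SAMPLE_LOG).items()):
        label = "listed device" if mac in ALLOWLIST else "UNLISTED device"
        for dst, proto, dport in sorted(flows):
            print(f"{label} {mac} -> {dst} {proto}/{dport}")
```

Unlisted devices show up as soon as they make their first outbound connection, which is the cheap way to notice a new gadget that was never added to the MAC allowlist.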

  • by turkeydance ( 1266624 ) on Tuesday May 12, 2015 @04:48PM (#49677239)
    from back in the day when cars talked to you: "your door is ajar". fail. a local woman wrecked her new car when she heard "spirits" talking to her.
    • by Anonymous Coward

      I'd wreck the car too if it tried to convince me a door is a jar.

      • by Anonymous Coward

        It is grabbed with the hand and contains glass. Sounds like a door is a jar.

  • by Frobnicator ( 565869 ) on Tuesday May 12, 2015 @04:53PM (#49677269) Journal

    Periodically some "things" on the IoT get revealed as publicly accessible. Cameras and conference room equipment particularly have caused problems in the past.

    In homes, it may be some lolz to mess with lights of a stranger. It may be costly to the homeowner when someone modifies the HVAC settings to crank the programmable thermostat during the day. A skript kiddie could cause a neighborhood to all lose their AC compressors, and then we're talking tens of thousands, perhaps hundreds of thousands in some areas.

    Controlling your television may not seem very creepy, but could be used as presence detection to see how long it takes for someone to turn it off or turn down the loud volume. Cameras on TVs are a great combination if thieves can guess your neighborhood, then identify your house, then identify you are not home.

    Similarly with garage doors. That industry has come a long way, in the 70s and 80s you could get a universal garage door remote that would work on many homes in a neighborhood, some thieves would clean out the garages and close the door when done. New IoT garage remote controllers lack the basic protections implemented decades ago.

    And most obviously, security cameras in and around a home are increasingly common as an IoT item. Do you REALLY want those images out there?

    Many ISPs make it rather easy to iterate through neighborhoods as they provide convenient DNS access like c-111-222-333-444.town.state.comcast.net. A quick scan of a town to find all the customers with open security cameras, a bit of time to identify the homes in that neighborhood that look interesting on camera and have a few open IoT devices... and you've got a loot schedule. Most of the scans could be easily automated, only requiring some human criminals to look at them once they've found a neighborhood with enough interesting devices exposed.

    • by cusco ( 717999 )

      I still find frelling **security** equipment without the ability to change the default password on it. Obviously we don't install it, but the stuff is sold as "professional grade" and costs big piles of money.

    • by Bob9113 ( 14996 )

      Controlling your television may not seem very creepy, but could be used as presence detection to see how long it takes for someone to turn it off or turn down the loud volume.

      Oooo, I like the way you think, you beautiful bastard. :)

  • by marienf ( 140573 ) on Tuesday May 12, 2015 @04:59PM (#49677307)

    I remember new year's eve Y2K, and everyone expecting blackouts, etc.. and me driving around with an X10 wireless remote, sending random commands to sequential channels. People's lights went on and off, burglar alarms (dis)armed themselves, garage doors opened, sprinklers sprinkled water onto the cold pavement (with great ice potential). People panicked. X10 had no notion of authentication. Probably still hasn't.

    Now, I had to drive around because I was using a commercial-grade transmitter; my range and impact were limited.

    Now, imagine that kind of attitude, but with everything just a few network hops away, no range limits, and with the Invisible Hand clearly not having spanked the market into having a clue.

    Imagine a person less mature than me and that same kind of attitude, today. Or several thousands of them. Spread over the globe.

    I can imagine the havoc; I'm having trouble imagining the useful applications.. A matter of age? I'm not near to connecting stuff I don't have to.

    Imagine what would happen if the Cylons attacked, also.

    • by rtb61 ( 674572 )

      Now imagine the havoc of the inevitable solar flare on all this connectedness that cannot run without being connected. Keep in mind, a major solar flare with our planet just happening to be in its path is not if but when; it will happen. How long will it take to repair the damage when all the information systems required to repair the damage are down?

      New regulations are required to ensure essential infrastructure can be maintained manually and repaired manually. That hard copies are retained on sites for

      • Now imagine the havoc of the inevitable solar flare on all this connectedness that cannot run without being connected.

        Just imagine if the Carrington event happened today?

      • Now imagine the havoc of the inevitable solar flare on all this connectedness that cannot run without being connected.

        Yeah whatever, scare-monger, that solar flare will knock out the power station whether or not you have sensors on your refrigerator. So you mean we have to be prepared for when the power goes off? Yeah this is the USA, you can count on the power to go out at least a couple of times a year. Are you prepared for that?

        • by rtb61 ( 674572 )

          For fools like you http://en.wikipedia.org/wiki/S... [wikipedia.org]. Who, you gonna call, no one. "Ice cores containing thin nitrate-rich layers have been analyzed to reconstruct a history of past solar storms predating reliable observations. Data from Greenland ice cores, gathered by Kenneth G. McCracken and others, show evidence that events of this magnitude—as measured by high-energy proton radiation, not geomagnetic effect—occur approximately once per 500 years, with events at least one-fifth as large occ

    • I remember new year's eve Y2K, and everyone expecting blackouts, etc.. and me driving around with an X10 wireless remote, sending random commands to sequential channels. People's lights went on and off, burglar alarms (dis)armed themselves, garage doors opened, sprinklers sprinkled water onto the cold pavement (with great ice potential). People panicked....

      Imag[in]e a person less mature than me ....

      I am finding it difficult to imagine a person less mature than yourself.

    • What happened to them? I haven't seen or heard them for a while. I just see GoPro and others these days.

    • by Trogre ( 513942 )

      Troll level: Awesome

  • While I'm not a fan of government regulations, they do play an important role in society. For example, car safety is a result of government regulation. Unfortunately, many non-IoT devices don't get firmware updates. To make matters worse, the devices that manufacturers want to make IoT are often household durable goods (e.g. appliances, thermostats, etc.) that don't get replaced every year.

    Personally, I feel that IoT durable good devices should get security fixes for 20 years--via regulation
    • Yeah, because that is not trivial to get around: "Oh, the OEM we bought it from folded, we do not have the source code," etc.

      • The agencies like the UL (non-governmental) could require the source code in escrow for any devices seeking their 'approval.' Said 'approval' is a checkbox item, like UL approval is, for Insurance companies.

        A completely private-enterprise solution that just needs some lawyers involved to implement. Imagine that!

        • A completely private-enterprise solution that just needs some lawyers involved to implement.

          Maybe you should look at the electronics section of your local drugstore and tell us how many of the USB charging devices have "UL" stamps on them. "None" will be my guess. All of the people who bought these devices, are they all in continuous violation of the fire codes? What is anyone going to do about it?

          And guess what, in China you can print "UL" or "FCC" on anything you want to, they sure don't care, and who actually looks through the thousands of container loads that arrive in the US every day to

        • by itzly ( 3699663 )

          So, all foreign made products should have their source code handed to the NSA so they can check for weak security ?

        • First off, having the code does not mean having the rights; often that's a complex mess on a commercial app. Secondly, the build environment is also a complex bit and is needed to actually make things work.

          It seems to make more sense to work towards the M&M security policy: an edge device that connects the home devices to the internet and deals with a lot of the security aspects. You still need communications security inside the house, but if trust is only placed in that one gateway controller.

          That said I see t

    • While I'm not a fan of government regulations, they do play an important role in society.

      Of course they do. The present day trend of having to apologize for things that sane people believe in is so old. It's like apologizing that your doctor has to have a license.

  • why wait for that?

    by slew ( 2918 ) on Tuesday May 12, 2015 @05:42PM (#49677371)

    The Ticking Time Bomb of Car Fob Security is already upon us and I suspect that this will explode long before the IoT bomb even has a chance to finish winding up...

    • Car fobs require proximity. The whole problem with IoT is that the proximity hurdle is removed -- which means everyone around the world who has an idea about how to use your device has the ability to attempt it. Just like with Internet-enabled cars. Now some cars have the ability for a remote attacker to both pinpoint their location AND unlock the doors, via script. Insecure car fobs have nothing on that (I remember when physical keys could often be swapped within car model).

      • no amount of electronics will prevent thieves from putting your car onto a flatbed truck

        faraday cages still work pretty well to block radio signals

        if they really really want to break into your car, there is no way to stop them

      • by itzly ( 3699663 )

        Most devices will sit behind a router with NAT and/or firewall. They can phone out, but you can't reach them from the outside.

  • The primary issue as I see it with IoT is the lack of a good security model that ordinary people can reference. You wouldn't stick an unmanaged Windows desktop out on the internet, expose a service and expect it not to be vulnerable. Why would we treat an inexpensive gadget any different? Security happens in layers, so if the device is going to be out on the internet then it needs a firewall protecting it, it needs some intelligent filtering so private data doesn't leak out (even to the device vendor) and m

    • I'm pulling my hair out working hard to get a high quality security system into place on a device where it barely fits, only to see an article that says "ticking time bomb!" We're not all idiots. I suspect most of us aren't. The security we're using requires actual knowledge to use, it's not for some home users or casual people, it doesn't have passwords but it has certificate exchange, no phone will ever talk to them, etc.

      Problem is that the media and purveyors of panic are focusing on the dumb end of t

      • Yeah, I don't agree with the ticking time bomb insinuation, that's a little dramatic compared with reality.

      • The security we're using requires actual knowledge to use, it's not for some home users or casual people, it doesn't have passwords but it has certificate exchange, no phone will ever talk to them, etc.

        Is it using OpenSSL? If so, then it's insecure.

        • I don't. but...

          I'm pretty sure OpenSSL has been fixed. They had a patch within a few days, and they've even bumped the version number since then to 1.0.2. Maybe you're thinking of commercial software which is sometimes slow to push out fixes.

  • by Anonymous Coward

    So, starting 12 years ago, ZigBee had a security working group to specifically address these very things. It was, of course, a pain in the neck in many ways. But it was intended to provide a good secure platform for developers and vendors.

    On the other hand, TinyOS, starting in 2000 had very little in the way of security and has also not been adopted by much more than academics and experimentalists, or those who have other means of handling or avoiding the security issues.

    These are always considerations and

  • Hi

    We're working on a project (in public) to try to help secure out-of-the-box links from low-power cheap sensor nodes to the concentrator (or equivalent) in IoT networks.

    Eg see:

    http://www.earth.org.uk/note-o... [earth.org.uk]
    and
    http://lists.opentrv.org.uk/pi... [opentrv.org.uk]

    to pick a couple of related items.

    Anyone who'd like to help us get this right with solutions open source, please do contact us eg via @OpenTRV on Twitter or email.

    Rgds

    Damon

  • You get hacked via a company's product, company pays 3x damages. Doesn't matter if the company makes a web browser or a thermostat. Never happen, but it would solve the problem. Would also kill IoT in its tracks.
    • company pays 3x damages .. it would solve the problem

      That's not how it works. 3x damages bankrupts the shell corporation holding the distribution rights, nobody actually gets any money, the anonymous stakeholders walk away with no loss.

  • by Anonymous Coward

    And what exactly is IBM going to do to help?

    They're just pissed they're missing out. That's what happens when you lay off all your good employees. You're the last one to dinner.

  • Always the same story. They are just making the same mistakes again that have been made before with workstations, servers and mobile devices. But this time they really could have known better, so this can only be a combination of greed and stupidity.

  • It's a good point that as IoT devices proliferate there are security implications because your house will have dozens or even hundreds of devices all talking TCP/IP using whatever random protocols and implementations each device's manufacturer came up with.

    That being said, I think it's unrealistic to imagine that each little company should hire their own security experts to make their own rock-solid stack, because many of these devices are home-made, or made by little startups, etc. And even if every manufa
