Beware the Ticking Internet of Things Security Time Bomb
alphadogg writes: A panel of security experts, including from IBM, LogMeIn and formerly RSA, warn that IoT security is a growing threat because device makers haven't baked in security. IT security staffs are already inundated with safeguarding internal infrastructure and cloud-based resources, so guarding against a slew of new threats is likely to be overwhelming. LogMeIn's Paddy Srinivasan says most Internet-of-things OEMs "barely even have IT staff," so they aren't capable of developing rigorous security even if they wanted to. IBM’s Andy Thurai says most companies are rushing technology to market to try to monetize you as much as possible, and they aren't even willing to give you a cut for the data you supply. Regulations may help, but probably not enough and definitely not soon.
The NSA wants to know what's in your fridge (Score:1)
If an IOT device phones home DO NOT BUY IT (Score:5, Interesting)
It is really that simple. That means don't buy Dropcam or a Nest or any of the other "easy to use" everything is stored "in the cloud" IOT devices that are out there and are the most heavily promoted.
There are network security cameras you can secure easily and control the recordings of. There are also "home automation" devices that only talk to each other within a defined area using reasonable encryption. You just have to be very careful and research what you are buying.
I note that on my last visit to BestBuy every IOT and home automation device promoted was more useful to the company that manufactured it and collected all the customers' data than to the customer.
You can program your home router to block all outgoing traffic except from devices you select and you will find that many IOT devices will no longer work if you block their ability to "phone home."
Re: (Score:3)
Re:If an IOT device phones home DO NOT BUY IT (Score:5, Funny)
I'm there. (Score:2)
not buying that crap. except my alarm system.
wait a minute...
Re: (Score:1)
Actually, there are some good use cases like: Elder care.
Exterior video surveillance, remote control keypad door locks that can be unlocked securely, sensors on doors and motion sensors can provide families with ways to assist an elderly parent with memory or physical issues remotely without intruding too much.
There are IOT products that can provide this that do not 'phone home' to manufacturers. But it does take research to find them.
Re: (Score:3)
It seems there is a lot of confusion about IoT. It is not about house automation at all; it may be about it, but it is not the main target for IoT. However, the vendors are jumping on the marketing bandwagon and decide to rename everything they were already providing or extend the capabilities of their gizmo with useless internet extensions just to call it an IoT device. Unfortunately, many conclude the IoT is about useless gizmos that are spying on you or whatever.
IoT is rather than about devices to monito
Re:If an IOT device phones home DO NOT BUY IT (Score:4, Insightful)
I find it depressing that our attitude is now "avoid new technology" rather than "how can we make this secure?"
Maybe it's time for an open source secure IoT platform that companies can use. As well as an OS it would need to provide stacks for doing common IoT stuff in a secure way, that has privacy controls built in.
Buffalo ship routers with DD-WRT installed, advertised as a feature. Maybe some kind of certification process could be created, that includes the ability to do updates to the core OS and remote shut-down via blacklist if products are ever found to be vulnerable and unfixable.
Re:If an IOT device phones home DO NOT BUY IT (Score:4, Insightful)
I find it depressing that people confuse "don't waste money on useless shit" with "avoid new technology".
Re: (Score:2)
Absolutely. If there was a secure framework for network-connected IoT devices with documented measures to implement the administration or user management, then we'd get secure devices. Without it, we will have servers listening on port 80 to anyone who wants access.
It'll need a fancy logo like DLNA has, and some form of certification so manufacturers know they must use it in order to get customer acceptance, and that gets you into the world of standards bodies and all the politics that goes with it. Still,
Re: (Score:2)
I think you'll find the prevailing attitude is "avoid useless technology".
Granted there is a certain level of geek cred for connecting something to the net that has never been connected before, but at a practical level I have absolutely no need for my television, kettle or frickin light bulbs to be Internet connected.
Now that it is well established that 1) Governments want to spy on you and 2) Companies want to spy on you, I would expect that you, a reasonably seasoned Slashdotter, would see the folly in a
Re: (Score:3)
You misunderstand the problem.
With Smart TVs recording your watching habits in order to send you adverts, there is the potential for someone else to get access to it and record everything else about you.
One day you'll get a link to a website that shows you and your babysitter 'earning an extra bonus' with a payment demand to have it removed - all of which was recorded by your smart TV but sent to a Russian hacker rather than Samsung.
Re: (Score:2)
But just think of the awesome TV shows!
Blackmail: https://www.youtube.com/watch?... [youtube.com]
Re: (Score:3)
Back in the day, when an 8086 was real money and whatnot, you could be fairly sure that only the identifiable computer on your desk was sophisticated enough to be disobeying you; because you couldn't afford enough transistors, even if the market could supply them, for anything else to be.
Now, thanks to Progress, basically anything from 99 cents on up is probably turing complete, phoning home to the mothership, and host to a mixtur
Re: (Score:2)
When an 8086 was real money, an 8048 was only a few bucks, so things haven't changed as dramatically as you make it seem.
Re: (Score:2)
Today chips with 8048 cores are fractions of a penny in large quantity, so yes, they have changed pretty dramatically.
Shocking (Score:2)
Inconceivable!
Next you'll probably try and tell me that they'll threaten to sue security researchers that expose the inevitable flaws rather than simply fixing them.
Re: (Score:2)
It's not just the developers. A lot of legal teams are just taking their web-based privacy rules and applying them to systems that know exactly who you are. For example, Lowes' IRIS system: http://iotsecuritylab.com/iot-... [iotsecuritylab.com]
Re: (Score:2)
Why connect EVERYTHING? (Score:3)
Connectivity seems to be this decade's fin tail and chrome craziness.
Re: (Score:2)
Why connect EVERYTHING?
$$$$$$$$$$$$$$
What more reason do you need?
Re:Why connect EVERYTHING? (Score:4, Funny)
I'm not sure if I'll connect EVERYTHING. However, I plan to connect at least my refrigerator to the Internet in order to give the power to curdle my milk to Kim Jong Un. If he makes use of that, then Snap, Crackle, Pop and I will know for certain that he's truly EVIL.
Re: (Score:2)
Infrastructure like railroads, bridges, etc. can be fitted with a massive number of telemetry sensors at low cost. Many bridge inspections could be done remotely if the bridge is covered with thousands and thousands of strain gauges. The USGS and the weather service can offer more and better information to the public with more advanced sensor networks. Maybe with enough sensors and the right software, we could predict earthquakes. Who knows? The technology is not there.
The security wonks tell us over a
Re: (Score:1)
What better way to convince a large number of people to replace big ticket items like refrigerators or washing machines?
Re: (Score:2)
I could use a newer refrigerator, our current one was second hand when we bought it thirteen years ago. So if clueless people start selling off their nice refrigerators because they're 'dumb' there will probably be deals to be had.
Re: (Score:2)
Once everything is connected a company will be able to use the shoddy IoT security to peek around your house and learn what brands/models of appliances and other products you own. Think how easy market research will be! No more having to convince people to complete a survey by giving them some freebie.
Re: (Score:2)
Analytics. Other than chrome plating, having connectivity and the ability to collect data is useful. Unfortunately the term IoT has been abused by corporations to the point where IoT now means Internet of Things I Know About Customers. But there are real benefits to the IoT movement when the user is in control of the data.
Case in point: My wireless power meter. The company manufactured a dongle for a PC that logs history of power use. Naturally this dongle reports power use to the company and you have to acc
Re: (Score:2)
But to me the use wasn't worth the privacy invasion.
You know the power company already has a really tremendous ability to monitor your power usage on a continuous basis. They can tell if you stay up late, they can tell if you sneak home during the day to cheat on your wife. They can tell how much you run your electric dryer so they can tell how many people are living in your house. They can probably tell you what model of refrigerator you own, just from looking at the power curves. No doubt your wife's lawyer or your insurance company (or someone else'
Re: (Score:2)
My power company is heavily regulated and I have strong legal representation in the form of a local consumer ombudsman.
I can't say the same for a 3rd party entity where I don't even know which country they are based in.
Oh, and I don't have a smart meter, so unless someone is sitting outside my switchboard, no, they can't do the above. But I'm also significantly less concerned about my power company having this information given that their business model isn't based around the collection of customer data.
Re: (Score:2)
Have you ever been at the store and wondered if there was anything else you needed to replenish in your fridge? Wouldn't it be great to pull up a webcam view of the interior right at that moment? Or how about making sure your oven and stove and iron are off? Or getting a video call on your smartphone when someone rings your doorbell while you're not home?
These are just a few of the things that I personally would find useful or at least interesting - I'm sure other people have entirely different lists of thi
DHCP and a Firewall (Score:5, Funny)
I run DHCP, only allowing MAC addresses I want to get a routable address. And just in case, I also run a firewall where I can see what devices are connecting to the outside world.
The day my toaster tells me it NEEDS an internet connection to make toast is the day I make toast over a campfire.
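The two defensive ideas in this thread, a router that only lets selected devices out (the "block all outgoing traffic except from devices you select" advice earlier) and a firewall log that shows which devices are trying to phone home (this post), fit together in one small tool. The following is an added example, not code from any commenter: it renders an nftables egress policy keyed on a DHCP lease table and audits netfilter LOG lines for devices that reach for the Internet anyway. The lease table, the allowlist policy, the interface names `br0`/`eth0`, the addresses and every log line are constructed for the example; the nftables and LOG-line syntax are the real formats.

```python
"""Egress control and audit for a home LAN full of IoT gadgets.

Added example for this thread, not any commenter's code: a router policy that
only lets selected devices reach the Internet, plus an audit of the firewall
log that shows which devices try to phone home anyway.  Every MAC, address
and log line below is constructed for the example.
"""
import ipaddress
import re

# Constructed DHCP lease table: MAC -> the LAN address the router hands out.
LEASES = {
    "aa:bb:cc:00:00:01": "192.168.1.10",  # laptop
    "aa:bb:cc:00:00:02": "192.168.1.20",  # IP camera
    "aa:bb:cc:00:00:03": "192.168.1.30",  # "smart" thermostat
}
# Hypothetical policy: only the laptop may open connections to the Internet.
EGRESS_ALLOW = {"aa:bb:cc:00:00:01"}
LAN = ipaddress.ip_network("192.168.1.0/24")
LAN_IF, WAN_IF = "br0", "eth0"  # assumed interface names


def egress_ruleset(leases, allow, lan_if=LAN_IF, wan_if=WAN_IF):
    """nftables forward chain: default drop, one accept per allowed device
    (keyed on its lease), and a logging drop so the audit has input."""
    lines = [
        "table inet egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",  # replies to allowed flows
    ]
    for mac in sorted(allow):
        lines.append(f'    iifname "{lan_if}" oifname "{wan_if}" ip saddr '
                     f'{leases[mac]} accept comment "{mac}"')
    lines.append(f'    iifname "{lan_if}" oifname "{wan_if}" '
                 f'log prefix "EGRESS-DROP " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


# netfilter LOG fields.  MAC= carries 14 octets: destination MAC, source MAC,
# EtherType; the source MAC is octets 7-12.
LOG_RE = re.compile(
    r"MAC=(?P<mac>(?:[0-9a-f]{2}:){13}[0-9a-f]{2}) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*? PROTO=(?P<proto>\S+)(?: SPT=\d+)?(?: DPT=(?P<dpt>\d+))?")


def parse_log_line(line):
    """Source MAC/IP, destination, protocol and port of one LOG line; None
    for lines that are not netfilter LOG output."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    octets = m["mac"].split(":")
    return {"src_mac": ":".join(octets[6:12]), "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"]) if m["dpt"] else None}


def audit(log_lines, leases, allow, lan=LAN):
    """Group Internet-bound attempts by source MAC.  Flags devices that are
    not allowed out, and MACs using an address leased to a different MAC."""
    ip_to_mac = {ip: mac for mac, ip in leases.items()}
    report = {}
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None or ipaddress.ip_address(rec["dst"]) in lan:
            continue  # not a LOG line, or LAN-internal traffic
        mac = rec["src_mac"]
        entry = report.setdefault(mac, {"known": mac in leases, "allowed": mac in allow,
                                        "lease_mismatch": False, "destinations": set()})
        entry["destinations"].add((rec["dst"], rec["proto"], rec["dpt"]))
        if ip_to_mac.get(rec["src"]) not in (None, mac):
            entry["lease_mismatch"] = True
    return report


def violations(report):
    """MACs that reached for the Internet without being on the allowlist."""
    return sorted(mac for mac, e in report.items() if not e["allowed"])


# Constructed router log excerpt; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for Internet hosts.  The first line assumes
# the router also logs accepted flows.
SAMPLE_LOG = [
    "kernel: EGRESS-ALLOW IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:00:00:01:08:00 "
    "SRC=192.168.1.10 DST=203.0.113.7 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=443 SYN",
    "kernel: EGRESS-DROP IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:00:00:02:08:00 "
    "SRC=192.168.1.20 DST=198.51.100.25 LEN=60 TTL=63 PROTO=TCP SPT=40001 DPT=443 SYN",
    "kernel: EGRESS-DROP IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:00:00:03:08:00 "
    "SRC=192.168.1.30 DST=198.51.100.9 LEN=68 TTL=63 PROTO=UDP SPT=5353 DPT=53 LEN=48",
    "kernel: LAN IN=br0 OUT=br0 MAC=00:11:22:33:44:55:aa:bb:cc:00:00:03:08:00 "
    "SRC=192.168.1.30 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=33000 DPT=80 SYN",
    "kernel: EGRESS-DROP IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:de:ad:be:ef:00:01:08:00 "
    "SRC=192.168.1.30 DST=198.51.100.9 LEN=60 TTL=63 PROTO=TCP SPT=44444 DPT=8883 SYN",
]

if __name__ == "__main__":
    print(egress_ruleset(LEASES, EGRESS_ALLOW))
    print("phoning home without permission:",
          violations(audit(SAMPLE_LOG, LEASES, EGRESS_ALLOW)))
```

On the sample data the audit reports the camera and the thermostat as phoning home without permission, and flags the unknown MAC that is using the thermostat's leased address, which is the case a plain IP-based allowlist would miss. Keying the nft accept rules on the DHCP lease means a device that is not in the lease table never gets an address that the rules admit.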
Re:DHCP and a Firewall (Score:5, Funny)
Re:DHCP and a Firewall (Score:5, Funny)
Your IoT smoke detector will call the fire department when you make a campfire in your kitchen.
Oh it may try...
Re: (Score:1)
Re: (Score:1)
Good luck getting your antivirus software to scan your toaster....
Re: (Score:1)
I am more worried about bacterial infestations in my kitchen appliances.
Re: (Score:3)
That's okay, all your devices have connected to your neighbour's poorly configured open network and have been sending your private information to the world for years now.
Re: (Score:2)
Those frakking Cylons! :P
car analogy (Score:3)
Re: (Score:1)
I'd wreck the car too if it tried to convince me a door is a jar.
Re: (Score:1)
It is grabbed with the hand and contains glass. Sounds like a door is a jar.
Some 'Things' more valuable than others (Score:5, Interesting)
Periodically some "things" on the IoT get revealed as publicly accessible. Cameras and conference room equipment particularly have caused problems in the past.
In homes, it may be some lolz to mess with the lights of a stranger. It may be costly to the homeowner when someone modifies the HVAC settings to crank the programmable thermostat during the day. A script kiddie could cause a neighborhood to all lose their AC compressors, and then we're talking tens of thousands, perhaps hundreds of thousands in some areas.
Controlling your television may not seem very creepy, but could be used as presence detection to see how long it takes for someone to turn it off or turn down the loud volume. Cameras on TVs are a great combination if thieves can guess your neighborhood, then identify your house, then identify you are not home.
Similarly with garage doors. That industry has come a long way, in the 70s and 80s you could get a universal garage door remote that would work on many homes in a neighborhood, some thieves would clean out the garages and close the door when done. New IoT garage remote controllers lack the basic protections implemented decades ago.
And most obviously, security cameras in and around a home are increasingly common as an IoT item. Do you REALLY want those images out there?
Many ISPs make it rather easy to iterate through neighborhoods as they provide convenient DNS access like c-111-222-333-444.town.state.comcast.net. A quick scan of a town to find all the customers with open security cameras, a bit of time to identify the homes in that neighborhood that look interesting on camera and have a few open IoT devices... and you've got a loot schedule. Most of the scans could be easily automated, only requiring some human criminals to look at them once they've found a neighborhood with enough interesting devices exposed.
Re: (Score:3)
I still find frelling **security** equipment without the ability to change the default password on it. Obviously we don't install it, but the stuff is sold as "professional grade" and costs big piles of money.
Re: (Score:2, Insightful)
Older cars were generally more reliable because there were fewer things to go wrong.
Uh, no, they weren't. You might be able to fix a 1970s car when it broke down, but they broke down a lot more. Go back to the 1930s, and there were even fewer things to go wrong, but you were probably doing maintenance on those things every weekend to ensure they didn't break down.
Re: (Score:1)
People have different opinions on the terms "maintenance", "reliable", and "broke down" when it comes to vehicles. Historically older vehicles require much more maintenance but when an issue was encountered they would often still run poorly while newer vehicles may stop dead in their tracks for a rather small reason (cam/crank position sensors for example). The mechanical components in the older carburetor vehicles just prior to the mandated emission controls when properly maintained and not abused would
Re: (Score:1)
My 2006 Ford Ranger has modern infrastructure where I want it, but none of the new electronic bells-and-whistles. Okay, it does have a horn, but the only non-stripped option is the CD player in the radio. The windows have cranks, the doors open with a key. The key is duplicated for a few dollars. And it's so plain and dull that it's not likely to get stolen because of not having a 'security' electronic keyfob.
It's also black, like all Fords are supposed to be.
Re: (Score:2)
It's also a death trap; using it as your daily vehicle is an enormous risk compared to a modern vehicle.
Did you count the potential cost of your death in your financial analysis?
Re: (Score:2)
Re: (Score:2)
Older cars were generally more reliable because there were fewer things to go wrong.
Uh, no, they weren't. You might be able to fix a 1970s car when it broke down, but they broke down a lot more. Go back to the 1930s, and there were even fewer things to go wrong, but you were probably doing maintenance on those things every weekend to ensure they didn't break down.
And how. Anyone remember changing points and plugs? 15,000 mile non-speed-rated tires? Water pumps that lasted 20K miles? A car that is just about finished at 100,000 miles? Rust holes at 60K miles?
Yes, they were easier to work on, but yes, you worked on them a lot.
My first car, a '65 Buick Skylark, was a nice car for the time, but was continually being worked on. But it was just SOP because everyone else's was too.
Today's cars are marvels. My last two I put 200 K and almost 300K miles on with almost no repl
Re: (Score:2)
The parts you mention are not more reliable today because of the added complexity, it's better materials and the manufacturing tech. Transplant that to the design of a '70s car and the benefit would remain.
That's not to say that the ECU fine tuning constantly isn't helpful, it is. It would be better still if it was as open as the mechanical design of a car from the '70s. That and if the replacement parts didn't cost a small fortune due to being harder to duplicate and easier to sue over due to copyrighted f
Re: (Score:2)
Controlling your television may not seem very creepy, but could be used as presence detection to see how long it takes for someone to turn it off or turn down the loud volume.
Oooo, I like the way you think, you beautiful bastard. :)
We'll Party Like It's 1999. (Score:5, Interesting)
I remember new year's eve Y2K, and everyone expecting blackouts, etc.. and me driving around with an X10 wireless remote,
sending random commands to sequential channels. People's lights went on and off, burglar alarms (dis)armed themselves,
garage doors opened, sprinklers sprinkled water onto the cold pavement (with great ice potential). People panicked. X10 had no notion of authentication. Probably still hasn't.
Now, I had to drive around because I was using a commercial-grade transmitter; my range and impact were limited.
Now, imagine that kind of attitude, but with everything just a few network hops away, no range limits, and with the Invisible Hand clearly not having spanked the market into having a clue.
Imagine a person less mature than me with that same kind of attitude, today. Or several thousands of them. Spread over the globe.
I can imagine the havoc; I'm having trouble imagining the useful applications. A matter of age? I'm not near to connecting stuff I don't have to.
Imagine what would happen if the Cylons attacked, also.
Re: (Score:2)
Now imagine the havoc of the inevitable solar flare on all this connectedness that cannot run without being connected. Keep in mind, a major solar flare with our planet just happening to be in its path is not if but when; it will happen. How long will it take to repair the damage when all the information systems required to repair the damage are down?
New regulations are required to ensure essential infrastructure can be maintained manually and repaired manually. That hard copies are retained on sites for
Re: (Score:2)
Now imagine the havoc of the inevitable solar flare on all this connectedness that cannot run without being connected.
Just imagine if the Carrington event happened today?
Re: (Score:3)
Now imagine the havoc of the inevitable solar flare on all this connectedness that cannot run without being connected.
Yeah whatever, scare-monger, that solar flare will knock out the power station whether or not you have sensors on your refrigerator. So you mean we have to be prepared for when the power goes off? Yeah this is the USA, you can count on the power to go out at least a couple of times a year. Are you prepared for that?
Re: (Score:2)
For fools like you http://en.wikipedia.org/wiki/S... [wikipedia.org]. Who you gonna call? No one. "Ice cores containing thin nitrate-rich layers have been analyzed to reconstruct a history of past solar storms predating reliable observations. Data from Greenland ice cores, gathered by Kenneth G. McCracken and others, show evidence that events of this magnitude—as measured by high-energy proton radiation, not geomagnetic effect—occur approximately once per 500 years, with events at least one-fifth as large occ
Re: (Score:2)
I remember new year's eve Y2K, and everyone expecting blackouts, etc.. and me driving around with an X10 wireless remote, sending random commands to sequential channels. People's lights went on and off, burglar alarms (dis)armed themselves, garage doors opened, sprinklers sprinkled water onto the cold pavement (with great ice potential). People panicked....
Imag[in]e a person less mature than me ....
I am finding it difficult to imagine a person less mature than yourself.
Speaking of X10... (Score:2)
What happened to them? I haven't seen or heard them for a while. I just see GoPro and others these days.
Re: (Score:2)
Troll level: Awesome
We need governmental regulation of IoT security (Score:2)
Personally, I feel that IoT durable-good devices should get security fixes for 20 years, via regulation.
Re: (Score:2)
Yeah, because that is not trivial to get around: "Oh, the OEM we bought it from folded, we do not have the source code," etc.
Re: (Score:1)
The agencies like the UL (non-governmental) could require the source code in escrow for any devices seeking their 'approval.' Said 'approval' is a checkbox item, like UL approval is, for Insurance companies.
A completely private-enterprise solution that just needs some lawyers involved to implement. Imagine that!
Re: (Score:2)
A completely private-enterprise solution that just needs some lawyers involved to implement.
Maybe you should look at the electronics section of your local drugstore and tell us how many of the USB charging devices have "UL" stamps on them. "None" will be my guess. All of the people who bought these devices, are they all in continuous violation of the fire codes? What is anyone going to do about it?
And guess what, in China you can print "UL" or "FCC" on anything you want to, they sure don't care, and who actually looks through the thousands of container loads that arrive in the US every day to
Re: (Score:2)
So, all foreign made products should have their source code handed to the NSA so they can check for weak security ?
Re: (Score:2)
First off, having the code does not mean having the rights; often that's a complex mess on a commercial app. Secondly, the build environment is also a complex bit and needed to actually make things work.
It seems to make more sense to work towards the M&M security policy: an edge device that connects the home devices to the internet and deals with a lot of the security aspects. You still need communications security inside the house, but if trust is only placed in that one gateway controller.
That said I see t
Re: (Score:2)
While I'm not a fan of government regulations, they do play an important role in society.
Of course they do. The present day trend of having to apologize for things that sane people believe in is so old. It's like apologizing that your doctor has to have a license.
why wait for that? (Score:4, Interesting)
The Ticking Time Bomb of Car Fob Security is already upon us and I suspect that this will explode long before the IoT bomb even has a chance to finish winding up...
Re: (Score:2)
Car fobs require proximity. The whole problem with IoT is that the proximity hurdle is removed -- which means everyone around the world who has an idea about how to use your device has the ability to attempt it. Just like with Internet-enabled cars. Now some cars have the ability for a remote attacker to both pinpoint their location AND unlock the doors, via script. Insecure car fobs have nothing on that (I remember when physical keys could often be swapped within car model).
Re: (Score:2)
no amount of electronics will prevent thieves from putting your car onto a flatbed truck
faraday cages still work pretty well to block radio signals
if they really really want to break into your car, there is no way to stop them
Re: (Score:2)
Most devices will sit behind a router with NAT and/or firewall. They can phone out, but you can't reach them from the outside.
Lacking a security model (Score:2)
The primary issue as I see it with IoT is the lack of a good security model that ordinary people can reference. You wouldn't stick an unmanaged Windows desktop out on the internet, expose a service and expect it not to be vulnerable. Why would we treat an inexpensive gadget any different? Security happens in layers, so if the device is going to be out on the internet then it needs a firewall protecting it, it needs some intelligent filtering so private data doesn't leak out (even to the device vendor) and m
Re: (Score:2)
I'm pulling my hair out working hard to get a high quality security system into place on a device where it barely fits, only to see an article that says "ticking time bomb!" We're not all idiots. I suspect most of us aren't. The security we're using requires actual knowledge to use, it's not for some home users or casual people, it doesn't have passwords but it has certificate exchange, no phone will ever talk to them, etc.
Problem is that the media and purveyors of panic are focusing on the dumb end of t
Re: (Score:2)
Yeah, I don't agree with the ticking time bomb insinuation, that's a little dramatic compared with reality.
Re: (Score:2)
The security we're using requires actual knowledge to use, it's not for some home users or casual people, it doesn't have passwords but it has certificate exchange, no phone will ever talk to them, etc.
Is it using OpenSSL? If so, then it's insecure.
Re: (Score:2)
I don't. but...
I'm pretty sure OpenSSL has been fixed. They had a patch within a few days, and they've even bumped the version number since then to 1.0.2. Maybe you're thinking of commercial software which is sometimes slow to push out fixes.
Re: (Score:2)
Re: (Score:2)
It would be a miracle rivaling the birth of Christ if OpenSSL were actually fixed.
Re: (Score:2)
The ultimate faith based security?
ZigBee (Score:1)
So, starting 12 years ago, ZigBee had a security working group to specifically address these very things. It was, of course, a pain in the neck in many ways. But it was intended to provide a good secure platform for developers and vendors.
On the other hand, TinyOS, starting in 2000 had very little in the way of security and has also not been adopted by much more than academics and experimentalists, or those who have other means of handling or avoiding the security issues.
These are always considerations and
IoT Launchpad Security Project (Score:2)
Hi
We're working on a project (in public) to try to help secure out-of-the-box links from low-power cheap sensor nodes to the concentrator (or equivalent) in IoT networks.
Eg see:
http://www.earth.org.uk/note-o... [earth.org.uk]
and
http://lists.opentrv.org.uk/pi... [opentrv.org.uk]
to pick a couple of related items.
Anyone who'd like to help us get this right with solutions open source, please do contact us eg via @OpenTRV on Twitter or email.
Rgds
Damon
The Internet of never updated easily pwn3d things (Score:2)
EZ fix (Score:2)
Re: (Score:2)
company pays 3x damages .. it would solve the problem
That's not how it works. 3x damages bankrupts the shell corporation holding the distribution rights, nobody actually gets any money, the anonymous stakeholders walk away with no loss.
ibm to the rescue (Score:1)
And what exactly is IBM going to do to help?
They're just pissed they're missing out. That's what happens when you lay off all your good employees. You're the last one to dinner.
Greed and stupidity... (Score:2)
Always the same story. They are just making the same mistakes again that have been made before with workstations, servers and mobile devices. But this time they really could have known better, so this can only be a combination of greed and stupidity.
Good point (Score:2)
It's a good point that as IoT devices proliferate there are security implications because your house will have dozens or even hundreds of devices all talking TCP/IP using whatever random protocols and implementations each device's manufacturer came up with.
That being said, I think it's unrealistic to imagine that each little company should hire their own security experts to make their own rock-solid stack, because many of these devices are home-made, or made by little startups, etc. And even if every manufa