
Why IoT Security Is So Critical (techcrunch.com) 148

An anonymous reader writes: Software engineer Ben Dickson starts off an opinion piece about Internet of Things security with this amusing comment: "Twenty years ago, if you told me my phone could be used to steal the password to my email account or to take a copy of my fingerprint data, I would've laughed at you and said you watch too much James Bond. But today, if you tell me that hackers with malicious intents can use my toaster to break into my Facebook account, I will panic and quickly pull the plug from the evil appliance." Dickson then lays out many of the issues with securing internet-connected devices, and explains the work being done to make them more secure. He highlights areas that manufacturers must focus on: "In contrast to human-controlled devices, they go through a one-time authentication process, which can make them perfect sources of infiltration into company networks. Therefore, more security needs to be implemented on these gateways to improve the overall security of the system. ... There also must be a sound plan for installing security updates on IoT devices. Each consumer will likely soon own scores — if not hundreds — of connected devices. The idea of manually installing updates on so many devices is definitely out of the question, but having them automatically pushed by manufacturers also can be a risky business."
  • by Anonymous Coward on Monday October 26, 2015 @04:25AM (#50801483)

    is because morons won't stop adding devices to the "IoT" instead of leaving them dumb like they should be. FFS this is a problem created by a trend with no benefits in the first place.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Butbutbut I need to turn on the toaster from the bedroom so the toast is ready when I arrive in the kitchen!

      • Re: (Score:3, Insightful)

        by TheRaven64 ( 641858 )
        Unless the toaster can also cut the bread and insert it, then there isn't much value in being able to turn it on remotely. There are lots of reasons where it might be nice to have some connectivity though:
        • If the toaster can detect when I've finished showering, I can program it so that my toast will pop up when I've showered and dressed.
        • If my doorbell or telephone rings, then it can pause and resume later, so the toast hasn't had time to cool down before I get to it.

          Communication in the other directio

        • by Anonymous Coward

          If the toaster can detect when I've finished showering, I can program it so that my toast will pop up when I've showered and dressed.

          How does the toaster know it's you in the shower and not someone else ?

          If my doorbell or telephone rings, then it can pause and resume later, so the toast hasn't had time to cool down before I get to it.

          Sounds like a potential DOT attack to me (Denial of Toast)

          Communication in the other direction would let it notify me in whatever room I'm in when the toast is ready.

          Beeping would do the same thing, or gosh even the popping up the toast on most toasters is noisy enough already.

          It could communicate with the fridge that I was likely to get butter out soon, which would mean that I'd be likely to open the door soon. This would let the fridge postpone running the compressor until afterwards (no point chilling air that's just about to be removed from the fridge).

          You already got the bread out of the fridge to put into the toaster, a sane person would already have taken the butter at that point so it can soften a little. This is silly talk.

          • by Anonymous Coward

            You already got the bread out of the fridge to put into the toaster, a sane person would already have taken the butter at that point so it can soften a little. This is silly talk.

            Sane people don't put bread in the fridge.

            • by Viol8 ( 599362 )

              "Sane people don't put bread in the fridge."

              Err, they do if they want their bread to keep longer than a few days before going stale.

              • For most kinds of bread and most climates the bread kept outside of the fridge lasts longer and tastes better.
                However: no idea where you live ;)

              • Fridges work by being a closed air-con unit, as part of that process they draw moisture out of the air. Bread, placed in a fridge therefore goes stale quicker.

                To keep bread, either freeze it (and let it slowly defrost at air temperature to get it back to best condition) or put it in a closed container like a bread bin. Or buy bread so laced with chemicals that there's hardly any flour used in its production.

              • Wha?? Putting bread in the fridge guarantees that the bread will become stale in under 10 hours. Freezing is even worse.

              • "Sane people don't put bread in the fridge."

                Err, they do if they want their bread to keep longer than a few days before going stale.

                Is this a serious comment? Bread doesn't last longer than a couple of days before going stale regardless of what you do with it. Unless you are buying some weird, horrible, white chemical pudding instead of actual bread.

                For toast, you can always slice some bread and keep it in the freezer. But actual bread needs to be fresh.

        • Unless the toaster can also cut the bread and insert it, then there isn't much value in being able to turn it on remotely. There are lots of reasons where it might be nice to have some connectivity though:

          • If the toaster can detect when I've finished showering, I can program it so that my toast will pop up when I've showered and dressed.
          • If my doorbell or telephone rings, then it can pause and resume later, so the toast hasn't had time to cool down before I get to it.

            Communication in the other direction would let it notify me in whatever room I'm in when the toast is ready.

          • It could communicate with the fridge that I was likely to get butter out soon, which would mean that I'd be likely to open the door soon. This would let the fridge postpone running the compressor until afterwards (no point chilling air that's just about to be removed from the fridge).

          These are just the ones that come to mind immediately. I'm sure there are other applications.

          I know you're going with the example provided, but this is ridiculous. Are we bringing in high technology and introducing a much larger attack surface just so people don't have to wait for their toast?

        • You can do all of these things right now without involving the internet at all.

      • Obligatory Talkie Toaster [youtube.com]
    • by Z00L00K ( 682162 )

      Well, there's no need for a toaster to be able to do internet, but look at other things that actually can benefit from it - like ventilation systems and you have a completely different case. Thermostats that can detect not only presence of people but also power consumption in a room and predict the ventilation level needed.

      Personally I would set up a separate network for my devices that controls my home. But it would still be good from the security point of view if the devices themselves have protections bu

      • by Anonymous Coward

        I do Internet of Things = Idiot.
        Wider Area Network of Things = WANT

        I've just filed my first patent for nano fleas which swarm around me filming me from every direction so I don't even need a selfie stick. They have the added bonus of helping me sniff my own farts and helping me give ratings based on my vegan/paleo diet (depending which side of the fence I swing). Based on the smell of my farts they also find me suitable grinder dates in my vicinity.

        But I'm a new age hipster spiritualist so I'm AC because my

      • Re: (Score:3, Insightful)

        by Viol8 ( 599362 )

        "like ventilation systems and you have a completely different case. Thermostats that can detect not only presence of people but also power consumption in a room and predict the ventilation level needed."

        And the thermostats need to be online because....?

        "I can also think of devices like the fridge or freezer to be able to talk to the internet to be more cost efficient - cool extra during cheap hours and cool less when electricity is more expensive."

        Wtf? Perishable food needs to be kept cool regardless of the

        • And the thermostats need to be online because....?

          Because some power companies currently and more will soon give you a price break for cutting usage during a surge in demand. Sometimes this can be predicted, sometimes it can't. Hence the need for real-time comms.

          Wtf? Perishable food needs to be kept cool regardless of the price of the electricity unless you want to risk food poisoning to save a few pennies.

          For a refrigerator, you're likely right. Think about a freezer, though. Maybe you're set to -10C most of the time. However, you're going to be gone all day and your usage patterns don't show you opening the freezer in the morning, maybe it is better to cool everything to -25C overnight, and then NO

          • by Viol8 ( 599362 )

            "Because some power companies currently and more will soon give you a price break for cutting usage during a surge in demand. Sometimes this can be predicted, sometimes it can't. Hence the need for real-time comms."

            Oh please. I warm my house to be the temp I want it to be. I'm not going to shiver to save a teeny tiny amount of cash. If you're that skint then you won't be able to afford all this tech anyway - wear a jumper.

            "Opening the door is what creates energy usage. Having an app to keep inventory can dr

            • Here's a novel idea: Don't plug this shit in if you don't want to use it.

              For those without photographic memory, or those that don't mind putting on a jacket to save some money, let us have these devices to save money and help the planet, and let's work on making them safer.

              • by Viol8 ( 599362 )

                "Don't plug this shit in if you don't want to use it."

                And what happens if it gets to the point where I don't have a bloody choice because the fridge refuses to work unless it's downloaded some new firmware or whatever?

                "let us have these devices to save money and help the planet"

                Help the planet? You having a laugh? You might want to check out the mess the mining the precious metals for all our playtoy devices causes and then the pollution from their refining and the manufacture of the device itself plus transp

          • by Jawnn ( 445279 )
            Your points are all valid, but only one requires an Internet connection, and even then, it could and should be kept from accessing anything but the host/IP required to do its simple job. Jeezus H Christ, have we fallen so far that "application" now means something you get from the cloud and run on your phone?
        • And the thermostats need to be online because....?

          Because otherwise they'd have to sell you the devices rather than renting them to you.

        • There is absolutely NO reason for ANY kitchen appliances to be online or have any kind of network presence

          There are plenty of reasons, such as monitoring the temperature in your refrigerator to make sure things haven't gotten too warm, keeping track of inventory and expiration dates, starting dinner a few hours before getting home, monitoring the health and maintenance status of appliances.

          unless you're such a bone idle sack of fat that you can't even be bothered to open a fridge door to check what's inside but

          • There are plenty of reasons, such as monitoring the temperature in your refrigerator to make sure things haven't gotten too warm, keeping track of inventory and expiration dates, starting dinner a few hours before getting home, monitoring the health and maintenance status of appliances.

            None of which require an internet connection.

            • by KGIII ( 973947 )

              How about a device, sort of like a firewall or a WSUS setup, that collects data from the internet and then allows only a one-way access from your devices to update, get rates (these needn't be completely real-time, say polling every ten minutes or something) for electricity, and whatnot. They could check for signatures, match hash values, and ensure that the updates were legit/signed. Using something like PNP or automated port forwarding, they could automatically configure what they need for information and

            • None of which require an internet connection.

              Little is "required". People like Internet connections for the IoT because it's convenient and, contrary to what TFA claims, is low risk.

        • by Z00L00K ( 682162 )

          First: Level of cooling can vary and using technique like Glauber's salt can keep the actual temperature within the stipulated range for the food for storage. As long as the freezer is closed the temperature will be pretty steady for hours, but waiting an hour to turn on the cooling won't make much difference - and if you cool extra in the morning before the price rises if you are billed by the hour then it might not need cooling until much later.

        • by Z00L00K ( 682162 )

          On the thermostats being online - well, if the thermostat is in a network with one thermostat per room then it may be a good idea to network it with the radiator valves and with the air condition unit. The better you know the indoor climate the better you can manage it. One central thermostat is like tuning a watch with an axe. One room can be in shadow and need heating while another is getting sunshine and need cooling. A smart ventilation system with a sensor network will offer an opportunity to manage th

          • by KGIII ( 973947 )

            When I retired, I went on a bender and did a whole ton of drugs. (I've disclosed that before. I'm okay with the world knowing.) During this time, I kind of worried about my sanity. So, I went to a head shrinker. The head shrinker was a learned lady who felt I should attend a group therapy session. Which I did. I kind of liked it. I learned about CBT and stuff. Kind of neat... I went for quite a while, it was helpful.

            Anyhow, during this session I too became a learned man and what instructions were given seem

      • Well, there's no need for a toaster to be able to do internet, but look at other things that actually can benefit from it - like ventilation systems and you have a completely different case. Thermostats that can detect not only presence of people but also power consumption in a room and predict the ventilation level needed.

        How are those cases different? I'm not seeing how the internet has to be involved for any of them.

    • by stooo ( 2202012 )

      If morons don't do it, Chinese manufacturers will do the IOT for you

      http://thehackernews.com/2013/... [thehackernews.com]

    • Well, one of the reasons that these devices are connected is to harvest data. That is why they are open to the net in the first place, and that is the major security problem. If such a device only accepts traffic from the local network with decent encryption, it creates too little data to even get noticed. But if it blabs to the outside world all the time, it is literally begging to be used as an infiltration vector.
    • Please tech journalists - stop trying to make the idiot of things (IoT) happen. It's not going to happen the way you want it to!
  • DOA (Score:3, Insightful)

    by Anonymous Coward on Monday October 26, 2015 @05:18AM (#50801563)

    Google/phone manufacturers can't even keep android phones patched more than a few years. What makes people believe that "IoT" devices will do any better?

    • Re:DOA (Score:5, Insightful)

      by peragrin ( 659227 ) on Monday October 26, 2015 @05:47AM (#50801637)

      Look at smart TVs and the number of updates that they get.

      Manufacturers' goals are not compatible with the IoT concept. You own your TV for a decade or more between replacing it. Refrigerators can go 20+ years easy.

      Do manufacturers really want to provide support that long? If the answer is no then it doesn't belong in the IoT category.

      • by Z00L00K ( 682162 )

        Built in limited lifetime of the device. "Sorry the product you have is end of life, no more updates. Buy a new one."

      • by AmiMoJo ( 196126 )

        Manufacturers see the IoT as a great way to make otherwise perfectly good appliances obsolete. They would rather you didn't keep your TV for 10 years or your fridge for 20 years. Actually our last washing machine was over 30 years.

        They are banking on consumers being short sighted and not realizing that the cool gimmick their new fridge has will be useless in a year or two. Brand loyalty is dead so they don't care about giving a good impression. Consumers choose by price, fashion and gimmicks so as long as t

  • by mbone ( 558574 ) on Monday October 26, 2015 @05:40AM (#50801615)

    Fixed that headline for you.

    Engineers with a hammer treating everything as a nail, and marketeers seeking to mine information from everyone's daily actions are evidently a very bad combination.

    • Yup, just say no to this crap.

      The only thing I want to be internet connected is my computers, my tablet, and only very rarely my phone.

      The rest of this internet connected crap I have no interest in, because I assume the security is incompetently written, and the product is mostly geared to allow analytics and ads ... none of which I have any interest in.

      An endless series of crap products which are connecting to the intertubes is just marketing hype.

  • by Anonymous Coward

    And yet we see people blaming more and more privacy invasions on companies like Apple in the iCloud Hack that exposed various celebrity nudes. More and more data that people add to the internet means the more private moments will be exposed to entertain the sick perverts of the world. Not to mention the IoT's could allow people to gain access to accounts via question and answer password resets. What is your favorite food? Well per your toaster you love Bagels and per your fridge you love Strawberry Crea

  • by NostalgiaForInfinity ( 4001831 ) on Monday October 26, 2015 @06:06AM (#50801689)

    There also must be a sound plan for installing security updates on IoT devices.

    No, not really. If your home network security assumes that every single attached device is patched and secure, you have already lost. You should deploy your IoT devices in such a way that, even if they get compromised, the damage is limited.

    Also of concern are huge repositories where IoT data is being stored, which can become attractive targets for corporate hackers and industrial spies who rely on big data to make profits.

    I don't really see how "corporate hackers and industrial spies" can "make profits" by breaking into Apple and stealing data about when I turn on my toaster. "Corporate hackers and industrial spies" generally don't go after such low value data, they go after credit card numbers and corporate secrets.

    What is evident is that the IoT will become an important part of our lives very soon, and its security is one of the major issues that must be addressed via active participation by the entire global tech community.

    No, it really doesn't need to be. Unless you have specific and clear evidence to the contrary (plus an assumption of liability by the manufacturer), consider all IoT devices to be inherently insecure and use them accordingly.

    • I don't really see how "corporate hackers and industrial spies" can "make profits" by breaking into Apple and stealing data about when I turn on my toaster. "Corporate hackers and industrial spies" generally don't go after such low value data, they go after credit card numbers and corporate secrets.

      They will be going after the credit card numbers and corporate secrets, the point is that your toaster would be the weak link in your systems. If they can hack the toaster, they can get the admin password for the toaster as well as the addresses of all the other things in the house. From there try that admin password on something like the fridge. Most people will probably reuse the same password for all their appliances so they now have admin access to the fridge which has a reorder system for items keep th

      • They will be going after the credit card numbers and corporate secrets, the point is that your toaster would be the weak link in your systems. If they can hack the toaster, they can get the admin password for the toaster as well as the addresses of all the other things in the house. From there try that admin password on something like the fridge.

        That's utter nonsense. Most IoT devices run on Z-Wave or ZigBee networks and are paired by button presses; they don't have network passwords or user passwords, and

  • by gweihir ( 88907 ) on Monday October 26, 2015 @06:50AM (#50801791)

    First, it was mainframes that were insecure. When they were finally secured, the same mistakes were repeated with workstations. Then the same mistakes were repeated with PCs. Now they are repeated with mobile phones and with cars. Next they will be repeated with IoT.

    The problem is that most people are completely unable to learn from experiences made by others, and so they repeat the same stupid mistakes whenever there is a new application field. The experts are available and could do better, but they do not get used, because all the bright-eyed "innovators" do not have a clue what they are doing.

    • by roca ( 43122 )

      Entirely agree, except it's even worse because the "finally secured" part never actually happens.

  • by Viol8 ( 599362 ) on Monday October 26, 2015 @06:51AM (#50801799) Homepage

    Too lazy to check the fridge? There's an app for that. Too stupid to be able to pull your own curtains? There's an app for that. Too bone idle to turn off a light switch? There's an app for that.

    Soon the infants masquerading as adults will require robots to wipe their backsides for them and spoon feed them mush for dinner (chew solids? Too much effort). You think the passengers on the starship in Wall-E were just a joke? Hardly - it's where we're heading.

    Meanwhile all these human vegetables will have all their private data sucked up by corporations and hackers to be used as they please.

    • Soon the infants masquerading as adults will require robots to wipe their backsides for them and spoon feed them mush for dinner (chew solids? Too much effort).

      For as much as your post seems like "keep off my lawn" vitriol.....

      It's absolute truth

      I run an amateur radio competition. Essentially make as many contacts with as many locations as possible over a certain time.

      Once upon a time, we required mailed in summary sheets (a way to get the logging started, plus some other info we need that isn't in the contact logs.)

      But in the age of email, some people would spend hours telling me to go die in a fire because it was too much effort to fill out the pdf and pr

      • by KGIII ( 973947 )

        Well yeah, the summary should be automatically filled in by the data from the SDR, it should have meta data included automatically. Hell, they shouldn't even have to do that (next). Next they'll not even want to click the button to sign anything but have it all done automatically - just ship the meta data off in XML and you have something autonomous do the scoring based on meta data collected from the Google Maps API. Hell, they won't even have to sign up for the contest - just use push notifications over a

        • Well yeah, the summary should be automatically filled in by the data from the SDR, it should have meta data included automatically. Hell, they shouldn't even have to do that (next). Next they'll not even want to click the button to sign anything but have it all done automatically - just ship the meta data off in XML and you have something autonomous do the scoring based on meta data collected from the Google Maps API.

          There are a few contests that use live updating on the web. Turns out to be a hassle for any contest that uses Mobiles, Portables or Rovers. But Hams are kind of like Slashdot users, some on the edge, and some worried about teenagers on their lawns. So we get a lot of different log formats.

          Would be cool if the scoring was done the moment the contest ended.

          I'm only partially joking but, if nothing changes, then perhaps the writing is on the wall. With a few hours, I was able to pass every single test on the ARRL (I think that was the URL) site - the prep exams, knowing only some of the material from long-since-past EE classes in the late 1980s. I simply noted the errors and the answers and memorized it. What work needs to be done, really?

          Yes, the practice exams are more like a beginning, a low bar to entry, than being very difficult.

          I decided to not get my license, I'd end up hurting myself.

          Reminds me - one of the issues I have with the testing

    • by GuB-42 ( 2483988 )

      And why should I wipe my backside if a robot can do it? Yes I am lazy, laziness is progress. Should I call you lazy because you are not hunting the meat you are eating (or grow your own vegetables, or carry your own water, or...)?
      This doesn't mean that we should be lazy for everything, we can still have hobbies or do sports, but if robots can do my chores, that's perfect for me.

  • My boss asked me "What is IoT?", so I explained it to her. I told her it was a collection of "smart" appliances that are connected to the internet, so that you could dim the light bulbs in your living room from your smart phone, or you could adjust the thermostat in your house so it is nice & warm when you get home, or you could preheat the oven to 450 on your way home from the store. On the flip side, hackers could turn off your lights prior to a home invasion, turn your thermostat off during a cold sp
    • Re: (Score:3, Informative)

      by Lumpy ( 12016 )

      Hackers are not going to do a home invasion. Stop being a paranoid conspiracy nut who likes spreading fear.

      Less than 7% of all burglaries are home invasions (US gov data, go look it up). You have a significantly higher chance of dying in your bathtub, or your car exploding on your way to work than a home invasion.

      Lastly, 99% of all home invasions are done by drugged out violent criminals, not highly educated and skilled hackers. That last 1%? Done by people you know.

      • Hackers are not going to do a home invasion. Stop being a paranoid conspiracy nut who likes spreading fear.

        Chillax dude, the examples were tongue-in-cheek. My boss got a good laugh out of it, why can't you?

      • Lastly, 99% of all home invasions are done by drugged out violent criminals, not highly educated and skilled hackers.

        Most malicious hackers are not highly educated or skilled. They're script kiddies running tools made by someone else.

        • Lastly, 99% of all home invasions are done by drugged out violent criminals, not highly educated and skilled hackers.

          Most malicious hackers are not highly educated or skilled. They're script kiddies running tools made by someone else.

          So what? If the tools work you're not going to care whether you were fucked over by a 13 year old in his basement or Dr Evilgeniushacker in a lair beneath a volcano.

    • On the flip side, hackers could turn off your lights prior to a home invasion

      lol, and then what are they going to do - intimidate me with a Klingon axe-thingy and demand all my caffeinated beverages?

    • by dablow ( 3670865 )

      It's not just the hackers, the government could essentially kill you by disabling everything that keeps you alive (heating, ability to store and cook food, the ability to remain warm and sheltered etc etc.). No need for costly drones.

      They will be able to track your every single breath...They will know when you cheated on your taxes just by looking at the quality of beer you purchased.....

    • by mlush ( 620447 )
      I think hackers are going to be more interested in using IoT to hack a WiFi Password via a smart kettle [thehackernews.com]
    • My boss asked me "What is IoT?", so I explained it to her. I told her it was a collection of "smart" appliances that are connected to the internet, so that you could dim the light bulbs in your living room from your smart phone, or you could adjust the thermostat in your house so it is nice & warm when you get home, or you could preheat the oven to 450 on your way home from the store. On the flip side, hackers could turn off your lights prior to a home invasion, turn your thermostat off during a cold spell so your pipes freeze, or preheat your oven to 600 degrees while you're on vacation.

      More likely those hackers will route spam through your toaster, use your fridge as a bot net, make your oven a tor gateway, and make the computer that controls your lights host bit torrent. Or just use them to sniff household network traffic to find anything to use there and possible man in the middle attacks. For that matter, what's the chances somebody will use the same household password on all their appliances including the wifi router and home computer so that when they hack one, they have access to al

  • by rsilvergun ( 571051 ) on Monday October 26, 2015 @07:48AM (#50802025)
    someone could be in my kitchen, digitally making themselves a grilled cheese sandwich with neither my knowledge or consent. And don't say it's just my teenager, I can't get her to step foot in a kitchen.
  • It's not critical. (Score:4, Interesting)

    by Lumpy ( 12016 ) on Monday October 26, 2015 @07:48AM (#50802029) Homepage

    My door sensor does not need 128 bits of encryption. It needs to talk to a hub inside my home unencrypted, and then the link out from there needs to be secure. The problem is all these "experts" don't have a clue at all about all of this and are clamoring that we need heavy security on everything! ZOMG!!!

    We don't. What we need is 100% open on all the devices so that as the owner of a device I can use it with whatever I want in whatever way I want. Heavy security means I will never ever be able to do that.

    All of the IOT (I really hate that acronym) crap needs to talk to a single hub and that when allowed to communicate out needs security. There needs to be absolutely ZERO security on the inside protected network other than what already exists with decent systems like Z Wave or Zigbee where they get a key from the hub they join and only talk to that network. Can it still be hacked? Yes, but not by the typical thief who really would not care to as all he has to do is a smash and grab.

    My toaster does not need to tweet or talk to westinghouse's servers. It needs to talk to my HA hub, and from there I can decide if it needs access to post to slashdot that my double cinnamon raisin toast is done.

    • I much prefer a Z-Wave / Zigbee solution over WiFi solutions as well. For the reason you stated, but there is another reason: WiFi sucks. I've yet to find an access point that is really reliable, and does not require frequent reboots. And with dozens or even hundreds of devices on one WiFi network, it's going to suck even harder. In contrast, I find my Z-Wave network to be extremely reliable. Besides, even if Z-Wave device firmware was somehow compromised, it would still have a much harder time getting
      • by Lumpy ( 12016 )

        Problem is we already have had wireless alarm systems for well over 2 decades and are extremely common and we still don't have simple thief boxes to override the door sensors.

        Thieves don't CARE about your door sensor, they kick it in, let the alarm wail as it dials the alarm company and make off with your TV set and everything else that is easily snatched before the police even get the phone call that someone is breaking in. 20 minutes later a cop might drive by the house.

        They don't need to override anyt

    • My door sensor does not need 128 bits of encryption. It needs to talk to a hub inside my home unencrypted, and then the link out from there needs to be secure. The problem is all these "experts" don't have a clue at all about all of this and are clamoring that we need heavy security on everything! ZOMG!!!

      You are right - but it won't happen that way. Manufacturers will want to be able to push updates, Google will want to know what is being bought and used, (I suspect eventually, little rfid chips in all foodstuffs so an inventory can be done and reported back so you'll be able to get a suggested grocery list complete with ads on some app on your smartphone), food manufacturers will want Google's data, the electric company will want access for power control, ADT will want access for their security services, po

    • Agreed, hub-to-device symmetric key secures that path. But it just makes the hub a more valuable target the more powerful devices connected to it get (turning on a light versus opening garage door).

    • My door sensor does not need 128 bits of encryption. It needs to talk to a hub inside my home unencrypted, and then the link out from there needs to be secure. The problem is all these "experts" don't have a clue at all about all of this and are clamoring that we need heavy security on everything! ZOMG!!!

      Perhaps they're thinking that all this stuff will most likely be wireless and as accessible to your neighbor or from the street outside your house as to whatever it's supposed to be talking to. While major appliances might get dedicated wire, unless they do network over power, they're probably not going to wire for every place you might put a lamp or toaster.

  • by hodet ( 620484 ) on Monday October 26, 2015 @08:58AM (#50802457)

    Anything on IoT becomes a shitfest discussion of toasters and fridges. Fuck what happened to this place.

    • by AmiMoJo ( 196126 )

      Indeed, the biggest area for IoT, the area I happen to work in, is sensor networks. Say you have a vast water distribution network that you need to monitor. Typical ones leak 30-40% of the water out, so you are probably interested in figuring out where the leaks are, as well as metering everyone's usage for billing purposes.

      In the past you had to send people out to take readings everywhere. Now you can put IoT sensors everywhere and they send you the data at regular intervals. It's getting so good already t

      • by hodet ( 620484 )

        This is what the IoT is all about. There are tonnes of other examples as well. How about the guy who invented a system that monitors power usage at his elderly mother's house from his web browser. He knows her routine enough to see power spikes when he should (like the kettle making tea at 10am every morning). If usage looks out of the ordinary he immediately checks up on her to make sure she is ok.

        Lots of great stuff happening in maker space. People coming up with all kinds of ingenious ways of using em

    • by Anonymous Coward

      Couldn't agree more. This used to be a site for tech enthusiasts; now it's full of get-off-my-lawn luddites who'd rather go back to the days of text-only and 48k memory. (not that there's anything wrong with the command line - I still spend a large fraction of my computing time there)

      Of course IoT is stupid without security. But there are plenty of useful applications that have little security risk. The hysteria over IoT here is tiresome. It's just as stupid as the example given in the summary - "use my toa

  • I've been on something of a roll setting up Raspberry Pis as something of a family IoT cloud.
    While it's probably not (yet) completely secure from hackers like the NSA, I do have a lot of confidence in Debian/Raspbian Linux. With 7 million RPis sold and lots of volunteers working on it, I expect it will be getting security updates for a long time.

    I've got nice simple Python fabric scripts that I run from my laptop to keep everything up-to-date, set up ssh keys, firewalls, knockd, motion webcams, temperatur

  • by silas_moeckel ( 234313 ) <silas&dsminc-corp,com> on Monday October 26, 2015 @09:27AM (#50802651) Homepage

    The "it's got wifi and connects to the cloud" model is broken by design. It's a great marketing thing to make you replace your outdated bits every few years since they are no longer compatible. But a model that is reliant on lots of vendors to do constant updates to deal with newly uncovered issues fails as white goods vendors forget about a model the instant a newer version comes out. All of the cloud features have been how can we nickel and dime you

    You need basic encryption/authentication/replay prevention on the network. The device(s) that control those networks need to be secure. We have openHAB etc on the open source side and a small pile of black boxes with varying levels of local intelligence. My Vera cannot reach the internet, it's in an isolated network along with a few other IP based IoT like my garage door controller, some DIY kit etc. Oddly it chugs along just fine with openHAB relaying any external info it needs like when I should be arriving home or the weather forecast. Sure if there is a network level exploit to Z-Wave, Insteon, Zigbee or whatever will need to get firmware upgrades on bits. But far better to make something that's not intended to be a 20+ year lifespan embedded device be the thing that gets upgraded etc. The last thing I want is my fridge having to phone home to do anything, to be reliant that some cloud is still there and supports my 20-30-40 year old device. Sensors can be very well defined, it's not like some software upgrade will add a new sensor. Lightbulbs are getting smarter with RGBW and color temps as well as dimming, would expect motion sensing, ambient light levels etc to be pretty standard soon. But who wants to worry that the cheap Chinese bulbs they got at Walmart won't get security patches a couple years from now.
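
The "authentication/replay prevention" on the sensor-to-hub link named in the comment above, together with the hub-to-device symmetric key from the earlier reply, as an added Python sketch. It is not part of any poster's comment and not taken from Z-Wave, Zigbee or openHAB; the frame layout, the 16-byte truncated tag and the names `seal` and `Hub` are assumptions made for illustration. It authenticates frames and rejects replays; it does not encrypt the payload.

```python
import hashlib
import hmac
import struct

HEADER = ">HI"   # assumed layout: 2-byte device id, 4-byte message counter
HEADER_LEN = struct.calcsize(HEADER)
TAG_LEN = 16     # HMAC-SHA256 truncated to 16 bytes (assumed for this sketch)


def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def seal(key: bytes, device_id: int, counter: int, payload: bytes) -> bytes:
    """Sensor side: header + payload + tag computed over both."""
    header = struct.pack(HEADER, device_id, counter)
    return header + payload + _tag(key, header + payload)


class Hub:
    """Hub side: one key and one last-accepted counter per paired device."""

    def __init__(self):
        self.keys = {}
        self.last_counter = {}

    def pair(self, device_id: int, key: bytes) -> None:
        self.keys[device_id] = key
        self.last_counter[device_id] = 0

    def accept(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None
        header = frame[:HEADER_LEN]
        payload = frame[HEADER_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        device_id, counter = struct.unpack(HEADER, header)
        key = self.keys.get(device_id)
        if key is None:
            return None                      # device never paired with this hub
        if not hmac.compare_digest(tag, _tag(key, header + payload)):
            return None                      # forged, corrupted or wrong key
        if counter <= self.last_counter[device_id]:
            return None                      # replayed or stale frame
        self.last_counter[device_id] = counter   # advance only after verifying
        return payload
```

A hub would have to persist `last_counter` across reboots; otherwise a restart reopens the replay window.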

  • The last thing in the world I want is more of my devices sending data about me and my belongings to servers that I do not control.

    For what I hope are obvious reasons.
