Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Communications Wireless Networking

New WiFi HaLow Protocol May Bring Old Security Issues With It 65

Trailrunner7 writes: Perhaps because smart lightbulbs that refuse firmware updates and refrigerators with blue screens of death aren't enough fun on their own, a new WiFi protocol designed specifically for IoT devices and appliances is on the horizon, bringing with it all of the potential security challenges you've come to know and love in WiFi classic. The new protocol is based on the 802.11ah standard from the IEEE and is being billed as Wi-Fi HaLow by the Wi-Fi Alliance. Wi-Fi HaLow differs from the wireless signal that most current devices uses in a couple of key ways. First, it's designed as a low-powered protocol and will operate in the range below one gigahertz. Second, the protocol will have a much longer range than traditional Wi-Fi, a feature that will make it attractive for use in applications such as connecting traffic lights and cameras in smart cities. But, as with any new protocol or system, Wi-Fi HaLow will carry with it new security considerations to face. And one of the main challenges will be securing all of the various implementations of the protocol.
This discussion has been archived. No new comments can be posted.

New WiFi HaLow Protocol May Bring Old Security Issues With It

Comments Filter:
  • Great idea! (Score:5, Funny)

    by mwvdlee ( 775178 ) on Monday January 11, 2016 @04:46AM (#51276613) Homepage

    I've always wanted to be able to control traffic lights.

    • by Anonymous Coward

      Whoever wrote the article is quite visibly stupid.
      Let's not replace all those hacky vendor-dependent implementations with one that will be well known, with security considerations fully described, because chinese hackers and smart fridges!

      • Exactly.

        Re-using the 900Mhz open spectrum is a very good idea, for very good engineering reasons - there are things you can do in 900Mhz that 2.4 and 5.1 Ghz can't at low power levels. And, in no way, is talking about fad consumer electronics that attach to the Internet for no added value whatsoever a reason not to re-use this spectrum that was relegated to garbage cordless landline telephones and the odd pair of pre-Bluetooth wireless headphones.

        • Exactly.

          Re-using the 900Mhz open spectrum is a very good idea, for very good engineering reasons - there are things you can do in 900Mhz that 2.4 and 5.1 Ghz can't at low power levels. And, in no way, is talking about fad consumer electronics that attach to the Internet for no added value whatsoever a reason not to re-use this spectrum that was relegated to garbage cordless landline telephones and the odd pair of pre-Bluetooth wireless headphones.

          Too bad Zigbee is relegated to 2.4 GHz only. This sounds like a possible solution for the RF pollution problem that Comcast is having with their Zigbee-based wireless security system, as reported in Slashdot in the last week or so.

    • It's a real thing though, remote configuration and monitoring of traffic lights, and wireless or wireless mesh is an approach actively being considered and implemented. That's why security is important, and better security than WiFi Alliance's WPA/WPA2 stuff. Generally this stuff is not on the "internet" despite the fashionable idea of calling these sorts of things "IoT".

  • by vikingpower ( 768921 ) on Monday January 11, 2016 @04:50AM (#51276623) Homepage Journal

    a way to put offline all these CCTV cameras in Europe's cities. Or aim them at the heavens. Bring it on !

    • by Anonymous Coward

      Noted how they're tweaking the laws to have a "terrorism" special case everywhere?

      Given the flexibility of the label, perhaps just having an nmap or a wireshark could get any of us in jail. Spreading about protocols with fat and enticing vulnerabilities is the best bait to catch all-too-curious people.

      Collaterals? Nah, we learned to cope with that.

    • I understand you're having problems with your Police State. Have you tried turning it off and back on again?

    • From what I have heard, the protocol tops out at 100Kbps.

      So, no streaming video.

  • "Could" (Score:5, Insightful)

    by 93 Escort Wagon ( 326346 ) on Monday January 11, 2016 @05:03AM (#51276655)

    The article basically says all this could happen. It says nothing about the new protocol; nor does it talk about anything specific that's known about it.

    It pretty much boils down to "here's a new protocol, and since new protocols often have security holes, this one may also have security holes."

    • OK, then let's be more certain:

      We know damned well that the people who write the protocols in both the devices as well as the routers will do it in a lazy half-assed manner which is guaranteed to have gaping security holes in it. History tells us there is no "if", "might", "maybe", or "could".

      Over and over we pretty much see that this is almost guaranteed to happen.

      IoT is marketing hype, and as such this is being pushed to market by a bunch of people who don't value security, and bear no penalty for being

      • The Internet of Useless Things doesn't predicate the use of a new lower frequency block in standardized layer-2 wireless communication. This could happen perfectly fine without the discussion of a web-enabled juicer.

        Tying the two together, which this article attempts to do, is complete nonsense. The WiFi consortium would have been looking at this for a long time before the current IoT horseshit started to take off.

        • No, but I will still maintain that a new protocol, coupled with the lazy bastards writing IoT products, is pretty much 100% guaranteed to create new security holes.

          Because every time we get a new protocol we get companies who do a lousy job of adhering to it, and every single company making consumer electronics demonstrates time and time again they're lazy/incompetent/cheap/indifferent to properly implementing security.

          I refuse to believe the companies making IoT things won't fuck up and create new security

      • If you don't think the IoT is going to be a gong-show of bad security, you haven't been paying attention

        It already is and has been for a while. Hard coded admin passwords, no or broken encryption implementations, "phoning the mothership", etc.

    • by AmiMoJo ( 196126 )

      WiFi HaLow is likely to improve security, if anything. Rolling your own security is usually what leads to problems, so using something off-the-shelf and built into chipsets that have been verified by the manufacturer is going to be better than whatever solutions random IoT developers would come up with.

      Of course they will still find ways to screw it up, but as a baseline it should really help.

  • FUD (Score:5, Insightful)

    by OzPeter ( 195038 ) on Monday January 11, 2016 @05:52AM (#51276727)

    TFA is pure unadulterated FUD

  • I am Cassandra (Score:4, Insightful)

    by Sir Holo ( 531007 ) on Monday January 11, 2016 @06:01AM (#51276745)

    Does anyone else around here ever get tired of being a Cassandra?

    People won't heed warnings about stupid new 'tech devices'. But 10 years later, once it has bitten them in the ass, they complain to us that we weren't emphatic enough.

    Society gets what it asks for.

    • You'd have a point if there was any substance to the article, but there isn't. There's a quote in the article, repeated in large, bold letters, which sums up what they're saying:

      âoeWhile the standard could be good and secure, implementations by different vendors can have weaknesses and security issues."

      But the large bold lettered part leaves out what followed; "This is common to all protocols,â and the entire article ignores that.

      There is no protocol available that is 100% secure against hacking,

      • PS: Dear slashdot,

        We all know that implementation takes time, but Unicode has been around for over twenty years now. Granted, you did spend about a decade (okay, two years or so, but it felt like a decade) screwing around with that crappy beta interface that everyone hated, but you gave up on that almost a year ago. You could have gotten this done by now if you hadn't been so intent on putting commercials (oh, sorry, videos) on the front page, but hey... bygones. Now would be a good time to fix something

      • by KGIII ( 973947 )

        I dunno about all that? I use 27 Lithuanian boys that I trained to chitter like squirrels. They chitter my packets back and forth and if they send a malformed packet then I beat them with a stick (or a rubber hose - if I've got people over, LAN parties can be interesting) and they eventually learn to drop any unwanted packets. It beats a hosts file and functions as a firewall - all at the same time. There's a little latency around dinner time and a little less redundancy after "the incident" but it's pretty

      • The article lacked any substance.

        I was just making a general comment. . . in the wrong forum, apparently.

      • You'd have a point if there was any substance to the article, but there isn't. There's a quote in the article, repeated in large, bold letters, which sums up what they're saying:

        ...

        You aren't being Cassandra. You're being the descendant of the lone nutjob who ran around in the 70s screaming that nobody should implement TCP and everyone should stick with incompatible protcols because he thought nothing good could could possibly come from a universal standard.

        The article was crap. True.

        I was speaking generally. I did not finish RTFA.

        It just seemed an appropriate occasion to ask the question (based on the summary) – a general question. Not about net security, but about being a prescient person in general. Managers, politicians, and the general public ignore real innovations or warnings, and disregard the visionary types. They then later blame the engineers/programmers/scientists for not having 'done something sooner'.

        Prime example: Douglas Engelbart o

    • Society gets what it asks for.

      What have we gotten? For all the various security breaches in the past few years one can still argue that as a society we are better off now than when we were more secure and less connected.

      What an amazing time to be alive!

    • by antdude ( 79039 )

      Hi Cassandra. :P

  • by Bearhouse ( 1034238 ) on Monday January 11, 2016 @06:28AM (#51276785)

    Bonus points for overuse of the word "protocol".
    By the way, the "much longer range" (debatable)...that's a function of the wavelength guys, not the protocol.

    Anyway, dupe. Was widely discussed here the other day; can be bothered to find TFA.
    Was a nice nerdy conversation about range vs. antenna design vs. signals stomping all over each other...
    More info on 11ah here;
    https://en.wikipedia.org/wiki/... [wikipedia.org]

    Don't see how this will bring any more - or less -security. If, and it's a big if, people learn from the mistakes of the past, then our previous experiences with wifi should make people more aware of the design risks and take proper steps to secure stuff.
    Of course, with all of the continuing revelations about hard-coded passwords, crap firmware and backdoors in everything from routers (both pro and consumer grade), "smart" meters and "smart house security solutions" *cough* the betting is probably that cheapo IoT devices will be as insecure as hell.
    But that's hardly the fault of the standard...

  • Longer Range (Score:1, Insightful)

    by Anonymous Coward

    More "favorable" propagation maybe (for certain values of favorable)

    It'll have better range for the 6 months it takes the 900Mhz band to get shitted up with the 100's of devices now all within sight of each other and the digital screaming match begins. Remember when 2.4Ghz wifi would get you out the front door and 50 yards down the road, and how nowadays it'll barely get from the living room to the bedroom.

  • The next release of the Linux kernel could contain old security problems. The next release of OS X could contain old security problems. The next smart card standard could contain old security problems.
  • What I still can't grasp is this: apart from certain niche applications, why would anybody want a 'smart lightbulb'? And the wider question - isn't the whole IoT thing a solution looking for a problem to solve? So far, I can't for the life of me see a convincing reason to invest in the gadgets that have been proposed so far - kitchen appliances on the internet? Thermostats? I suppose home-surveillance might be somewhat interesting, but wouldn't it be rather light hearted to connect cameras looking at your p

    • Thermostats?

      I agree that it is a little silly to put each and every little thing on-line, but my wifi thermostat has been very, very useful. I can't imagine the need to connect the 'fridge though. A wifi stove would be about as useful as the 'cook time' feature I never use. A wifi coffee maker would be about as useful as its clock I never bother setting (besides, a clock should just *know* what time it is). Now where is my wifi stapler?

    • What I still can't grasp is this: apart from certain niche applications, why would anybody want a 'smart lightbulb'?

      What I still can't grasp is this: apart from trolling, why would luddites use Slashdot?

    • by KGIII ( 973947 )

      I have a home surveillance system and I pretty much used off-the shell components for it. It is, technically, on the internet at the moment - because I won't be back home until spring. However, in order to access it you need to do so with a specific IP address and there are a few other things that are checked before you can access it. Once you've accessed it you can move a few of the cameras and view archive footage.

      It'll even jump to motion - so it can be scanned quickly and if things change it jumps to th

  • by Anonymous Coward

    Seriously, you want to solve "old security issues" that are only an issue because you attached some random device to the internet that has no business being attached to the internet.

    The refrigerator, the thermostat, the kettle, the coffee maker, etc etc, these don't need connected to the internet. There is nothing about a thermostat that needs IP access to function.

    As for your lights etc, there is this amazing thing called a light switch. Sure it involves you getting up off your ass to turn the things on

    • Seriously, you want to solve "old security issues" that are only an issue because you attached some random device to the internet that has no business being attached to the internet.

      This new wireless protocol doesn't necessarily have anything to do with being connected to the Internet. But I do agree that there are too many devices and services connected to the Internet that have no business being connected to the Internet.

  • Love this:

    Perhaps because smart lightbulbs that refuse firmware updates and refrigerators with blue screens of death aren't enough fun on their own...

    My TV's sound bar crashed last night and needed to be power cycled - and not via the power button, that was non-responsive, I had to yank the power cord. I have grown accustomed to rebooting my Roku and my TiVo and occassionally even my Plex server, but the sound bar?

  • Does anyone remember home cordless phones moving off the 902 - 928 MHz band to 2.4 GHz a decade or more ago, to escape all the garbage filling that chunk of spectrum?

    Amateur radio operators have that band (33cm) as a secondary allocation -- and can run up to 1500 Watts. Ha-Lo? Good-Bye! It's also primary to ISM (Industrial, Scientific, Medical) equipment. Still a lot of cordless phones, baby monitors, wireless audio and video extenders.

    And that's the home of the "new" Ha-Lo devices... Oh, the strategies .AH uses will help some, but they'll still be susceptible to all the other crap already operating on that band. And remember, FCC Part 15 means they have to put up with whatever's out there.

    If anything, they're hoping most of that crap has aged out of existence. There's still a lot out there. Oh, it's also ITU region 2 only -- the Americas. No sales in Europe, and no (legal anyway) sales in China, Japan, etc.
  • It's much more fun to consider the impending doom this protocol brings if you pronounce it to rhyme with "Hey Now" and imagine Jeffrey Tambor saying it.

news: gotcha

Working...