New WiFi HaLow Protocol May Bring Old Security Issues With It
Trailrunner7 writes: Perhaps because smart lightbulbs that refuse firmware updates and refrigerators with blue screens of death aren't enough fun on their own, a new WiFi protocol designed specifically for IoT devices and appliances is on the horizon, bringing with it all of the potential security challenges you've come to know and love in WiFi classic. The new protocol is based on the 802.11ah standard from the IEEE and is being billed as Wi-Fi HaLow by the Wi-Fi Alliance. Wi-Fi HaLow differs from the wireless signal that most current devices use in a couple of key ways. First, it's designed as a low-powered protocol and will operate in the range below one gigahertz. Second, the protocol will have a much longer range than traditional Wi-Fi, a feature that will make it attractive for use in applications such as connecting traffic lights and cameras in smart cities. But, as with any new protocol or system, Wi-Fi HaLow will carry with it new security considerations to face. And one of the main challenges will be securing all of the various implementations of the protocol.
Great idea! (Score:5, Funny)
I've always wanted to be able to control traffic lights.
Re: Great idea! (Score:1)
Whoever wrote the article is quite visibly stupid.
Let's not replace all those hacky vendor-dependent implementations with one that will be well known, with security considerations fully described, because Chinese hackers and smart fridges!
Re: (Score:1)
Sorry to burst your bubble but wireless has been used for well over a decade in various infrastructure systems. Not more than a mile away from where I'm sitting are a string of traffic lights all linked by wireless for better traffic flow. I have little doubt that the vendor for them took few if any security precautions, like many vendors they probably rely on security through obscurity. While I fully agree that there should be significant limits on wireless integration, there are ways to implement it sa
Re: (Score:3)
Re: (Score:2)
The WiFi security isn't the best. But beyond that this is only a link layer security, it does not deal with security once a packet is already on the air. You need security from endpoint all the way to the back office and if that is strong then you don't need the link layer security except to prevent localized disruptions (fake APs, etc).
Re: (Score:2)
Exactly.
Re-using the 900MHz open spectrum is a very good idea, for very good engineering reasons - there are things you can do in 900MHz that 2.4 and 5.1 GHz can't at low power levels. And, in no way, is talking about fad consumer electronics that attach to the Internet for no added value whatsoever a reason not to re-use this spectrum that was relegated to garbage cordless landline telephones and the odd pair of pre-Bluetooth wireless headphones.
Re: (Score:1)
Exactly.
Re-using the 900MHz open spectrum is a very good idea, for very good engineering reasons - there are things you can do in 900MHz that 2.4 and 5.1 GHz can't at low power levels. And, in no way, is talking about fad consumer electronics that attach to the Internet for no added value whatsoever a reason not to re-use this spectrum that was relegated to garbage cordless landline telephones and the odd pair of pre-Bluetooth wireless headphones.
Too bad Zigbee is relegated to 2.4 GHz only. This sounds like a possible solution for the RF pollution problem that Comcast is having with their Zigbee-based wireless security system, as reported in Slashdot in the last week or so.
Re: Great idea! (Score:2)
Re: (Score:2)
It's a real thing though, remote configuration and monitoring of traffic lights, and wireless or wireless mesh is an approach actively being considered and implemented. That's why security is important, and better security than WiFi Alliance's WPA/WPA2 stuff. Generally this stuff is not on the "internet" despite the fashionable idea of calling these sorts of things "IoT".
Finally (Score:3)
a way to put offline all these CCTV cameras in Europe's cities. Or aim them at the heavens. Bring it on !
IT'S A TRAP! (Score:1)
Noted how they're tweaking the laws to have a "terrorism" special case everywhere?
Given the flexibility of the label, perhaps just having an nmap or a wireshark could get any of us in jail. Spreading about protocols with fat and enticing vulnerabilities is the best bait to catch all-too-curious people.
Collaterals? Nah, we learned to cope with that.
Re: Finally (Score:3)
I understand you're having problems with your Police State. Have you tried turning it off and back on again?
Re: (Score:1)
*snickers* I probably shouldn't have but I read that and envisioned Clippy. Though, if there's a switch to turn it off - I'm not sure why you'd turn it back on again.
Re: (Score:1)
I'm at it. Again.
Re: (Score:2)
From what I have heard, the protocol tops out at 100Kbps.
So, no streaming video.
"Could" (Score:5, Insightful)
The article basically says all this could happen. It says nothing about the new protocol; nor does it talk about anything specific that's known about it.
It pretty much boils down to "here's a new protocol, and since new protocols often have security holes, this one may also have security holes."
Re: (Score:2)
To summarize the summary of the summary: people are a problem.
Re: (Score:2)
OK, then let's be more certain:
We know damned well that the people who write the protocols in both the devices as well as the routers will do it in a lazy half-assed manner which is guaranteed to have gaping security holes in it. History tells us there is no "if", "might", "maybe", or "could".
Over and over we pretty much see that this is almost guaranteed to happen.
IoT is marketing hype, and as such this is being pushed to market by a bunch of people who don't value security, and bear no penalty for being
Re: (Score:2)
The Internet of Useless Things doesn't predicate the use of a new lower frequency block in standardized layer-2 wireless communication. This could happen perfectly fine without the discussion of a web-enabled juicer.
Tying the two together, which this article attempts to do, is complete nonsense. The WiFi consortium would have been looking at this for a long time before the current IoT horseshit started to take off.
Re: (Score:3)
No, but I will still maintain that a new protocol, coupled with the lazy bastards writing IoT products, is pretty much 100% guaranteed to create new security holes.
Because every time we get a new protocol we get companies who do a lousy job of adhering to it, and every single company making consumer electronics demonstrates time and time again they're lazy/incompetent/cheap/indifferent to properly implementing security.
I refuse to believe the companies making IoT things won't fuck up and create new security
Re: (Score:2)
If you don't think the IoT is going to be a gong-show of bad security, you haven't been paying attention
It already is and has been for a while. Hard coded admin passwords, no or broken encryption implementations, "phoning the mothership", etc.
Re: (Score:2)
WiFi HaLow is likely to improve security, if anything. Rolling your own security is usually what leads to problems, so using something off-the-shelf and built into chipsets that have been verified by the manufacturer is going to be better than whatever solutions random IoT developers would come up with.
Of course they will still find ways to screw it up, but as a baseline it should really help.
Re:We don't need another band (Score:5, Interesting)
The IEEE is the Goldilocks looking for the perfect spectrum and I am not sure that's even realistic.
Perfect is in the eye of the objective.
* 2.4GHz band is ideal for many applications but not all.
* 5GHz band has more bandwidth than 2.4 but also less range.
* 900MHz band has less bandwidth than 2.4GHz band but also more range.
So what is your objective?
One can argue that there was no need for the HaLow because other protocols exist for communicating on that range, but that's a different argument. If other protocols suit the objective better, nothing prevents them from being used.
Re: (Score:2)
Wait...
You mean that wireless communications engineers might actually know what the fuck they are doing, and make technical decisions based on the technical merits of the technology? Unpossible.
Re: (Score:2)
Re: (Score:2)
And all of the existing bands are overwhelmed. Good luck using any unlicensed frequencies in cities.
Re: (Score:2)
FUD (Score:5, Insightful)
TFA is pure unadulterated FUD
I am Cassandra (Score:4, Insightful)
Does anyone else around here ever get tired of being a Cassandra?
People won't heed warnings about stupid new 'tech devices'. But 10 years later, once it has bitten them in the ass, they complain to us that we weren't emphatic enough.
Society gets what it asks for.
Re: (Score:2)
You'd have a point if there was any substance to the article, but there isn't. There's a quote in the article, repeated in large, bold letters, which sums up what they're saying:
"While the standard could be good and secure, implementations by different vendors can have weaknesses and security issues."
But the large bold lettered part leaves out what followed; "This is common to all protocols," and the entire article ignores that.
There is no protocol available that is 100% secure against hacking,
Re: (Score:2)
PS: Dear slashdot,
We all know that implementation takes time, but Unicode has been around for over twenty years now. Granted, you did spend about a decade (okay, two years or so, but it felt like a decade) screwing around with that crappy beta interface that everyone hated, but you gave up on that almost a year ago. You could have gotten this done by now if you hadn't been so intent on putting commercials (oh, sorry, videos) on the front page, but hey... bygones. Now would be a good time to fix something
Re: (Score:1)
I dunno about all that? I use 27 Lithuanian boys that I trained to chitter like squirrels. They chitter my packets back and forth and if they send a malformed packet then I beat them with a stick (or a rubber hose - if I've got people over, LAN parties can be interesting) and they eventually learn to drop any unwanted packets. It beats a hosts file and functions as a firewall - all at the same time. There's a little latency around dinner time and a little less redundancy after "the incident" but it's pretty
Re: (Score:2)
The article lacked any substance.
I was just making a general comment. . . in the wrong forum, apparently.
Re: (Score:2)
You'd have a point if there was any substance to the article, but there isn't. There's a quote in the article, repeated in large, bold letters, which sums up what they're saying:
...
You aren't being Cassandra. You're being the descendant of the lone nutjob who ran around in the 70s screaming that nobody should implement TCP and everyone should stick with incompatible protocols because he thought nothing good could possibly come from a universal standard.
The article was crap. True.
I was speaking generally. I did not finish RTFA.
It just seemed an appropriate occasion to ask the question (based on the summary) – a general question. Not about net security, but about being a prescient person in general. Managers, politicians, and the general public ignore real innovations or warnings, and disregard the visionary types. They then later blame the engineers/programmers/scientists for not having 'done something sooner'.
Prime example: Douglas Engelbart o
Re: (Score:2)
Society gets what it asks for.
What have we gotten? For all the various security breaches in the past few years one can still argue that as a society we are better off now than when we were more secure and less connected.
What an amazing time to be alive!
Re: (Score:2)
Hi Cassandra. :P
Dupe. Uninformative. Silly speculation. (Score:5, Interesting)
Bonus points for overuse of the word "protocol".
By the way, the "much longer range" (debatable)...that's a function of the wavelength guys, not the protocol.
Anyway, dupe. Was widely discussed here the other day; can be bothered to find TFA.
Was a nice nerdy conversation about range vs. antenna design vs. signals stomping all over each other...
More info on 11ah here;
https://en.wikipedia.org/wiki/... [wikipedia.org]
Don't see how this will bring any more - or less -security. If, and it's a big if, people learn from the mistakes of the past, then our previous experiences with wifi should make people more aware of the design risks and take proper steps to secure stuff.
Of course, with all of the continuing revelations about hard-coded passwords, crap firmware and backdoors in everything from routers (both pro and consumer grade), "smart" meters and "smart house security solutions" *cough* the betting is probably that cheapo IoT devices will be as insecure as hell.
But that's hardly the fault of the standard...
Longer Range (Score:1, Insightful)
More "favorable" propagation maybe (for certain values of favorable)
It'll have better range for the 6 months it takes the 900MHz band to get shitted up with the 100's of devices now all within sight of each other and the digital screaming match begins. Remember when 2.4GHz wifi would get you out the front door and 50 yards down the road, and how nowadays it'll barely get from the living room to the bedroom.
in other news... (Score:2)
but why? (Score:2)
What I still can't grasp is this: apart from certain niche applications, why would anybody want a 'smart lightbulb'? And the wider question - isn't the whole IoT thing a solution looking for a problem to solve? So far, I can't for the life of me see a convincing reason to invest in the gadgets that have been proposed so far - kitchen appliances on the internet? Thermostats? I suppose home-surveillance might be somewhat interesting, but wouldn't it be rather light hearted to connect cameras looking at your p
Re: (Score:3)
Thermostats?
I agree that it is a little silly to put each and every little thing on-line, but my wifi thermostat has been very, very useful. I can't imagine the need to connect the 'fridge though. A wifi stove would be about as useful as the 'cook time' feature I never use. A wifi coffee maker would be about as useful as its clock I never bother setting (besides, a clock should just *know* what time it is). Now where is my wifi stapler?
Re: (Score:2)
What I still can't grasp is this: apart from certain niche applications, why would anybody want a 'smart lightbulb'?
What I still can't grasp is this: apart from trolling, why would luddites use Slashdot?
Re: (Score:1)
I have a home surveillance system and I pretty much used off-the-shelf components for it. It is, technically, on the internet at the moment - because I won't be back home until spring. However, in order to access it you need to do so with a specific IP address and there are a few other things that are checked before you can access it. Once you've accessed it you can move a few of the cameras and view archive footage.
It'll even jump to motion - so it can be scanned quickly and if things change it jumps to th
don't connect * to the internet (Score:1)
Seriously, you want to solve "old security issues" that are only an issue because you attached some random device to the internet that has no business being attached to the internet.
The refrigerator, the thermostat, the kettle, the coffee maker, etc etc, these don't need connected to the internet. There is nothing about a thermostat that needs IP access to function.
As for your lights etc, there is this amazing thing called a light switch. Sure it involves you getting up off your ass to turn the things on
Re: (Score:2)
Seriously, you want to solve "old security issues" that are only an issue because you attached some random device to the internet that has no business being attached to the internet.
This new wireless protocol doesn't necessarily have anything to do with being connected to the Internet. But I do agree that there are too many devices and services connected to the Internet that have no business being connected to the Internet.
too soon connected, too late smart (Score:1)
Perhaps because smart lightbulbs that refuse firmware updates and refrigerators with blue screens of death aren't enough fun on their own...
My TV's sound bar crashed last night and needed to be power cycled - and not via the power button, that was non-responsive, I had to yank the power cord. I have grown accustomed to rebooting my Roku and my TiVo and occasionally even my Plex server, but the sound bar?
902 - 928 MHz Garbage Band (Score:3)
Amateur radio operators have that band (33cm) as a secondary allocation -- and can run up to 1500 Watts. Ha-Lo? Good-Bye! It's also primary to ISM (Industrial, Scientific, Medical) equipment. Still a lot of cordless phones, baby monitors, wireless audio and video extenders.
And that's the home of the "new" Ha-Lo devices... Oh, the strategies
If anything, they're hoping most of that crap has aged out of existence. There's still a lot out there. Oh, it's also ITU region 2 only -- the Americas. No sales in Europe, and no (legal anyway) sales in China, Japan, etc.
Look for the bright side (Score:2)
It's much more fun to consider the impending doom this protocol brings if you pronounce it to rhyme with "Hey Now" and imagine Jeffrey Tambor saying it.