The Internet of Things Is a Surveillance Nightmare (dailydot.com)
An anonymous reader writes from DailyDot's Kernel Mag article: Welcome to the Internet of Things, what Schneier calls "the World Size Web," already growing around you as we speak, which creates such a complete picture of our lives that Dr. Richard Tynan of Privacy International calls them "doppelgangers" -- mirror images of ourselves built on constantly updated data. These doppelgangers live in the cloud, where they can easily be interrogated by intelligence agencies. Nicholas Weaver, a security researcher at University of California, Berkeley, points out that "Under the FISA Amendments Act 702 (aka PRISM), the NSA can directly ask Google for any data collected on a valid foreign intelligence target through Google's Nest service, including a Nest Cam." And that's just one, legal way of questioning your digital doppelgangers; we've all heard enough stories about hacked cloud storage to be wary of trusting our entire lives to it. [...] But with the IoT, the potential goes beyond simple espionage, into outright sabotage. Imagine an enemy that can remotely disable the brakes in your car, or (even more subtly) give you food poisoning by hacking your fridge. That's a new kind of power. "The surveillance, the interference, the manipulation -- the full life cycle -- is the ultimate nightmare," says Tynan. [...] That makes the IoT vulnerable -- our society vulnerable -- to any criminal with a weekend to spend learning how to hack. "When we talk about vulnerabilities in computers... people are using a lot of rhetoric in the abstract," says Privacy International's Tynan. "What we really mean is, vulnerable to somebody. That somebody you're vulnerable to is the real question." The state of security around IoT, the chip or sensor-equipped devices connected to each other over the Internet, is deeply concerning. Just in the past few months, we have seen several instances of these devices getting hacked.
We have also seen things such as Shodan, a search engine for the Internet of Things that can allow someone to browse vulnerable webcams. Many people continue to overlook the significance and potential consequences of their "smart" devices getting compromised. Someone recently asked, "So what if my coffee maker gets hacked? What are criminals going to do? Burn my coffee?" They can do a lot more than burn your coffee. You see, these devices are connected to your Wi-Fi network, which gives them the ability to interact with other gadgets connected to the same network. When attackers manage to access one of these devices, it's only a matter of time before they own your entire network.
Too late (Score:5, Insightful)
The convenience is worth the risk. The dumb-ass majority has spoken.
Re:Too late (Score:5, Insightful)
Fair point. But did they have any other options?
Are there secure IoTs?
Maybe, just maybe, the developers/manufacturers are at some fault.
Re: (Score:1, Insightful)
Yes, they could have said "no". Your scale does not need to talk to the fridge. Your thermostat does not need to talk to Google.
Re: (Score:2)
Easy. No Cloud. Why does your smart shoe need a cloud to communicate with your phone? Bluetooth is enough. Why doesn't your wlan lightbulb talk to your router as accesspoint, which can communicate with your mobile phone (some manufacturers offer free dyndns with one click)? Why does it always need to use a cloud? One Cloud? At least two! The lightbulb talks with its manufacturer, which sends pings to google, which sends it to your phone as push message.
Re:Too late (Score:5, Informative)
The real problem with the IoT is that everyone and their brother is trying to be the One True Provider of All Home Automation, and they want to do it in the cloud so they can charge you for integrating with everyone else's clouds. Nest has the whole Nest-Certified thing, running in the cloud. Samsung has the Samsung Smart Home, running your washers, dryers, and air conditioners in their cloud. AssureLink will happily run your garage door openers in their cloud. Honeywell has their thermostat system, in their cloud. Rheem has their EcoNet for running hot water heaters, in their cloud. LG has a cloud service for their TVs. Schlage has a cloud for running door locks. D-Link has a cloud for viewing their security cameras. Fitbit cloud-enables your health data. Philips' cloud runs your Hue lights. And so on.
Cloud solves some thorny problems. It enables easier configuration of the home user's environment by removing most of the barriers, which is critical to commercial success. Ordinary people don't know they need to poke a hole in their firewalls, and they also know they don't want to know all those technical details. But they still want to remotely access their IoThings from their iPhones. Having the IoThings phone home to the cloud means there's a central point to discover and communicate with them, making the consumer's installation woes less painful - ease of use is critical to driving sales. And the cloud can back up those configurations, allowing you to replace your old device 1.0 with new device 2.0, all without pain.
Clouds can also improve end user security - from a certain kind of threat. If your home device is connecting to the cloud and never listening for input on its own, its attack surface is much smaller than if it has opened a port on your firewall. And when your home device needs a security patch, the cloud can push it. Obviously, that means your home devices place their trust in the cloud to be secure, which is the point of TFA.
But the main problem cloud solves is that clouds provide an ongoing "service" for which the device provider can charge $9.99/month. And it's all about the continual extraction of money from the consumers. Why sell an overpriced sprinkler system only once when you can have that wealthy sprinkler system owner send your cloud service a check every single month? That's really why everyone wants to be the company that sells you the One True System, so they are the ones you're willing to pay on a monthly basis.
What I want (and have) is a server in my house that handles the home automation communications and executes rules without requiring a cloud. Unfortunately, most of the commercial hubs come needlessly saddled with clouds. There is no technical reason for an Iris hub or a Wink hub to connect to a cloud, yet they do. Amazon Echo runs everything to the cloud, including your voice. Better systems make the cloud optional.
There are also better choices on the horizon. OpenHAB is making great progress on providing an open source Java package that can handle a wide variety of home automation devices; GUI control is getting there, but setup and configuration is still a complex problem that's out of reach of the average homeowner.
Re: (Score:2)
OpenHAB is one option, with a Z-Wave/Zigbee USB stick it might be able to replace a SmartThings/Nest kind of set up - if you don't mind a lot of work getting it all working (kinda like using Linux in the early days)
Also look for devices that don't need the cloud but use it for additional features. Philips Hue lights talk to a hub that does talk to the cloud for remote control, but that hub has a simple REST API for local control. If you wanted to, you could block the hub from talking to the internet and use
Re: (Score:2)
Yeah, I looked at OpenHAB for a while, but their grandly named "OpenHAB Designer" turned out to be nothing more than a copy of Eclipse running a text editor to modify the necessary half-dozen configuration files and check them for syntax errors. It is definitely not ready for an advanced installation professional, let alone the average homeowner.
I've had great luck so far with Vera (getvera.com). It can use the cloud if you let it, but everything is configured and run locally. Configuration is not quite plugT
Re: (Score:2)
Very similar to my experiences with SmartThings - despite being sold here in the UK in a major high street store, it's not really ready for primetime, but you can work around the limitations. I haven't gone beyond lights and a plug socket yet, plus the motion/door sensors that come in the starter kit. It's been a bit of fun, I like playing with gadgets, but I wouldn't recommend it to anyone just yet
Sounds like the big difference, when compared with Vera, is that ST is cloud based and the development options
Re: (Score:2)
We (OpenTRV) are building IoT devices that are decentralised and will work (well) without an Internet connection, smartphone or hideously complex instruction manual.
Some of our target users don't have Internet connections or smartphones, for a start.
Our devices can be connected up beyond a local hub (eg to control your heating better) if you wish, but making it possible to do without makes them inherently safer and more reliable IMHO.
Yes, we're keen on OpenHAB integration, but Open Energy Monitor and MQTT a
Re: (Score:2)
Laugh if you want, but I really do have two "clouds" controlled by my smart house. They're ultrasonic mist emitters that fill our orchid-growing cabinets with fog, three times a day. It keeps the humidity inside the glass cases above 95%, which is ideal for some of the equatorial cloud-forest species.
And yes, the electrical plug is kept safely outside of the cabinets. Condensing humidity is a very bad environment for electrical appliances.
Re: (Score:2)
Zigbee is old and crusty, the newest version is just strange and bloated and no one has really adopted it. It may die off except that big companies keep demanding Zigbee as a check-off box. The standards of this are new and evolving, and security isn't always there but the device makers are adding it anyway (and if you insist on alliance led standards for security then you'll get crap like WPA as a result when a manufacturer might actually have something better).
Big problem is with the dumb IoT, devices t
Re:Too late (Score:5, Insightful)
Fair point. But did they have any other options?
Actually, as consumers, they (mostly) do have options - lots of them.
In my case, I avoid the whole IoT thing like it were some virulent form of radioactive space herpes. It's not out of paranoia, but because my rural Satellite ISP has a bandwidth cap during most of any given 24-hour cycle. This means not bothering with the cute little automated/networked thermometers, televisions, refrigerators, etc...
To be honest, I don't see much value in them anyway - at least not at this time; I'm perfectly capable of setting a thermostat (or throwing another log into the wood stove), and keeping a mental inventory of what's in my refrigerator. There are promising technologies/devices out (e.g. the Amazon Echo thingy), but in all honesty, they're nice-to-have things, not need-to-have (and unless you're severely disabled, nearly all of them are not much more than glorified monetization opportunities for whoever sells the thing to you - again, see also the Amazon Echo thingy).
Anyrate, yes the consumer (that is, you and I) have the ultimate power over how much these things influence and potentially control our lives and our stuff.
Now there may be exceptions (say you bought some swanky condo or rented an apartment that has all this stuff in it), but they can be disabled to an extent (or even hijacked by you if you know how and see a use for doing so.) It ultimately depends on you.
Eventually, I can see where you'd have no choice but to buy such things because alternatives would cease to exist... but even there, you can simply, say, assign them to an SSID that you've throttled down to 14.4k or some obscenely low rate, then take the extra step of firewalling the shit out of that network to allow only established/related ports. Or, just hack the thing to taste (after all, phones can be jailbroken fairly quickly, so...)
Re: (Score:2)
I'm in the same boat. Due to numerous other Wi-Fi links around where I live, at best, I get reliable signal in one room, but that's pretty much it. Because there are just so many devices yakking on Wi-Fi, even the 5GHz band, where devices are supposed to find the channel that is used the least, is saturated.
As for IoT devices, I do watch occasionally the Fiver channel on YT, which always has some new IoT item. Some are cool, others... why bother? If I were to spend the price premium for a "smart" fridg
Re: (Score:2)
The same reason security is an afterthought :(
Re: (Score:2)
I've never understood why IoT devices don't move to a hub/spoke model. A hardened, central hub that does the Internet communicating, and the devices use Bluetooth and are paired with the hub (or hubs).
Many do: Philips Hue, SmartThings, Iris (Lowes), VeraLite, and others do, except it's Z-Wave and/or ZigBee rather than Bluetooth that does the communicating. (Low-energy Bluetooth wasn't around when these standards were created, and Z-Wave and ZigBee also have the ability to form a mesh network rather than each needing to connect to the central bridge/hub.) WeMo is a notable one that doesn't work like this, as are Nest and several Apple HomeKit-capable products that connect directly to WiFi. I don't like th
Re: (Score:2)
In my case, I avoid the whole IoT thing like it were some virulent form of radioactive space herpes. It's not out of paranoia, but because my rural Satellite ISP has a bandwidth cap during most of any given 24-hour cycle.
For me, it is because IoT is another way of saying "recurring monthly bill" or "forced obsolescence"
Oh, look, I have a nice alarm clock that is connected to the internet, has an app store, collects data about me and will stop functioning when the manufacturer doesn't feel like supporting it any more.... what a deal!
Re:Too late (Score:5, Insightful)
"Are there secure IoTs?"
yep all of mine are. because I made them.
I don't use stupid "cloud" crap for my IOT devices they talk to the server in my home, and the ones in the vacation home talk over an encrypted VPN to my home.
it's the consumer crap designed to spy on you that are the problem, not IOT.
Re: (Score:2)
it's the consumer crap designed to spy on you that are the problem, not IOT.
Once it starts going mainstream, what do you think most people will be using?
Re: (Score:2)
You can make IoT secure. Devices can be put on separate network segments that can't see each other, are firewalled, with an IDS/IPS in place to minimize damage if compromised. Logs can be exported one way via syslog to a secure server, which can be searched by Splunk or an elk stack machine. Warnings can be handled by an application running locally that can do email or SMS. Hub/spoke architectures can be used with low bandwidth devices using Bluetooth. Heck, most IoT devices could be hardwired. The de
Re: (Score:2)
This seems like it could be done fairly easily in software right inside even consumer-grade routers, and would at least help in mitigating some of the security threats of these devices. These routers already offer "guest networks" on most newer models, so this seems like the next logical step. Just create a simple way at router setup/configuration time to create an "IoT network" as well which is isolated from anything else on the router for safety.
Re: (Score:2)
But did they have any other options?
Certainly. You don't buy 'IoT' devices in the first place. Most of them are solutions in search of a problem, not the other way around, just ways to get tech-enthused people to spend their money on more toys that they didn't need until someone convinced them they did.
Re: (Score:2)
which is kind of my point.
Don't blame the consumer when the mfgr is putting out shit product. While putting lipstick on it.
Re: (Score:2)
"Don't blame the consumer when the mfgr is putting out shit product."
Of course you can blame the customer.
The only thing you can't blame the customer is for the thingie being there (I wanted X but X came with a, b and c tied to it) as soon as they buy something on purpose, customers are the ones to blame.
What you can't do is just the opposite, blame the vendor. You know for sure the vendor will try to sell you the cheapest shit that maximizes their revenue. Heck, it's their damn job to do so! And the ven
Re: (Score:2)
You're working with the wrong vendors if you think it's their job to sell you the cheapest shit possible.
Re: (Score:2)
"You're working with the wrong vendors if you think it's their job to sell you the cheapest shit possible."
That's not what I said. I said "the cheapest shit that maximizes their revenue".
Re: (Score:2)
Blame the consumer for not asking about security options. If their thermostat is unsecure as an IoT device because it connects to their wifi router, then I wouldn't put any bets about the security of their laptop or smart TV either. The rise of security problems is not necessarily because of IoT security but because there are not so many more things all on the same internet. The security needs to be added even when the consumer is not asking for those features, even if it raises the cost of the products.
Re: (Score:2)
Part of a recent project has been to make an IoT-friendly really robust secure link from device to hub or Internet server, all liberally licensed and open:
https://github.com/DamonHD/Ope... [github.com]
This runs happily on Arduino-UNO (and slower) class hardware purely in software, eg including an AES-GCM implementation:
https://github.com/opentrv/OTA... [github.com]
So yes, is the answer.
We (OpenTRV) aim to get it on 400 million energy saving smart thermostatic radiator valves across Europe.
Rgds
Damon
Re: (Score:2)
Yes there are secure IoTs. Problem is with generic devices using generic operating systems with no security added or added as a late afterthought. Ie, "consumer" devices are the ones to beware of. Breaking into the coffee maker isn't giving you any access to your thermostat as they're not connected to each other except for using the same air space. A lot of these are relatively big and bulky devices, full android or linux maybe, with wi-fi networking and all its problems. Cheap devices made by companie
Re: (Score:2)
The convenience would be worth the risk if it was convenient.
Trouble is : it's not. The biggest problem is the lack of standardization. You can't buy any AC unit and expect it to be able to connect to any smart thermostat. You can't expect your IoT alarm clock to be able to turn on your IoT coffee machine without buying a specific machine, which, incidentally, makes poor coffee.
And that's the problem, I buy things based on cost and how well they perform as things : I want a washing machine that washes well,
Re: (Score:2)
The "dumb-ass majority" will quickly change their tune when their home gets p0wned, badly.
i.e. Devices stay on consuming electricity, fridge constantly shuts off so they are forced to rebuy all their groceries, little Johnny's lights keep switching on/off all day, etc.
I'm actually waiting for the hackers to have a field day with this; then maybe the dumb-ass majority will actually learn their lesson:
* Just because you _can_ hook a device up to the internet, doesn't mean you _should_.
Re: (Score:2)
I'm actually waiting for the hackers to have a field day with this;
Then you might be interested in this [slashdot.org].
Re: (Score:2)
We are already knee deep in a malware swamp beyond the dreams of bad SF, yet it just keeps on getting worse and there are plenty that have not learned the lesson (or even smirk at those who have).
Simple Solution (Score:1)
If you don't want to get hacked, don't get things connected to the internet. If you want to know your milk is about to expire in your fridge, or turn your dryer on to fluff your clothes from your phone, then know the risks. If you don't care about those conveniences, don't pay for them and don't get a connected device. I can guarantee that you can still buy a fridge, dryer, coffee maker, and thermostat that aren't connected to the internet, and will still be able to for quite some time. Right now, the b
oh, yeah, they won't find me in atoms and pieces (Score:1)
if you want to spy on me, weasels, you have to go to the big metadata folks that can't be avoided... Google, ad aggregators, etc. try to isolate me from the metadata files of credit agencies, insurance companies, licensing bureaus. get my voting frequency records.
no IoT spying on me... no sir, everybody already has all the data they need. hell, if CompuServe was still around, they'd see me there, too. the old ways are the best ways.
Re: (Score:3)
I have a LOT of IoT devices; oddly, they can not connect to the internet. Frankly when you have devices and standards that need to last decades you're never going to cost effectively put enough crypto on them. So build upon that assumption, break into my zwave network you can turn on lights or unlock a door or turn on the heat. You're not going to disable the security system merely some extra motion sensors. Break into my IoT wifi and you still can not get anywhere.
At the end of the day the implementations
Re: (Score:3)
But the risk is only because these stupid things are connected to the Internet. There's no reason they cannot use Bluetooth or similar. Connect to your cellphone when it is in range.
I don't need a smart fridge.. (Score:2)
My wife just called, and told me we're out of milk. Why do I need a smart fridge? Not only that, but I don't want to program a menu into it so that it will tell me what I need to buy for next week's meals. That's what the wife is for.
The things I need they don't make, like a smart tackle box to tell me if I have enough lures and leaders for the weekend trip to the fishing hole, or the smart gun safe to tell me if I have enough turkey shells for Turkey Season, deer loads for Deer Season, etc. Those are th
Just Need To Chip The Humans. (Score:2)
No shit. (Score:2)
Captain Obvious strikes again!
Re: (Score:3)
You know, until people act on it, or there are privacy laws in place, or the rest of the populace is outraged ... this is apparently quite far from "obvious".
Say this to most people, and you'll get an eye-roll and a tick-box in the crazy column.
Burning coffee machines? (Score:3)
Someone recently asked, "So what if my coffee maker gets hacked? What are criminals going to do? Burn my coffee?" They can do a lot more than burn your coffee.
Depending on how well the safeguards are on your coffee machine, the criminals could try to keep the water heating elements running after all the water has been transferred to the pot. Aside from the energy bill, this could have other interesting side effects ranging from a destroyed coffee machine to a burning coffee machine that could set your home on fire. Yes, yes, this is probably a wee bit too close to scare-mongering, but it does underline the need for safety by design.
Re:Burning coffee machines? (Score:5, Funny)
The wife asked me why I wear my gun when I'm just hanging around the house. I looked her dead in the eye and said, "the motherfucking decepticons". She laughed, I laughed, the toaster laughed, I shot the toaster, it was a good time.
Re: (Score:2)
Insurance companies want access. Ya know, make sure you are in your house, with no more than a 3 day absence which would invalidate your household insurance. Or to make sure the temperature doesn't go down too low so they can a) call you to notify you of the problem, and b) if no-one home, remotely crank up the heat. There's also remote cut-offs for water, in case they detect the flow continuing for hours on end (thanks to the smart meter). Smoke detectors, so they can notify the fire department,
Re: (Score:2)
I can think of far better uses for a hacked coffee maker. Top of the list is as a tool for proxying further attacks through, followed by DDoS node, followed by a good place to set up a server holding some illegal stuff so I can post the link in public forum. The coffee side has little practical use - but there's a computer in there that can be abused. Or I could just be annoying and make it play The Coffee Song while brewing.
It's mostly just about rebranding stuff (Score:5, Insightful)
I think the whole IoT marketing movement is about rebranding existing technologies. Remotely accessible cameras and wearable technology have been around for a very long time practically unchanged, but now they're suddenly categorized under an ambiguous umbrella term. Most of the IoT tech have been security nightmares since day 1 so we shouldn't suddenly worry about them now, we should have worried about them for over a decade. Googling for weakly protected webcams, for example, has been around since the early 2000's and it's been a "new phenomenon" every five years or so.
If there are devices in my home or car that I find intrusive, they can't be secured properly or they somehow threaten my privacy, I'll get rid of them. This of course becomes a bit problematic once we start running out of alternative manufacturers, but I don't think that'll be a problem for a long time to come. Our cars will most likely be the first that we have least choices with as laws have started to mandate certain wireless technologies to be implemented in them.
The very least steps everyone should take to secure networked devices of any kind is to set up a proper firewall at home and whitelist addresses they can connect to. Or even bar them behind a VPN. Wouldn't be something every average Jane and Joe can do, but that's another story.
Therac moment (Score:5, Insightful)
Software in medical devices was considered inconsequential for a couple of decades, and then the Therac [wikipedia.org] device came out and killed several patients.
At the time, the FDA took a close look at software and decided that we need regulations to keep the software more safe.
I look at the programming in cars right now and note that we haven't had our "Therac" moment. Car manufacturers keep closed source and there's no regulations about how the code should be designed for safety. (Safety for the car, yes. Safety for the software, none.)
It'll probably take a couple of hackers making cars floor the accelerator randomly in a city for government to wake up and impose common-sense regulation.
We'll get it straightened out once a couple of people get killed.
Re:Therac moment (Score:4, Informative)
Except the THERAC problem was almost the opposite of unregulated quality control. Because getting new software tested and certified was so very expensive, they decided to reuse their existing certified software in a new model of machine, thus avoiding the cost of the review process. The new device was slightly different, though, and more susceptible to the latent bug that caused the fatally high doses of radiation. (As I recall, it was an error handler in the patient name field that caused it to misinterpret the dose the technician selected.)
The regulatory process was partially at fault for making regulations so burdensome the company would rather play a game to get around them. I'm not saying we shouldn't have rigorous testing for safety critical applications, but that certification testing needs to incorporate the whole application plus its intended environment, not just testing the different bits from the last time it was certified.
Software wasn't tested (Score:2)
I daresay your response seems a little anti-regulation-ish.
The fault analysis didn't include the software, and indicates that the machine passed FDA muster without even considering the safety aspects of the software. It only states that the company did some testing.
Indeed, it would appear that the FDA accepted the "software is inconsequential" argument at the time of review.
Here is a quote from the analysis [vt.edu]:
In March 1983, AECL performed a safety analysis on the Therac-25. This analysis was in the form of a fault tree and apparently excluded the software. According to the final report, the analysis made several assumptions:
(1) Programming errors have been reduced by extensive testing on a hardware simulator and under field conditions on teletherapy units. Any residual software errors are not included in the analysis.
(2) Program software does not degrade due to wear, fatigue, or reproduction process.
(3) Computer execution errors are caused by faulty hardware components and by "soft" (random) errors induced by alpha particles and electromagnetic noise.
The fault tree resulting from this analysis does appear to include computer failure, although apparently, judging from these assumptions, it considers only hardware failures. For example, in one OR gate leading to the event of getting the wrong energy, a box contains "Computer selects wrong energy" and a probability of 10^11 is assigned to this event. For "Computer selects wrong mode," a probability of 4 x 10^9 is given. The report provides no justification of either number.
Re: (Score:2)
Sorry, I certainly wasn't trying to be one of the "deregulation" crowd. I was looking at the business pressures to avoid the cost of including the software in the testing, and then considered the loopholes in the testing regulations that permitted the company to skimp on testing.
I was trying to conclude that the regulatory testing requirements were inadequate because they didn't require testing of the whole device, thus blaming the regulators for allowing those loopholes to exist. That doesn't mean that a
Re: (Score:2)
There were standards and procedures before Therac. The regulation could have been tightened more with more audits of course. And some of the complaints there were kind of ridiculous, like using assembler or a custom OS, things that tons of medical devices still do for extremely good reasons. The problems ultimately were management problems.
Interesting that one important cause of failure was reusing older software that had reliance on some hardware interlocks. Yet today it is practically a religion in m
Re: (Score:3)
I develop software for electronic controls in several industries, including automotive, so I am very familiar with the MISRA C Guidelines. They define a "safe subset" of C. The intention of the guidelines is really to make sure that certain, problematic features of C are being used correctly and only when needed. The idea being that when those problematic features are used, code reviews be performed to make sure the use is needed, correct and documented.
The problems come in when the guidelines meet reality.
Re: (Score:2)
We still use C because no one has really come up with a suitable replacement that lots of programmers know. There is a subset of C++ that is good, in fact preferable to C, but that is often abused because someone will start expanding that envelope to use more and more C++ features until something breaks. They swear, just a simple template only a one line, then in a month or two they've got full page templates obfuscating the code to hell and back. So C it is. You know Ada might be ok I'd be willing to
Misunderstood headline! (Score:3)
Re: Misunderstood headline! (Score:3)
unwanted (Score:2)
I don't want my fridge or my car hooked to the web at all, totally unnecessary. shit headed kid engineers and marketers are causing huge problems
Privacy is a lot cause (Score:2)
Re:Privacy is a lot cause (Score:4, Insightful)
Short of completely abandoning modern society and living off the grid there is no way to maintain what was previously known as privacy.
Sure there is - you just have to work at it.
The cost to secure IoT devices and retroactively secure the internet age is so massively prohibitive it is beyond the wildest of dreams for any realist.
Umm, really?
1) buy a cheap wifi router, give it a unique SSID
2) tie all your IoT crap to that new SSID
3) rig the router to QoS down to something ungodly tiny (2400 baud ought to do it), or just don't connect it to the Internet at all after the initial install/update for the device. Be certain that if it is connected, you block all incoming ports at the firewall.
4) (for the truly paranoid) If it has a camera, a bottle of cheap black nail polish is like $3 or so. If it has a microphone, clip it off or cover it with epoxy.
So far, we've spent less than $50, and most of that was for the new router - if you have an older router, just press that into service and it'll all cost you less than a couple of hours plus the price of a large latte... *shrug*.
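The segregation plan in the comment above can be checked after the fact by auditing new-connection records at the router. This is an added example, not part of the original post; the subnets, the log layout and the names `zone` and `audit` are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed addressing, not from the post: the spare router serves
# 192.168.50.0/24 to IoT devices; the trusted home LAN is 192.168.1.0/24.
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample: one line per NEW connection, initiator first.
# The layout is made up for this example, not a real tool's output.
SAMPLE_LOG = """\
NEW tcp 203.0.113.7 -> 192.168.50.20:23
NEW tcp 192.168.50.20 -> 192.168.1.10:445
NEW tcp 192.168.50.21 -> 198.51.100.5:443
NEW tcp 192.168.1.10 -> 198.51.100.9:443
NEW udp 192.168.50.20 -> 192.168.50.21:1900
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^NEW (tcp|udp) (\S+) -> (\S+):(\d+)$")

def zone(addr):
    """Map an address to the segment it belongs to."""
    ip = ipaddress.ip_address(addr)
    if ip in IOT_NET:
        return "iot"
    if ip in LAN_NET:
        return "lan"
    return "wan"

def audit(log_text, iot_online=False):
    """Return (line, reason) for every connection that breaks the plan."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        try:
            src, dst = zone(m.group(2)), zone(m.group(3))
        except ValueError:
            continue  # not a valid IP address
        if dst == "iot" and src != "iot":
            findings.append((line, "inbound to IoT segment from " + src))
        elif src == "iot" and dst == "lan":
            findings.append((line, "IoT device reaching the trusted LAN"))
        elif src == "iot" and dst == "wan" and not iot_online:
            findings.append((line, "IoT device phoning out while meant to be offline"))
    return findings
```

Pass `iot_online=True` during the initial install/update window, when outbound traffic from the IoT segment is expected.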
Re: (Score:3)
The question is, what happens when these IoT devices won't function correctly without a constant phone home?
Updates, patches, etc.
Just look at what they did with gaming.
Re: (Score:2)
Good point... but by then, it is hoped that a dummy server and a few /etc/hosts entries will take care of that. Also, by then there will likely be packages you can load onto your goodies, much like one can do to their phone right now.
It's a lot like DRM has gone all this time - measure, counter-measure.
Re: (Score:2)
I've always owned my modem. In fact, I think it is federal law (in the US, which almost certainly means it must be in the EU as well).
But you can easily use a downstream router to accomplish the same plan, even if you don't own the modem.
Re: (Score:2)
I think that you misunderstand. When I say my modem, I mean, I bought it from a 3rd party. I administer it. I'm not aware, off the top of my head, of any missing features.
Maybe if you want an integrated landline or something?
See also, 3rd party cable boxes. It's the law.
BGS style computing (Score:2)
Re: (Score:2)
Why waste my time alone in my house facebooking or netflixing when I can go out to a bar or a cinema with a date?
I almost believed you until that last line. You're not a real Slashdotter! They don't have dates!
It really boils down to... (Score:2)
We all see that eventually self driving cars will become mandatory and driving a car will become unthinkable. It is only a matter of time.
Eventually, these IoT surveillance and control devices will become mandatory.
Right now we aren't forced to buy internet connected appliances.
Right now we aren't forced to buy internet connected cars.
Right now we aren't forced to buy internet connected clothes, toiletries, etc.
How long will that last?
Once the Fi
Re: (Score:2)
When the government pays for my Internet connection then they may have some say in what I operate on it.
I guess what I am saying is be very suspicious when the government starts paying for your Internet connections...
Importance is relevant (Score:2)
It won't become an issue until some fifteen year old hacks into some Senator's $IOT and releases some scandalous information on the Web.
You can bet your ass that security for IOT will become priority numero uno afterwards.
Recall the CIA's interest in your home (Score:2)
“Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,”
Stay with ethernet and a computer that's web-facing.
MAC access control and bespoke firewall rules (Score:2)
The question of whether you can buy an affordable consumer-level WiFi router that can do this is a completely separate matter, and the rule changes that make open router firmware development harder don't help either.
Re:One population's security nightmare... (Score:4, Insightful)
is every Three Letter Agency's wet dream.
Maybe not. Yes, the ability to spy on people might be useful for them, however, they're frequently charged with the protection of US citizens as well.
If IoT is vulnerable, it is not just vulnerable to the NSA or FBI, it is vulnerable to Russia, Iran, North Korea, China, and anyone else who wants to try a hand at it. That's not a situation that would have everyone at the FBI (for instance) uncorking a bottle of champagne.
Re: One population's security nightmare... (Score:1)
Re: (Score:2)
The problem is that they often see US citizens as criminals. You know, before all that stupid trial stuff.
And if your point was valid, they wouldn't be fighting Apple in federal court for security, or have been fighting them on it for several years now.
http://www.bloomberg.com/news/... [bloomberg.com]
Re: (Score:2)
My point is valid because Apple is being fought to give the FBI a specific right to break encryption.
This is not the same thing as most IoT devices being insecure.
The FBI will be pleased with a capacity that they will have, but no one else will. That's fine to them.
What they will not be happy with is the ability for just anyone to break into US homes with a vulnerability that is not limited to themselves.
It is important to understand the distinctions, and also to understand that, as hard for it may be to b
Re: (Score:2)
If IoT is controlled by phones, and the FBI/NSA/KGB/CHINA have access to our phones because of the stupidity of the FBI, what's the difference?
With the power they want, they are CERTAINLY becoming much worse than mustache-twirling villains.
Re: (Score:2)
Re: Rubbish (Score:1)
Re: (Score:2)
"You could never give someone food poisoning by hacking their fridge."
In fact, you can.
Remember Alexander Litvinenko? It would have been a tad easier to kill him and avoid the diplomatic repercussion if you learn from his fridge that he buys, say, strawberries and cream from the same provider twice a month.
Re: (Score:2)
They have obviously never had botulism. I won't get into details - I've shared them before. Botulism is not your normal tummy ache. Botulism is what kills you because of the force of you trying to expel all fluids from any hole in your body. Your heart ruptures, or a vein in your head or neck will burst like a bubble. Botulism is still very deadly today. It sucks.
Re: (Score:2)
"They have obviously never had botulism."
There's no food that I can think of that can both induce botulism and requires a fridge, so I don't see what your point is.
Re: (Score:2)
That is correct but you don't see what the point is. The point is referencing this statement from the GGP above, which had trickled down through:
Also, most food-borne illnesses are nothing other than a nuisance, good for a day or two home from work, and are no real threat to anyone without a compromised immune system.
There are a number of other food-borne illnesses that can and will kill you but I'm only familiar with botulism. It was also me agreeing with you - I'm not sure why you'd react as if I was attacking something you'd said. But, so be it...
As for some things that *might* end up in the refrigerator there's some of this list care of the CDC:
some examples are chopped garlic in oil, canned cheese sauce, chile peppers, tomatoes, carrot juice, and baked potatoes wrapped in foil.
But no, my post was an addendu
Re: (Score:2)
However your point still stands if the killer wants it to look like an accident.
Re: (Score:2)
"The point there appeared to be "sending a message" by using an incredibly rare and easily identified poison that only comes from one place."
Nevertheless there was the tactical point about how to do it. The way they did it left traces that were usable both by the press and the other side's intelligence. Imagine for a moment they were able to give him the Plutonium (or Thorium, or whatever it was) without the need to expose either the agent or the infection path. Everybody (in the know) still would hav
Re: (Score:2)
So while I get your point about subtlety what happened to Litvinenko was the exact opposite and says a lot about how Russia is run at the moment. "In New Tsarist Russia Putin says fuck you" is the meme of the moment.
You do have a good point about harm due to deliberately making I
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
automatically connecting to ANY open WiFi
That could be a problem if they are particularly 'smart'. But I've found that giving them an AP ID/password to a WiFi router that isn't actually plugged into any broadband usually shuts them up. And the advantage of living on a pretty large estate is that the next nearest node is well out of range of WiFi technology.
Re: (Score:2)
"They are trying to create mesh networks."
That's not a mesh network. A mesh network would be if the TV, lacking an internet connection, instead connected to your neighbours' TVs, and via them to the next TV along, until it finds the poor sod who did connect their TV to the internet and can pass the messages finally back to the server.
Re: (Score:2)
You would be surprised at how inexpensive 3G cards and antennas are. I wouldn't be surprised to find more devices just using that for a constant, unstoppable Internet connection if they can't find a link out.
Or, they can do what modern consoles do. No Internet connection, no worky. You agreed to this, and that all info the device finds, can be given or sold freely by the device maker, in the EULA, when you opened the box.
Re: (Score:2)
Re: (Score:2)
My mother taught me how to program.
There are problems with IoT security but none of them come from having XX chromosomes: if anything it's the driven XY engineers that say "we'll do security on the next release" that are the issue.
Rgds
Damon