
The Internet of Things Is a Surveillance Nightmare (dailydot.com) 156

An anonymous reader writes from a DailyDot's Kernel Mag article: Welcome to the Internet of Things, what Schneier calls "the World Size Web," already growing around you as we speak, which creates such a complete picture of our lives that Dr. Richard Tynan of Privacy International calls them "doppelgangers" -- mirror images of ourselves built on constantly updated data. These doppelgangers live in the cloud, where they can easily be interrogated by intelligence agencies. Nicholas Weaver, a security researcher at University of California, Berkeley, points out that "Under the FISA Amendments Act 702 (aka PRISM), the NSA can directly ask Google for any data collected on a valid foreign intelligence target through Google's Nest service, including a Nest Cam." And that's just one, legal way of questioning your digital doppelgangers; we've all heard enough stories about hacked cloud storage to be wary of trusting our entire lives to it. [...] But with the IoT, the potential goes beyond simple espionage, into outright sabotage. Imagine an enemy that can remotely disable the brakes in your car, or (even more subtly) give you food poisoning by hacking your fridge. That's a new kind of power. "The surveillance, the interference, the manipulation the full life cycle is the ultimate nightmare," says Tynan. [...] That makes the IoT vulnerable -- our society vulnerable -- to any criminal with a weekend to spend learning how to hack. "When we talk about vulnerabilities in computers... people are using a lot of rhetoric in the abstract," says Privacy International's Tynan. "What we really mean is, vulnerable to somebody. That somebody you're vulnerable to is the real question." The state of security around IoT, the chip or sensor-equipped devices connected to each other over the Internet, is deeply concerning. Just in the past few months, we have seen several instances of these devices getting hacked. 
We have also seen things such as Shodan, a search engine for the Internet of Things that can allow someone to browse vulnerable webcams. Many people continue to overlook the significance and potential consequences of their "smart" devices getting compromised. Someone recently asked, "So what if my coffee maker gets hacked? What are criminals going to do? Burn my coffee?" They can do a lot more than burn your coffee. You see these devices are connected to your Wi-Fi network, which gives them the ability to interact with other gadgets connected to the same network. When attackers manage to access one of these devices, it's only a matter of time before they own your entire network.
  • Too late (Score:5, Insightful)

    by Anonymous Coward on Monday March 21, 2016 @12:40PM (#51744605)

    The convenience is worth the risk. The dumb-ass majority has spoken.

    • Re:Too late (Score:5, Insightful)

      by NatasRevol ( 731260 ) on Monday March 21, 2016 @12:56PM (#51744813) Journal

      Fair point. But did they have any other options?

      Are there secure IoTs?

      Maybe, just maybe, the developers/manufacturers are at some fault.

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        Yes, they could have said "no". Your scale does not need to talk to the fridge. Your thermostat does not need to talk to Google.

      • Secure IoTs? Depends on what you mean by that. Standards like Z-Wave and Zigbee are already somewhat safer from remote tampering than WiFi-enabled devices since they operate on their own network. Hacking into them remotely or making them send data to a 3rd party involves hacking the central controller (if that controller even is connected to the Internet, though it often is). Certainly possible but it's a considerable extra hurdle. The networks themselves are fairly easy to hack, though the new version
        • Re:Too late (Score:5, Informative)

          by plover ( 150551 ) on Monday March 21, 2016 @02:26PM (#51745727) Homepage Journal

          The real problem with the IoT is that everyone and their brother is trying to be the One True Provider of All Home Automation, and they want to do it in the cloud so they can charge you for integrating with everyone else's clouds. Nest has the whole Nest-Certified thing, running in the cloud. Samsung has the Samsung Smart Home, running your washers, dryers, and air conditioners in their cloud. AssureLink will happily run your garage door openers in their cloud. Honeywell has their thermostat system, in their cloud. Rheem has their EcoNet for running hot water heaters, in their cloud. LG has a cloud service for their TVs. Schlage has a cloud for running door locks. D-Link has a cloud for viewing their security cameras. Fitbit cloud-enables your health data. Philips' cloud runs your Hue lights. And so on.

          Cloud solves some thorny problems. It enables easier configuration of the home user's environment by removing most of the barriers, which is critical to commercial success. Ordinary people don't know they need to poke a hole in their firewalls, and they also know they don't want to know all those technical details. But they still want to remotely access their IoThings from their iPhones. Having the IoThings phone home to the cloud means there's a central point to discover and communicate with them, making the consumer's installation woes less painful - ease of use is critical to driving sales. And the cloud can back up those configurations, allowing you to replace your old device 1.0 with new device 2.0, all without pain.

          Clouds can also improve end user security - from a certain kind of threat. If your home device is connecting to the cloud and never listening for input on its own, its attack surface is much smaller than if it has opened a port on your firewall. And when your home device needs a security patch, the cloud can push it. Obviously, that means your home devices place their trust in the cloud to be secure, which is the point of TFA.

          But the main problem cloud solves is that clouds provide an ongoing "service" for which the device provider can charge $9.99/month. And it's all about the continual extraction of money from the consumers. Why sell an overpriced sprinkler system only once when you can have that wealthy sprinkler system owner send your cloud service a check every single month? That's really why everyone wants to be the company that sells you the One True System, so they are the ones you're willing to pay on a monthly basis.

          What I want (and have) is a server in my house that handles the home automation communications and executes rules without requiring a cloud. Unfortunately, most of the commercial hubs come needlessly saddled with clouds. There is no technical reason for an Iris hub or a Wink hub to connect to a cloud, yet they do. Amazon Echo runs everything to the cloud, including your voice. Better systems make the cloud optional.

          There are also better choices on the horizon. OpenHAB is making great progress on providing an open source Java package that can handle a wide variety of home automation devices; GUI control is getting there, but setup and configuration is still a complex problem that's out of reach of the average homeowner.

          • by Geeky ( 90998 )

            OpenHAB is one option, with a Z-Wave/Zigbee USB stick it might be able to replace a SmartThings/Nest kind of set up - if you don't mind a lot of work getting it all working (kinda like using Linux in the early days)

            Also look for devices that don't need the cloud but use it for additional features. Philips Hue lights talk to a hub that does talk to the cloud for remote control, but that hub has a simple REST API for local control. If you wanted to, you could block the hub from talking to the internet and use

            • by plover ( 150551 )

              Yeah, I looked at OpenHAB for a while, but their grandly named "OpenHAB Designer" turned out to be nothing more than a copy of Eclipse running a text editor to modify the necessary half-dozen configuration files and check them for syntax errors. It is definitely not ready for an advanced installation professional, let alone the average homeowner.

              I've had great luck so far with Vera (getvera.com). It can use the cloud if you let it, but everything is configured and run locally. Configuration is not quite plugT

              • by Geeky ( 90998 )

                Very similar to my experiences with SmartThings - despite being sold here in the UK in a major high street store, it's not really ready for primetime, but you can work around the limitations. I haven't gone beyond lights and a plug socket yet, plus the motion/door sensors that come in the starter kit. It's been a bit of fun, I like playing with gadgets, but I wouldn't recommend it to anyone just yet

                Sounds like the big difference, when compared with Vera, is that ST is cloud based and the development options

          • by DamonHD ( 794830 )

            We (OpenTRV) are building IoT devices that are decentralised and will work (well) without an Internet connection, smartphone or hideously complex instruction manual.

            Some of our target users don't have Internet connections or smartphones, for a start.

            Our devices can be connected up beyond a local hub (eg to control your heating better) if you wish, but making it possible to do without makes them inherently safer and more reliable IMHO.

            Yes, we're keen on OpenHAB integration, but Open Energy Monitor and MQTT a

        • Zigbee is old and crusty, the newest version is just strange and bloated and no one has really adopted it. It may die off except that big companies keep demanding Zigbee as a check-off box. The standards of this are new and evolving, and security isn't always there but the device makers are adding it anyway (and if you insist on alliance led standards for security then you'll get crap like WPA as a result when a manufacturer might actually have something better).

          Big problem is with the dumb IoT, devices t

      • Re:Too late (Score:5, Insightful)

        by Penguinisto ( 415985 ) on Monday March 21, 2016 @01:20PM (#51745067) Journal

        Fair point. But did they have any other options?

        Actually, as consumers, they (mostly) do have options - lots of them.

        In my case, I avoid the whole IoT thing like it were some virulent form of radioactive space herpes. It's not out of paranoia, but because my rural Satellite ISP has a bandwidth cap during most of any given 24-hour cycle. This means not bothering with the cute little automated/networked thermometers, televisions, refrigerators, etc...

        To be honest, I don't see much value in them anyway - at least not at this time; I'm perfectly capable of setting a thermostat (or throwing another log into the wood stove), and keeping a mental inventory of what's in my refrigerator. There are promising technologies/devices out (e.g. the Amazon Echo thingy), but in all honesty, they're nice-to-have things, not need-to-have (and unless you're severely disabled, nearly all of them are not much more than glorified monetization opportunities for whoever sells the thing to you - again, see also the Amazon Echo thingy).

        Anyrate, yes the consumer (that is, you and I) have the ultimate power over how much these things influence and potentially control our lives and our stuff.

        Now there may be exceptions (say you bought some swanky condo or rented an apartment that has all this stuff in it), but they can be disabled to an extent (or even hijacked by you if you know how and see a use for doing so.) It ultimately depends on you.

        Eventually, I can see where you'd have no choice but to buy such things because alternatives would cease to exist... but even there, you can simply, say, assign them to an SSID that you've throttled down to 14.4k or some obscenely low rate, then take the extra step of firewalling the shit out of that network to allow only established/related ports. Or, just hack the thing to taste (after all, phones can be jailbroken fairly quickly, so...)

        • I'm in the same boat. Due to numerous other Wi-Fi links around where I live, at best, I get reliable signal in one room, but that's pretty much it. Because there are just so many devices yakking on Wi-Fi, even the 5GHz band, where devices are supposed to find the channel that is used the least, are saturated.

          As for IoT devices, I do watch occasionally the Fiver channel on YT, which always has some new IoT item. Some are cool, others... why bother? If I were to spend the price premium for a "smart" fridg

          • by dbIII ( 701233 )

            I've never understood why IoT devices don't move to a hub/spoke model

            The same reason security is an afterthought :(

          • I've never understood why IoT devices don't move to a hub/spoke model. A hardened, central hub that does the Internet communicating, and the devices use Bluetooth and are paired with the hub (or hubs).

            Many do: Philips Hue, SmartThings, Iris (Lowes), VeraLite, and others do, except it's Z-Wave and/or ZigBee rather than Bluetooth that does the communicating. (Low-energy Bluetooth wasn't around when these standards were created, and Z-Wave and ZigBee also have the ability to form a mesh network rather than each needing to connect to the central bridge/hub.) WeMo is a notable one that doesn't work like this, as are Nest and several Apple HomeKit-capable products that connect directly to WiFi. I don't like th

        • In my case, I avoid the whole IoT thing like it were some virulent form of radioactive space herpes. It's not out of paranoia, but because my rural Satellite ISP has a bandwidth cap during most of any given 24-hour cycle.

          For me, it is because IoT is another way of saying "recurring monthly bill" or "forced obsolescence"

          Oh, look, I have a nice alarm clock that is connected to the internet, has an app store, collects data about me and will stop functioning when the manufacturer doesn't feel like supporting it any more.... what a deal!

      • Re:Too late (Score:5, Insightful)

        by Lumpy ( 12016 ) on Monday March 21, 2016 @01:22PM (#51745093) Homepage

        "Are there secure IoTs?"

        yep all of mine are. because I made them.

        I don't use stupid "cloud" crap for my IOT devices they talk to the server in my home, and the ones in the vacation home talk over an encrypted VPN to my home.

        it's the consumer crap designed to spy on you that are the problem, not IOT.

        • it's the consumer crap designed to spy on you that are the problem, not IOT.

          Once it starts going mainstream, what do you think most people will be using?

        • You can make IoT secure. Devices can be put on separate network segments that can't see each other, are firewalled, with an IDS/IPS in place to minimize damage if compromised. Logs can be exported one way via syslog to a secure server, which can be searched by Splunk or an elk stack machine. Warnings can be handled by an application running locally that can do email or SMS. Hub/spoke architectures can be used with low bandwidth devices using Bluetooth. Heck, most IoT devices could be hardwired. The de

          • This seems like it could be done fairly easily in software right inside even consumer-grade routers, and would at least help in mitigating some of the security threats of these devices. These routers already offer "guest networks" on most newer models, so this seems like the next logical step. Just create a simple way at router setup/configuration time to create an "IoT network" as well which is isolated from anything else on the router for safety.

      • But did they have any other options?

        Certainly. You don't buy 'IoT' devices in the first place. Most of them are solutions in search of a problem, not the other way around, just ways to get tech-enthused people to spend their money on more toys that they didn't need until someone convinced them they did.

      • Yes there are secure IoTs. Problem is with generic devices using generic operating systems with no security added or added as a late afterthought. Ie, "consumer" devices are the ones to beware of. Breaking into the coffee maker isn't giving you any access to your thermostat as they're not connected to each other except for using the same air space. A lot of these are relatively big and bulky devices, full android or linux maybe, with wi-fi networking and all its problems. Cheap devices made by companie

    • by GuB-42 ( 2483988 )

      The convenience would be worth the risk if it was convenient.
      Trouble is : it's not. The biggest problem is the lack of standardization. You can't buy any AC unit and expect it to be able to connect to any smart thermostat. You can't expect your IoT alarm clock to be able to turn on your IoT coffee machine without buying a specific machine, which, incidentally, makes poor coffee.
      And that's the problem, I buy things based on cost and how well they perform as things : I want a washing machine that washes well,

    • The "dumb-ass majority" will quickly change their tune when their home gets p0wned, badly.
      i.e. Devices stay on consuming electricity, fridge constantly shuts off so they are forced to rebuy all their groceries, little Johnny's lights keep switching on/off all day, etc.

      I'm actually waiting for the hackers to have a field day with this; then maybe the dumb-ass majority will actually learn their lesson:

      * Just because you _can_ hook a device up to the internet, doesn't mean you _should_.

      • I'm actually waiting for the hackers to have a field day with this;

        Then you might be interested in this [slashdot.org].

      • by dbIII ( 701233 )

        I'm actually waiting for the hackers to have a field day with this; then maybe the dumb-ass majority will actually learn their lesson

        We are already knee deep in a malware swamp beyond the dreams of bad SF, yet it just keeps on getting worse and there are plenty that have not learned the lesson (or even smirk at those who have).

    • Which convenience is that?
  • by Anonymous Coward

    If you don't want to get hacked, don't get things connected to the internet. If you want to know your milk is about to expire in your fridge, or turn your dryer on to fluff your clothes from your phone, then know the risks. If you don't care about those conveniences, don't pay for them and don't get a connected device. I can guarantee that you can still buy a fridge, dryer, coffee maker, and thermostat that aren't connected to the internet, and will still be able to for quite some time. Right now, the b

    • if you want to spy on me, weasels, you have to go to the big metadata folks that can't be avoided... Google, ad aggregators, etc. try to isolate me from the metadata files of credit agencies, insurance companies, licensing bureaus. get my voting frequency records.

      no IoT spying on me... no sir, everybody already has all the data they need. hell, if CompuServe was still around, they'd see me there, too. the old ways are the best ways.

    • I have a LOT of IoT devices oddly they can not connect to the internet. Frankly when you have devices and standards that need to last decades you're never going to cost effectively put enough crypto on them. So build upon that assumption, break into my zwave network you can turn on lights or unlock a door or turn on the heat. You're not going to disable the security system merely some extra motion sensors. Break into my IoT wifi and you still can not get anywhere.

      At the end of the day the implementations

    • If you want to know your milk is about to expire in your fridge, or turn your dryer on to fluff your clothes from your phone, then know the risks.

      But the risk is only because these stupid things are connected to the Internet. There's no reason they cannot use Bluetooth or similar. Connect to your cellphone when it is in range.

    • My wife just called, and told me we're out of milk. Why do I need a smart fridge? Not only that, but I don't want to program a menu into it so that it will tell me what I need to buy for next weeks meals. That's what the wife is for.

      The things I need they don't make, like a smart tackle box to tell me if I have enough lures and leaders for the weekend trip to the fishing hole, or the smart gun safe to tell me if I have enough turkey shells for Turkey Season, deer loads for Deer Season, etc. Those are th

  • This is going to be fun I hear.
  • Captain Obvious strikes again!

    • You know, until people act on it, or there are privacy laws in place, or the rest of the populace is outraged ... this is apparently quite far from "obvious".

      Say this to most people, and you'll get an eye-roll and a tick-box in the crazy column.

  • by Zumbs ( 1241138 ) on Monday March 21, 2016 @12:50PM (#51744741) Homepage

    Someone recently asked, "So what if my coffee maker gets hacked? What are criminals going to do? Burn my coffee?" They can do a lot more than burn your coffee.

    Depending on how well the safeguards are on your coffee machine, the criminals could try to keep the water heating elements running after all the water has been transferred to the pot. Aside from the energy bill, this could have other interesting side effects ranging from a destroyed coffee machine to a burning coffee machine that could set your home on fire. Yes, yes, this is probably a wee bit too close to scare-mongering, but it does underline the need for safety by design.

    • by i.r.id10t ( 595143 ) on Monday March 21, 2016 @12:55PM (#51744799)

      The wife asked me why I wear my gun when I'm just hanging around the house. I looked her dead in the eye and said, "the motherfucking decepticons". She laughed, I laughed, the toaster laughed, I shot the toaster, it was a good time.

      • by dstyle5 ( 702493 )
        What if it was an Autobot there to protect you from that Keurig coffee maker that cracks the occasional "Optimus sucks" joke?
      • Most toasters pack serious heat ya know, fuck around and they WILL bring the painini.
    • You don't have to come up with any far fetched hypothetical situations. Just by keeping track of coffee makers they can develop lists that thieves can use to know when it is convenient to empty your house.
    • Insurance companies want access. Ya know, make sure you are in your house, with no more than a 3 day absence which would invalidate your household insurance. Or to make sure the temperature doesn't go down too low so they can a) call you to notify you of the problem, and b) if no-one home, remotely crank up the heat. There's also remote cut-offs for water, in case they detect the flow continuing for hours on end (thanks to the smart meter). Smoke detectors, so they can notify the fire department,

    • I can think of far better uses for a hacked coffee maker. Top of the list is as a tool for proxying further attacks through, followed by DDoS node, followed by a good place to set up a server holding some illegal stuff so I can post the link in public forum. The coffee side has little practical use - but there's a computer in there that can be abused. Or I could just be annoying and make it play The Coffee Song while brewing.

    • Yes, yes, this is probably a wee bit too close to scare-mongering, but it does underline the need for safety by design.

      I wouldn't call it that.

      It has been demonstrated that with exploitable laser printer firmware, it is possible to keep the laser heating to the point of melting the printer or catching the paper on fire.

  • I think the whole IoT marketing movement is about rebranding existing technologies. Remotely accessible cameras and wearable technology have been around for a very long time practically unchanged, but now they're suddenly categorized under an ambiguous umbrella term. Most of the IoT tech have been security nightmares since day 1 so we shouldn't suddenly worry about them now, we should have worried about them for over a decade. Googling for weakly protected webcams, for example, has been around since the early 2000's and it's been a "new phenomenon" every five years or so.

    If there are devices in my home or car that I find intrusive, they can't be secured properly or they somehow threaten my privacy, I'll get rid of them. This of course becomes a bit problematic once we start running out of alternative manufacturers, but I don't think that'll be a problem for a long time to come. Our cars will most likely be the first that we have least choices with as laws have started to mandate certain wireless technologies to be implemented in them.

    The very least steps everyone should take to secure networked devices of any kind is to set up a proper firewall at home and whitelist addresses they can connect to. Or even bar them behind a VPN. Wouldn't be something every average Jane and Joe can do, but that's another story.

    • by RobinH ( 124750 )
      You won't know about all the ones that come in the appliances and vehicles you buy. They have no incentive to tell you.
  • Therac moment (Score:5, Insightful)

    by Okian Warrior ( 537106 ) on Monday March 21, 2016 @12:51PM (#51744749) Homepage Journal

    Software in medical devices was considered inconsequential for a couple of decades, and then the Therac [wikipedia.org] device came out and killed several patients.

    At the time, the FDA took a close look at software and decided that we need regulations to keep the software more safe.

    I look at the programming in cars right now and note that we haven't had our "Therac" moment. Car manufacturers keep closed source and there's no regulations about how the code should be designed for safety. (Safety for the car, yes. Safety for the software, none.)

    It'll probably take a couple of hackers making cars floor the accelerator randomly in a city for government to wake up and impose common-sense regulation.

    We'll get it straightened out once a couple of people get killed.

    • Re:Therac moment (Score:4, Informative)

      by plover ( 150551 ) on Monday March 21, 2016 @01:45PM (#51745335) Homepage Journal

      Except the THERAC problem was almost the opposite of unregulated quality control. Because getting new software tested and certified was so very expensive, they decided to reuse their existing certified software in a new model of machine, thus avoiding the cost of the review process. The new device was slightly different, though, and more susceptible to the latent bug that caused the fatally high doses of radiation. (As I recall, it was an error handler in the patient name field that caused it to misinterpret the dose the technician selected.)

      The regulatory process was partially at fault for making regulations so burdensome the company would rather play a game to get around them. I'm not saying we shouldn't have rigorous testing for safety critical applications, but that certification testing needs to incorporate the whole application plus its intended environment, not just testing the different bits from the last time it was certified.

      • I daresay your response seems a little anti-regulation-ish.

        The fault analysis didn't include the software, and indicates that the machine passed FDA muster without even considering the safety aspects of the software. It only states that the company did some testing.

        Indeed, it would appear that the FDA accepted the "software is inconsequential" argument at the time of review.

        Here is a quote from the analysis [vt.edu]:

        In March 1983, AECL performed a safety analysis on the Therac-25. This analysis was in the form of a fault tree and apparently excluded the software. According to the final report, the analysis made several assumptions:

        (1) Programming errors have been reduced by extensive testing on a hardware simulator and under field conditions on teletherapy units. Any residual software errors are not included in the analysis.

        (2) Program software does not degrade due to wear, fatigue, or reproduction process.

        (3) Computer execution errors are caused by faulty hardware components and by "soft" (random) errors induced by alpha particles and electromagnetic noise.

        The fault tree resulting from this analysis does appear to include computer failure, although apparently, judging from these assumptions, it considers only hardware failures. For example, in one OR gate leading to the event of getting the wrong energy, a box contains "Computer selects wrong energy" and a probability of 10^11 is assigned to this event. For "Computer selects wrong mode," a probability of 4 x 10^9 is given. The report provides no justification of either number.

        • by plover ( 150551 )

          Sorry, I certainly wasn't trying to be one of the "deregulation" crowd. I was looking at the business pressures to avoid the cost of including the software in the testing, and then considered the loopholes in the testing regulations that permitted the company to skimp on testing.

          I was trying to conclude that the regulatory testing requirements were inadequate because they didn't require testing of the whole device, thus blaming the regulators for allowing those loopholes to exist. That doesn't mean that a

    • There were standards and procedures before Therac. The regulation could have been tightened more with more audits of course. And some of the complaints there were kind of ridiculous, like using assembler or a custom OS, things that tons of medical devices still do for very extremely good reasons. The problems ultimately were management problems.

      Interesting that one important cause of failure was reusing older software that had reliance on some hardware interlocks. Yet today it is practically a religion in m

    • That is horrifying.

      Thanks for the nightmare fuel.

  • by asylumx ( 881307 ) on Monday March 21, 2016 @12:55PM (#51744807)
    I read "Surveillance Nightmare" and thought -- well that's good, I don't want things to be easy for surveillance. Boy was I wrong when I realized they meant it's a nightmare *because* of all the surveillance it makes possible!
  • I don't want my fridge or my car hooked to the web at all, totally unnecessary. shit headed kid engineers and marketers are causing huge problems

  • Short of completely abandoning modern society and living off the grid there is no way to maintain what was previously known as privacy. The cost to secure IoT devices and retroactively secure the internet age is so massively prohibitive it is beyond the wildest of dreams for any realist. The best that can be hoped for is that some new concept of privacy is developed culturally. One where while we could access each-others most private lives we all collectively understand and respect that everyone will have some
    • by Penguinisto ( 415985 ) on Monday March 21, 2016 @01:33PM (#51745205) Journal

      Short of completely abandoning modern society and living off the grid there is no way to maintain what was previously known as privacy.

      Sure there is - you just have to work at it.

      The cost to secure IoT devices and retroactively secure the internet age is so massively prohibitive it is beyond the wildest of dreams for any realist.

      Umm, really?

      1) buy a cheap wifi router, give it a unique SSID
      2) tie all your IoT crap to that new SSID
      3) rig the router to QoS down to something ungodly tiny (2400 baud ought to do it), or just don't connect it to the Internet at all after the initial install/update for the device. Be certain that if it is connected, you block all incoming ports at the firewall.
      4) (for the truly paranoid) If it has a camera, a bottle of cheap black nail polish is like $3 or so. If it has a microphone, clip it off or cover it with epoxy.

      So far, we've spent less than $50, and most of that was for the new router - if you have an older router, just press that into service and it'll all cost you less than a couple of hours plus the price of a large latte... *shrug*.

      • Your suggestions are great for the current time frame.
        The question is, what happens when these IoT devices won't function correctly without a constant phone home.
        Updates, patches, etc.

        Just look at what they did with gaming.
        • Good point... but by then, it is hoped that a dummy server and a few /etc/hosts entries will take care of that. Also, by then there will likely be packages you can load onto your goodies, much like one can do to their phone right now.

          It's a lot like DRM has gone all this time - measure, counter-measure.

  • Yet when I really think about it, I find that I have no good reasons to keep my computers connected to the internet. I went to BSG style networking at home. One network for local machines, going through a router that applies firewall rules in between, then another computer connected to the edge router, yet that computer isn't quite connected to the internet. I then run a virtual machine with an immutable hard disk and browser and make PPPoE connection from that VM to the router to gain internet routing. For
    • Why waste my time alone in my house facebooking or netflixing when I can go out to a bar or a cinema with a date?

      I almost believed you until that last line. You're not a real Slashdotter! They don't have dates!

  • when these sorts of things become mandatory.

    We all see that eventually self driving cars will become mandatory and driving a car will become unthinkable. It is only a matter of time.
    Eventually, these IoT surveillance and control devices will become mandatory.
    Right now we aren't forced to buy internet connected appliances.
    Right now we aren't forced to buy internet connected cars.
    Right now we aren't forced to buy internet connected clothes, toiletries, etc.

    How long will that last?

    Once the Fi
    • When the government pays for my Internet connection then they may have some say in what I operate on it.

      I guess what I am saying is be very suspicious when the government starts paying for your Internet connections...

  • It won't become an issue until some fifteen year old hacks into some Senator's $IOT and releases some scandalous information on the Web.

    You can bet your ass that security for IOT will become priority numero uno afterwards.

  • CIA chief: we’ll spy on you through your dishwasher (03.15.12)
    “Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,”

    Stay with ethernet and a computer that's web facing :)
  • MAC access control and bespoke firewall rules solve most problems, the moment a device trips an alarm by going outside of its allowed access you have your system drop the MAC off the allowed list and alert the owner that the device has a problem.

    The question of if you can buy an affordable consumer level WiFi router that can do this is a completely separate matter, and the rule changes that make open router firmware development harder don't help either.
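
The policy described in the comment above (per-device allowlist, drop the MAC and alert the owner on a violation), combined with the earlier suggestion to block everything incoming on the IoT segment, can be modelled in a few lines. This is an added example, not code from the thread or from any router firmware; the MAC addresses, hostnames, log format and the `SegmentMonitor` name are all constructed for illustration.

```python
# Added example (constructed data): default-deny policy for an isolated IoT segment.
# Per-device allowlist: MAC -> (destination host, port) pairs the device may reach.
POLICY = {
    "aa:bb:cc:00:00:01": {("time.example.net", 123), ("updates.example.net", 443)},
    "aa:bb:cc:00:00:02": {("updates.example.net", 443)},
}

# Constructed flow records: timestamp direction device_mac remote_host remote_port
FLOW_LOG = """\
2016-03-21T13:00:01 out aa:bb:cc:00:00:01 time.example.net 123
2016-03-21T13:00:05 out aa:bb:cc:00:00:02 updates.example.net 443
2016-03-21T13:00:07 in aa:bb:cc:00:00:01 scanner.example.org 23
2016-03-21T13:00:09 out aa:bb:cc:00:00:02 telemetry.example.org 443
2016-03-21T13:00:12 out aa:bb:cc:00:00:02 updates.example.net 443
2016-03-21T13:00:20 out aa:bb:cc:00:00:09 updates.example.net 443
truncated record
"""


class SegmentMonitor:
    def __init__(self, policy):
        self.policy = policy
        self.allowed = set(policy)   # MACs currently admitted to the segment
        self.alerts = []             # messages for the owner

    def handle(self, line):
        """Return 'pass' or 'drop' for one flow record."""
        parts = line.split()
        if len(parts) != 5 or parts[1] not in ("in", "out") or not parts[4].isdecimal():
            return "drop"            # fail closed on records that do not parse
        ts, direction = parts[0], parts[1]
        mac, host, port = parts[2].lower(), parts[3].lower(), int(parts[4])
        if direction == "in":
            return "drop"            # nothing outside may open a connection inward
        if mac not in self.allowed:
            return "drop"            # unknown device, or one already quarantined
        if (host, port) in self.policy[mac]:
            return "pass"
        self.allowed.discard(mac)    # tripped: take the MAC off the allowed list
        self.alerts.append(f"{ts} {mac} quarantined after flow to {host}:{port}")
        return "drop"


def run(log=FLOW_LOG):
    monitor = SegmentMonitor(POLICY)
    verdicts = [monitor.handle(line) for line in log.splitlines() if line.strip()]
    return monitor, verdicts


if __name__ == "__main__":
    monitor, verdicts = run()
    print(verdicts, monitor.alerts, sep="\n")
```

A MAC address is an identifier the device itself asserts, so this contains a misbehaving device rather than authenticating it; the quarantine holds only because every unlisted MAC is dropped by default.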
