When THINGS attack! Defending data centres from IoT device-krieg

When good fridges turn bad. It may sound like science fiction, but security experts are warning that the growing prevalence of interconnected “thingbots” is opening up businesses to all sorts of bother. Security-as-a-Service provider Proofpoint warned recently that more than 750,000 phishing and spam emails had been launched …

  1. IglooDude

    Yep, yep and yep. Sticking a device out there with a public IP and nary a clue about how to lock it down (or even that it should be locked down in the first place) is inviting disaster. That's why my company sells cellular connectivity with decent network options - like assigning private static IPs, and routing all the cellular traffic to the customer's datacenter - effectively pulling the device behind the customer's corporate firewall, no matter how the device is configured.

    Of course, they should still be DMZing the devices within their WAN, but at least some schmoe on the internet can't root the device with a portscan and two minutes of websearching for a setup manual. Not that there's anything new about that: http://www.theregister.co.uk/2011/05/03/cop_car_hacking/
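    The segmentation IglooDude describes (no public exposure, device traffic hauled back behind the corporate firewall, then DMZ'd within the WAN) can be expressed as a router ruleset. The following is an added example, not code from the commenter or from The Register; the interface names, the 10.20.0.0/24 IoT segment, the 10.50.0.10 collector host and the port numbers are constructed for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: an nftables ruleset for a site router that keeps IoT devices
# in their own segment, unreachable from the internet, and only able to talk
# to the one host that needs to hear from them.
# Assumptions (constructed for this example): IoT segment 10.20.0.0/24 on
# interface "iot0", office LAN on "lan0", uplink on "wan0", and a single
# collector/management host at 10.50.0.10 in the customer's data centre.

flush ruleset

table inet iot_dmz {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to sessions the devices opened themselves may flow back;
        # nothing new is ever accepted inbound.
        ct state established,related accept
        ct state invalid drop

        # Devices may reach the collector host only, on the services it runs
        # (HTTPS and MQTT-over-TLS in this example).
        iifname "iot0" ip daddr 10.50.0.10 tcp dport { 443, 8883 } accept

        # Administrators on the office LAN may manage the devices over
        # SSH/HTTPS; no other LAN-to-IoT traffic crosses.
        iifname "lan0" oifname "iot0" tcp dport { 22, 443 } accept

        # Anything else a device tries to initiate (internet, office LAN) is
        # logged and dropped; the log prefix is the detection signal that a
        # device is misbehaving or compromised.
        iifname "iot0" log prefix "iot-egress-denied: " counter drop

        # Nothing arriving on the uplink is forwarded into the IoT segment:
        # the devices have no public exposure regardless of their own config.
        iifname "wan0" oifname "iot0" counter drop
    }
}
```

    The `policy drop` on the chain already denies the last two cases; the explicit rules exist so the `counter` and `log` output show how often a device tries to leave its segment, which is what an operator would watch when a batch of cheap kit starts phoning home.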

  2. Paul Crawford

    The problem comes down to two simple issues:

    1) People want new & shiny & cheap.

    2) No one gets punished for shit software.

    Put them together and you see what IoT is bringing. As we can't stop people buying cheap tat, the only other real option[*] is to start making suppliers liable for shit security.

    We know you can never be perfectly secure, but "shit" means things like known insecure protocols, no enforcement of password changes, no patching, ignoring vulnerability reports for more than 30 days, etc. That sort of thing ought to be punishable by more or less unlimited fines depending on how much lack of diligence is found.

    [*] Of course we could pay lots to mitigate other people's shit, but that is a lost battle if the projected numbers of IoT are true. Making the "polluter pay" is a better idea IMHO.

  3. DCFusor

    Rolling my own

    As an "old fart" computer guy living on an off-grid homestead I built up when I was younger and able to do more work manually, I'm rolling my own LAN of things to reduce the work I have to do to survive here. It's the only way. There is no need for many people to have any of this on the internet at all - a local LAN will do fine. I don't need to call my house from a cell phone I don't own to tell it to turn on the heat - and building a robot to work the woodstove might be problematic anyway. But there are things that need done that can easily be somewhat automated, yet still benefit from some human input - so I'm working on those first.

    Things like controlling the rain collection system - dump icky water, but put the good stuff into the main cistern if there's room for it. Helping me use any spare solar power - when the house batteries hit voltage, the controllers dump any excess on the ground and as of now, the only way to find out there's extra is to turn more stuff on and see if that drops the battery voltage. I could be heating my cistern/plumbing in winter, distilling water, charging my Volt, and so on if I knew there was spare and likely to be so till the end of the day - at least to the point of leaving the house batteries full for nighttime no matter what. In other words, I'm bringing high tech to the ancient art of homesteading. It's all GPLV2 if anyone cares. More here and at the linked forums: https://www.youtube.com/user/DCFusor/

    Anyone who puts critical infrastructure on the inet is an idiot - and this includes industry that just decided to save bucks vs a leased line (far harder to hack). They are learning, and might know something by the time I've been in the ground a few decades, though.

    1. Bloakey1

      Re: Rolling my own

      <snip>

      " I could be heating my mash tub and still in winter, distilling moonshine"

      <snip>

      There, I fixed it for you, you old devil.

  4. Cuddles

    Criminals aren't the problem

    "The pay-off for hacking home devices is not obvious for cyber-criminals"

    The thing is, there doesn't need to be any pay-off for criminals. Even if there is never any possible profit to be made from hacking your fridge, someone somewhere on the internet will find it hilarious to make it order you 100 pints of milk, or switch it off and make everything go mouldy. Even more so if there's a camera somewhere handy so the results can go on Youtube. I think a large part of the problem with IoT security (and lack of it) is that too many people think in terms of what criminals might get up to and reason that there's just no incentive for anyone to hack these things so why worry. What they don't take into account is that some people are just dicks.

    1. DCFusor

      Re: Criminals aren't the problem

      Upped you, Cuddles - you're right. It might be stated better that criminals aren't the *only* problem.

      I live so far out in the boonies that someone could take out my door with a chainsaw and no one notice, so yeah, out here we worry about that - when seconds count, the cops are only an hour away.

      (Not all US gun culture is idiots in cities murdering over drug territory - some is honest self-defence or garden/crop defence - it's a big country, it's tough to generalize and not be an idiot)

      That's if someone notices and calls them. Another reason *not* to make it easy to discover I'm not home. I was hammered by the realization of what info about me was available from just a few temperature/humidity/barometric sensors. Every door opened was obvious on the baro. Whether I washed my hands in the bathroom (loo to you guys) after using it just via temperature on a water line (length of pulse). And so on. No way I'm putting that up on a WAN. Not that any pen tester has made it past my firewall (yes, I've had a few try - with my permission). But you never know. I prefer to do better than just hope, and don't want this on the WAN with some outfit analyzing me in order to use me as product for ad companies.

      Of course, private recording of the camera can also be a good thing if the miscreant can't get to that to destroy it (even if they can read it). For later, understand. Motion detection to save bits, and to also catch some of the more interesting wildlife. The RasPi cam is miles ahead of most surveillance cameras FWIW - I've already caught some interesting things (one of which might end up in the local courts).

  5. Stevie

    Bah!

    All your lightbulb are belong to fridge.

    1. Anonymous Coward

      Re: Bah!

      is the fridge open or closed?

      1. VinceH

        Re: Bah!

        It doesn't matter if it's open or closed if it now owns the light bulbs.

  6. Anonymous Coward

    Insist on Ada

    Consumer associations should have their customers insist on Ada.

    The only known solution to IoT is embedded open source Ada.

  7. Zog_but_not_the_first

    Doh ^ 100

    At least with the major brands one can hope that some sort of security review will be undertaken and the kit prepared accordingly, but there is an ocean of shiny tat (see eBay, alibaba etc.) where it won't be given a second thought.

    Quite the reverse, in fact. Witness the instructions for an outdoor security camera - "For ease of access to the camera, visit our web site and enter your WAN address and username and password".

    Really.

  8. Mark 85

    I made this comment on a similar topic and it applies here... very much so here:

    Two things are obviously needed and therein will be a whole new set of problems...

    1) The company producing IoT must be willing to sacrifice some profit for updates and maintenance of the software. We as IT know this, but most of the companies doing this don't care except for the bottom line. They should also be providing information to the user to secure these devices once installed.

    2) User education. This is the toughest as education on the simplest things is rapidly disappearing in the US, maybe elsewhere. The users/customers should ask questions.... like "how often for software updates and fixes?", "What do I need to do to keep these things updated and secure?". But given that most people will buy the shiny and not give a thought to upkeep.... meh....

    Until number 2) happens and forces the issue, number 1) won't ever happen.

    1. Anonymous Coward

      "The users/customers should ask questions.... like "how often for software updates and fixes?", "What do I need to do to keep these things updated and secure?". "

      True - but you are up against the issue that most managers will quite happily say that as long as the Cyber Security Policy is applied, everything is OK. Today, I had the fun task of reviewing such a scholarly work (not), and it had such gems as requiring the manufacturer to apply all patches as soon as vulnerabilities are discovered, by an automated system, and accept financial risk for all unpatched systems - and in other parts of the same doc (a) requiring on-site customer testing of patches before they could be applied at each location, and (b) removing all manufacturer access to the end devices.

      A/C cos - well, it's kinda obvious. Although I have a scary idea that most organisations have similarly stupid lawyers drafting such docs.

  9. Anonymous Coward

    I'd like to announce....

    That after 25 years in technology, I have decided that the time has obviously come to step out and create my own anti-tech startup, provisionally named "Ludd IT". I've developed a couple of exciting product concepts, the first of which is our new Integrated Circuit Excised Box (ICEBOX), which is a counter-revolutionary food preservation container equipped with nothing but a cooling device involving a closed ammonia evaporation and heat exchange system. The box is accessed via a past-its-prime hinged door system that, when opened, triggers a little pressure-sensitive switch that turns on a tungsten-filament incandescent light bulb, enabling late-night dining without the hassle and potential personal information leakage caused by turning your LED and compact fluorescent lights on. We also might add an ice-maker. With this plus our anything-but-new coin-sized all-metal document management system, the Cellulose-based Legal Information Positioner (CLIP), I think we have the products to generate some noise and phase 1 revenues out in the marketplace.

    But our organization needs some new "why hasn't anyone not thought of that before" ideas! So I'd like to announce that we are searching for a new Chief Non-Technology Officer. This position requires strong leadership skills, a keen grasp of the obvious and a desire to push the boundaries of the archaic. This person will recruit and lead our team of skilled Technological Entropists, with the goal of turning back the clock on technological development--and maybe even slapping some hands and springs into that bad boy!

    Interested parties should enquire within.

    1. Anonymous Coward

      Re: I'd like to announce....

      "This person will recruit and lead our team of skilled Technological Entropists, with the goal of turning back the clock on technological development"

      @Marketing Hack - that sounds like a job for a uniquely qualified organisation, not just a single person. If you want to turn back the clock entirely or even just slow time, you need a government department or two.

      1. nijam

        Re: I'd like to announce....

        http://en.wikipedia.org/wiki/Bureau_of_Sabotage of course.
