Intellifridge terror: Internet of Stuff kit must fend off hackers of the FU-TURE-TURE-TURE

Internet of Stuff gadgets need to have security with a 10-year lifespan if they are to offer any kind of decent protection to people and national infrastructures, according to a new report. Beancounters at Beecham Research have been the latest to warn that the much-vaunted Internet of Things is going to run into security …

  1. Mage Silver badge

    Simple solution

    Don't buy an Internet connecting Fridge.

    If you buy a gadget with the stupidity of built-in WiFi that can't be disabled and no other way to operate it, take it back as "unfit for purpose" under Sale of Goods Act.

    No matter what you do with your Router/Firewall, you can't make a WiFi gadget secure.

    1. chivo243 Silver badge

      Re: Simple solution

      I think I could. Snip, snip. Those wires leading to the wi-fi card are no match for my clamps! And if that doesn't work, black list it in your WLAN, I have an XP box that I've blocked.

      However, I wouldn't buy one either...

      1. Mage Silver badge

        Re: Simple solution

        Black listing on router doesn't work if the neighbour can pick it up directly.

        Actually some stuff is so badly done, the likely scenario is that it connects to Internet with neighbour's public WiFi (stupid people think it's good to encourage people to share public WiFi) without the owner even knowing they bought an IoT gadget.

        1. JDX Gold badge

          Re: Simple solution

          Don't you have to tell the device to join your WiFi, rather than have the WiFi ask the device to join? Isn't that the whole principle of WiFi... so the fact it is WiFi enabled means as long as you never let it join your network, it's OK?

          Or can one coerce a device to connect by pushing a request from the router?

          1. VinceH

            Re: Simple solution

            "Don't you have to tell the device to join your WiFi, rather than have the WiFi ask the device to join? Isn't that the whole principle of WiFi... so the fact it is WiFi enabled means as long as you never let it join your network, it's OK?"

            I predict that the goal of adding internet connectivity to anything and everything, pointlessly or otherwise, could be so compelling to some manufacturers that they might take it a step too far - and if you don't connect it to your WiFi within a certain amount of time, it'll scan for open networks and, when it finds one, connect. Without asking.

            Solutions: chivo243 has one above. Another would be to connect the Internet of Pointless Things device to your existing WiFi, giving it an IP address that is cut off from everything.

            1. JDX Gold badge

              Re: Simple solution

              I find that rather unlikely.

              1. VinceH

                Re: Simple solution

                Why?

                It can't be because of how difficult it would be to make a device that has been powered up for 'x' amount of time without a connection to automatically connect to an open network within range - because that wouldn't be difficult at all.

                A lot of stuff I see as Internet of Pointless Things gadgetry could be a lot less pointless from the point of view of those who could be collecting the data these things would be able to send 'home' - think back to the LG TVs, for example, which IIRC were found to be phoning home to report on customer viewing habits.

                If a company is capable of perceiving a use for such data - and aren't above collecting that data without properly informing the end user (let alone seeking their permission) - then it's only a small, and fairly trivial step to go to the above lengths to get it.

    2. Anonymous Coward

      Re: Simple solution

      Don't buy an Internet connected anything unless it offers something actually useful.

      Happens I got my new debit card through the post today, old one is expiring soon, and it had the groovy new contactless functionality. Pay By Bonk as the reg would have it. A phone call to the bank and they promised to replace it with the old boring and IMO less-hackable sort (but I had to fight for it. They really wanted me to take the contactless). They never asked what I wanted just gave it to me. Seems a lot of this turd is not consumer-led at all but shovelled on us for reasons I don't really understand.

      1. Anonymous Coward

        Re: Simple solution

        We got sent one of the thoughtless/contactless cards 3 weeks ago by ********* bank. Immediately phoned up to say "don't want it, send us a proper card" etc. Stiff rearguard action by phonecentre operator but stood our ground - "ok" says she. 3 weeks later phone up to enquire, nothing on account to show request for standard card. Suggest they listen to phone call on said date, immediate panic, £25 in account to compensate etc. Bastards are pushing this one hard. Still, result.

        But, whose money is it?

  2. RealBigAl

    Intellifridge? What would be the point of that? You'd never be able to watch it with the door shut.

    1. Captain DaFt

      Live streaming webcams!

      "Intellifridge? What would be the point of that? You'd never be able to watch it with the door shut."

      But you'll never have to open the door with Intellifridge!

      Live streaming webcams on each shelf give you a panoramic view of all the contents streamed live to your iPhone (coming soon to Android) wherever you may be!

      Plus, with Intellifridge's exclusive app, you get our patented Expiro-meter, which will show you a running countdown to show you just how long you have before each item in your Intellifridge hits its end of shelf life! And then, posts to your Facebook, Twitter, and Google+ accounts to remind you that Intellifridge has already ordered more, and notified your Intellidoor to unlock so the delivery person can enter your home to clean and restock your Intellifridge without you having to lift a finger!

      Intellifridge, it's easy! It's convenient! And oh so PROFITABLE for us*.

      *Note: By installing Intellifridge, you give us, the CON-glomerate Corporation, exclusive, lifelong access to any and all data we acquire about you, your family, neighbors and friends, and authorise us to sell it to any and all purchasers at a reasonable price.

  3. Pen-y-gors

    Don't hold your breath

    We've been using the Internet of Computers for 20+ years and that's still not secure, so don't hold your breath for an IoT that's secure now and for the next decade.

    Of course, part of the problem is that everyone feels driven to upgrade their software and hardware every other Wednesday, which fixes old bugs and introduces new ones. There's a lot to be said for someone developing a simple, secure IoT thingy and keeping it in production, without any changes, for 20 years.

  4. adnim
    Boffin

    "...security with a 10-year lifespan"

    Is this a thought experiment?

  5. The_Idiot

    Stuff the...

    ... 'Internet of Things'. After all, can anyone sell me:

    1: A vehicle sufficiently 'secure' that nobody will be able to steal it or otherwise compromise it for the next ten years?

    2: A house sufficiently 'secure' that nobody will be able to break into it or otherwise compromise it for the next ten years?

    3: A physical safe sufficiently 'secure' that nobody will be able to break into it or otherwise comp...

    I think I'll stop there. All these 'technologies' have been around a lot longer than the 'Internet of Things' - and are not, nor likely ever will be, able to carry a point of sale guarantee of security, never mind the next decade.

    Sigh.

    1. sabroni Silver badge

      Re: Stuff the...

      None of those things are addressable from the other side of the world though. Anyone on the internet could attempt to compromise your Intellifridge; how many of them could access your house as easily?

      1. The_Idiot

        Re: Stuff the...

        Mostly anyone - with a phone call or two to a 'local contractor' if I was a sufficiently worthwhile target.

        Your point, however, is of course entirely valid. It was more the whole concept of 'ten year security' applied to _anything_ that riled me some.

        For any 'technology' or 'thing' I can't predict who will want to try to compromise it next flippin' _week_, or how they'll try to do it, never mind ten years. And there is no technology or thing of which I'm aware that has even been able to make such a promise. When the Plumbers were told to break into a room at the Watergate Hotel, the order wasn't issued from the room next door - or any room in the Hotel. But the Hotel was compromised easily. When someone in, as an example only and not intended to point any real fingers, the Far East wants a new Rolls Royce without actually going into a car showroom, or a Rembrandt some museum thinks is part of their decor, and sends a custom 'acquisition' order to a team to, um, 'acquisition' it, the team may be local to the item, but the order isn't. The channel is just that - a channel.

        Security. I've heard of it. Mostly from folk who thought they had it - and didn't. Or folks who said they were selling it - and weren't.

        1. heyrick Silver badge

          Re: Stuff the...

          "Mostly anyone - with a phone call or two to a 'local contractor' if I was a sufficiently worthwhile target."

          If you were a worthwhile target, somebody somewhere could break into your car, home, safe... And that is you alone.

          This is a far cry from somebody trying to hack your fridge, oven, central heating, budgie feeder from the other side of the planet "for the lulz", and/or attacking large numbers of these devices (because the security, once cracked, could easily be deployed en masse) for some sort of political point, or simply because they can, probably from a country that doesn't give two hoots about our laws and the effects of messing with this sort of stuff.

          How long until "Granny froze to death last night because some teenager from Szechuan thought it would be funny to erase the flash in the controller and get it to reboot and freeze..."

  6. Brian Miller

    Security by brick!

    Never mind security by obscurity, you need security by brick! If it has all the connectivity and Internet functionality of said brick, it's definitely secure for ten years!

    Seriously, a lot of the security problems simply stem from really bad practices that should get someone fired in the first place before they create a pile of crap. If you want to manage a fridge, all it needs is SNMP, and nothing else. Same for basically every other appliance. SNMP v1 is more than enough to monitor everything, because you just need to get an appliance's state, not turn it on or off. Honestly, an IOT blender is pointless to turn on and off over the net. Really, is your robot capable of washing and slicing and dicing the veggies, but it can't turn on a switch?

    1. BlueGreen

      Re: Security by brick!

      > If you want to manage a fridge, all it needs is SNMP

      Mate, that is one surreal suggestion. U joke?

      But if we go there why not throw in IPtables and allow Aida Brady to configure that.

  7. Dan Paul

    Only a 10 Year lifespan? (I agree with Mage)

    Obviously these "wet behind the ears" engineers and designers don't understand that the lifespan of a fridge is 25 years and the more complex you make them, the less likely you are to attain that goal.

    I distinctly remember as a child our fridge at home lasting even longer than that and the old one that used ammonia went in the basement for chilling beer for another ten years before the compressor died.

    Given that the state of the entire internet is about to change, I can't see these twerps who design this overpriced crap even accommodating 5 years of security let alone how long people hold on to a fridge.

    Who is to say there will even be WIFI in ten years?

    1. JDX Gold badge

      Re: the lifespan of a fridge is 25 years

      Is it? Says who?

      1. Will Godfrey Silver badge

        Re: the lifespan of a fridge is 25 years

        Says Me - That's at least how long my last one was going for.

  8. earl grey
    Facepalm

    My TV is talking to me

    No, wait; it's the fridge. I can easily imagine how the wacko anti-cell-tower folks are going to flip over having "stuff" in their own house sending secret messages into the aether.

    1. JDX Gold badge

      Re: My TV is talking to me

      If they have WiFi then this isn't changing anything. If they don't, then a Wifi-capable fridge which isn't broadcasting (since it's not joined a network) isn't going to do much either.

  9. chuckufarley Silver badge

    10 Years, huh?

    My grandmother has toast that old, let alone toasters. I guess they have no plans to move the human race off of our landfill economy.

    1. ecofeco Silver badge

      Re: 10 Years, huh?

      Off our landfill economy? That's just crazy commie talk where people have to, *gasp*! repair their own stuff!

  10. Anonymous Coward
    Anonymous Coward

    10 years security ...

    ... because the Internet Fridge Hackers are going to DDoS the cheese you bought three weeks ago and forgot about and has been sitting in the back left corner behind the half-empty mayo jar?

  11. Haku

    Computers are great, but there's a limit to how much intrusion into my life I'll accept, because I sure wouldn't want to come home and find the house crashed and most of the appliances refuse to respond, or thieves broke in through some 0-day vulnerability and took my priceless collection of turnips.

  12. ecofeco Silver badge

    What is the likelihood of this protection?

    Exactly. None.

  13. Alan Brown Silver badge

    obligatory cartoon

    http://www.ibiblio.org/Dave/Dr-Fun/df200306/df20030604.jpg
