SOHOpeless: Security stains on Honeywell's Tuxedo home automator

Honeywell has issued an urgent firmware update for its three-year-old Tuxedo Touch home automation controller to patch vulnerabilities that could, among other things, let an attacker unlock users' deadlocks. This CERT advisory explains that without the firmware upgrade, all users are vulnerable to authentication bypass and …

  1. Mark 85
    FAIL

    Tip of the old iceberg.... again.

    And there are some who believe the IoT is a good thing...

  2. Christian Berger

    The problem isn't IoT by itself

    ...at least when it comes to security. The problem is the companies who implement IoT, the people working there, as well as the most stupid customers.

    Imagine customers were moderately smart. You could simply offer an ssh-based interface to your device. The password would be printed on the serial number label or a throw away password would be displayed on the display. You'd log in and set the password you'd want to have. That's rather secure; I mean, that's how something like 99% of all servers on the Internet are controlled.

    However you couldn't easily access it from outside... of course the solution is simple, a VPN or port forwarding, or just ssh-ing into your server and going into your fridge from there. Since it's all command line based and/or has a nice ncurses interface, it's all easy to integrate and secure.

    However devices are not designed for people who know what they are doing, and they need to be cheap. Therefore you may not have a display and buttons to enter, for example, a WPA key. And of course since people don't use ssh, there needs to be an "app". And since app development is where the current bottom of the barrel developers seem to gather, that means you'll have some sort of insecure app. If you are lucky, those talk via TLS, if you are less lucky they talk via some home grown encryption system which uses standard cyphers... in a typical course you don't get crypto at all.

    Ohh and of course people will want to use the functionality from outside, but they don't know how to set up a VPN... well let's write a web service... which of course then is written by a group of people also known to regularly come from the bottom of the barrel, Java web developers.

    1. Infernoz Bronze badge
      Facepalm

      Re: The problem isn't IoT by itself

      The main problem here is Honeywell were grossly incompetent in its implementation and negligent for connecting a security system to the cloud; it significantly increases the attack surface for no real benefit and I bet the video content was uploaded or stored insecurely, from the user's point of view, which would open another security fail which may be much harder to fix!

      It is uncalled for smearing Java Web Developers, Mr Arrogant who probably just thinks he knows security. The problem is, not-secure-by-default API and framework designs, and programmers who don't know how to do security properly, including correctly using security features in existing APIs. Web security, cryptography and data security are easy to get wrong, /in depth/, if you haven't had enough specialist security training or have dated knowledge; a web service may look secure but may still allow inappropriate data in and/or out which can allow deeper exploits e.g. for bounds, scripting, OS, database etc.

      I won't buy any IoT kit until I see security taken seriously and a mature IoT ecosystem, with cloud use locked down tight so that the cloud provider only sees encrypted data which they can't decrypt or MitM attack!

    2. SImon Hobson Bronze badge

      Re: The problem isn't IoT by itself

      @ Christian Berger

      That's perhaps a bit hard - I'm sure there are a lot of honest and competent developers working on some of this stuff. I can't help thinking that the problem lies a bit further up the chain - i.e. the managers who set the priorities and allocate resources. I know that at one ${dayjob} they had a sh*t-hot security guy on the dev team - but he left because he couldn't get any buy-in from management to include security as part of the design rather than something he nailed on afterwards.

      > Ohh and of course people will want to use the functionality from outside, but they don't know how to set up a VPN.

      And of course, here in the UK, some of the biggest ISPs either won't let you have a fixed IP at all, or charge a stupid amount for one. No reason other than simple marketing - if you want a fixed IP, we want "business ISP" income from you. Yes it's easily worked around with dynamic DNS - but it's one more "cussedness factor".

      Many routers include VPN support - but they tend to be the "less budget" ones. And of course, we all know that consumer routers are all well secured as well, don't we (not)!

  3. frank ly

    I don't understand ....

    .... why anyone would trust an 'agent', under the control of a faceless company to lock the door to their home properly and keep it locked.

    1. Anonymous Coward

      Re: I don't understand ....

      > I don't understand why anyone would trust an 'agent', under the control of a faceless company to lock the door to their home properly and keep it locked.

      Exactly. As soon as any device needs an "account" on a 3rd party service to work (and this does, to do the usual NAT traverse) you know there is a third party who potentially* has access. The question is if you (a) trust that 3rd party and (b) can make them liable for a break in if they screw up. If the answer to any of those questions is "no", avoid, and to be frank, I'd never be able to answer (a) with "yes" because I'm not wired that way (pardon the pun).

      * This could be a crypto protected tunnel, but as long as you have no independent review of that I wouldn't trust it.
