Why is the smart home insecure? Because almost nobody cares

It's easy to laugh-and-point at Samsung over its latest smart-thing disaster: after all, it should have already learned its lesson from the Smart TV debacle, right? Except, of course, that wherever you see “Smart Home”, “Internet of Things”, “cloud” and “connected” in the same press release, there's a security debacle coming. …

  1. Leitchy

    This!

    SO...this!

    The only thing that matters is getting product to market so money can be made. So shortsighted it's mind boggling.

    I'm telling everyone that anything labelled "IoT" is the devil incarnate.

    1. VinceH

      Re: This!

      "I'm telling everyone that anything labelled "IoT" is the devil incarnate."

      That's pretty much what I've been trying to do.

      Unfortunately, though, I get the distinct impression that every time I tell someone something like that, they walk away thinking I'm a paranoid nutjob who probably has his walls lined with tinfoil.

      1. Rich 11

        Re: This!

        who probably has his walls lined with tinfoil.

        Which might be one way of helping to secure smart home devices...

        1. Anonymous Coward

          Re: This!

          the JVPESS chose a chip so stupid the Republicans want to field it as Trump's running-mate.

          The chip is called the Joe Biden.

      2. Steve Davies 3 Silver badge

        Re: This!

        wonderful statement Sir!

        Add 'cloud' into the mix and 90% of the public will go glassy eyed.

        Apart from a few aficionados, who really cares about the IoT? Is it more like the wrong answer to a question that hasn't been asked yet?

        Anyway, on the day that the OED includes 'Beer-O-Clock' I'll raise my glass to you later.

        1. G.Y.

          "cloud" = "swamp" Re: This!

          Ron Rivest (of RSA fame) says "the cloud" should be renamed "the swamp"

          1. Anonymous Coward

            Re: "cloud" = "swamp" This!

            Ron Rivest (of RSA fame) says "the cloud" should be renamed "the swamp"

            That's like saying "the servers" should be renamed "the sewers". A distinct lack of distinction can be distinguished.

    2. Anonymous Coward

      Re: This! - not necessarily

      Some people are trying to build IoT stuff for people like you:

      Run all the core logic with a docker container running on your PC (NOT a damn phone) and firewalled by default so it can't be accessed by the outside world. Outbound notifications also off by default and, if enabled, take the form of ASCII text email and JPG attachments.

      You can enable remote control if you want to, but there are warnings. NO "cloud" nonsense - unless you run your own AWS instances or something and then it's your problem.

      Wireless is read only by default, C&C requires wired EtherNet or CANBus. You can enable encrypted wireless C&C if you want to, but you're warned again.

      anon because I work on it

    3. madscientist42

      Re: This!

      It doesn't have to be...but then...all it'll take is one player caring about this stuff without impairing most of the functionality being sought and they'll be king in a land where the rest are blind beyond words.

    4. Anonymous Coward

      Re: This!

      The only thing that matters is getting product to market so money can be made.

      Err... hello?? Are you phoning in from Nork?

    5. Charles Manning

      I've watched them being developed...

      During last year and a bit of this year I was involved in developing a Bluetooth LE (aka BT4, BT Smart) device based on a single-chip BTLE solution from Nordic Semiconductors that runs the BT stack on a Cortex M0 micro.

      Of course the chip comes with a board support package (BSP) + example code that is intended to show off how the chip works. The code has clear disclaimers saying that this is for demo purposes. Some of the demos are for remote controls, heart rate monitors etc etc... the sorts of IoT things that people are designing.

      They also have a forum where people can discuss issues. That's where it gets scary...

      From the forum it is plainly obvious that there are many people developing these devices for market who are just taking the for-demo-only examples, tweaking them a bit and then pouring them into products. Job done.

      Some of the blame can possibly be placed on marketing and management. The engineer takes an example, tweaks it a bit and demos the desired product function and shows it to marketing. They get excited. Engineer then says the code needs to be rewritten properly and that will take 6 months. Engineer gets overruled - they want to go into production immediately.

      But engineers must cop some of the blame too. Most of these frameworks and protocols are incredibly complex and very few engineers scratch below the surface. They like the idea of just taking a demo and tweaking it because that is the easy path. The really hard work is in taking ownership for full product function - not just the few lines of tweakery.

      These low quality BSPs are a huge problem. They encourage people to generate shoddy products.

      I suppose I should not complain too much. Fixing up the mess is what keeps me in gravy.

  2. Decade

    Follow-up to the previous post, right?

    This post is following up on Mark Pesce’s report on kids using Raspberry Pi, obviously.

  3. Lyle Dietz

    Sounds like a job for Simon

    If the JVPESS could spend a couple of months under the tutelage of his neighbourhood BOFH, he'll be able to sort things out quite quickly.

    Assuming he survives the encounter. Either way it's win-win; no more dealing with crap, he's either dead, or the tossers are.

    1. madscientist42

      Re: Sounds like a job for Simon

      Heh... In my case, the tossers will be that way. >:-D

  4. Pascal Monett Silver badge

    Chilling

    A chilling, but oh how realistic, tale.

    And I'm pretty sure it's true as well.

  5. Stork Silver badge

    this is social realism!

    I was at a project with a large and normally security-conscious client. They asked for a facility to log in as if they were a specific user of their website, and after looking at each other we (developers) asked our project manager: "so, they want a back door?"

    - no, you have to call it something else, back doors are not allowed

    1. Anonymous Coward

      Re: this is social realism!

      But for that facility you would (hopefully) have to have admin credentials anyway.

      So, not a backdoor. Stop the drama.

      1. Pookietoo

        Re: you would (hopefully) have to have admin credentials

        Yeah - hard-coded into the app.
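The "log in as a specific user" facility argued over in this sub-thread, as an added example that is not part of any post here: a Python sketch of the difference between the hard-coded-credential shape Pookietoo describes and an impersonation feature that only a directly authenticated admin can use, that is time-limited, that is written to an audit trail, and inside which sensitive self-service actions are refused. Every user name, password, salt and the in-memory store are constructed for the example; the `BACKDOOR_SECRET` value is a deliberately bad placeholder, not anything from a real product.

```python
import hashlib
import hmac
import secrets
import time


def _hash(password: str, salt: str) -> str:
    """Salted PBKDF2 hash of a password (toy parameters for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000).hex()


# Constructed sample directory: nothing here is a real credential.
USERS = {
    "alice": {"role": "admin", "salt": "s1", "hash": _hash("correct horse", "s1")},
    "bob":   {"role": "user",  "salt": "s2", "hash": _hash("battery staple", "s2")},
    "carol": {"role": "admin", "salt": "s3", "hash": _hash("staple battery", "s3")},
}

AUDIT_LOG = []                 # in-memory audit trail (a real system writes this elsewhere)
IMPERSONATION_TTL = 15 * 60    # impersonation sessions expire after 15 minutes


class AuthError(Exception):
    pass


def _session(user: str, actor: str, impersonated: bool, ttl: int) -> dict:
    return {"id": secrets.token_hex(16), "user": user, "role": USERS[user]["role"],
            "actor": actor, "impersonated": impersonated, "expires": time.time() + ttl}


def login(username: str, password: str) -> dict:
    """Normal login: verify the password in constant time and issue a session."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        raise AuthError("bad username or password")
    return _session(username, username, impersonated=False, ttl=8 * 3600)


# --- the anti-pattern Pookietoo describes: a fixed secret baked into the app ---
BACKDOOR_SECRET = "PLACEHOLDER-hardcoded-value"   # constructed, deliberately bad


def backdoor_login(target: str, secret: str) -> dict:
    """Anyone who learns the one fixed value becomes any user; nothing is logged."""
    if secret != BACKDOOR_SECRET or target not in USERS:
        raise AuthError("denied")
    return _session(target, target, impersonated=False, ttl=8 * 3600)


# --- the same business need done as an admin-only, audited impersonation ---
def impersonate(admin_session: dict, target: str) -> dict:
    """Let a directly authenticated admin act as a non-admin user, with a record."""
    if admin_session["impersonated"] or admin_session["role"] != "admin":
        raise AuthError("only a directly authenticated admin may impersonate")
    if time.time() > admin_session["expires"]:
        raise AuthError("admin session expired")
    rec = USERS.get(target)
    if rec is None:
        raise AuthError("unknown target user")
    if rec["role"] == "admin":
        raise AuthError("admin accounts cannot be impersonated")
    sess = _session(target, admin_session["user"], impersonated=True, ttl=IMPERSONATION_TTL)
    AUDIT_LOG.append({"ts": time.time(), "event": "impersonate",
                      "actor": admin_session["user"], "target": target, "session": sess["id"]})
    return sess


def change_password(session: dict, new_password: str) -> None:
    """Sensitive self-service action: refused (and logged) inside an impersonated session."""
    if session["impersonated"]:
        AUDIT_LOG.append({"ts": time.time(), "event": "refused_password_change",
                          "actor": session["actor"], "target": session["user"]})
        raise AuthError("not permitted while impersonating")
    salt = secrets.token_hex(8)
    USERS[session["user"]].update({"salt": salt, "hash": _hash(new_password, salt)})


def allowed(fn, *args) -> bool:
    """Helper for checks: True if the call succeeds, False if it is refused."""
    try:
        fn(*args)
        return True
    except AuthError:
        return False
```

The point the thread circles around is that the feature itself is not the problem: an admin acting as a user is a legitimate support need. What turns it into a back door is a credential that lives in the code rather than in an authenticated admin, and the absence of any record of who used it and when.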

  6. Turtle

    *I* Care. And In My Home, That's All That Matters.

    "Why is the smart home insecure? Because almost nobody cares"

    Well, *I* care. And that's why I won't be buying any "smart" appliances at all. Insecurity problem solved!

    1. YetAnotherLocksmith Silver badge

      Re: *I* Care. And In My Home, That's All That Matters.

      Eventually though, your CRT will stop warming up, and the only modern TV will have this crap built-in whether you want it or not. Bit like your phone, only worse.

      1. Steve Davies 3 Silver badge

        Re: *I* Care. And In My Home, That's All That Matters.

        That might well come to be the situation.

        Now if those new fangled bits of kit are connected to anything is another matter completely.

        I connected my new TV to the internet for all of 30 minutes. Just long enough to get a software update. That's it. I might connect it periodically just to do the same but in normal operations?

        forget it sunshine, it ain't gonna happen this side of the second coming.

        1. Roo

          Re: *I* Care. And In My Home, That's All That Matters.

          "I connected my new TV to the internet for all of 30 minutes. Just long enough to get a software update. That's it. I might connect it periodically just to do the same but in normal operations?

          forget it sunshine, it ain't gonna happen this side of the second coming."

          The problem is that a lot of this IoT shite is going to have wireless networking built in, and let's face it vendors are always finding new ways for software to phone home without asking the user first. Not sure what can be done about that aside from physically taking it apart and connecting any aerials you can find to 0v... Still no guarantee you'd find them all of course. :P

          1. Anonymous Coward

            Re: wireless networking built in ...

            nah, mobile data: it will bypass any of the owners (and/or neighbours) wifi restrictions.

            1. Roo

              Re: wireless networking built in ...

              "nah, mobile data: it will bypass any of the owners (and/or neighbours) wifi restrictions."

              That's why I was careful to say "wireless networking" rather than WiFi and suggest sabotaging their aerials rather than trying to convert one's home into a Faraday cage. :)

            2. Koconnor100

              Re: wireless networking built in ...

              Mobile data, requires a cell phone. Or at least a data stick that pretends to be a cell phone.

              And a monthly contract with the local provider. Who's gonna want money every month.

              How is that gonna work? They gonna charge you a monthly rate for your television? Forget that!

              1. Anonymous Coward

                Re: wireless networking built in ...

                You forget Whispernets, a la the original Kindle. The TV makers can have contracts with cell phone companies to bum some data on occasion off them, allowing the devices to sip from mobile networks without needing an additional device.

                Plus they can make the devices such that if you try to sabotage the antenna, you break the device altogether...oh, and void the warranty. And since they have to plug into mains, they can probably use it as an antenna, so good luck trying to shield it with a Faraday cage.

  7. RainForestGuppy

    Is it anything new?

    All security staff have had the battle of "shiny, shiny, new stuff that absolutely must be delivered today" over "boring old, security that is just a cost center".

  8. tirk

    Top article

    True, funny and scary. Could be the back-story for the next Terminator reboot.

  9. Anonymous Coward

    Finally...

    ...someone's actually said it. At last.

  10. Anonymous Coward

    This article is a tad too optimistic

    Speaking as someone who's been there, this doesn't ring true. In my experience the idea that the secure version briefly exists on paper is not realistic, as there's usually at least one 'essential requirement' (which might well be the entire point of the product) that can't be made secure without obviously violating the laws of physics.

    1. Anonymous Coward

      Re: This article is a tad too optimistic

      In my current gig it's even worse. Security features are cut for no other reason than budget. Risk management doesn't use the idea of exposure (probability x impact), nor do they bother with contingency (because "we've always done it this way"). These guys do checklist security (SSL? firewall? You're good, bro.) There's this glee when big names get hacked, which is ironic because their own approach is based entirely on the "it won't happen to us" thinking.

  11. kmac499

    MBA Case Study

    Just goes to prove that in many organisations Bullshit Baffles Brains. Of course the simple way to fix this is to make the 'designers' and C<insert letter here>O's personally liable for any loss suffered by their customers.

    I'm just off to have a flying pig bacon butty, washed down by a unicorn milk latte. (Well, it's more believable.)

    1. madscientist42

      Re: MBA Case Study

      Heh... Depends on the company. I've known businesses where you ran this sort of bullshit past their CxO crowd, they'd politely tell the player in question to GFY. I know, if it wasn't myself, it was the CEO doing it. So damn much snake oil, bullshit, and just stupid notions out there.

    2. Anonymous Coward

      Re: MBA Case Study

      Ah, but part of the REAL real job of being C@O is to be able to reassign blame. That's why you got up there in the first place. And if a law threatens to pin blame onto you, you bribe a lawmaker to help defeat it, and if all else fails, threaten to move to a more lenient location.

  12. Paul Hovnanian Silver badge

    Smart Home

    This says it all.

  13. madscientist42

    Most of the IoT things are merely ill-advised. Some of the idiot notions, like those remote control deadbolts...they're bloody fucking stupid, insane, and downright dangerous. You don't want them *ANYWHERE* near any place you own. Period.

    1. Ben Tasker

      Fuck..... I thought you were being sarcastic with remote control deadbolts....

      WTF thought that was a good idea? The whole point in a dead-bolt is you can only unlock them from the side you can physically access them from. If you're going to be able to open from the other side, might as well just use a key-lock.........

  14. kain preacher

    Idiot of Things IoT

  15. Anonymous Coward

    So

    is this the echo chamber or the support group or what?

    1. Anonymous Coward

      Re: So

      Welcome to IoTers anonymous, dear anon.

      (And what exactly was the Samsung refrigerator debacle of 2015? Sounds like a Philip K. Dick notion that went full reality?)


  16. Rusty 1

    Two types of security

    Air gap - for the electronic side of things.

    Gap filled with steel - for the the physical side of things.

    1. Anonymous Coward

      Re: Two types of security

      Three types of security

      You forgot the starving rottweiler

  17. Anonymous Coward

    People WILL care about smart home security when thermostat ransomware turns the heat up in the summer and asks you for money to turn the AC on. Malware-induced heat strokes. The future is going to be weird.

  18. jonathanb Silver badge

    Well why would you want to control your alarm clock from your phone when your phone already has a perfectly functional alarm clock app?

    1. Pookietoo

      RE: already has a perfectly functional alarm clock app

      The phone doesn't have AM radio. Or an eight-track.

  19. Bruce Ordway

    Not only JVPESS

    >> job is to give advice that's routinely ignored or overruled

    Sounds like my function too...

  20. Number6

    Of course, the only reason any of these devices needs to talk to the wider internet directly is because someone out there wants to make money from it. If I've got a home security system, smart Fridge, alarm clock, whatever, I want all the information gathered by these devices to stay within my network, talking to a server under my control within that network. If I want remote access then I'll do it by implementing an ssh tunnel or VPN from the remote device and minimise both the attack surface and the leakage of personal information to third parties.

  21. DerekCurrie

    The Dark Age Of Computing Continues Apace

    Exactly: Almost nobody cares. Technology requires comprehension, which is too difficult for execuTards. Therefore, stupid reigns. And You Can't Stop Stupid.

    This is CLASSIC technology project management HELL. The only way to get things done correctly, very sad to say, is to go TYPE A on everyone and become a Napoleon. That works great in the short term, as long as Napoleon knows exactly what he's talking about AND has people around him who know all the critical details he couldn't possibly keep in his single sized human brain.

    Again world: Technology requires COMPREHENSION. You can't skim through it and survive. You will be metaphorically killed if you go slacker on the job. PAY the experts for their expertise and FOLLOW their expertise to that finish line called SUCCESS.

    Again, for the uninitiated, The Problem Solving Protocol:

    1) IDENTIFY the problem.

    2) CREATE a solution.

    3) ENACT the solution.

    4) VERIFY the solution worked.

    - AND - My own addition -

    5) Keep the marketing people OUT of The Problem Solving Protocol, except as sources of marketing information and advice. NEVER allow them to be in decision positions. If you do, you're gonna have a bad time and so are your customers. Marketing-As-Management is a prime business project KILLER.

    Are you reading me Samsung, Sony, Microsoft, News Corp, Comcast, Google, Oracle, Qualcomm, General Electric...?

    I know Apple understands, another reason why I <3 Apple.

    1. Anonymous Coward

      Re: The Dark Age Of Computing Continues Apace

      "5) Keep the marketing people OUT of The Problem Solving Protocol, except as sources of marketing information and advice. NEVER allow them to be in decision positions. If you do, you're gonna have a bad time and so are your customers. Marketing-As-Management is a prime business project KILLER."

      Well, how do you do that when Marketing stands over you AND has a direct line to the investors?

  22. Mike 16

    Hardly limited to IoT

    Once while working for a Colossal Internet System Component Operation, I happened to run into the CSO (some 12 layers above me in the org chart) and mentioned that I had been surprised to see a particularly bad bit of mandated security procedure. His reply: "I know, but it's not my call". What part of 'C', 'S', or 'O' was being misinterpreted?

    Of course, I got there by being acqui-hired from a startup where the *nix boxes were all pretty locked down, except for this management-mandated requirement that any Windows user could mount any *nix hosted filesystem as any user they wished (selected from a convenient drop-down menu). Because we cannot have people who wear suits more expensive than my car, or the folks who bring them coffee, need to remember their own usernames.

  23. Anonymous Coward

    how does IoT work....

    How does IoT work ...

    When I refuse to give anything the pass code to my router?

    Are they hitch hiking on my neighbour's unsecured router? The one with the terrible download speeds because everyone is downloading movies and leaving the blame to him?

    Does it have a built-in cell phone to phone home periodically? Doesn't that add substantially to the price?

    Is it going to demand to be plugged into my network? Because not only am I NOT going to plug it in, but if I see "Internet connection required" on the box I ain't buying it in the first place.

    How, exactly, does IoT work? How does it phone home?
