Standards body wants standards for IoT. Vendors don't care

The Internet Society (ISOC) has added its name to the growing list of groups concerned that insecurity and a cavalier attitude to privacy pose a risk to the Internet of Things (IoT). In a paper published last Friday, ISOC notes that individual threats and vulnerabilities are, in aggregate, what's going to make-or-break the IoT …

  1. a_yank_lurker

    Fridge on the Net

    Many of the IoT ideas are idiotic after about 10 seconds' reflection. The fridge on the net? Why? Hyperconnectivity is excessively risky because many will not be able to properly configure the fridge and the vendor certainly will not do it. People have enough trouble with devices which primarily connect with the net getting them properly configured.

    In many cases I do not buy the convenience argument. To know the stock in the fridge will require constant updating of a database. Often it may just be easier to spend about 5 minutes rummaging through.

    1. Anonymous Coward

      Re: Fridge on the Net

      Some ideas may be good - i.e. a refrigerator that somehow warns me of a failure and inability to keep the proper temperature so my food may be at risk (and me too if I blindly eat it, but it can do it with a local display), or about to expire or expired food - others are utterly dangerous - i.e. a fridge that checks what I buy, eat and sends all that info to someone who will use it "against" me. Just, I'm afraid the driver is the latter, not the former, and to ensure the broadest intrusive and sniffing capabilities, the implementation will be utterly unsecure.

      Actual protocols and networks were never designed for such an "intrusive" level of connections on little attended devices, and we already see the can of worms blindly using them opened in the automotive sector - or just look at SCADA.

      Connected devices could be good - but not the way they are being implemented now. Especially if the main idea is to collect as many data as possible from them, and send them outside beyond user control.

      1. Rich 2 Silver badge

        Re: Fridge on the Net

        I really don't see the point of the IoT thingie. A fridge that can tell you when it goes wrong? That would be an idea except how often does your fridge go wrong? Every 15 years. 10 if it's a really crappy one? It's just not worth it.

        As for re-ordering some milk when you run out - well if you're too bloody lazy to make a shopping list then there's no hope.

        Maybe a toaster that emails you when it pops up? Or a washing machine that ....errrr randomly emails you to tell you to do some washing? Goodness knows.

        1. VinceH
          Stop

          Re: Fridge on the Net

          "Maybe a toaster that emails you when it pops up?"

          Nah... it would also email you to suggest you have some toast. Imagine Talkie the Toaster, but with the ability to spam you with toast suggestions.

          This possibility more than any other is why this Internet of Things nonsense needs to be stopped before it goes too far!

        2. Captain DaFt

          Re: Fridge on the Net

          "A fridge that can tell you..."

          "a toaster that emails you..."

          "a washing machine that ....errrr randomly emails you..."

          No, not you, them, the advertising agencies that want all that lurvly lurvly data about your daily routine, shopping habits, consumption levels of various goods, that sort of stuff so they can sell it to advertisers and marketeers to help them pinpoint target you with ads you don't want or need.

          Also, sell it to your Government, your boss, the local plod looking to pad their arrest records, your ex-spouse, or anybody else that can pony up the cash. All while reassuring you about your "enhanced customer experience".

          Welcome to the goldfish bowl.

      2. BillG
        Megaphone

        Re: Fridge on the Net

        Some ideas may be good - i.e. a refrigerator that somehow warns me of a failure and inability to keep the proper temperature so my food may be at risk

        While that may SOUND good, it's impractical and not needed.

        I have the job of actually speaking to manufacturers as well as people that build things. Home appliance manufacturers tell me that while people are talking about connected appliances they see no compelling PRACTICAL sales advantage.

        Consider the above quote - in truth, refrigerators have something like a 99.9% reliability rate. I'm told the reliability of the electronics to monitor and report the status of the refrigerator is much lower than the reliability of the refrigeration system!

        For that reason, while the major appliance manufacturers may showcase test products, they have no real plans to produce connected appliances in quantity.

        Innovation is actually being driven by insurance companies. They are getting into the act and hiring highly technical, and very expensive, security experts to evaluate the security technology of insurees. In more and more cases they are refusing to insure, which is telling manufacturers that they better get their act together or face financial consequences.

      3. Chris King

        Re: Fridge on the Net

        "Actual protocols and networks were never designed for such an "intrusive" level of connections on little attended devices, and we already see the can of worms blindly using them opened in the automotive sector - or just look at SCADA."

        If the SCADA boys still can't get it right after all these years, why do the IoT crowd think they're going to do any better? Security is an afterthought - if it is even thought about at all - and IoT devices will be so short of memory/processing power, IPv6 or dual-stack operation isn't likely to be an option.

    2. Anonymous Coward

      Re: Fridge on the Net

      The fridge on the net? Why

      Primarily so that somebody can package up the energy demand of a fleet of fridges, and sell that as a demand side response measure. DECC are in love with the idea of "demand side response" as a fix for the electricity system that they have broken, so they're very keen on all of this sort of stuff, although the simple reality is that the value of DSR at the household level is so low that you'd not be interested in changing your behaviour to take part, so it all relies on automation.

    3. Anonymous Coward

      Re: Fridge on the Net, cupboards next

      Fridge on the net, closets and cupboards as well. All are needed to have a complete picture of the consumer, the voter, the worker, the real product.

  2. dan1980

    "ISOC calls on the industry to be fair in how it collects and handles data, transparent in what it intends to do with that data, and to make privacy a design consideration."

    Thanks - I needed that one. Been a lousy day and that was just the pick-me-up I needed.

  3. Voland's right hand Silver badge

    IOT ignoring standards

    I would have ignored them as well.

    It is sufficient to attend one meeting of any of the following working groups to decide to ignore them from there onwards: Constrained Restful Environments, Ipv6 over Low Powered Networks, Routing over 6LoPan.

    If you do not decide to ignore the standards after that there is something wrong with your head.

  4. Fraggle850

    It's going to be a mess

    Unless there is a single, open set of standards.

    The Internet is built on open standards and it works. Home automation, which you could argue is the forerunner of the IoT, has various different protocols and methods, many of which are proprietary. It doesn't work because things don't play nicely together.

    1. Anonymous Coward

      Re: It's going to be a mess

      And the manufacturers won't cooperate because they're fighting to become the standard-bearer, which in their eyes is a zero-sum game. Each has patents and other trade secrets staked in the game, so it must be them to pay off; the inherent exclusivity of their assets means they can't share. Even a compromise will result in winners and losers, so they're all fighting tooth and nail to be on the winning side.

    2. Phil O'Sophical Silver badge

      Re: It's going to be a mess

      Unless there is a single, open set of standards.

      Frankly, I think that standards are irrelevant in this sort of product, the lack of standards isn't the problem.

      If the "Things" are insecure, people won't buy them because of all the bad press.

      If the "Things" are secure, people won't buy them because they're too hard to configure.

      The only security most people are comfortable with is physical lock&key type security. Maybe what we need is some sort of hardware widget, where you buy a box of 100 tokens that are coded to be unique to you, and plug one into a standardized slot on each device in your home. Any devices with the same tokens can communicate with each other. If someone does manage to compromise your token, you just buy a new batch & replace them. It should be possible to make them for pennies.

      1. Fraggle850

        @Phil O'Sophical Re: It's going to be a mess

        > Frankly, I think that standards are irrelevant in this sort of product, the lack of standards isn't the problem.

        But what you propose is another standard, albeit one that uses a physical token. Unless you are simply proposing a single platform/manufacturer solution, in which case there is no interoperability.

        Upvote because I really like your idea, just fail to see how this isn't a standard

        1. Phil O'Sophical Silver badge

          Re: @Phil O'Sophical It's going to be a mess

          just fail to see how this isn't a standard

          You're right, I suppose I am proposing another standard, have an xkcd.

          What I really meant was that manufacturers getting together to define some new secure software interworking standard isn't a solution. The problem here is to make security easy to use, and anything which relies on users pressing buttons, logging in to web-based admin servers, or, tbh, doing much more than plugging the gadget in, is doomed to fail.

          1. Fraggle850

            Re: @Phil O'Sophical It's going to be a mess

            Ha Ha, most apposite cartoon, ta! Standards? You can never have too many...

            Still really like your suggestion though - software security fails so often these days, often in unintended ways long after mass deployment - having a physical token that you control sounds like a good idea, no reason to limit it to the IoT either.

            I guess the only possible flaw might be if the end user details and the token definition were stored in a database that could be hacked. Also, you might well get the kind of social engineering-based hacks whereby a bad actor calls the support line and convinces them that they are their target meatbag, gets all of their current tokens disabled and delivers a fake new set with a fake message from the provider.

            1. Anonymous Coward

              Re: @Phil O'Sophical It's going to be a mess

              "having a physical token that you control sounds like a good idea"

              Until someone finds a way to COPY them. We might as well go back to physical metal keys. They're no better or worse than this proposal.

              The BIG big problem is getting the average man to care about electronic security when they have trouble opening their front door at night. What do you do when your safety depends on a person with the intelligence of a stick? I'd probably pray if I weren't an atheist...

  5. Anonymous Coward

    Internet of Tat

    That is all

  6. Paul Crawford Silver badge

    "lack of security for IoT devices results in a negative externality, where a cost is imposed by one party (or parties) on other parties"

    OK, simple solution - make IoT vendors liable for the consequences of security breaches if any identified flaw is not automatically fixed within 30 days, maybe forcing them to have some insurance policy to cover it. That liability and/or how the premiums are calculated might just focus the idiots design and marketing minds of having a proper development, testing and support process.

    What, then IoT is too expensive?

    Oh dear, how sad, never mind! </Windsor Davies>

    1. Anonymous Coward

      You'll never get such a law in the books. Vendors are smart enough now to use their money and influence to get the ears of legislators.

  7. Pascal Monett Silver badge
    Windows

    They ignore IPv6 ?

    That may actually be a good thing. Might be able to lock all the traffic at the router's firewall then.

    In any case, I have already decided a few years back that I will not participate in IoT. Never will my fridge be connected to the Web, and I will always avoid using my phone to pilot anything in my house.

    Good old hardware switches is where it's at. Makes you move that lardass.

    Now get off my lawn !

    1. Missing Semicolon Silver badge
      Devil

      Re: They ignore IPv6 ?

      Why not? No home LAN has it, so why implement it?

      1. Yes Me Silver badge

        Re: They ignore IPv6 ?

        > No home LAN has it

        What makes you believe that? It simply isn't true. Of course, if you're still stuck in IPv4-only land, you'd have no way of knowing better.

    2. Anonymous Coward

      Re: They ignore IPv6 ?

      "Good old hardware switches is where it's at. Makes you move that lardass."

      Tell that to someone with arthritis...and no one to help them...

      1. Saigua

        Re: They ignore IPv6 ?

        Missed that part of the Martian movie. They have to move too...unless you found the solution for that?

  8. Doctor Syntax Silver badge

    Cause for hope

    If they can't agree on common standards the whole thing might collapse by not giving users what they're daft enough to want. And good riddance.

  9. Anonymous Coward

    IOT is a lot of bedroom ideas from unskilled techies

    Hence lack of security, IPv6 and indeed useful interconnected functionality. They are all just sellable prototypes.

    Why else would you want dedicated apps for heating, lights, fridge, kettle etc all working in different ways, when all you want is a cup of tea when you return to a warm home. You could spend your whole commute telling all these things you are on your way home - so what's the use?

    No backroom inventor is really looking at a hardened, dedicated home control appliance to manage this stuff, and include some kind of open and extensible app-UI for all the gadgets the householder could add. This would have to be regulated in by a party with some global market or regulatory muscle.

    I certainly lose interest fast if I have to manage independent patch cycles and end of life product replacement for things embedded in my house - I am a homeowner not an enterprise datacenter. I certainly don't want my IOT fridge maker to decide next month they are pulling their support to the built-in fixed, irreplaceable shopping list app. That makes it a broken and frustrating appliance even if still operating as a fridge.

    Listen up - IOT and smart home appliances has to have some long term support and direction to be anything other than expensive gimmicks...

    1. Anonymous Coward

      Re: IOT is a lot of bedroom ideas from unskilled techies

      IOT and smart home appliances has to have some long term support and direction to be anything other than expensive gimmicks

      Before that, they need to have some genuine benefit. I'm still struggling to see what the IoT will do for me.

      1. DropBear

        Re: IOT is a lot of bedroom ideas from unskilled techies

        " I'm still struggling to see what the IoT will do for me."

        You and everyone else on the planet, including the manufacturers themselves. None of them could even come up with an idea worth stealing, we're all still stuck at the "teasmade, now on the internet" level...

    2. [a-z][A-Z]*

      Re: IOT is a lot of bedroom ideas from unskilled techies

      And you know this reminds me of the mid 70's when microprocessors started showing up in home workshops, it seemed everyone wanted to build a central home control system, manage the heating, lighting etc. Dreams of course for the most part. It kept me off the streets for a while and I learnt a lot from building and programming my first (and only) central heating controller (8008 with toggle switches 16 LEDs and ex Post Office relays), but of course it never really saw active duty. It strikes me the IoT is another tinkerer's plaything that lets you do cool but ultimately non-essential tasks. Sad the snake oil brigade has already hijacked this stuff.

      Alarmingly, I sound a bit like my Dad who got me the 8008 in the first place and wondered why everyone wanted to build central heating systems when we had perfectly good mechanical switches for that job.

  10. Anonymous Coward

    It's our data, we own it.

    Laws need to be changed to make it clear that data we make, data we generate, data that is us is owned by us, the individual and stealing, piracy, or abuse of that information will be prosecuted to greater extents than that of government or hollywood data.

    Of course for that to happen countries would have to represent the interests of their citizens and stop thinking of them as a resource to be sold to the highest bidder. The recent TPP reminds us that governments listen to business not their citizens or electorate, who need to be managed and kept in the dark.

    1. Fraggle850

      Re: It's our data, we own it.

      Haefen: are you a European court judge? Sounds like you'd have decided against the Safe Harbour agreement that recently came to court too!

      I'm not a massive fan of the European project; it has its (many! innumerable?!?!) flaws, however I've gotta give them some respect for their stance on matters such as Right to be Forgotten and data transfers to the USA. Despite the best efforts of unelected members of the European Commission, European Parliamentarians and their unduly being influenced by lobbyists and all of the related political shenanigans, it still seems that there are decision makers within Europe who are prepared to question the intentions of both business and government to run roughshod over our rights.

      I'm sure that 'Call me Dave' will flub the renegotiations, a convincing case for staying in will not be made and we'll be exiting the EU in 2017. Then the great and the good will be able to make free with our data and send us all off to hell in a handcart.
