FBI tells Jo(e) Sixpack to become an expert in IoT security

Internet of Things users need to become sysadmins, America's Federal Bureau of Investigation says. That's a summary of the Feds' blog post, published this week, in which the agency's Beth Anne Steele wrote that Things are best deployed on their own network, with an off-switch. Steele's post offered a checklist explaining how …

  1. Peter Prof Fox

    Don't use a router provided by an ISP

    With factory-set credentials ready for abuse. (i.e. It works out of the box so no need to bother with difficult things like passwords.) Not to mention some remote management that can't be turned off. Complete with undocumented Fisher-Price interface totally devoid of key settings.

    As IoT things are basically a sealed box with no way of opening the bonnet and having a poke around with a few OS tools, what the hell am I supposed to do when, say, my Mum's security camera stops working for no known reason? Just about the ONLY thing I can do is throttle potential harm at the router.

    1. Anonymous Coward

      'Don't use a router provided by an ISP'

      Great! But some ISPs, including the only one in my region, lock down the router 100%, no passwords will be given out ever etc.... Needless to say air-gapping PCs has become a kind of religion!

      1. Naselus

        Re: 'Don't use a router provided by an ISP'

        "But some ISP's including the only one in my region, lock down the router 100%, no passwords will be given out ever etc"

        In most cases, Wireshark will allow you to pull the ISP account username and password from a router, since the handshake negotiations are usually done in plain text. In fact, this is the only way you can acquire your password info if you have a Sky Broadband subscription.

        1. kain preacher Silver badge

          Re: 'Don't use a router provided by an ISP'

          Not all ISPs use passwords.

        2. SImon Hobson Silver badge

          Re: 'Don't use a router provided by an ISP'

          ... Wireshark will allow you to pull the ISP account username and password from a router ...

          How do you use Wireshark on a DSL connection? It might well work where the ISP presents the interface as an ethernet port or provides a separate modem - but it won't help with an all-in-one router where the sniffing would have to be on the xDSL connection.

      2. eldakka Silver badge

        Re: 'Don't use a router provided by an ISP'

        Great! But some ISP's including the only one in my region, lock down the router 100%, no passwords will be given out ever etc....

        Then put your own router in series with the ISP's router:

        your LAN <-> your (packet filtering firewall) router <-> ISPs router <-> WAN

    2. Paul Kinsler

      Re: a sealed box with no way of opening the bonnet and having a poke around ....

      s/bonnet/botnet/

      ... at least, that's how my brain chose to read it...

      1. HieronymusBloggs Silver badge

        Re: a sealed box with no way of opening the bonnet and having a poke around ....

        "s/bonnet/botnet/"

        UK English: bonnet

        US English: hood

        1. ArrZarr Silver badge
          Joke

          Re: a sealed box with no way of opening the bonnet and having a poke around ....

          "s/bonnet/botnet/"

          English: bonnet

          Gobbledygook: hood

          FTFY.

          1. jake Silver badge

            Re: a sealed box with no way of opening the bonnet and having a poke around ....

            Bonnet is Scots, not English. 14th Centuryish.

            Hood is Old English. Pre 12th Century.

            Botnet is Usenet gobbledygook. Mid 1990s. (I'd give an exact date, but the gookids have fucked up the irreplaceable Deja News archive, thus losing this kind of trivia forever. Those who forget history ... )

    3. ecofeco Silver badge
      FAIL

      Re: Don't use a router provided by an ISP

      Not all ISPs will LET you use another router.

      But that is beside the point. The product should be safe from the factory. THAT'S where the responsibility lies.

  2. veti Silver badge

    Who is this aimed at?

    Let's assume, as a starting point, that the FBI is not completely stupid.

    Then they know no-one is going to do this. This blog post is not so much instructions for users as a checklist for agents investigating what has gone wrong, when it inevitably does.

    I shudder to think what sort of IoT-related shenanigans are going to attract the attention of the FBI in future; but I'm sure it'll happen, if it hasn't already.

    1. Doctor Syntax Silver badge

      Re: Who is this aimed at?

      "Let's assume, as a starting point, that the FBI is not completely stupid."

      It could be an arse-covering move. At some point they might need to turn round and point at this and say "well, we did tell you, it's your fault for not taking the advice".

      Another possibility is that it's a starting point for mandating features and default configurations for stuff to be sold to the public.

      1. ma1010 Silver badge
        Thumb Up

        Re: Who is this aimed at?

        @Doctor Syntax

        Another possibility is that it's a starting point for mandating features and default configurations for stuff to be sold to the public.

        From your mouth to $DEITY's ear!

    2. swschrad

      next, The Ultimate Solution....

      "Hi, we're the FBI. You can't manage your network, so we will do it for you. No problem."

    3. Sir Runcible Spoon Silver badge

      Re: Who is this aimed at?

      Anyone capable of reading, understanding and implementing that list already knows it's missing something from the very top of it..

      -Don't buy it in the first place

  3. GrumpyKiwi Silver badge

    You know it's not often that I wish for a "like" button on anything, but if el-Reg had such a button, then this article would certainly get one "like" from me.

    1. Anonymous Coward

      Continuous product and service improvement

      @GrumpyKiwi

      "it's not often that I wish for a "like" button on anything, but if el-Reg had such a button, then this article would certainly get one "like" from me."

      El Reg used to have something pretty much along those lines. It was labelled "rate this article", valid input was roughly 1 to 10 (maybe 0 to 10, whatever).

      In line with the company's policy of continuous product and service improvement, the people paying El Reg's wages (the readers, without whom none of this would be possible) no longer have "Rate this article", and there's nothing, not even a proper "thumbs up"/"thumbs down" count, to replace it. Can't imagine what caused that to happen, but presumably it was viewed as progress at the time.

      Fwiw, I rate this article 10/10. 11/10 if fuzzy inputs are acceptable.

      1. Huw D

        Re: Continuous product and service improvement

        Uhhh... there's the up and down arrows at the bottom of every post.

        That's your upvote/downvote right there.

        1. Steve K Silver badge

          Re: Continuous product and service improvement

          Those votes are for comments, not the article to which they relate though...

          1. Doctor Syntax Silver badge

            Re: Continuous product and service improvement

            "Those votes are for comments, not the article to which they relate though."

            Nevertheless, comments such as GrumpyKiwi's serve as a proxy for voting for the article.

      2. Mage Silver badge

        Re: Continuous product and service improvement

        All excellent, except I think advertisers, not readers, pay the wages.

        1. John Smith 19 Gold badge
          Unhappy

          "All excellent, except I think advertisers, not readers, pay the wages."

          And you'd be right.

        2. Anonymous Coward

          Re: Continuous product and service improvement

          "I think advertisers, not readers, pay the wages."

          Kind of.

          Think about who provides El Reg's direct income (yes, the advertisers) and who pays the advertisers (the readers and potential readers, directly or indirectly).

          Restore something resembling "Rate this article" and trial it as a proxy indicator for "I'd pay 10p/20p/40p etc for this article" and see how well it works. Might cause a bit of an upset in e.g. the DevOps and "security research" article sectors. Which might benefit lots of people.

          Merry Christmas. You're fried.

          1. Tom 38 Silver badge

            Re: Continuous product and service improvement

            Restore something resembling "Rate this article" and trial it as a proxy indicator for "I'd pay 10p/20p/40p etc for this article"

            So, what? The page loads with no adverts, and then after I click the 40p button, I get 8 adverts back to back?

          2. earl grey Silver badge
            Happy

            Re: Continuous product and service improvement

            "Merry Christmas. You're fried."

            Erm, not yet, but i'm working on it. Happy solstice to you, too.

          3. jake Silver badge

            Re: Continuous product and service improvement

            "Merry Christmas. You're fried."

            Around here, it's probably more along the lines of "Solstice Blessings. We're boiled."

            But ta for the sentiment.

      3. iron Silver badge

        Re: Continuous product and service improvement

        I think the article ratings were removed due to abuse. There were groups of readers who would down rate anything by certain authors without reading them.

        1. LaeMing Bronze badge
          Meh

          Re: Continuous product and service improvement

          "I think the article ratings were removed due to abuse. There were groups of readers who would down rate anything by certain authors without reading them."

          Also, I got the impression that a lot of people were rating the /topic/ of the articles rather than the article itself. So an article about some government/corporate idiocy would get a lot of down votes irrespective of how good it was in response to people's opinions on the idiocy itself.

          1. Sir Runcible Spoon Silver badge
            Joke

            Re: Abuse of rating system

            "certain authors"

            <cough>Orlowski</cough>

  4. jake Silver badge

    Earth to the FBI ...

    .... you are ostensibly advising people who have trouble setting a digital clock. Why do I have a sneaking suspicion that this is just another case of plausible deniability? Covering your ass, by any other name, is still wimping out on addressing the real issue.

    Lot more of that going around than usual since the last general election ...

  5. whitepines Bronze badge
    Holmes

    The way out

    They left out the most important part:

    If you can't handle the above, and have no idea what it means, then don't buy IoT devices. If you do, when they start engaging in illegal activity after being hacked, you're partially to blame for that activity.

    Rather evil? Yes. Necessary? If we want to have something that looks like a functional and somewhat free Internet down the road, quite possibly....

  6. Anonymous Coward

    Is the FBI advice Office Space 2.0? There comes a time...

    Where people just have to learn the hard way. I welcome the meltdown of the net. I honestly think the security and privacy tech apocalypse is now pretty much unavoidable.... Its 11:59:59 on the doomsday clock etc.

    The FBI missive confirms it! We need a reset to stop the sleepwalking to stupidity cycle. Build from the ashes of that. For sure, more Shadowbrokers leaks of NSA crack tools, will lead to total chaos worldwide once more!

    Is this all rubbish by an AC? Maybe... But I wonder what kind of Christmas they're having at FedEx / Maersk and many Hospitals that got hit this year?

    1. kain preacher Silver badge

      Re: Is the FBI advice Office Space 2.0? There comes a time...

      But how is the average Joe going to know? If this was a car with the issues the mainstream media would be all over it. The fact that an industry is so shit that the FBI has to give advice should be all over the news.

      But outside of places like El Reg, where do you hear about the dangers of IoT?

  7. Anonymous Coward

    Maybe the better advice would be don't buy shit you don't need. I know there are occasions where this stuff does make a difference but they are so few and far between that hackers wouldn't bother with them.

    1. kain preacher Silver badge

      Sounds easy enough till manufacturers cram this into everything. It's not easy to buy a 4K telly that is not a smart TV. Why does a fridge need Wi-Fi? Want to buy a security cam? Why does my car need to come with a Wi-Fi hotspot?

  8. MrT

    FBI creates syllabus for 'Home IoT Network Engineer'

    Is that on the list in Oregon yet?

    Sounds like there's a lot of overlap with the CWNP courses. I did CWNA/CWSP ages ago, long before IoT changed from 'Objects' to 'Things', when the flashest device on the WiFi side was probably an HP iPAQ 5550 - sales of Internet-connected tatt might take a tumble if even that lowish level of knowledge was understood. But, companies stick connectivity into everything these days as a way to sell to moneyed tech-fans and bright-eyed wannabes alike, so raising risk awareness like this is necessary. It's only lightly covered even in tech site reviews, though, so the old problem of selling copy, or shifting boxes, will mean proper device security (beyond stating what the headlines are, e.g. "WPA2" and "a/b/n/ac", etc.) will never be a high point on the feature list.

  9. Jeroen Braamhaar
    Go

    I am an IoT security expert

    ...because I know how and where to wield a hammer to smash the damn things, thereby preventing any IoT item from becoming a security hazard.

    ;-)

  10. Herby Silver badge

    Maybe they should also turn off...

    Something that Microsoft calls "Universal plug and pray play".

    All of this "automatic" stuff makes for complacent users that probably don't know better. How many times have you wandered around to find routers with default names?

    Another alternative might be to require vendors that don't keep updating software on their interconnected devices to release it under a GPL type license.

    Then there was the router near my mother-in-law's condo that had its default credentials (and was open). I made a point of adding a password to the administrative access and locking it up to keep it open. It has since gone dark (*SIGH*).

  11. andyp-random-number

    Almost no education

    Schools are teaching less and less technical stuff. There's a lot more to computers than a bit of coding, such as how things work and what the capabilities are. The whole of the internet, from computer/phone to email, dns, to routers and servers etc is a complete black box.

    I've been trying to teach 13 to 15 yr olds computers on a one on one basis (to earn some cash) and not one has known anything technical learnt from school.

    The generation or two that have been taught how to consume computer products (MS Office etc) can play games and do social media but that is where it ends.

    It's fine saying that kids will learn these things when they go on to Uni but so few do it means there is almost no understanding of how the modern world works in a technical way.

    In the past (1980s) my school taught Electronics - details about transistors etc, car engines (i.e. the combustion engine) and adopted the modern tech of computers when it appeared on the scene. The digital world is now in every bit of our lives and yet the further we go down the road of integrating the technology into our lives the less is taught about how it works. I appreciate it is getting more complicated but the idea of expecting Joe Bloggs home user to even listen to tech advice about a camera or router is so far into the world of La La Land that it is pointless.

    Past company bosses would have understood core aspects of their business, a welder would have understood metals, farmers used to understand growing stuff etc.

    Now farmers follow instructions from suppliers and company bosses that run entire businesses on the internet have no idea about the core aspects of running their business. Digital tech is so deeply embedded into our world it should be reflected in school subjects.

    The only focus now is money.

    It'll take a generation at least before this changes and school leavers understand the world around them, but this can only start when schools and attitudes in society change, and that isn't on the horizon yet.

    How many people know or can explain how a calculator adds 1 and 1 using electronics? The most basic calculation we can do is a black art, let alone how the internet works and how to firewall it off and why.

    1. Doctor Syntax Silver badge

      Re: Almost no education

      "I've been trying to teach 13 to 15 yr olds computers on a one on one basis (to earn some cash) and not one has known anything technical learnt from school."

      Selection bias could be at work here - if they learn it at school they're not your target market. But, depressingly, you're probably right.

      The root problem - what's the intersect between teachers and elReg readers and what's the probability of finding a member of it in any given school?

      1. jake Silver badge

        Re: Almost no education

        "what's the intersect between teachers and elReg readers and what's the probability of finding a member of it in any given school?"

        As a sample-of-one testimonial, I'd say there is one ElReg reading educator in an area the size of The San Francisco Bay Area (I'm the only one I've met, ~8 million residents, not certain how many schools there are, several thousand anyway. Note that I don't teach K-12 anymore. Also note that I only teach IT related subjects; I'm more geared to the vocational than the academic).

        Totally useless statistically, but it's a start.

    2. dbtx Bronze badge
      Facepalm

      phase plum

      The girl with the 32GB convertible tablet thing (which ultimately did not get rescued from Win10 because of nonexistent drivers) is 12 and in the 6th grade. Because the school is/has "reasonably modernized", she needs tech for everything and has basically no idea what things really are and barely any idea how to make them do whatever makes them useful. But she's been taught and effectively forced to use Chrome on (I think) Chromebooks and God knows how many Google services/apps. They're selling the kids farther up the river than my own middle school sold us all to Apple by having filled the computer labs and libraries with Mac Classics and sometimes Performas and so on, 25 years ago.

      And why wouldn't they cheerfully take whatever discounts they could? They also got 19" or 21" CRT TVs for free (or at least cheap), mounted up on the wall in every classroom and the library and the lunchroom, all wired into a central playback system with automated poweron/off control. The teachers could wheel the few VCRs on AV carts-- without the few heavy TVs strapped onto them any more-- into any classroom and watch any useful video, whenever... and the students could do morning announcements on camera. And the only catch to cover the cost was that we were all *required* to watch Channel One News for ~11 minutes every day, including (I think) one or two minutes of the same exact commercial advertisements you'd see on any local station. I distinctly remember receiving (or rejecting?) the suggestion that I should be afraid to show my face in public if I was having acne problems, and Clearasil paid far out the ass to get the Channel One people to somewhat forcibly show that to millions of teens.

      So this is hardly new-- though there's a new one leading the pack and the ads are actually now a little bit blockable without going into autistic mode (if you even realize you would want to and you can, but I wonder how well they teach *that*) and of course now there's the constant realtime feedback to the mother ship. She was apparently taught that it was quicker and easier and correct to search Google for home of the huskies rather than to actually use or remember or (God forbid) correctly spell a URL to get to the middle school's site. At least, that's the way she acted-- it's all she could tell me to do when I was just trying to help her find out when a thing was happening.

      The future is a shitty place. Yeah I use GMail for most everything, and that's my choice and my privacy or lack thereof. When I decide to stop, no one can stop me. She has no privacy, no right to refuse, no proper initiation, no advocate (well, besides EFF & friends, I guess), and no clue. I want to go to the district's admin building and make lots of angry noises about how this is NOT teaching kids to use computers or how to survive on the web or how to maintain some dignity outside of the herd, this is merely teaching kids that GIYF-- but it very probably won't help. I kind of already (eventually) learned that lesson from trying to be a die-hard open-source junkie starting 15 years ago:

      Nobody Cares.

  12. adam payne Silver badge

    Some useful advice there but are the people that buy these things going to take any notice of it.

  13. Naselus

    In fairness to the FBI

    Many modern routers - even default ones from ISPs - are now dual-band and default to creating two wifi networks, so it's not quite as unthinkable that Auntie Maud might be able to run her wifi light switch on 2.4GHz and her actual internet connection on 5GHz.

    Also, the majority of outright technophobes appear completely disinterested in IoT stuff, so the average IoT punter is probably considerably more technical than the average population. Probably not technical enough to understand things like 'put it all in a DMZ' but bright enough to find the admin interface and change a password on it if instructed to do so.

  14. CrazyOldCatMan Silver badge

    DHCP

    that two DHCP servers on the same network is … difficult

    I think that's a little harsh - especially when the advice is to run the IoT *on a different network*. Thus neatly avoiding the problem[1] of two DHCP servers on the same network...

    [1] Which isn't actually a problem at all if you want them to be serving the same ranges - my home DHCP setup has two DHCP servers, each serving half the scope. One is configured to delay more than the other so the quicker responding one is almost always going to respond. And, since I do have a second network for guests and IdiocyOfThings devices, the DHCP servers all have another virtual network card on that separate network, both serving half the range on that network in the same way as they do my live network. And the IoT network has *no* access to my live network since my firewall also has a virtual adaptor on that network and rules to prevent traffic from leaking across... (and allowing DNS access to the IoT network and the DNS used won't resolve any internal addresses on my other internal network ranges). Slightly OTT for a home setup but I had some fun building it...
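
Editor's note: the two arrangements sketched in this thread - eldakka's "put your own router in series with the ISP's router" and CrazyOldCatMan's separate IoT segment that can reach DNS/NTP but never the trusted LAN - come down to a short forwarding policy on the inner box. The ruleset below is an added example, not posted by either commenter and not taken from the FBI checklist; it assumes a Linux router running nftables with three interfaces, `lan0` (trusted LAN, 192.168.10.0/24), `iot0` (IoT segment, 192.168.20.0/24) and `wan0` (the link towards the ISP's router), and that this box is the DHCP, DNS and NTP server the IoT devices are handed. Interface names and subnets are assumptions; rename them for your own kit.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): inner router sitting between the trusted
# LAN, the IoT segment and the ISP's router. Interface names and subnets are
# assumptions.
flush ruleset

define LAN_IF  = "lan0"            # trusted LAN
define IOT_IF  = "iot0"            # IoT segment
define WAN_IF  = "wan0"            # uplink to the ISP's router
define LAN_NET = 192.168.10.0/24
define IOT_NET = 192.168.20.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # The trusted LAN may talk to the router itself (admin UI, ssh, DNS, DHCP).
        iifname $LAN_IF accept

        # IoT devices get exactly three services from the router: DHCP, DNS, NTP.
        # Everything else they try against the router is dropped and counted.
        iifname $IOT_IF udp dport { 67, 53, 123 } accept
        iifname $IOT_IF tcp dport 53 accept
        iifname $IOT_IF counter drop

        # Nothing initiated from the ISP side reaches this box.
        iifname $WAN_IF drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Return traffic for flows the rules below allowed (so a LAN browser
        # can view the camera, and IoT cloud sessions get their replies).
        ct state established,related accept
        ct state invalid drop

        # LAN may initiate towards the Internet and towards IoT devices.
        iifname $LAN_IF oifname { $WAN_IF, $IOT_IF } accept

        # IoT may initiate only towards the Internet. The explicit counter rule
        # is redundant with the drop policy but makes leak attempts visible in
        # `nft list ruleset`.
        iifname $IOT_IF oifname $WAN_IF accept
        iifname $IOT_IF ip daddr $LAN_NET counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Both inside segments hide behind this router towards the ISP box
        # (double NAT, which is the price of the series arrangement).
        oifname $WAN_IF masquerade
    }
}
```

Load it with `nft -f iot-segmentation.nft` and check the counters after a day; a non-zero count on the `ip daddr $LAN_NET` rule is a device probing the inside. Two things the ruleset cannot do for you: the "DNS that won't resolve internal names" property has to come from the resolver (a separate view or a listener bound only to the IoT interface), and if the ISP router delegates an IPv6 prefix the `inet` filter table still applies but there is no masquerade, so give the IoT segment no global prefix or add the same forward restrictions for `ip6`.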

  15. big_D Silver badge

    Rules of IoT

    1. don't use IoT devices on your network.

    2. if you need to use IoT devices, see rule 1.

    1. mbiggs

      Re: Rules of IoT

      @big_D

      Yup.....let's rewrite the Phil Knight/NIKE advertising slogan:

      *

      JUST DON'T DO IT

      JUST DON'T DO IT

      JUST DON'T DO IT

      JUST DON'T DO IT

      ....

      *

      Cool!!

    2. Patrick R
      Trollface

      Re: Rules of IoT

      You and the FBI talk rubbish. IoT devices are perfectly safe. I asked my friend Vladimir personally. I asked him TWICE.

      He said "yez, ..errr.., dere iz no problm".

  16. DubyaG

    Internet of S***

    I'm in IT and I have that one solved. I have no Internet of S*** devices at home and never will. My wife received an Echo Dot as an office holiday party secret Santa gift. I told her to throw it away.

    1. Tom 38 Silver badge

      Re: Internet of S***

      My wife received an Echo Dot as an office holiday party secret Santa gift.

      Swanky AF! All I got was a mug.

    2. jake Silver badge

      Re: Internet of S***

      "I told her to throw it away."

      Instead, become a hero. Re-gift it to the child of someone you know is going to buy one anyway. Niece or nephew for bonus points in the "cool aunt/uncle" department.

      1. DubyaG

        Re: Internet of S***

        The people that I know that would get such a thing already have one. Besides, I don't want to spread that kind of electronic disease.

  17. Mike 16 Silver badge

    Pray they update?

    And don't forget to pray that none of those updates introduce backdoors of their own.

  18. ecofeco Silver badge
    Gimp

    Same mistake all tech support geeks make

    Every tech support geek thinks users should know as much as they do and they are just stupid if they don't.

    Stop making this assumption. Computers are cool as hell, but really are designed by some seriously deranged people.

    1. Sir Runcible Spoon Silver badge
      FAIL

      Re: Same mistake all tech support geeks make

      "Every tech support geek thinks users should know as much as they do and they are just stupid if they don't."

      Every single one of them? Logic fail. :P

  19. Dinsdale247

    Or is it?

    "The depressing thing is that every single item on this list is necessary and true, and nearly all of it is beyond the home user. It would, however, make a sound syllabus for some kind of certification, if anybody would study it, which they wouldn't."

    How about a certification that vendors need to adhere to that validates their products provide all these items (in a simple, consistent manner)?

    I think we have hit a level of complexity in computers that is far higher than even most "computer people" can handle and businesses have masked that complexity without solving it. The result is unmanageability.

    So we could continue this route, or look at changing the network to something that will protect users' rights. If only someone had suggested a way to do this before...

    https://en.wikipedia.org/wiki/Project_Xanadu

    We should ask Google... er... I mean the Internet governing bodies what they think of that...


Biting the hand that feeds IT © 1998–2019