Good idea in principle
Getting manufacturers to comply is another story.
"Too hard" and "afterthought" generally are the terms used when security for IoT devices.
Can we overcome the SOHOpeless security of the Internet of Things at the home and small business level? An Internet-Draft from Ericsson engineer Mohit Sethi suggests so. Sethi's ambitious proposal isn't destined for the hall of internet standards. Instead, it sets out a possible way to get IoT gadgets connected securely to the …
Agreed. I've dealt with IoT devices ranging from sprinkler controllers to thermostats to DVR's to cameras to "smart" MoCA adapters to video streaming boxes. I've yet to see any that have the ability to interface to my main WPA2 Enterprise WiFi SSID backed by a radius server. As soon as IoT crap started showing up, I had to create at least one WPA/WPA2 - Personal SSID for them.
Other than reconfigure their admin credentials (& hope they don't have undocumented other hardwired accounts I can't see), all I know I can in general do is
(1) Have the SSID they log into have a MAC Address white list.
(2) Have the SSID they log into configured so that if the IoT device has to access the Internet then it can't access any computers, and if it does not need to access a computer then it's on a LAN/VLAN that is devoid of any computers/servers. In other words: (a) Be on a LAN/VLAN that no computers/servers are on. or (b) If the IoT device must see an internal computer/server, then have a firewall rule blocking it from accessing the Internet.
"This server could run on the wireless access point, or be an online service on the public internet run by the maker of the gadget."
Therein lays the problem, I have been reducing the need for my custom built IoT systems to communicate with the internet, (in the main weather API calls) and replacing them with locally sensed data. outbound API calls are handled by one server and API responses are evaluated to ensure they conform to the expected response. The problem lays with the unending addiction of device manufacturers to have anything from your printer to the light bulb in the hall communicate with their backend servers. The reason is by and large to collect aggregatable data to sell on.Eliminating that extra income stream from manufacturers wold eliminate much of the attack surface. It was this "calling home" that lead me to build my own devices. relying on manufacturer to continue to secure your long ago bough IoT can opener requires trusting in the company to value your security over share holder value , the later being protected by law. . Got burnt by Synology obsoleting a recently bought NAS. If they do that with thick profit margins on a NAS box what hope for a sub £5 IoT device?
Synology DS209j It was when the security updates stopped i started building devices and branched out into IoT. Open Source NAS software gets updated and continues to be supported. my synology replacement costs about £50 based on a rock 64 sbc That's one advantage of not having shareholder value to consider ;)
> my synology replacement costs about £50 based
I went the opposite way as I'm replacing my old NAS. I built it myself, but I went silly with the components to future-proof and due to scope creep (maybe I can run some VMs on it for the additional services I usually run on my NAS, so yeah I'll put in 32GB ECC RAM...) and it's cost a heap - probably more than buying an off the shelf 8 or 10-bay NAS - but been interesting to do.
Right there is why people should be concerned about IoT.*
Mfg goes down pan, device is bricked, despite the only reason needing to talk to the server is probably to spy on you.
*Along with the usual code monkeys who fling their s**t code onto the devices of course.
The solution fixes the security issues, but doesn't address the lifecycle issues of either vendor/middle-person/device.
But that's ok.
I'm not expecting one solution to fix everything. In fact, it's better this way. A solution that fixed everything would be some thick manual that IoT manufacturers couldn't implement.
While it's a good idea, I can't see it getting traction for a long time.
*lots of rebranded Chinese tat won't use it
*Philips et al might look into it as a "social responsibility" play but will drop it because
**Nerd is needed to implement it
***X and Y don't use it, why should we.
I have a lot (100+) IoT devices in my home. Where I can't run custom firmware on them I run them in isolated networks.
For one which "had to phone phone" I did a MITM "attack" and feed it back 303 and black-hole it. It's happy :)
Options? When thin margins are pushed, there are very few options...
I'm glad to know that you have the technical knowledge to handle your home network in all aspects. You do realize that you are part of the one-in-a-million club, don't you ?
I know just enough about networks to ensure that I can connect my home computers to my NAS, keep a firewalled router to access the Internet, and have all connected PCs, laptops and tablets be able to print on the shared printer. Oh, and ensure that my wife can access the WiFi when she's somehow unconfigured her phone again.
I'm pretty sure that there are a lot of people who don't even know what I know. They are the mass for which a solution must be found, because the blight that is IoT is only going to get worse. Any step towards a solution is a good one in my book.
> We techies often forget that Joe User hasn't a clue or the interest in learning this stuff.
The problem becomes when the only mechanism put in place caters for the lowest common denominator and us techies get stuck having to do it that way too.
I mean, they say "at time of purchase you give to the manufacturer a passcode". Who does that? How is it done? I bet you $100 bucks that it'll be an interface on the checkout's screen, so the BestBuy or other minimum wage person ask you for the code then inputs it on your behalf. And since that's the only way the device will work, you have no option other than announcing to the other people in earshot what the code is, and having the checkout person enter it, possibly being saved in the store's system before going to the manufacturer, if you want to buy the device.
As long as such a system were optional, I'd have less issues with it. But it won't be.
Nobody cares more about your security than you do (ok, possibly your mum). All home routers* already provide a large number of services that the owner never touches so all that is needed is a decent GUI slapped onto the protocol and the owner to get into the habit of zipping their fly. I'm not confident on the last point given the rise in IOT doorlocks but at least for those who do there will be some benefit.
Cloud based security will only be as good as the manufacturer wishes to pay for and many will simply buy-in the service to pass the buck, the resulting centralised systems then become a priority target for evil-gitsTM and TLAs
*Yes, IOT & home routers are generally pants for security updates - that's the underlying problem here.
What does a cheap and insecure gizmo add to anyone's life? A thermostat that can be controlled from the far side of the world, but not from the same room if the internet, server, ISP or anything else falls over. So it is with the rest of the tat. The washing machine can message indicating its progress through the wash cycle, but why bother? I have no need for such fluff and it is a Wi-Fi not spot anyway, it is either washing or finished and if finished it needs an attendant on site. A time switch can turn on lights if I am not there, if I am there I have light switches. So it is with all the not much use functions. The TV could monitor our channel habits, but we almost always use a PVR as the real time or time shift tuner. As for using voice controls, I might have some movement issues, but I can still move and press buttons on a remote. People get paranoid about mobile security, but then invite a pack of uncontrolled spies to come in, one question, why.
If there is a real need, do the job correctly, do not use something out of a Christmas cracker or worse.
The washing machine can message indicating its progress through the wash cycle, but why bother?
I don't understand the appeal of mindlessly throwing so much technology at things which are simple and basic enough for human beings to run reliably on their own wetware. Once you know the wash cycle lasts fifty, sixty or seventy minutes (whatever it is for your machine) that's all you need to remember to be able to predict when it will be done. That's going to hold true for 85% of your household washing needs (more like 99.9% if you're a single bloke).
Two reasons I can think for all these IoT devices. First, it's a fad and manufacturers are afraid that if they don't include the latest and greatest, they won't be able to move their wares even if they implement it in much the same way as slapping a different color paint on it all. In fact, it wouldn't surprise me if we some day soon have IoT paint.
Second, the idea that all this stuff can provide a real, automated household is an interesting and compelling dream. The problem is that there is no way to hold it all together without building it yourself. Most people want to get in their cars, turn the key and go. What they don't want to do is have to build it from scraps and spend all their time maintaining it. We haven't got a Henry Ford of IoT yet. We don't even have a Karl Benz.
> Second, the idea that all this stuff can provide a real, automated household is an interesting and compelling dream.
I have no problem with this dream.
What I have a problem with is the way it is trying to be implemented. That is, introducing 'the cloud' into it all.
There is no need for the cloud for home automation tasks. All that's needed is to use the internet for a communications medium between your in-home server that is managing everything, and whatever communications device you need to use to manage it or receive updates on.
I do not want any management, automation, access, monitoring, security run in the cloud.
...because 'can'. And will until something breaks.
As for the current crop of IoT, they're basically Christmas Cracker novelties: fridges, lights, front door locks, toilet flush, etc. I'm sticking with tradition. Tradition works - we're going back to vinyl, (and VHS tape now I read, but that was also crap, so I'll skip that one!).
I have just 6 Internet Things: a router, 2 phones and 3 laptops. And those alone cause enough problems.
The idea that a vital, fundamental home device such as a lock requires a live connection back to the manufacturer just to work, is insane.
> I have just 6 Internet Things: a router, 2 phones and 3 laptops
> And those alone cause enough problems.
Only 6? You don't have a smart TV, a PVR, a Set top box, a games console or two?
> The idea that a vital, fundamental home device such as a lock
> requires a live connection back to the
> manufacturer just to work, is insane.
Yeah.... I think it hit home to me when all those pets died... (The Petnet SmartFeeder which had a 3rd party server go down rending the feeder useless.)
> I have just 6 Internet Things: a router, 2 phones and 3 laptops.
Do we have a formal definition of IoT?
I ask because I would not consider a laptop, a general purpose computer, as an 'IoT' device.
I always view an IoT device as (usually) an appliance, a limited function device that needs internet connectivity back to specific vendor/product back-ends, to work.
General Purpose devices that can work without a constant, or near constant, connection to the internet, that don't have a specific manufacturer/vendor frequent/constant required connection to, I personally wouldn't regard as an IoT device.
But that's just me, and I know I'm weird.
"Won't be the first time. Just ask anyone who's ever had a music subscription - 99% of those are dead.
How often do you ask dead people about their music subscriptions? I find it generally doesn't come up in conversation.
I look after a part of this at work (Radius infrastructure) and it is not trivial. I can't see being able to get an entire AAA system on home routers being a goer for reasons people have outlined above. BT struggles to get a stable NAT and firewall on their hubs after all.
The principle sounds like a good one though if manufacturers can be persuaded to go along. I think that this might be an area for legislation though. Manufacturers could then be compelled to put a standards compliant authentication system in their toys and also be prevented from using it to harvest/sell personal data.
I make no comment about an internet connected fridge though.
We have a new WiFi standard coming - this is an opportunity. We used to just have a WiFi AP, then "security" promoted a "Guest Network" which is an automatic option on most Wireless AP's these days. Let's add an "IoT network" with direct outside access (rate limited) - this would work with all legacy devices and requires nothing from the IoT cheapskate manufacturers.
It's not perfect but we could have this running tomorrow.
Biting the hand that feeds IT © 1998–2019