
Internet of Crappy Things - kalleboo
http://blog.kaspersky.com/internet-of-crappy-things/
======
swombat
I hate to be running to the government for this, but... the FCC has
regulations that require some level of testing for devices that are going to
use certain parts of the spectrum. Some parts have been declared "free zones"
and I believe that's where the wifi systems tend to operate.

Perhaps we need the FCC to step in there and mandate some basic security
certification for connected devices. At the very least the certifications
should check that:

* The device always uses some form of encrypted communications if at all possible based on what it's communicating with

* If the device implements some form of remote control, that remote control includes both sufficiently secure authentication and authorisation mechanisms to ensure that at least it will take some effort to break into

* The device does not leak personal data to unauthorised or unauthenticated requesters, and provides a clear list of what data will be willingly communicated to whom (software should do that too...)

And so on...

The certification process could/should be implemented by high-reputation
security companies like Kasperski or Matasano...

Until/unless some barrier to entry is erected, I think it's inevitable that
everything that can be connected will be, and that this will mostly be
insecure. In the meantime, I guess the solution is to only buy potentially
connected devices from premium technology companies (e.g. Apple, Microsoft,
Google, Tesla, Nest, etc) - but then, of course, those companies don't sell
everything (e.g. no microwaves, car washes, etc) so that would limit the range
of things you can safely purchase, for now...

On that note, given how corrupt and broken the US system is, perhaps this
needs to start in Europe, where there is already a general mindset of consumer
and personal data protection...

~~~
greggman
I agree with the sentiment but do you really trust the government can actually
audit some giant codebase? The internet of things really includes your
computer and your PS4 and every piece of software on them. It includes your
router and your printer and your IP cam that's basically the same thing as
your router with camera attached.

I don't know what the solution is but I really can't imagine a government body
able to audit all that code in any meaningful way.

I think rather (and please punch holes in this idea) ... maybe fines if
something isn't secure? I can't see how that would work either though. Not
even the big guys have secure software as new issues are found all the time.

Basically it seems like you need to shun companies that get caught which will
hopefully send a message. Also possibly take precautions. Put your internet of
things devices on their own networks etc., don't let them on the net directly,
...?

~~~
tzs
> I agree with the sentiment but do you really trust the government can
> actually audit some giant codebase?

He didn't say that the government would do the code auditing (unless I missed
it). It would be outside firms. I believe they do something similar for
certifying hardware. The FCC certifies outside hardware testing labs as being
qualified to certify that hardware satisfies FCC requirements. The hardware
makers wishing to gain certification hire one of those labs.

~~~
swombat
Indeed... the government can't even audit their own code, let alone someone
else's!...

~~~
tptacek
The government _does 't_ audit their own code; they contract Lockheed, SAIC,
and Raytheon to do that.

------
_cudgel
I continue to fail to see how connecting appliances or small electronics to a
network adds actual value. Simply throwing technology at a thing doesn't
automatically make it better.

Yet, here we are, rushing headlong into the "IoT". We ought to recognize this
for what it is: pursuit of profit from uninformed purchasers.

~~~
eveningcoffee
I think that connecting devices directly to the Internet is great nonsense and
great danger to our privacy and security.

Still it would make sense to have an possibility to connect them to local
network.

~~~
TheLoneWolfling
local network = internet

~~~
eveningcoffee
No, it is rather:

Internet = Second party controlled server,

Local network = Your own controlled server.

~~~
TheLoneWolfling
Your local network is airgapped, then?

Because otherwise it's still internet-connected. If nothing else, the first
person connecting to it with a cell phone is enough.

~~~
eveningcoffee
Yes, sure, but there is big difference between leaking your private data out
of your home and break in.

------
amirmc
The push is that all devices will end up connected as commodity manufacturers
continue to search for 'value-add' services (even if that value is dubious).
In a few years, I wouldn't be surprised if 'smart TVs' were the only ones
available. Security also becomes an afterthought as companies rush to get
products in the market. This is mainly because the components used to build
software rarely take account of security/privacy themselves so it has to be
considered by the developers -- who are rarely trained to handle it.

One approach to this is to build new tools and components that incorporate
security & privacy by design. Discarding elements that are not required for a
particular use case is also beneficial as there's less a hacker can do if they
do manage to get in.

These approaches are captured in ideas behind unikernels, such as MirageOS
[1], which themselves can be part of a larger stack [2]. I work on both of
these and we even put together a contest (Bitcoin Piñata) to incentive a
search for weak spots (and a bit of fun) [3]. I honestly think that only new
software stacks or government regulations can fix these issues. Given mass-
surveillance, I don't hold out much hope for the latter.

[1] [http://mirage.io](http://mirage.io)

[2] [http://amirchaudhry.com/brewing-miso-to-serve-
nymote/](http://amirchaudhry.com/brewing-miso-to-serve-nymote/)

[3] [http://amirchaudhry.com/bitcoin-pinata/](http://amirchaudhry.com/bitcoin-
pinata/) and
[https://news.ycombinator.com/item?id=9027743](https://news.ycombinator.com/item?id=9027743)

~~~
jknightco
\- "In a few years, I wouldn't be surprised if 'smart TVs' were the only ones
available. "

To your point: when I purchased a new TV last year, the only available "non-
Smart" models were of generally inferior quality to the Smart models, from
picture quality to physical design. I ended up purchasing one simply because
it was the best TV at its price point—I had no interest in the "Smart"
features.

~~~
Torgo
My TV isn't even "smart" but it has a USB port used for doing system updates
(there's been exactly one in years.) I did some very basic investigation on
the firmware update and could see it had busybox. It got me thinking. I'd
settle for a TV where the firmware could be replaced.

------
tsotha
I'd rather not have everything I own connected to the internet. My appliances
do everything I want them to do already.

It's not just about hacking, either. It would be pretty easy to chart
someone's routine if you knew every time he used something electronic.

~~~
Sir_Substance
Not only would I prefer not to have everything connected to the internet, I
believe it's imperative.

In my first IT class at high school, my teacher told me something which has
stuck with me as a golden rule of computer security:

If you want to make a computer 100% secure, you should unplug all the cables,
drop it in a vat of cement and then drop the entire block into the Mariana
trench.

He's right, but that's some next level security. However, a more usable tenant
of security is that devices should be smart enough to do their job, and no
smarter. Connecting your fire alarms to the internet will, at some point,
result in someone setting all your alarms off at 2am just to fuck with you.

The flip side is that if you're at home, you'll hear the alarm before you hear
your phone, and if you're not at home then as long as it calls the fire
brigade ASAP what different does it make if you get an alert on your phone?

Why bother connecting it to the internet at all?

~~~
confiscate
"Connecting your fire alarms to the internet will, at some point, result in
someone setting all your alarms off at 2am just to fuck with you."

I disagree. The "at some point" argument can be applied to anything. Having a
smartphone connected to the internet will, at some point, result in someone
hacking into your phone and calling 911 using your phone number, tens times a
day. At some point, it's going to happen to someone.

By your argument, we should ban smartphones because they are not 100% secure.
Phones should just be phones, and web browsers should be separate devices.
Phones should not be internet accessible because then they can be hacked into.

~~~
Sir_Substance
>By your argument

It's a shame we still have illiterates in this day and age, truly a black mark
on modern education.

To review: my argument was that we should make devices no smarter then they
need to be.

Phones gain tangible benefits from being smart. Do kettles gain tangible
benefits from being smart?

~~~
confiscate
Let's not make personal attacks here. Focus on the issue, not the person.
Whether or not I am illiterate is not what we're debating here, and quite
frankly, is none of your concern for the sake of this thread.

Back before smartphones became popular, everyone I knew used to make the same
argument for phones. "Do phones gain tangible benefits from being smart?"
"Sure, you can check email on your phone, but I can do that at home--I don't
want to check email on my phone" "I'd rather have a small flip phone than a
huge PDA--too bulky to fit in my pocket."

If Steve Jobs held the same attitude, smartphones wouldn't be the industry it
is today. It would still just be an idea, being dismissed as "a toy" and not
useful

Have you used a kettle that is smart? I assume you must have given the
conviction in the way you dismiss IoT as not useful. What pros / cons have you
experienced from using a smart kettle that led you to dismiss it as being not
useful? Was the smart kettle you were using designed well? How could it have
been improved?

~~~
Sir_Substance
>Let's not make personal attacks here.

I was calling you out on the worlds most obvious straw man. Would you rather I
just call you a liar, instead?

>Have you used a kettle that is smart? I assume you must have given the
conviction in the way you dismiss IoT as not useful.

It's not a sensible funding allocation decision to attempt to make everything
smart on the off chance that it might make it better. Smart pegs? Smart
carrots?

Generally, in the real world, we theorycraft before we invest using that
miracle of nature, our ability to model and predict the future in our heads.

Provide for me a tangible way that a kettle might be improved by being made
smart, because my theorycrafting is coming up blank.

I'm willing to be shown wrong, but I will compare any benefits you vision
bestows against any downsides it may introduce.

Amaze me.

~~~
confiscate
> I was calling you out on the worlds most obvious straw man. Would you rather
> I just call you a liar, instead?

I'd rather you not call me anything. As I said, it doesn't matter who I am.
That's not the issue I'm interested in.

Likewise, I have not called you any names--I care only about the arguments you
make.

> in the real world, we theorycraft before we invest using that miracle of
> nature, our ability to model and predict the future in our heads.

That is my point. If we only invest in making anything we can predict will
succeed, and avoid potential failures, a device like a smartphone would not
have existed, because I was there when companies like Apple tried to launch
PDAs like the Newton, and the world did not care. Based on prediction,
smartphones would not gain traction in the consumer market. And yet, the
iPhone made that happen

Same for iPods--"Hundreds of dollars for a music player? Everyone would get a
$30 sony". It was only with a lot of conviction pushing a "theoretically
blank" idea, that the smartphone industry became what it is today.

If we only invest in things that seem "not dumb" in "theorycraft", a lot of
the successful startups today would not exist. Success requires experimenting
on things that may not seem obvious at first.

> Amaze me.

1\. I don't need to amaze you. You as an individual are not that important.

This is especially true if you are the type of person who sits and waits to be
amazed. The most important people in the world go out and amaze others, as
opposed to waiting to be amazed by others

2\. Ideas are not dumb until they are proven good. They are ideas until proven
wrong. You don't get to dismiss an idea with near-certainty that they are
"dumb", until you've actually tried it out yourself and can prove that it
doesn't work.

> I'm willing to be shown wrong

That is not true. Someone who is willing to be shown wrong, would encourage
others to try new ideas, even ones that are not apparent successes "in
theory", or "dumb"

From the conversation so far, it sounds like you are not supportive of
investing in ideas that are not proven in theorycraft. Based on the
conversation alone, and the trust you put in theorycraft, it does not look
like you want to be proven wrong.

~~~
Sir_Substance
>I'd rather you not call me anything. As I said, it doesn't matter who I am.
That's not the issue I'm interested in.

Actually, argumentative technique is extremely important. Arguments only work
as a method of changing peoples minds if neither side cheats.

------
sgentle
I wonder if this might be the push that functional programming + formal
verification needs to hit the mainstream.

Compare Erlang, for example, which must have seemed needlessly complex and
theoretical outside of modern super-horizontal-scale computing.

I understand that NASA, the #1 in "if this code breaks we all lose our jobs"
driven development, are big into formal methods. I think applying that same
rigor to smart microwaves wouldn't be such a bad thing.

~~~
amm
The formal verification subject is tricky. For a lot of software (especially
in the web startup world) it is often not possible to hire someone trained in
formal methods to perform extensive checks/proofs on software which undergoes
rapid change as the company pivots every couple of months.

Functional programming alone doesn't give you any guarantees about safer or
more correct software than any object oriented language unless you ruthlessly
exploit its type-system. Even if you do, the specs have to exist upfront and
they have to be correct and stable. One can make the case that isolating side
effects and capsuling them in a controlled structure is "the right thing" to
do, but that alone does not give you any formal verification of your program.

From personal experience I can only say that whenever I brought up formal
verification because of security/correctness concerns, I was immediately shut
down by business, because it's simply too expensive for software that doesn't
control life-critical systems.

~~~
nmrm2
I think with security (and esp. privacy), the problem is more coming up with
the specs in the first place. If you can do that in a reliable way, designing
appropriate static analyses is probably doable.

------
geographomics
Even worse, the same sort of problems apply to SCADA systems, which are
typically controlling much more dangerous or critical equipment than home
appliances, e.g. [http://www.computerworld.com/article/2475789/cybercrime-
hack...](http://www.computerworld.com/article/2475789/cybercrime-
hacking/hackers-exploit-scada-holes-to-take-full-control-of-critical-
infrastructure.html)

------
jhou2
I was hoping to read more about the crappy quality of most "things" in the
Internet of Things (The Nest thermostat is an exception to the rule). To cut
costs, the sensors involved are usually very simple, "dumb", often built
poorly with low quality components and not integrated very well. It's up to
the software, which often isn't written that well either, to compensate. Just
getting the system to work is difficult enough with the budget, time, and
resources available. Never mind securing it. So, welcome to the Internet of
Things that don't work half the time and could probably hurt or kill by
accident.

------
higherpurpose
IoT devices should _not_ be connected directly to the Internet. I don't want
my "smart" lightbulbs to be turned on or off through the _Internet_. I also
don't want them to become yet another way for the NSA to spy on us.

All things that are connected to the Internet can be hacked, let alone things
that come with poor security and from manufacturers that never intend to
update them either. In fact, the plaftform makers for IoT (or governments if
you will) should _require_ manufacturers to update the security
vulnerabilities for 80 percent of users until the end of life. For example, if
80 percent of customers keep the smart lightbulb for 5 years, then that's how
long they should be updated.

So far Google and ARM's Thread protocol for mesh networking between IoT
devices looks interesting and seems focused on security. The devices connect
only through a "gateway" through the Internet (which can be your smartphone).
That feels like the right approach to me.

[http://threadgroup.org/Technology.aspx](http://threadgroup.org/Technology.aspx)

~~~
digi_owl
Even if something is not directly connected to, or reachable from, the net
they can still be a issue.

Consider something like a network printer.

Convenient as heck, but if your PC gets compromised only for a shot while the
attacker may have left a little surprise in the printer firmware. End result
is that even after you fully scrubbed the PC the attacker returns because the
printer is acting as a proxy.

More and more it feels like a no win situation, unless you physically unplug
the router between each time you need to do something online.

~~~
jorgecastillo
>More and more it feels like a no win situation

It feels like this because most people are just not willing enough to spend
the time, effort and money to be secure. The only thing you (as an average
consumer) can't be secure against even if you tried really really hard (why
bother) is a well funded government organization (from any country). Security
threats for everywhere else are more or less manageable if you really want.

------
jessaustin
Presumably the "things" are networked via wifi? In that case I just won't
enter my wifi creds, and they'll remain off the network. Possibly some devices
might be more valuable when networked with each other locally, and the WAP
they use just won't get connected upstream.

Of course the things will still be vulnerable if they just connect
automatically to any visible rogue WAP, in which case maybe one could glue
some lead sheets around the antenna. The only government reaction to this
phenomenon I would welcome would be a requirement for device vendors to
clearly label devices that automatically connect to any visible WAP, or will
only function when connected to the public internet.

Demanding that devices like this be "secure" is silly. Only devices the
firmware of which is regularly, securely updated, which update process is
regularly observed by human beings, can even hope to be effectively secure for
any period. We probably can expect that from POS devices in corporate use. We
probably can't expect that from a refrigerator in some random family kitchen.

~~~
MiguelHudnandez
Some HP printers, P1102w, have wifi cards, and when not associated with an
access point, they will broadcast their own open network. There is no way to
disable this except to open it up and remove the wifi card.

I think some Roku models will also broadcast a wifi access point for the
remote control to connect to.

~~~
jessaustin
Our new Canon all-in-one will optionally run an AP, but it's off by default.
I've seen roku APs before but I guess I just assumed they could be turned off
or secured.

------
tootie
I know these aren't all web-based hacks, but I'm guessing the majority of
connected devices are using http. Simply switching to https everywhere would
remove a huge amount of attack surface for almost no cost.

~~~
0942v8653
This is partly due to the big red warnings you get with self-signed
certificates. Yes, it would certainly help, but to the user seeing a crossed-
out https is worse than a simple http. And the user's perception matters much
more than security does to these people.

~~~
troymc
@tootie didn't say anything about the certificates being self-signed. Later
this year, the new Let's Encrypt CA will make it free and easy to get
certificates.[1]

Moreover, it's my understanding that the default with HTTP/2 is for
connections to be secure.

[1] [https://www.eff.org/deeplinks/2014/11/certificate-
authority-...](https://www.eff.org/deeplinks/2014/11/certificate-authority-
encrypt-entire-web)

~~~
jethro_tell
But then you'd have to update the certs, which an appliance manufacturer isn't
going to do.

~~~
tootie
Only if the appliance is serving requests, not if it's requesting. For a piece
of hardware like a carwash that is running servers, the manufacture should be
maintaining that software routinely anyway.

~~~
0942v8653
My sound system runs an HTTP server.

------
ansible
We're currently working on a consumer device that could well be classified in
the IoT category.

We're pushing hard to put in multiple good layers of security, even though the
hackable potential of the device is low. The amount of personal or otherwise
exploitable information is also low. But that is no excuse to leak anything,
or to allow the device to be taken over by attackers.

The path isn't easy... the library support on many of these embedded platforms
is poor. But it must be done.

~~~
chaz72
Will you have automatic upgrades for the life of the device?

~~~
ansible
That is the plan (it will be Internet-connected).

------
jdhouse4
There are two things that can break IoT, security and fracturing. But security
is a necessary condition for IoT to succeed.

I know Apple has surprised many of the companies that want to work with
HomeKit with its security requirements. I heard from one company that, for
example, was upset that locks cannot be remotely activated. The last thing
anyone needs is their house getting hacked and robbed as well.

~~~
draven
Remotely activated locks? What's the use case for this? Call your girlfriend
when you're locked outside your house and ask her to open the door with her
cellphone?

There seems to be a high risk for little benefit, or perhaps I don't have a
lot of imagination.

~~~
ianhedoesit
I would imagine it was more of the opposite scenario. Rather than calling your
girlfriend when you forget to lock your house, you might want to just lock it
remotely.

~~~
jkestner
That goes back to what someone else questioned: Should we not address the
problem more directly with devices that take action themselves? All we've done
here is move the interface off the physical object. Not much in the way of
actual smarts. Requiring an owner to take action on a smartphone is a
transitional phase.

------
blueatlas
I agree that not every device needs to be connected, and there are security
implications for those devices that could benefit from being connected. IoT
will continue in a big way, and just like the early deys of the Internet,
security solutions will develop. It would have been nice if Kapersky would
have offered something in the way of potential solutions in this post.

------
chiph
Sure, the device you create for IoT is secure today. But in 3 years it may no
longer be.

~~~
alltakendamned
Judging by history, it _will_ no longer be.

------
anotherevan
I'm far more interested in the Intranet of Things than the Internet of Things.

------
blueskin_
This is why outbound filtering on firewalls is just as important as inbound,
especially as manufacturers cram more spy capabilities into everything.

------
task_queue
I can't wait for my dishwasher to report back to KitchenAid about its usage +
the sights and sound it picks up while idle.

