
Internet of Things security is so bad, there’s a search engine for sleeping kids - nikbackm
http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/
======
50CNT
I still don't get the Internet of Things.

The mental calculation just doesn't work out for most things. My personal rule
of thumb is:

    
    
      benefitofmeaccessingXremotely(X) - costofotherpeopleaccesingXremotely(X)*riskofthathappening
    

Benefits being low for most things, costs high, and risks...uhmm...nah. Only
exception I can think of is very limited amounts of sensors (eg. is X on?).

What's the benefit of me turning on a gas stove remotely? Almost none. What's
the cost of someone else turning on my gas stove? Really high. How much is the
risk? Way too high.

Then there's smart devices, another component of IoT. But how much smarts do
we actually want? Screens are nice. Making my shower multi touch isn't
(capacitive touch + water = no bueno. Imagine water from hell scenario and no
way of turning it off with your wet hands). Fridge compiling shopping lists
automatically? Neat. Cheap android tablet that comes with a fridge glued to
it? Nah.

The only utility I see is locally connected devices. Using your phone as a
remote. That seems handy. To a certain degree, we have that. Extra points if I
don't need to download an app for everything, because don't you dare tell me
that your blue-tooth on/off switch needs a 15mb .apk. If I gave one about the
14.9mb of branding you're including, I'd download your press kit.

There's some utility in home IoT wudget-thingimabobs, but I'm almost certain
we'll mess it up to no end in our excitement. There'll be some legitimately
useful products coming from it, but most of it will be utterly cringe worthy
in retrospect.

/rant('IoT')

~~~
sorokod
I was around when TV remote controls became popular. Couldn't see what was the
point of them.

~~~
tdkl
I guess what parent meant was that using some "smart" stuff locally (same
room, same house, same LAN) can be useful.

To put your example in the perspective : how much useful would it be to
operate the TV remote over the internet ? Yeah, it sounds cool that I've set
the TV to channel 5, but I'm not there to watch it anyway, so it's kinda
useless. Only thing that is now possible is some other people jerking around
with the remote.

~~~
pjc50
Operating the TV over the internet is useless .. but operating the PVR over
the internet could be very handy. And operating the TV over the LAN from a
smartphone could be handy: scroll through the EPG without disrupting the
current programme.

(I spend an hour this afternoon trying to get tvheadend+Kodi working to do
almost exactly this, to replace my Windows Media Center PVR)

~~~
icebraining
Operating the PVR over the Internet is already obsolete: with IPTV, you can
just "go back" and watch the show. There's no need for each client to record
it, when the provider already has a copy and your device can stream it on
demand. Both of our largest ISPs here in Portugal already offer this bundled
with the TV service.

Same for the EPG: the app offered by my ISP simply downloads it from the web,
no need to connect to my TV.

~~~
pjc50
It seems everyone else already does it like you say, but the "go back" is
usually time-limited. Whereas I still have the 2012 Olympic opening ceremony
on my PVR in nice accessible MPEG2-TS format.

------
saboot
It's much worse than just passive webcams. Some devices which were never meant
to be connected to the internet are out there.

Stoplights? HVAC Systems? Carwashes? Ice Rinks? POWER PLANTS?

Yes!

[https://www.youtube.com/watch?v=5cWck_xcH64](https://www.youtube.com/watch?v=5cWck_xcH64)

EDIT: I looked at his more recent talk from last November ... the situation
has not improved

"115 batshit stupid things you can put on the internet in as fast as I can go
by Dan Tentler"

[https://www.youtube.com/watch?v=hMtu7vV_HmY](https://www.youtube.com/watch?v=hMtu7vV_HmY)

Featuring Spanish Chicken Controls

~~~
elorant
How about smart TVs? Give it a few years and you’ll have hundreds of millions
of TVs with a camera on them exposed to the wild.

~~~
Silhouette
The disturbing thing today about smart TVs in particular is that it's
increasingly difficult to buy a TV _without_ those features. Personally, I
have no interest in them even without the obvious security and privacy
concerns. I want my TV and speakers to be as good as possible at showing
pictures and making sounds, and to accept signals from whatever sources I want
to use in sensible ways. Everything else is just more cost, more scope for
failure, and less future-proofing.

The _really_ disturbing thing about a lot of these IoT devices with sensors
and remote communications in the future will be when they no longer rely on an
explicit Internet connection being provided via the home network, and instead
use some sort of mesh arrangement where they can get online independently and
you won't even know about it. At that point, I think robust laws about both
disclosure and the ability to opt out will probably be necessary.

~~~
rangibaby
Have you considered using a PC monitor instead of a TV? Honestly, their
biggest feature when used as a TV is their lack of "features".

~~~
Silhouette
Unfortunately, PC monitors tend to be missing a few _too_ many features that
really are basic TV functionality -- remote control, sound, large numbers of
switchable inputs (particularly HDMI) on high-end models, etc.

They also tend to be physically smaller but often with a higher native
resolution than TV/movie standards, so not the best fit for efficiently
showing that kind of content.

~~~
golergka
Everything but size is solvable by building a small PC to use it as TV
controller, no?

~~~
kbenson
The cost difference of this theoretical setup is now reaching laughable
proportions (in time, money, or both)

------
miander
I'm not sure how many others share my view but I think that regulation is
worth the benefit to security. I have always been very skeptical of the "but
it'll hurt innovation" claim. Won't it promote innovation in new approaches
for securing low-cost devices? It sure seems nebulous to me, but I am willing
to be convinced otherwise.

~~~
manyxcxi
I wholeheartedly disagree about letting regulators have anything to do with
technology. It moves too fast and has too many interpretations to be codified
into common sense law, leaving just the big pocket corps to write the
regulations just like they've already done everywhere else.

How do you define reasonable security practices? If there's PII, what's
reasonable then? What's reasonable today OAuth, tokens, 2FA was over the top
crazy/impractical/expensive/impossible in 2001. You think there's going to be
a committee evolving this crap every month in perpetuity?

On top of that, if actual harm comes to users of these devices as a result of
these devices then we already have plenty of consumer laws protecting them.
Granted, they're going to have to come up with ways to apply it sometimes and
you're going to have to prove it was that device that allowed the harm, but we
have it.

I will say this though: I'm mostly okay with laws (whether they exist or not
yet) that say that if your negligence or stupidity was the root cause, as a
manufacturer of these goods, you are on the hook for a multiplier of damages.
There are a lot of companies out there that know they are pushing shit to
market in a race to the bottom and then just claim security is hard and they
tried their best when clearly, they knew about an 8 year old bug and shipped
anyway. I'm that case, I'm okay with hitting them hard.

~~~
cstross
> I'm mostly okay with laws (whether they exist or not yet) that say that if
> your negligence or stupidity was the root cause, as a manufacturer of these
> goods, you are on the hook for a multiplier of damages.

Such laws won't work, however, without a regulatory framework that ensures
that -- for example -- click-through EULAs aren't used to lock customers into
sleazy "binding arbitration" agreements that sacrifice their rights in return
for permission to use an appliance they bought in good faith.

It may be difficult for regulators to keep up with specific technologies, but
_much tougher_ consumer rights protection is _essential_ in order to hold
negligent manufacturers responsible, because it's cheaper for the cowboy
manufacturers to hire a lawyer to draft some dodgy contract boilerplate than
it is for them to hire security experts and ship a safe product.

~~~
manyxcxi
I agree with that. I'm much more in favor of punishing harshly when the mess
up happens and could've been avoided but for willful negligence than trying to
write a bunch of catch all regulations before we have a problem.

I think, at least in the US, we need much stronger consumer advocacy laws,
something with teeth that can't be arbitrated down by a group of expensive
lawyers.

We'd have to find a balance though, as we are already way too litigious and
we'd be stifling innovation out of fear of getting accused of negligence.

~~~
LinuxBender
I am a technologist; and yet, I am all for stifling innovation with IoT. The
folks creating these devices are not qualified to make decisions for
themselves or for us.

~~~
manyxcxi
What decisions are they making for you? It's your decision to opt in to their
system by buying. As a technologist you have a good idea how to spot the
crappy ones that can put you at risk- or would just (rightly) assume that
something like an internet connected Elmo is a bad idea. It's the general
population that we have to worry about, as they'll be the ones most seriously
harmed (identity theft is the thing I worry most about any of this) by these
things going awry. They may also not even put things together that some of
these devices could be or are internet connected in the first place, where to
us it's obvious that there must be network connectivity of some sort.

That being said, let the bad actors fail. Let their names get dragged through
the mud, let the big companies sober up after a few too many VTech/Mattel/LG
style failures that make the headlines. Let them either back out of the market
because this shit is hard to keep secure, let them work with someone who can,
or let them triple down and figure it out themselves. We're going to see a lot
of failures, but we'll be better for it.

I've connected my own devices around my house (securely), use z-wave, and
consumer home automation hubs/hardware, as well as some well known stuff like
Nest and Amazon Echo. I don't ever want to go back to NOT having these things.

I've accounted for many of the likely failure points by these very well
regarded manufacturers and I've firewalled my network very tightly, among many
other things. But damn it, I've seen the future and I don't want to go back.
It's too nice, too convenient, and adds too much real value.

It's your decision to buy their goods, no one should be preventing anyone from
trying to enter the market just because you get the heebie jeebies or don't
see the value. Someone else does- or no one else does and they fold up shop.

~~~
LinuxBender
History has shown us that all the the IoT devices are poorly coded at best and
completely un-managed at worst.

It is also assumed that these devices have unfettered internet access. Most of
them can do HTTPS. Either you allow it or you don't. How many Barbie dolls
have been having inappropriate conversations with children that a human would
otherwise be arrested for? How many televisions are feeding audio from
families back to a company? How long is this data saved? Who has access to it?
When must it be destroyed? What legal protections does anyone have against
data abuse? What is deemed data abuse? If it turns out I am being spied on,
what binding agreement do I have with the manufacturer and seller that will
make them feel pain? Are they obligated to give me more than, "We're sorry.
Gosh, we're just so darn sorry."

Sorry, no. These devices need to be recycled before they are ever used.

------
davidgerard
1995: Every object in your home has a clock & it is blinking 12:00

2025: Every object in your home has a IP address & the password is Admin

[https://twitter.com/mcclure111/status/688775402584731649](https://twitter.com/mcclure111/status/688775402584731649)

------
DyslexicAtheist
During a review of W3C WoT & ETSI M2M standards I noticed that security is
totally ignored in these tech-standardization bodies. The standards leave
security as an exercise to the industry and the maker communities (who are not
spending money on security until they have an problem). That said, it's also
not trivial to implement something that at first sight seems straight-forward
like 802.15.4 Security[0][1] without a deep understanding of the security
architecture supported by the underlying platform:

[0]
[http://www.jwcn.eurasipjournals.com/content/pdf/1687-1499-20...](http://www.jwcn.eurasipjournals.com/content/pdf/1687-1499-2006-093830.pdf)
[1]
[https://www.cs.berkeley.edu/~daw/papers/15.4-wise04.pdf](https://www.cs.berkeley.edu/~daw/papers/15.4-wise04.pdf)

Since the web is now getting "engaged" to the devices with CoAP and other
protocols I wanted to create awareness of how bugs can spill over into the
real world and do real damage there. If hacked insulin pumps or baby monitors
don't scare you enough how about hacking a train?
[https://media.ccc.de/v/32c3-7490-the_great_train_cyber_robbe...](https://media.ccc.de/v/32c3-7490-the_great_train_cyber_robbery)
?? (everyone should probably watch this simply because SCADA strangelove guys
are crazy and awesome)

Anyway to counteract the usually very "marketing intensive" tone of IoT groups
on LinkedIn I decided to start this IoT Security group:
[https://www.linkedin.com/groups/4807429](https://www.linkedin.com/groups/4807429)
it would be great to see people from _all_ camps (IoT is a combination of 3
silos: 1) embedded, 2) web 3) infosec) actively contributing with technical
topics in this group. I will keep it open to posts from marketeers but am
heavily policing it for blogspam and remove any posts that are not security
related).

Also I have some ideas about hackerspaces
([http://hackerspaces.org/](http://hackerspaces.org/)) which IMO every city
should have and support. They're needed to propagate knowledge between these
individual camps properly. (my contact details are in my profile in case you
are interested to discuss more offline).

------
api
Most embedded engineer types know nothing about and never think about
security. One example I saw once was an FTP server where the auth commands
worked but were irrelevant. All commands always worked. It passed the unit
tests therefore it was good.

~~~
jlgaddis
I'm not even a developer so I know very little about unit tests but I would
assume that in something with an authentication system you would have a unit
test that verifies that known invalid credentials don't permit access.

~~~
mikeash
It's _extremely_ common to write unit tests that only test success cases but
not error cases. It's pretty much a special case of confirmation bias, as
illustrated by the classic "2-4-6 task" (implemented here as 2-4-8, but it's
the same idea):

[http://www.nytimes.com/interactive/2015/07/03/upshot/a-quick...](http://www.nytimes.com/interactive/2015/07/03/upshot/a-quick-
puzzle-to-test-your-problem-solving.html?_r=0)

You're totally right that you should have a unit test that verifies failure
with invalid credentials, not just success with valid credentials. But a lot
of programmers are not as smart as you are here!

~~~
gardano
I guess my worry is that I don't know what I don't know (regarding security),
but I'm pretty sure there are use-cases that haven't even been defined yet
(insert favourite Relmsfeld quote here).

~~~
mikeash
Security is hard, no doubt, and even careful tests may not turn up all
problems. Not testing your negative cases _at all_ is such a basic failure,
and an extremely common one too.

------
purpled_haze
While I agree this is bad, I think it's a misuse of the term IoT. Webcams have
been around since the 90s.

~~~
jdietrich
The sort of webcams we're describing are very recent. For $50, you can buy a
CCTV camera that includes a network interface and a web server. That has only
been possible for a few years thanks to cheap smartphone-derived SoCs.

The IoT is turning consumers into inadvertent sysadmins. For the first time in
the history of computing, inexpensive consumer products are functioning as
servers. These servers are often dreadfully insecure, e.g. internet-accessible
root access with a default password.

The market for a $50 IP camera is inherently different to the market for an
$800 IP camera.

~~~
woodman
> That has only been possible for a few years...

I had a Linksys WVC11B IP camera like 12 years ago, I don't remember how
expensive it was but it was definitely cheap and targeted consumers for home
use.

------
arthur_pryor
well, that was mostly depressing, but i found the part about mudge and the UL-
like initiative encouraging:

"Peiter “Mudge” Zatko is a member of the high-profile L0pht hacker group who
testified before Congress in 1998, and since he's gone on to head
cybersecurity research at the Defense Advanced Research Projects Agency
(DARPA) before joining Google in 2013. In June, Zatko announced he was leaving
the search giant to form a cybersecurity NGO modelled on Underwriters
Laboratories."

and above that, a section about a similar "consumer reports" style rating
organization. that was also the first time i'd heard of the group i am the
cavalry, which seems like a cool idea (in principle, at least, without really
knowing much about the actual group).

and i understand this objection to that sort of approach:

"It’s not the same quality problem... UL is about accidental failures in
electronics. CyberUL would be about intentional attacks against software.
These are unrelated issues. Stopping accidental failures is a solved problem
in many fields. Stopping attacks is something nobody has solved in any field.
In other words, the UL model of accidents is totally unrelated to the cyber
problem of attacks."

it is a very different problem in a lot of ways, but that doesn't mean that an
approach similar in spirit or presentation is doomed to failure. and i think
it does fit into the broad category of messy consumer information problems
that are hard to solve with specific detailed regulation.

------
abrkn
Brings to mind the Twitter account @internetofshit

[https://twitter.com/internetofshit](https://twitter.com/internetofshit)

------
gengkev
Isn't it common sense to at least set a randomly generated password as the
default one? Especially for something as sensitive as an Internet webcam.

~~~
_pmf_
> Isn't it common sense to at least set a randomly generated password as the
> default one

You're increasing your support cost by a factor of 100 to 500, and that's a
very conservative estimation.

~~~
masklinn
Boo-fucking-hoo? As things stand these devices are dysfunctional or broken,
would you recommend delivering new cars without brakes and brake fluid because
that saves you money?

~~~
_pmf_
> would you recommend delivering new cars without brakes and brake fluid
> because that saves you money?

No, I recommend delivering cars with brakes and brake fluid because that saves
support costs.

------
exogen
I have a Denon receiver with a web interface, which can control everything
over HTTP (volume, source selection, firmware, etc). Of course there's no CSRF
protection, so anyone could just control my receiver by getting me to visit a
page that tried POSTing to 192.168.0.XXX – it would be trivial.

