
IoT Growing Faster Than the Ability to Defend It - doener
https://www.scientificamerican.com/article/iot-growing-faster-than-the-ability-to-defend-it/
======
Jade_Jet
Can we please stop trying to force everything to be connected to the internet?
I have no issue with those that want to make a smart house, but it seems like
it is increasingly more difficult to find certain quality appliances that are
not connected, televisions as an example.

I find this whole iot thing very frustrating as a consumer.

~~~
nom
The consumer market desires cheap, fast, and push button easy solutions. The
manufacturers have to comply, and due to technological and financial
constraints they opt to open up ports and use fixed default passwords. It's
not going to change until the consumer is aware of the risks, and I can't
imagine that happening soon. We might see 100m node botnets before that.

~~~
TeMPOraL
> _The manufacturers have to comply_

They don't _have_ to do shit. They chose it themselves. IoT market is pretty
much pure marketing/hype creation. Current solutions don't make any sense, and
are pushed to people who don't understand it.

There are deeper problems here though. Current _smartphone_ model doesn't make
any sense either, but this is something even many techies are blind about.
Like apps, a third of which shouldn't exist in the first place, and another
third should be OS-level components. Interoperability sucks because everyone
is trying to make a lock-in business out of their small part in the solution.

But I'm just a grumpy techie myself. Until the world gets its shit together
(i.e. never), I'll continue to build my smart home out of Raspberry Pis and
DIY components, while also telling everyone to avoid _anything_ that's done
over cloud.

------
notzorbo3
The article is taking a rather lax stance against manufacturers with words
like "ability" and "interest":

> The IoT is expanding faster than device makers’ interest in cybersecurity

This is just pure bullshit. It has nothing to do with 'expanding' or
'interest' or 'ability'. This type of security has nothing to do with the
scale at which it is being deployed or growing.

The fact of the matter is that manufacturers are __too cheap__ to provide
decent security. This is a profit problem. And dancing around the issue by the
media is just weak-ass journalism.

The solution is simple: The government holds them accountable for creating
shoddy products. The companies creating these products pay for the damages
done. It's really this simple.

Unfortunately, the U.S. seems to have this completely unhealthy obsession with
keeping the government impotent and companies powerful at the expense of the
people. And not just the American people, but the entire world.

Basically the only hope we have at this point is the European Union.

~~~
jasonkostempski
The solution is simpler and doesn't involve giving more power to idiots: don't
buy shit.

~~~
vkou
I didn't buy any Internet of Shit products.

Unfortunately, my neighbour did, and now his toaster is used as part of a DDOS
attack against a critical piece of internet infrastructure.

How does your solution help?

~~~
jjawssd
This is an amazing problem. There is simply no solution because most people
don't care!

~~~
TeMPOraL
There is a solution, and it's called "government" and "law". No, really. We've
been dealing with people who don't care from the very dawn of civilization.
There's a reason societies always end up creating governments and regulations,
and it's precisely that reason.

------
lifeisstillgood
This is a huge issue. Bigger than huge.

We live in an age equivalent to the great Pollution period of industrial
revolution. Where any crap steam engine or boiler was built as long as its
golden path worked. Boiler explosions killed thousands and damaged businesses
for decades. Smog killed perhaps hundreds of thousands - and only government
regulation reeled it in.

But we have proved awful at building service based global regulations - TTIP
is barely limping now and there is little expectation that "free open global
internet" is going to be rallying cry to save the agreements.

I would like to see a framework where the user owns root and so is responsible
for the upkeep but the manufacturer is obliged to provide ten years worth of
patches for anything sold - or provide funding to an open development process
to supply patches and updates.

------
kbaker
Does anyone know if there are ongoing efforts to rein this in? Like a
standards working group for a UL-like certification process for IoT security?

Maybe a group like the Linux Foundation or Core Infrastructure Initiative
could take this on and lay out some goals for IoT manufacturers to aspire to
(product update guarantees, secure communication, secure coding practices,
signed firmware...)

One of the biggest problems now is the free-for-all nature of developing IoT
products. Though I personally don't see a complete solution unless there is
regulation or a government agency like the FTC steps in. I view this as kinda
similar to bans on other not-immediately-visibly-harmful things like CFCs.

But I don't see them having any traction themselves to get started. I think if
the industry developed a standard certification process they could latch on
and help manufacturers and distributors solve the problem.

------
flukus
It's not like there was no warning; anyone with half a clue knew that security
wasn't good enough, yet people plowed ahead with IoT anyway.

------
phmagic
There should be a government organization currently responsible for data
security. Unfortunately, with the proposed leadership options for the White
House, I don't think this will be a priority. The FCC is too concerned with
rationing out the electromagnetic spectrum. I doubt UL and CE have enough
resources to step up here.

For the device makers who want to provide a secure interface to their cloud
servers, I think platform and infrastructure providers should set out an easy
to adopt standard that any device maker can follow. The expectations on
getting a device to market are already so high that small companies typically
do not invest in data security.

The incentive to adopt the security best practices could come from retailers.
Retailers who only stock products with this standard would save on returns /
lawsuits. In the coming year, DDOS attacks are the least of their worries if
hackers can commandeer devices that see into people's homes and monitor
people's lives.

~~~
maxerickson
ISPs could provide seed funding for UL to spin up a certification for
connected smart devices. They certainly have the resources and are kind of
mixed up in the problem already.

------
TuringNYC
Many manufacturers incur liability for their products' defects. How do IoT
manufacturers get away without incurring such liability? Is it because the
EULAs users sign are airtight? Is it because they are overseas companies? Is
it because they are small and would just close up shop if they got sued? Is
each incident so tiny that it does not make sense to sue (what about class-
actions or ultimate-victim-initiated actions?)

Not that I'm proposing litigation as a solution here, but I don't understand
what makes IoT manufacturers so different.

~~~
user5994461
They are no different. It's just that no one has sued yet.

Wait for an attack to brick the vulnerable IoT devices and then the class
actions will begin :D

------
phmagic
The horizontal progress indicator on this page is funny (a blue strip on the
bottom if you look). It looks like it's moving from left to right to meet the
scroll bar which is going from top to bottom.

Several online publications have used this web design pattern and it confuses
me. What's wrong with looking to the scroll bar position to know how much text
is left on a page?

------
CommanderData
Routers should be adapting to growing IoT. The ability to easily prevent
Internet access or access to certain country IP pools like China. A really
easy way to manage routers e.g. through an app will help mitigate the threat
somewhat. But it would require a unified API of some sort and not installing
CF.

~~~
icebraining
Routers are themselves often easily hackable and turned into malware launching
nodes. Expecting router manufacturers to help us is a pipe dream.

~~~
TeMPOraL
Routers are a joke. Did I ever tell how my current solution at home fetches
the DHCP leases (to get the list of devices connected to the network)?

Basically, to access the data you need to send an auth token along with the
request. How can you get such a token? By logging in, of course. Or, by firing
your request anyway, which will cause the router to return you an error page
with _a cookie containing the auth token you need_.

That's just... ¯\_(ツ)_/¯.

------
edoceo
Couldn't a smarter home router solve a lot of this? Only allow reasonable
outbound traffic to a whitelist? Or black hole a lot of the internet for
untrusted devices?
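The per-device egress allowlist that CommanderData and edoceo describe, as an added example that is not part of this thread: a default-deny policy for untrusted LAN devices, a black-holed range applied regardless of allowlist, and an audit pass over constructed flow-log lines. All MAC addresses, networks and log lines are made up for illustration.

```python
"""Per-device egress allowlist for untrusted LAN devices (constructed example)."""
import ipaddress

# Constructed policy: each untrusted device may only reach the listed
# (destination network, TCP/UDP port) pairs; everything else is denied.
# MACs, addresses and log lines below are made up for illustration.
POLICY = {
    "aa:bb:cc:00:00:01": [("203.0.113.0/24", 443)],  # thermostat: vendor cloud only
    "aa:bb:cc:00:00:02": [("0.0.0.0/0", 123)],       # camera: NTP only, no cloud
}
TRUSTED = {"aa:bb:cc:00:00:ff"}  # laptop: unrestricted
# Ranges black-holed for every untrusted device, whatever its allowlist says.
BLACKHOLE = [ipaddress.ip_network("198.51.100.0/24")]

def verdict(mac: str, dst_ip: str, dport: int) -> str:
    """Return 'allow', 'deny' or 'blackhole' for one outbound flow."""
    if mac in TRUSTED:
        return "allow"
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in net for net in BLACKHOLE):
        return "blackhole"
    for net, port in POLICY.get(mac, []):  # unknown device -> empty allowlist
        if dst in ipaddress.ip_network(net) and port == dport:
            return "allow"
    return "deny"  # default deny: no other egress for untrusted devices

def parse_flow(line: str):
    """Parse a constructed 'mac=... dst=... dport=...' flow-log line."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return f["mac"], f["dst"], int(f["dport"])

def audit(lines):
    """Pair each flow-log line with its verdict; 'deny' and 'blackhole'
    hits are the events worth alerting on."""
    return [(line, verdict(*parse_flow(line))) for line in lines]

SAMPLE_LOG = [  # constructed flow-log lines
    "mac=aa:bb:cc:00:00:01 dst=203.0.113.10 dport=443",  # thermostat -> vendor API
    "mac=aa:bb:cc:00:00:01 dst=192.0.2.7 dport=23",      # thermostat -> telnet, odd
    "mac=aa:bb:cc:00:00:02 dst=198.51.100.9 dport=123",  # camera -> black-holed range
    "mac=aa:bb:cc:00:00:03 dst=192.0.2.50 dport=443",    # device not in policy
    "mac=aa:bb:cc:00:00:ff dst=192.0.2.50 dport=443",    # trusted laptop
]

def flagged(lines=SAMPLE_LOG):
    """Return only the lines that were denied or black-holed."""
    return [line for line, v in audit(lines) if v != "allow"]
```

On a real router the same policy would be expressed as firewall rules keyed on the device's MAC or VLAN; this script shows the decision logic and how the resulting flow log separates expected traffic from a device reaching somewhere it never should.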

------
dev_throw
I think there is a great use case for open source software running on our IoT
devices, where we are cognizant of features, security and the implications of
updates. I predict this will be more commonplace in the next 5 years.

At present, we are so blissfully unaware of what runs on our devices that it
is scary.