
We're Surrounded by Billions of Internet-Connected Devices. Can We Trust Them? - tdrnd
https://www.newsweek.com/2019/11/01/trust-internet-things-hacks-vulnerabilities-1467540.html
======
semiotagonal
> But Kennedy's biggest concern at the moment is in the area of automotive
> safety

No doubt. I was pricing out a Mercedes online, and looking through the summary
one of the standard features was "over-the-air updates". That is the last
thing in the world I want. An expensive car shouldn't be acting like an
Android phone. It shouldn't be connected to the internet at all.

If it's updating anything other than the entertainment system, then they're
_completely_ nuts. Get the internet out of my car, I already have a phone for
that.

~~~
JohnFen
> looking through the summary one of the standard features was "over-the-air
> updates". That is the last thing in the world I want.

I agree. Under no circumstance would I buy a vehicle that is connected to the
internet or is capable of wireless communications, unless I could physically
disable that and still be able to use the vehicle.

The industry seems to differ, though, so I pretty much expect that any car I
own in my lifetime will be a rather old one.

~~~
Spare_account
>I pretty much expect that any car I own in my lifetime will be a rather old
>one.

I recently came to this conclusion, for similar but not identical reasons.
Modern vehicles have increasingly complex electronic and mechanical systems
wrapped around the engine to improve efficiency. The complexity is becoming a
risk, in my opinion, due to the potential cost of maintaining the vehicle
beyond 5 years of age.

My usual buy in is around 5 years old, and the cars I have access to now are a
huge liability due to all the additional features that can go wrong (DPF, EGR,
variable vane turbo etc etc).

My next vehicle will be an old, normally aspirated, petrol engine with the
simplest wiring loom I can find.

~~~
eprparadox
not exactly related to the IOT issue in the article, but the actual lifespan
of the drivetrain of these EVs is -really- appealing [0]. unfortunate that we
have to be worried about the peripheral software issues and can't just get the
benefits of the more environmentally friendly and reliable cars

0: [https://qz.com/1737145/the-economics-of-driving-seven-teslas...](https://qz.com/1737145/the-economics-of-driving-seven-teslas-for-2-5-million-miles/)

------
pjc50
I don't think they can be trusted to be either secure or reliable or even
supported. Any of them could be remotely disabled at any time as the parent
company goes out of business.

On the other hand, at the moment they're mostly in frivolous devices. As they
become ubiquitous this is going to demand EU-level intervention, just like the
existing WEEE directive against lockout chips on printer cartridges.

Americans will be stuck with _caveat emptor_ levels of consumer protection.

~~~
jodrellblank
caveat the neighbour of the emptor, whatever that is in Latin.

Your neighbour’s video doorbell will have the easiest time picking up on your
face, but your neighbour’s cloud WiFi AP will surely see your WiFi devices
coming and going in WiFi range through the day, and how long will it be before
Siri is listening to your upstairs neighbor’s footsteps and telling you
they’re unusually quiet for this time of the week and maybe you should check
on them in the mandatory gig economy of social care?

~~~
SilasX
>caveat the neighbour of the emptor, whatever that is in Latin.

For anyone who's curious, I think that would be "Caveat vicinus emptoris". I
only mention it because that should be its own thing, to "beware of spillover
from stupid consumers".

------
CapitalistCartr
IOT devices use standard, commonly available boards and chips, which are meant
for widely varied applications, so offer wifi/Internet connectivity easily. So
companies can add that "feature" painlessly by applying a snippet of (usually
OSS) code. And collecting all the customer data they can is a bonus. No
penalty of zero security, major upside if they sell it.

This is dangerous to all of us, even if you don't own any IOT devices.

~~~
wil421
My brother and father-in-law bought a bunch of cheap WiFi security cameras off
of Amazon. People online were complaining they phone home all kinds of stuff to
Chinese IPs. My father-in-law's other cameras are Nest, which phone to Google,
but it's a selling point.

I was going to put the Chinese cameras on a subnet but I don't want to
complicate his network. My father-in-law has 3 routers with 3 WiFi networks
competing with each other: office, living room and outside, but that's a story
for another day... at least I got him to replace it with a UniFi AP.

I like UniFi protect because all the data stays at my house and their cameras
are strictly no subscriptions.

~~~
blacksmith_tb
I have three Wyze cams, which pretty much fit the bill of "cheap WiFi security
cams which phone home to Chinese IPs". Though you can flash them with other
firmware, if you want to control that. Personally, being in the US, I am less
worried about Chinese companies sharing my data with US corps or government
agencies (that doesn't seem too likely, somehow) but I would certainly be more
nervous if I lived in the PRC. I suppose there's still the possibility they
could be compromised to try attack other machines on my network, but those
aren't wide open.

~~~
jandrese
Maybe it wouldn't be a bad idea to blackhole those IP ranges on your router?
Maybe you're not afraid of the PRC company directly, but who says they aren't
going to try to make a buck selling your data to whomever asks?
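
The two points above (cameras seen phoning home, and blackholing the ranges they talk to) can be checked from the router's own firewall logs. The following is an added example, not code from anyone in this thread: it reads constructed iptables-style LOG lines, lists every non-LAN destination each supposedly LAN-only device contacted, and renders nftables drop rules for the surrounding ranges. The log format, device inventory, addresses and the `inet fw` table name are all assumptions.

```python
"""Check router firewall logs for 'LAN-only' devices that phone home.

Added example, not code from the thread. It parses constructed iptables-style
LOG lines (the format, device names and addresses are all made up), lists the
non-LAN destinations each supposedly LAN-only device contacted, and renders
nftables drop rules for the surrounding ranges.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of kernel LOG output with prefix "FW-OUT:"; not real traffic.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# public internet addresses.
SAMPLE_LOG = """\
Oct 25 10:00:01 router kernel: FW-OUT: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP DPT=554
Oct 25 10:00:05 router kernel: FW-OUT: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 PROTO=TCP DPT=443
Oct 25 10:00:09 router kernel: FW-OUT: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.23 PROTO=UDP DPT=123
Oct 25 10:00:10 router kernel: FW-OUT: IN=br0 OUT=br0 SRC=192.168.1.50 DST=224.0.0.251 PROTO=UDP DPT=5353
Oct 25 10:01:12 router kernel: FW-OUT: IN=br0 OUT=eth0 SRC=192.168.1.51 DST=192.168.1.10 PROTO=TCP DPT=554
Oct 25 10:02:40 router kernel: FW-OUT: IN=br0 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.7 PROTO=TCP DPT=443
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)(?: DPT=(?P<dport>\d+))?"
)

# Inventory of devices the owner believes never leave the LAN (constructed).
LAN_ONLY_DEVICES = {"192.168.1.50": "cam-driveway", "192.168.1.51": "cam-porch"}

# Destinations that do not count as "phoning home": RFC 1918, link-local,
# loopback, multicast (mDNS/SSDP discovery) and limited broadcast.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8",
)]

def is_local(addr_text):
    addr = ipaddress.ip_address(addr_text)
    return (addr.is_multicast or addr == ipaddress.ip_address("255.255.255.255")
            or any(addr in net for net in LOCAL_NETS))

def parse_log(text):
    """Return (src, dst, proto, dport) tuples; lines without a flow are skipped."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            dport = int(m["dport"]) if m["dport"] else None
            flows.append((m["src"], m["dst"], m["proto"], dport))
    return flows

def external_destinations(flows):
    """Map each source address to the set of non-local (dst, proto, dport) it contacted."""
    out = defaultdict(set)
    for src, dst, proto, dport in flows:
        if not is_local(dst):
            out[src].add((dst, proto, dport))
    return dict(out)

def phone_home_report(text, lan_only=LAN_ONLY_DEVICES):
    """Return {device name: sorted ['dst proto/port', ...]} for LAN-only devices seen talking out."""
    report = {}
    for src, dests in external_destinations(parse_log(text)).items():
        if src in lan_only:
            report[lan_only[src]] = sorted(f"{d} {p}/{port}" for d, p, port in dests)
    return report

def blackhole_rules(text, lan_only=LAN_ONLY_DEVICES, prefixlen=24):
    """Render nftables rules dropping the /prefixlen around each offending destination.

    Assumes a table 'inet fw' with a 'forward' chain already exists. Dropping a
    whole range around one observed address is a blunt heuristic; read the
    report first, since some of it (NTP, say) may be traffic you actually want.
    """
    nets = set()
    for src, dests in external_destinations(parse_log(text)).items():
        if src in lan_only:
            for dst, _, _ in dests:
                nets.add(str(ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False)))
    return [f"add rule inet fw forward ip daddr {net} drop" for net in sorted(nets)]

if __name__ == "__main__":
    for device, dests in phone_home_report(SAMPLE_LOG).items():
        print(f"{device}: {', '.join(dests)}")
    print("\n".join(blackhole_rules(SAMPLE_LOG)))
```

Multicast and broadcast are deliberately treated as local so that mDNS/SSDP discovery chatter does not show up as phoning home; the report is meant to be read by a person before any range is dropped.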

~~~
blacksmith_tb
Not a bad idea (unless you flash your own firmware, since then you'd want to
be able to rtsp to them), though I am still fairly skeptical the cams could
intercept much on the network that wasn't encrypted, and that their tiny SOCs
have the horsepower to do much of that...

------
_wldu
Zero Trust. This is a basic network security tenet that was first introduced
in 2010: [https://www.darkreading.com/attacks-breaches/forrester-pushe...](https://www.darkreading.com/attacks-breaches/forrester-pushes-zero-trust-model-for-security/d/d-id/1134373)

------
dsalzman
IOT. The S stands for security.

~~~
freeflight
Some like to call it the IoS, but there the S most certainly doesn't stand for
security [0].

[0]
[https://twitter.com/kcimc/status/1099934485301276673](https://twitter.com/kcimc/status/1099934485301276673)

~~~
choward
Sadness?

------
xyzzy_plugh
> Can We Trust Them?

Of course not.

------
phs318u
We need something like this:

[https://foundation.mozilla.org/en/privacynotincluded/](https://foundation.mozilla.org/en/privacynotincluded/)

expanded to every type of IoT. Imagine a kind of mandatory labelling for any
device with data-capture and/or telemetry capabilities.

------
JohnFen
I think the clear answer to this is "no" on a couple of different levels. I
don't think it's safe to trust that the actual communications are properly
secured, and I don't think it's safe to trust the companies that these devices
report to.

------
forgingahead
No.

/end thread

------
Havoc
Yeah the cheap IoT stuff is just wild. No passwords / weak security is pretty
much the norm

------
ubertakter
No. Next question please.

------
ryeights
Betteridge's law of headlines strikes again:
[https://en.m.wikipedia.org/wiki/Betteridge's_law_of_headline...](https://en.m.wikipedia.org/wiki/Betteridge's_law_of_headlines)

~~~
ZenModeRy
lol nice share

------
moonbug
Betteridge.

------
stopadvertising
Every time I try to buy some device that is LAN only and doesn't talk to the
net, ever, I usually find zero options or a few crappy, expensive choices. Why
anyone would install a camera that then talks to some corporation's cloud is
beyond me; I have zero interest in that.

~~~
ohazi
The problem is that LAN only can't be verified as long as that LAN also has a
route to the public internet. It could be LAN only for the first week so that
it passes your initial smoke test, and then goes on to do whatever it wants.
Or a firmware update could add new mothership pinging features.

If you want LAN only, you really need to put the device on a LAN that is
actually isolated, and use a trusted device to bridge that gap so that you can
shuttle commands and responses from your actual network.

I cobbled together my own system that works kind of like this using a
raspberry pi and hostapd, and it works quite well for most things.
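
The isolated-LAN-plus-trusted-bridge layout described above can be written down as one small policy. What follows is an added example, not ohazi's setup or code: it assumes a Raspberry Pi running hostapd on `wlan0` as an isolated access point for the IoT devices (10.77.0.0/24) while sitting on the home LAN via `eth0` (192.168.1.0/24), with nothing forwarded between the two interfaces. The same declarative rule list drives both a flow evaluator and an nftables ruleset, so the two cannot drift apart. Interface names, addresses, the `iot_bridge` table and the RTSP proxy port are all assumptions.

```python
"""Policy for an isolated IoT segment behind a trusted bridge host.

Added example, not ohazi's setup or code. Assumed layout: a Raspberry Pi runs
hostapd on wlan0 as an isolated access point for the IoT devices (10.77.0.0/24)
and sits on the home LAN via eth0 (192.168.1.0/24). Nothing is forwarded between
the two interfaces; the Pi is the only party that talks to both sides, so every
command and response crosses through it. All names and addresses are made up.
"""
import ipaddress
from dataclasses import dataclass

IOT_IF, IOT_NET = "wlan0", ipaddress.ip_network("10.77.0.0/24")
LAN_IF, LAN_NET = "eth0", ipaddress.ip_network("192.168.1.0/24")
PI_IOT_ADDR = ipaddress.ip_address("10.77.0.1")      # Pi on the IoT side
PI_LAN_ADDR = ipaddress.ip_address("192.168.1.20")   # Pi on the home LAN
BROADCAST = ipaddress.ip_address("255.255.255.255")

# Declarative accept rules for the Pi's input chain:
# (ingress interface, protocol, port, allowed source net, required destination).
# None means unconstrained; DHCP discover arrives from 0.0.0.0 to 255.255.255.255,
# so it cannot be pinned to the IoT subnet and the Pi's address.
ACCEPT = [
    (IOT_IF, "udp", 67, None, None),              # DHCP for IoT clients
    (IOT_IF, "udp", 53, IOT_NET, PI_IOT_ADDR),    # DNS served by the Pi
    (IOT_IF, "tcp", 53, IOT_NET, PI_IOT_ADDR),
    (LAN_IF, "tcp", 22, LAN_NET, PI_LAN_ADDR),    # SSH from the home LAN
    (LAN_IF, "tcp", 8554, LAN_NET, PI_LAN_ADDR),  # hypothetical RTSP proxy run on the Pi
]
LOCAL_ADDRS = {PI_IOT_ADDR, PI_LAN_ADDR, BROADCAST}

@dataclass(frozen=True)
class Flow:
    iif: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int

def flow(iif, src, dst, proto, dport):
    return Flow(iif, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport)

def decide(f: Flow) -> str:
    """Evaluate a new (not yet established) flow the way the rendered ruleset would."""
    if f.dst not in LOCAL_ADDRS:
        # Anything not addressed to the Pi itself would have to be forwarded, and
        # the forward chain drops everything: IoT -> internet, LAN -> IoT, IoT -> LAN.
        return "forward: drop"
    for iif, proto, dport, src_net, dst_addr in ACCEPT:
        if (iif, proto, dport) != (f.iif, f.proto, f.dport):
            continue
        if src_net is not None and f.src not in src_net:
            continue
        if dst_addr is not None and f.dst != dst_addr:
            continue
        return "input: accept"
    return "input: drop"

def render_nft() -> str:
    """Render the same policy as an nftables ruleset (load with `nft -f`)."""
    out = [
        "table inet iot_bridge {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iifname "lo" accept',
        "    ct state established,related accept",
    ]
    for iif, proto, dport, src_net, dst_addr in ACCEPT:
        parts = [f'iifname "{iif}"']
        if src_net is not None:
            parts.append(f"ip saddr {src_net}")
        if dst_addr is not None:
            parts.append(f"ip daddr {dst_addr}")
        parts.append(f"{proto} dport {dport} accept")
        out.append("    " + " ".join(parts))
    out += [
        "  }",
        "  chain forward {",
        "    # no path between wlan0 and eth0, and no NAT: IoT devices cannot reach the internet",
        "    type filter hook forward priority 0; policy drop;",
        "  }",
        "}",
    ]
    return "\n".join(out)

if __name__ == "__main__":
    print(render_nft())
    for f in (flow("wlan0", "10.77.0.23", "203.0.113.7", "tcp", 443),
              flow("wlan0", "10.77.0.23", "10.77.0.1", "udp", 53),
              flow("eth0", "192.168.1.5", "10.77.0.23", "tcp", 554)):
        print(f, "->", decide(f))
```

The Pi's own outbound traffic is left at the default (no output chain), which is what lets it fetch streams from the cameras and relay them to the LAN; the devices themselves get DHCP and DNS from the Pi and nothing else. Setting `ap_isolate=1` in hostapd.conf additionally keeps the IoT clients from talking to one another over the air.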

