Hacker News new | past | comments | ask | show | jobs | submit login
This is why people fear the Internet of Things (krebsonsecurity.com)
404 points by wtbob on Feb 29, 2016 | hide | past | favorite | 237 comments



What concerns me, as somebody who has absolutely zero interest in internet connected thermostats or fridges or whatever, is that as IoT devices become more and more ubiquitous, I'll probably still end up with some kind of quasi-surveillance garbage in my house. Either because I didn't mean to purchase it, or because there was no alternative because in the future every under-sink garbage disposal requires a wi-fi connection or some nonsense.

Due to smart phones, computers and tablets, I already have all my internet habits being recorded, and half a dozen cameras and microphones all over the house.

Whats just as concerning is how many quasi-legitimate service providers, for reasons of people desperately trying to secure themselves from bad actors, end up finding technical solutions that are indistinguishable from malware and other kinds of network attacks/exfil techniques.

Argh, this is a stupid future, I want to go back and try again.


Sadly, all of the IoT-devices I have read about so far are either deeply creepy (like that Barbie doll that records and transmits children's conversations to the mothership) or completely useless (like a razor that automatically orders new blades).

And given the mediocre job we have done with online security so far, one can easily think of half a dozen scenarios for the "IoT" (the term alone makes me cringe) to turn in to security nightmare. Think of the Windows malware wave of 2003, when you could not install XP on an internet-connected machine without catching some worm before the installation was finished; now think of billions of lightbulbs, fridges, thermostats and whatnot and how much thought their designers must have put into security. Unless we wise up soon, the future is going to become very "interesting".

EDIT: I just remembered one useful device - a networked smoke detector that the fire department remotely query to see e.g. what parts of a building a fire has spread to and that can tell a central computer when its battery runs out. I could imagine this being really, really useful often enough that it's worth it. But still, the security concern remains. (IIRC, the smoke detectors were not connected to the internet and did not use regular Wifi, which would make sense - if my living room is on fire, my internet connection and wifi router probably aren't so much working as ... liquified.)


All the deeply creepy ones derive their creepiness from cloud tethering-- they transmit everything back to the mothership and can only be used via the mothership. You are putting a microphone, camera, etc. in your house that someone else has absolute real-time control over, and then because it's a "thing" you are going to forget it is there.

Yet every single IoT kit, howto, stack-as-a-service, or other piece of material or IoT startup I see enshrines this as The Way. IoT devices connect to IoT cloud backends and that's how it's done. Period.

There are several reasons:

(1) Vendors desperately want to avoid total commoditization. Competition in the hardware space comes from cheap Chinese vendors with unbelievably cheap labor and monstrous economies of scale. Tethering your device to a backend provides both some amount of lock-in and keeps your secret sauce away from the Chinese reverse engineers. (Or so people think.) This is as true for Chinese vendors as it is for domestic ones-- don't expect them to forgo this strategy when their competition is each other.

(2) There is no good solution for end-to-end transit that copes with the ugliness of endpoint networks.

Full disclosure: I am founder of a company that is trying to address #2 in an open, scalable, reliable, and interoperable way. I am therefore partial to this problem. Yet I also think it may be the easier of the two to solve since it's mostly just a technical problem. Problem #1 is deeply baked into the structure of the market and I have no idea how to solve it. Pathological emergent behaviors like this in complex systems like markets are notoriously hard to fix. You can see the train wreck but you as an individual are helpless against it-- in fact you are almost forced to help drive the train off the cliff because every market incentive points that way. Usually the ham-fisted solution of legislation is the only thing that can address such pathologies in the real world. I hate that as a still-semi-libertarian but it is what it is.

Edit:

It gets worse. Now add:

(3) All kinds of creepy agents from governments to crooks to (perhaps worst of all) quasi-crooked "dark pattern" companies who want to "monetize the user," would love to get as many Internet-connected cameras, microphones, sensors, etc. into your house as they can. It's a gold mine of private data they can do creepy things with. Think about the malware situation on PCs -- that is about to happen to your house.

#1 and #3 obviously interact constructively. The race-to-the-bottom nature of hardware and the ease with which software is copied means that companies must look for any revenue stream they can. We've seen what this has done to the web: the most successful web companies are free services that monetize the user through surveillance. It's hard to imagine that the same economics won't drive IoT vendors to the same endpoint.

Edit #2:

I toy around with the deeply contrarian idea that what we need are significantly stronger intellectual property laws to upend this economic death spiral, but I am not at all convinced that that is the answer or that it would have any chance of working.

The other less radical idea is that this is a marketing problem, and that IoT is ripe for a higher-end vendor to come in and say "we aren't creepy."

Would customers pay twice as much for a genuinely useful or enjoyable IoT device that came with an iron clad privacy policy, open APIs, and direct connectivity so you could avoid any cloud dependency? The conventional wisdom that I hear endlessly repeated is "customers don't care about privacy or security." I see evidence of this myself -- e.g. not a single user out of many thousand has asked us (ZeroTier) about the quality of our crypto. "It's end to end encrypted!" With what? A software implementation of a cereal box cipher? Nobody cares. Yet I wonder: just how creepy do you have to get before people start caring? Do people care when Barbie is listening to their children? When their Amazon Echo is submitting the sound of them having sex to Amazon? How pitifully abusive and downright gross does our relationship with "the cloud" have to get before people actually start caring whether their doors are locked?

Okay enough rant -- back to work trying to put a dent in this problem in a way that's probably more effective than posting to HN. #1 might be the harder of the two problems but if #2 isn't solved there is no chance of #1 being addressed.


> (2) There is no good solution for end-to-end transit that copes with the ugliness of endpoint networks.

Yes, there is. And it exists right now, and it's completely free.

TOR.

I've been using TOR hidden services for months now. On every machine (Linux), I install TOR and set 22/SSH available as a hidden service. This gives me a [HASH].onion address.

Now, why is that useful? The Hidden Services gives you a flat address space so that every .onion is reachable easily. There's no NAT, no firewalls, no stupid of any sort. And unlike "static IP/port forward/hole in NAT/Dynamic DNS" anti-solution, you install TOR, set up which ports are to be forwarded, and off you go.

I've also figured out how to get full .onion resolution on a Linux system as well. That means, instead of having to do a "Run Tor Browser/proxy" for every program, you simply use the .onion where you want. The DNS resolver takes care of obfuscation and TOR handing and everything. So that means you could have a list of servers in different physical locations with firewalls, NATS, and other network tools. And you can administer them via CHEF or Puppet or Ansible using a list of .onion in your config files.

I use Mosquitto, a MQTT broker to handle my data store. I have sensors in 3 physical different locations (my house, a friend's house, and my local hackerspace). I don't have access to the border router on 2 of them; but that doesn't matter. TOR takes care of all transit.

The last piece of this puzzle is Node-Red for handling of IoT data. With the aforementioned DNS solution I figured out, I can pub/sub data to my mosquitto broker, sitting on port 8883 on my onion. The Node-Red doesn't have to know where the machines are, nor does my Mosquitto broker.

My hardware platform is self-made: Arduino Nano clones, nRF24L01+ mesh networking chip, whatever sensors, and the MySensors library. Works really well.

Tl;Dr. An IoT system that guarantees anonymity, privacy, and security. And doesn't rely on someone else's machines.


This sounds awesome! Any plans of putting any of these scripts on Github? I think this stuff could do a lot of good.


I'm building my tools from Node-Red, so they're in JSON. But the caveat is they fill my niche I need. The TOR part, is something that would work everywhere. Configuring Hidden Services isn't hard, but resolving .onions across the system is... So here's how to do it.

(from my previous comment a few weeks ago)

*

4 points by kefka 18 days ago | parent | on: The Research Pirates of the Dark Web

I find the way TOR is used lacking. I really would like to have .Onion resolution across my whole system (in my case, I extensively use Linux). So, Here's a way to do just that:

I use a significant amount of HiddenServices to communicate back and forth with my machines. My eventual goal was to be able to process data from different geographical areas and have them inserted into MQTT via Node-Red. Until now, it was all or nothing with regards to proxy settings.

I have figured that out. For those that want to integrate seamless .onion usage across the whole of Node-Red (and every other Linux program), follow this.

get the following packages (Ubuntu, Debian)

    sudo apt-get install tor iptables dnsmasq dnsutils


 
Add the following to the /etc/tor/torrc file

    VirtualAddrNetworkIPv4 10.192.0.0/10
    AutomapHostsOnResolve 1
    TransPort 9040
    DNSPort 53
    DNSListenAddress 127.0.0.2
Restart TOR

    sudo service tor restart
Edit /etc/dnsmasq.conf and add the following:

    listen-address=127.0.0.1
    resolv-file=/etc/realresolv.conf
    server=/onion/127.0.0.2
Make a new file, called /etc/realresolv.conf . Add this in the file:

    nameserver 107.170.95.180
    nameserver 8.8.8.8
Restart DNSmasq:

    sudo service dnsmasq restart
Run the IPtables firewall update for redirection

    sudo iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
Also, this script must be run at every boot, so add this in /etc/rc.local, ABOVE the "exit 0"

    /sbin/iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040

Once you do those things, your whole Linux sustem will be able to resolve .onion addresses seamlessly, yet leaving alone canonical address schemes. this means that you can talk with a MQTT-out on an .onion, or control remote servers via exec node and SSH. And since you don't have to poke holes through firewalls, networking between Hidden Nodes with Node-Red sitting on top makes IoT sensor capture from remote areas (Work, home, car, hackerspace) very easy.

Of course, this does not discuss how to actually add a new hidden service You should think very hard before enabling a service: Make sure there is good authentication on them along with the newest updates. There is no determining origination on these kinds of attacks.

cite: http://www.linuxquestions.org/questions/linux-networking-3/h.... , Have confirmed directions work flawlessly on Ubuntu 14.04, 15.04, and 15.10 (various flavors of Ubuntu, XUbuntu, KUbuntu)


Thank you very much. This has given me a lot of food for thought. I hadn't ever considered TOR for NAT traversal for a start.


I'm glad I have :)

HN seems to have gotten poisonous with people saying "you cant, you wont, you shouldnt".. and yet the alternative solutions aren't posited. That disturbs me. I try to set a rule, that if I complain about something, I try to have an alternate path to go forward.

Right now, I'm looking into IPFS (interplanetary file system. tldr: single worldwide git repo backed by bittorrent). So far, I've been able to share a staggering amount of content quickly. Our hackerspace has decent bandwith, except when we have open house nights every wednesday. Using IPFS allowed me to share the newest Star Trek Horizon movie with 10 machines in ~6 minutes.

Turns out, they are also working on IPFS-aware Tor, so that the file hosters can reside purely in .onion space. You can probably see why that is interesting to me: worldwide backed tor repo access. Files can be hosted with little/no knowledge who they came from, or to unknown destinations.

I'm also working on porting http://s-macke.github.io/jor1k/demos/main.html so it resides purely on IPFS, including your user data (just stored in a separate key). This would allow distributed computing in a Linux js environment, with networking support... unlike Ethereum which processes data in "Instructions per second" speeds (10^8 slower than your laptop).

I've my hands full, but distributed applications are really, finally here. It's what I can call the cloud, without hearing "other peoples' servers" in the back of my head.


And Tor even provides rudimentary ACL built into .onion address itself with somewhat obscure options of HiddenServiceAuthorizeClient, and HidServAuth. This basically lets you create a circle of Hidden Services you can only access if you have a matching key.


To provide some insight into the mind of someone who does care about their privacy:

When I see an app or product that touts some security claim, I check around their website to see what they offer to back that claim up. I do not file support tickets asking for clarification unless I really really want the product.

People like me probably note that the product mentions end to end encryption and simply move on if there is no more information provided to explain this.

My thinking behind this is: When vendors are proud of their security they flaunt it. When they don't flaunt it, you should be concerned about why they aren't.

From my perspective anyway. Just my 2c.


Security is not so much about sophistication as it is about lacking backdoors and fundamental flaws.

I can imagine this would be hard to "tout".


Well, not really. What you're describing is the floor for any product I'll consider (depending on what "fundamental flaws" means), but that's not security.

Security is process.

- Do the engineers writing the code have sufficient time to do a good job (assuming they are competent in the first place? Which gets to the hiring process), or does marketing win that battle?

- What is the security audit process? Who has the keys to the servers, who changes the keys when one of those people leaves/dies?

- What processes exist to deliver security fixes to the lightbulb/baby monitor/robo-proctologist? How are consumers notified of the need, and how does the update payload delivery work?

- etc. etc. etc.

I mean, I do have a checklist of features for networked devices for my house. Those include things like user-serviceable certificates, root on things I own, etc. But unfortunately, when searching for a product, the important parts of the security picture are invisible, and reputation and visible implementation are really all there is to go on.

Which is why my lightbulbs don't get wifi.


> I can imagine this would be hard to "tout".

Open source client + whitepaper describing how the client encrypts the data with a particular scheme that still allows the server processing they need, without leaking undue data.

This can be as simple as: audio stream is discarded on device unless "ok Thing" is recognized, by a low quality open-source on-device recognition software. After that, the next 2 minutes of audio are sent to the mother-ship for higher-quality recognition and analysis.

Done, privacy-preserving Amazon Echo alternative. Get a third party (the EFF?) to audit it for you and put a badge that means to semi-technical users, 'this product goes beyond snake-oil on privacy'. Super-paranoid users can inspect the code for the client, which anyways includes little more than well-known open source libraries and some trivial glue code you don't care who copies anyway.

Of course, the real reason not to do this, is that companies don't want the 2 minutes of audio after the user asks their devices a question. They want the 'big data' of 24/7 surveillance (with all the beneficial applications this can have, but also the chilling ones).


As long as they're not trying to roll their own crypto, the concern is significantly lessened. I need to be convinced that this new app doesn't just rot13 everything and call that 'advanced new encryption'.

Just explaining which established crypto you're using and where you're using it goes a long way. (And please don't let Marketing write this part - specifics matter)


> just how creepy do you have to get before people start caring?

It has to be in some way that isn't automated.

If a tree falls in the forest, and a surveillance system integrates it with the sound of millions of trees falling in forests all over the country in order to build and monetize a detailed model of trees falling in forests, but no one actually listens to it ... did it make a sound?


Got it. So it's going to take a pedophile site appearing on a darknet that contains thousands of hours of captured home camera footage of naked kids, or a well documented case of an activist or journalist being singled out for a high-resolution IRS audit based on their home political speech.


pedophile site appearing on a darknet that contains thousands of hours of captured home camera footage of naked kids

That was the GCHQ database of hacked webcams.


Already happened.

A school district recorded photos of kids in their bedrooms at home via laptop camera

https://en.wikipedia.org/wiki/Robbins_v._Lower_Merion_School...


There are other scenarios. Apparently (I do not own a car, so forgive my ignorance), it is possible now (at least above a certain price) to unlock your car remotely via smartphone or something. Imagine a criminial organization gaining access to a car manufacturer's network so they can steal cars.

Some people apparently like the idea of being able to lock/unlock the front doors of their houses/apartments via smartphone app. I am not certain how this is more convenient than getting a key out of your pocket, but it doesn't matter - the same scenario applies. These are probably going to be "cloud"-based, so if someone can compromise the servers, they can now gain access to entire neighborhoods. (Or, alternatively, lock the doors, keep the people inside.)


> Some people apparently like the idea of being able to lock/unlock the front doors of their houses/apartments via smartphone app.

I'm not sure why doing it through the Internet is a good idea, if you can do it via the 433 MHz unlicensed spectrum.


Why not just rfid?


Someone wanting to force US legislative action on this might be so inclined to create a site that live streams video from cameras across the country, searchable by city.


I mean, that already exists; it's called Shodan, and it lets you search the webcam output of cams that have their security improperly configured and are dumping data in the open.

The engine: https://www.shodan.io/ The Ars Technica story: http://arstechnica.com/security/2016/01/how-to-search-the-in...

... and still the public does not care.


If anything, people would think of it as evil hackers breaking into their webcams, the legal solution would be harsher punishments for computer crimes.


Shodan is really not at all what I had in mind. I wouldn't expect the public to get worked up over it. You show it in a news report and people shrug because it's a search engine with text results.


Check the Ars article. The images.shodan.io feed (available to paid accounts) allows you to get the actual feed data.


Note that Shodan grabs a snapshot/ image for many different services, there isn't a focus on webcams and the way Ars characterized it was slightly misleading. And Shodan doesn't show you a feed: it provides a snapshot/ image of the moment that the crawler saw the device - there are no live streams or any special support for webcams.


More pedophile, less activist (who gives a shit about activists...).


(2) There is no good solution for end-to-end transit that copes with the ugliness of endpoint networks.

Yes. That's why the camera in the parent article calls home. The vendor says it does that so the phone app can find the camera. If the camera and app can establish an Internet connection with each other, they communicate without going through the vendor's servers. That's the "P2P" feature. If not, they communicate by sending video and audio through the vendor's servers.

This is insecure, of course. But it's the only way to establish phone to device communications without setup problems.

Skype has a similar architecture, except they don't even try for a true P2P connection any more.


"This is insecure, of course." No really it's not insecure per se. I _can_ be insecure if not done properly just as well as it can be safe if done properly.


I don't think consumers know exactly how these devices could be accessed - the assumption for almost anyone is that cameras and microphones don't turn on when the user doesn't know about it. Were there a company that did such a thing the backlash would still be incredibly strong I think - even the most anti-privacy "I have nothing to hide" person would object to their watch microphone turning on in their bedrooms. Unfortunately we need to get to the point of having some real public privacy disaster for the public to pay attention. We have wiretapping and recording laws for a reason - the idea that people give their right to privacy up to a EULA on a daily basis is a false choice - either stop engaging with the world or give up your privacy to the goodwill of a company. There'll be a tipping point sooner or later.


>I toy around with the deeply contrarian idea that what we need are significantly stronger intellectual property laws to upend this economic death spiral, but I am not at all convinced that that is the answer or that it would have any chance of working.

Or to just toss out IP laws, and every other toehold companies have that prevents their products being totally commoditized, and let the free market do its magic.

Or shift to an economy based on the social good over locking things down for profit.

Whatever.


Thank you for the interesting and thoughtful post. Any thoughts on how pervasive IPv6 might impact the problem? It seems like NAT and dynamic IPs are a big obstacle for self-hosted cloud services. The other half of the problem seems to be that computer security is difficult and terrible, so we rely on feudal protection from the big providers who can scale that kind of operation. Perhaps that is the more vexing issue.


I did not understand item number 1...

How does connecting to a network provide lock-in? By forcing the user to use a particular interface? By keeping your files incompatible with general purpose computers? What do they do?

Is there really that much 'secret sauce' in an internet connected camera?


Many devices nowadays won't work unless they can contact the manufacturer's server.

For example, you can buy wifi-enabled SD cards for your digital camera. Unfortunately, you can't transfer files directly from the camera to the computer to use in your favorite editing app because the card requires you to connect to a particular server which automatically uploads your photos to their service and you then have to re-download them to your computer if you want them locally.

This is where manufacturers are trying to lead us. They want users to be locked in to their service any time we purchase one of their devices.


It just seems like a matter of time before most people feel like I do about this: once you've had a device or two bricked because the manufacturer went out of business or just doesn't feel like supporting it is worth their while any more, this simply becomes an unacceptable condition for a product.


Unfortunately, the more probable reaction will be "Why are you using the X device anyway, don't you know it's three years old already? Y has been on the market for months, just buy it and enjoy"


The nest camera is a good example of this. You must be connected to the internet, and the (paid)nest service to view video from the webcam. If your internet connection goes out the webcam is unusable.


But interestingly the Chinese competition from Xiaomi has a hybrid model - it can be set up to record everything onto a micro-sd card, which it does whether or not it's connected to their servers. If it is, you can can then view a live stream on your phone (and get notifications for motion, etc), or shuttle back through the recorded video on the card in the camera. I am actually happier to be spied on by Xiaomi, I doubt they would share anything with various TLAs in the US somehow... (mine is watching my front yard, too, not especially sensitive).


There was a link on HN(?) a few days back about a guy that was testing some LED Light Bulb.

Those light bulb are a bit clever as they need to plug into your wifi for remote control. He discovered that the plug was creating a new wifi network, with hardcoded simple password and security setting such that it exposed you internal network to an external attacker. I can't remember if it was calling home, but surely a future version will.

So yeah, you will eventually end up with something connected, light bulbs are connected now !


I don't know about the HN link but here's the article in question :

https://mjg59.dreamwidth.org/40397.html

And the list of things it does :

So, in summary: it's a device that infringes my copyright, gives you root access in response to trivial credentials, has access control that depends entirely on nobody ever looking at the packets, is sufficiently poorly implemented that you can crash both it and the bulbs, has a cloud access protocol that has no security whatsoever and also acts as an easy mechanism for people to circumvent your network security.


@mjg59, on Twitter and his blog there, is an amusing, if not depressing, feed to follow.

He has poor impulse control for purchasing internet-enabled devices and investigating how terrible they are.


I'm not paranoid or a conspiracy nut, but I can see where people would jump to the conclusion this is being done purposefully by the government to extend its blanket surveillance of the population.

I may not be able to hack your iphone, but if I can get on your network through a rather easy means, it will give me access to what the information I really want and then correlate it with the rest of the information they can get from the carriers.

I would imagine this is exactly the sort of soft target the NSA looks for.


Incompetence is convenient to state actors, hence why there is a panic that people are waking up to its consequences and will end up using encryption competently.

I wouldn't say it is at all intentional.


Hanlon's razor: "never attribute to malice that which is adequately explained by stupidity"


Clark's Law: Any sufficiently advanced incompetence is indistinguishable from malice.


I wish it were being done by the government. If only it was some supervillain using mind control, slowly acquiring all these weird and ubiquitous credentials so they could spy on me...

While that would be bad, there's a way to fix this. We can expose the supervillain, fix the problem, and TA-DA! everything's good again.

What I actually suspect is that the typical person is just dumb enough (and hey, I'm not doing the superiority complex thing here, pretty sure it applies to me too) to let this happen accidentally. We don't need to be manipulated or brainwashed or tricked. We'll do this because Amazon will list the bad device 2 cents cheaper, and the companies making the good stuff anticipate this and don't bother to make the 2-cents-more-expensive-but-better one.

It helps that people are oblivious to how damning metadata is. One could easily foresee being able to tell who is adulterous just by when the front door opens and closes, for instance.


It helps that people are oblivious to how damning metadata is. One could easily foresee being able to tell who is adulterous just by when the front door opens and closes, for instance.

And in some other parts of the world, far removed from TV cameras and annoying privacy advocates, that's basically how we decide who gets a drone strike.

Metadata is really, really important... otherwise the government wouldn't be interested in collecting it.


This is really just silly, anybody working "on the ground" so to speak with technology understands there is no need for malice here.

I would agree with the narrative that so far in the digital age the elephant in the room (NSA) has purposefully withheld security related information based on the calculus that "it's worth having insecure things floating around, so long as it's mostly just us that is capable of hacking them at scale"-- that math is rapidly changing now, hopefully their policies and objectives will shift with it.


I look forward to the future where I can come home and my space will welcome me individually, turning on lights, media, and climate to my personal preferences, and respond to "tea, earl gray, hot" at any time. My groceries and other expendables will replenish as they run low; menu planning will stock more. I'll get a chime when my kids arrive home, and another if their love interest show up after hours. Etc etc. All this information will be held strictly per my privacy settings and is fully encrypted when offsite.

Now, the real question is, how do we get there, integrated and private, without selling out the whole stack to 100 different vendors with different API's, without one of them hacking the rest of your network, and without your government either hacking you, hacking one of those vendors, or just pressuring them for your data?

I don't have an answer.


I honestly don't think that future is worth the cost. Some of those things would be great, but controlling lights with Iot? Why? Aren't we solving a problem that doesn't need to be solved? I currently spend roughly 0% of my time thinking about and managing light switches, the system works great as is. Same goes for turning on media and setting the temperature. These things just work and they are bug free. I can only see them getting worse by adding networking and software.

Of course, it's a different argument when your house starts making food for you, but but I think I'll still lean towards maintaining my current system.


To use lights as an example - there are uses cases for some people. I have my downstairs and external lights set to turn on and/or flash if my home alarm goes off at night time. When my kids were infants I had lights set to turn on/off as I moved around the house at 3am to make a bottle etc. When I'm away for a long period of time I use it to control the lights and make it look more like someone is home. Another example is monitoring water leaks - my house was destroyed by a water leak several years ago. I absolutely sleep a little better knowing that I'll get an alert if the sump pump fails etc. I really don't understand why so many developers are so opposed to IoT. There are issues to be resolved (security concerns, standardization of protocols, some obviously stupid devices etc) but there is also the potential to make modest improvements to common routines and tasks.


The best feature for a house would be a self-cleaning device. I'm not talking only about automatic cleaners like the Roomba (which, as far as I've read, only work some of the time under some particular circumstances), but about the whole package: dust-cleaning robot, toilet-cleaning robot, dish-washer cleaning robot (we're almost there for this thanks to the dish-washer machine itself), putting-things-back-in-place cleaning robot (books, pillows, toys, DVDs etc). Basically I'm thinking of something like Rosie from the Jetsons (https://www.google.ro/search?q=rosie+jetsons&client=firefox-...)


Media devices don't really work that well.

For example, my cable box comes with a remote that has a 'turn everything on' macro button. Except there's no integration, it just blasts the power toggle IR for the TV. Does it work? Yeah. Does it work well? No.

Buying a single brand and carefully selecting devices can help with that sort of thing, but it's BS you have to be careful to get any integration, it should just work.


That's true, somehow universal remotes aren't that great still. At this point I have to use a TV remote and a Roku remote. I tend to not use surround sound just because that requires yet another remote. But still, this is a problem that can be solved with better device integration, rather than connecting everything to the internet.


A good number of newer devices ship with https://en.wikipedia.org/wiki/HDMI#CEC which is meant to help with this type of thing.

I'd agree that a lot of the time it still doesn't work 'well' though.


I vaguely remembered that HDMI had something and had looked it up and checked if the cable box supported it before I posted; it doesn't (unsurprisingly).

The sad thing is that it is so easy to imagine so much more. If the cable box provided the available programming as data, I could use whatever interface I wanted to access it. Instead, I'm stuck with their customer hostile crap (no way to hide channels, etc.).


FWIW, the Logitech Harmony Home Hub was my favorite tech purchase last year. Slightly annoying to setup, but rock solid. I put all my other remotes away in a cabinet last year and haven't once used any of them. I only use it for media devices, but it can also control some other home automated stuff (lights, blinds, etc).


> Some of those things would be great, but controlling lights with Iot? Why? Aren't we solving a problem that doesn't need to be solved?

Try installing new lights and switches in your house sometimes and come back and ask that again.

Not to mention, why do we want 120/240VAC to the controls rather than low voltage DC (less shock risk, less fire hazard, etc.)?

This is even more desirable in office buildings.


>Try installing new lights and switches in your house sometimes and come back and ask that again.

I've installed plenty of lights and light switches... I still don't see the problem. Either you have the requisite knowledge to do these things, or you hire an electrician who does. Furthermore, no fancy IoT device is going to remove the basic requirement for running wires to the light socket and (semi-optionally) from the socket to a switch. This is fine because it only has to be done once when a space is built.

I would much rather have simple and reliable wiring done once when my house is built than have to buy new light switches every two years because my old light switch is obsolete.

>Not to mention, why do we want 120/240VAC to the controls rather than low voltage DC (less shock risk, less fire hazard, etc.)?

Oh come on. the shock/fire risk of a properly installed light switch is indistinguishable from zero.


I just installed new switches (and receptacles) throughout my house. It wasn't difficult. The system is pretty simple, and it's marvelously stable---my house was constructed in the '70s, yet all of the new components fit into the same boxes as the worn out ones they replace. This is great!

Not to mention that the whole project has cost just a few hundred dollars, and the results will last decades. Why would I ever want my house to jump on the high tech upgrade treadmill?*

*Call me back when you can sell me robotic chicken legs for my house. That would be awesome.


> Not to mention, why do we want 120/240VAC to the controls rather than low voltage DC (less shock risk, less fire hazard, etc.)?

Because its simpler, and therefore both cheaper and less failure-prone, to run the actual power to the device through the switch.

We've had alternatives with a complexity cost for a long time; they are rarely preferred because the complexity cost is rarely justified.

IoT provides more alternatives with complexity costs, but doesn't really change the basic reality for most light switches.


Honestly I think open-source and sane-defaults are the answer to this. I use to have one of these cameras, but before this news broke out, I'd replaced it with an rpi. My lights are controlled with an rpi, and code I've written myself. My computer talks to me. All of these things are doable with open-source, it's just that we're prioritizing closed-source devices.

FOSS doesn't solve every problem we currently have with IoT, but it can if we give it enough power to.


I'll get a chime when my kids arrive home, and another if their love interest show up after hours

I imagine your kids (and potential interests) might have something to say about that. Taking that to its logical extreme, how is your desire to invasively monitor people in your care any different from what the government is doing?


Without using IoT as an example.

Parents are permitted to sit on their porches and wait for their children to arrive home.

Government agents aren't permitted the same right.


Maybe there's a case that parents can track their own children, though I hate the idea.

But that surely cannot extend to other children (i.e. the boy/girlfriend).

My mother was very much the "helicopter parent". The result was that friends never came round to my house, but I'd go to theirs and simply lie about what I'd done. "Why are you so tired?" is as easily answered with "we stayed up until 10am playing Warhammer" as "we drank three litres of wine and played GTA2 until dawn." Even my best friend's parents agreed my mum was terrible in this respect, and they'd fabricate cover stories if we'd gone out drinking somewhere and my mum phoned.


Right. Kids get more and more liberties as they get older, as your responsibility shifts more from life support towards advisor.


I think government agents certainly are permitted the same: it's called "shadowing". I know, reasonable suspicion and all that, but within the confines of a parent-child relationship, it is the parent that holds all the power, including the ability to define what "reasonable suspicion" means, and to act on that definition alone.

So no, I still don't see the fundamental difference between a parent claiming "I reserve the blanket right to monitor my childrens movements" and a government claiming the same on its citizens.

(edit: not saying they're equal, there certainly are differences in scale and execution -- but the fundamental policy is still one of distrust and subversion)


What's the difference between this and a CCTV camera or cop on your street corner?


Depending on how frequent or for how long, that would also be illegal. See http://www.dailytech.com/Federal+Court+Cops+Cant+Spy+on+Your... Or the ruling itself: https://www.eff.org/files/2014/12/15/vargas_order.pdf

From the ruling: "The Court rules that the Constitution permits law enforcement officers to remotely and continuously view and record an individual’s front yard (and the activities and people thereon) through the use of a hidden video camera concealed off of the individual’s property but only upon obtaining a search warrant from a judge based on a showing of probable cause to believe criminal activity was occurring. The American people have a reasonable expectation of privacy in the activities occurring in and around the front yard of their homes particularly where the home is located in a very rural, isolated setting. This reasonable expectation of privacy prohibits the warrantless, continuous, and covert recording of Mr. Vargas’ front yard for six weeks."


I don't need to record your property to see who arrives to and leaves from your home.

Having that ability is also convenient, even if you can't use the evidence in a court of law. It could lead to obtaining evidence that can be procured in legitimate ways.


One involves the full power of the state. The other doesn't.


Isn't that what border security does?


> the real question is, how do we get there, integrated and private, without selling out

We don't, because people don't care.


This is the real (and depressing) answer. Same as our mobile phones, people will trade their privacy for a graph of how stocked their fridge is compared to other households.


People trade their privacy because they don't see any alternative.

https://www.asc.upenn.edu/news-events/publications/tradeoff-...

(or, in some cases, they don't understand how much privacy they are giving up)


We get there with robots. You have one personal assistant, or call it whatever you like, where you program your references and it’s the only programming device in your house. It handles the appliances which could be as dumb as they are today and we have a single point of failure security-wise. We don’t need Internet-connected fridges, and TV’s, and thermostats and all that crap. This is a future that has been envisioned decades ago by sci-fi authors. Perhaps it’s time to start making it a reality.


Why have all that when you could instead indulge in the 80s Clapper:

https://en.wikipedia.org/wiki/The_Clapper

Clip clap!


The real question for me is are you really that lazy? I'm not being cheeky.


It's not a stupid future at all. People thought home pages and the under construction guy GIF were stupid, now look where we are.

There are some very asinine products on the market, there are so very many badly implemented products that throw security and privacy out the window, and there are some that are trying their best with what we have today. All of these are fleshing out the ideas that will stick for tomorrow... and hopefully are getting the user base familiar with the right questions to ask when looking at new stuff.

The ability to reduce home energy usage, let people in remotely, get alerted to activity inside your house when you're on vacation, detect a leak or flood while away or asleep. These aren't stupid. Some of these will genuinely (attempt) to help the world, most of them are nice to have, but not stupid by any means.

Where we're likely headed is that all of these individual devices don't need a direct connection to the Internet, but will have some local/mesh communication protocol to get the data to a main hub. Each local protocol will have security so that you can't sniff raw data just by being near the house, and the hub would use whatever the latest and greatest 'Internet security' offers up, a la TLS.

This is pretty much how Z-Wave and ZigBee devices work with the more established home hubs from Mi Casa, Samsung (SmartThings), and Wink.

We will continue to get burned by manufacturers in the near term. We will get burned by expensive, cheap, no name, and trusted brands. It's a growing pain, we don't have to accept it, but the majority of the products in the near term are going to be awful. Find reviews and analysis, create them yourself, or sit out, but your 'stupid future' is not going to magically stop marching into your house.


In reply to a comment that was deleted (maybe it was getting downvoted?)

I think (hope) the difference will be the utility to the the average user of these devices. We're basically in the infancy of IoT and are already seeing useful consumer grade devices. Going back to the home hubs as an example: You can grab a z-wave light switch from a big box store, a generic z-wave thermostat from Amazon, the hubs go from free to $200, and The only knowledge you need are to be able to replace a light switch in your house and the knowledge you would use to install a new WiFi router, you can have your outside lights come on only when it's dark outside and your thermostat respond to outside temperatures or vacancy just like Nest does. All in, you're less than the price of a Nest Thermostat, are (probably) more secure, and have a real shot at actually reducing your electric bills- and that's just with what we have right this second.

Is it saving the world today? No. Is there WAY too much hype. Heck yes. Are there some REALLY useful devices out there today? Yeah, once you wade through the crop.

Admittedly we're in the super early adopter phase, but there are real non-superficial benefits to making our biggest home energy appliances smarter with respect to consumption. There are attempts to interface with the power providers to have things like dishwashers and washing machines automatically wait for lower usage times to run- which means we can use slack in the energy network instead of firing up more coal or bringing more turbines online. It's a bit of a rosy picture as its well understood that residential use doesn't compare to local industrial use, but let's get any efficiency we can.

As I've said to friends that are dubious on global warming- even if it's not a real threat, is it really a bad thing to use less energy and tear up less of our environment? Even if our residential efficiencies barely make a dent, assuming our privacy and security aren't completely compromised, is it bad to make our homes work just a little better?


Why does this stuff have to be networked though? My outside lights turn off and on each day with a timer switch that installed much like the networked switches today. I input the date and my zip code and now the timer adjusts for the sunset/sunrise throughout the year. It will even randomize the timing +/- 30 minutes so it's not quite as obvious to any observers. I've had this setup for almost 11 years now and it cost me ~$30.

Programmable thermostats have been a thing for about 20 years now. There is no need to have these things networked for only a slight gain in convenience. I'm pretty certain I can turn my thermostat down for vacations in less time than it would take to launch an app and do it.


If the logic is baked into the each of the lowest-level control elements (like the switch/timer that controls your lights) there's no flexibility. What if you later decide you want the lights to turn off from 3-5AM or to turn on 20 minutes earlier than the timer decides? I suppose you could conceivably have a re-programmable but non-networked timer for them, but that still prevents you from establishing more complicated interactions between devices. What if you only want the exterior lights to be on before you arrive home and so you want your phone being connected to your home wifi to override the timer rule?


I don't think each needs to be networked, at least not via IP or directly to the Internet. In fact, I'm hoping the design goes towards local protocols and hubs that are directly connected.

Your programmable thermostat very likely doesn't accommodate the situation where you're out of town for 8 days over the winter holidays and you need it to be just warm enough to not have pipes freeze, and you want it to be warm when you show up with your two toddlers and pregnant wife at 7pm (bedtime). Also, what if you can't remember if you actually turned the heat down or not?

Also, I'm sure you can't turn your thermostat down in less time as I have a Vacation Mode shortcut button that I can access from the Today pull down in iOS that sets the thermostat to 55, turns off all the lights, and turns on motion detection notifications- without unlocking my phone. I'm being pedantic, but it is truly that easy.

Your light switches hooked up to a surprisingly power hungry timer don't tell you that they actually turned on when you're gone. Can't remember if you left the living room on and you're out of town? Check your phone.

Using a local communication protocol helps keep your gadgets from leaking your info all over the Internet like those god forsaken Internet cameras and such are doing these days, and the hubs they connect to allow you to actually interface with them remotely. This leaves the hubs as the weakest remote link, but in that case you only have to worry about one vendor getting it right instead of every vendor. It doesn't remove the risk, but it certainly makes it more manageable.

Z-wave and ZigBee both have their flaws, especially around security, but they do have the advantage of not making everything in your house addressable from the Internet.

These things aren't necessary, but they're not frivolous. They already are bringing efficiencies with not all that much effort.


Probably because since the 2007 when the mobile bonanza started, everything has to be "apped" and sold on shiny websites, animations, cute logos etc. "There's an app for that" is one of the main reasons for this insanity.


> is it bad to make our homes work just a little better?

Not at all. Unfortunately, very few people are actually including proper security and risk costs. A device that improves energy use and makes usage data or admin control accessible by a network may not be "just a little better". The network attack risk may even make the device a net harm.

It is rare to even see these negatives addressed by the people promoting IoT. I consider this extreme negligence, as any problems from a network attack are paid by the end user. Like coal based power, insecure consumer devices avoid paying for their negative externalities.


I also have zero interest and would also be alarmed to have a bunch of transmitters and protocols and services running, possibly invisibly, in my home.

However, I am not particularly worried and that is because there will always be industrial/commercial models. I know this because it is the case with flat panel displays.

We are certainly well over the transition to "smart" TVs and all of their accompanying features - you probably can't buy a single display at Best Buy that isn't "smart". However, you can also buy an extremely well built, completely dumb "signage display" (like those thin-bezel NEC models you see airports use for departure/arrival boards, or what video walls are made of).

They aren't even much more expensive, since the buyers (airports and shopping malls) need economies of scale when they are buying 200 of them at a time. They last longer, are more rugged ... and are completely dumb.

The same is true with commercial refrigerators and ranges, etc. - pro cooks in a kitchen can't be dealing with the wifi or the facebook integration.

I am very optimistic that this will always be the case and that "dumb" models will be available to smart people for a small premium.

It's also easy to predict that lack of smart features (and screens and lights and boopity-beeps) will be a subtle class distinction. When everyone in the trailer park has a flat panel on their refrigerator, you'll see them disappear from the highest end models.


But if that's the case, we run into a problem I saw someone write about with the ongoing Apple VS FBI case, only the "rich" would have access to strong encryption/privacy...

If I remember who talked about that I'll edit this message.


That may be the case with privacy, or other intangibles like that, but we're talking about electronics.

As I said, the airports (or the commercial kitchens, or the industrial lighting consumers) need to buy these things in bulk, so the prices get driven down.

Yes, a brand new NEC displaywall panel purchased quantity 1 might cost 20% or even 100% more than a panel at best buy, but go backwards one revision and its as cheap as any electronics.

In this case it's not "the rich" but rather the informed, or the savvy.


Opinion: there's a lot of interlap between "rich" (not necessarily rich as in the "1%") and the "informed"/"educated".

I think people with a will to learn often end up living comfortably, because they like learning and informing themselves.


> you probably can't buy a single display at Best Buy that isn't "smart"

I just bought a non-smart TV at Best Buy. It was somewhat difficult to discern, let alone find a non-smart model. It's do-able but your overall message is right: soon you won't. Worst, you won't even know one way or another.


> Worst, you won't even know one way or another.

Perhaps there needs to be a move for mandatory labeling here. Certainly, a better case than for GMOs.


Is there a reason why one couldn't just buy a "smart" TV and just never connect it to WiFi?

I have never used a "smart" TV, mine is a dumb TV with a Chromecast sticking out of it.


As someone who has played around with home automation and done some homebrew IoT, my biggest concern to be honest is that the extra functionality will make common appliances more difficult to maintain than they already are.


Yeah, exactly. I really don't want an internet-connected IoT refrigerator, but I wouldn't mind one with some standardized interface that allows it to be optionally augmented with IoT functionality of my choosing.

That interface shouldn't be much more complicated that some connectors and passive wiring. Then I could connect a communications and sensor modules and replace them independently as needed.


Right, maintaining a dozen sensors and integrations with other appliances is a pain in the ass. Also, I have no interest in moving the controls of the device from the appliance to my smartphone. 95% of the time it's more work to pull out my phone and launch an app than to flick a physical light switch.


Yep that's my concern too.

I'd actually go for a little home automation, perhaps a Philips Hue or two if they were LAN only.

99% of these things should be blocking WAN access. Even the smartphone apps should be limiting themselves to never be on the net.

Unlike gmail and facebook actions driving ads, I fail to see what manufacturers get out of the data from when I use my fridge, toothbrush or thermostat. Seriously, I don't see what earthly use it is for them, unless next step is an ad driven toothbrush.

Every time I see an article about what's been found on Shodan I shudder. It's a very stupid future.


> toothbrush

Incentive for dentists to recommend their internet enabled toothbrush so they can suggest specific brushing plans and monitor how well the person has been adhering to their regular brushing. There might also be some software on the dentist side for managing all of this.

I have one of these toothbrushes, that's roughly pulled from the features section of the manual. (I have it because I can track how well I keep to brushing my teeth over time, well worth the ounce of prevention.)

> thermostat

The local power company has a program where they supply a smart thermostat that they can regulate during peak use. With certain caveats of course, I think you can opt out of the automatic regulation several times a month.

> fridge

Haven't seen a practical use for this yet.


I have a recent Samsung refrigerator, which has a nasty habit of forming ice in the fan blades. Samsung refuses to further warranty it....

So, I use 2 thermistors and a photoresistor and equipped them in my fridge. I used an Arduino Nano clone with a nRF24L01+ chip and MySensors library for getting data.

The data then is posted to my MQTT server (Mosquitto) and also saved in a file. The file is parsed by a graph library and is displayed on my http://[hash].onion/fridge . Also, if I detect >45f or higher after last fridge door open event, I throw an alarm (chirp on piezo speaker and email).

And yes, It's saved us at least 1 fridge load of groceries. We can't afford to buy a fridge every 3 years, even though throw-away culture sure would want us to.


> so they can suggest specific brushing plans

For me that's a hell of a stretch. Just seems hellishly complex for checking the preferred 2 mins of brushing. Timer sure, especially for the kids. But, if people see real benefit...

> thermostat that they can regulate during peak use

OK, that's a benefit that's difficult to fault. Wasn't aware of any doing that.


I agree with the sentiment, especially with regards to terrible ideas like touchscreens. But open up any "smart appliance" and you'll still find the same simplistic sensors and actuators performing the core function. If things get bad enough a modding market will spring up, replacing "intelligent" control boards with versions that work for the user. Likely with non-mandatory network capability, but without the hostility.


> for reasons of people desperately trying to secure themselves from bad actors, end up finding technical solutions that are indistinguishable from malware and other kinds of network attacks/exfil techniques.

Additionally, IoT security "solutions" can actually be worse than a malware. Here is a recent example:

Password Extraction Via Front Doorbell http://hackaday.com/2016/02/28/password-extraction-via-front...


>>is that as IoT devices become more and more ubiquitous, I'll probably still end up with some kind of quasi-surveillance garbage in my house

You mean like Google and Facebook with the web?


To fix this, the Federal government (most likely the FCC) needs to publish rules and regulations regarding the "telemetry" that software and hardware is allowed to collect and to issue recommendations / requirements that the consumer have full control and be able to disable all features of that "telemetry" and that the consumer's right to do so cannot be waived or abridged via a terms of service agreement or some other such (ie, the behavior cannot be automatically enabled after a systems update, nor can additional or new "telemetry" that didn't exist in the original product be added via a systems update and be enabled by default). Additionally, it should be a requirement that all hardware / software vendors be required to disclose all host(s) and points of origin that telemetry is collected and these hosts should be registered with the FCC. The points of location where that data is collected needs to be regulated under similar security information rules/laws that surround HIPAA. Any device/software not complying should not be allowed for sale within US borders. Additionally, any vendor who accidentally breaks that (ie, Microsoft "accidentally" pushing auto-updates that automatically reenable "telemetry") need to be punished with large and punitive fines (ie, $1,000 per violation/instance). Additionally, it should be mandated that any "telemetry" system cannot impair, disable, or otherwise render the device inoperable should the telemetry 1) be shut down, 2) fail. There should also be punitive fines for this.

Barring this, this is only going to get worse and worse as time goes on.

A bigger concern for me, is that since all this software / hardware is being built in the purview of repressive regimes (the US government not withstanding), that government actors will employ or dictate methods by which they can tap that "telemetry" without a court order.

It is important that the US pass these laws, as the majority of software that goes into these devices is built in the US (and, also, since the US is still the single largest market for them). If laws are passed in other countries, because of the cowboy mentality in the US (see: Uber, Facebook, Google, Microsoft in Europe, et al), I highly doubt there is any hope for self-regulation within the software industry itself, and that government intervention is necessary in this case.


I agree on general terms, but not necessarily in practice.

Fortunately, market segmentation relegates certain features, network/internet connection being one of them, to the high-end/luxury segment.

It may take a (relatively) long time before network/internet will be so cheap that it will permeate down to the lower segment; considering also that being connected requires a backing infrastructure, which is cost added, I think this time will be very very long.


The Barbie Doll incident kind of jump started this on a non-Luxury item.

Also surprised no one posted the video of the guy on tech support phone call while his webcam was hacked and playing The Police "Every Breath You Take." https://www.youtube.com/watch?v=CUx8_JNNKsM


I agree; my main concern is that at least I need to have a choice, to be able to opt-out.

However, if your electric company already uses smart meters, which capture your power usage at a high resolution, they can determine a lot of what goes on in your home already: They can see what machines are on or off (they have different power signatures), even what TV show you are watching (again, based on the power signature), and make good guesses about when you are home, awake/asleep, how many people are there, etc. If you are less busy than I am at the moment, you can find reports from the Congressional Research Service, Colorado Public Utility Commission, ad IIRC MIT and the Dept of Energy detailing this (I think the CRS report references the others and is a good place to start.)


Since it is getting harder to find devices that aren't "smart", I've decided to stop worrying about it and simply not connect them to my network. I assume if they automatically search out unsecured wireless, I'll be able to sue them, since accessing networks without permission is illegal.

As long as what I want them to do (be a refrigerator, a tv, or a thermostat) isn't dependent on network connectivity, the "smart" device isn't much of a threat.


Great. Waste more time/resources/etc and make products even more fragile than they already are. For what? Some nonsense that will mostly die out as people realize toasters don't need to talk to anything.

Awesome. Consumer electronics seem to get worse as fast as they get "better."


People have been installing networked microphones in their homes since the 1890s. What is the change now that makes you concerned?


Big differnece. There was no software installable on "dumb" telephones. They could not be programmed remotely to change functionality to listening without ringing. That would have required an easily detectable hardware change. Smart devices on the other hand are always vulnerable to this possibility.


Granted it took a bit more doing than nowadays, but the old phones had a mechanical ringer that is basically a microphone. No rewiring necessary. http://www.bugsweep.com/instrument.html and https://www.schneier.com/blog/archives/2010/01/eavesdropping...


Most of these new microphones do not have physical switches that can be off and still be useful, and most do not have networking that can be killed by unplugging.


Would you buy soundproof cases to leave some of these miced devices in when not in use? Like the amazon fire remote?


Yeah, that's kinda how I feel about our democracy.


From 1950:

"What concerns me, as somebody who has absolutely zero interest in computers or electronics or whatever, is that as electronic devices become more and more ubiquitous, I'll probably still end up with some kind of quasi-electronic garbage in my house. Either because I didn't mean to purchase it, or because there was no alternative because in the future every under-sink washing apparatus requires electronic connection or some nonsense.


What point are you trying to make here? I don't see the parallels between OP's comment and yours.


Between IoT and the deployment of IPv6 (meaning no more automatic NAT firewalling), I feel like we need to take a fresh look at how home routers are designed.

I'd love to see products that provide a user-friendly way to help me audit what my network is doing, and create firewall rules for different classes of devices. For example, if you're running a DVR server, the camera mentioned in this article probably shouldn't have been granted Internet access.

While some routers have basic firewall support, it's really rudimentary and nowhere near sufficient when you have several dozen (or more) relatively unknown devices on your network. And definitely not user-friendly enough for most home users.


> help me audit what my network is doing, and create firewall rules

We need be a better solution than this! I already dread having to configure and tweak firewalls every time I add a new device or install a new application.

Even with the most user-friendly firewall in the world, we'll still end up in a world where 99% of users don't do anything and have no security/privacy. And the 1% of technical users will end up breaking basic functionality because they blocked something that the manufacturer of the device or app deemed to be an essential connection.

Thinking out of the box for a moment: If you install a camera, suppose your router automatically encrypted everything coming out of the camera such that it could only be decrypted on your smartphone, or whatever you're using to view the feed from your camera. The encryption, decryption, and keys are completely independent of and outside of the control of camera manufacturer. The encryption is unavoidable; even if they get a secret feed of the video, they cannot decrypt it.

Instead of the router, perhaps it's the device driver that does the encryption. The point is that this is something automatically done whenever you plug in a camera and which the camera manufacturer cannot subvert. (This idea is for cameras and such. For other kinds of IoT devices, this particular idea may or may not help.)


> no more automatic NAT firewalling

NAT != firewall

IPv6 doesn't take away your stateful firewall, and NAT isn't providing ANY security. Your private IP addresses are betrayed all the time by your browser (and TCP option headers). NAT has done an incredible amount of damage to the internet; it prevented the development of true peer-to-peer software and forced everything to centralize.

The solution - even for IoT in the few places IoT isn't a surveillance scam - is to remove NAT by using IPv6.


> IPv6 doesn't take away your stateful firewall, and NAT isn't providing ANY security.

That's not really true. By its nature, stateful/dynamic NAT, which is what the majority of the consumer world is using, means internal services aren't exposed to the Internet. Short of layer 7 stateful packet inspection, or some other IDSy type thing, a consumer-focused 'firewall' isn't going to do any better... they have to be generic and fuss-free. Just go back to the early 00s or mid-90s to see the ramifications that exposing ports from Windows machines to the Internet had, then tell me NAT hasn't had a positive security impact.


> Just go back to the early 00s or mid-90s to see the ramifications that exposing ports from Windows machines to the Internet had, then tell me NAT hasn't had a positive security impact.

NAT has had the same _security_ impact that a default REJECT ingress firewall policy would have. (Coincidentally, this is the default firewall policy for non-Enterprise Windows Firewall configurations.)

If you combine default REJECT with a port opening protocol like uPnP, you have a really nice, reasonably secure, self-maintaining border firewall. (Hyperventilation about security issues with particular implementations of uPnP notwithstanding.)


I'm not saying we need NAT, just that without prior need for NAT, perpetuated by ISPs only giving us one IP, I doubt anybody would have any ingress filtering at the border. It's a lot easier just to block ingress to the whole house than it is to ensure a dozen devices are secure against unwanted incoming connections... this problem will present itself with the IoT sooner or later.


> ...just that without the need for NAT, perpetuated by ISPs only giving us one IP, I doubt anybody would have any ingress filtering at the border.

I disagree. Defaults are a powerful thing. If one's router ships with a default REJECT ingress firewall, a non-technical user is not likely to change it.


What I haven't seen in a home router is proper egress filtering. The use of NAT you're talking about just seems like a really blunt version of that.

I think a router with a smartphone based controller could work well - push notifications when your TV wants to connect to the net for the first time or a friend has dropped by and wants to log on to your guest wifi


Except that on a consumer grade router, UPNP is probably turned on with no authentication. Anything that wants to get out, will.


What's the alternative? Consumers want something they plug in, turn on, and forget about.


The alternative is an easy-to-use router summary page that list every network device and controls what it can contact (eg local-only, manufacturer, wide Internet).

Consumers want things that "just work" because they haven't been shown that they can have control. It's really a matter of selling the value proposition of such administration, and making these devices' communications patterns legible to the average consumer.


> "... router summary page ..."

You've lost probably 95% of the mass-market: users who visit their router's setup page either zero times or one time throughout the devices' stay in their home. Users do not want a list of devices or controls or toggles, or text fields to fill in IP addresses. They want to buy their plastic internet box, plug it in, and go download cat videos. You can try to communicate value proposition until you're blue in the face. People want to plug it in and get on with their lives. Trying to convince users of the value of "administering a computer" is fighting a losing battle.


If a user is really that uninvested in their digital life, then why bother thinking about them? After all, nothing can be done.

I heartily disagree with this defeatist figure of "95%" though, and feel it reflects tech feelings of inferiority more than the actual ability and desires of people using technology.

Most people will apply their brain to overcome straightforward problems and most people seem to be concerned about security. Of course this concern comes from mass-media scaremongering, which also misleads them into thinking that centralized entities will protect them. But it still means there's a demand, and the concern-actualization gap should be able to be bridged with sufficiently-accessible administration.

If plugging in a device makes it just work, then a user is likely to forget the step of modifying the ACL. But if going to the router page is a required part of setting up any new device (because they have previously chosen this mode when setting up the router), then it will just become part of their workflow, the same as entering SSID/passphrase.


That's why I think a smartphone app with well calibrated alerts would help. People learn pretty quickly how to administer a router when Xbox Live doesn't work properly.


Exactly. It's not so much that people can't figure out tech, it's that they only do so if necessary to accomplish their immediate task, regardless of possible repercussions down the line.


"NAT isn't providing ANY security" - except for the fact that there's no way for a host outside your NAT to initiate contact with any host inside your NAT. That sounds quite a lot like security. As for "your private addresses are betrayed all the time by your browser", I'm not sure what an internet host is going to do after discovering my IP address is 192.168.something that they couldn't already do.


> except for the fact that there's no way for a host outside your NAT to initiate contact with any host inside your NAT

Not true. Someone on the Internet can mark your router's external IP as the gateway for your internal network range and send packets to your internal devices fine.

(In practice most NAT devices also do firewalling to prevent this, but the two functions are independent)


When you say "someone on the Internet", you mean "someone who has a device on the same network segment as your router's external connection", right?


While that is still a serious risk, IP packets support a source routing header option header.

http://www.networksorcery.com/enp/protocol/ip/option003.htm

http://www.networksorcery.com/enp/protocol/ip/option009.htm

I have no idea how well supported these headers are on the modern internet, but they are still part of the protocol.


That's a characterization of a network gateway, not a NAT - there's no reason for a NAT router to accept and gateway packets addressed to its internal network since there's no reason for external hosts to be using those addresses in the first place. I would be astonished to find a NAT which also enabled routing to its private address space for external-origin packets.


You might be astonished to find such a NAT gateway without the functionality you describe, but what you're describing is a firewall.


I would not describe having two different routing domains as a firewall. It's not a fence set up by a firewall that only lets correct packets through. It's a gaping chasm that only the NAT process crosses; packets are transformed as they cross and only some packets are possible to transform.


In general, if you're intentionally dropping packets it's a firewall. NAT is just an address translator.

> only the NAT process crosses

Nope, a router that doesn't have a firewall but supports NAT will route a packet if it has the proper destination address. That is, if a packet is received that has a destination address of e.g. 192.156.1.2, it will be routed onto the LAN. However, this is a very rare configuration, as most routers (including ~all home routers) also include a firewall that does packet filtering.


>will route a packet if it has the proper destination address

Iff the ports are logically connected. Nothing forces routing to be global.

If they're separate, it doesn't have to intentionally drop packets. An example configuration: You're NATing 15.x.x.x to 10.x.x.x, with a 1:1 mapping. It's wide open. But it simply doesn't understand what to do with a packet addressed to 10.x.x.x on the external port. No destinations in the external port routing table contain 10.x.x.x, so it gives up.


What does that router do with packets a local program (running on the router) sends to 10.x.x.x? By default it would likely do the same with an external packet addressed to 10.x.x.x, and that would not be to drop the packet.

When I've seen a "NAT" box configuration it's literally been two iptables rules: one to do NAT, and one to default drop packets from outside.


Filtering packets that don't match a criteria (such as a destination port) is done by a firewall, in addition to the NAT. These are typically used together, such as in the "full-cone" situation you described.

Yes, I'm making a pedantic argument about terminology, but it's an important one because IPv6 means we can remove just the NAT part - all of the other filtering/etc features can remain. The goal is to make all devices addressable globally[1], which some people assume is a change in security. That isn't a correct assumption, as an IPv6 router (with a stateful firewall) should drop the same types of packets as their current IPv4-with-NAT router.

[1] NAT badly damages the network by imposing an imprimatur[2] on the hosts behind the NAT.

[2] https://www.fourmilab.ch/documents/digital-imprimatur/


But filtering packets because you don't have a routing destination is not done by a firewall. If I send a packet destined for 253.7.7.7 to a pure router, it will get dropped.

The routing engine on the outside port has a destination for 15.x.x.x. Those packets go into the NAT engine. It does not have a destination for 10.x.x.x. Those packets suffer the same fate they would if you gave them to any router in the middle of the internet. Nowhere to send, abort.


I don't think anyone was claiming what you seem to be arguing against; the point was merely that even the accidental and minimal security brought on by being unable to externally address internal networks is going away with IPv6. It was never "real" security, but it did make it materially harder to breach into someone's network.

Of course it's also going away with all the IoT things actively reaching out, since every external connection made without care is also an avenue for attack. ("Oh, you want your firmware update little camera? Have I got an unsigned blob for you! You're gonna love this update.")


I am a sysadmin who has been slowly preparing for IPv6 as an eventuality, and have read quite a bit on it, though I admit there is much more to learn. That being said, and knowing that the industry says otherwise, I disagree on the seemingly accepted state that we should get rid of nat for ipv6, for a few key reasons.

1. Yes, browsers and other things will leak your private ip space sometimes, but nat does indeed provide a level of security simply due to complications in routing issues for attackers. Its certainly only a base layer, but it does help.

2. In many situations, we dont want devices on the internet at all, and on private only networks. This is doable with site private, but that brings me to

3. There is a lack of clearly communicated best practices for the industry. To the pont that adoption is almost nill. I recently had a private network setup via ATT, and they said I was the first customer on that network type to request ipv6...

4. Knowing how heavily the NSA was involved in ipv6 (in particular ipv6 ipsec), I have my concerns about the protocol itself, albiet as of yet unverified doubts. The corruption of NIST committees is a very serious thing to me.

5. As the admin, I want to be able to see non encrypted traffic and metdata traversing my exit points. I am having a harder and harder time diagnosing IPv6 because of how often it wants to tunnel to some ipv4 address that I dont trust (read: microsoft).

I know that all these points are fairly weak and suspect to criticism, but what gets me is that I dont hear this discussion. Instead I just hear either how ipv6 is god and you should embrace its loving arms, or I see people just sticking their head in the sand who say, I dont like it so Im going to ignore it and hold on to my ipv4 blocks until they make me.

Im open to conversations on the topic, and my list is larger but Im on mobile and late for fixing some ipv4 networking issues .


> 2. In many situations, we dont want devices on the internet at all, and on private only networks. ...

Unique Local Addressing (RFC 4193) solves this problem and requires no coordination with outside parties. The network admin gets to choose the scope of the ULA prefix, so you can trivially make your ULA traverse multiple LANs if you wish. (This addresses your first point, too.)

> 3. There is a lack of clearly communicated best practices for the industry.

Eh? This is the first hit for "IPv6 BCP": https://www.apnic.net/community/ipv6-program/ipv6-bcp

> 4. Knowing how heavily the NSA was involved in ipv6 (in particular ipv6 ipsec)...

Then -uh- don't use IPSec and block IPSec connection establishment attempts at your border firewalls. Or, because implementation of IPSec is -sadly- not a requirement for IPv6 implementers, use an IPv6 implementation that doesn't implement it.

Edit: You are aware that OpenVPN uses TLS for session authentication and IPSec for transport of tunnelled data? :)

> 5. As the admin, I want to be able to see non encrypted traffic and metdata traversing my exit points. I am having a harder and harder time diagnosing IPv6 because of how often it wants to tunnel to some ipv4 address that I dont trust (read: microsoft).

Are you talking about IPv6 over Teredo tunnels? If you are, then get a packet dump and fire up Wireshark... Teredo doesn't encrypt the traffic that it tunnels. If you aren't, and you're talking about something that's wrapping traffic in TLS, then -well- that doesn't have anything to do with IPv6.


I knew I was going to get flak for this, butnit has inspired me to dig into it further and I plan to come back with stronger points... Or perhaps Ill realize I was wrong and change my mind. Thanks for all the responses though, I have some reading and thinking to do.


4. Knowing how heavily the NSA was involved in [..] ipv6 ipsec, I have my concerns about the protocol itself

That's not an issue against IPv6. The entire ipsec standards were backported to IPv4, by people from the same organizations. There is no reason to assume IPSECv4 is any less tainted.


This line stood out to me (especially after reading the protocol explanation points from a manufacturer just above): "I’m baffled as to why such a well-known brand as Foscam would enable P2P communications on a product that is primarily used to monitor and secure homes and offices."

Well the first answer that came to mind for me was NAT. There's a reason you'll see both botnets and (commodity, cheap) security cameras generating P2P traffic: NAT.

NAT+IPV4 is a problem that adds complexity and less usability at the cost of security. It's a clear bolt-on design that consumers have tolerated probably for longer than we should have. I think ISPs have mostly created this problem in being slow to adopt something else.

I would also agree that we have a basic usability problem in home routers and pretty much the entire concept of firewalls when it comes to normal users. How do you explain egress traffic filtering to someone who just wants to control their thermostat from their phone and stuff?


The Turris Omnia router project has the Majordomo component, which sounds somewhat similar to what you have in mind.


Even if we get a user-friendly way to authorize outbound network access, users will still just click "Allow" and "Accept" to make the notifications go away.

I am wholeheartedly open to maintaining a whitelist for all of what's trying to reach out of my home network, but the sheer magnitude of domains being queried makes it unfeasible.


I worked in a company that provided remote power monitoring. We put a box in your circut breaker panel and monitor your power use. Its kinda neat, but way more intrusive than I imagined.

It didn't occur to me how much you can learn until looking at power consumption home page of our demo house when the owner was on vacation (owner = boss). All the circuits are flat. A manager at the company who installed it too, came hold and told his wife "I see you came home at 3". He knew because he could watch the power come on. We could count loads of laundry done and watch the sun rise from solar panel output. Then there is the awkward conversations when you know the dog walker didn't walk as long as they said they did.

I was glad the company transitioned to monitoring businesses, but I left after a few years for unrelated reasons.


This dad used remote power monitoring to bust his daughter throwing a party at home while she was supposed to be staying with family: http://www.rowetel.com/blog/?p=2381


Great story. I can totally see that happening. We used the same tech (CT-current transformers), but lots of them in the panel that would radio it out to a base station then up to the internet.

https://www.flukso.net/installation

circuit breakers are starting to have the measurement technology built it.

http://www.carlingtech.com/node/670


I want to thank you for making me aware of this. I had never thought of the ability to track me merely by energy usage. That one's "silent" enough to not even have crossed my mind and shy of wasting energy (and money) I don't see a way to "beat the system" here outside of getting off the grid.


I was a little surprised by it too. The new "smart" power meters that are starting to be installed by power companies deliver hourly power use data to the power company for a variety of reasons.

Parts of California US has a moratorium on these smart meters for "health and privacy" reasons https://en.wikipedia.org/wiki/Smart_meter#California

I though you could write a good mystery that could be solved using a power monitoring system... But alas I am not a writer.


'fuzzing' by putting a space heater on a timer, or a big storage battery to smear out the load over time

the first option might burn your house down though


Trust, but verify. I like the idea of knowing when the teenager actually got home, or how much the dog walker is stiffing me.


Do you like the idea of service providers being able to monitor those things about you? How about the fact that by providing the data to a third party you've abandoned your expectation of privacy re: when and what you do within your own home?


What you don't seem to get is that the default scenarios for IoT are other organizations monitoring you.

You're not the one in control of this data.


Only in this case you are not the one who knows. Your electricity provider is the one who knows when your teenager kids got home and if your dog walker is stiffing you.


I think the bigger problem is that not enough people fear the Internet of Things.


The zen of the Internet is this: it minimizes the significance of physical location from the interaction equation. This seems small, but is in fact huge: as any high school social studies student can tell you, most of human history is a story of "Location, location, location."

This is the huge feature that the Internet of Things is built upon, but sadly, far too few players in this market have yet accepted the full ramifications of the feature---while all the devices you own are now functionally within speaking distance of each other, every criminal on the planet is also now within speaking distance of them.

Hopefully, more manufacturers will wise up to this concern. Until then, I'm rolling my own IoT solutions.


Maybe there should be some kind of IoT security standards or maybe some Security Company testing and handling "Secure IoT device" rubber stamps to every tested and compliant device?

This is because every company that has been making "Things" for the last 5-100 years are now thinking about making IoT devices without understanding anything about Internet or Security. The Nissan Leaf or that toy maker Vtech cases are good examples of this.

A Quick starter for the rubber stamp list: 1. Authenticate every request 2. Use encryption in every phase (transport, passwords etc) 3. Really, handle basic Web security 4. Be really, really protective about your customers data in every way 5. Don't sell the data without consent from the customer


Step 0: Do a cost/benefits analysis of your network connectivity, taking into account the risks of doing it wrong and the expense of doing it right, plus the support pain of doing it right but still having to deal with dodgy home network support calls, and figure out if it's even worth it.

Networked cameras do make sense to me, but a lot of the IoT stuff I see, if one really takes into account the full range of costs and benefits, are quite absurd propositions.


Although I agree with your premise, I don't know if it would work out. Look at PCI compliance nowadays: it's all bullshit. PCI is really there for the bank to pass the buck when something goes wrong. It pretends that it's making things more secure, but IME, it does not.

I don't know the answer to this problem though


Don't have any experience with PCI compliance but I assume this kind of stuff _should_ remove the most idiotic security holes.


You'd think so, and it's supposed to. IME: As long as your not audited, nobody cares. I know of a place that was PCI approved for over 3 years that was doing every single item on the "do not do list". Since they weren't audited, nobody cared.


The IoT startups are trying to get market share right now so they don't care at all about security. About a year ago I went to an IoT startup interview and asked if they used ssl when transferring data to and from the devices. Answer: at this stage it doesn't justify the investment, we're on vc money now and we need to get clients first.. It's going to get crazy when this becomes a real fad..


My coffee pot and your water heater are touching each other via strips of metal.


Why was this down voted? Yes he could have made a far better post, but it is an interesting point.


I did not vote on the post, but it probably isn't true, there are all sorts of gaps in a power distribution system (at most or all transformers).


It's about as interesting as noticing that my house and your house are on the same street, if you think about it.


Whenever people ask me if I'm lost I just remind them that all streets are connected and if we just keep trying novel turns we're bound to reach our destination at some point.


Related: "I bought some awful light bulbs so you don't have to" - https://news.ycombinator.com/item?id=11171839


I'm surprised he's surprised about this. What they claim to be doing is totally reasonable, and pretty much every IoT device works like this. There's simply no good way to get out-of-the-home communication to work reliably without having the device connect to the cloud. At least they (claim to) use NAT punching when possible.

I guarantee Nest, Canary, Ring, etc. all do the same thing. HomeKit and Weave do to (although they use Apple/Google's servers which you probably trust more).


>> What they claim to be doing is totally reasonable, and pretty much every IoT device works like this. There's simply no good way to get out-of-the-home communication to work reliably without having the device connect to the cloud.

None of these devices need out-of-the-home communication for the users benefit. Not even Nest.


To change the temp on my Nest when I'm away from home there are 4 options I can see;

- central control via the manufacturer (thermostat talks to nest server, my app talks to nest server)

- dyndns with NAT hole punching or upnp (a way for my app to know what IP the nest is listening on and connect directly to it

- a vpn from my phone to my home and the app discovers the nest as a local network device. You still need a way to make the VPN connection to your router, bringing us back to dyndns or some way to discover your IP or hope it is static

- a P2P overlay network, such as what Krebs is complaining about, or more securely, a Tor hidden service.


As we increase the mass surveillance of our citizens, consider what a certain U.S. Presidential candidate - who advocates religious and ethnic discrimination, torture, reduction of press freedoms etc. - would do with that power. Consider what it would be like to be Muslim, constantly under threat of official and unofficial discrimination in many Western countries, and have this surveillance everywhere around you, in your home, on your phone, etc.


This is a perfect use case for Tor hidden services. They punch the NAT, they encrypt, there's a robust discovery network, and the entire setup could be either scanning a QR code from the app on the phone or delivered over Bluetooth or local LAN or hypersonically or even clicking a link in an email the device sends you directly via SMTP (prepare to check your Spam folder).

I believe the latest gen hidden service descriptors also effectively authenticate as well because the unique domain is kept secret and has enough entropy. I'm not sure if it's quite as simple as hash(domain) is public and the preimage is used as a key, but something like that.

I thought this article was going to be about the camera emailing snapshots back to China we talked about a few weeks back. A bit disappointed that it's mostly FUD over simple IP discovery with perhaps some STUN/TURN added in. So, in that regard using Tor instead may not help.

However IMO anything that makes .onion become mainstream is a very good thing.



The typical end user has no hope of sniffing their network traffic, analyzing it, and configuring their firewall to block undesired transmissions. I don't have the time to do it myself.

We need a hosted VPN service that provides a user-friendly firewall that defaults to deny all and offers a whitelist. Does that exist?


I am losing my enthusiasm for IoT because of concerns over how strong the security and privacy will be. It is not just concern over governments' desire to backdoor and monitor: I think there are valid concerns that organized crime will also exploit weak security in IoT devices.


People don't 'fear' IOT, they just don't care about it.

I am yet to see a single IOT device with would compel a non-techy-nerd to buy it.

IOT is stupid as it stands now.


Not an expert but I like my IP cameras.

Most people won't want to setup DDNS through their router with a service such as DynDNS (expensive at $40 per year). So the IP camera manufacturers offer DDNS as part of the product. Register the device, and you're up and running with the live camera feed appearing on your phone.

Increasingly the cameras have 2-way mic capability, so it's actually very cool to access it from your phone.

It's possible some of the fear is coming from not understanding the connections taking place as part of the DDNS. The actual video stream does not need to be uploaded to the manufacturer, unless they offer media management, backup etc and you've opted in. I prefer saving the video triggered from motion sensors etc to a local NAS.


There are many features that a P2P network would enable for this sort of hardware that would require large central infrastructure if done any other way.

Probably, it's either something like this or paying a subscription fee for these devices, as having them use other local hardware infrastructure is a non-starter.

I'd love a device like this that does P2P and lets me build meeting rooms across the different P2P devices. Just something that looks like a webcam, or like this, plug into the TV, and maybe have a button to start a meeting. That it gives access to my home network, oh well. I let anyone who visits more than once on my home network anyway, and also devices by a dozen manufacturers that I know aren't secure.


Anyone know how the cameras specifically punch through firewall? I have a number of Apexis cameras which I believe are essentially rebranded Foscams. I set them up with static DHCP leases, placed them in a DMZ, and specifically blocked all outbound communication from those cameras to the outside world. Now I'm curious whether this would be enough if they had this p2p feature. In my case, all they seem to do is register with a Chinese based dynamic DNS service. Still, I don't need them to communicate with the outside world and would prefer to prevent it.


Hole punching is nothing spectacular, let me explain simply:

You're on your computer connected to a regular home router. You hit google.com in your browser. What happens is that you create an outgoing request towards google.com port 443 (TLS/HTTPS). The router opens up a temporary firewall rule allowing responses from google.com port 443. (Without it you wouldn't get any response)

Holepunching is simply using that fact, your device A and B shares their external IP:port with eachother (outside of STUN/TURN scope) and then does a simple connect() to eachothers external ip:port. When A does connect(B_IP:B_port) it opens up for B to respond to that channel, and since B is doing connect(A_IP:A_PORT) his request will be let through and they can connect to eachother. A direct connection, a P2P (peer to peer) connection between those two clients, no one else.

Imagine it as a temporary port forwarding that's most importantly limited to one specific IP and PORT that can use it: the other device.

(There's some technical limitations to this like the type of NAT/firewall you have, but for the simple home router the above usually works.)


I'm still not sure I follow you regarding how the above applies to my situation. I believe in your case, you mean to say that A is a local machine and B is a remote machine, and if they're complicit together, allowing A to connect outbound to B then allows B to communicate back to A, which could allow the two of them to do things you really don't want.

However, if I have the cameras on a completely separate subnet and network interface on the firewall and block communication from this subnet to my regular lan and to the outside world, I should be immune to this, correct? A is in my DMZ, and can't communicate with the outside world based on my firewall rules, so A would never reach B.


If the device can't communicate outbound then no you're completely safe. There's no magic into this, hole punching is just a silly name for a simple technique.

Hole punching works when both A and B are behind NAT. It also allows B to contact A if A is behind a NAT (no matter if B is behind one or not). If both A and B have public IP's then the hole punching is "already done", they can already connect to eachother.


I'm also interested in this. Most of the Foscams (and rebadged Foscams and similar) I've seen and used were OK once you made sure the DDNS stuff was disabled. But these were mostly the previous gen as I've moved on from Foscam for the most part and I'm not familiar with their latest IP cameras.

The one thing I've noticed in general is that a lot of these IP cameras and NAS devices have DDNS or some other type of automatic forwarding on by default because users just want to plug something in and be able to access it from their iphone. The ability to do this with no more effort than pointing at a picture on a phone screen is apparently a selling point. The idea that you'd need to set up your own port forwarding or firewall rules is enough to turn a large percentage of potential buyers off to a product.

It's an unfortunate situation and it's the one good case I can see being made for the whole "cloud" dependent devices like Dropcam and friends. If the only thing leaving your LAN is an encrypted stream from the camera, at least in theory it's harder for casual snoopers and Shodan tinkerers to find something sensitive to look at.

Personally I prefer to have my IP cams connected to a separate LAN and record to a NAS hidden in a closet but in this day of "there's an app for that" and "plug and play" being the norm, it's interesting to see how companies sell networked devices to end users with the basic capabilities they want while not opening up home networks and sensitive data to anyone with the right search terms and the latest exploit.


Network webcams aren't even close to what iot will be. They are 1990s gopher servers compared to today's WWW.

And the fear mongering(ooh Chinese, be scared! Must be worse than all American company/gov soon same.) Scenario presented is by far not one of the scary scenarios that ubiqitous, constant, and networked sensors of all types make possible.


I know this is in the context of "consumers", but is that how most people see Internet of Things? I thought IoT was more of a name for business applications, or the trend in general, rather than the category of device. I thought that "smart (appliance)" was how the devices are sold to "consumers", and that Internet of Things referred to a trend that mostly means businesses using internet-connected devices to simplify IT and get information about assets. In that context, it doesn't seem like people are afraid as they are just skeptical and curious about what value it could provide. It is a strange future indeed if fridges that enforce thought crime fall into the same category of technology as a plant floor weight sensor. At that point, they just become "things" again.


For those trying to build privacy and security into their products is there some resources for what should be done before putting a product out?

I have seen a list from Brian Knopf for some preliminary criteria in an article.(1) I am always looking for more standards or advice on how to create a useful product that doesn't expose the user especially marginal gain products. I mean why give up all the privacy and security just to control our lights? The gain is small but the harm is very large.

1. http://arstechnica.com/security/2016/01/how-to-search-the-in...

EDIT: Grammar


There was a talk at an event I work for (that's the full disclosure done) on building security into the IoT. It was made by a Hardware Manager of the original iPhone, a patent holder for NEST and is now CEO at Electric Imp. In short, he argued that security has to be layered into every stage of the design process. The current paradigm is to make something and try to retrofit security features into it.

http://iot.thebln.com/2016/02/building-security-into-iot-int...


Question borne of ignorance: Have any of these vendors opened themselves up for any legal liability for these shenanigans?

Also, if some small developer wrote a mobile app to control such devices, would they also see themselves liable?


Meanwhile, if the same camera would only phone home to <manufacturer>.com and all the peer-to-peer stuff would be handled at the manufacturer's servers, there were probably no outrage at all...


By definition, if it phones home, it defeats the purpose of a P2P network.


Well, that was kinda the point.

I agree with the stance of this post that this demonstrates the dangers of the internet of things. But I think it's misleading (and a little funny) that it's the p2p aspect that causes all the outrage.

You could move all the p2p stuff from the device to a central, manufacturer-controlled proxy, relabel the p2p connections "3rd party APIs" and suddenly your former security nightmare has transformed into an ordinary, industry-standard IoT product, even though the data that gets transmitted is exactly the same...

Instead the focus should be on what data is transmitted at all, but that is an old, well-known problem of course...


It's only when companies take security in IoT devices seriously are we likely to see any meaningful progress in the sector. Security is an afterthought right now for companies who design products, but don't necessarily have the expertise in security to counter those who wish to hack their products. The reality is security today is as important part of the initial design in IoT products, as look and functions of the product is.


This would be a good place to mention Silk Labs' Sense. They're an ex-Mozilla team designing an IoT platform with privacy baked in from the ground up. They recently launched a successful Kickstarter, https://www.kickstarter.com/projects/gal/sense-personalized-...


Every time I read a headline like this, I can just picture a raving Alex Jones "They want to spy on you through your dishwasher! They want to look at your naked daughter! Ahhhhhhh it makes me so sick!".

Unfortunately this is one of those issues that he is right about.[0]

[0]: http://www.wired.com/2012/03/petraeus-tv-remote/


Open source software like https://kerberos.io/ enables many standard USB cameras to become wifi cameras. It'd be great to see things like this become a consumer product, there's no reason surveillance software should be propriety.


This sounds basically like a STUN/TURN + P2P solution which in itself _does not_ mean it's unsafe! It can be unsafe just as anything else out there if it's made unsafe.

As explained by the company representative (including my own added explanations) the devices, when behind NAT, can not receive any incoming requests without setting up port forwarding in the router (this is done automatically and temporarily for outgoing requests to allow incoming respones, but thats another story). Setting up port forwarding is not a good solution so what I pressume they are doing is that they are connecting to a TURN/STUN server from the camera outwards to be able to communicate. When the application wants to connect that one also connects to this server to have the camera create a p2p link (that means direct connection between camera and the device the app is running on). If that one fails then they are relaying the data through their servers.

Now there's some ceveats for the above solution. If one relies solely on encrypted channels and certificate security it should be as safe as the encryption is strong or the strength of the certificates. If not done properly, say client/peer verification is missing or the encryption chain isn't complete, then it's most likely bad. However:

The single most important thing is that the _functionality itself_ and the technique used is not unsafe per se.

The author makes it sound like it's a giant P2P-pool of camera devices, however this does not seem to be the case. Rather it seems to be a big network of relay servers to reduce latency for the connected devices. Big big difference there.

(Then one may question the inability to turn it off or that its enabled by default, but thats another question)


Maybe you should read the story again. The core focus of the criticism is directed at punching holes through firewalls by default, and in this case you cannot even disable it.

"This is a concern because the P2P function built into Foscam P2P cameras is designed to punch through firewalls and can’t be switched off without applying a firmware update plus an additional patch that the company only released after repeated pleas from users on its support forum."

Later he quotes Nicholas Weaver from ICSI:

"Given the seemingly cavalier attitude and the almost certain lack of automatic updates, it is almost certain that these devices are remotely exploitable."


I do fully understand how the technology works. Let me explain:

"punching holes through firewalls" <-- This _simply_ means that the device does a connect() call towards the clients IP:port while the client does a connect() towards the device:port at roughly the same time. You simply use the fact that a simple home router opens up a temporary rule allowing the destination:port to respond to your outgoing request. This won't work on symmetric NAT's for instance.

It's basically a completely safe method and does not open up for anyone else to connect ...

(The enabled by default is as I wrote in my original post is another question. The way I read the article it seems like the core focus of the post is to say that the solution used is bad or unsafe, which with given information cannot be said).


There you go again, misunderstanding what was actually said. I never questioned your understanding of the technology, but your understanding of what Krebs says.

Krebs also understands the technology, and quotes David Qu from Foscam about how their P2P technically works.


Yeah I noticed that it sounded like I misunderstood you, however I did not. Lets just get it straight:

I agree with you and him that it would be a lot nicer to let the user choose to enable this, and definitly not make it impossible to disable.

With that said, I'm still not sure that the author actually understand the technology behind or how it works.

Reading David Qu's answers they just align with what I'm saying about the technical part though. No matter what the author says, I think it's easy to misunderstand the text and make it sound like the manufacturer are doing something unsafe...


> It's basically a completely safe method and does not open up for anyone else to connect ...

Yes, "only allows connections to a small number of peers". However, depending on how the IDs in the P2P overlay connection are chosen, an attacker may be able to select an ID that causes their node to be one of the nodes that your device contacts. Also, in the case where a remote login or remote execution vulnerability exists, the entire P2P network can be rapidly compromised, even though each node only punches holes in firewalls to a small number of other nodes.


I don't know where your getting the first part from? As I said earlier I don't know how they've chosen to protect themselves, I do hope they use certificates to authenticate camera/client to verify that the client has access to the camera and that the camera verifies that the client has access.

I don't think you understand how the technology works. Each camera does _not_ "punch holes to a small number of other nodes", it setups a direct connection between itself and the client device (you) using a technique called hole punching... It's just a simple connection between you and the camera, no server in between.


Ahh, my background in decentralized P2P systems engineering, along with the phrase "Foscam admits that disabling the P2P option doesn’t actually do anything to stop the device from seeking out other P2P hosts online (see screenshot below)." lead me to believe they were using a DHT or other decentralized P2P system. I'd need more details to determine if they use a set of centralized coordination hosts or if they use a DHT or other decentralized system for the hosts coordinating the hole punching.


I think (I still don't know the details of their implementation) the confusion is caused by them using the term P2P servers. I think thats actually STUN/TURN servers that they use as help to get P2P (direct) connections between camera and your application. So in that sense it's not a P2P server as you imagine it but just a bad name for what the server is meant to help out with :) Again, I don't know but given that I've worked with these type of technologies for years it would make sense.


It's basically a completely safe method and does not open up for anyone else to connect ...

Except that it's opening a port into an unverified P2P network. How can you say for certain that none of the peers are compromised or nefarious?


What I described is a safe method (except ofc if you have someone in your network that can spoof adresses or your other endpoint has been compromised, however those are factors that we can't do much about).

I'm not saying that their solution is safe, nor am I saying that its unsafe, simply because I don't know. What I do know is that you can make it rather safe and you can do it really bad.

If they are using a TURN solution which I think they are, then it's not really a "unverified P2P network" either because the peers do not know of eachother nor do they talk to eachother. They talk to the server and have no clue about one another without some external signaling. The server connects two peers upon request of a specific uid, however this where authentication gets important and I have no clue how they've done it.

Of course you can try to create connections towards random ID's (you have a lot of ID's to go through judging by the screenshot) but hopefully you won't be allowed to connect since you don't have the correct certificate/key needed. Again I don't know how they've implemented it though.


> Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt.

They forgot the part where my government keeps trying to make it illegal to fix it even if I know how.


With all the talk of phoning home to particular manufacturer networks in this thread, does anyone know what happens when an IoT manufacturer goes bankrupt? Are their devices left as useless bricks?


I know IoT sounds scary and privacy invasive (it is), but in reality, most of the IoT devices are not dependent on the internet. For example, my toaster, refrigerator, washing machine, dish washer, coffee machine, TV would never benefit at all from using the internet, so I would never connect them.

The only device that actually benefits from the internet is a computer, and maybe a mobile phone (because there is this app craze). The rest I predict will fade when consumers discover the devices were fine the way they were.


You're right but you won't have a choice. Many devices will require connection to the internet to be configured, and you won't always know ahead of time what they are because most people won't care enough to put it in a review. For example it drives me crazy that my washing machine beeps for over an hour when it's done... I don't care - just stop making that noise... However, it's impossible to search for "doesn't beep like crazy" when buying a new product on amazon.


>Many devices will require connection to the internet to be configured

Impossible. My bachelor pad apartment came with a washer and dryer. Those need to work without the building owner paying $50/month for internet access for a clothes washer. Maybe you could write into the lease terms that the appliances only work if the tenant pays for internet access. Imagine if the thermostat refused to turn on the heat because there's no internet access because no tenant, then the pipes freeze in winter...

Likewise my MiL does not do internet. She has no computer, tablet, smartphone... but she does have a lot of retirement income. Most of the VCRs in the USA blinked 12:00 because most VCR owners were uninterested in using that appliance to set up timed recording. A VCR that forced owners to set the clock before it would play back rented tapes would never survive in the market. She has one of those smart TVs that spy on people and spam them, because she liked the style of the case (bezel, stand, etc), but its not connected to the internet and never will be.

UI design is beyond human ability today, and will only get worse. I have one of those "efficient" nearly silent clothes washers and it drives me crazy that there's no way to predict when it'll finish, because it spin cycles until water stops coming out, etc. So from an efficiency standpoint I want to move damp clothes as fast as possible into my dryer, but the darn thing quietly plays an annoying little song once and then goes silent. I wish it beeped for an hour. Most UI design choices are made solely to impress other UI designers, therefore the user is left out. This is an extremely bad portent for the UI for internet of things.

There's just too much money to be ignored in places without internet access.


I can't see how any appliance would be required to be online for use or configuration. Even every laptop off the shelf doesn't have such a requirement. The only device I know that does is a smart phone (maybe?).


Just as an example: the Logitech Harmony range of remotes. The only way to program those remotes is to go through Logitech's application portal.

I'm not saying it has to be done that way; I'm just saying that it is.


Even every laptop off the shelf doesn't have such a requirement.

While Windows activation can be done offline, for all practical purposes it + Windows Update requires you to be online.

I help an older lady with her technical struggles. Recently she moved into a retirement home and does not currently have internet access for her laptop. Microsoft Office started bitching about it being an illegal copy presumably because it could not phone home and verify her license. Sigh.


This seems awfully shortsighted. Perhaps some 'home' devices are gratuitous at this point but certainly there are other uses for headless devices to be connected to the internet.

Yes, the only thing that benefits from a an internet connection is a computer, but eventually everything will need to have a computer in it.


Are you sure about the TV? Personally, I think streaming services are great. Granted, most "smart TVs" aren't actually that smart, but still useful.


Smart TV's get out of date quickly and are useless. Why else do you think people have been plugging things into the back of them for years now? Boxes which can be easily replaced and still work


Sure, and I tend to agree. It's the same reason I was never interested in an all-in-one desktop computer where the actual computer is integrated into the monitor. I want to be able to upgrade or swap out one without binning the whole thing.

That said, I was recently in the market for a new TV and the models with the best image quality in my price range didn't offer a non "smart" version for less money or even the same price. As a result, I've got a TV with AndroidTV built in and it's actually a lot nicer than having to cast everything from my phone or PC to Chromecast (although that functionality is also built in).

Now, granted, when the AndroidTV bits become outdated as they surely will before the actual display does, I'll be back to plugging external devices into it but for now, there's definitely a lot of benefits to plugging that ethernet cable into the back of it.


I'm living in a furnished flat and the fact my "smart" TV takes 30-40 seconds to boot up is bizarre. I don't think I remember the huge CRT things taking that long.

I personally think they should just bundle something like a Fire TV stick or Chromecast with the TV


I had a Philips "smart" TV that did the same. Even switching inputs was about 10 seconds (if I was lucky).

My next TV will be as 'dumb' as I can find, at the moment off-brand TVs you get in supermarkets still seem to fit that bill.


Fully agree, but those things you plug into the TV are most likely connected to the internet, right? The parent said that his TV would never benefit at all from using the internet. I think it does, doesn't matter if the connection is built into the TV or via a gadget plugged into it.


TV's are specific case of computer monitor. They benefit from devices sending them signals which they can interpret and display on their screens. They benefit from things sending them signals which may or may not have originated from the internet.

Personally, the only thing attached to my TV is a computer. I said previously that a computer benefits from the internet, so I suppose you might say my TV benefits from the internet?


On the other hand DIY IoT doesn't sound as scary so long as your Raspberry Pi or Arduino board don't phone home.


So apparently everyone on HN agrees IoT is bad. Who can make/ or has made a reasonable argument defending this progress? Why is this progress happening?


What we really need is a universal IoT OS. Something like Android for devices. Then we can enforce the same set of safety rules that apply for smartphones and have some relative ease of mind. Otherwise it's gonna be hell because on top of everything we'd have to deal with manufacturer's incompetence to build decent software.


The IoT encompasses a huge number of heterogeneous devices - for consumer electronics you have webcams, smart TVs, wearables, smart white goods, thermostats, etc. - all with vastly different hardware that requires varying levels of complexity at the OS level.

On top of that, the space is very immature and a huge nascent market, so you have all the big players trying to beat each other out for a large slice of the pie - Alphabet, Apple, Amazon, Intel+Qualcomm+Microsoft+Samsung (OCF Alliance), etc.

What you really need is a strong vendor with a compelling security story who you can credibly trust to create good devices with a lot of thought on end-to-end security...any guesses who that might be?


Well, even though I am not sure it would (because that OS would surely allow http requests, right?), there is no incentive for manufacturers to use such an OS, at least yet.

I can't really think of anything that would change this situation -- although IoT devices will get more sophisticated, they will likely remain quite single-purpose, with webapps or mobile apps serving as the UI, so there isn't going to be much to gain from a large common code base.


Android is nothing short of an utter security disaster, a huge percentage of androids have critical root exploits and will NEVER be updated.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: