I stayed in a hotel with Android lightswitches and it was as bad as you'd think (mjg59.dreamwidth.org)
928 points by pjc50 on March 11, 2016 | 314 comments

So sad. I find the mechanics here really challenging to overcome. The hotel management no doubt wants "really cool tech" for their hotel to show they are up to date etc. And they send out an RFQ which someone bids on, really cheaply, knowing that by only doing the things the hotel asks for, they can throw something together quickly and cheaply for a big payday.

This is exactly the mechanism that gets people in trouble going to China for manufacturing. They say "I want you to build widgets" and they get a good price quote, and say "Wow, this is awesome!" because they have in their mind that "making things in China is cheap" but in reality it's that if you cut a lot of corners you can make things really cheap, and since the contract doesn't say you can't cut corners, it is all "perfectly" legal. But the manufacturer knows what the buyer doesn't, and exploits that information asymmetry to make money at the buyer's expense without the buyer having any true recourse.

The hotel in question could have said in the RFQ, "System will be impervious to network traffic snooping and at no time will systems or a guest supplied computer be able to access the controls in another room."

Had they said that, the price quotes would have gone up and had the system the author speaks of been delivered, the hotel could recover the costs of installing it from the vendor. But the hotel didn't even know they needed to ask for that since they no doubt would assume, "nobody would make something that shoddy would they?"

I learned about this when I saw one of the rules in a NetApp hardware contract that said "Manufacturer will install all components shown on the schematic on the final units in their designated locations." That seemed really odd. I learned that before that clause had been part of the standard contract, there had been a manufacturer who decided unilaterally that half of the noise suppression capacitors in the schematic were "unneeded." Units from that manufacturer started failing in odd ways in the lab.

I agree with you on all your points, except:

> This is exactly the mechanism that gets people in trouble going to China for manufacturing.

I keep hearing about the "cheap Chinese tech", even though nowadays a lot of high-quality gadgets are really Chinese. Even Apple's products are mostly from China. And it's not even for the cheap prices, it's because the entire production chain is there[1].

The mistake is not going to China, it's going to China just in order to save money - or anywhere, for that matter. I get that your point is not actually about China, but saving money on the wrong things.

I'd just appreciate if we could stop using "Chinese" as a synonym for "cheap".

[1] http://www.heraldtribune.com/article/20120123/ARTICLE/301239...

This is a great point, and there's a close parallel with the way that people make similar comments about Indian developers and completely ignore the many highly-qualified developers who just won't work at lowest-payer wages.

I was thinking the point would be that one reason for the low price is that the manufacturer wants your design so they can use it to build a competing product at their other factory down the road--a joint venture with the local Party boss. You'll never know, but even if you figure it out, what do you imagine you can do about it? Maybe get a court to block the product in the US (causing them a week's delay while they change labels and distributors), but if you're looking for cheap Chinese manufacturing, you won't usually have the resources for any worldwide legal battle against these guys.

And if the design you are paying them to take from you is for some IoT product, the local Party boss can even make bonus points with his superiors by offering them a chance to backdoor it.

I'll bet the cheap tablets in that hotel for tech conference attendees, the tablets with the ethernet and WiFi listening circuitry, could collect a lot of great technology for their makers, and I'll bet they were made in China.

I read the OP as making exactly your point. They were saying that the people they describe make the error you discuss, and get bad results on account of it.

The practice of unethical corner cutting seems somewhat rampant in China, though. And isn't there a reason why cheap tools that easily break are said to be made of "chineesium"?

But it is rampant in whichever location has the whole supply chain.

It was rampant in the US when there was the manufacturing workshop of the world, and rampant in the UK when they were before them.

That's interesting. What causes the correlation?

The full history of commerce. :p I'd suggest looking at the history of food and drug regulation and testing, or weights and measures regulation if you want more. The early years of both UK and US food and pharmaceutical regulation is terrifying!

TL;DR Immature locations cut more corners. More regulation, experience and reputation helps. Consumers are naive. Manufacturers want you to buy the same things many times over your life.

In all markets, there's always going to be someone willing to cut corners to secure a place in a market, or make a fast buck in a mature market. Or maybe it's a new market that can't yet have matured. That's only part of the problem.

As markets mature regulation increases and companies tend to trade more on reputation (not always deserved of course. eg Beats headphones). Now there's an opportunity to trade on the good reputation of wherever (Proudly Made in America! / Britain! / Japan!), whilst selling you cheap crap. That's the other half of the problem. The meaningless label to tell the consumer it's made wherever they currently believe is good.

In the early 80s most things Japanese were crap. Hifi sounded awful, but had lots of LEDs. Bolts, tools and vehicles were made of soft cheese. Their stainless steel rusted (I kid you not)! Honda made cam chains of special stretchy metal and probably accidentally invented cheese strings. Now Denon make very nice hifi, Teng make very nice tools and their cars are pretty reliable.

Why pay £50 for a Snap On or Britool[1] spanner when there's an almost identically packaged one, made in the same place, for £3 or £40? Only one will last longer than you in daily use. One risks breaking on first use.

So, it would be more accurate to say "isn't there a reason cheap tools break", "cheap materials break", "consumers naively expect $100 quality for $3.99" or "dishonest people are dishonest" than blame a specific locality.

The ONLY thing that has changed is all manufacturers adding built in obsolescence whenever possible. Now even the premium item is made to last "just long enough" (to get away with), but that doesn't make any one location especially good or bad at making stuff.

The only thing geography introduces is the further away it's made, the harder it is to audit your supply chain. Racism and nationalism have no relevance however.

[1] They're no longer British, or often made in Sheffield, they're just another meaningless brand of Stanley trading on 100 years of reputation. You're actually better served buying Teng these days.

I can remember a time when "Made in Japan" was still used to mean "shoddy and cheap".

What do you mean, Doc? All the best stuff is made in Japan.

I think you misread cheap. The "mistake" is assuming the low cost bids will deliver the same high quality you see in other Chinese exports, so not doing proper research / QA.

There was also a flip back in the 90s where "Made In Japan" denoted a better product where in the past the slogan was thought of as cheap.

He wasn't making a point about China, he was making a point about cutting corners.

Exactly — and so you can make the point better simply by saying “cutting corners” directly rather than confusing the issue by using a nationality to imply it.

Fair enough, however with this audience I would expect they recognize that the manufacturing contracts of China, which by their number rather than their nationality, are expressly tailored this way. It is by virtue of the Chinese success as capturing the manufacturing contracts from all other nations in the world that has helped them develop expertise and skill.

This has been an interesting conversation. I found it particularly interesting that my communication came across as disrespectful to the Chinese.

Few people that I've met have any real world experience with contract manufacturing. Of the ones I do, they have mostly dealt with Chinese manufacturers, although I do know one person who worked with a Japanese contract manufacturer and one with a Vietnamese factory. Everyone who has ever asked me about this I point to Bunnie's "Made in China" blog entries [1]. Which convey the challenges and rewards of taking manufacturing to China much more clearly than I ever could.

That said, people who have had experiences with contract manufacturing in China have all had a very similar experience, that experience was that the contract manufacturers have an exquisite expertise in squeezing costs out of manufacturing through creative techniques, not specifically disallowed by the contract. Bunnie writes about this at length in his blog.

The thing here is the law of large numbers. There are so many contract manufacturers, and their business is so competitive, the ones who develop this expertise survive and the ones who don't, they don't survive because nobody accepts their bids. It is important to understand that they are this way because they are good at what they do, not for any negative reason.

It is this exact asymmetry of information which I expect befell the hotel in its attempt to have "cool programmed light switches and TVs." This mechanism, which many people who have used contract manufacturers have experienced, is that inadequate specifications for the final product can give the manufacturer room to economize on their costs, which increases their profit, and also increases the chance that the bidder will be around for the next bid.

And it is the large number of Chinese contract manufacturers, the ease with which they can be located and contacted via Alibaba or other web sites, that means so many people have had a chance to experience this effect first hand with them. Using Chinese manufacturers as an example of the challenge in my post was my way to communicate what I was talking about in a way that folks who might look this up could find additional resources discussing this challenge (and they would probably find Bunnie's blog too).

The leap here, was to take what I wrote and assume that I said, or believed that because something was made in China, it was cheap.

That was not what I said, and certainly not what I meant. But a mix of people have read it both ways. So it certainly could have been written more clearly.

I really do recommend Bunnie's blog. Everyone should understand the challenges of working with contract manufacturers, regardless of their nationality. Not tightly specifying a contract (and worse not knowing how to tightly specify a contract) will create situations like the one with the Android controlled light switches.

[1] http://www.bunniestudios.com/blog/?cat=7

> I learned that before that clause had been part of the standard contract, there had been a manufacturer who decided unilaterally that half of the noise suppression capacitors in the schematic were "unneeded."

I don't understand how putting that in the contract is supposed to help if the manufacturer being used is pulling stupid "you didn't say the product actually had to work" semantics games that would get them smacked in any reasonable court anyway.

Welcome to the world of law. Often I've seen it said that thinking like a software developer, looking for edge cases and such, will get you smacked down by a judge who doesn't let you just use loopholes. There is an XKCD about insurance law on this topic. But the reality is that a lot of loopholes do work, and have a better chance of working if you have a really good lawyer. Part of the equation is how charismatic a lawyer is and if they can pull up records of the loophole happening in the past (assuming you are in a court that allows past rulings to have impact).

From what I've seen it is extremely arbitrary and is extremely frustrating. I was on a jury once, where one witness was told to tell only what they had heard/seen/etc. They would try to say "I heard so and so say such and such", and the other side would object. The judge would then say to tell only what you saw, heard, etc., not what other people did or said. And I'm sitting there thinking "But that is exactly what they were trying to do!" (of course I couldn't say a single word for risk to my own safety).

> games that would get them smacked in any reasonable court

You're talking about a Chinese court, right? The guy you're planning to sue lives in China and is a long-time business "associate" of the judge who will decide your case.

I'm totally speculating, but it could be that such clauses make the breach of contract case easier and cheaper to win.

It could also be that such clear terms are useful in other jurisdictions where shenanigans like that wouldn't be smacked down without them.

This is exactly right. When you disagree with a supplier you can only disagree based on the contract, and if someone could reasonably (and there is a wide latitude here for "reasonably") argue their interpretation was within the constraints of the contract then your remediation options are limited.

If you read contracts a lot (and over the years I've probably read a couple of thousand and negotiated maybe 100 or so) you will begin to see clauses that are in the contract which specifically prevent what was clearly a problem before that had not been decided as being in breach, so the added clause ensures that in future contracts it would be decided as being in breach.

My lawyer once told me that every contract tells a story if you know how to read it. The more I've read, the more I have come to appreciate that sentiment.

> what was clearly a problem before that had not been decided as being in breach

These are the signs that I always have a good chuckle with, thinking, "that sign is there because someone did that."

Why would you take an untested schematic to a manufacturer and ask them to build a product based off of it? If you are asking the manufacturer to both devise the schematic and build the resulting product, then it behooves you to ask for a prototype built from their schematic in order to evaluate the production's performance.

Re "nobody would do that": here's a quote from Destiny's Shield, one of the books in the Belisarius series:

"I was just thinking of the provisions of a typical Alexandrian rental agreement. For a house or an apartment. You know, the one about—"

Zeno smiled, nodding. "Yes, I know." His voice took on a sing-song cadence: " 'At the end of the term, the tenant shall return the house to the lessor free of dung.' "

He laughed himself, now. "It was so embarrassing for me, the first time I rented an apartment in Constantinople. I was puzzled by the absence of that provision in the contract. When I inquired, the landlord looked at me as if I were crazy. Or a barbarian."

Hey, you said you just wanted a car, you didn't say anything about an engine.

This is a nice hacking story. But when you have physical access and expertise you can hack anything. So I don't understand what's so sad about it. I do advocate security in depth, and they should probably have added a few more "layers" of security, like hide the cables and encrypt the network traffic. But then he could just use a screwdriver or pull the encryption key from the device, etc. But they probably judged that stopping kids from playing with it would be enough. The guy is a freaking firmware developer and security expert!

He doesn't have physical access to the other rooms on the floor, yet he can (probably) control their lights.

Say you got inside a datacenter, or nuclear power plant, and pulled a cable from a control unit, you would probably be able to control stuff too, and probably more sensitive stuff than the room lights. As soon as you get access to stuff you are not meant to access, it gets exponentially hard to protect from privilege escalation.

As a security exercise, assume a malicious hacker has physical access to your LAN. (shares, KVM, IPMI, MITM)

There are a few realms of business that seemingly necessitate such games. It's about as aggravating as can be imagined. I wish I knew a way around it. Different people? Closer aligned incentives? The cross-cultural aspects here make it especially difficult. You don't know what you don't know.

This is what makes people with so many years of experience so valuable. NetApp had a woman who would source parts from around the world and she had done it for long enough that she knew many (if not all) of the tricks in the book. Often her conversations would start with a new supplier and her requests with explicit constraints would tell them that she knew what she was talking about and that they had better play it straight. So they started out assuming none of the tricks they might use with an inexperienced buyer would work. That experience had tremendous value to the company.

Closer aligned incentives, yes. If you give someone money as gradually as possible they will need to make sure they can't pull a fast one and run off, they will actually need to perform.

Genuine question: Don't the other companies talk about security in their replies to the RFQ? Wouldn't that cause the original company to stop and ask the other repliers about the security they would implement (if they didn't mention security)?

Well that's just it, security is talked about but the buyer (the hotel in this case) is often not in a position to actually evaluate the vendor's claims.

You can put down "device should not be hackable" but without their own competent IT arm the hotel can't possibly verify the product delivers on the security promise.

> Well that's just it, security is talked about but the buyer (the hotel in this case) is often not in a position to actually evaluate the vendor's claims.

But at least the buyer becomes aware that security might be an issue, and thus take it into account when making the final decision. (Even if it's just "take the lowest bidder that talks about security convincingly"). OTOH, this doesn't work for buyers that don't actually care.

> You can put down "device should not be hackable" but without their own competent IT arm the hotel can't possibly verify the product delivers on the security promise.

Sure, but if the vendor puts this in the contract and the hotel does get hacked, isn't the vendor then suddenly liable?

I don't understand why you use China as an example. The example you raised happens everywhere when your contract is exploitable. Pointing your finger at China does not help your case, only shows your prejudice.

We still use locks on doors, even though they provide security theatre only. Not everything needs to be that secure. Criminal nuisance laws are probably enough to deter anyone actually turning on all lights at 3am.

> We still use locks on doors, even though they provide security theatre only

This isn't really security theater — the term refers to something which gives the illusion of security and doesn't deliver, not the failure to achieve absolute security. In general, door locks are about as secure as they're portrayed: they don't prevent someone from breaking in but they considerably increase the time, skill/tool requirements, and risk of detection. The other key part is that the threat model is obvious: people understand that if e.g. you put a Grade 1 lock on the door but leave the window open, it's not a failure of the lock.

> Criminal nuisance laws are probably enough to deter anyone actually turning on all lights at 3am.

How are you going to find out who to charge?

When I stayed there, it was just as soul destroying to use these things as you might imagine.

The implementation felt like they'd asked a VB6 dabbler to implement it in Java. Then stuck it in the cheapest 600MHz tablet they could find.

The UI was purely a button grid with distorted graphics, and dodgy typography. Button presses took about 1/2 a second to respond, and every 5th press caused the app to crash (adding a good 30 s to the experience).

My room had 4 tablets* in, and all of them behaved exactly the same way.

* the idea of a tablet to control the room is neat if it could be moved around. Like a remote-control. But for security (and using Ethernet) they were all fixed down. Making them far more useless than plain switches

Light switches that can fucking crash!

Now I'm living in the future.

I keep waiting for this iot/we put a chip in it/etc to produce results that are an improvement...

Here are the greatest hits. http://favstar.fm/users/internetofshit

By the way, it seems like extreme product fail on Twitter's part that I have to go to a sketchy third party site to get the top tweets for an account.

> By the way, it seems like extreme product fail

Not necessarily. They just decided not to have this specific feature. It is a product design decision.

Of course they decided not to have it. It's not like they aren't capable of implementing simple features. I just think it's a dumb decision.

For many Twitter accounts, the top tweets are a lot more interesting than the latest tweets, especially if you've just discovered the account for the first time.

What do you think the basis of that decision is?

It's like on the pilot of Futurama. As Fry leaves the cryogenics he woke up in, the door automatically whooshes open. He stands under it and looks up, only to have it slam down into his face.

On the DVD commentary, one of the writers explained that the future will be like Star Trek, but nothing will work. It's turning out to be true.

but it's got a touchscreen

I'm amused by the use of Modbus. I worked on Modbus networking back in the 1980's at Modicon (a company that disappeared long ago that created the "standard"). Using a protocol invented before the internet to control devices on a semi-public network is insane.

The original Modbus was designed to communicate with factory devices controlled by logic controllers over serial and eventually over a custom token ring network. Modbus got moved to TCP at some point when I stopped paying attention. Modicon rejected TCP when I was there because the OSI model 7 layer network stack was going to be the next big thing.

I think if people actually knew the true extent of the debacle that industrial control protocols are, they would pass out. If you ever want nightmares, check out EtherNet/IP CIP protocol...

Of course, there are no security provisions whatsoever. If you can get a device on the LAN, you're golden. Every device, fully open to monitoring and control of every attached piece of equipment.

In the new world of inexpensive, battery powered LoRaWAN to Ethernet bridges with tens of kilometers range, I can't even begin to imagine the industrial carnage we're heading for. A sufficiently funded attacker could find ways to implant remote monitoring and control in virtually every facility, where they can get a minimum-wage cleaning staff member hired. That means -- pretty much every facility (short of military, perhaps).

Exciting times.
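As an added illustration of the "no security provisions whatsoever" point above (this is not code from the article or from any commenter), here is what a Modbus/TCP Write Single Coil request looks like on the wire, plus the only kind of check that can be bolted on from outside: a gateway or network monitor mapping each controller's unit id to the one source address allowed to write to it. The unit-to-room mapping, the IP addresses and the captured frames are all constructed for the example; the framing itself follows the public Modbus application protocol and Modbus/TCP (MBAP) layout.

```python
"""Modbus/TCP Write Single Coil framing, and a cross-room write detector."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Function code from the public Modbus application protocol spec.
FC_WRITE_SINGLE_COIL = 0x05
MBAP_SIZE = 7  # transaction id(2) + protocol id(2) + length(2) + unit id(1)
COIL_ON, COIL_OFF = 0xFF00, 0x0000


@dataclass(frozen=True)
class CoilWrite:
    transaction_id: int
    unit_id: int   # the only "addressing" in the frame: which slave (room controller)
    coil: int      # which output, e.g. one light circuit
    on: bool


def build_write_single_coil(transaction_id: int, unit_id: int, coil: int, on: bool) -> bytes:
    """Encode an FC 05 request as a Modbus/TCP ADU.

    Note what is absent: no session, no credentials, no MAC. Anyone who can
    reach the controller's TCP port can send this and it will be acted on.
    """
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, coil, COIL_ON if on else COIL_OFF)
    # The MBAP length field counts the unit id byte plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_write_single_coil(adu: bytes) -> CoilWrite:
    """Decode an FC 05 ADU, validating the framing fields the spec defines."""
    if len(adu) < MBAP_SIZE + 5:
        raise ValueError("ADU too short for FC 05")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:MBAP_SIZE])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(adu) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc, coil, value = struct.unpack(">BHH", adu[MBAP_SIZE:MBAP_SIZE + 5])
    if fc != FC_WRITE_SINGLE_COIL:
        raise ValueError(f"not FC 05: {fc:#04x}")
    if value not in (COIL_ON, COIL_OFF):
        raise ValueError(f"illegal coil value {value:#06x}")
    return CoilWrite(tid, unit, coil, value == COIL_ON)


def find_cross_room_writes(
    captured: List[Tuple[str, bytes]],
    owner_of_unit: Dict[int, str],
) -> List[Tuple[str, CoilWrite]]:
    """Flag coil writes whose source IP is not the owner of the target unit id.

    Because the protocol carries no authentication, this mapping (held at a
    gateway or a passive monitor) is the only place such a check can live.
    """
    flagged = []
    for src_ip, adu in captured:
        try:
            req = parse_write_single_coil(adu)
        except ValueError:
            continue  # not a well-formed FC 05 write; other function codes are not handled here
        if owner_of_unit.get(req.unit_id) != src_ip:
            flagged.append((src_ip, req))
    return flagged


# Constructed sample (hypothetical addresses): two room tablets own units 5 and 6.
# The tablet in room A (10.0.1.21) sends one legitimate write and one to its neighbour.
OWNER_OF_UNIT = {5: "10.0.1.21", 6: "10.0.1.22"}
SAMPLE_CAPTURE = [
    ("10.0.1.21", build_write_single_coil(1, 5, 0, True)),   # own room, fine
    ("10.0.1.21", build_write_single_coil(2, 6, 0, True)),   # cross-room write
    ("10.0.1.22", build_write_single_coil(3, 6, 1, False)),  # own room, fine
    ("10.0.1.22", b"\x00\x04\x00\x00\x00\x06\x06\x01\x00\x00\x00\x08"),  # FC 01 read, ignored
]

if __name__ == "__main__":
    for src, req in find_cross_room_writes(SAMPLE_CAPTURE, OWNER_OF_UNIT):
        state = "on" if req.on else "off"
        print(f"{src} set coil {req.coil} {state} on unit {req.unit_id}, which it does not own")
```

The twelve bytes produced by build_write_single_coil are the whole message; every field is addressing or payload, and a controller has no way to distinguish the room's own tablet from a laptop plugged into the same Ethernet drop. Source-address ownership is a weak control (it is defeated by spoofing or by bridging rooms), which is why the thread's other suggestions, an authenticated transport such as IPsec or TLS between tablet and controller, are the real fix.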

I recently went to a LoRaWAN workshop funded by my megacorp (a utility company). It felt like paying someone to try and sell you their stuff.

Anyway, what the LoRa did emphasize is that both the network layer and application layer are encrypted with different keys using AES. This means someone would have to compromise both layers to actually control the devices.

Buuut, given that both encryption keys are stored on the device, I bet someone will just walk up with a chip clip and read the keys right out of EEPROM and then the pretty lights will start.

Or they'll just hack the application servers. I've seen some really god awful pieces of software in use.

A vendor once told me "it's so easy to admin our device over the internet. Just go to 192.168..." And of course due to corporate politics we still bought that piece of shit.

> read the keys right out of EEPROM

Usually keys are stored in a part that is not accessible directly, think of SIM and bank cards. Actually lots of LoRaWAN use SIM cards.

Moteino (arduino-based wireless dev platform) supports LoRa if anyone is interested in digging into some current sub-$10 ISM transceivers and their capabilities. http://lowpowerlab.com/moteino/#lora it's also a great project to get started with arduino if you've never worked with it before. Really solid documentation.

Don't even get me started on medical devices. Hospitals are facing a disaster they've never even conceptualized.

Same here - I used modbus only a few years ago, as it worked well for reading analog signals from hydroelectric turbine monitors, into a Linux box that converted them to digital for reporting. I cannot imagine actually using it on a modern network.

Perhaps the hotel's HVAC is running Modbus?

Could be. I just spent some time on the modbus.org site. I haven't looked in a while. There is pretty much no mention of security though they claim that Modbus over TCP is an internet protocol.

Given a completely static authentication realm like the rooms of a hotel, Modbus over TCP over IPSec would work just fine, and be transparent to the application. That sort of sounds like a good reason to be using Linux (Android) controllers in the first place; maybe they just forgot to enable it (or let go the installing contractors before their job was done, as soon as everything seemed to be "working.")

Maybe embedded network is the new javascript ecosystem: rediscovering novel ideas (like authentication!) that were invented 50 years ago.

/deploying CAN bus without security

I wonder if what is blindsiding all of these companies and people is routing.

That if you have a box that can talk to network A and B, suddenly anything on A can talk to anything on B.

A CAN bus, or older modbus installs, would be airgapped by its very nature.

Just because it's CAN doesn't mean it's actually air-gapped. If there is a Linux box on one end for SCADA use or similar, then the path is IP -> Linux spl01t -> SocketCAN

> Using a protocol invented before the internet to control devices on a semi-public network is insane.

Using Modbus may be insane, but Internet Protocol (IP) predates it by 5 years.

Modbus is an application layer protocol. Different things. It's more akin to HTTP than IP.

Modbus is still very common in ECUs. I work for a telematics company and Modbus is probably our 2nd biggest bus protocol next to CAN(J1939).

Turning lights on at 3 a.m. is a nuisance. Knowing when lights go on and off can tell you when the people are not in their room - which could help if you wanted to break in and steal their stuff. Overall quite disconcerting how lax they are with security.

Turning the lights on at 3am is a nuisance. Writing

    while true; do turn_on_all_lights $IPADDRESS; done
is enough to ruin your night's sleep. Fighting with the lights that won't go off will probably pump enough adrenaline into your system to wake you up enough that you're not going back to sleep anytime soon.

And why not do that to the entire block of addresses you can reach, of course?

It's no "steal identity, rack up tens of thousands of debt" level of nuisance, but it's enough that some basic security is definitely called for. Given the capability of the devices on both sides (i.e. we're not dealing with "embedded" 1MHz processors here), client and server side validation of SSL certificates on an SSL connection, combined with some basic physical security to detect that someone's pried the Android off the wall (this can be something like "seal" stickers; we're going for detection here more than prevention), would have had a pretty good cost/benefit ratio.

(Remember, the goal here isn't to make the security "perfect", merely to make hacking it more expensive than what is being protected, which in this case still isn't that much. Nobody's going to risk being physically fingered as the room that pried out the Android tablet just to screw with lights.)

This might be more amusing:

  # set_all_lights is a stand-in for whatever sends the level to the room controllers
  while true; do
    level=0
    while [ "$level" -le 100 ]; do
      set_all_lights "$level"
      level=$((level + 1))
      sleep 5
    done
    sleep 120
    set_all_lights 0
    sleep 1800
  done
The idea is to slowly raise all the lights from 0% to 100%, hoping that because it is gradual it will not wake the person. Then you turn them all suddenly off.

If that succeeds in waking the person, they will wake up in darkness, wondering what the heck woke them up.

More fun with lights: someone at Caltech once modified the wiring of a student's room and the adjacent bathroom so that the light switches in both rooms controlled the lights in both rooms. Then they waited in the courtyard that the student's room and the bathroom both overlooked to watch the hilarity that they knew would ensue.

What happened was that the occupant of the room eventually went to bed, turning off his light. Then later someone went to use the bathroom, turning on the bathroom light (and so also the student's light). That woke the student, who got up, turned off the light, and headed back to bed. The guy in the bathroom shouts something, and a few moments later gets his pants under control and goes and turns the light back on and heads back to the stall to resume his business. Meanwhile, bed boy is shouting something and getting up to turn his light back off. What I'm told then happened is that the lights flipped on and off a few more times, with the time between flips getting smaller and smaller, until both guys are just standing at their light switch flipping it repeatedly, before they both go out into the hall to try to figure out what is going on, find each other, and figure it out.

> Given the capability of the devices on both side ...

You're not wrong, but the other point is they are swatting a fly with a sledgehammer. What's wrong with a simple light switch for god's sake. Why would a hotel spend hundreds of dollars to do what a $2 device can do more reliably and securely?

I think you are talking thousands not hundreds. They had to pay people to set it up, pay for tablets for every room, and pay for the control devices too.

Maybe the architects/builder forgot to lay the cable for the switches and wireless lights can then be a cheaper option.

There might be significant cost savings in the ability to power off a room remotely instead of having to send someone over when a guest checks out. I would be more worried about the tv, the faucets and air conditioning, though.

Also, some hotels manage to have the tv showing a welcome message when you enter.

Sure. I work in a large university building and can power up/down various systems from my desk for the same reason. But it doesn't require a full tablet computer in each room. These are simple network addressable devices on their own VLAN that allow me to (for example) create an interface that sends a string of commands like a remote control, provided I give proper auth. If you're a regular person in any of the rooms in the building, you can't easily gain access to the VLAN, much less connect to any of the networked controllers in the rooms.

As a result, I can shut things down from my office or set up schedules to do the same. I can monitor usage and save resources (lamp hours on projectors and lighting, etc)

The idea of using a full-on tablet computer is just silly and sounds more like something I'd do while tinkering at home and was looking for a use for some old phone or tablet sitting in a drawer. It's not something I'd put in any enterprise or commercial space.

I've been in many hotels that required the key card to enable power to the room. Some hotels used a simple switch activated by presence of an object in the slot. Many could detect if the NFC tag key was present, but not read the value. Only a few I have seen actually verified that the key was the right key.

I've seen those too. They're quite inconvenient because they actively prevent you from charging your phone or laptop while out of the room. They should leave some marked outlets enabled but usually they only do so for the mini-fridge. And of course "fancy" places build that into a cabinet.

I usually have someone's business card on me, so I'll stick that in the card slot so that I can head to dinner while stuff recharges or the room cools down (for places where the A/C is tied to the same switch). I have yet to see one that's anything more than a simple mechanical switch.

Ask for two card keys and leave one in the room.

At least at the one I stayed at once, you didn't need your room card in the slot, just a card. YMMV.

Though I wouldn't be surprised that the cleaning staff would "clean" it up if you weren't there. Might want to put out the Do-Not-Disturb sign too.

The one I ran into that did that had an outlet that would work when out of the room... in the bathroom, for a rechargeable shaver, presumably. So my laptop got plugged in there...


That's nice, if you're into that. Personally, I'd pay a bit extra not to have this.

I think the implication was that some asshole can obtain photos of you sleeping by opening the curtains and switching on the lights in the middle of the night. A nuisance, sure, but also a massive violation of privacy.

>the implication was that some asshole can obtain photos of you sleeping by opening the curtains and switching on the lights in the middle of the night.

So, somebody is going to set up shop across the way, in what is probably another commercial building, commit a couple of crimes, all to take a picture of some random, likely unidentifiable person sleeping in a hotel bed?

Personally, I'm not very worried about that.

I mean, it's not like there aren't easier attack vectors for creeping on people in hotel rooms if you were so inclined.

You or I, probably not. But just this week Erin Andrews won a $55 million legal case where somebody had intentionally booked a room next-door to her hotel room, then modified the peephole to her room, in order to film her naked. Certainly, there's people intent on prying into the private lives of others.

How about setting up shop next door to get pics of $random_politician getting a blowjob for blackmail material?

Or taking a shot at the clearly surprised and now well lit individual.

That would be hard to swallow

Pretty big deal if you are not protecting your customer's privacy http://abcnews.go.com/US/erin-andrews-jury-set-deliberate-75...

I didn't get that implication at all, that's some creepy stuff there.

Wait, doesn't everybody think about the voyeuristic implications of any new technology?

You'd need to access the balcony first, assuming there's one. Why would you think of that first?

Don't worry, this hotel also has a modbus-controlled window washer's crane on the same network.

> You'd need to access the balcony

Or a camera equipped drone.

This is starting to sound like the plot of an NCIS episode.

Or CSI: Cyber, except they need to add something brain-breakingly wrong to those of us in the know for that.

"I've got RED CODE!!!" - Cue hacking montage.

It made Tron look technically accurate.

I would say most hotels have a first floor with rooms. I was at one recently where the "balcony" was connected by a small path to the pool, so it was purposefully easy to access.

Because of this[1] Chrome extension, I wasn't sure whether you were talking about Donald Trump

[1]: http://somerichasshole.com/

Well, if lights (and the article mentioned TV) repeatedly go on at 3 a.m., this can give the hotel quite a bad reputation. A few bad ratings at reservation sites can have a notable impact on the business.

Also, you may be able to start a fire in someone's room by constantly switching lights/outlets on/off.

How would that start a fire?

CFL ballasts can overheat if you do that.

Maybe it's worse: If these are really off the shelf tablets, presumably the camera can be turned on remotely. Though I'm sure the hotel would have put a piece of black tape over it, right?

I was thinking the same thing. A tablet with a camera on an insecure network in the bathroom? Hell.

And the microphone

And the GPS

Except they a) know where the room is anyhow and b) GPS doesn't tend to work very well indoors

And the Joke Sensor

And my axe!

The downvotes were worth it.

Depends on how targeted the attack is. A hacker who is bored and is searching Shodan for what entertainment the IoT is offering might find GPS quite useful.

It's on a private subnet. You'd have to have some way to get onto the hotel's internal network. The one described in the post is being physically at the hotel. Now, there might be other ways, but this most likely isn't about to show up on Shodan.

You're right that in this particular case it's not a problem. Nevertheless any type of device that can be connected to a network, will be connected to the internet. Someone somewhere will make it happen.

I doubt the hotel came up with this solution completely by themselves. Whoever installed it will probably install it elsewhere and it's only a matter of time until it goes badly.

The silver lining of going with the lowest bidder: the tablets are unlikely to have cameras.

"Jesus Molina talked about doing this kind of thing a couple of years ago, so it's not some kind of one-off - instead, hotels are happily deploying systems with no meaningful security, and the outcome of sending a constant stream of "Set room lights to full" and "Open curtain" commands at 3AM seems fairly predictable."

Which takes us to this: "Any sufficiently advanced technology controlled by a miscreant is indistinguishable from a possessed object in a Stephen King Novel."


I can't wait until Random Q. Hacker can flood the lobby with blood from the elevators.

And if you wonder why the blood reservoir has to be connected to both the elevator shafts and to the Internet, I ask you this: who would want a dumb blood reservoir in their hotel? I mean, obviously you have to have one, but wouldn't you rather be able to query tank levels from your phone and automatically order refills online? Nobody wants to be the unlucky employee that has to go up there with a dipstick at midnight during a thunderstorm, right?

Stephen King magic I can handle, it's a particular Stephen Koontz tale of a mad computer nerd turning his town into cyborgs that concerns me. Great read! I think... was almost 30 years ago now....


I feel like I'm missing out on a huge bulk of money simply because when I have ideas of "Internet of Things", I can't get over the security obstacles and cancel the ideas. If only I just didn't care (or didn't know) and just implemented whatever the heck brought in money from oblivious customers.

Under pressure in an interview, yesterday, I found myself saying "'The Internet of Things' is short for 'The Internet of Things you don't need, sending surveillance data you don't want, to people you don't know.'"

> to people you don't know

What is worse, your data being sent to people you know or to people you don't know?

I argue to people that I'd rather have my photos on Google's servers than on the friendly local Dropbox clone.

Why? Because I know Google has systems in place to detect sysadmins browsing in data unrelated to their job, and I know they have fired people over it even if it was thought to have been done with good intentions.

Edit: as for tracking I wish they would up their game and stop providing ads for <insert eastern country here>-dating.<tld-of-the-day>

I wish they would take into consideration that I am happily married with more than 3 kids, belong to a subset of the population that has way less than a 10% divorce rate, and I might even be in the market for a new car at some point.

In fact I would even tell them if they asked.

There's surely a Wildean quote in there somewhere.. "The only thing worse than your data being sent to people you don't know..."

That's a puzzle question worthy of a board of ethics interview.

Depends -- WILL I know them afterwards?

The people you do know will purchase the information from the people you don't.

#2 I believe. Better the NSA than your auntie.

Maybe they'll appreciate your honesty?

Nah, companies want obedient, placid, fungible workers, not free-thinking radicals. Even the hipster ones that let you work remotely and choose your own projects and stuff.


At the interview for my current job I was asked how I'd secure a remote service. My first response was along the lines of "Ask someone who actually knows about security, because I know just enough that I'd probably mess it up".

I would have hired you

Well, coming up with that while under pressure is still to be commended.

Smart things? Sure.

Smart, connected things? Yes, maybe.

Smart things connecting over the Internet to a corporate cloud? Hell no.

If you find yourself saying something uncomfortable under pressure, this is probably not the right place for you.

Or you could just implement them as-is, earn a shitload of money and then enhance their security in the next version or with a firmware update once you have the luxury of investing in R&D. At least it's better if a security-wary entrepreneur implements them instead of someone who simply doesn't give a flying fuck.

Did you keep a straight face while you suggested that people actually upgrade firmware?

Keep in mind that we're talking about always-connected devices. Firmware updates could be done remotely without the end user needing to do anything, except perhaps give his approval.

Great, my fridge just rebooted for a firmware update and bricked itself; now the peas are rapidly defrosting and I am in a panic.

Edit: Shoutout to Internet of Shit https://twitter.com/internetofshit

There are ways to build things so that this isn't a problem. Modularize.

It's easy to build it in a way so that the worst that the software can do is cause it to turn into a "dumb" fridge.

My problem with this whole hatred of iot is that it's not productive.

It's a bunch of people commenting how the trend is dumb and how everything was so much better in the past. Nobody ever gives suggestions on how to improve it, or how to fix some of these issues, or even what they would like to see. It's always just "Who wants a wifi light switch anyway?" or "Oh great, now my door lock can freeze".

> It's easy to build it in a way so that the worst that the software can do is cause it to turn into a "dumb" fridge.

If it's so easy, why don't more companies do it? Why didn't Nest build their thermostats so that when the battery runs out, it reverts to a "dumb" thermostat instead of turning off your heat? http://www.theguardian.com/technology/2016/jan/15/bug-nest-t...

To be fair, most "dumb" thermostats still require an external power source to continue to operate.

Very few actually pull operating current from the 24v C wire if it even exists on the given system. If it doesn't, R (the switched 24v power for Heat and Cold signals) isn't guaranteed to continually have current. Only when your Heat is turned on (probably a standard toggle lightswitch on the side of your furnace) will there be current on the Rh line, and only when your AC is enabled (possibly a breaker shunt on the side of your house near the condenser unit in a small box) will there be current on the Rc line.

Nest tries to recharge its battery by trickling the C wire, if available, and if not it will try to charge off of one of the R wires, either during normal operation, or it will try and "pulse" the heat signal to pull a little bit of current to keep going. Thermostats were designed at a time when they didn't even consume any electricity on their own. We're trying to retrofit computers into a signaling system, not a circuit.

Really? Most thermostats I've seen are a bimetallic strip with either a magnet or a mercury switch for hysteresis.

Can you even buy those anymore?

The GP is right: most new thermostats don't take power from the 24VAC line. That surprised me when my heat wouldn't come on one morning because the battery was too weak to pull in the relay for more than a few seconds. That's what I get for ignoring the "low battery" warning! All my previous electronic thermostats only used the battery as a backup.

In any case, are you really saying that using a toxic metal (mercury), or an imprecise bimetallic strip is really an improvement over a simple $10 electronic thermostat?

I guess when I think of a "dumb" thermostat I think non-electronic. None of the 5 places I've lived in as an adult has had an electronic thermostat.

I should have been more specific by stating the difference between a dumb digital thermostat as I was describing, and a truly analog thermostat like the Honeywell T87.

A dumb digital thermostat is just a thermocouple and a relay, which you could rig together with very little EE knowledge and a weekend with an Arduino.

Honestly, i'm not sure.

It's clearly more work to do it that way, as you'd need multiple "layers" of firmware/code which all need to communicate and run on their own, but I personally see that as insurance against the exact situation you are describing.

Nest is far from what I'd consider a good IOT company. They are the epitome of vendor lock-in, proprietary and buggy code, and shitty support.

What would you consider a good IOT company?

I'd consider Philips one (specifically whatever part of the company does Hue products; even with their recent base-station changes to only work with their bulbs). I don't think their base station has EVER crashed on me, not once. They made sound architectural decisions for the product as a whole - it's not some bloated Linux thing but it runs FreeRTOS and does only what it needs to. I have one of their push-button kinetic power light switches in my setup and I've forgotten that it isn't an old-school lighting setup most of the time. That's because of another good architectural decision - they had the sense to decide that simple RF code-sending to the base station was good enough for the switch, rather than trying to make the switch into some kind of Wi-Fi connected thing running a TCP/IP and web stack (did I mention the switch needs no battery or external power of any sort?). The system stays out of my way and just works when I want it to, while still allowing me to dig in and add-on cool automation where it's appropriate.

The thing I don't get with 'control everything with your smartphone!' is that people don't think about everyday use. It's like the people that design these products don't look at the actual, repeated use cases. Why would I want to pull my phone out of my pocket, unlock it, find the app I need, launch the app, wait for it to connect, hit the buttons I want....

(Even when I'm on Android and I can have an IoT control widget on my homescreen, that's still pulling the phone out, switching it on, unlocking it with my fingerprint, finding the page, hitting the button.... oops I forgot to turn Wi-Fi back on, better do that....)

I think IoT is great, but to do a great job at it you need to design the product with that in mind to begin with. The whole architecture of the product has to fit (see again, Hue). Sure, picking an Android tablet is easy, but why would you architect all that complexity? Why not a touchscreen device with a really simple real-time OS that does only what it needs to do?

I'm confident that this will all be self-correcting in the end. Consumers and 'the market' are smarter than we give them credit for. Certainly it takes a long time for them to react, but I think that when enough of the public is jaded by 'bad IoT' and the fad phase has passed, the actually good IoT products will survive and those companies that really think about their designs as a whole will be rewarded.

My nest had a bad firmware update and my heat turned on to 99 degrees. Good thing I was home....

Your nest is not built in this way...

This is exactly the sentiment I was talking about though.

If you buy a car that had a faulty AC unit, do you just swear off cars altogether because "they all have shitty AC"?

Why do so many people like to bring up bugs/issues with poor iot devices and act like it is something that can't be improved or fixed?

I think it's because it's so prevalent. If your car had a faulty AC unit, you wouldn't swear off all cars, because most cars don't have that problem. But I feel like we're all still waiting for an Internet of Things Thing to show up that's actually done right. And it's been long enough that if nobody has done it right so far, it seems like a distinct possibility that nobody ever will.

>And it's been long enough that if nobody has done it right so far, it seems like a distinct possibility that nobody ever will.

But it hasn't been that long at all, and there are people doing it right.

The problem is that they are expensive and don't offer the same amount of features that some people want.

Take the "traditional" smarthome networks like z wave and friends.

I have a z wave light switch that works as a lightswitch 100% of the time. I actually installed the switches before I had a controller for them.

Add a controller and you have a "smarthome".

Connect that controller to your wifi and you have the ability to control these things safely from within your own network using anything from a bash script to shitty iphone apps.

Connect that network to the internet through a firewall and an authentication system and you now can control all of that stuff securely across the planet.

If any one of those breaks, functionality is reduced. Internet is down, I can't control it outside the house. Controller goes down, I can't control them as groups or from within the house but still "remotely". But it will literally always turn on/off the lights when I hit the switch. I don't need to worry about the security of a cheap chinese zwave knockoff thing because the controller is that gatekeeper.

That's IOT done right.

But people don't want to pay the money for that, they don't want to pay an electrician to come out and install them across the whole house, they don't care about security or what happens when the internet is down, they want a light they can control from their phone for as cheap as possible as fast as possible. And of course when people are asking for a product, manufacturers are going to make it.

Indeed, I'm quite happy with my INSTEON system. They're stylish, high quality in wall switches, they have a very reliable (though unfortunately proprietary) communications protocol. The serial and USB adapters for them are easy to code for and there's a variety of third party control programs available. I'm writing my own actually. They also now have a cloud hub for people who want that sort of thing.

If nearly all cars available had a faulty braking system, would you swear off cars altogether or would you keep looking for one with it fixed?

Having a $3500 fridge go dumb via updates made people very unhappy.


I think if people actually wanted the products, they'd be more likely to offer constructive solutions.

If your connected fridge can brick itself in such a way that it stops refrigerating things, then it wasn't worth buying in the first place. Especially for things like this, where you could end up accidentally poisoning someone, the failsafe in case of software failure should be switching to an old-school circuit that just keeps things at a fixed temperature.

> wasn't worth buying in the first place

Hence my shoutout to IoS! :)

Sure, I'll tag along. Problem is, in a few years you may not have a choice because all fridges will be Internet-enabled by default. It's already happening with TVs, where 70% of new sets are smart TVs. And you know, personally I don't mind, because if it bothers me too much I'd just make sure that the damn thing never gets online access, but I doubt the average consumer could go to such lengths. So instead of moaning and bitching about it, perhaps we, as a community, ought to think about ways to solve security issues. Otherwise the industry will just go ahead and build them no matter what.

> if it bothers me too much I'd just make sure that the damn thing never gets online access

Which might be quite a challenge with some devices when your neighbors drown you in free WiFi.

How about a market for custom made Faraday cages? :)

I wrote this rant, along the same lines, in 2001:


Fifteen years ago. Wow, I love the way I gave Jini a shout-out.

Daquiri liquified ftw!!

First, calm down. Defrosting peas is not in absolute or relative terms a big deal.

Nothing in remote/automatic updates requires being brickable. Don't buy such a crappy fridge.

Or, call a serviceman to fix it, just like you would today with a dumb fridge.

Add a physical switch for firmware updates, on an opt-in basis.

How does Tesla implement updates?

So we're back to a couple of comments above: suggesting that people actually upgrade firmware.

An opt-in switch is merely convenience for the incredibly thin % that bothers with this kind of thing. And that % will actually be informed enough to not opt in.

Come to think of it, that % will likely be informed enough not to buy this kind of device in the first place.

> How does Tesla implement updates?

Tesla has a pretty vested interest in shit keeping working considering it's a pretty luxurious and high-profile product. The cut-price manufacturer of your $20 lightbulb or $300 fridge? Not so much.

The cheapest Chromebooks ship at $149 and have a pretty much unbrickable automated update flow that includes the firmware for the CPU and embedded controller(s).

It's not a matter of luxury, it's a matter of having people work on it who care.

Disclosure: I work with them. Much <3 :)

Except when you're abroad on roaming cellular charges, and your three laptops decided that since your iPhone's personal hotspot is WiFi, it's time to download today's ChromeOS image version, because the one you had downloaded the night before was not good enough anymore.

Source: Chromebooks are awesome, and even with excesses like this, they're still the cheapest to operate by far.

Chrome OS tries to honor various DHCP server flags that state that the connection is metered. Unfortunately iOS doesn't seem to provide any such indication.

A comment in https://bugs.chromium.org/p/chromium/issues/detail?id=323010 claims that the BSSID is used for a "suspected" state, but that may not be enough to actually stop it from downloading updates, but I'm far from an expert in that domain.

In short, identifying tethering states with iOS seems to be hard.

You can determine whether the network is a Personal Hotspot heuristically. It is nice of them to have implemented private DHCP flags in Android, but if you routinely pull hundreds of megabytes without user interaction...

Then the opportunity is to convince customers why they should pay more for well-supported connected products. Easiest way is to make high-margin products.

That's the Tesla case. Or alternatively the Apple case. The vast majority of customers go with not that, and history shows you won't convince them the intangibles are worth it.

Opt-in just means nobody gets updates again. I realise this is more a techy audience, but think of these things from the mainstream perspective. Especially when the tabloids and social network copypastes get the word out that hackers can turn your oven on or something if you enable updates.

Which introduces a whole new set of security challenges to prevent attackers from getting write access to the devices.

You can do what Apple does and require the firmware to be signed
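Taking the signed-firmware suggestion above together with the earlier point that a bad update must at worst leave the device running its old firmware, here is an added example in Go (written for this page, not code from any poster or vendor): an A/B-slot updater that verifies an Ed25519 signature over the image, refuses version rollback, and keeps the previous slot active whenever the new image fails its boot check. The key pair, image format and boot check are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is an update as the vendor ships it (constructed format): a monotonically
// increasing version, the payload, and an Ed25519 signature over
// SHA-256(version || payload).
type Image struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// digest is the exact byte string the vendor signs and the device verifies; binding
// the version into it stops an old signed image being re-labelled as a newer one.
func digest(version uint32, payload []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h := sha256.New()
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// Sign is the vendor side, included only so the example runs offline.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	return Image{Version: version, Payload: payload,
		Signature: ed25519.Sign(priv, digest(version, payload))}
}

// Device holds two firmware slots (A/B). The active one keeps running until a new
// image has verified, been written to the other slot, and passed its boot check.
type Device struct {
	VendorPub ed25519.PublicKey // provisioned at manufacture, never written over the network
	Slots     [2]Image
	Active    int
}

var (
	ErrBadSignature = errors.New("signature does not verify under the vendor key")
	ErrRollback     = errors.New("image is not newer than the running firmware")
	ErrBootFailed   = errors.New("new image failed its boot check; previous slot kept")
)

// NewDevice provisions a device with the vendor public key and its factory image.
func NewDevice(pub ed25519.PublicKey, factory Image) *Device {
	d := &Device{VendorPub: pub}
	d.Slots[0] = factory
	return d
}

// bootCheck stands in for the post-flash self-test. Constructed rule: a bootable
// payload begins with the magic bytes "FW".
func bootCheck(img Image) bool {
	return len(img.Payload) >= 2 && string(img.Payload[:2]) == "FW"
}

// ApplyUpdate is the whole remote-update path. Every failure leaves the old firmware
// in place, so the worst outcome is a device that stays on its current version.
func (d *Device) ApplyUpdate(img Image) error {
	if !ed25519.Verify(d.VendorPub, digest(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= d.RunningVersion() {
		return ErrRollback // signed but old: refuse downgrades to known-bad releases
	}
	spare := 1 - d.Active
	d.Slots[spare] = img
	if !bootCheck(img) {
		d.Slots[spare] = Image{} // scrub the bad image; Active never moved
		return ErrBootFailed
	}
	d.Active = spare
	return nil
}

// RunningVersion reports which firmware is actually executing.
func (d *Device) RunningVersion() uint32 { return d.Slots[d.Active].Version }

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key; a device holds only pub
	dev := NewDevice(pub, Sign(priv, 1, []byte("FW v1")))
	good := Sign(priv, 2, []byte("FW v2"))
	tampered := good
	tampered.Payload = []byte("FW evil") // altered after signing
	dud := Sign(priv, 3, []byte("oops"))  // properly signed, but does not boot
	fmt.Println(dev.ApplyUpdate(tampered), dev.RunningVersion()) // ErrBadSignature, still 1
	fmt.Println(dev.ApplyUpdate(good), dev.RunningVersion())     // <nil> 2
	fmt.Println(dev.ApplyUpdate(dud), dev.RunningVersion())      // ErrBootFailed, still 2
	fmt.Println(dev.ApplyUpdate(Sign(priv, 1, []byte("FW v1"))), dev.RunningVersion()) // ErrRollback, 2
}
```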

Heck, a third-party could probably update their firmware for them!

So we're now talking about insecure devices that can receive firmware updates remotely?

If it's a true IoT, people might not really have a choice ;)

No. Bolt-on security doesn't work.

It is either possible to do something securely and won't really take significantly more time, or it's not possible to do it securely at all, and no future update is going to fix it.

So why do I bother clicking "install updates" on my machine every few days?

There's a difference between security issues due to a programming bug vs. an insecure design.

If an application was created without security in mind, in the worst case it might require a complete rewrite. In other cases it might be a whack-a-mole game.

For example, compare ssh vs. an application that simply opens a port and starts bash as root. You can use both to control your server, but if you want to add security it would be a lot of work (you could incrementally add authentication, encryption, maybe restrict what the user can do, but there will be a million and one ways to escape).

After fixing one issue after another without seeing the end you'll realize it would be less work to just rewrite it from scratch with security in mind.

Security is not a feature, it is a process.

I think the parent post is talking about a design for security rather than fixing security bugs. A device or system designed without security in mind likely isn't going to get security as a priority at any point in its lifetime, or isn't going to be worked on by security minded folk. Any updates are likely going to be superficial, poorly implemented, or simply not a priority for the developers.

In regards to IoT devices, as the article is lamenting, many are designed with no security in mind and instead seem to be thrown together as quick as possible to achieve a function, without considering the implications that a security breach may have with said device. (e.g., IoT baby monitors, thermostats, home locking systems)

Because in practice, for the moment, there is a difference between "insecure" and "insecure and being exploited in the wild".

I dislike that we live in a world where this is acceptable to people.

I worked for a startup and found cross-site scripting vulnerabilities and other issues like GET URLs for deleting things. I was told to leave it alone and not "waste my time" because we don't have a lot of users and we weren't popular. I cringe at the justification. Security should be a necessary skill. It shouldn't be something after the fact.

I call this the "we don't do anything special" fallacy. They consider hackers to be something like in the movies where a team of slick black leather clad folks plan a digital heist, and why should a bunch of movie stars care about our little business.

In truth it's much much more like how Google just has computers trying to index every site on the internet that they can find. Most of the attacks these days are broad searching things, just testing every exploit they can against every site they can.

Also, seriously, Google will find and index those GET+DELETE non-idempotent URLs and ruin their day.
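The GET-that-deletes pattern in this exchange, as an added Go example (not code from the thread's posters or from the startup described): the vulnerable route beside a hardened one that only acts on POST with a session-bound CSRF token, and a constructed crawler that follows every link to show which one loses data. The store, the session cookie name and the secret are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Store is a constructed in-memory stand-in for the application's database.
type Store struct {
	mu    sync.Mutex
	items map[string]bool
}

func NewStore(ids ...string) *Store {
	s := &Store{items: map[string]bool{}}
	for _, id := range ids {
		s.items[id] = true
	}
	return s
}

func (s *Store) Delete(id string) { s.mu.Lock(); delete(s.items, id); s.mu.Unlock() }
func (s *Store) Count() int        { s.mu.Lock(); defer s.mu.Unlock(); return len(s.items) }

// VulnerableDelete is the pattern the thread describes: a plain link such as /delete?id=42
// that destroys data on GET. Anything that follows links (an indexer, a prefetcher) fires it.
func VulnerableDelete(s *Store) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		s.Delete(r.URL.Query().Get("id"))
		w.WriteHeader(http.StatusOK)
	})
}

var csrfKey = []byte("constructed-example-secret") // constructed; a real deployment loads it from config

// CSRFToken derives a per-session token that a cross-site form cannot forge.
func CSRFToken(sessionID string) string {
	m := hmac.New(sha256.New, csrfKey)
	m.Write([]byte(sessionID))
	return hex.EncodeToString(m.Sum(nil))
}

// SafeDelete changes state only on POST and only with a token bound to the caller's
// session, so crawlers (GET) and foreign sites (no valid token) both fail closed.
func SafeDelete(s *Store) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			w.Header().Set("Allow", http.MethodPost)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		session, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "no session", http.StatusUnauthorized)
			return
		}
		if !hmac.Equal([]byte(CSRFToken(session.Value)), []byte(r.FormValue("csrf"))) {
			http.Error(w, "bad csrf token", http.StatusForbidden)
			return
		}
		s.Delete(r.FormValue("id"))
		w.WriteHeader(http.StatusNoContent)
	})
}

// Crawl mimics an indexing bot (constructed): it GETs every link and tallies status codes.
func Crawl(h http.Handler, links []string) map[int]int {
	codes := map[int]int{}
	for _, l := range links {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, l, nil))
		codes[rec.Code]++
	}
	return codes
}

// PostDelete issues the form submission a logged-in user's browser would send.
func PostDelete(h http.Handler, session, id, token string) int {
	req := httptest.NewRequest(http.MethodPost, "/delete", strings.NewReader("id="+id+"&csrf="+token))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.AddCookie(&http.Cookie{Name: "session", Value: session})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	links := []string{"/delete?id=1", "/delete?id=2", "/delete?id=3"}
	vuln, safe := NewStore("1", "2", "3"), NewStore("1", "2", "3")
	fmt.Println(Crawl(VulnerableDelete(vuln), links), vuln.Count()) // map[200:3] 0: the bot deleted everything
	fmt.Println(Crawl(SafeDelete(safe), links), safe.Count())       // map[405:3] 3
	fmt.Println(PostDelete(SafeDelete(safe), "sess-abc", "2", ""), safe.Count())                   // 403 3
	fmt.Println(PostDelete(SafeDelete(safe), "sess-abc", "2", CSRFToken("sess-abc")), safe.Count()) // 204 2
}
```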

Absolutely true! I have to tell people that many attacks just try every door to see if it's unlocked. They are not movie-plot-style targeted attacks. And such attacks can and do lead to data breaches!

This is why I absolutely believe and publicly talk about security being a matter of developer ethics. I have used my walk away power to get a company to do the security they needed in a similar, but not quite the same type of situation.

Here is the professional ethics piece of a talk I gave last year to a developer meetup: https://www.youtube.com/watch?v=dj196NhPyWs&t=43m36s

I think they were right to tell you to leave them alone, but a better answer would be: "we'll add them to our backlog (or whatever way you manage issues or work), and get to them by X iteration". As long as you were really working on an MVP and not a version 1.x.

That's technical debt, and it's hard to fix. A prototype, sure, it can have flaws, it's a proof of concept of feature X, not feature X SECURED. But then the release has to be a rewrite. If it's not, those flaws are more likely to become permanent. And when they do begin work on repairing their codebase, they'll spend several times the money and time to fix than if they'd spent some time early on. They'll also likely introduce numerous other issues in the process.

Ok, I'll clarify: I think they were right as long as it was a throwaway prototype. And the GET delete operations are probably a bad idea even for a prototype. I was thinking of a rewrite for release 1.x.

I don't have enough knowledge of the stage the OP's startup was to have answered, so I stand corrected.

In my experience, "throwaway" prototypes almost never are.

I'm scared that when the prototype is done someone says "looks good, ship it!"

That's a totally legitimate fear.

These days, this is the kind of thing I negotiate up front. When they ask me how long something will take, I explain that they can have a prototype quickly, but only if they promise to throw it away as soon as the experiment is done. I explain that they can have me build a movie set or a real house, but that there's nothing in between. [1] And then I leave the choice up to them, explaining that it's really about their business judgement.

Generally people keep their promises on this, although sometimes it takes a little reminding. When they do, the business benefits are substantial. A good product person really benefits from doing quick, cheap experiments. And they also benefit from having a solid platform of high-reliability code for production use. But they can only get the benefits of both if they're careful not to mix the two.

[1] There is actually something between, but they don't want it: http://agilefocus.com/2009/06/22/the-3-kinds-of-code/

I'm old and have been in this industry a long time, and I'm genuinely surprised on those oh-so-rare occasions when what you describe doesn't happen.

Prototypes-become-products is a trope much like _The Mythical Man Month_. We all nod knowingly when it is mentioned, we all know how it will turn out, and then we (well, management dictates that we...) turn right around and do the opposite.

The problem is those things end up being forgotten or interfaced to in so many places that in the end they become un-fixable or won't be fixed to keep other stuff running.

You need to do it right from day #1.

I was thinking more of a throwaway prototype, but the answers on other threads convinced me it wasn't good advice, and I don't know what stage the OP's startup is.

I build stuff like that - my approach is to limit capabilities to the absolute minimum, and anything that is not needed for function but necessary for debug/diagnostics stays on the device rather than going across the network. This limits the devices a fair bit - firmware update across the network with no local interaction is not allowed, nor is accessing the local data store. Want to email me and talk about this?

Which is exactly what a physical switch would do. No wireless internet, no GUI, just a switch.

Absolutely - and for a light switch it's appropriate. As an example of a thing that needs internet to function, consider a heater controller that has a high power and low power mode depending on momentary cost of electricity - it fetches price data across the network, and it's important to log things like temperature at various points of the device for diagnostics. Now, it's very tempting to send the diagnostic data across the network, but this leaks usage information. It's also tempting to allow things like remote configuration, firmware updates and reading device memory for debug, but that can leak network access credentials or make the device a beachhead for access to the internal network. This is why any feature like that is to be avoided and, if present, needs to be activated from the device itself, not remotely. If you NEED remote control, see if you can limit its scope of functionality to the bare minimum, and consider who needs access to it - in the case of the heater controller, the provider of the pricing data doesn't need to know or control the state of the device, so there's no need to allow that on that connection. Where possible, make the device a CLIENT rather than a SERVER - have the device itself initiate connections, to an address that is entered by local interaction, rather than accept connections from anywhere. If you MUST break those rules and accept connections from anywhere, that's when you really need to spend a fuckton of effort securing every aspect of your device, client applications, and protocol.

In addition to this, my problem is usually, "I could solve that problem with $5 in discrete electronic components." :P

Wouldn't the way to go about this be: Create an MVP (w/out much security) - get funding for the MVP, hire security experts, get over the obstacles?

I wonder if the competition wouldn't just skip the security, then beat you on the price because you are paying lots of money for security experts. Most customers don't care about/understand security and your company fails.

Find a way to demonstrate the flaws in various products, aim for non-consumer markets. Businesses that have an actual motivation to have secure devices like the hotel in the article would be more inclined to spend the extra money, especially if it at least eliminated a trivially hackable configuration like, again, in the article.

Hire Russian black hats to sabotage the competition?

The problem is that the entire industry would get a bad reputation, not just the competition. You might be shooting yourself in the foot.

I wish you would.

The difference between you and the dunces building things like this hotel light system is that you know that there's a problem and will work to fix it. As the market matures, security will become more important. But the only companies with the chance to fix it will be the ones with substantial market share. And the people who will fix it best will be the ones, like you, thinking about security from the beginning. But that can only happen if people like you get in early and lay down the infrastructure in a way where security will at least be possible.

Android/iOS is an interesting idea for a business. They already have secure app distribution. A private channel in the Google play store or via app store adhoc. Communication between the devices via a server should be possible at least using HTTPS but also private/public key encryption. Doesn't have to be an actual server just one of the devices in server mode.

What could possibly go wrong?

Yep, you have to lose all shame to be successful. See also the subthread about MIFARE cards in the "towel with RFID" submission.

Good point, seems like places get sold products that are smoke and mirrors. If they knew what was going on in the background they would be shocked. Best plan is to build up a big customer base with a smoke and mirror product and then sell out and hope you don't get sued.

Yes, I'm sure that the only thing standing between you and untold riches is your resistance to lax security measures in app-controlled sous vide machines.

The security risk in an app-controlled sous vide machine includes starting a fire that burns your house down.

- Sous vide normally uses a water bath at a controlled low temperature over a long period of time.

- Hike the temperature up past the boiling point, and the water is evaporated, allowing you to hike the temperature up to ignition points.

- Or, cycle the electronics fast enough to overload the power supply. If it isn't designed well, either the wall circuit blows or the power supply bursts into flame.

- In any case, the expectation of a long unattended cooking process means that human observers might not be in the loop.

It seems unlikely that the device received a UL certification without a simple thermal cutoff switch that is common even in low-end cooking appliances.

Even without deliberate hackers, the device needs to contend with software errors, running without water, or a stuck relay that could leave it boiling dry and overheating.

You just need to look at Therac-25 for a device which lacked hardware interlocks/cut-offs, had flawed/buggy software interlocks, and still received certification.

You mean I only need to look back 35 years to a professional medical device built when computer control was still very new, that wasn't intended to be operated by unskilled consumers, and wasn't certified to be safe for home use?

Therac's often used as the "canonical" example, but there are more recent issues that stem from a lack of a physical interlock:

  - VW's dieselgate (although that was intentional)
  - Virgin Galactic VSS Enterprise crash
    (yes, designed for a skilled operator, but still: no interlock on the brake)
  - Pyranha Moulding's industrial oven [1]
  - Hotpoint tumble-dryers catching fire [2]

Even without network connectivity, household products still get recalled for issues such as fire risk, because they lack things like thermal cutoffs, or the cutoff is in some way inadequate.

Perhaps 35 years ago computer control was still very new, but right now, IoT is very new, so there's a whole new world of mistakes to learn from, and the evidence is very clear: serious mistakes are being made.

  [1] http://www.cps.gov.uk/news/latest_news/pyranha_mouldings_ltd/
  [2] http://www.bbc.co.uk/news/business-35744313

I thought you were supposed to implement it in a basic way then have the investor money pay for other people to think through your project

I am coming to the conclusion that these devices should be treated like every other URL on the web. It should have TLS with a proper cert, a global domain name, wifi, and access controlled by something well known like OpenID/OAuth. With native apps and CORS, firewall traversal is solvable without special protocols and adaptors.

You have to put things in perspective. It just has to be secure enough. It's for example hard to build anything if it has to endure a meteor strike.

This is the unfortunate outcome of a bunch of factors.

OEMs moving to XXX over TCP protocols which have zero security by default and documenting this in the datasheets.

VAR installers switching to the newer products because CAT5 cable is cheaper and easier to pull than what they used to use.

The previous solution was just as insecure but harder to hack because you needed more specialised equipment.

I'm not sure how we are going to fix this without getting the OEM industry and the industry bodies behind xxx over TCP to understand that they need to bake a security model in.

Also, for the particular case of MODBUS over TCP, MODBUS itself doesn't have any security aspect (by design) it is a very simple byte read/write protocol really.

Just read over their FAQ. They claim that Modbus over TCP is an internet protocol. Nowhere do they even mention security. I wonder how many devices are sitting on IPv4 addresses that are completely controllable over the net without a shred of security. Lovely.
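To make the point of the two comments above concrete (Modbus is a plain byte read/write protocol, and Modbus/TCP adds no security on top), here is an added example, not code from the thread or from any Modbus vendor: it decodes the MBAP header and PDU of captured Modbus/TCP requests and raises an alert when a write function code arrives from any host other than the known building-management controller. The IP addresses and frames are constructed sample data.

```python
"""Audit Modbus/TCP request frames: parse the MBAP header and PDU, then flag
write requests from hosts that are not the known building-management controller."""
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change plant state (coils = relays, registers = setpoints)
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]   # start address for the common read/write PDUs
    value: Optional[int]     # quantity (reads) or written value (single writes)


def parse_mbap(frame: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP request. Note what is NOT here: no authentication
    and no integrity field; anything that can reach port 502 can issue requests."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:          # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    func = pdu[0]
    address = value = None
    if func in READ_FUNCTIONS or func in WRITE_FUNCTIONS:
        if len(pdu) < 5:
            raise ValueError("PDU too short for address/quantity fields")
        address, value = struct.unpack(">HH", pdu[1:5])
    return ModbusRequest(tid, uid, func, address, value)


def audit(captures, allowed_writers):
    """captures: (source_ip, frame) pairs. Returns alert strings for write
    requests from hosts outside allowed_writers and for frames that don't parse."""
    alerts = []
    for src, frame in captures:
        try:
            req = parse_mbap(frame)
        except ValueError as err:
            alerts.append(f"{src}: malformed frame ({err})")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src}: {WRITE_FUNCTIONS[req.function]} to unit "
                          f"{req.unit_id} addr {req.address} value 0x{req.value:04x}")
    return alerts


# Constructed sample capture (hypothetical addresses): a legitimate register poll
# from the BMS controller, then a "Write Single Coil ON" (FF00) from a guest-range
# host, then a frame with a non-zero protocol id.
BMS_CONTROLLER = "10.0.0.5"
SAMPLE_CAPTURE = [
    (BMS_CONTROLLER, bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    ("10.0.0.77",    bytes.fromhex("0002 0000 0006 01 05 0001 ff00")),
    ("10.0.0.77",    bytes.fromhex("0003 0001 0006 01 05 0001 ff00")),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_CAPTURE, {BMS_CONTROLLER}):
        print(line)
```

Run against a real capture, every write from an address outside the controller allowlist is an alert; the same decoder shows why a VLAN per room (or a firewall in front of port 502) is the only thing keeping a guest's tablet from issuing the same frames.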

Previously: https://blog.shodan.io/dont-be-clever/

> For example, you might know that Shodan crawls the Internet for industrial control systems (ICS). One of the most popular protocols in ICS is called Modbus that runs on port 502. At the moment, there are about 17,000 devices listening to Modbus on the default port. It turns out there are also 700 devices listening on port 503, again a one-off sort of situation.

Probably over 20k by now

Thanks. Exactly as bad as I expected.

> how we are going to fix this

Lawsuits for damages, as usual.

I couldn't agree more. It shouldn't surprise anyone that cheap outfits are cutting corners on something optional.

Structural engineering solved these kinds of problems with building codes. While I'm not sure that's the answer here, I think most people would welcome guidance beyond "just put whatever devices you want on a shared network and hope for the best".

> Structural engineering solved these kinds of problems with building codes.

I'm guessing a lot of buildings and bridges had to collapse for codes to take hold. I hate to think about how many power grid shutdowns and crashing cars we will have to go through. Clearly the routine theft of personal data has not made enough of an impact to improve security.

Technology for technology's sake is a real shitshow and a big problem.

I was in my friend's Honda Pilot the other day, which has the new trendy big screen interface to replace the radio. I'm sure it is insecure junk, but more importantly it is a nightmare for humans.

I have a BS in CS, have developed some enterprise apps, run major complex tech programs successfully, and could program my dad's VCR in the early 80s. And... It took me nearly 10 minutes to figure out how to turn off the radio on the weird touchscreen.

To turn the radio on requires 4 clicks, and the key button is on the corner of the screen, where it is least responsive to touch. I would probably be safer driving with my knees and texting with two hands than controlling that radio.

KNX is one of the most sophisticated and proven intelligent building protocols, widely adopted in Europe.

If anyone is interested, cross-scan its default IP interface port 3671 and, say, a German telecom ISP IP range (there is a CSV available on the web) with an efficient penetration test tool like masscan, challenge it with 0x0205, and look for 0x0206 in the response.

Thousands of homes, factories and commercial buildings welcome you with real-time datagrams from all their switches/appliances/presences/sensors/cams/... Bonus point: writable!

The title is implying that Android is the culprit here, and not just a horrible design and implementation.

Yes, I was also misled by the title. Read it again: "Android" appears in the text as well as in the title, as if something to do with the Android OS is responsible, especially taking into account that the guy is a security developer at CoreOS.

* "I stayed in a hotel with Android lightswitches and it was as bad as you'd think "

Another title would be:

* "CoreOS security developer stays in a hotel, and hacks the light switches to.."

All that internet, and the android tablets are still just sitting on the wall where the light switches used to be. What's the cost in hardware and electricity to move from light switches to android tablets for an entire hotel?

Look, the sales guy gave the president a _really_ nice lunch.

I feel like the only thing that can fix this type of mentality is a line of products targeted towards annoying nerdy 13-year-old boys, the type of boy that a lot of us were. We need to make it easy for them to abuse security lapses in IoT products. When I was in middle school, I brought a universal remote to class and turned on the television set. Yeah, I know, I was a badass. But these kids will do much more.

The problem is that when a software engineer goes to the front desk of a hotel and complains about the security of the brand new Android-Powered Hi-Tech system that they just put in, the person working the desk thinks, "Haha wow! That nerd was a real Sheldon Cooper, like on the television!" and they don't care at all. If you live in a bubble where programming and computer work is black magic, well then of course it is completely inevitable that someone so nerdy and so smart would be able to hack everything on the planet. So they don't really think there's anything to be done.

When it's a group of annoying little 15-year-olds that sneak out in the middle of the night to wake up all of your guests, it's a lot bigger of a deal.

Not sure why this is getting downvoted. This is a big part of what happened with internet security over the years.

Back at the dawn of time, less than a billion seconds from epoch, it was considered rude to exploit obvious security holes. People would actually track down casual hackers and get them in trouble. But once script kiddies came on the scene, it became a lost cause. Once it could be any 14-year-old idiot on the planet scanning your ports and exploiting your old, unpatched software, it became clear that tacit agreements and social pressure weren't enough. The burden of security began to shift to people who created the software.

I like that idea! A 21st century version of: https://41.media.tumblr.com/b56a0e413ba7869ffc4a9ec99777f132...

Except that nowadays they'll be locked up for 5 years.

This whole IoT craze is turning into a nightmare. People are building all kinds of devices in complete ignorance of Security.

Just let them. The sooner people realize that buying a cheap $35 smart watch, or embedding the cheapest Android tablets into walls, or turning off your heating completely after the battery in your smart thermostat dies... the sooner we'll be in a place where the security of IoT is actually considered, not only as important, but as crucial. Then, we can have nice things.

Maybe we'll end up with a standard certification equivalent to UL or the green padlock next to the URL. Probably about 5 years in the future.

I liked how the article gave the commands used to set up the correct networking config with the bridge.

Can anyone recommend a good reference / tutorial for learning basic network-fu in unix ?

Yeah, wow. Twelve years ago, I worked for a firm that built DVOD (digital video on demand) systems for hotels across Australia and UAE.

Even then, and with the limited 'damage' that could be done, each and every single room got its own VLAN. That was certainly a little ugly to manage at times, especially in a 1200 room hotel, but yes.

Isn't this just a modern day equivalent of Phone Phreaking ?

There used to be party lines in villages where the whole village could listen in to anyone's phone call.

Never mind the operator could also have a sticky beak.

Now if they can change your sound system to play Kanye West... that truly is a problem worth worrying about.

This is why I don't understand the "Internet of Things." A light switch is a pretty effective solution to the problem; there seems little advantage to networking it. Ditto for a toaster, refrigerator, et cetera, et cetera.

Now get off my lawn!

You want to have your lights come on at a certain time.

You want to add motion detection to lights turning on.

You want to attach light sensors to have variable intensity bulbs be brighter or dimmer depending on ambient lighting conditions.

You want your lights to turn on inside your garage when the garage door opens.

You want your front hallway light to come on when your door is opened.

You want to be able to check all the lights in your house at a glance to make sure you did not accidentally leave any on.

You want to have all your lights auto-off when your kids should be in bed.

And of course, most importantly:

You want to turn your house into a rave party, or an epileptic seizure inducing disaster, and I don't think there is actually a difference there.

Your networked toaster might have online profiles for how to optimally toast bread, bagels, rolls, etc based on the type of bread and they would be available on a per-toaster basis. Rather than just odd balling how you want your toast done, you could buy a toaster that has profiles with high ratings that will toast your bread to your exact desire with your given model of toaster.

For your fridge, it could have isolated temperature and humidity per compartment, give alerts when different foods are low in quantity / going bad, track the expiration dates of all your food, and have the same lighting features as your house lights.

There are plenty of applications of "smart" devices. The problem with the IoT is that once you put software in a device you need to be responsible for it, and I don't believe there is actually a single hardware manufacturer on Earth right now who is legitimately responsible for their hardware and respectful of their users (particularly their software freedoms in relation to that hardware).

None of these things sound like killer applications, and few of them require any kind of computational power let alone networking. There are much simpler ways of accomplishing the same things. That is my point; IoT proponents are adding unnecessary complexity for dubious gains. Some examples:

You want to have your lights come on at a certain time.

I can get a timer at a hardware store.

You want to add motion detection to lights turning on.

I can get a motion sensor switch at a hardware store.

You want your lights to turn on inside your garage when the garage door opens.

Yep. That happens with most existing garage door openers.

You want your front hallway light to come on when your door is opened.

I've never seen this implemented, but it could be done in a multitude of ways such as the motion sensor or a simple contact switch on the door itself.

I've long been interested in "home automation" stuff, so I'll give you a quick example of what I have at my house now that can't be done with timers/motion sensors from the hardware store.

There's a keypad in the entrance to the kitchen, with buttons labelled "Bright", "Dim" and "All off". If you press Bright, all of the lights (sink, under-cabinet, range hood, and island) turn on at 100%. Dim sets just the under-cabinet lights to 50% and the island to 10%. Without this keypad, you have to walk to 3 different switches on opposite sides of the room.

There's also a keypad by the front door. It has an 'all off' button which is great when we're leaving, and as we also walk by it on the way upstairs, handy when we're going to bed.

The front door keypad also has a "Garage" button. It lights up red if the garage door is open (as we can't see the door from anywhere inside the house). Press it and it'll toggle the door to open/close.

That stuff is just simple scenes, but I also have some more complex things..

The outside lights go to 20% from dusk until midnight, then turn off after midnight. On top of that, at any time between sunset and sunrise, if the garage door is open, or if the outside motion detector sees motion they go to 100%, and once the door is shut or no motion is seen for a few minutes, they return to previous level.

At sunset, if none of the lights in the house are on, one of the lights in the kitchen and one of the lights in the living room turn on (to make it look like someone is home).

At ~midnight, if only the one kitchen light and living room light are on (and nothing else has been adjusted, indicating someone is home), turn the lights off.

At sunrise, turn off all lights. (This used to be 3am until we had a baby, then it was annoying because, well, crying baby + preparing bottle + 3am + lights suddenly turning off = ..not good).

At some point I will also set up a motion sensor in the front hall (or maybe a door open sensor), so if the outside motion is triggered followed by the inside motion (or door opening), the inside front hall light turns on. A bit tricky, since I don't want it to happen if I'm just walking around the house (or leaving).

Is any of this game-changing? Not really. It's interesting to me, it's not overly expensive (especially as I have built this up over time), and it's a nice albeit minor quality-of-life thing.

Btw, I can control this from a PC/phone, although I basically never do (the keypad/switch on the wall is always going to be faster). I could also set it up to work via internet, but I don't, because 1) there's an attack vector and extra security to worry about, 2) adjusting the lights while I'm not home is pointless, 3) I believe a key to home automation is the automation part. If I have to control it manually, it's by definition not automated.

Thank you. Genuinely interesting, and in my opinion, one of the few examples of the technology done right.

I would point out that the three different switches on opposites sides of the kitchen sounds more like an issue of poor switch placement (admittedly, a common problem) than anything crying out for automation, but the ability to control sets of lights with one button is intriguing.

I think the take-away is this:

> Is any of this game-changing? Not really. It's interesting to me, it's not overly expensive (especially as I have built this up over time), and it's a nice albeit minor quality-of-life thing.

Which I contrast with: "Let's hook my toaster up to the internet because: Internet of Things!" which seems to be the prevailing attitude.

> I believe a key to home automation is the automation part. If I have to control it manually, it's by definition not automated.

Yup, this.

I built an automated heating system. It does all the right things at the right times. I never touch it; it has some graphs if I want to see what it's doing.

The shoddy consumer systems all have manual control and an app, because you just spent all that money, you want the warm fuzzy feeling of having an app to fiddle with.

Marketing is why everything has to be networked.

I wouldn't pay a dime for most of those features, even if it worked perfectly. Where I can see the use is doing things remotely, as in when you're far away: locking/unlocking the doors, making sure the lights and appliances are off when you're traveling, turning on/off the heat remotely etc. IF you could do those things securely.

Too lazy to walk up to the light switch when I'm at home? Just no.

This is not "Internet of Things", this is "Building Automation" and it's been the norm for decades.

Yes, but now it's "on the internet". Therefore it can be called Internet of Things.

IoT is an amazing, awesome, innovative and entirely new concept. Just like "The Cloud" was.


Depends what you mean by "Building Automation." If you mean things like a thermostat to control my heating, sure that has been around for decades. However, it can be a very simple mechanical device. Even for the computerized ones, I see little advantage to networking it (at least compared to the disadvantages).

If, however, by "Building Automation," you mean networked computers controlling your lights and every other aspect of your environment, this is not the norm now, never has been, and I would hazard a guess that it won't be any time soon because the cost and complexity is not worth the marginal advantages. Yes, some elements are creeping in: particularly systems to shut off lighting and environment control in office buildings at night because the power savings are worth it, but those systems are relatively simple and closed. There is no need to connect them to the sort of network that is featured in the article let alone the internet at large.

Lighting systems are very common in the building automation industry but they're typically connected to physical switches. Placing a computer or tablet there doesn't really change things - this could have been hacked regardless of the end-user input. The core protocol Modbus/TCP has been available and easily hackable for decades.

Building Automation is exactly what you're describing and it is the norm. It's common for schools, hotels, and commercial buildings to be "smart", with something like Modbus or BACnet connecting lighting, HVAC equipment, and smart meters.

I will defer to you re: Modbus/TCP as it is outside my area of expertise. Even if these systems are "common," I would still claim that they are not the "norm" for the simple reason that I have been in buildings that were clearly "smart" buildings and ones that were clearly not, and the latter outnumber the former. However, even if it were the norm for commercial buildings, I was thinking far more generally and that may be the source of our disagreement. Automatic doors, for example, are the norm for major retail stores (as well as airports, et cetera), but they just don't exist in private homes. It would be expensive and serve no purpose, and that is how I feel about most "Internet of Things" devices [EDIT: and most "home automation" devices].
