Securing the Internet of Things - or how light bulbs can spy on you

It's going to be a tough task securing the Internet of Things, an upcoming massive global network of web-connected fridges, freezers and pacemakers. But according to experts gathered in Cambridge last week we can't even start locking it down until we know who's going to make money from it. The meeting was run by Cambridge …


This topic is closed for new posts.


  1. Pete 2 Silver badge

    Who let the data out?

    > ... data to be secured between just the device and a home hub

    So all this stuff will be routed through the home's internet connection. That makes it a trivial task to simply block it going out at all. It does seem that until someone (a vested interest no doubt, but vested in what, precisely?) can answer the question: why should I give away all this information about my household? there's nothing in it for me to let this data go back to wherever it is being sent.

    Sure, I can see that there is a possibility, but only a possibility, that I could get a discount on my utilities bill if I allow smart reading of the various meters - or more likely a penalty if I don't. But after that: who cares?

    What do I gain if a lightbulb tells someone "Hello, I've just been switched on" or if the kettle squeaks up "this is the third cup of tea this hour!".

    Just because something becomes possible, that doesn't mean that it will be adopted. Unless I can see a real, tangible benefit TO ME for all this data that would counterbalance the disadvantage it would put me at, I can't see why I should let it pass.

    1. Ragarath

      Re: Who let the data out?

      We are the Borg. We will add your biological and technological distinctiveness to our own. Resistance is futile.

    2. Magister

      Re: Who let the data out?

      You almost answered your own question. The reality is that they will probably drop a huge penalty on you if you don't allow the data to be collected. (Everybody should be encouraged to watch Charlie Brooker's "15 million merits" available on YouTube to see just how bad it could get)

      For the utility companies, if they chose to use this data, it could give them some useful information (to them) about a given individual / family behaviour. For example, they might be able to see how frugal or wasteful you are by the way that the lights are turned on and off as people move through the house. This means that they could adjust your tariff based upon this to extract the most money from you; and if you don't allow the data collection, they just slap the most expensive tariff on you by default.

      Make no mistake, this is not about making things better for you and me, but for those people that just see us as consumers to be the target of their incessant marketing campaigns.

    3. amanfromMars 1 Silver badge

      Re: Who let the data out about Hot AIgents?

      Let Internet Brains take the Strain, Pete 2. IT can Handle IT with Virtual Machine Activation Codes to Bots in LOVE's Live Operational Virtual Environments for Greater Games Plays with Pandora's Toys for Surrender to Temptation and a Resultant Alternative Perspective ...... More Comely Insatiably Satisfying View.

      Crikey, I hope El Regers are thinking that it's gone all 50 Shades of Black for the Brilliance of Light Edutainment Being.

      The Dark Side too has ITs Master Brilliants. Don't Forget to Remember Current Presents for Future Past Reconstruction and Destruction in History WiFied Clean and Refreshed with New Archives with Sublime Instruction Sets for Virtual Tablets of Stone from Global Operating Device Stores with Superb Diagnostic LogIC Returning Output to Feedback for Input to Output as Novel Source of CodeX-XSSXXXX Standard.

      And their shenanigans are great fun ... and most reassuringly disorderly:-) .... courtesy of vine, grain and hop invariably? :-)

    4. Flywheel

      Re: Who let the data out?

      Probably that big(ger) shiny, flat screen TV you just installed. You know, the one with the gesture control that'll eventually know when you're committing an act that contravenes the Government's latest rulings on [insert diktat here] and will eventually summon the police to correct you.

    5. Anonymous Coward

      Re: Who let the data out?

      A connected fridge, microwave or light bulb?

      Gimmicks that suck fools in..

      1. Peter2 Silver badge

        Re: Who let the data out?

        But there are going to be good old-fashioned offline devices around until the sun burns out so this is never going to be an issue.

        And that's good, because I'm going to be one of the people using them. What the hell do I need my fridge, microwave, toaster or lightbulb connected to the internet for? Automatic Facebook updates i.e. "8:47- opened my fridge"?

        Until somebody comes up with a convincing reason for such connectivity then most people aren't going to be interested.

        1. Anonymous Coward

          Re: Who let the data out?

          > Until somebody comes up with a convincing reason for such connectivity

          I read that and agreed. And then I realized you probably weren't meaning Facebook ...


        2. Tom 13

          Re: a convincing reason for such connectivity then most people aren't going to be interested.


          I first heard someone proposing connecting a fridge to a communications channel way back in 1992. Of course the same person thought it would also be peachy keen to connect your washer, dryer, oven and VCR to the same communications channel. Now to some very, very, limited extent I could see the point of allowing these things to talk to an energy management console on the same internal network, but I never really saw the point of it being able to talk to much beyond that. Someone tried to claim it would be cool for the VCR to be able to talk to your phone because that way if you forgot to schedule recording for your favorite TV show you could call it in. Bloke never considered if you forgot to set the time, you probably also forgot to put in a tape. Granted a DVR changes the last one, but I still don't see the general need for appliances to talk to the internet.

      2. James Micallef Silver badge

        Re: Who let the data out?

        "A connected fridge, microwave or light bulb? Gimmicks that suck fools in"

        Actually, light bulbs suck the dark in :)

  2. Tanuki

    And when you move house....

    I can see a novel and amusing set of problems associated with moving house and taking some of your "smart appliances" with you but leaving others behind for the new owners.

    Hell, it's already enough of a hassle getting a house "re-keyed" when you buy it; moving into a property and finding the cooker won't work because the previous residents have taken their 'home hub' with them and the cooker/toilet/jacuzzi needs a manufacturer-only 'service reset' before it will pair with your home-hub is not likely to make the moving-process any less stressful.

    1. Anonymous Coward

      Re: And when you move house....

      You just know there will be an 'administration fee' etc to digitally move your washing machine to your new home and connect it to 'the cloud'.

    2. Anonymous Coward

      Re: And when you move house....

      You forgot the charge to have your 'new' appliance activated.

      1. Tanuki

        Re: And when you move house....

        We'll just have to jailbreak them then!

        [ Methinks they'll be declaring oil/wood/coal-powered Agas and Rayburns as "unsupported legacy devices". ]

        1. Anonymous Coward

          Re: And when you move house....

          That all of a sudden, your lamp, fridge and TV are going to phone home with their new location and the next thing you know Frigidaire, Sony and the Department of Homeland Security are going to be emailing you that "you must have forgotten to enter your new address in our databases".

          The "Internet of Things"--does that include annoyance?

  3. Irongut


    If this data goes through my broadband connection then security will not be an issue because I will not connect it. I don't want some useless data from the fridge stealing bandwidth from my online gaming, watching films, etc.

    If a secondary connection is provided specifically for this purpose then I'll just disconnect it anyway because it's none of their business what devices I have turned on in my home. If they make it a legal requirement to have it connected then it'll just suffer some unfortunate but seemingly accidental issues.

    1. Yet Another Anonymous coward Silver badge

      Re: No

      So you can pay premium rate for your electricity rather than economy7 or economy-super where you let the power company turn down your AC at certain times in return for a 50% discount

      1. Phil O'Sophical Silver badge

        Re: No

        > So you can pay premium rate for your electricity rather than economy7 or economy-super where you let the power company turn down your AC at certain times in return for a 50% discount

        So what's different about how it works today? They'll tell you that you can surrender control in order to get cheaper prices, and a year in you'll find that it isn't that much cheaper anyway.

      2. Mark 65

        Re: No

        Except that turn down the AC at certain times will be all the time.

        1. Steven Roper

          Re: No

          "...and at present the electric current was cut off during daylight hours. It was part of the economy drive in preparation for Hate Week."

          Except that even Orwell couldn't have imagined the extent of this horror.

  4. Roland6 Silver badge

    User initiated pairing?

    Ignoring whether we need it or not, the simple communications security solution is just pair the new gismo with a home management hub, in the same way as today we pair Bluetooth devices, or wireless electricity monitors (e.g. the OWL). The software on the hub would have a management interface (probably browser-based) that would enable a user to pair devices to applications/services, this would also permit the user to give devices meaningful labels and so map them into any external service management application.

    It doesn't matter how clever the software is on the device, there is no way a bulb, say, can determine its location in a house or the role it is supposed to fulfil. We can make the outlets 'intelligent', but even this requires 'user' intervention so that the outlet 'knows' that it is for the open/close sensor for the front door. Hence as 'user' intervention will be required to set the system up it makes sense to build security with the same assumption.

    The current approach being adopted by the security guys seems to favour a vendor lock-in approach to security, namely Philips light bulbs would only talk to Philips servers, GE light bulbs to GE's servers etc. etc. ... which is totally daft.

  5. JimmyPage


    never underestimate the banality of evil.

    If history has shown us anything, it's that it's pathetically easy to get 80% of the public to willingly give up any and everything for some shiny - or the promise of some shiny.

  6. Don Jefe

    Internet of Fail?

    I like the idea of everything connected but I'm concerned that things we currently consider 'durable goods' will be insanely prone to failure like most consumer IT kit: Losing the 'durable' aspect while simultaneously increasing the base purchase price.

    If my $500 phone or $4,000 workstation craps out in the next 10 seconds I won't be surprised, annoyed, but not surprised. We've gotten used to these sorts of failures. If my $800 washing machine craps out though it is a big deal, I can't just go to the store and replace it (without a lot of logistics) & no one is going to same-day replace it. I've got to call the store (or repair center), go through all the bullshit involved with fixing or replacing a major appliance. Most people will experience major appliance failure a few times in their lives but it is not a regular occurrence (clothes dryers don't advertise MTBF for a reason) and I don't want it to become a problem because the logic circuit in my dryer failed or a previously unknown programming error 'bricks' my dryer.

    1. Michael Wojcik Silver badge

      Re: Internet of Fail?

      > I like the idea of everything connected

      Why? That's a sincere question - like many of the other commentators, I can't imagine having any use for most of what's being touted here.

      > I don't want it to become a problem because the logic circuit in my dryer failed or a previously unknown programming error 'bricks' my dryer

      Already an issue with many appliances, even without Internet connection. I've replaced logic boards in my washer three times (all under warranty, so the vendor's more than lost their profit on the unit). It's a lousy design[1], but it's also a common one - the manufacturer of this washer OEMs to several of the major US brands, and apparently to several European ones as well.

      (If I lived alone I'd have bought a cheap washer, but I'm not the one who does the laundry around here.)

      [1] The washer has three logic boards with custom ASICs. The boards cost around $200-$300 each if you buy them through the appliance vendor's parts division; you can get them directly from the manufacturer for about half that. Dispensing with the unnecessary electronic controls would get rid of one board. Alternatively, they could use an off-the-shelf fanless Linux box connected to a single board with a USB adapter, some A/D logic, and a handful of relays to control everything.

  7. Jonathon Green

    "Liz Fitzsimons of "legal innovators" Eversheds..."

    Does anyone else here find that the phrase "legal innovators" fills them with a deep seated existential fear?

    1. ecofeco Silver badge

      No, but it does raise my adrenaline levels to the point I want to puke.

      Unless that's what you mean?

    2. Tom 13

      Re: existential fear?

      No, but then I'm one of those bat-sh*t crazy 'Merkins you lot are always complaining about. I find myself repressing my natural instinct to use a high speed lead injection to remove the demon from the gene pool.

  8. Anonymous Coward

    > (as opposed to traffic lights, parking meters or cow bells)

    Erm, what? Cow bells? Where did that come from?

    1. John Sager

      Didn't you know? It's actually Swiss farmers who are driving all this stuff. IPv6 wouldn't have happened without their reps on the IETF...

    2. Captain DaFt


      "It needs more cowbell!"*-Christopher Walken

      Everything is improved with more cowbell!

      *google youtube, it's an hilarious SNL skit!

    3. Allan George Dyer

      Don't fear the cowbell

      the black one with the cowl, thanks.

      1. Tom 13

        Re: Don't fear the cowbell

        If you're the opposing team in Beaver Stadium, ALWAYS fear the cowbell.

  9. Captain DaFt

    Hacking the internet of things

    Flash a few roms, now the AC reports it only runs 15 minutes a day, the lights all report that they only come on long enough to flash "peek-a-boo" in morse code once a day, the fridge reports that it maintains room temperature, and the stove reports that it's never in use.

    (OK, nothing so blatant, but you get the idea.)

    1. Anonymous C0ward

      Re: Hacking the internet of things

      Yet the meter, with a tamper seal, that can be inspected by the electricity company, still reads >9000. So, where's all that weed you're growing?

      1. Captain DaFt

        Re: Hacking the internet of things

        Yep, I bought and paid for the electricity, it's mine to use how I want, and *that's* none of their business!

        (Weed? Nah, I've always preferred cigars and cheap wine.) :)

  10. Dodgy Geezer Silver badge

    ...Smart meters are supposed to make changing suppliers easier. The enormous cost is, in part, justified by their ability to drive down prices by increasing competition....

    Such a justification is nonsense. Smart meters' ONLY reason for existence is that when 'green' power was first proposed, it was obvious that it could never be truly 'dispatchable' - that is, it could never be always provided when it was needed. The answer was found in 'demand management' - that is, forcing you to use energy when the provider company says you can rather than when you want.

    All these stories that things will somehow be 'cheaper' are just that - stories. Remember how the Identity Card was going to stop criminals? Same trick. The idea is to get the service or policy out into the country, and then, when people start complaining, say that it's there now and would cost too much to take away...

    1. Anonymous Coward

      but but ...

      How hard is it to change suppliers anyway? Read meter. Phone new company. Say "I want to switch". Most will sort out the rest for you.

      It takes all of about 5 minutes. The main issue is that they are all a bunch of profiteering bastards and awfully close to cartel pricing (i.e. once one jumps they all put up their prices within a week).

      But still none of that justifies a many 100 £££ smart meter which will probably need replacing every 3 years once the security bugs start rolling in.

    2. Tom 13

      @Dodgy Geezer

      Not entirely true. Electric companies had differential rates for power way at least as far back as the 1970s. My dad was no tree hugger, but we switched to it because it saved money. Off peak costs were about 1/3 of on peak, and we could do things like laundry in the off hours. He even put the electric water heater on a timer and insulated it, then timed it so it would be on during the off peak time and it would hold long enough to get us to the next off peak. On the rare occasion we needed to, we just went in the basement and flipped the heater back on.

      These days, yes, it is mostly tree-huggers shaking down people.

  11. Paul McClure

    Pre internet access

    In days of yore we had homes with walls and doors. In addition to keeping the elements out it would limit access to people in the proximity. In addition to standard security why can't devices have a proximity 'sensor'? If the communication is more than x hops disallow. Add a guard/controller within the radius that the external can communicate with the appropriate enhanced security.

  12. 404


    Why wouldn't they just use cellular 3g/4g connections and squirt the data as required and bypass any consumer control?

    1. Pascal Monett Silver badge

      Re: ahem

      Sorry? Are you suggesting that the next washing machine I buy I have to pay for a 3/4G phone line as well?

      That's going to float as well as a brick in the current market for sure.

      1. Charles 9

        Re: ahem

        I'm wondering if he's referring to a WhisperNet as used by the classic Kindle line. It was tolerated because they didn't use a whole lot of data, so Amazon footed the bill. Thing is, cell coverage is not universal and more limited in indoor settings, plus so many devices may leave cell providers scratching their heads.

  13. Herby

    privacy? Privacy? PRIVACY?

    All that is necessary for evil to triumph is for good people to do nothing.

    Evil in this case is the constant monitoring of all that we do. Yes, the Borg is us and we need to recognize it as such.

    As for monitoring, watch the show "Person of Interest" (presently on US television, I don't know about elsewhere). Shows the penetration of the Borg! While I hope that it is a great work of fiction, on some level I believe it to be true!

  14. mark l 2 Silver badge

    The devices will more than likely talk back to your smart meter which will have its own connection to the cloud either over wired (as in the power grid itself) or cellular wireless as the amount of data will be very small they are transmitting as they aren't going to be streaming HD movies just sending/receiving a few kilobytes of data an hour.

    I am just waiting to be able to root my fridge and install debian on it :)

  15. The BigYin

    Open and under my control

    So long as the security is an open standard, I can intercept and decrypt any message, every manufacturer publishes details on their messages and everything is ultimately under my control; I'm easy.

    Put whatever other checks and balances you see fit, but the one goal had to be that the owner/user MUST BE in control. Not the OEM, Google or Facebook.

  16. Cipher

    Not a Luddite, but...

    Why would anyone connect their toaster to any network? So script kiddies can burn our toast?

    I am also perfectly capable of managing the contents of the refrigerator without data analysis...

    And BTW, my old fashioned rolodex with my contacts on it is not only faster than any computer model of it, it also works when the power is down...

    (And before someone pipes in: In most of the USA landline phones have their own power, rarely go out of service when big electric goes offline, say in a storm)

  17. This post has been deleted by its author

  18. Denarius

    move on, nothing to C here

    usual waste of space clevers flogging solutions for which there is no real problem. Personally, given the utterly crap network locally, I doubt much could get out, even if I wanted it to. In Oz, move 60 km from a city and voila, internet security due to network timeouts. Also a meaningless choice of ISP, because the hardware to move the bits quickly does not exist. And no, despite claims to the contrary, satellite is also too slow. Aside from all that, getting new networking gear to handle IPv6 is just another cost from which I gain nothing.

  19. Anonymous Coward

    Makes for a great alibi.

    After reading all the cons in this thread about the obvious privacy invasions, my mind spun to trying to find pros to all this...maybe I'm dark!

    Imagine a psychopath attaching a trigger to the flusher of a toilet, then a snuggly fit beach ball filled with concrete on the seat...

    "No your honor, I couldn't of skinned him alive, I had the shits all night...check the logs for my toilet."

  20. Anonymous Coward

    Warranty void

    What's the betting that as more appliances get connected, the Apple way of doing things starts to become the norm and you no longer really own products, but get to use them the way the manufacturer intended, or else. "Sorry sir, your RoboVac 3000 has no monitoring data on our servers from the day it was installed. I'm afraid we can't repair it under warranty, as you may have been violating our Acceptable Use Policy. We have an out of warranty repair program, please sit down before I give you the price..."

    If it benefits big business, you can be sure we'll all get to pay for the "internet of things" whether we like it or not; either in hard cash or loss of privacy, or most likely both.

