Traffic lights, fridges and how they've all got it in for us

No doubt many of The Reg’s readers are tired of the term “the Internet of Things”. It is both a nebulous term and a vague idea. What it attempts to encapsulate is the masses of networks of automated machines that didn’t traditionally have connectivity, working to manage the environment around them, supposedly for the benefit of …


  1. petur

    Don't connect them to the internet directly

    I've been experimenting a bit with simple things, and found it easiest (at least for peace of mind) to have some kind of hub (my NAS in this case), and write a bit of interface code to interact with them. Much easier to secure and no need to worry about gaping security holes that will never get fixed.

    And remember, once a hacker is inside one of these things, he can use it as relay to attack the rest of your network from the inside.

    1. Anonymous Coward

      Re: Don't connect them to the internet directly

      Bluetooth 4 seems to make more sense inside the home, connected over some kind of gateway. These guys look like they've got some good ideas:

      1. Robert Helpmann??

        Re: Don't connect them to the internet directly

        Yes, I do not see a reason why home devices should use a routable protocol and running everything via a management console seems to be a sensible approach. Rather than Bluetooth, why not something designed for these systems? I would guess TCP/IP is only used because that is what is familiar. It will be difficult to educate people on the need to keep management consoles updated or what to do when a problem happens, but it would seem a viable alternative.

        > He says he managed to cause desk lamps to explode by exploiting weak control channels in power devices.

        It took technology a bit of time to catch up with Hollywood technological fantasies, but it managed to do it in the end.

        1. Richard 12 Silver badge

          Re: Don't connect them to the internet directly

          > Lyne also tested a number of faults in home automation systems, using existing research. He says he managed to cause desk lamps to explode by exploiting weak control channels in power devices.

          That one is definitely false. A desk-lamp sized power-control device simply cannot do that, no matter what commands you give it.

          The absolute worst you can do is flash it as fast as the underlying power controller can do. In some cases that'll reduce the life of the lamp, but it can't explode because electricity does not work that way.

          The only thing I can think of is perhaps he dimmed a non-dimmable transformer. That's no different to saying you "hacked" a diesel car by getting the owner to fill it with petrol.

    2. I ain't Spartacus Gold badge

      Re: Don't connect them to the internet directly

      I was going to post the same thing. It would be nice if we could have some kind of home security / network device that handled back-ups, firewall, content filtering and the like. It's all possible now of course (there may even be several products doing this), but I have one extra feature to add. The killer feature. It must be usable by non-techies.

      I've not yet come across a wireless router that didn't have some very weird quirks in its management software. They either make it relatively easy to set up the network, and make connecting to the internet a nightmare, where you have to browse through about 15 different screens in no obvious order, or setting up the internet's a doddle, but the network is awful. I've also used routers where both were obscure, split over many screens and incomprehensible.

      But I have no trust in the manufacturers, who mostly seem to want to sling kit out the door as fast as possible, and then forget about it. Why don't Wi-Fi routers have an automatic update mechanism, when they're riddled with bugs and permanently connected to the internet, by definition?

      I guess at least the data-snafflers might help. For example Google's NEST offers a subscription service. Now if they have a massive security oops, and no method of updates, people will just stop paying the subs. Plus the oodles of lovely data will stop flooding in. So they have some incentive to not leave you vulnerable to hackers. The problem is, they're already hoovering up your data as fast as they can themselves...

  2. Anonymous Coward

    Connected fridge - a small subset of first world problem

    A refrigerator needs only a few electrical (not even electronic) components to work: motor, thermostat, a fuse for circuit protection, and a light bulb to show it's working/the contents.

    How much better can you make a fridge by connecting it to the rest of the world, or the food inside? How much complexity in production and supply chain is added to replace the simple human act of looking at the Use By date, and what are the benefits brought?

    And would not diverting the expenditure to education or developing countries prevent more food poisoning than a warehouse full of clever fridges ever could?

    1. Richard 81

      Re: Connected fridge - a small subset of first world problem

      Mostly agree.

      The potential reduction in food wastage could (and should) be achieved by teaching people that just because their carrot is past its Sell By date doesn't mean it's bad, that mouldy cheese can be shaved, milk is only off when it smells/looks/tastes nasty etc.

      Being able to detect pathogens and alert the user could save lives and productivity, but the tricky bit is detecting them, not Tweeting that they've been detected.

    2. Mine's a pint

      Re: Connected fridge - a small subset of first world problem

      It's not about this fridge being better for being connected to the world, it's about added "features" so the consumer may select this model over that one based on the quantity of feature bullet points in the description. These days it seems that "Feature Stuffing" is seen as leverage to sell a new product to a consumer who perhaps is bored with their plain old model.

      1. Mark 85

        Re: Connected fridge - a small subset of first world problem

        The thing about "features" and "services"... until the marketing droids hit their stride, you won't know that you want these things. At which point, they become a profit center and feeding frenzy will really start. Then.. at some point, there will be a "service" to protect you from hackers/crackers/script kiddies.... more profit.

    3. Tom 13

      Re: Connected fridge - a small subset of first world problem

      I had this debate about 25 years ago when I was working for a home automation firm. They were always talking about connecting the fridge, oven, and VCR to the telephone gateway which would let you control them. I would look at them and ask "Why? What benefit does this give me?" They kind of looked back at me dumbfounded. Once one of them said "Well, if you forgot to set your VCR, you could do it with your phone." My response, "But if I forgot to set the VCR, what are the odds it is loaded with a blank tape anyway?"

      Mind you, I thought it was a cool system and had some useful features. I was trying to direct them away from trivial stuff to things that would make it worthwhile. In the end, I sort of won the argument, but it was the king of Pyrrhic victories: the company filed for bankruptcy a year after I left.

  3. Evil Auditor Silver badge

    ...of the term "the Internet of Things"

    I wanted to read the surely interesting article. Unfortunately, I fell asleep while reading its first sentence.

    1. Destroy All Monsters Silver badge

      Re: ...of the term "the Internet of Things"

      Maybe you need a device that wakes you up over the Internet?

      1. I ain't Spartacus Gold badge

        Re: ...of the term "the Internet of Things"

        > Maybe you need a device that wakes you up over the Internet?

        Hmmm. The Internet of Tasers.

        Now you're talking!

        1. Richard 12 Silver badge

          Re: ...of the term "the Internet of Things"

          You want a DMX Shock Collar (PDF)

    2. Euripides Pants

      Re: ...of the term "the Internet of Things"

      I think it's about time that someone invented the Thing of Internets...

      Mine's the one with the Internet in the pocket

  4. Mage Silver badge

    Foreseen long ago

    1975, Shockwave Rider by John Brunner: Nick rewrites the "computer tapeworm".

    Many others.

    We don't learn well.

    1. Destroy All Monsters Silver badge

      Re: Foreseen long ago

      But in that story, this turned out to be a Good Thing.

  5. Anonymous Coward

    Pure Hyperbole...

    The more I hear the IoT mentioned, the more I'm convinced that someone, somewhere (probably a bunch of junior engineers after a Friday liquid lunch) came up with the idea as a way of winding up the Marketing Noobs - "Who comes up with the silliest idea and convinces a Marketing Wally it's a great idea wins a free pint!!!"

    Unfortunately, it has somehow got out of hand and no-one can now convince them otherwise...

  6. Nick Ryan Silver badge

    On the fridge example above, while I agree that in general the simpler something is the better, it doesn't mean that things can't be enhanced. For example, the temperature of the fridge could be monitored allowing an alert to be generated if the temperature goes outside defined limits for a period of time, for example when a toddler (or drunken / sleepy adult) merrily raids the fridge and leaves the door open, the cooling unit fails or some other miscellaneous and annoying problem that'll ruin your morning when you find the milk is off. Hell, just the opening of the fridge between certain hours could raise an alarm if you really want to stop midnight fridge raids. A little more sophisticated could be humidity sensors, where if something leaks a similar alarm could be raised. These are just a couple of simple enhancements to a basic fridge, nothing complicated, nothing that can't be easily implemented right now.

    Much of the IoT press is just marketing fluff and noise, but there are useful things to be had from it all.

    1. T. F. M. Reader

      @Nick Ryan: I am with you. The only question is how your suggested enhancements will benefit from Internet connectivity. If someone leaves a fridge door open, how will an email or text to your cell phone in the middle of a working day facilitate closing it? And wouldn't it be better if the fridge just beeped if the door was not closed properly (after a certain short timeout maybe?) - before the guilty party leaves the house?

      And as for midnight fridge raids, do you mean when you are on vacation with your other half and your teenage kids are home alone? Which of them are you going to call and scold at 3AM when your phone wakes you up in a hotel bed? Oh, I forgot: the fridge will take a picture of whoever opens the door at night and post it on Facebook, right? In a nightgown. Hopefully.

      1. Evil Auditor Silver badge

        > ...wouldn't it be better if the fridge just beeped if the door was not closed properly...

        And that's exactly what newer fridges do.

        Neither would I see much use in being notified when the fridge stops working properly. I do know that fridges can give up their ghosts but generally, they are very reliable. Adding an IoT device means adding a device that can fail and probably is more likely to do so than the fridge itself. Anyway, even if you're notified when it stops working, how likely is it that you're able to get it fixed/a replacement before it's warmed up? And how important would that be? For normal people that's hardly a life-threatening situation, is it? (Okay, maybe it is.... cf. icon)

        1. Tom 13

          Re: And that's exactly what newer fridges do.

          The only other useful thing I can think of would be something that warned you if the power had been out for an extended period of time. Or maybe make it even simpler and just warn if the temperature had exceeded certain parameters and indicate the time period for which they were exceeded. But again, a simple sensor arrangement on the fridge with an indicator on the door would seem to be far more useful.

          I can think of one person I know of who might have benefited from a message sent to his email or smart phone on this front recently. Had to throw out a freezer because it came unplugged and he didn't realize it until weeks later. But even at that it wouldn't have helped him. He's still fighting with Verizon to get FIOS connected to his newly built home.
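Nick Ryan's temperature and door rules and Tom 13's wish to be shown how long the limits were exceeded, written up as a purely local sensor loop with no network in it (an added example, not code from any poster; the thresholds, grace periods, quiet hours and the readings are all constructed):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sample:
    at: datetime
    temp_c: float
    door_open: bool


@dataclass(frozen=True)
class Alert:
    kind: str            # "night_opening", "door_open" or "temp_out_of_range"
    started: datetime    # when the condition began
    duration: timedelta  # how long it had persisted when raised, or the episode's total length


class FridgeMonitor:
    """Local sensor loop: a condition must persist for its grace period before an
    alert is raised (once per episode); each finished episode is recorded with its
    length so a door indicator can show how long the limits were exceeded."""

    def __init__(self, low_c=1.0, high_c=5.0,
                 temp_grace=timedelta(minutes=10),
                 door_grace=timedelta(minutes=2),
                 quiet_hours=(23, 5)):          # constructed defaults
        self.low_c, self.high_c = low_c, high_c
        self.temp_grace, self.door_grace = temp_grace, door_grace
        self.quiet_start, self.quiet_end = quiet_hours
        self._since = {"temp_out_of_range": None, "door_open": None}
        self._raised = {"temp_out_of_range": False, "door_open": False}
        self._prev_door_open = False
        self.episodes = []                      # completed episodes, as Alert records

    def in_quiet_hours(self, at):
        h = at.hour
        if self.quiet_start > self.quiet_end:   # window wraps past midnight
            return h >= self.quiet_start or h < self.quiet_end
        return self.quiet_start <= h < self.quiet_end

    def _track(self, kind, active, now, grace, alerts):
        if active:
            if self._since[kind] is None:       # condition just began
                self._since[kind] = now
            elapsed = now - self._since[kind]
            if elapsed >= grace and not self._raised[kind]:
                self._raised[kind] = True       # raise once per episode
                alerts.append(Alert(kind, self._since[kind], elapsed))
        elif self._since[kind] is not None:     # condition just cleared: close the episode
            self.episodes.append(Alert(kind, self._since[kind], now - self._since[kind]))
            self._since[kind] = None
            self._raised[kind] = False

    def feed(self, s):
        """Consume one reading; return the alerts raised by it (usually none)."""
        alerts = []
        # A door that opens during quiet hours is flagged immediately (the midnight raid).
        if s.door_open and not self._prev_door_open and self.in_quiet_hours(s.at):
            alerts.append(Alert("night_opening", s.at, timedelta(0)))
        self._prev_door_open = s.door_open
        self._track("door_open", s.door_open, s.at, self.door_grace, alerts)
        out_of_range = not (self.low_c <= s.temp_c <= self.high_c)
        self._track("temp_out_of_range", out_of_range, s.at, self.temp_grace, alerts)
        return alerts


def constructed_samples():
    """One reading a minute from 23:30: door left open at 23:32, warming follows."""
    start = datetime(2024, 1, 1, 23, 30)
    rows = [(0, 4.0, False), (1, 4.0, False), (2, 4.5, True), (3, 5.5, True),
            (4, 6.0, True), (5, 6.5, True), (6, 7.0, True), (7, 7.0, False),
            (8, 7.0, False), (9, 6.8, False), (10, 6.6, False), (11, 6.4, False),
            (12, 6.2, False), (13, 6.0, False), (14, 5.8, False), (15, 5.4, False),
            (16, 4.8, False)]
    return [Sample(start + timedelta(minutes=m), t, d) for m, t, d in rows]


def run_demo():
    mon = FridgeMonitor()
    alerts = []
    for s in constructed_samples():
        alerts.extend(mon.feed(s))
    return alerts, mon.episodes


if __name__ == "__main__":
    raised, finished = run_demo()
    for a in raised:
        print("ALERT", a.kind, "from", a.started.time(), "after", a.duration)
    for e in finished:
        print("EPISODE", e.kind, "from", e.started.time(), "lasted", e.duration)
```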

        2. el_oscuro

          The mark of a good beer is that you can drink it warm. So just make sure you always have good beer and it won't be life threatening.

    2. P. Lee

      > there are useful things to be had from it all.

      Useful, yes. Worth the effort? I don't think so.

      I can see if there is mold on the jam. It isn't worth adding all this complexity and possible spam sources (geddit?) to every fridge just so the odd one that breaks can let you know about it.

      "Nothing complicated" is a light on the front, at a stretch, a serial interface. As soon as you add an IP stack, it's very complicated.

      Perhaps it's time for a new physical standard of "secure but anti-social" where there are no receive wires in the NIC and data is broad/multicast. I fear that's just a slippery slope which isn't worth it either.

      1. Nick Ryan Silver badge

        Re: > there are useful things to be had from it all.

        With the fridge I was trying to demonstrate that while it may currently be a relatively basic example, there are potentially useful things that can be done. Even for these examples I would agree that it's a toss up whether or not it's worth the effort, but that's something else and once these things become more commodity then the effort is diluted sufficiently and what was previously a gimmick or "nice to have" feature, becomes standard. The same arguments about "it's not worth the effort" were probably thrown at a lot of the technology that we currently use, take for granted, and would be inconvenienced without. And we'll have forgotten the stuff that really wasn't worth the effort at the time.

        An IP stack may be rather complicated but like most technology these things are built on a stack of previous modules incorporating standards, knowledge and experience. Even a serial interface isn't particularly simple if you have to build one from scratch from the physical layer up (and you wouldn't believe the mistakes that I've come across when people have tried), however modern IC systems can handle most of the annoyances and details for you. So while an IP stack is rather complicated it's becoming an established module that is just another tool that a higher level layer can use.

        > The only question is how your suggested enhancements will benefit from Internet connectivity.

        I don't consider that the "Internet of Things" is specifically about giving everything possible an Internet connection - it's about connecting devices that were previously or are currently not connected to anything else, more local or personal area networks. Typically IoT has evolved as a marketing term / buzzword from Machine to Machine (M2M) communications, which doesn't sound particularly inviting but we've been doing this at various levels for years. What it boils down to is that IoT is little more than the miniaturisation (and feature stripping and simplification) of much larger and more unwieldy systems down to the level where they can become commodity / consumer items. There will be a lot of pointless ideas that fail, it won't be anywhere near as big and pervasive as the habitual "industry" tech-predictors predict, but it will become more and more pervasive once people find useful things to do with it and devices like Arduino, Raspberry Pi and similar are the start and allow a lot of interesting, sometimes useful, experimentation.

    3. Anonymous Coward

      My fridge-freezer currently needs a new fridge thermostat unit - £40 part then labour on top. That assumes the repair person doesn't fracture a refrigerant pipe in locating the sensing element end of the new thermostat. The technology appears to still be a simple mechanical device whose hysteresis gradually gets worse over the years. The compressor never seems to fail. It seems that a better design would be some sort of passive "heat pipe" threaded into the carcase - and a small electronic sensor/control unit that is easily changed.

    4. Anonymous Coward

      " For example, the temperature of the fridge could be monitored allowing an alert to be generated if the temperature goes outside defined limits for a period of time, for example when a toddler (or drunken / sleepy adult) merrily raids the fridge and leaves the door open, ...."

      Err, most fridges have crap control of temperature in the first place, so I'd have little confidence that the new web connected models would be any better able to monitor something they currently can't manage. Things are different for well made fridges by reputable makers, but then there's little chance of temperature going out of spec.

      As for "door open" alerts, wouldn't it be simpler just to have good basic design that causes the door to close itself? Kitchen drawers are expected to shut themselves gently these days, so I'd have thought that getting a fridge to do the same would be a better way of spending any available design money than stuffing it full of electronics to tweet that the door's open, could somebody do something about it?

      Admittedly the compressor failure notification would be a new capability, but why spend money to monitor one of the most reliable pieces of equipment in the home? The incremental complexity of the monitoring kit and communications would probably make the new product less reliable than an old dumb fridge.

      Which brings me to the root problem of TIOT. The internet of things is shaping up as a riot of technically possible solutions, desperately searching for some problems. On the occasions where a problem can be solved, it often seems an expensive solution for a mildly inconvenient or infrequent occurrence, often with significant additional risks. So TIOT has given rise (for example) to ninety quid fire alarms that require wifi and a user account to activate, and then turn themselves off if waved at. Or you could buy an expensive thermostat that requires professional installation, and then tries to guess your habits - great if you are too dim to programme a simple timer or programmable thermostat, and you don't mind it telling servers all round the world when you're in or out. And at the end of that, these thermostats still need to be told if you are on holiday, or require heating on and off outside of the normal pattern.

      1. Tom 13

        Re: causes the door to close itself?

        Having an audible alert is still helpful for those rare instances where the self-closing door gets stuck on something that wasn't put away quite right. But again, this isn't an IP stack function but a local sensor loop and you are correct that the first step is the self-closing door.

        Now this on the other hand:

        > The internet of things is shaping up as a riot of technically possible solutions, desperately searching for some problems. On the occasions where a problem can be solved, it often seems an expensive solution for a mildly inconvenient or infrequent occurrence, often with significant additional risks.

        deserves about a googleplex of upvotes.

        1. Nick Ryan Silver badge

          Re: causes the door to close itself?

          I agree... I probably didn't get the right level of cynicism over. If you want real fun, try thinking of "Wearable tech" that isn't medical or health fanatic focused.

    5. el_oscuro

      Already have it

      I replaced my 10 year old fridge last year with a new one that is an almost identical model. The only difference is a alarm that goes off if you leave the door open for more than a few minutes. My freezer downstairs also has an alarm that goes off if the temperature goes too high. Neither requires an internet connection.

  7. Nasty Nick

    Never mind a foot in the door...

    The door is wide open for nasties, intentionally devised but mostly otherwise, to be brought into their homes by unthinking consumers.

    No doubt like the first few IOT devices, they will have some novelty value, especially for El Reg tinkerers and the like, but here in Britland our concern should be not just focussed on the technical security stuff, but on the more run of the mill issues.

    Our government is relying heavily on IOT to facilitate a massive programme of invasive monitoring and control of our domestic activities.

    To wit, the infamous Trojan horse known as the "SMART Metering" project that British consumers are forced into paying through the nose for via their utility bills.

    Yes, the plan is to link your friendly fridge, central heating boiler, washing machine etc. to your smart meter that you WILL install.

    The way you will be forced to do it will be in a similar way to the introduction of water meters in Britain. When a new house or flat (apartment) is built, it will be part of the build. For existing housing stock, when the consumer moves out, the new owner/tenant will find they have to take the smart meter when they take over the property.

    You will then see on sale boiler control systems, ovens, freezers, etc. that will be compliant with this smart metering system - maybe the retailers and installers will eventually only be able sell these kind of devices - like the way you have to buy condensing gas boilers now.

    For early adopters, the bribe will be that you get discounted electricity/gas/water bills.

    In due course, you will find that you will pay a lot more for your utility services if you don't use the smart meter system with "approved" appliances.

    The deal will be that "un-smart-metered" services will become progressively more and more expensive than un-metered. Smart meter households will be able to pay a lot less per unit of whatever by allowing the utilities to limit the use of their ovens/fridges/kettles etc, to off-peak times.

    If they are well off or desperate, the smart meter household will be able to override the device limits, but will have to pay heavily for the privilege.

    Here's a scenario, it's Sunday evening Winter 2025, the kids need their school clothes washed and dried for the morning.

    Unfortunately there is a big energy gap in the UK. We now have no nuke power stations, and the new Chinese/French designs are running 10 years behind schedule and the first won't be ready until 2035. World natural gas supplies are up 25% over the last 10 years, but world demand has gone up 50%.

    UK shale gas is coming on stream in larger quantities, but early bores have been shown to have a very short commercially productive life and so government is having to underwrite all new development and infrastructure costs.

    So if little Jonny needs his school kit cleaned and dried by tomorrow, it will cost his ma & pa £25 for the privilege.

    1. Destroy All Monsters Silver badge

      Re: Never mind a foot in the door...

      £250 if you account for "inflation".

      Upping pension payouts? Where do you think you are?

  8. Will Godfrey Silver badge

    @nasty nick

    Actually, they'll have cut off the power during the night and Jonny won't be going to school at all because he's been rushed to hospital suffering from hypothermia.

    Kids can drop into a dangerous state much faster than adults.

  9. Decade

    Free Software is a requirement

    The Internet of Things needs to be Free Software, top to bottom, device firmware and all. There's no other way for it to be secure.

    These security researchers are wrong that we just need a security focus. The problem is that a manufacturer's product lifecycle goes from sale to end of useful support typically in much less time than a device's service life. And in many cases, they don't even have the ability to push out security updates.

    The normal way I hear these things go, you have a chip platform devised by Broadcom or Qualcomm or somebody, with binary drivers locking it to a specific Linux kernel version, and then you have a product design from some obscure Asian manufacturer, and then you have the big brand OEM's customization, finally releasing a product years later. Neither the OEM nor the original chip maker can release effective updates for this setup, and both want to move on to the next thing.

    The real solution is for everything to be run by Free Software. Linux has already proven that PCs remain useful long after the end of manufacturer support. The Internet of Things needs the same opportunity.

    1. Charles 9

      Re: Free Software is a requirement

      That's impossible. Many of the IoT items have trade secrets attached to them, usually protected by patents. Free software can do sod all against trade secrets OR patents (this is one of the big stumbling blocks concerning Linux and Android device support). Unless someone is altruistic enough to design an IoT item AND release the specs to the public (and you can forget about the law forcing them--these kinds of people would just move out), everything's going to be locked up tighter than a miser's purse. AND YOU WILL LOVE IT, TOO (if you value your life).

      1. Decade

        Re: Free Software is a requirement

        Personally, IoT without Free Software is impossible, because I won't buy it.

        Trade secrets? Excluded. Patents, especially on the software? Of dubious benefit to society and should be eliminated. If you want me to buy the thing, then I need to be in control of it.

  10. Tromos

    I want my breakfast...

    ...but I've forgotten the password for the toaster!

    1. Fatman

      Re: I want my breakfast...

      You can't have it because

      The Microsoft designed DRM says so.

      DRM - (in this case) Diet Restrictions Management!

    2. Tom 13

      Re: I want my breakfast...

      Oh no! There's a blue screen of death on the microwave.

  11. Anonymous Coward

    Antisocial people

    Professional criminals aside - it only takes a very small number of antisocial people to make life unpleasant in a neighbourhood. Recently our council planted some new saplings to replace a few diseased trees by a public path. Several were broken in two within days. A friend in an upmarket village receives continual harassment for no known reason - nails in tyres, glue in locks, even a large plant pot thrown through the window. Such malicious behaviour suggests there are people who take a delight in hurting the local community. Similarly people who spray their tag incessantly on any surface will possibly want to do something with IoT devices.

    The exploit information will be available on the web or in the playground. It will facilitate an anonymous attack with presumably some visible result.

    1. Charles 9

      Re: Antisocial people

      I put it this way: whereas most people live on food and water, some can only survive on schadenfreude. They're not happy unless everyone else is miserable.

    2. Anonymous Coward

      Re: Antisocial people

      Like script kiddies shutting off everyone's fridge, hot water heaters, and freezers during holiday periods, just for the lulz.

      That would make TIoT immensely popular, sure.

  12. regadpellagru

    No they haven't

    “The lessons have already been learnt on modern OSes."

    No, they haven't. Supposing Windows is part of the "modern" OSes (and I'd happily argue against this, but given its spread, let's assume yes), they haven't learnt a thing, otherwise they'd have rewritten IE long ago, after designing a proper security layer, and no flaw nor patch would ever exist, covering 6 major versions for a period of now 13 years and counting.

    Instead, they kept patching holes after holes, like drunken lemurs scooping water out of their sinking ship, forgetting to plug the big gaping hole first. Why is ActiveX still in W7 by the way ?

    "The mitigation techniques are out there and secure development lifecycles are well documented. IoT developers have access to the answers, if end users force them to use them.”

    Yes, the technology is here, but end users don't understand a thing, so can't force anything onto vendors. So they won't, and no-one else will, since only end-users have such an interest.

    Furthermore, the NAT barrier is today artificially protecting most devices, as an encouragement for doing security wrong safely (from a vendor reputation standpoint). So this will add to the problem.

    I personally think the whole thing will rapidly collapse under the impact of security flaws exploited by crooks, together with less than stellar added value, a bit like some electronic "solutions" in cars died under reliability issues for no added value (at least for the part of manufacturers that are still on the reliable cars market, again, customers don't understand a thing, and still a market for gadget cars exist).

    I liked this article, which by the way managed to kill the idea without even digging into some of the difficult aspects (like lapsing dates of food, liability in case of bugs, etc ...).

    1. Anonymous Coward

      Re: No they haven't

      I got news for you. THAT HAPPENS EVERYWHERE. Microsoft's just the company with a big fat bullseye on it.

      Yes, even in FOSS software (the infamous Heartbleed affects OpenSSL, which is FOSS) and even Linux. Nothing's perfect, nothing's even close to perfect, and a determined adversary will find SOME way in no matter what you do (Don't believe me? Check out CVE details). That's life. Live with it. It's like thermodynamics. You can't win, you can't break even, and (barring suicide) you can't leave the game.

      1. regadpellagru

        Re: No they haven't

        "I got news for you. THAT HAPPENS EVERYWHERE. Microsoft's just the company with a big fat bullseye on it."

        I agree it's not only ms, others in OSS and elsewhere get it wrong too.

        If this is gonna be permanent, as you and me seem to believe it, then, as I said, the darn thing will collapse.

        No-one will ever accept their supplies to be owned like their entertainment device is...

        1. Charles 9

          Re: No they haven't

          "No-one will ever accept their supplies to be owned like their entertainment device is .."

          And if they don't have a choice...?

          1. regadpellagru

            Re: No they haven't

            "And if they don't have a choice...?"

            Hmmm, Doom ?

      2. Destroy All Monsters Silver badge

        Re: No they haven't

        > That's life. Live with it.

        No, I won't live with it. F.U., go back to your fly-by-night-fresh-from-uni-it-compiles-ship-it-no-money-for-software-assurance coding horror.

        1. Anonymous Coward

          Re: No they haven't

          Sorry, but life doesn't take no for an answer. FU? They just FU back (through the back door and without lube). We're more likely to find a unicorn than the perfect program.

        2. Jamie Jones Silver badge

          Re: No they haven't

          " No, I won't live with it. F.U., go back to your fly-by-night-fresh-from-uni-it-compiles-ship-it-no-money-for-software-assurance coding horror."

          Ah..... Someone else who has the cheek to expect software in aircraft, missile guidance systems, traffic lights, power stations etc. not to fail.

          How naive of us(!)

    2. Mike 137 Silver badge

      Re: No they haven't

      The most serious culprit in all this is the EULA. As soon as you "license" rather than sell the product (or the software component of the product even if you just paid for the hardware) all the established legal protections relating to safety, functionality and even fitness for purpose suddenly cease to apply. Consequently there's absolutely no incentive to make the software secure or even robust against failure. In short - the EULA is a perfect get out clause and that's very unlikely to change due to the pressure of the vendor community on legislation.

      It's ironic (and self-defeating) that you can, just for an obvious example, buy a car (a potentially lethal machine) the mechanics of which must meet increasingly stringent safety standards in order to prevent fatalities, but the software that controls many of its safety critical functions can be complete garbage and there's very little comeback. Indeed someone usually has to die before any action is taken, and even then there's a financial penalty, but no guarantee the next piece of software will be any better.

      If you aren't convinced yet, read then extrapolate its findings to the entire hypothetical IoT. That's not unrealistic - the flaws Barr described are _seriously_ basic stuff - the kind of mistakes a student would be marked down for on any adequate programming course, and furthermore protecting the vendor's IP seems from that report to have taken precedence over the level of facilities provided to a court-appointed expert examiner. Does that not shout volumes about the way forward?

      Then of course there's the rather funnier (in hindsight) incident of the Satanic Renault

  13. Anonymous Coward
    Anonymous Coward

    Liability
    Make the suppliers of IoT stuff pick up the bills for any breaches that happen, say 30 days, after they have been notified of a flaw/exploit.

    I think you will find it amazing how that would focus their minds on having it secure and patchable from the start.

    1. Anonymous Coward
      Anonymous Coward

      Re: Liability

      They'll just complain that most problems are PEBKACs and that it's buyer beware, take responsibility.

    2. regadpellagru

      Re: Liability

      "Make the suppliers of IoT stuff pick up the bills for any breaches that happen, say 30 days, after they have been notified of a flaw/exploit.

      I think you will find it amazing how that would focus their minds on having it secure and patchable from the start."

      This would be the right approach. Except all vendors would cry foul and would force regulators to back off immediately. Such a liability has never been imposed on a vendor in the consumer market to date.

      And we're talking potential life threatening liabilities here !

      1. Charles 9

        Re: Liability

        And they have justification. ANYTHING that a human interacts with can be subject to human error. ANY such legislation will have the manufacturers crying foul over being held liable for other people's faults. And it can be hard to tell the difference between a genuine fault and a PEBKAC, and you need to know which so as to point the blame (and the bill).

        1. Paul Crawford Silver badge

          Re: Liability

          The point is not that someone did something stupid like not change the default password when prompted, it is when:

          1) The user is not subject to any reasonable attempts to point this out to them, or

          2) Said password can't be changed (looking at you Siemens' SCADA equipment), or

          3) Software supplied is subject to a known flaw (e.g. Heartbleed) and they DO NOTHING to fix it.

          All software has bugs, the issue is not that this will happen but that there will be lots of stuff that is simply not fixed because the manufacturers are too incompetent to do so, or just want to sell you another one.

          If they were held liable for, say 5 years, after the product was on sale and for all bugs not fixed after a reasonable notification time (like the suggested 30 days), then maybe they would take it a bit more seriously. Of course it would cost a little more, but think of how much better we would all be if the race to the bottom on development, testing and support was halted in the name of security.

  14. Anonymous Coward
    Anonymous Coward

    Me...
    I'm sticking with my mechanical coffee grinder...

    1. Anonymous Coward
      Anonymous Coward

      Re: Me...

      How does that compare with ?

  15. earl grey

    Oh Hell No

    I don't want anything inside, outside, or near my home "connected" except for my personal computer through the firewall; and it's hardwired. It's bad enough the government can (and will) snoop at will via any means possible (serious stop drinking reminder to those who think otherwise); and the griefers out there will find a way to bollox up your home and devices there if there is any access to the controlling device. I'll just keep my manual cookstove, furnace, leccy, fridge...thanks very much.

  16. Yugguy

    I reviewed an Internet of Things project back in the 90s

    Back in the 90s I worked for a large IT provider, took a trip to Scotland to review a bid from a little group of young blokes who wanted our clout and money from a certain chap who would later become a Dragon for their project.

    They wanted to use pressure sensors and Citrix to let your fridge monitor its contents and automatically order your milk when it ran out.

    The collective response unfortunately was 'meh'.

    Bit like now really.

  17. Anonymous Coward
    Anonymous Coward

    Need a "home controller"

    That has the security if you want to interface with these things from outside the home, so you don't need to worry about a million companies separately implementing security in a bunch of devices, some of which will have less computing power than an Apple II. There's no reason your fridge or light bulb needs to be directly accessible from the internet. None.

    They should send out all their packets with a TTL of 1 (or maybe 3, to account for some basic in-home routing) so that it is impossible to connect with them from the outside.

    It's not perfect: anything else on your home network like your computer, router or the home controller itself is still vulnerable, but at least you wouldn't have to care about the security of a light bulb in case someone finds an undocumented way to cause it to short and explode and thinks it's funny to make 200 million light bulbs simultaneously go "pop" all around the world!

    1. Anonymous Coward
      Anonymous Coward

      Re: Need a "home controller"

      Except the MERE EXISTENCE of that connection makes it vulnerable. As you say, cutting the TTL to 1 means it can get lost before it gets out while raising it any higher means someone could conceivably listen in by being within the TTL window. IOW, if it's not isolated, it's vulnerable, full stop.

      Here's the thing. Processing power or not, that IoT item is the proverbial foot in the door. You don't need it to do anything except bridge your connection inside, and once you're inside, your house is Mallory's oyster. A patient Mallory would take their time, using the thing as a bridge to map out your network and find something more suitable to attack, like your desktop.

      1. Anonymous Coward
        Anonymous Coward

        Re: Need a "home controller"

        How is it going to "bridge your connection inside"? If you're outside the TTL window, you can't even complete a TCP/IP handshake. I suppose if it accepted UDP commands it would be vulnerable, but there's a simple fix for that. Don't.

        1. defiler

          Re: Need a "home controller"

          Given that we're talking about billions upon billions of devices (in the article), and you don't want them to be visible outside the local network, shouldn't you be just using IPv6 local link addressing?

          Anyone trying to use internal routing in their house should have the savvy to be able to effectively firewall, and the responsibility to accept when they've screwed up. They can then enable routable addressing on these devices if they like.

          Just a thought.
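The thread above floats two ways of keeping a device LAN-only: sending with a TTL of 1 (or 3) and using IPv6 link-local addressing. As an added example, not code from the thread or from any vendor, here is how a practitioner would put the receiving side together. Two caveats drive the design. First, a device's own outbound TTL only limits how far its replies travel; it does nothing to stop inbound packets, so the check has to live on the receiver. Second, the receiver cannot trust an arbitrary TTL, because a remote sender can start from any value up to 255; the usable form of the idea is the GTSM check of RFC 5082, where cooperating local senders start at 255 and the receiver refuses anything that has lost more than the few decrements a home network can account for, since every router on the path decrements the field. The address-scope test (link-local, RFC 1918 private, ULA or loopback) is layered underneath. Assumptions not taken from the page: the application can read the arriving packet's TTL or hop limit (on Linux via the IP_RECVTTL / IPV6_RECVHOPLIMIT ancillary data), the home has at most LAN_HOPS_ALLOWED routers between controller and device, and the sample addresses are constructed.

```python
"""Added example: LAN-only admission policy for an IoT device (not from the thread).

Combines an address-scope check with a GTSM-style hop-count check (RFC 5082):
cooperating local controllers send with TTL / hop limit 255, and the device
accepts only packets that still carry 255 minus at most LAN_HOPS_ALLOWED.
A packet from the public internet has crossed many routers and cannot arrive
with a value that high, whatever initial TTL the attacker chose.

Assumptions (labelled, not from the page): the caller has the arriving TTL
available (IP_RECVTTL / IPV6_RECVHOPLIMIT on Linux), and the home contains at
most LAN_HOPS_ALLOWED routers between controller and device.
"""
import ipaddress
import socket
from dataclasses import dataclass

GTSM_TTL = 255            # value a cooperating local sender must start from
LAN_HOPS_ALLOWED = 2      # home router plus one more; cf. "maybe 3" in the post above


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def is_local_scope(addr: str) -> bool:
    """True for addresses that should never be forwarded across the public internet.

    Raises ValueError for unparseable input; the caller decides what to do with that.
    """
    ip = ipaddress.ip_address(addr.split("%", 1)[0])   # drop a zone id such as fe80::1%eth0
    return ip.is_loopback or ip.is_link_local or ip.is_private


def hops_travelled(ttl_seen: int) -> int:
    """Routers crossed, assuming the sender started at GTSM_TTL (negative means malformed)."""
    return GTSM_TTL - ttl_seen


def admit(peer: str, ttl_seen: int) -> Verdict:
    """Decide whether a command datagram from `peer`, arriving with TTL `ttl_seen`, may be acted on."""
    try:
        local = is_local_scope(peer)
    except ValueError:
        return Verdict(False, f"unparseable peer address {peer!r}")
    if not local:
        return Verdict(False, f"{peer} is globally routable; this device is LAN-only")
    hops = hops_travelled(ttl_seen)
    if hops < 0:
        return Verdict(False, f"TTL {ttl_seen} is impossible for a GTSM sender")
    if hops > LAN_HOPS_ALLOWED:
        return Verdict(False, f"packet crossed {hops} routers; LAN limit is {LAN_HOPS_ALLOWED}")
    return Verdict(True, f"local peer {hops} router hop(s) away")


def set_hop_limit(sock: socket.socket, hops: int) -> None:
    """Sender side: set the outgoing TTL / hop limit on a UDP socket.

    Use GTSM_TTL so that receivers running admit() accept the datagrams, or a
    small value such as 1 if, as the post suggests, replies must never leave
    the link. Note that the latter does not protect the socket from inbound
    traffic; only the receiver-side check above does that.
    """
    if sock.family == socket.AF_INET:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, hops)
    else:
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_UNICAST_HOPS, hops)


if __name__ == "__main__":
    # Constructed sample arrivals (peer address, TTL seen on the packet); not captured traffic.
    samples = [
        ("192.168.1.20", 255),   # controller on the same segment
        ("192.168.1.20", 253),   # two routers away inside the house
        ("fe80::1%eth0", 255),   # IPv6 link-local neighbour
        ("192.168.1.20", 200),   # private address but far too many hops: spoofed or tunnelled
        ("8.8.8.8", 255),        # a well-known public address, refused on scope alone
        ("not-an-ip", 255),
    ]
    for peer, ttl in samples:
        v = admit(peer, ttl)
        print(f"{peer:>16} ttl={ttl:3d} -> {'ACCEPT' if v.accepted else 'REJECT'}: {v.reason}")
```

The scope check is cheap but is not a security boundary on its own: private addresses are trivially spoofed in UDP, and a NAT or firewall that happens to forward a port will deliver them. The hop-count check is what makes the policy hold against a remote sender, and it only works because the trusted value is 255, the maximum the field can carry; anchoring it at 64 or any other common default would let an attacker simply start higher.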

  18. Anonymous Coward
    Anonymous Coward

    Someone doesn't watch enough movies!

    "The flaws, which revolved around improper validation of data, would allow a hacker to head out on the streets, hook up to the affected machines from a laptop and trick the lights into sticking on a colour, or changing unexpectedly. That could cause some nasty traffic, or much worse."

    If this has only just been discovered, I guess the person responsible hasn't seen Die Hard 4.0 or any of the other movies / TV series that have used this as a plot device...

  19. TopOnePercent


    “It is scary to think how many devices around us that we have just accepted and ignore as a 'black box device' when really they are a computer running old software - ancient versions of Linux not being uncommon - with basic security failures like default passwords, unpatched and simply exploitable software and web vulnerabilities that make it feel like 2005,” adds Lyne.

    Anyone else got a mental picture of Lyne as a PFY? To listen to him you'd think 2005 was actually a long time ago, or that default creds and unpatched boxes hadn't existed before then.

  20. Euripides Pants

    Obligatory XKCD

  21. spiny norman

    It's bad enough already ....

    I bought a Samsung fridge freezer. It has an LED panel on the front, which tells you the temperature in the fridge and the freezer, and an alarm if you leave the door open. Three weeks after it arrived, the temperature display stopped working, so we phoned the shop and the shop phoned the company Samsung outsource their service to. A week later two guys turn up with a new door - yes, they have to replace the whole door - but when they get it out of the box, it's damaged. So, back in the box, and off they go.

    Another week goes by, another two guys turn up with another door, but, guess what, that's damaged too.

    Two weeks go by and the service rep phones to say they've finally found a door that they've checked isn't damaged. So another two guys arrive, fit the door and off they go.

    Fortunately the LED panel has worked ever since.

  22. ProperDave

    I used to work for a telco billing company several years back. From that I learned that pretty much every street light, traffic light and telephone box (obviously) in the UK is hooked up to a telephone number. The company had a database of all the numbers for one of the clients.

    I dunno if the system's ever been updated in the past 10 years, but traffic light re-sequencing and street light reprogramming could be done by dialing up the street furniture and issuing new commands through a modem interface.

    I've never fully understood the obsession with IoT. I get the suspicion it's just a massive conspiracy to increase electricity consumption when we already have scare stories about the UK's power grid reaching breaking point, e.g. ( ).

    I've always thought the better approach to intelligent appliances would be to create a master computer in the house, that all devices connect to, to become smart. Does the Fridge really need a brain? Surely it should just be a rig of sensors reporting to a main unit somewhere in the house - and the reporting could be done over something other than TCP/IP to save network bandwidth.
