I've already opted out . .
. . .of my supplier's offer of a "smart" meter.
I did ask what security they were using but was told that they couldn't discuss "the wide range of security measures" for - security reasons.
IoT developers need to get their act together on security or the chaos caused by the likes of Anonymous in traditional computing will seem like a picnic, security vet Josh Corman warned the Building IoT conference in Cologne yesterday. Corman, the founder of iamthecavalry.org and director of the Cyber Statecraft Initiative for …
I've also said no to one; when I was looking into smart meters the whole IoT put me off. As anyone with a background or even a vague interest in hacking (white hat or not) knows, there is massive scope to screw with people's homes with these. I'm just not bloody interested.
You just know this infrastructure will be thrown in and forgotten about, never updated etc etc. National scandal waiting to happen.
"a flaw every 1000 lines of code. Windows comprised around 10 million lines of code, he said, while a modern connected vehicle featured 10 times that number, and featured multiple attack surfaces, from in-car Wi-Fi, to entertainment systems and Bluetooth locks."
What?! Ten times as much code in a car than Windows? I don't believe it.
People are using Bluetooth for locks? Madness.
Why does in-car WiFi connect to anything other than Mobile?
Is there some exaggeration here?
It's probably even crazier than that. I looked at buying a new BMW recently; they all came with some cellular connectivity baked in. But the bit that gives the most shivers was that the cars all had remote access.
This feature would let me from my phone use an app to unlock the car from anywhere in the world to 'let a relative get in'. What could possibly go wrong with that?
Also BMW has access to dial into the car at any point ostensibly to diagnose faults.
I asked if these facilities could be disabled and was told no.
Didn't buy it.
Even turned off, the car communicates via email, etc. to manufacturer, amongst others. My wife receives email from her car (probably routed through the manufacturer but we're not sure) about low tire pressure, oil changes, etc. We get these even if the car hasn't been started for several weeks.
As for the amount of code... everything in the cars seems software driven from audio system to the tire pressure indicators. Even the power windows are actually controlled by the "computer" or some sub-system.
It's scary to think about how much of the car is software controlled. On the other hand, it is comfy, drives well, and gets excellent mileage. But... those don't make up for the insecurities.
The idea is still that if you do not want your own techie monitoring things, you just need to ask for technical boxes that can be repaired by a techie if they break down.
Basic technification: make tech responsible and select a wifi-system, a meter-system, a monitoring system. If something does not work it is someone else's problem.
It will be interesting to see the problems popping up in homes and SMEs first, though I'd be surprised if some major big enterprises were not caught with their IoTs down as well.
Maybe it would be a good idea to have a checklist to keep the worst cr*p out of the door.
Q1: Modern systems need to automatically update and patch. Is the gadget "rolling" or is that switched off? If it is switched off: what services are they offering?
Q2: Modern gadgets need data-communication to larger systems: how about documentation about what is uploaded by your gadget, privacy statements etc.?
Q3: Where / in which jurisdiction is the data stored and processed?
Any other good suggestions?
Q4: Does it use an Open Source, strong encryption system when communicating with other modules in the system or with the outside world?
Q5: For how long will the manufacturer keep sending security updates to the device?
Q6: Has the manufacturer signed a written statement promising not to remove any features of the device?
Q7: If some services or features depend on external servers controlled by the manufacturer, for how long will they keep said servers running?
It's going to get really bad before it gets better. If it gets better at all. Here we are, 2016 and Windows still has vulnerabilities. So we can't just sit back and presume these are teething troubles that will go away. Don't get me started on Flash. How can there still be exploitable bugs in software that's basically doing the same damn thing for 15+ years?
I read with horror that VISA is teaming up with car manufacturers to automate payment via your car's computer system. I guess the idea is that you drive into a petrol station, fill up and drive away, and the car automatically pays? I really hope that up until the day I die I will still have the option of buying the 'old fashioned' items that didn't have all this integrated nonsense.
Fundamentally I think the problem is software engineering, and the perception of it. People seem to think that "coding" is a simple skill even kids can be taught. In fact, given the reliance of the modern world on software, it should be something more like surgery, with strict license and qualifications for those (of us) who work on software that really does shit.
Fellow Game Coder (was one, among other embedded and infrastructure work).
I was with you down to the last sentence.
While the current system of software development (slap a bunch of third-party packages together, disclaim all responsibility, re-purpose that toaster-controller code for the nuclear power plant...) has its issues, my experience is that the careful and caring mindset needed to produce reliable code is not correlated with certification. Often it is negatively correlated. We have plenty of worthless certificate programs already, and a multi-hundred (thousand) year history of licensing organizations being far more concerned with restricting the ability of "undesirables" to work. Someone who does not recognize, let alone understand, things like Big-O notation needs to learn more, but someone who can parrot them back for an exam without understanding the limitations of such models is not substantially better. Giving that person a certificate that says "you can stop learning now" is dangerous.
I recall back in the 1960s, when some work for NASA was performed by people who could actually do it, "supervised" by people who had the required certification. Maybe something like that could arise again, but be careful what you wish for. People (yourself?) who would work conscientiously and understand the ramifications of what they did could be priced out of the housing market by people who could memorize the right multiple choice answers and golf with the right people.
It's not a Wintel problem, IoT developers ignore security probably at the behest of some really dim PHBs. If the system is left open by design (extremely stupid) then it does not matter what the OS is or how secure it is if all the security features are bypassed.
While I've seen my share of atrocious XP Embedded systems and the like, some really bad cases don't even run much if anything of an operating system (often just some libs supplied by the uC/SoC manufacturer) and/or don't have an MMU (good luck running Windows - or remotely normal Linux - on that).
"I really need IoT," said no consumer ever.
Not sure if it really counts as IoT, but the McLaren F1 had on-board diagnostics and a GSM module to warn the factory when anything was going wrong.
The first most owners knew of the problem was when the mechanic met them en route to sort it out...
...and their never-updated, security-hole-ridden, constantly-phoning-home devices - and the accompanying rise in my income that they will bring.
I see a strong demand for the crippling of these devices' 'phone home' capability, patching of security holes in 'obsolete models' and so on, amongst a growing segment of the population. If you can wield a soldering iron, provide a limited warranty of basic functionality after the modification, and avoid crippling the useful functions in the process, you can probably earn a good off-the-books living. Shade tree mechanics did this kind of work for decades when automotive dealers demanded exorbitant prices for repairing their broken designs. I have yet to coin a term for this new occupation; privacy repairman does not quite have the ring I am looking for.
I'm so glad I keep an eye on the Twitter account @Internet_of_Shit where you can see the coming techpocalypse in glorious 5-D! The screams of things fucking Americans will buy IoT crap will see that half of the globe so bent over to Skynet it ain't going to be pretty.
You own a home that can suffer from flooding due to rivers overflowing occasionally. You build a small retaining wall that you hope will keep your home safe in all but the worst of situations. You go on vacation to Europe feeling more secure that your property is safe. A once in a lifetime flood occurs and your home is wiped out. The moral of this story is that when you think about improving your world, for something to be worthwhile it does not have to be 100% secure or mitigate all risk, it must improve your situation either by quality of life or by limiting failure from your prior state. This nonsense of fearing, which will certainly occur, infrequent failures in a system that improve our lives substantially is ridiculous and in my opinion is promoted by people who will be well served by either power or money if their ideas are considered seriously. All of us should put our practical hats on and adopt first and secure second.
All of us should put our practical hats on and adopt first and secure second.
*Fuck* *Right* *Off*.
Security comes first. If we can get something useful after that, then great. But compromising security just to add some shiny is idiotic.
That's not irrational fear; it's certain knowledge of what will happen to unsecured systems, based on decades of first-hand experience.
Amen. OP's analogy is ludicrous. The river can't be commanded to flood your home by a botnet operated by script kiddies 10,000km away, but the IoT boiler can sure as hell be commanded to close its inlet valves, boil itself dry and burn your house down remotely. Good luck trying to get the insurer to pay out when they claim that it "clearly must have been your fault", because computers are perfect and the manufacturer claims the IoT boiler is secure.
Y'know, so you can warm up the water from work before you get home, because, like, everyone totally needs that and a dirt cheap mechanical timer just wouldn't cut the mustard.
... for help with a question about programming.
He has been studying a variety of languages including Java, .NET, PHP and a little mobile Java for Android.
The question was to compare .NET and PHP, specifically mentioning security.
He wanted me to clarify some points and said to me:
"PHP is just not secure, right, but .NET is secure out of the box so you don't need to do anything".
I looked at some of his work and they are teaching very insecure and outdated practices running on very old (and now very insecure) versions of things. I was horrified that a university in England is doing this and now charging for it.
I was torn whether to even correct him or not. I half hoped that he will get a fail and get kicked out, but I doubt that will happen... he'll probably be a graduate recruit at GDS!!!