Sloppy security in IoT putting 'life and limb' at risk, guru warns

IoT developers need to get their act together on security or the chaos caused by the likes of Anonymous in traditional computing will seem like a picnic, security vet Josh Corman warned the Building IoT conference in Cologne yesterday. Corman, the founder of and director of the Cyber Statecraft Initiative for …

  1. Anonymous Coward

    I've already opted out . .

    . . .of my supplier's offer of a "smart" meter.

    I did ask what security they were using but was told that they couldn't discuss "the wide range of security measures" for - security reasons.

    1. Anonymous Coward

      Re: I've already opted out . .

      It is remarkable how uniform suppliers' response to that question is - at least in the UK. I also declined, although they did try to 'suggest' it was mandatory.....

    2. Halfmad

      Re: I've already opted out . .

      I've also said no to one; when I was looking into smart meters the whole IoT put me off. As anyone with a background or even a vague interest in hacking (white hat or not) knows, there is massive scope to screw with people's homes with these. I'm just not bloody interested.

      You just know this infrastructure will be thrown in and forgotten about, never updated etc etc. National scandal waiting to happen.

  2. Mage

    "a flaw everyone 1000 lines of code"

    "a flaw everyone 1000 lines of code. Windows comprised around 10 million lines of code, he said, while a modern connected vehicle featured 10 times that number, and featured multiple attack surfaces, from in car Wi-Fi, to entertainment systems and Bluetooth locks."

    What?! Ten times as much code in a car than Windows? I don't believe it.

    People are using bluetooth for locks? Madness.

    Why does in Car WiFi connect to anything other than Mobile?

    Is there some exaggeration here?

    1. 0laf

      Re: "a flaw everyone 1000 lines of code"

      It's probably even crazier than that. I looked at buying a new BMW recently, they all came with some cellular connectivity baked in. But the bit that gives the most shivers was that the cars all had remote access.

      This feature would let me from my phone use an app to unlock the car from anywhere in the world to 'let a relative get in'. What could possibly go wrong with that?

      Also BMW has access to dial into the car at any point ostensibly to diagnose faults.

      I asked if these facilities could be disabled and was told no.

      Didn't buy it.

      1. Anonymous Coward

        Re: "a flaw everyone 1000 lines of code"

        Well I didn't either - but that was because I could not afford it.

    2. Eddy Ito

      Re: "a flaw everyone 1000 lines of code"

      Can't say there's much exaggeration if any. Perhaps you missed the story last year?

    3. Mark 85

      Re: "a flaw everyone 1000 lines of code"

      Even turned off, the car communicates via email, etc. to manufacturer, amongst others. My wife receives email from her car (probably routed through the manufacturer but we're not sure) about low tire pressure, oil changes, etc. We get these even if the car hasn't been started for several weeks.

      As for the amount of code... everything in the cars seems software driven from audio system to the tire pressure indicators. Even the power windows are actually controlled by the "computer" or some sub-system.

      It's scary to think about how much of the car is software controlled. On the other hand, it is comfy, drives well, and gets excellent mileage. But... those don't make up for the insecurities.

  3. Anonymous Coward

    The idea is still that if you do not want your own techie monitoring things, you just need to ask for technical boxes that can be repaired by a techie if they break down.

    Basic technification: make tech responsible and select a wifi-system, a meter-system, a monitoring system. If something does not work it is someone else's problem.

    It will be interesting to see the problems popping up in homes and SMEs first, though I'd be surprised if some major big enterprises were not caught with their IoTs down as well.

    Maybe it would be a good idea to have a checklist to keep the worst cr*p out of the door.

    Q1: Modern systems need to automatically update and patch. Is the gadget "rolling" or is that switched off? If it is switched off: what services are they offering?

    Q2: Modern gadgets need data communication to larger systems: how about documentation about what is uploaded by your gadget, privacy statements etc.?

    Q3: Where / in which jurisdiction is the data stored and processed?

    Any other good suggestions?

    1. Mephistro

      How about...

      Q4: Does it use an Open Source, strong encryption system when communicating with other modules in the system or with the outside world?

      Q5: For how long will the manufacturer keep sending security updates to the device?

      Q6: Has the manufacturer signed a written statement promising not to remove any features of the device?

      Q7: If some services or features depend on external servers controlled by the manufacturer, for how long will they keep said servers running?

    2. Mark 85

      How about the ability to turn off the IoT locally. I really don't need my refrigerator, toaster, etc. to talk to anyone. As for a light bulb... forget about it. Not going to happen.

  4. Anonymous Coward

    VISA and your car

    It's going to get really bad before it gets better. If it gets better at all. Here we are, 2016 and Windows still has vulnerabilities. So we can't just sit back and presume these are teething troubles that will go away. Don't get me started on Flash. How can there still be exploitable bugs in software that's basically been doing the same damn thing for 15+ years?

    I read with horror that VISA is teaming up with car manufacturers to automate payment via your car's computer system. I guess the idea is that you drive into a petrol station, fill up and drive away, and the car automatically pays? I really hope that up until the day I die I will still have the option of buying the 'old fashioned' items that didn't have all this integrated nonsense.

    Fundamentally I think the problem is software engineering, and the perception of it. People seem to think that "coding" is a simple skill even kids can be taught. In fact, given the reliance of the modern world on software, it should be something more like surgery, with strict license and qualifications for those (of us) who work on software that really does shit.

    1. ecofeco

      Re: VISA and your car

      People think ALL technology is simple. It's bad enough when the customer presumes it is, it's disaster when the board of directors think it is.

      1. Oengus

        Re: VISA and your car

        I can always cancel the account. What will they do then?

    2. Mike 16

      Licensing and qualifications

      Fellow Game Coder (was one, among other embedded and infrastructure work).

      I was with you down to the last sentence.

      While the current system of software development (slap a bunch of third-party packages together, disclaim all responsibility, re-purpose that toaster-controller code for the nuclear power plant...) has its issues, my experience is that the careful and caring mindset needed to produce reliable code is not correlated with certification. Often it is negatively correlated. We have plenty of worthless certificate programs already, and a multi-hundred (thousand) year history of licensing organizations being far more concerned with restricting the ability of "undesirables" to work. Someone who does not recognize, let alone understand, things like Big-O notation needs to learn more, but someone who can parrot them back for an exam without understanding the limitations of such models is not substantially better. Giving that person a certificate that says "you can stop learning now" is dangerous.

      I recall back in the 1960s, when some work for NASA was performed by people who could actually do it, "supervised" by people who had the required certification. Maybe something like that could arise again, but be careful what you wish for. People (yourself?) who would work conscientiously and understand the ramifications of what they did could be priced out of the housing market by people who could memorize the right multiple choice answers and golf with the right people.

  5. Anonymous Coward

    IoT developers and security

    As long as they're running their IoT on WinTEL then security will always be a joke.

    1. a_yank_lurker

      Re: IoT developers and security

      It's not a Wintel problem, IoT developers ignore security probably at the behest of some really dim PHBs. If the system is left open by design (extremely stupid) then it does not matter what the OS is or how secure it is if all the security features are bypassed.

      1. patrickstar

        Re: IoT developers and security

        While I've seen my share of atrocious XP Embedded systems and the like, some really bad cases don't even run much, if anything, of an operating system (often just some libs supplied by the uC/SoC manufacturer) and/or don't have an MMU (good luck running Windows - or remotely normal Linux - on that).

    2. Chezstar

      Re: IoT developers and security

      @Walter Bishop Are you actually trying to be serious with that comment? Go find anything IoT that has windows on it, oh wait, they don't.

      1. Richard Plinston

        Re: IoT developers and security

        > Go find anything IoT that has windows on it, oh wait, they don't.

        There is Windows 10 IoT for Raspberry Pi 2/3. Previously there was Windows 8 IoT for a couple of boards. Someone may actually have used this for stuff.

  6. asdf

    things never said

    I really need IoT said no consumer ever. Corporate data miners however. Corporations eventually will give us a choice but it will cost 5x more without it.

    1. Vic

      Re: things never said

      > I really need IoT said no consumer ever

      Not sure if it really counts as IoT, but the McLaren F1 had on-board diagnostics and a GSM module to warn the factory when anything was going wrong.

      The first most owners knew of the problem was when the mechanic met them en route to sort it out...
  7. Anonymous Vulture

    I welcome our new IoT overlords...

    ...and their never updated, security hole ridden, constantly phoning home devices - and the accompanying rise in my income that they will bring.

    I see a strong demand for the crippling of these devices' 'phone home' capability, patching of security holes in 'obsolete models' and so on, amongst a growing segment of the population. If you can wield a soldering iron, provide a limited warranty of basic functionality after the modification, and avoid crippling the useful functions in the process, you can probably earn a good off-the-books living. Shade tree mechanics did this kind of work for decades when automotive dealers demanded exorbitant prices for repairing their broken designs. I have yet to coin a term for this new occupation; privacy repairman does not quite have the ring I am looking for.

    1. Mephistro

      Re: I welcome our new IoT overlords...

      That was insightful! I could try that when MS stops forcefully pushing the Windows 10 'update'.
      1. Anonymous Coward

        Re: I welcome our new IoT overlords...

        That's easy even without GWX Control Panel and the like. The telemetry's the rub, and not just Windows, 10 or otherwise.

  8. ecofeco

    And I get downvoted for saying the same

    Nice to see someone else understands the problem.

    Sloppy security will be the rule, not the exception.

    1. Anonymous Coward

      Re: And I get downvoted for saying the same

      Not just security, sloppy coding period. Even in much more expensive packages, the error rate is near constant or even higher.

  9. s. pam

    IoT Luddite and proud

    I'm so glad I keep an eye on the Twitter account @Internet_of_Shit where you can see the coming techpocalypse in glorious 5-D! The screams of things fucking Americans will buy IoT crap will see that half of the globe so bent over to Skynet it ain't going to be pretty.

  10. Anonymous Coward

    IoT for Cars?

    Will they be using CSMA/CD ?

    1. Oengus

      Re: IoT for Cars?

      Hopefully CSMA/CA (Collision Avoidance)

  11. iotgenie

    The Greatest Fear is Fear Itself

    You own a home that can suffer from flooding due to rivers overflowing occasionally. You build a small retaining wall that you hope will keep your home safe in all but the worst of situations. You go on vacation to Europe feeling more secure that your property is safe. A once-in-a-lifetime flood occurs and your home is wiped out. The moral of this story is that when you think about improving your world, for something to be worthwhile it does not have to be 100% secure or mitigate all risk; it must improve your situation either by quality of life or by limiting failure from your prior state. This nonsense of fearing infrequent failures, which will certainly occur, in a system that improves our lives substantially is ridiculous and in my opinion is promoted by people who will be well served by either power or money if their ideas are considered seriously. All of us should put our practical hats on and adopt first and secure second.

    1. Vic

      Re: The Greatest Fear is Fear Itself

      > All of us should put our practical hats on and adopt first and secure second.

      *Fuck* *Right* *Off*.

      Security comes first. If we can get something useful after that, then great. But compromising security just to add some shiny is idiotic.

      That's not irrational fear; it's certain knowledge of what will happen to unsecured systems, based on decades of first-hand experience.
      1. Andrew Hodgkinson

        Re: The Greatest Fear is Fear Itself

        Amen. OP's analogy is ludicrous. The river can't be commanded to flood your home by a botnet operated by script kiddies 10,000km away, but the IoT boiler [1] can sure as hell be commanded to close its inlet valves, boil itself dry and burn your house down remotely. Good luck trying to get the insurer to pay out when they claim that it "clearly must have been your fault", because computers are perfect and the manufacturer claims the IoT boiler is secure.

        [1] Y'know, so you can warm up the water from work before you get home, because, like, everyone totally needs that and a dirt cheap mechanical timer just wouldn't cut the mustard.

  12. Anonymous Coward

    a 2nd year university student recently asked me....

    ... for help with a question about programming.

    He has been studying a variety of languages including Java, .NET, PHP and a little mobile Java for Android.

    The question was to compare .NET and PHP, specifically mentioning security.

    He wanted me to clarify some points and said to me:

    "PHP is just not secure, right, but .NET is secure out of the box so you don't need to do anything".

    I looked at some of his work and they are teaching very insecure and outdated practices running on very old (and now very insecure) versions of things. I was horrified that a university in England is doing this and now charging for it.

    I was torn whether to even correct him or not. I half hoped that he will get a fail and get kicked out, but I doubt that will happen.... he'll probably be a graduate recruit at GDS!!!
