Smart lights?
More like dim bulbs.
Nine security holes, four of them still unpatched, have been found in the Osram smart light bulb system, potentially giving attackers access to a home or corporate network. The issues in the Lightify Home and Pro systems range from cross-site scripting (XSS) to problems with the ZigBee and SSL protocols to insecure encryption …
bought by 'Dim wits'.
How long before they put a microphone into every bulb?
Oh, that's so that you can tell the light to switch off or it will switch on when it hears the sound of you coming into the room.
With all these security holes, it does not take someone with a brain as large as Einstein's to realise that this could be used to spy on you. Not only the spooks but the ad-slingers and retailers.
"We noticed that you were talking about 'X'. We think that you would like 'Y' instead. Just say 'Buy it Now' and it will be delivered in less than 30 minutes by our drone fleet that is working in your street at the moment"
Do not want. Will never buy. I'd like to give the person who thought that this IoT thing was a good idea a good seeing to.
We'll probably have to return to Tilley Lamps and Candles just to get away from the snooping in the not too distant future.
that almost every day, some stupid fucking pointless IoT device ends up on the front pages of this and similar Tech news sites for the only reason that it has been discovered it has flaws in its security, potentially opening your *entire* network to miscreants.
It's a sodding bulb, it has TWO, read 'em, TWO functions. On and Off, nothing more. I mean Osram, you had one job and you singularly failed to make it do that without all sorts of other unwanted pointless "features". If you count "Opening your network to attack" as a feature.
Cookers that you can turn on remotely, WHY? Cookers have had that facility for decades, called a timer. I mean you have to put the bloody meat in the oven in the first place so you then set the timer.
IoT is yet another solution looking for a problem but managing to cause more problems than it will ever solve.
>>it has TWO, read em, TWO functions. On and Off,
For a bit of romance, it's sometimes useful to set something in-between...
The anger can be focussed far more widely than IoT. I don't want to go all hippy, but since consumer culture began, we've been buying crap we don't need. This is just one more insane example.
Also, security is not done well on PCs. So why would we expect it to be done well on IoT, which has huge platform constraints?
This whole thing was inevitable, like the next financial crash.
/> Hippy mode off.
For a bit of romance, it's sometimes useful to set something in-between...
For that, there's dimmer switches. Generally they cost less to buy and install than a couple of "smart bulbs". Been around for years and work very well and are totally secure from those outside of the house.
Valid points on the rest of your post.
This is not something that has obvious advantages until you try it. My friend loaned me a couple of Philips Hue bulbs and, aside from using a lot less power than dimmer switches, they are the best alarm clock I've ever owned.
I have them set to fade in the lights with an artificial sunrise (I get up about an hour before sunrise in the winter) and it is a lot less jarring than an audio alarm.
"IoT is yet another solution looking for a problem"
Oh, it's the solution to an existing problem alright. That existing problem being "how can we make even more money by flogging tat to novelty-addicted, boys-toys-buying idiot consumers?"
This is why I'm not excited by (e.g.) improvements in display technology any more. Sure, it looks nice, but at the end of the day its purpose will simply be to provide an excuse for the same aforementioned boys-toys owners to replace their 18-month old smartphone with a newer one to impress their tedious friends with. At least, until they get bored of it after a month and start thinking of their next smartphone upgrade.
"it has TWO, read em, TWO functions"
I don't wish to dilute your overall message (it was not I that downvoted!) but a lightbulb has a SINGLE function, with TWO primary* modes of operation, 'on' and 'off'. :)
*Other modes are available on suitably engineered products combined with the correct control device. E.g. adjustable brightness setting ;)
That's easy :
"Did you put in all that security stuff ?"
"Yup."
"Okay, ship it then."
As far as security is concerned, IoT makers are still in the process of finding out which book to read.
There is no IoT security standard, there is no International IoT Security Review Board, there is no joint effort, no announcement of intent, no nothing.
At this point in time, security has nothing to do with IoT and IoT wishes nothing more than things stay that way.
There needs to be something like MISRA for IoT and it needs to be now.
Not that that would stop cheap Chinese imports, but look, hey, here's a reason to buy our expensive Internet-of-Tat lightbulb... it won't look through network drives or proxy your entire LAN traffic to the dark web if someone sneezes at it.
MISRA's a marvellous concept on paper, but never mind cheap Chinese imports, does anyone at all outside MISRA pay any attention to MISRA *in their shipping products*? I know lots of big names send people along to participate in MISRA activities; I also know some of them aren't listened to when they get back to their day jobs, because the MISRA messages are incompatible with company strategy (i.e. because doing things right is believed to have an unacceptable impact on short term costs and timescales).
OK, I've said this before but it's worth saying again.
Security requirements should be built into UL testing. Add FCC declaration of conformity and CE.
I'm not sure about FCC declarations but CE is a matter of self-certification so it might need a few prosecutions for false marking before that would fully hit home but the principle would be established: if you want to get it to market, build in security from the first design stage onwards.
I'd hope that someone is working on a seriously low-bandwidth protocol for commanding functions that are not safety critical, like on and off or up and down for light-bulbs, over the mains wiring of a house. It would emphatically not be any form of "homeplug" Ethernet, both for security reasons and for power-consumption reasons. Cars have already explored this route (CANbus). There are automotive security issues (and they ARE safety critical) but AFAIK these all revolve around the master controller, not the bus interfaces on the light-bulbs.
Then, there would be a standard for competing gateway / control hubs, which might be linked to a LAN and which might occasionally be secure.
It might even happen some time in the 2020s!
"I'd hope that someone is working on a seriously low-bandwidth protocol for commanding functions that are not safety critical, like on and off or up and down for light-bulbs, over the mains wiring of a house."
I already have this at home. It requires simple devices, placed conveniently adjacent to the doors of each room although there are exceptions where the devices are located on the ceiling and operated by a length of cord. The devices have a simple toggle action.
There is no such thing as a completely secure system. Add to that that many IoT devices are difficult, if not impossible, to upgrade, and security issues become inevitable. But you can do a few things to make things safer.
Don't put the system on the Internet just because you can. My light controller is not on the internet; you have to be on the local network to use it.
Change the default user ID and password. admin/admin will not fool anyone.
Keep your whole network upgraded. Two words: Weakest Link.
Monitor your system. Security is a continuing issue not a one time event.
Look into security issues when upgrading your system. If you see security issues ask if the benefits outweigh the risks.
The Osram rep is lying when they say that flaws in zigbee protocols are "unfortunately not in Osram's area of influence."
Aside from the fact that zigbee can be heavily modified by Osram, way back in 2007 the DoE published a paper describing how to secure a Zigbee network from replay attacks.
(links below)
They could have used the secure zigbee settings but just like their wifi management, they screwed it up.
(link: http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/Securing_ZigBee_Wireless_Networks.pdf)
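The replay protection the commenter refers to, as an added example that is not from this thread, from Osram or from the DoE paper: a ZigBee-style secured frame carries a per-sender 32-bit frame counter that is authenticated along with the payload, and a receiver keeps the highest counter accepted from each sender and rejects any frame that does not advance it. The sender ids, key and frames below are constructed sample data, and a truncated HMAC stands in for the real CCM* MIC.

```python
"""Receiver-side replay rejection with per-sender frame counters."""
import hashlib
import hmac
import struct

# Constructed placeholder, not a real link or network key.
LINK_KEY = b"constructed-demo-link-key-00"
MAX_COUNTER = 0xFFFFFFFF  # a sender that reaches this must rekey, not wrap
ADDR_LEN = 8              # 64-bit IEEE address identifies the sender


def build_frame(sender: bytes, counter: int, payload: bytes, key: bytes = LINK_KEY) -> bytes:
    """Sender side: header = address || counter; MIC covers header and payload."""
    assert len(sender) == ADDR_LEN and 0 <= counter <= MAX_COUNTER
    header = sender + struct.pack("<I", counter)
    mic = hmac.new(key, header + payload, hashlib.sha256).digest()[:4]
    return header + payload + mic


class Receiver:
    """Accepts a frame only if its MIC verifies and its counter moves forward."""

    def __init__(self, key: bytes = LINK_KEY):
        self.key = key
        self.last_counter = {}  # sender address -> highest accepted counter

    def accept(self, frame: bytes):
        if len(frame) < ADDR_LEN + 4 + 4:
            return (False, "malformed")
        sender = frame[:ADDR_LEN]
        counter = struct.unpack("<I", frame[ADDR_LEN:ADDR_LEN + 4])[0]
        payload, mic = frame[ADDR_LEN + 4:-4], frame[-4:]
        expected = hmac.new(self.key, frame[:-4], hashlib.sha256).digest()[:4]
        # Authenticate first: an attacker must not be able to burn counters
        # or desynchronise us by sending forged frames with high counters.
        if not hmac.compare_digest(mic, expected):
            return (False, "bad MIC")
        # A counter at or below the last accepted value is a replay (or a
        # captured frame delivered late); either way it is dropped.
        if counter <= self.last_counter.get(sender, -1):
            return (False, "replay")
        if counter == MAX_COUNTER:
            return (False, "counter exhausted, rekey required")
        self.last_counter[sender] = counter
        return (True, payload)
```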