Sad reality: Look, no one's going to patch their insecure IoT gear

If you think ordinary people are going to look out for and apply firmware fixes to patch vulnerabilities in the Internet of Things, you're crazy. It's going to be down to manufacturers to secure IoT devices, Intel Security's chief technical strategist says, because consumers will cheerfully give away their security and privacy …

  1. Voland's right hand Silver badge

    Viva the Fruity Revolution

    'Consumers are ready to roll the dice with their privacy every time they buy a gadget'

    This is exactly why my household is not joining the admen financed, cloud driven IoT Revolution. Even if the IoT devices did not need any Internet connection to report data to the Cloud, the scumbags monetizing our dirty laundry will make them need one so they can leech off us.

    They have already reached the status of the AIs in the Hyperion Cantos. Hiding in the cracks between the worlds, leeching off us a tiny little bit every time we "move from A to B" (even if A to B is kitchen to the sitting room). It is only a matter of time until they invent the Ruby Crucifix and build the Pacem empire. It is also only a matter of time until they show their true face.

    This is why I build my devices myself, thank you. I also teach my kids to do so. Initially from Razzies, nowadays from Bananas (both of them are equally closed source as far as the firmware/hardware goes, the Banana being significantly better in terms of build quality and performance and reliability under high load).

    1. Anonymous South African Coward Bronze badge

      Re: Viva the Fruity Revolution

      Well said.

      I prefer to stick all my things behind a good firewall. Or avoid things that leak security settings and information (like IoT doorknobs or whatever is used for security).

      It does not make sense to me to utilize something that can be hacked easily to gain entry to my house. Nah, I'll prefer to be old school and use a physical lock with a physical key. After all, these don't need electrical power to operate, will survive an EMP, and are not so easily hacked/bypassed if you use the right combination of hardware.

      1. Horned-Devil

        Re: Viva the Fruity Revolution

        "It does not make sense to me to utilize something that can be hacked easily to gain entry to my house. Nah, I'll prefer to be old school and use a physical lock with a physical key. After all, these don't need electrical power to operate, will survive an EMP, and is not so easily hacked/bypassed if you use the right combination of hardware."

        And somewhere on a locksmith's forum there will be a thread of 'how do people still use Yale locks, they are so easily picked...what they should be using is lock xxx with 27 pin capabilities etc'. You are aware of the risks you know and oblivious to those that you do not. The reality is that the general public will never know the risks they take with all the convenience features they have, be it in IoT or cars or locks or foods they eat. It SHOULD be mandated on the suppliers of all such products to be the experts and protect the public from themselves (with mandated firmware updates, avoiding ridiculous backdoors etc). How such a utopia could be achieved is sadly well beyond my ability to dream up...

        1. J. Cook Silver badge
          Paris Hilton

          Re: Viva the Fruity Revolution

          To be honest, all a lock is going to do is keep the drunks [inside|outside] and slow down the professional thief, who's probably already gotten in and made off with the valuables already. (or found that he's broken into the wrong home because there's nothing of useful value)

          1. Anonymous Coward
            Anonymous Coward

            Re: Viva the Fruity Revolution

            Hopefully the professional thief who breaks in will steal all the iot trinkets and gadgets first.

    2. Anonymous Coward
      Anonymous Coward

      All your IoT are belong to us.

      The way things are going, unfortunately the above will be true.

      At a minimum, put the things behind a NAT router, and if there's no reason for the IoT gizmo to talk to the outside world, add some firewall rules to the router to block the IoT's access to the WAN side. (e.g. Screw the cloud access for the cameras. Get off your lazy @ss & VPN into the network if you really need remote access to them)
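      The segregation described in this post, written out as an nftables ruleset. This is an added example, not something from the original thread: interface names (lan0, iot0, wan0, wg0), the subnets and the WireGuard port are assumed, and it covers IPv4 only.

```nft
#!/usr/sbin/nft -f
# Constructed example of a home router policy (interface names assumed):
#   lan0  trusted LAN (192.168.1.0/24)
#   iot0  IoT segment (192.168.50.0/24), a VLAN or a dedicated port
#   wan0  upstream link
#   wg0   WireGuard VPN, used instead of any "cloud" access to the cameras
# Policy: IoT devices may reach the router for DHCP/DNS/NTP, may answer
# connections opened from the trusted LAN or VPN, and never reach the WAN.

define LAN_IF  = "lan0"
define IOT_IF  = "iot0"
define WAN_IF  = "wan0"
define VPN_IF  = "wg0"
define IOT_NET = 192.168.50.0/24
define WG_PORT = 51820   # assumed VPN listening port

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN and VPN clients may manage the router
        iifname { $LAN_IF, $VPN_IF } accept

        # IoT segment: only the router services the devices actually need
        iifname $IOT_IF udp dport { 67, 53, 123 } accept
        iifname $IOT_IF tcp dport 53 accept
        iifname $IOT_IF icmp type echo-request accept

        # WAN: the VPN endpoint is the only exposed service
        iifname $WAN_IF udp dport $WG_PORT accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN and VPN clients may open connections into the IoT segment,
        # e.g. to view a camera feed; IoT devices cannot initiate the reverse.
        iifname { $LAN_IF, $VPN_IF } oifname $IOT_IF accept

        # Trusted LAN reaches the internet as usual
        iifname $LAN_IF oifname $WAN_IF accept

        # IoT -> WAN: nothing. Log a sample so phone-home attempts stay visible.
        iifname $IOT_IF oifname $WAN_IF limit rate 10/minute log prefix "iot-egress-blocked "
        iifname $IOT_IF oifname $WAN_IF drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Masquerade the trusted LAN only; the IoT subnet is never NAT'd out.
        oifname $WAN_IF ip saddr != $IOT_NET masquerade
    }
}
```

      The log prefix gives you a cheap detection signal: any "iot-egress-blocked" line in the router's log is a device trying to talk to the outside world without your permission.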

    3. Anonymous Coward
      Anonymous Coward

      Re: Viva the Fruity Revolution

      The moment I find an argument for the first IoT device to enter my home is the moment I will install a separate subnet with an IPv6 capable firewall that removes any data in extensible headers.

      On principle, there is no way I will permit any device to communicate with a 3rd party without my explicit knowledge and permission, and without me knowing what the communication contains. This is also why smart meters will not make their way into my house without suffering mysterious damage (I love the remark "it's not as safe as I thought" :) ).

      Just say no. Just because some idiot declares it "must have" doesn't make it so.

      1. Anonymous Coward
        Anonymous Coward

        Re: Viva the Fruity Revolution

        "The moment I find an argument for the first IoT device to enter my home is the moment I will install a separate subnet with an IPv6 capable firewall that removes any data in extensible headers."

        And once that happens, they'll switch to Whispernets, and because we insist on windows, it'll be hard to Faraday Cage the entire home, besides which it probably wouldn't do squat to systems that find a way to use the mains line as an antenna.

    4. Anonymous Coward
      Anonymous Coward

      Re: Viva the Fruity Revolution

      Alas your kids will ignore your wise words and get the shiny things that their friends have. Before you know it they will be so deeply inserted into the fabric of your home your only recourse will be to abandon your home and family and live as a hermit on a remote island.

      1. Charles 9

        Re: Viva the Fruity Revolution

        "Alas your kids will ignore your wise words and get the shiny things that their friends have. Before you know it they will be so deeply inserted into the fabric of your home your only recourse will be to abandon your home and family and live as a hermit on a remote island."

        And even then they'll just get you with spy planes and satellites. You should see the amount of detail those sky spy cameras can pick up these days...

  2. Scott Broukell

    The Information Age

    Or should that be The Information Gathering Age. Yep, the vast majority of folk seem not to give a single jot. We all go about gathering information (pics, audio and video on our phones etc), and it all gets sucked up by the Great Information Hoovers, whether we allow it to be so or not. We all volunteer vast amounts of information and the volume will grow with the wider adoption of IoT devices. We are all off on a long dark journey, following our information wherever it might lead us, down a rabbit hole constructed by marketeers, AI, VR and infomatic crazies. The world's most powerful hardware is dedicated to this, sheesh!

    1. Patrician
      Unhappy

      Re: The Information Age

      "the vast majority of folk seem not to give a single jot"

      The vast majority of folk simply don't know, nor understand; they haven't taken any courses in IT or internet use, not even an "Internet for Dummies" course, and they just haven't got a clue.

      Look at all the people shown on the BBC Breakfast News who've been conned by whatever the latest scam is. They've only been scammed because of ignorance of the systems they're using; and in a lot of cases it's wilful ignorance, I've lost count of the number of people that claim "I haven't got a clue when it comes to computers" ..

      1. CustardGannet
        Facepalm

        "the vast majority of folk seem not to give a single jot"

        ...unless someone wants to aggregate their pseudonymised medical information, in order to (hopefully) improve their life expectancy.

        In that case, it's out with the pitchforks ! Burn the witch !

  3. Dan 55 Silver badge
    Unhappy

    Inability to set technical standards, remove products, sue for negligence, anything

    Anyone can sell any old piece of tat which connects to the Internet and get away with it and now there's everyone's private data being siphoned and a zombie bot army waiting for instructions from the highest bidder/a nation state.

    Just what's the cognitive dissonance that prevents this being tackled by anyone who has the power to tackle it (governments)?

    1. Pascal Monett Silver badge

      Re: what's the cognitive dissonance that prevents this being tackled by [..] (governments)?

      Governments respond most readily to what the public wants. If someone in government really wants something to happen, he will attempt to drum up public interest in order to justify acting on it.

      So the problem is that people basically don't care, and nobody in government is being paid to care.

      Simple, really.

      1. The Man Who Fell To Earth Silver badge
        WTF?

        "Governments respond most readily to what the public wants."

        Name one.

        1. Brewster's Angle Grinder Silver badge
          Pirate

          Re: "Governments respond most readily to what the public wants."

          "Name one."

          The British government is busily cutting off all our arms and our legs in order to satisfy the public's demand for Brexit.

          1. MachDiamond Silver badge

            Re: "Governments respond most readily to what the public wants."

            They'll leave your legs and some way for you to give them money. How else will you be able to stand in a queue all day to pay yet another tax?

            1. Charles 9

              Re: "Governments respond most readily to what the public wants."

              Why bother? Just direct debit them and be done with it. And if you insist on cash, they'll just garnish it from your employer, beneficiary, or whatever.

    2. Anonymous Coward
      Anonymous Coward

      Re: Inability to set technical standards, remove products, sue for negligence, anything

      "Just what's the cognitive dissonance that prevents this being tackled by anyone who has the power to tackle it (governments)?"

      The government is Big Brother. They WANT all that data exfiltration so that THEY can get their hands on it while still possessing plausible deniability. So basically, if you want to maintain your privacy, you're on your own as more eyes are trained upon you.

  4. Anonymous South African Coward Bronze badge

    This just sucks.

    1. DavCrav

      "This just sucks."

      So you decided against buying the IoT vacuum cleaner then? It can tell you how much skin you have shed in the last thirty days, with a handy chart to find out if your molt rate is changing. There's a little screen on the front that shows you advertisements for other cleaning products on offer right now, and it automatically orders a replacement filter from Amazon when yours gets clogged.

      I want to patent this just to stop it getting made for twenty years.

      1. Brewster's Angle Grinder Silver badge

        You missed the DNA analysis to find out who's been in your home and estimate their duration of stay. Want to know if your lover is cheating on you behind your back? Now you can tell.

        1. DavCrav

          "You missed the DNA analysis to find out who's been in your home and estimate their duration of stay. Want to know if your lover is cheating on you behind your back? Now you can tell."

          That would be functionality that was built into it, but can only be accessed if you upgrade the software for a special introductory price.

          1. Darryl

            Don't forget that you won't be able to activate your new vacuum until you've created yet another account on the company's servers, and probably installed yet another app on your phone.

            Then you'll have to hunt through obnoxious settings pages to turn off the automatic Twitter, Facebook, Pinterest, Linkedin, etc. etc. etc. updates that inform the world when you vacuum and what it found in your rugs.

            1. SImon Hobson Bronze badge

              > and probably installed yet another app on your phone

              And then, in the name of "usability" you find that instead of being able to push a button to turn it on/off, you have to remember where you left your phone, switch it on, unlock it, find the right app, wait while it connects with the vacuum, and only then can you turn it on. That is, if you didn't forget to plug your phone in, in which case insert another step of finding the charger, waiting till there's enough in the battery to turn the phone on, wait while the phone boots up, ...

              Much the same argument about lighting. I have a switch on the wall by the door. It doesn't move around at random, I can't misplace it, it never needs batteries charging, and it works (in human perception terms) instantly - I switch it on, room gets lighter, I switch it off, room gets darker. Even my octogenarian mother can cope with the humble light switch.

          2. Anonymous Coward
            Anonymous Coward

            "Want to know if your lover is cheating on you"

            Not if your lover is cheating on you with an IoT, robotic lover, no DNA... Only Google or Amazon will know, then.... but check what kind of lubricant is on order...

      2. MachDiamond Silver badge

        Don't forget an instant analysis on any skin conditions you may have, with instant ads based on the tests. Dry skin? Let your vacuum cleaner send your results to Amazon's computer and they'll send you the ideal lotion. It will likely be a counterfeit of the name brand, but at least you didn't have to go through all of the trouble of finding and ordering it yourself.

  5. Anonymous Coward
    Anonymous Coward

    This:

    "Just what's the cognitive dissonance that prevents this being tackled by anyone who has the power to tackle it (governments)?"

    Money. Lack of concern. Lack of leaders with the faintest idea of IT security.

    That's what.

  6. Anonymous Coward
    Anonymous Coward

    Culture change required

    There's a much more fundamental culture change required.

    The common approach to "secure" security-related code is to run static analysis tools on the code once it has been written in an attempt to detect potential security issues (e.g. buffer over-runs, use after free). Unfortunately, trying to do this on code that wasn't designed to be secure is likely to be frustrating (lots of false positives) and incomplete (due to decidability issues within the checks required).

    What needs to be done is:

    1) Implement a proper software development life cycle;

    2) Introduce a set of security requirements up-front and trace these through to the code;

    3) Adopt a coding standard that prevents security defects from being introduced during coding (rather than trying to weed them out at the end).

    Basically, if you want security you need to be doing what's been done in safety-related projects for decades. The underlying causes of security and safety defects are the same - undefined and unspecified behaviours within the language used. Unfortunately, the security community often think "their" problem is unique and they are often failing to draw on the knowledge, experience and expertise that exists within the safety community (who are quite happy to share!).

    1. Stoneshop
      Holmes

      Re: Culture change required

      1) Implement a proper software development life cycle;

      2) Introduce a set of security requirements up-front and trace these through to the code;

      3) Adopt a coding standard that prevents security defects from being introduced during coding (rather than trying to weed them out at the end).

      Very sensible, very ambitious and totally unlikely to be implemented by the average Chinese tat vendor, who would rather add some more utterly pointless features, beefing up the feature list, than spend even two-and-a-bit microyuan on security.

      In short: good luck with that.

    2. Charles 9

      Re: Culture change required

      OK, now how do you get those expensive requirements through the board, who likely have escape plans in place so really don't care about legal ramifications?

    3. Naselus

      Re: Culture change required

      I think you missed:

      0) Determine whether there is the slightest actual benefit to connecting the thing to the internet in the first place.

      No one actually needs an IoT hair dryer. Robot vacuum cleaners also don't really need to be hooking into my wifi so I can order a quick dusting round the house from Tahiti - a simple timer command is more than sufficient.

      In fact, there's not a massive amount of stuff in the average consumer's household that genuinely NEEDS to be IoT. I can see the justification for the refrigerator that orders food for you, or for the heating system that can be controlled remotely. Other than those two? Not much.

      IoT could be of huge benefit to many industrial and commercial enterprises - self-ordering supplies have been a great boon for the printer industry, after all, and as the article notes it could have big benefits for oil refineries and the like. These applications will require stuff to get past IT professionals who understand and give a shit about security. Let's just leave it to that, shall we?

      1. Anonymous Coward
        Anonymous Coward

        Re: Culture change required

        Easy enough. The seller gets into the Big Data thing, which they need to remain a going concern (existential threat, so nothing is taboo).

        As for selling it to the customer, two words: safety feature. Just say it can summon the fire department if it ever catches fire while no one's home. You can do the same for most home appliances and simply point to the nightmare scenario of coming home to ashes.

      2. MachDiamond Silver badge

        Re: Culture change required

        Naselus, I don't see the need to remotely control the HVAC system, nor do I want the refrigerator ordering food for me.

        I find a programmable thermostat more than sufficient to keep the home cozy. I'd hate for some people having a bit of fun to turn the AC on full blast for an entire day. The electric bill would be frightening. The same goes for heating.

        What happens if I go off Greek yogurt and the fridge keeps ordering more? Some days I want one thing and other days I want something else. I much prefer to go to the market and shop for food in person. From a selection standpoint, if many people shopped online and purchased the products they already know, pretty soon that's all the online shops will carry in stock. I often take a flyer on things I find that look interesting. Staple items I pick up as needed when I'm out and about. I can always pick up a liter of milk at the petrol station when I'm on my way home. And again, what do you do when somebody orders a side of beef to be shipped to your home? If the store puts up screens to catch unusual orders, they may delay the order you did place for a dinner party or group cookout until you find their notice in your spam folder.

  7. Adam 1

    wait

    Hello Barbie does what? Oh right, different products.

  8. Vinyl-Junkie
    Facepalm

    Otherwise intelligent...

    ...users are still stupid when it comes to anything IT related.

    In other news, the Pope has not changed religion and bears are still using forests for toiletry purposes.

    Next.

  9. You aint sin me, roit

    "non-geeks have shown little interest in the security of their IoT gizmos "

    I'm not so sure that this is true. Take the iKettle - it's password protected, consumer thinks "I'm safe". Why should a "non-geek" imagine that it is actually an insecure gateway to their network? Particularly when the manufacturers themselves didn't.

    If manufacturers provided honest information about the security of their products then people wouldn't buy them! If you buy a kettle you don't expect your network to be at risk. If you buy a DVR you don't expect (and probably would be totally unaware) that it is being used for DDoS. You might, however, think otherwise if you were told the truth.

    The problem with security is not that non-geeks don't care, it's that manufacturers don't care.

    1. Tim Wolfe-Barry

      Re: "non-geeks have shown little interest in the security of their IoT gizmos "

      Couldn't agree more.

      Responsibility here has to fall on manufacturers and, since much IoT stuff is for utilities, regulators.

      If, to take an easy example, my electricity company want to move me to a "Smart" meter, then it should NOT be my responsibility to ensure that the dumb thing is secure and maintains my privacy adequately both to the Internet as a whole *and* to the supplier.

      For consumer gadgets and whizz-bangs there should be some minimum standard (akin to the CE mark on electrical and/or wireless devices) that certifies a level of compliance and security. Of course that won't stop the criminally negligent (or simply criminal), but it would give responsible manufacturers a standard to comply with and enforcement authorities something to work with, like when you find toys painted with lead

      1. Charles 9

        Re: "non-geeks have shown little interest in the security of their IoT gizmos "

        "For consumer gadgets and whizz-bangs there should be some minimum standard (akin to the CE mark on electrical and/or wireless devices) that certifies a level of compliance and security. Of course that won't stop the criminally negligent (or simply criminal), but it would give responsible manufacturers a standard to comply with and enforcement authorities something to work with, like when you find toys painted with lead"

        Thing is, nice guys finish last in this world, and the bad guys have gotten the knack of cutting and running down to a routine, so the law doesn't really scare them anymore. Plus, all else fails, they can hide behind China, who's already notorious for not caring how much they knock down the West (it's their way of waging war without waging war, after all).

    2. Mark 85

      Re: "non-geeks have shown little interest in the security of their IoT gizmos "

      The problem with security is not that non-geeks don't care, it's that manufacturers don't care.

      I think the manufacturers do care... they care that truth doesn't get out. If it did, they would either have to do something productive about security or watch the bottom line go to hell.

      1. Charles 9

        Re: "non-geeks have shown little interest in the security of their IoT gizmos "

        Or they can just disappear and pop up again under new names six months later somewhere no one knows about them.

  10. Mage Silver badge

    akin to the CE mark on electrical and/or wireless devices

    I hope much better and that CE is reformed as:

    1) Most national governments / regulators don't police what is sold

    2) Makers often dishonestly choose wrong category

    3) Makers leave out parts after approval (see 1)

    4) Too much self certification.

    The idea of CE is good, implementation bad and made worse by antics of individual Governments and Regulators who then dishonestly blame EU.

    Fines are also too low.

    I can see no hope at all for regulation of security on IoT as many already are not designed well enough to meet SOGA "fit for purpose" and/or last 2+ years. Many with CE marks don't in reality meet RFI standards in normal operation, they use special test settings and scenarios to pass.

    Technically EU Data protection laws, CE and SOGA *ALREADY* cover IoT security issues. But no-one with the money is interested in a court case against the makers. Governments and Regulators won't as they favour Big Corporates over Consumer (c.f. Ofcom's actions on Ethernet Power adaptors, Mobile roaming, BT, Sky's EPG costs etc.)

  11. Anonymous Coward
    Anonymous Coward

    While equipment makers won't mess too much with a gorilla like Exxon...

    ... they will be very tempted to get everything they can from you, and even what they can't.

    The industry fashion is devices must be able first to collect data and send it to the mothership, and security must kneel to this need. They also need to be cheap to produce to "maximize shareholder revenues", and again security must kneel to it - until law will fine any security breach enough that shareholders will change their mind about security....

    1. Charles 9

      Re: While equipment makers won't mess too much with a gorilla like Exxon...

      "until law will fine any security breach enough that shareholders will change their mind about security...."

      And then the firm will just vanish like a mirage, taking the shareholder's money with them to some place outside the reach of extradition. IoT is the new shell game, and the shysters here are experts.

  12. TeeCee Gold badge
    Facepalm

    Gosh, really?

    Who Could Possibly Have Seen That Coming?

    Oh yes, everyone with more technical knowledge than yer average grapefruit, apart from the rabid IoT evangelists...

  13. Jason Bloomberg Silver badge

    Dumb versus too smart by far

    There's no point in making such sensors too smart, he said. Instead they simply need to know whether to open or close and need no root access or extra functionality that could be hijacked by a hacker.

    Sounds good but someone will note there's no security per se in that. If someone gets on the network they can open or close critical valves, and that's bad. So we probably need some sort of password or authorisation to accept open and close commands.

    And we can't have hard wired passcodes so we need a means of programming those, and resetting them should someone guess and change them. Maybe we need certificates and some way to revoke or update those.

    And thus it inevitably grows, more security and more potential attack vectors. I would love to know what Exxon's solution to this dilemma is.

  14. quxinot

    <Edit: Removed simplistic, but realistic idea because it's talking down a bit. Forgot where I was.>

    The fundamental problem is I think many of us don't want an IoT device if we can't control BOTH ENDS of the thing. No, you don't get to connect to [s]the cloud[/s] someone else's computer. You can connect it to mine, that'd be nice, and I'd start actually paying attention to your products then. If each device had a web interface (or came with the backend software that created a site after interpreting the information from the item), I could then just remote into my home server check on the status of my IoT doorbell washer. The security would become more my problem and less the manufacturer's problem, so I could go with whatever I felt appropriate. This would also open up the option to sell some horribly underpowered computer hardware in a pretty box with an easy interface on it for big profits. Personally, I've got a machine or two I could use, but the vast majority of common users would be happy to lock in with whomever. Then, you'd only have to patch that one application instead of each device individually, so the after-support would be easier (though, not really, as there isn't any after-support now, hard to beat that for ease).

    It's a potentially neat idea, IoT is. It's a shame it's being used for idiotic tat, and badly at that.

    1. Anonymous Coward
      Anonymous Coward

      No, the FUNDAMENTAL fundamental problem is that You Can't Fix Stupid, and the average consumer is of the "Attention Deficit...OOH, SHINY!" level of stupidity. You can just look at it in the Presidential campaign. The election's not being decided by hard-thought policy decision (head hurts, too much thinking) but sound bites. Machiavelli was right. Faced with that kind of opposition, it's not a matter of if but when the New Prince enslaves the population with bread and circuses and blows all the laws (ink on a page) away with no way to stop them because people are stupid by default.

  15. fidodogbreath

    IT products sold as consumer products

    consumers will cheerfully give away their security and privacy in the name of convenience

    A more accurate statement is that "consumers are unaware that they are giving away their security and privacy when they buy something to solve a problem." "Giving away security" implies that people are making a conscious (albeit naive) choice. With IoT, most people are not even aware that their privacy and security are on the table.

    People shop for gadgets the same way they shop for detergent and paper towels. The consumer assumption is that all of the products are safe to use, so they buy the cheapest one, or the one in the nicest box, or the one that goes with their decor. In most cases, they simply have no idea that they are purchasing an IT product that must be managed using IT skills.

    So, there's your problem.

  16. MachDiamond Silver badge

    It's more profitable to leave out security

    I recently read an article that showed an example of how much money it could cost to do proper security testing and how little it MIGHT cost to pay settlements after the fact.

    1) come up with a clever IoT device

    2) have it made in China under a wonky name with a throw away website

    3) after you make a pile of money, delete the web site and any trace of the company (which was a postal box in the Cotswolds anyway).

    4) change the physical appearance and add another "feature"

    5) create a new virtual company

    6) return to step 2

    Most people don't research products to see if the company has been around for a while and supports their products for more than 6 months.

  17. MachDiamond Silver badge

    Gateways

    I'm finding it interesting that many automobiles are being hacked through their entertainment systems. It makes a tiny bit of sense to give your car stereo access to your music library or online music account, but to then have that system connected to the steering and brakes is a problem. I haven't seen that these "connected" systems can be positively turned off.

    Keen Labs in China just posted a video on YouTube showing an exploit of the web browser on Tesla cars that let them create all sorts of mayhem. The person in the target car was asked to search for the nearest charging station, a common task. The other researchers were able to get in the middle and take over many of the car's systems. Both the dash and center displays were hijacked and the owner could not access the touch screen. They also had people in the security company's office 12 miles (km's?) away apply the brakes on the car. This is just like putting 2 deadbolt locks on the doors and then leaving a large ground floor window open with a gun sitting in plain view for a criminal to use.

    The perfect quote is from Jurassic Park, "Just because you can doesn't mean you should." That always comes to mind when I read about new tech such as IoT. Lots of it is interesting and fun, but not particularly useful in the way it's being marketed.
