
ANY i.o.t
Device should be consigned to the bin, the entire concept is fundamentally flawed...
Researchers have developed a proof-of-concept worm they say can rip through Philips Hue lightbulbs across entire cities – causing the insecure web-connected globes to flick on and off. The software nasty, detailed in a paper titled IoT Goes Nuclear: Creating a ZigBee Chain Reaction [PDF], exploits hardcoded symmetric …
I beg to differ.
If it has a known protocol and if it is BEHIND a firewall and talking only to MY GATEWAY - I am all for it.
I have been fighting with the dishwasher for the best of today. It is having a hissy fit and claiming it has "water issues" which I cannot diagnose properly because I cannot interrogate its damn microcontroller and the codes on the front panel are not sufficiently informative.
I would have loved it being connected as long as it is not going anywhere outside my network - this would have allowed me to ask which of the 3 sensors in charge of the damn filling is at fault (reed counter for water volume, water fill cut-off or water level) while it is running through its tests. All of it without getting off my desk a couple of floors above it.
I don't think every I.o.T device is fundamentally flawed.
A lot of their current implementations are flawed from a security point of view.
I can see a point of internet enabled monitoring and control of several things in my house.
Lighting, heating and security all seem pretty useful to me.
The Philips implementation of shoving the IoT electronics in the lamp seems pretty silly and expensive to me. Also I wouldn't use Zigbee. But putting the IoT electronics in the ceiling rose, if properly done, seems like a good idea to me.
An internet enabled fridge or freezer that tells me it's getting too hot is useful if it stops me throwing lots of food away. Although I have never seen the point (or how it is sensibly achievable) of a fridge that would automatically order food and drink so it can be restocked. I (well my wife ;) ) want to be in charge of food purchases, not some flippin' fridge.
A cooker, clothes-iron or other fire risk item that could tell me remotely it's still switched on could be useful. I don't know how many times I've wondered if something has been left switched on when I have left my house. Maybe I'm a bit OCD, and should get help ;) I guess I could just check manually ...
I really don't see the great advantage of the NEST single thermostat controlling an entire house's heating, but individually controlled rooms with different temperatures set looks useful to me. Especially if some rooms can be left at a low just above freezing temperature because the normal occupants of the room aren't in the house. The Honeywell EVO home looks useful, but way too expensive.
IoT toasters, kettles well they really are pointless.
Of course all these things need to be done securely, especially if home security systems are included.
Currently way too many IoT things seem to be insecure.
Along with the cost, this is what stops me from currently bothering ...
"An internet enabled fridge or freezer that tells me it's getting too hot is useful if it stops me throwing lots of food away".
More than 27 years ago I bought a freezer that made a loud beeping noise if it got too warm. I believe it utilised a revolutionary device called a "thermostat".
Come on now, don't be shy. In the words of Delia,
Let's be having you.
To be honest, this is just another can in the supermarket sized can of worms that IoT is these days.
A Marketing answer to a question that has not been asked or if it has, it has not been properly considered in any way shape or form before the implementation.
IMHO, all IoT and I mean ALL should come with at very least, a health warning. At best, they should be removed from sale ASAP and all current owners told to disconnect them from the internet NOW.
Naturally, this won't happen so we will see this type of vulnerability demonstrated more and more.
Eventually, a botnet will be constructed that could threaten the whole internet. Not just DDOSing a few targets but the whole thing. Then where would we be eh?
Perhaps it might be a good thing. Because the sudden inability of the Millennials to listen to their latest bit of (c)RAP or R&B (Not proper R&B in my eyes but that is another debate entirely) that they would normally stream (stupid idea IMHO) might spur some reaction.
As a boring old fart/old fogey/IT Dinosaur (who still has the punched card stack for his first program), I will do my bit and not even purchase anything that is IoT enabled.
I wonder what Donald will make of this when all the .gov sites are taken down.
Perhaps it will be 'build another golf course and hotel complex'? {joking}
As a curmudgeon, may I be the first to say... I told you so.
Following the infinite monkeys theory it had to happen sometime.
"As a boring old fart/old fogey/IT Dinosaur (who still has the punched card stack for his first program), I will do my bit and not even purchase anything that is IoT enabled."
So what happens WHEN (not IF) EVERY lightbulb on the market is "smart," candles are nowhere to be found and they ban lamp oil as a fire risk?
To answer your question about what happens when all lightbulbs are 'smart'.
I will just pull up the drawbridge, disconnect the WiFi. No WiFi then no Internet connection for those so called 'smart' but actually dumb devices. I will also make sure that I buy up bulbs that are not smart before they go off sale.
Remember that if your lightbulb can be connected to the internet, how difficult would it be to add a Microphone and ... you can get the rest. Think of all those hours of Nooky that the FBI will have to listen to before they hear the words 'F*** Trump'...
As my 'Leccy' is supplied overhead, I have a good supply of Candles and a generator. We lost power for 7 days in the great storm a few decades ago.
Even if you disconnect YOUR WiFi, what's to stop someone else setting up one from outside your premises that your devices can nonetheless reach, and indeed they may be able or even REQUIRED to do so as a Whispernet, which you'd have no ability to turn off unless you'd like to live TEMPEST-style with no windows.
IoT devices could be hardwired, then they wouldn't need wifi.
Although some people have a pathological fear of cat-5 cabling and alarm-signal cables.
As an ex-electrician, amateur electronics tinkerer, professional computer programmer I get hours of enjoyment running cat-5 and alarm-6-core-signal cables everywhere around my house. I do realise I'm a bit odd in this respect, but my home-brew IoT will not be susceptible to Wifi attacks. ( although the mice might chew through the cables )
My wife might leave me over all the money I've wasted on cat-5 and other cabling, but that's another issue ...
Even if you disconnect YOUR WiFi, what's to stop someone else setting up one from outside your premises that your devices can nonetheless reach, and indeed they may be able or even REQUIRED to do so as a Whispernet, which you'd have no ability to turn off unless you'd like to live TEMPEST-style with no windows.
I'd open up the bulb and cut the antenna. Not possible to open it up? High enough induction current will fry it anyway. Plus the added bonus of returning it just before warranty expires -- can't open it up, can't prove I did anything nasty.
So what happens WHEN (not IF) EVERY lightbulb on the market is "smart," candles are nowhere to be found and they ban lamp oil as a fire risk?
You have obviously not been to a 3rd world country (where nothing works properly, even without the aid of the Internet): People learn to ignore the problems, and just get things done.
What will Donald do when all the .gov sites are taken down ...
I guess he'll want to build an IoT firewall and get the IoT industry to pay for it.
Although he really will not have any idea what it is or if it is achievable, so then he'll just unleash the red necks in a modern day luddite revolution to destroy all the IoT devices in the US at least.
I'm not wishing this, just saying ...
They only really do lights and healthcare. The Philips badge for TVs and AV licensed to two Asian companies, so less connection to that stuff than Argos has to Bush (Argos decide which Chinese/Turkish stuff to stick the Bush badge on).
Semiconductors spun off as NXP and now getting extinguished for the IP by Qualcomm, I mean bought.
No idea who does the kitchen stuff that used to be Philips, the tumble driers, fridge, freezer, washing machine.
In 1926 they only made light bulbs and diversified into Valves (tubes) then Radio. They were once the largest Consumer Electronics in Europe.
Whilst there are currently an awful lot of people who deserve some serious punishment <remoan>(including 52% of the UK voting population)</remoan>, possibly the stocks, pillory, branding irons, the whole mediaeval thing, really the people at the front of the queue should be the spam-for-brains idiots who get away with 'designing' these IoThingies. There is more to industrial design than "Alright, Mr. Wiseguy ... if you're so clever, you tell us what colour it should be."
It's worth noting the authors write in their conclusion that "The main problem is in the insecure design of the ZLL [ZigBee Light Link] standard itself", yes the attack was possible due to a leaked key in the Philips implementation, but the underlying standard is poor to start with, and there are some 1000+ ZigBee certified devices on the market from various makers.
You can get foil coverings for windows too. One of my company's new offices had it - to stop being dazzled in the new all glass modern building.
We had to deploy our own bloody femto box to the site because nobody could get a phone signal....
So yes, perfectly possible to have a sexy looking emcon building :)
To be fair, the Hue (and others of a similar function) do have a place - they are certainly not the "solution to a non-existent problem" a lot of the Internet of Tat stuff is. As a mood setting appliance they are useful - as a utility light, not so much and I'd use a normal light bulb attached to a switch.
That they've turned out to be insecure by design is a bit of a black mark for Philips.
Now it is IoT light bulbs, before that it was other IoT 'things'. Just how long before all those government mandated 'smart' meters are in line to become another plaything of the script kiddies?
Maybe, instead of the GSMA insisting IoT is more than vapourware they should be insisting on tight security for the devices.
Sheesh what kind of third world mud hut do you live in?
So you can change the colour and brightness of your kid's bedroom and dim it for his night light.
So your hall lights come on as you move through the house, but only if it's dark and much dimmer after midnight.
So you can dim the office light from working to movie time without getting up.
So you can set timers on your lights for when you are away (don't want the burglars tripping in the dark do we).
So your lights turn off if nobody is in the room, along with the heating in that room. No point heating the toy room when nobody is in there.
Seems the safest thing in relation to this security issue is to have your neighbours at least 400m away from your house.
"This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product"
Well, yes. Because one of those standard cryptographic techniques would appear to be key reuse. Even if the key isn't vulnerable to side-channel attacks or other hardware extraction, sooner or later it is going to leak from the manufacturer.
Key reuse in IOT becomes less acceptable with cost, lifetime and number for each SKU. Given the cost and expected lifetime of the bulbs, using the same key for even a few hundred items appears somewhat negligent.
is that misbehaving light bulbs would (will?) be a very visible but not really damaging manifestation of the current inherent flaws in the IoT concept. It should become obvious to both consumers and politicians that something is dreadfully wrong, and each group can in its own way apply pressure to those who peddle both the concept and the hardware. The possible reputational damage to Philips (or whoever has the use of the name) ought to be sufficient for remedial action to be more or less inevitable, and it might just wake the politicians up sufficiently for them to realise that legislation will have to be enacted to enforce a much greater degree of user protection*.
I think we have to be realistic and accept that the IoT, daft as it is, is with us and is likely to spread considerably before anything is done to make it anything even resembling secure. Television advertisements for one system or another are becoming more commonplace, and (sadly) there will be an awful lot of people who fall for the idea that their lives will be more complete and rewarding if they can fiddle about with their domestic appliances using their fondleslabs some distance from home.
Their gullibility is breathtaking; to (slightly) misquote H L Mencken: Nobody ever went broke underestimating the intelligence of the public.
* How effective this can ever be is uncertain, given that systems that are supposedly secure clearly aren't when subjected to a determined attack.
"The chain reaction will die in city areas where less than 15,000 of the globes are used"
So, not really an issue then. I doubt there's actually a single city that has that many IoT lightbulbs, let alone that many of a specific brand. Hacks that rely on there being a significant number of vulnerable devices in close proximity are best aimed at devices that actually sell in significant numbers.
That's not to say work like this isn't worth doing; the more people point out how stupid it is to have hilariously insecure internet connections controlling basic needs like lighting and heating, the better. It's just that this particular attack is less "everyone's lights are about to go crazy" and more "fortunately most people aren't stupid enough to buy this shit yet".
Read the paper!
"Since the Philips Hue smart lights are very popular in Europe and especially in affluent areas such as Paris, there is a very good chance that this threshold had in fact been exceeded"
The number of 15,000 comes from an estimated radius of 100m for each ZigBee device and the area of Paris being about 105 square kilometers. Infecting 15,000 will give a critical mass capable of infecting all the lights - though it is possible that infecting just one would be enough.
The concept is good as a concept, but every implementation so far proves to be bad. Even worse, nothing will change until someone actually exploits a massive hack and shuts down an entire city/traffic network/airport/hospital/... Once we figure out that securing will be a. extremely expensive, b. make IoT devices go offline all the time thus crippling its functionality and c. does not provide 100% security we are forced to accept to be pwned every now and then.
Actually in "A Deepness in the Sky" aliens (that is, us) try to take over a world (the alien world) by subverting the automation of the alien civilization from orbit.
One of the protagonists (Pham Nuwen) also reminisces about an event in which he participated in a planetary police mission because the local fascist bastard govnmt had transformed all the gear from Furby to Phone into surveillance and enforcement tools.
Plus, Pham wins the day by using circuitry built surreptitiously into every nano processor since, like, forever, that only he knows how to control (because he is a survivor of another age) ... using hand gestures (see also: crazy prepared)
Who was the lobotomised idiot who thought it would be cute to use the internet to turn on a tea kettle. There is absolutely NO need to have any appliance connected to the internet. Communities have controlled light for decades using photo sensors and mechanical timers. And I had remote control for lights via the telephone since the 80s.
Remember, a net is just a bunch of holes connected by string and a cloud is just a bunch of holes connected by vapor.