back to article If your smart home gear hasn't updated recently, throw it in the trash

When was the last time your smart thermostat, lights, hub, camera, or power socket was updated? If it was a while ago, you may want to think about chucking it in the garbage. That's according to DNS mage and security expert Paul Vixie, who has been using his status in the internet world to increasingly warn about the dangers …

  1. Adrian 4

    No chance

    I'm quite surprised the Kitemark still exists - I thought it had been superceded by CE marking.

    In any case, I can't see any government wanting to run acceptance testing of internet appliances. What would it need ? Sealed packet filters on PCs ? A ban on building any internet-connected device even in your own home ? Months of approval testing as for wireless products ?

    So the best we're likely to get is self-certification. I guess that could be coupled with a big stick if you self-certify and your product is then broken into and used for an attack, but can you see the big OS vendors opening themselves to this ?

    For all the recent horror stories about IoT-based attacks, they only exist because they're currently low-hanging fruit, easier to find and hack than the former targets, PCs. Regulation will cost too much and software quality will only ever be 'just good enough' - as it always has been in any other arena.

    If you want to protect the net against this sort of abuse, the net has to defend itself. You're never going to be in control of the endpoints, so it needs to be able to manage uncooperative endpoints. Perhaps by source address verification, probably by some other means that can also handle rogue ISPs.

    1. Anonymous Coward
      Anonymous Coward

      Re: No chance

      "I'm quite surprised the Kitemark still exists - I thought it had been superceded by CE marking."

      UL and CE are fundamentally different philosophies. The clue is in the names.

      UL is basically a safety test lab whose purpose was to benefit insurance companies - if your appliance catches fire and is not UL approved, your insurance may be invalid. It incidentally benefited end users who were able to buy stuff certified as being safer. UL testing is against standards recognised by UL, which participates in ISO and IEC but is not restricted to them.

      BSi kitemarking implied that goods were not only safe but met any performance criteria laid down in the relevant standards. Kitemarking is basically as good as the standard from that point of view. Crap standard, safe but crap product. CE marking is a declaration that something adheres to all the relevant standards that implement EU directives. Unless backed up by specific type approvals and quality systems, it just stands for China Export [this is a joke btw].

      Thus UL is in a sense commercial and CE is statist, except that manufacturers have considerable input into standards.

      UL or CE marking for IoT would imply that the manufacturers actually knew how to secure their products and could co-operate long enough to create standards. Holding your breath for this could result in attempted anaerobic respiration.

  2. quxinot

    Better still:

    Don't buy idiotic overpriced tat that requires an internet connection to any endpoint you don't also control.

    1. Steve Davies 3 Silver badge

      Or if you really, really have no choice

      but to buy something that has internet connectivity,

      Just don't connect it up.

      Just don't enter your WiFi password etc into the device.

      However, I would not put it past the bad guys (or spooks) to get their malware on the device before it leaves the factory.

      Then all they need to do is when the device is switched on, find the strongest WiFi signal and spend as long as it takes to crack the password and thus gain unfettered access to the internet.

      Keeping the supplier name in your access point is also a weakness. 'VM1234456' and 'BT234345567' are invitations to the hackers to exploit know weaknesses in these devices.

      As I write this, the more I am convinced that I will never buy a device that must be 'connected' in order to operate.

    2. Korev Silver badge
      Joke

      Uncontrolled endpoints

      Don't buy idiotic overpriced tat that requires an internet connection to any endpoint you don't also control.

      This would rule out most laptops and PCs from surfing the Internet :)

  3. Anonymous Coward
    WTF?

    Security expert?

    I admire and respect Vixie a LOT, he's a very sharp, very smart man. However calling him a security expert is kind of ironic, seeing that his BIND project has had a terrible security track record.

    1. Ole Juul

      Re: Security expert?

      In fact I think some of the focus should be shifted. As the article points out:

      the underlying issue remains the DNS itself

      The current DNS problems seem almost hopeless and not enough effort is put into solving them. Security holes in BIND are trivial compared to issues with the DNS system itself which are still going to facilitate abuse on the grand level that we've been seeing lately.

      1. Vic

        Re: Security expert?

        The current DNS problems seem almost hopeless

        The problem with DNS is actually quite easy to solve - it's just expensive.

        All we need to do is to phase out DNS over UDP - by turning off or firewalling the UDP responder - and get DNS clients to start using TCP by default[1]. This solves the problem of address spoofing[2], at the cost of significantly higher DNS traffic.

        Vic.

        [1] Current DNS clients will fall back to TCP if the UDP attempt is unsuccessful. That generally means a 20-second wait. If UDP becomes likely to fail, I can see the behaviour changing quite rapidly...

        [2] Address spoofing over TCP is pretty much impossible without co-operation from the spoofed address or the ISP providing it as you need the ACKs for the connection to progress.

  4. allthecoolshortnamesweretaken

    Throw it in the trash?

    Way ahead of you. Didn't buy it in the first place.

    1. joed

      Rule number 1 should be that all the stuff should have a kill switch for the smart/iot part that's non-essential for primary function. If I'm buying an appliance I may no longer have a choice to forego all the software BS tacked on (yet I'm inconvenienced by having to pay for it). Option to disarm the bloatware should be legislated manufacturer's responsibility (as most users outside design studios are perfectly happy with basic functionality and reliability)

      1. Charles 9

        No, it'll go the other way where killing the Big Brother circuit kills the whole thing, voids the warranrt, AND may put you criminally suspect for tampering.

        1. Kiwi

          No, it'll go the other way where killing the Big Brother circuit kills the whole thing, voids the warranrt, AND may put you criminally suspect for tampering.

          Lots of ways to "accidentally" fry a circuit without necessarily opening the case. The trick is making sure you only fry the appropriate parts of the circuit, rather than wholesale killing everything.

          Bypassing a lot of circuits isn't to hard, but if there is some way they can make things where killing the BB subsystem knocks the lot out, then you just disable what you can - could be breaking the antenna, or frying something in the received circuit or.. If it needs an inbound BB/IoS confirmation signal to work, then I don't need it anyway.

          And if you must open the case, proper tools to open it and close it and make it appear untampered are easy to come by, just about any $2 shop (or whatever cheap tat junkmarket you have over there) should sell it. I'd say a good number of commentards are well up with opening up stuff that's not supposed to be opened, without damaging the case.

          Where warrantys are concerned, many things these days seem to have warrantys that either are claiming the many ways there is no warranty, or the expire the moment the packaging is opened. Didn't fill out the warranty card and send it off? Well tough.. You claim you did send it? But we have no record of it, so your warranty is invalid! Also most IoS stuff is so cheap, it'd cost more to return the dead one then it would to buy a new one. (dead ones give you something to practice opening the case on as well!)

          As to criminally suspect..Ho hum. Who cares. So many of these things will be altered that keeping track will be difficult, chances of being prosecuted if caught are quite low, and even with risk of prison, for a must-have item (of which there are few really) I'd be prepared to take that risk.

  5. Anonymous Coward
    Anonymous Coward

    I suspect governments around the world are sitting back with a quiet smile until things get so bad that people (ok, big companies & media) demand they do something, whereupon they will declare the solution to be the banning of all access to the internet that is not authorised using an officially issued id.

    1. Charles 9

      In other words, the Stateful Internet, aka Big Brother.

    2. Kiwi
      Gimp

      whereupon they will declare the solution to be the banning of all access to the internet that is not authorised using an officially issued id.

      Not that long back we had dialup, people could build their own radio/tv transmitters easily, paper and decent printers were quite easy to come by.. People could "spread the word" easily. Then the internet came, and even more freedom of expression!

      But the more paranoid parts of me watch as TV becomes "digital only", although am/fm radio still is the same, paper is slowly disappearing, and decent printers that can do a long run and not cost the earth (and, it has been rumoured, printers leave ID'ing marks on the paper in some sort of specific dot pattern). And now we have hints of stuff like you suggest coming along.

      Even worse, the general populace will see it as "a good thing{tm)" - it'll help get all them nasty pedos and scammers and drug dealers and freedom fightersterrorists off the internet!

      Course, they will have to also learn to make sure they don't say anything potentially negative against the government, join the right online groups, vote for the government-mandated things, and remember who they're supposed to be hating this week, but they'll get used to it.

      Icon : My tinfoil is covered in black rubber to further protect me!

      1. Ogi

        > (and, it has been rumoured, printers leave ID'ing marks on the paper in some sort of specific dot pattern).

        Not a rumour, been confirmed since 2005. Some links:

        http://www.seeingyellow.com/

        https://www.eff.org/issues/printers

        https://www.eff.org/press/archives/2005/10/16

        Also, they tried very hard to turn off AM/FM, and replace it with DAB and DAB+. There was a hard switch off for analogue radio which was like the one for analogue video, but it was realised there were just too many devices out there for a sharp cut off like they did with TV.

        Don't worry, I am sure they are busy finding ways to get rid of radio as well. It might just take a bit longer.

  6. Phil Endecott

    Realistically, few people are going to follow this sort of advice and throw away products that, as far as they are concerned, are still working correctly.

    So what is the real-world solution, that allows the net to function smoothly despite billions of vulnerable devices being attached to it?

    1. jake Silver badge

      Fewer people even know Vixie exists.

      I'm firmly in the "don't buy useless over-connected[0] tat in the first place" camp.

      [0] To coin a phrase.

    2. Charles 9

      How do you survive skinny dipping in a raw sewer? Same situation.

      IOW, you can't. Eventually the Internet will become too polluted to use. From there, it's either the Big Brother Stateful Internet or back to the Sears catalog. Nothing in between.

  7. Anonymous Coward
    Windows

    Obviously...

    That's why I buy MSFT, they'll always be there for me!

  8. Brian Miller

    Preaching to deaf numpties

    All of this preaching to deaf numpties will be for naught.

    My landlord is a numpty, and I can barely get him to update his Windows PC. Will he be able to update an IP camera? No. Not no, but hell no. He's a numpty, does what it says on the tin.

    The only real solution is to ban IP ranges based on incoming attacks. That will prompt ISPs to filter out the individuals responsible for the problem. After all, how many ISPs ban bots in their TOS? If your network is violating TOS with malware, then it should be cut off from world+dog.

    1. Adrian 4

      Re: Preaching to deaf numpties

      I think that would be helpful to catch a single bot spraying out attacks. But a DDOS, especially using very common devices, might only need to send one attack from each of millions of devices. The originating ISP won't be able to detect it, and the target will have to send as many reports as it receives attacks, which isn't much help.

      1. Doctor Syntax Silver badge

        Re: Preaching to deaf numpties

        "The originating ISP won't be able to detect it, and the target will have to send as many reports as it receives attacks, which isn't much help."

        Change the emphasis a little. Tools such as Shodan enable the net to be searched for vulnerable devices. So instead of treating harbouring of attacks as the reason to blackhole ISPs, transfer attention to exposing vulnerable devices.

        1. Charles 9

          Re: Preaching to deaf numpties

          And if the devices are housed in uncooperative regimes?

          1. Kiwi
            Holmes

            Re: Preaching to deaf numpties

            And if the devices are housed in uncooperative regimes?

            It's common practice for Russia and China to be filtered out completely. You can whitelist IP ranges based on whatever you want, eg country you want to deal with, while blacklisting everything else. Only deal with UK customers? Then try to make it so only UK IP's can access your web site. If the UK becomes an "uncooperative regime" then you're SOL.

  9. Peter Prof Fox

    Given some instructions...

    I could take basic precautions to secure my mum's CCTV if there were some instructions. But the BT router doesn't come with any lock-down instructions for all unnecessary ports. I've no idea if I can disable UPnP. The camera presumably runs some *NIX, but how am I supposed to break into it without detailed, tested, instructions (and presumably credentials from somewhere). Now what? What if the instructions aren't for this model or brick it? So basically, even if I made the effort to check for the availability of updates and take the risk of a bricking there would still be a lot more security configuration left wide open. The bottom line is dubious benefit to me for hassle and risk. No thank you.

    Only the ISP is in a position to watch and make an intelligent (yeah right) assessment of unsavoury traffic originating from my home. Better late than never. Most claim porn/spam filtering incoming but what about outgoing nasty-packets? (Step one give this a catchy name that can appear on consumer sites. Maps? Spam backwards?)

    1. Charles 9

      Re: Given some instructions...

      And how many people STILL can't reprogram digital clocks (like on VTRs) after a power failure or being plugged in for the first time?

      1. Wensleydale Cheese

        Re: Given some instructions...

        "And how many people STILL can't reprogram digital clocks (like on VTRs) after a power failure or being plugged in for the first time?

        Scoff ye not. The microwave built into the kitchen of my abode around the turn of the century didn't follow the normal conventions for setting the clock. I had to refer to the instruction manual every single time the clocks changed.

  10. Griffo

    Legal Framework

    There are laws already (in this part of the world) that say that manufacturers must provide replacement parts for any product sold for X number of years.

    Why not simply extend those kind of laws that says that any software product must be patched for security flaws for X number of years after release?

    1. alain williams Silver badge

      Re: Legal Framework

      I received a recent letter saying that my car was subject to a recall; something about the air bag. My car is 6 years old.

      A lot of e-toys are made and the manufacturer quickly forgets about it, except to say that the next model is better and fixes problems in the previous version - that they did not tell us about when they sold it in the first place.

      If you are lucky you might get an update or two; but for 6 years or more ? If you get something to control your house lights it seems reasonable for that it continues to work for 20 years. When was your home last re-wired ?

      These things should come with product liability, as do cars, where they get safety & security updates for many years.

      It won't happen.

      1. Anonymous Coward
        Anonymous Coward

        Re: Product liability

        "These things should come with product liability, as do cars"

        The US, the UK, the EU and others already have product liability laws, and have had for some considerable time. They apply not just to cars. The question is - why is no one aware of them, and why is no one using them against stuff which is clearly defective by design ? [OK that's two questions]

        1. Charles 9

          Re: Product liability

          Because the manufacturers play shell games. Hard suing a company that vanished the night before the news got out.

  11. Number6

    The way to do IoT properly is to have a single server inside the firewall for all the devices to talk to, so that they're never directly accessible to the outside world. Then, if the owner wishes, he can open an access port in his firewall to that server from outside and hope that the server is not vulnerable. Having a bunch of different devices, all phoning home to different numbers, is a security nightmare but it's what we're stuck with until IoT people come up with a standard that allows someone to write a (preferably open-source) server to which they can all hook up.

    I have a bunch of IP cameras but they're actively blocked from talking outside the firewall here. At the moment I only have one device that talks out and at some point I'm going to see if I can reverse-engineer the protocol and roll my own server.

    1. quxinot

      ^ Exactly my theory as well. The problem is that it seems very difficult to get IoT objects that are controllable or customizable to that level. Their web interface usually includes three buttons, and hard coding for the phoning home behaviour. I'm sure that makes setup easier for most normal people.

      But seriously, the market for most of this crap is by geeks, for geeks. We are failing ourselves, here!

    2. Anonymous Coward
      Anonymous Coward

      That's the way you (and most of sensible users) would implement IoT. But most companies don't want to sell useful devices for *your* needs, they want to sell you the cheapest device that can still gather as much data as it can from you, and send them. Any useful feature is just needed to lure you into installing the device. Why Google killed the home hub it acquired? Google & C. want to be the hub, anything behind a firewall is bad. Sharing is caring, privacy is theft.

  12. William 3 Bronze badge

    They've never been updated.

    But then, I don't have any to update.

    A far better article would be why Iot shit is best avoided.

  13. Colin Millar
    Alert

    Throw i(o)t in the trash? - There's an app for that

    Believe it or not - an IoT trash can

    http://www.smart-qube.com/

    1. TopCat62

      Re: Throw i(o)t in the trash? - There's an app for that

      I wonder if their product is any better than their typo-ridden web site.

    2. Dan 55 Silver badge

      Re: Throw i(o)t in the trash? - There's an app for that

      Does it have a compartment you can fill.with I-o-Tat?

  14. Milton

    "Stifling innovation"

    To address just one point here, about Congress being "unconvinced" about regulation, supposedly because it would "stifle innovation" - I don't think it helps to pretend that these politicians are rational, honest people subject to weighing facts for the good of the nation.

    The "stifling" nonsense is just a figleaf. What the pols are really saying is "The lobbyists who pull my strings (i.e. corporates who contribute to my campaigns/provide 5-star 'fact finding' junkets etc) have a knee jerk reflex against any government regulation".

    If even one in 50 congresscritters steps back to assess the facts, understand that regulation of a level playing field is healthy and that this policy would be in *everyone's* long term interest, I would be astonished: the cash in pocket is what speaks.

    It's just another symptom of the disease which has done mortal damage to US, and western politics generally: money. When you let big money into politics, you can kiss goodbye to effective democracy and good government.

    1. Chris G

      Re: "Stifling innovation"

      @Milton exactly my thinking while reading the article, I am sure that also applies to other county's too. We can't allow the poor witless manufacturers to lower their profit margins can we.

      I have yet to find a piece of connected kit other than my PC or tablet and phone that can offer me a genuine life style improvement.

      Outside of industrial control systems most IoT is still in the answer looking for a question stage.

    2. Charles 9

      Re: "Stifling innovation"

      Well then representative government in general is fatally flawed due to the human condition to subvert any checks and balances you throw up. Law after all is at the core just ink on a page.

    3. Anonymous Coward
      Anonymous Coward

      Re: "Stifling innovation"

      >When you let big money into politics

      Care to show me when that was not the case after the Industrial Revolution got in full in swing in the US? Even as a lifelong Dem the issue is not the money per say as all it does is amplify a message (and is nearly impossible to legislate away). The problem is more the deregulation of the media conglomerates (where a few companies can own everything, including the clueless new kids on the block like Facebook) and a sustained effort to reduce public education funding since the Reagan era. Mission accomplished.

  15. Voland's right hand Silver badge

    Firewall them all, god will know its own

    Paraphrasing Arnaud Almaric: Firewall eos. Novit enim Dominus qui sunt eius

    Rule no 1 of the IoT subnet: What happens on the IoT subnet, stays on the IoT subnet. Any IoT gear that wants to go outside the house without going ACROSS MY GATEWAY under MY FULL CONTROL (emphasis on MY) needs to be attached to a chainsaw and that chainsaw used to gently bugger the vendor. Repeatedly. Starting with Google/Nest who initiated this idiotic architecture.

  16. Anonymous Coward
    Anonymous Coward

    Unluckily, that's exactly what the IoT industry (and not only) hopes...

    .... to sell you again and again the same device because it will never be updated.

    So the only useful line of defense is not to buy them in the first place. Especially if they don't work at all if not connected to the mothership.

  17. Anonymous South African Coward Bronze badge

    What about that you need to pass a basic computer course, like a drivers licence.

    Once you've got your PC licence, will you be allowed internet access.

    Of course you can have a PC without said licence, but you will not be able to connect to the internet without said licence....

    But that's just me dreaming.

    1. Charles 9

      It's also Big Brother to require a license to use something in the privacy of one's home. Are you really OK with police inspecting your houses for TV licenses?

  18. Anonymous Coward
    Anonymous Coward

    I have a smart lightswitch...

    .and I've never updated it.

    It has this clever function, If I press the top of the switch when it off, the light comes on. If I press the bottom of the switch when the light is on, it goes off.....but wait, here is the REALLY clever bit.

    If I press the top, when it's on, it stays on. If I press the bottom of the switch when it's off, it stays off.

    And best of all it still works if the wifi if not working.

    Smart huh?

    1. Phil O'Sophical Silver badge
      Coat

      Re: I have a smart lightswitch...

      I've got an even better one. It knows the state of the switch at the top of the stairs, and can automatically reverse its functionality depending on the state of the other switch. It doesn't even need a bluetooth connection to do it.

      1. dajames

        Re: I have a smart lightswitch...

        I've got an even better one. It knows the state of the switch at the top of the stairs AND the state of the switch at the other end of the hallway, and can automatically configure its functionality depending on the state of the other two switches. It doesn't even need a bluetooth connection to do it.

        1. This post has been deleted by its author

    2. Patrician
      Happy

      Re: I have a smart lightswitch...

      Then it's working wrong and needs a firmware update I'm afraid; everyone knows that Smart Light Switches should come on when the bottom of the switch is pressed and off when the top is pressed.

  19. This post has been deleted by its author

  20. Anonymous Coward
    Anonymous Coward

    Since IoT devices will continue to be made it is better to focus on which practices will make them securer, and particlualry, how to rediuce the bad practices at even long-term-orientated manufacturers.

    1. Charles 9

      "Since IoT devices will continue to be made it is better to focus on which practices will make them securer, and particlualry, how to rediuce the bad practices at even long-term-orientated manufacturers."

      And what happens WHEN, in the final analysis, the chief reason they're vulnerable is because they exist at all?

  21. Anonymous Coward
    Anonymous Coward

    Update update update

    Why would any sensible end user want to update anything regularly/frequently when it's just as likely that an update will make matters worse rather than improve anything?

    1. Missing Semicolon Silver badge
      Devil

      Re: Update update update

      Yes.

      Where have had too many cases where updates are used to remove functionality, instead of improve it (HP, Sony etc).

  22. Anonymous Coward
    Anonymous Coward

    Can someone explain the risk?

    OK, so I'm getting the message that IoT is bad from a security point of view. However, can someone explain (in a non-patronising manner, please) the risk with a device such a smart thermostat or smart socket where there's nothing open on my router to the outside world? As I understand, these devices work by instigating a connection to their home server whereupon data is exchanged up to the server and down to the device. This is in contrast to a device such as a camera exposing itself to the world by my setting up port-forwarding on my router whereupon anyone can attempt to connect to that camera. Assuming that my router is robust and the device isn't exposed by port forwarding, how a device behind the router be exploited?

    Thanks in anticipation

    1. Wee Heavy
      Happy

      Re: Can someone explain the risk?

      I am sure there are many other examples, but this one springs into me head:

      UPnP. If supported by your router, allows a UPnP compliant device (such as a webcam) to open a port through your firewall without any intervention by you. No need to poke about in your router to create the requisite port forwarding and firewall policies - the helpful device handles that for you. Contrast that with a normal outbound connection through a firewall which only allows related traffic back in (which is probably how it should work). A port opened via UPnP by an insecure device without your knowledge, effectively leaving it opened to the world seems to be the risk in a nutshell.

      Me, I disable UPnP on my routers or I buy ones that don't support the "feature" at all. I also see precisely zero need for a web connected thermostat, light bulb, door lock or toilet seat, so I don't buy any of that crap either.

    2. Anonymous Coward
      Anonymous Coward

      Re: Can someone explain the risk?

      Think about what happens if a company goes out of business, the domain the IoT device connects to is hijacked, and the device is vulnerable...

      Anyway most of the issues today are about devices which are directly addressable from the Internet and have vulnerabilities easy to exploit.

  23. Anonymous Coward
    Anonymous Coward

    n short, until this giant IoT security mess is sorted out, people will need to look out for themselves. And that means that if the tech you have is not doing the right things, you have to consider getting rid of it.

    Actually, that's also true for privacy. From what I've seen from most governments, your rights come such a distant second to their desire to spy on you that they might as well not exist. Treat your personal privacy like you're on your own - because you are.

  24. Anonymous Coward
    Anonymous Coward

    Not going to work

    Unless people can be held responsible for buying and running unsecured shit and the consequential abuse for spam of DDoS I can't see this change, and that responsibility is near impossible to pin down.

    You choose: cynic or realist..

  25. jzl

    Not in the trash

    Use your local recycling centre.

    We're getting more and more throw-away by the day and all this internet of things nonsense isn't helping.

    1. Charles 9

      Re: Not in the trash

      Most are too toxic to recycle.

      1. Fred Flintstone Gold badge

        Re: Not in the trash

        Most are too toxic to recycle.

        .. and that's just the firmware..

  26. Charles 9

    How do you stop the fly-by-night companies who respond to legal trouble by vanishing?

    1. Anonymous Coward
      Anonymous Coward

      "How do you stop the fly-by-night companies who respond to legal trouble by vanishing?"

      In the early days, not sure if still applicable, a Certificate of Conformty (CE) declaration had the name of the responsible individual on it, and their signature.

      Imagine that, someone responsible for bringing a product onto a market for sale, actually being legally required to carry some actual responsibility *as an individual*, rather than any potential penalty being applied at faceless corporate level (and therefore being meaningless and worthless).

      Not that any individuals ever did get held responsible afaik.

      1. Charles 9

        "In the early days, not sure if still applicable, a Certificate of Conformty (CE) declaration had the name of the responsible individual on it, and their signature."

        And like I said, what happens when that individual in question ups and disappears as suddenly as the company he or she represents? And all the legal records and so on turn out to be false as well because no government has the Big Brother resources to check everything?

        1. Anonymous Coward
          Anonymous Coward

          And like I said, what happens when that individual in question ups and disappears as suddenly as the company he or she represents? And all the legal records and so on turn out to be false as well because no government has the Big Brother resources to check everything?

          Congratulations - you finally found something positive to do with all that snooping. Ironically, that should have been the purpose all long..

    2. BinkyTheMagicPaperclip Silver badge

      You get them to release their code in escrow, pay into a fund for future bug fixing, and have mandatory security testing *before* their product is released.

      They don't want to do that? Their product is not available for sale or import..

      1. Charles 9

        Try getting a legislature to pass that, though. At the worst, ALL the manufacturers could threaten to leave en masse (and take their tax money with them) since they'll be acting in a cartel to protect each other (see oil industry). Plus there's always the gray markets.

  27. BinkyTheMagicPaperclip Silver badge

    Forget, IoT, what about phones?

    IoT is relatively new, and not as widespread.

    Phones are a far bigger issue. One of Blackberry's selling points for their new Android phones is that security fixes are released on a timely basis every month. This should not be a feature, it is basic functionality that in a sane world would be heavily scored against if lacking.

    Instead, no-one does. Thereg and all other sites are busy yakking on about how great the camera is, or the brightness of the screen, instead of revealing that the manufacturer's last phone stopped being updated after 18 months, isn't rootable, and is now a security nightmare.

    It's ok, though thereg, keep being two faced by whinging about IoT whilst refusing to criticise phones, and telling people to use IPV6 whilst not offering an IPV6 website yourself.. That would cost money and advertising, wouldn't it? Exactly the same reason no-one is improving security, and consumers aren't about to chuck out any kit that still works from their perspective.

    Inbound firewalling will increase at ISPs, and mandatory updates and remote kill switches will increase. Microsoft have got away with it for Windows 10..

  28. Tatsky

    I'm Amazed

    I can't believe I am hearing so many "Don't buy it" or "throw it away" comments on the comments section of an IT/Technical new site.

    FFS we're supposed to be tech savvy people, but the attitude here seems to be "nope, we will never ever use IoT devices" fingers in ears, I can't here you.

    If people took that attitude when motor cars first appeared, we would all still be driving around with a man waving a red flag in front of us.

    There is at least 3 prongs of attack here.

    1) Improve the DNS system, and add filtering and security measures at ISP level. Boo hoo is ISPs complain, every other industry at some point needs to improve their systems to improve safety. Safety here is digital/online safety.

    2) Educate and Legislate so that products released to market at least follow some basic common sense security principles, like encryption for a start.

    3) Ensure that IoT devices and firmware updates are rolled up within mandatory product liabilities. In my industry our products are UL864 compliant in the states, and EN54 in the EU/UK. We must ensure that spare parts are available for 10 years after we cease production of a product line, and that includes our software updates.

    Granted, none of this is easy, but it's what we must do.

    In principle there is nothing wrong with IoT. Some devices seem plain ridiculous, but there are a lot of areas that IoT is useful, so rather than just trashing it and throwing the whole idea in the bin, maybe as an industry we should be working to improve the situation?

    1. dajames

      Re: I'm Amazed

      FFS we're supposed to be tech savvy people, but the attitude here seems to be "nope, we will never ever use IoT devices" fingers in ears, I can't here you.

      I don't think anyone is saying that. What some people are saying is that most IoT devices are poorly desiged crap, and that they won't buy those implementations of the device, and other people are saying that even the devices that aren't obviously crap when new become crap when exploits are discovered and the devices don't get updated, and it becomes too dangerous and/or antisocial to keep them.

      3) Ensure that IoT devices and firmware updates are rolled up within mandatory product liabilities. In my industry our products are UL864 compliant in the states, and EN54 in the EU/UK. We must ensure that spare parts are available for 10 years after we cease production of a product line, and that includes our software updates.

      Exactly. That's what people are saying: Don't buy the current rubbishy implementations of IoT devices, but maybe do buy their successors when it's clear that some thought has been put into the security design, and the manufacturers have some incentive to support the devices for a reasonable length of time.

      1. Charles 9

        Re: I'm Amazed

        "Exactly. That's what people are saying: Don't buy the current rubbishy implementations of IoT devices, but maybe do buy their successors when it's clear that some thought has been put into the security design, and the manufacturers have some incentive to support the devices for a reasonable length of time."

        And if that never shows and people STILL DEMAND IoT stuff while the manufacturers continue their shell games and bribe legislators to keep enforcement toothless?

    2. Alumoi Silver badge

      Re: I'm Amazed

      In principle there is nothing wrong with IoT. Some devices seem plain ridiculous, but there are a lot of areas that IoT is useful, so rather than just trashing it and throwing the whole idea in the bin, maybe as an industry we should be working to improve the situation?

      Hmm, let's see if we can spot a useful IoT device: lightbulb/switch, kitchen appliances, medical devices, cars, utilities meters.... Nope, nothing useful.

  29. BinkyTheMagicPaperclip Silver badge

    Logical conclusion if devices are unpatchable and blocked/remotely killswitched

    A new market in embedded proxies/firewalls (ok, technically it'll be a bridge), and an explosion in single use wireless access points (because most new devices are wireless). Take your dirty IoT device, plug its connection/wireless details into the MakeItClean proxy/firewall, and off you go.

    Of course if you're a gadget freak with multiple broken devices it may need multiple firewalls/devices - which are mostly the same, just programmed a little differently to work around the foibles in the broken IoT.

    Of course, quis custodiet ipsos custodes? Better make sure the firewall is bulletproof and patchable..

    Should be entirely doable, and potentially a lot cheaper than replacing an IoT device.

    1. Charles 9

      Re: Logical conclusion if devices are unpatchable and blocked/remotely killswitched

      No, because many won't work at all without being able to phone home, and that alone can provide the hole miscreants need: part and parcel. And people still demand them because they ACTUALLY USE them. Frequently.

      1. BinkyTheMagicPaperclip Silver badge

        Re: Logical conclusion if devices are unpatchable and blocked/remotely killswitched

        So proxy it so it connects to a *different* home, that is secure.

        1. Charles 9

          Re: Logical conclusion if devices are unpatchable and blocked/remotely killswitched

          Can't proxy a secure connection. You don't know the key.

  30. Mike 16

    Three thoughts

    1) Manufactures would _love_ legally mandated "updates", as most updates are one step forward (at most) for security and two steps back (at least) for privacy/ability to avoid being involuntarily monetized. Bonus points for when the update so cripples the device that you have to buy a new one.

    2) The Snoopers of the world (Comey and May, for a start) are similarly all for it, with that "killswitch" idea as a bonus.

    3) UL and CE are a start, other than the oceans of crap out there with counterfeit labels.

  31. Kiwi
    Holmes

    Vixie has argued that a future solution would be to make network operators liable for any attack traffic that goes across their system, bringing the internet in line with other systems like money transfers. Unsurprisingly, ISPs are not excited about the idea.,

    See icon.. Hmm.. Open terminal, ssh sherlock@theregister.co.uk - now if I was to type that into my system I could be considered guilty of attacking El Reg - trying to access a system I have no right to access. If ISP's were liable..

    But lets say for 10 years I've been administering certain servers via SSH, maybe have scripts to semi-automate the login process (I'm not talking about saved passwords here, but something that might say open tmux and log in to half a dozen systems I monitor). Now suddenly I am not responsible for those systems (eg fired), but from habit type the URL or run the script, maybe even try to log in before I realise my mistake... Many on the other end would see this as an attempted attack.. Making the ISP's liable would mean that even an innocent mistake costs them money. Could also be mis-typed URL's/IP's and so on as well, as I was doing recently - someone would've seen a lot of attempted access recently because for some reason I was transposing a couple of digits in an IP I've used for a while.

    "Throw it away if the company goes out of business."

    I call first dibs! Especially on that off-brand 100" TV that you're throwing out because the company isn't around. And anything else I might find useful. All will go to a very deserving charitable cause!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like