Am I the only person...
...who wants to smack IoT developers over the head with a copy of the OWASP Top Ten, wrapped round a large brick ?
The Internet of Things is going to solve climate change, fix our political system, and ensure that you can always find a parking spot. Some see a future of 15 billion connected devices. Now, just the tiny matter of deploying them. There's a long way between all IoT's utopian promises and the reality. We've never attempted …
The OWASP Top 10 (updated for 2017, kids!) is great, particularly in the associated resources on their wiki. But it's web-focused, even if many of the issues have non-web analogues. Many IoT devices have web interfaces, but not all, and that's not the extent of their problems.
Is that we are moving from a solid product world, where non-intelligent devices last decades, to an IoT world, where you may get 6 months support, if you are lucky.
In industry, you are working on 10 to 20 year amortization timescales. Very little in the way of IoT is going to get support on that timescale.
The same for consumer products, a fridge or TV is something you buy in decade timescales, yet you are lucky if you get security updates for your TV after 2 years... So, after 2 years, it either becomes a dumb-TV or a security risk.
"If you don't connect it to the network, you don't have to worry about whether or not you get security updates."
Except that with the assumption of connectivity has come the assumption that the vendor can ship any old crap in the first manufacturing release and patch it later, so there is a fair probability that your TV won't work properly if you never give it a connection.
... it might not make a difference, because it'll be programmed - regardless of your puny attempts to stop it - to form an ad hoc wifi mesh network with any other wifi'd up device it can find amongst your collection of neighbours, and it'll find a way out eventually.
But they make it look like connecting it to the network will be helpful. That means that nuts like my parents, who had decided to test out some streaming services, tried to get the TV to stream them for them by having it connect to the network. Of course it didn't work, but now I have to find out how to get this thing back off the network. Somehow, my suggestion of giving them a raspberry pi that they could just connect an HDMI cable to was not seen as helpful.
Thing is it's difficult to buy dumb now.
Yes. Last time I bought a TV, Target had only one non-"smart" model on sale, and only two of them in stock.
You'll have a much easier time buying smart and not connecting it.
I hear anecdotally that some models won't work unless they're allowed to connect on initial power-up and occasionally thereafter. While it might be possible to reduce how often it's allowed to phone home, or spoof its server (I'm betting many manufacturers fuck up certificate validation), that sort of thing quickly becomes onerous for experts and impossible for regular consumers.
Appliance manufacturers have razor-thin margins, particularly at the low end. Data collection from "smart" devices is going to be very hard for them to resist.
It's pretty easy to buy dumb. Just buy a monitor rather than a TV, and use an external box to provide the video to it. The external box can be as inexpensive as a Raspberry PI, or if you don't want to go that route, there are dozens of commercially available solutions.
The problem is that if you take the time to solve the security issues and make sure that you don't access too much data, your project is one generation late to the market. Then you are fighting an uphill battle to grab customers who are all looking for the latest shiny and don't know – or care – about security issues.
"The problem is that if you take the time to solve the security issues and make sure that you don't access too much data, your project is one generation late to the market."
That's why regulation is needed to level the playing field. That way, if you don't solve the security issues you don't get to the market.
I'm not a huge fan of regulations. Mainly because saying "Regulations" gets a lot of people up in arms.
What needs to change is /liability/. We need decent data protection legislation, followed by punitive fines when there's a breach. Something based on the total number of deployed devices /with that vulnerability/ rather than just the number of people actually affected.
Just making a 'best effort' should be a defence, at least at first. We don't want it to become economically unviable to sell computing devices. But it shouldn't take much to clamp shut the vast majority of weaknesses (hard-coded / universal default passwords, unencrypted data feeding home, overreaching data collection, etc). We don't need to make these things impregnable, just 'good enough'.
Obligatory XKCD: https://xkcd.com/538/
I for one would like to say welcome to all the "disrupters" and "innovators" who were going to set the world on fire because they didn't need to listen to the more experienced people to the reality of how things are. Start reading the owasp top10, and then maybe someone can start to introduce security dev 101.
One of the reasons some of the "old" companies were slow, was because secure well thought out products are hard and take lots of expertise. Not a copy of stack overflow and 10,000 java library dependencies that you don't understand.
Regulation takes too long but companies do need to be held accountable for security across the board.
Also large IoT networks are being deployed which will be redundant in a year or two because the tech will be out of date and obsolete.
Its a wild west right now and a lot of money will be wasted until industry standards and regulations catch-up.
I had a IOT application I built a few years ago that had to be done fast and cheap (and you know the saying about what that does to quality.) Since I didn't have an unlimited security budget, I had to really decide what were the most important things to address.
The biggest risk was not getting the data, so I developed a fall back communications channel so that if the devices couldn't "phone home" via DNS they used raw IP addresses instead.
The second biggest risk was that someone would "poison" the data by sending valid looking but fake messages.Using SHA-256 and a secret dynamically changing salt value I signed each message to to ensure it was from a valid source.
The signing scheme has not been tested by adversaries yet, but over the last two years the raw ip communication channel has kicked in several times and proved it's worth. I don't know if DNS servers were under attack or the carrier was just having an off day. But the data came through the backup channel each time.
I'm sure given the time and resources I could have worked on mitigating 10 more important risks, but sometimes getting the first one or two is enough.
One of the basic tenets of capitalism viewed by right-wing Republicans is that the market is self-regulating and thus, should not be regulated.
As far as IoT is concerned, that means that they view millions of people spending money on products that are not secure, are eminently hackable and can cause major disruption of private life as a perfectly acceptable consequence because the market will just "adjust accordingly".
IoT is the "Unsafe at Any Speed" of the IT industry.
It needs regulation, and it needs a global body to evaluate and approve stuff for selling.
If we don't do that now, untold millions of people will suffer needlessly while crap-sellers stuff their pockets in what is surely a most immoral way.
But it's legal, so Republicans don't care.
Biting the hand that feeds IT © 1998–2021