The S in IoT stands for security. You'll never secure all the Things

I was one of the first people to use an Internet of Things (IoT) device. It was Carnegie-Mellon's Computer Science Department's Coke machine*. True, I didn't need to check on it since my school, West Virginia University, was 77 miles from CMU, but I thought it was really cool back in the day that I could see what was what …

  1. Anonymous Coward

    There is an S

    It doesn't stand for security. Amusingly, and not to be cruel to the author, but go back and read this noble rag's own coverage of the rise of the IoT s—storm.

    Both in the articles and the commentary, this was foreseeable and foreseen.

    We literally told them so. We never stopped. We pointed out that once the crap shipped we would be stuck with it online and causing problems till it ended up in a landfill. That could take decades.

    Welcome to the future you chose by ignoring us. We told you this would happen. Have a nice day.

    1. steelpillow Silver badge

      "We should have seen this coming"

      All too many of us Reg commentards did.

      But there is also an L in IoT, for "La-la-la" with your fingers in your ears.

      And it's not just the firmware, the older and cheaper hardware is also insecure by design. Secure from the ground up is still rare.

      Why I still refuse a smartmeter to this day.

      1. CountCadaver Silver badge

        Re: "We should have seen this coming"

        Yep, you and me both, even in the face of non-stop "offers" to pay less with a smart meter from the multi-appendaged energy supplier.

        Uhhh, no, pass on time-of-use spot pricing; rather not wait till 0230 to be able to afford to turn anything on, thanks....

    2. Michael Strorm Silver badge

      Re: There is an S

      I was ready to cut and paste the " We should have seen this coming" quote and say much the same thing, but it didn't surprise me that others like yourself got there first.

      There's nothing in this article that your typical Register reader hadn't already known the better part of a decade ago. Not the fact that the industry didn't care and that it would happen anyway.

      1. Michael Strorm Silver badge

        Not sure if that was autocorrect or just me...

        Correction; "Not the fact that" -> "Nor the fact that".

        Also, while I'm here, just to clarify that I don't disagree with the article per se so much as the idea that the audience here didn't already know that, or that "we" (the readership, or those in the industry in general) are somehow to blame when countless people *have* been warning about this sort of thing and the actual problem was that those who wanted to sell the boys-toys-tech-loving masses cheap (or not cheap), gimmicky tat (*) didn't care about it and still won't until it becomes a major problem and they start getting penalised for it.

        (*) Repost (not mine):-

        Tech Enthusiasts: Everything in my house is wired to the Internet of Things! I control it all from my smartphone! My smart-house is Bluetooth enabled and I can give it voice commands via Alexa! I love the future!

        Programmers / Engineers: The most recent piece of technology I own is a printer from 2004 and I keep a loaded gun ready to shoot it if it ever makes an unexpected noise.

        1. Michael Wojcik Silver badge

          Re: Not sure if that was autocorrect or just me...

          That's the thing. It's irrelevant (aside from the small satisfaction of being proved right) that many of us were warning about the dangers of IoT from before that term was even coined. Manufacturers were also aware. They didn't care. They knew perfectly well that a lack of security wouldn't significantly affect profits, whereas with their often razor-thin margins, any efforts to improve security would.

          The market won't fix this. Security vulnerabilities are an externality for consumer-device manufacturers, medical-device manufacturers, and the others responsible for this mess. If we want the situation to improve, we'll need regulation.

    3. hedgie Bronze badge

      Re: There is an S

      Were I a lady, I'd have changed my name to "Cassandra" a long time ago.

      1. Michael Strorm Silver badge

        Re: There is an S

        Is there a version of that myth where they *do* believe everything you say, but are fated to somehow not give a toss regardless?

        1. Sherrie Ludwig

          Re: There is an S

          > Is there a version of that myth where they *do* believe everything you say, but are fated to somehow not give a toss regardless?

          Yes, those are politicians.

  2. Will Godfrey Silver badge
    Unhappy

    As I've said before

    The only smart thing here is between my ears - and that's getting a bit debatable!

    1. simonlb Silver badge

      Re: As I've said before

      Until there is a robust, secure by default, vendor agnostic, fully certified IoT protocol adopted as an industry standard, IoT stuff will continue to have crap security and I will avoid it like the plague.

      The industry seems very keen to band together to create 'standards' where they can make money off them, but when it comes to security the cost is too high. Is it though? If the industry creates the necessary protocol - and vendor agnostic is a critical feature here so there is no phoning home going on - and ignores the cost of creating it, people will be happy to consider buying devices which use that protocol, knowing that it is inherently secure, low risk and they can mix-n-match devices with no issues. Long term, that is better for the industry than the complete shit show we currently have.

      1. Anonymous Coward

        Re: As I've said before

        There have been several attempts. It's difficult because very few IoT devices have a UI to enter a password into, and all certificate systems assume Internet access to verify the chain back to a small number of "security" vendors.

        They have all failed because almost all IoT companies fall into two camps (with a fair amount of overlap):

        A) Cheap as possible. Stick some modules together. If it seems to vaguely work, ship it.

        B) Vendor Lock In. The key requirement is that the customer be forced to buy everything from the same vendor, with an annual subscription that can be increased at a moment's notice. Everything else is secondary.

        End user security isn't even on the list.

        1. simonlb Silver badge

          Re: As I've said before

          And this is why we need that protocol. If it is done right, and made as secure as possible whilst being very feature rich, designed so that the implementation cannot be screwed up and adopted as an industry standard, people will naturally buy any kit using it. The differentiator here is that even though these devices will be vendor agnostic, the companies who provide well designed, reliable and competitively priced IoT stuff using the protocol will create their own market share, as there will always be people who trust one vendor over another even when the functionality and security of another vendor's kit is exactly the same. Or to put it another way: how many Reg commentards on here have a go-to company for specific items? This is no different.

          1. Anonymous Coward

            Re: As I've said before

            That's fancy talk, but sorry, at its core, it's BS. You can't design a /protocol/ in a way that could make its /implementation/ secure. The former describes what gets in and out of the box. The latter are the innards of the box. Those can be anything. They can be MS-DOS. They can be an imp with a brush. They can be anything as long as they accept and emit the protocol properly.

          2. Anonymous Coward

            Re: As I've said before

            As someone mentioned smart meters up the thread and you're raising the idea of a secure-by-design protocol, the Great Britain Companion Specification (GBCS: https://smartenergycodecompany.co.uk/download/52047) is a reasonable place to start for what one might look like. Role-based access control depending on who asked the device to do something, device-based access control based on which device asked another device to do something, PKI-based message verification, network encryption at two levels.

            It's long, fairly complicated and full of geeky goodness.

            Anon, because I work in the industry.

            1. Anonymous Coward

              Re: As I've said before

              GBCS was definitely a solid design, but it's now about 10 years old, and there may need to be a review/update?

              The things that help support GBCS, though, are the testing and approvals that go with devices.

              Also anon as I work in the industry.

              1. Anonymous Coward

                Re: As I've said before

                Apologies but I'm not quite following you. The last version of GBCS (4.3) was released in November 2023, isn't it already getting the continual updates that you're suggesting it should have?

  3. Flocke Kroes Silver badge

    Some smart devices have strong security

    Some manufacturers have put significant effort into ensuring products become non-functional if the purchaser stops paying a monthly fee. Securing against someone with physical access requires skill, attention to detail and firmware updates to patch vulnerabilities. That monthly fee is absolutely necessary to fund ensuring customers cannot do what they want with their purchases.

    1. Pascal Monett Silver badge
      Stop

      Re: Some smart devices have strong security

      I'm not sure you're describing security there. To me, that sounds much more like simple lock-in.

      It's a security for the vendor, to be sure, but it secures the vendor's financials, not my security.

      1. b0llchit Silver badge
        Megaphone

        Re: Some smart devices have strong security

        > It's a security for the vendor...

        Mission accomplished... Who cares about the "consumer"? They are just plebs to extract money from.

        (truth and sarcasm unite in this one)

      2. doublelayer Silver badge

        Re: Some smart devices have strong security

        Admittedly, some of the most successful locked-in devices are also quite secure as a result because the manufacturers go to a lot of effort to make sure that I can't break in if I bought it which also keeps out most others. It just means there's a different reason that I'm not buying it.

  4. Pascal Monett Silver badge

    IoT ? Not for me

    But I'm not going to go dissing on hospital stuff. I'm very happy that we have hospitals, insecure as they are. The people who are there want to help, they really do. You have to want to help when you're paid so little for saving people's lives, or even just making them slightly better. As I am getting on in age (60 is an asteroid that is looming ever larger on my horizon), I think that, if push comes to shove, I will gladly accept an insecure pump or whatever if it gives me more years to be with my family.

    Yes, I would definitely prefer that medical thingamajigs be secure, it would certainly be reassuring, but I think I can stand the insecurity if my life is on the line.

    But in my house ? Never.

    I can get my fat ass off the couch and go for the dumb, stupid, secure switch.

    1. Jonathan Richards 1 Silver badge
      Alert

      Asteroid? was Re: IoT ? Not for me

      60 orbits of our star counts as a metaphorical asteroid now? That one flew by more than a decade ago for some of us! I quite agree, I'm not going to insist on a security audit for the beeping hospital gear should I ever need it, but it's still depressing that the manufacturers never consider that anyone but angels of mercy will ever have access to the devices they make. Also agree about 'home automation'; the smartest wireless thing around here (excl. mobile phone, I guess), is the mouse I'll now use on the SUBMIT button.

  5. Groo The Wanderer Silver badge

    I would never want to buy even so much as a so-called "Smart TV"; I stick to computer monitors. The poor history of all TV vendors in regards to patching and maintaining their sets is horrendous, with the products going out of support far sooner than I'd expect a TV to actually die.

    And no wonder. Once the product is sold, the revenue stream dries up. And if you're going to get such poor and short lived maintenance for a TV costing hundreds or thousands of dollars, how much do you think they're going to put into maintaining your security on your fridge or washing machine?

    I cannot imagine any security-conscious IT person owning "smart home" components at all!

    1. I could be a dog really Silver badge

      Yeah, but try finding a decent size "non smart" TV or monitor these days with a decent WAF (wife acceptance factor). A monitor will indeed get you a non-smart device - but then it won't have a Freeview tuner so scored a WAF of zero. Once a tuner is included, then I've not found anything other than the smallest sizes that aren't "smart".

      1. Aleph0

        As for me, I've solved it by never giving my smart TV the Wi-Fi password. Since it was demanding to be connected to the Internet for initial configuration, plugging in an Ethernet cable for the ten minutes it took made short order of that, and it has been a satisfyingly dumb TV set ever since.

        1. Snake Silver badge

          We needed a new 'monitor' for use with our security cameras so we bought a new smart TV. I do like the fact that it Chromecasts; I can also use it to display product images when talking to clients.

          So I put it on the Wifi network.

          Then I remembered the spying and the security issues.

          So I've blocked all inbound and outbound internet access ports. Still get intranet casting but no external feed. Simple.

      2. Groo The Wanderer Silver badge

        There aren't standalone tuners available? I doubt that. I doubt that very much.

  6. Captain Hogwash Silver badge

    They are risky

    But using only those that can be controlled locally, putting them on their own subnet and denying internet access to everything on that subnet goes some way toward mitigating the risks.
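    One way to check that the "own subnet, no internet access" rule in this comment (and the "intranet casting but no external feed" setup described further up the thread) is actually holding, as an added example that is not part of any comment here: it walks constructed firewall log lines for a hypothetical IoT VLAN (192.168.50.0/24) and reports every device that reached, or tried to reach, a non-local peer. The log format, the subnet and the sample addresses are all assumptions made for the example.

```python
"""Audit firewall logs for an isolated IoT subnet (added example).

The policy under test is the one described in the thread: devices on the
IoT subnet may talk to other local hosts (LAN, link-local, multicast for
casting and mDNS) but must never exchange traffic with the Internet in
either direction. The log format is constructed for this example; adapt
LINE_RE to whatever your firewall actually emits.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Assumed addressing for the example: the IoT VLAN and what counts as "local".
IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "169.254.0.0/16", "224.0.0.0/4")
]

# Constructed log lines in a simplified key=value style. 203.0.113.x and
# 198.51.100.x are documentation ranges standing in for Internet hosts.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01 action=ACCEPT proto=udp src=192.168.50.21 dst=224.0.0.251 spt=5353 dpt=5353
ts=2024-05-01T10:00:02 action=ACCEPT proto=tcp src=192.168.1.10 dst=192.168.50.21 spt=50122 dpt=8009
ts=2024-05-01T10:00:05 action=DROP proto=tcp src=192.168.50.21 dst=203.0.113.7 spt=44012 dpt=443
ts=2024-05-01T10:00:06 action=DROP proto=udp src=192.168.50.33 dst=198.51.100.9 spt=5000 dpt=123
ts=2024-05-01T10:00:09 action=ACCEPT proto=tcp src=192.168.50.33 dst=203.0.113.7 spt=44013 dpt=443
ts=2024-05-01T10:00:11 action=ACCEPT proto=tcp src=198.51.100.77 dst=192.168.50.40 spt=60000 dpt=23
ts=2024-05-01T10:00:12 action=ACCEPT proto=udp src=192.168.50.40 dst=192.168.50.1 spt=5353 dpt=53
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+spt=\d+\s+dpt=(?P<dpt>\d+)"
)


def is_local(addr: ipaddress.IPv4Address) -> bool:
    """Peers the policy allows: anything inside LOCAL_NETS (LAN, link-local, multicast)."""
    return any(addr in net for net in LOCAL_NETS)


def parse(lines: Iterable[str]) -> List[dict]:
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            records.append({
                "action": m.group("action"),
                "proto": m.group("proto"),
                "src": ipaddress.ip_address(m.group("src")),
                "dst": ipaddress.ip_address(m.group("dst")),
                "dpt": int(m.group("dpt")),
            })
    return records


def audit(lines: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """Report, per IoT device, flows that crossed the subnet boundary.

    'attempt': a non-local flow the firewall DROPped (policy holds, but the
               device is trying to phone home or is being probed from outside).
    'leak':    a non-local flow the firewall ACCEPTed (policy is not enforced).
    Each entry reads "direction peer:dpt/proto".
    """
    findings: Dict[str, Dict[str, List[str]]] = defaultdict(
        lambda: {"attempt": [], "leak": []})
    for r in parse(lines):
        if r["src"] in IOT_SUBNET:
            device, peer, direction = r["src"], r["dst"], "out"
        elif r["dst"] in IOT_SUBNET:
            device, peer, direction = r["dst"], r["src"], "in"
        else:
            continue                       # not IoT traffic at all
        if is_local(peer):
            continue                       # LAN, casting and mDNS traffic is allowed
        kind = "leak" if r["action"] == "ACCEPT" else "attempt"
        findings[str(device)][kind].append(
            f"{direction} {peer}:{r['dpt']}/{r['proto']}")
    return dict(findings)


def devices_with_leaks(findings: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Devices for which the isolation rule demonstrably failed."""
    return sorted(d for d, f in findings.items() if f["leak"])


if __name__ == "__main__":
    result = audit(SAMPLE_LOG.splitlines())
    for device, f in sorted(result.items()):
        print(device, f)
    print("isolation broken for:", devices_with_leaks(result))
```

    On the sample log, the first device only generates dropped attempts (the rule works), while the other two show accepted non-local flows, one of them an inbound connection to port 23, which is what a missing or misordered deny rule looks like in practice.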

  7. Anonymous Coward

    No wonder my smart rocket powered roller skates keep disconnecting from the bluetooth steering controller at the worst possible moment.

    -Wyle E Coyote

    1. b0llchit Silver badge
      Thumb Up

      ...and explodes in the process of reconnecting.

  8. Doctor Syntax Silver badge

    But you do have to admire the way they hang in the air for a full second before falling when you go over a cliff edge.

  9. Anonymous Coward
    Terminator

    Internet of Things (IoT) devices

    Low cost hardware made in China running hacked together untested software based on someone's school project.

    1. Ken Shabby Bronze badge
      Alert

      Re: Internet of Things (IoT) devices

      A shit-ton of that about, and it ain't all IoT

  10. martinusher Silver badge

    Shouldn't be a problem

    The issue seems to be forklifting too much code into things that don't need it. Most programmers seem to be focused on customer level code, what could be called "bells and whistles", rather than spending time to get to exactly what a particular unit needs and how to customize the software so it has those facilities and nothing else. Here it doesn't help that Marketing invariably demands that products phone home, so they demand external communications capability from products that shouldn't need them. I don't have many IoT-like products but the ones I do have need me to have an account on a manufacturer's website to get the thing configured and often to use it. This might make good business sense for someone but it's a nonsense from the security and reliability perspective -- it introduces all sorts of potential weaknesses and points of failure into what should be a simple remote control. I've had things rendered useless by manufacturers' insistence that I have 'an account'.

    Adding layers and layers of security isn't the way to go. My smart devices need to be dumb -- they should have just enough smarts to do their job, no more, no less. I do not expect them to be able to be readily upgradeable, especially silently over the air, and I don't expect them to be able to execute code in any form that wasn't part of their firmware.

  11. Gene Cash Silver badge

    Had to kill my smart thermostat

    It was useful for things like when I went away, I could remotely turn the A/C or heat back on an hour or two before I was going to be home.

    The schedule was nice too. I could have the A/C and heat on minimum the day I was in the office. And a different schedule on the weekend.

    Plus if I was going to get up early, I could click on the heat 20 minutes beforehand.

    However the app was crap. It kept going "WELCOME TO YOUR NEW THERMOSTAT. LET'S SET THINGS UP" and deleting all my programming and preferences.

    It had half a dozen "don't show this again" that it completely ignored.

    So it was a great idea ruined by a shit implementation.

    And I assume they took the same level of "care" in the security.

    Now it's all pissy that it's disconnected and is constantly flashing demands to be hooked back up to the mothership, and of course the front panel UI is deliberately crippled. (it has to be deliberate, nobody can do a thermostat UI that bad by accident)

    This was a Honeywell, so I guess advancing past a simple round dial is beyond them.

    I've bought an Ecobee, but it's going to be in the box a while before I get around to it.

    1. CGBS

      Re: Had to kill my smart thermostat

      Venstar Color touch line. All local API for Home Assistant and still has an option for their cloud service if that's ok with you, or neither as you can use the touch screen to put in schedules, etc...

    2. Altrux

      Re: Had to kill my smart thermostat

      My smart thermostat is now similarly, and intentionally, in dumb mode. It was good for a while, but a classic case of good hardware ruined by cr*p software. The app kept crashing and messing everything up, so the stat's magic "mothership" box was decommissioned and it now operates as a manually programmable stat, nothing more. Good enough for us - better, in fact, given the above stories!

  12. CGBS

    Sure IoT security is non-existent, but who really believes that if there were secure, well made IoT devices that they would be able to sell a single unit? Consumers, both corpo, government and individual, would look at the price tag and just keep looking until they came to the same insecure, half baked, or pre-installed with Chinese back doors (or all of the above) options they buy now. Blah, blah, blah the 6 of us who would pay don't matter. Like it or not, at this point it has been made painfully obvious most people don't care that everything they do is tracked and sold or that the crappy smart blender is using more bandwidth than their computer. All that matters is that it is cheap (for consumers to buy and corpos to consider being hacked an acceptable cost of doing business) and has a phone app.

    1. theOtherJT Silver badge

      You are of course right that people don't care. That's not terribly surprising, because to most of them none of what we commentards would warn them about sounds like words in any language they speak. I've found it painfully obvious when talking to various members of my family about IoT things that they simply do not understand any of the things I'm telling them, and don't believe the things they do understand because "They wouldn't be allowed to sell this if that was true!"

      I've had more than one family member tell me exactly that, and it really gets to me because that's exactly how this should work, but doesn't. There needs to be a law that says you - product vendor - are legally responsible for meeting these minimum security standards and if you don't you pay huge damages. People who are used to simple electronics that have a kite mark of some kind on them to prove that they're "safe" just assume that there's some equivalent for IoT devices, when in fact, there isn't. It's the only way that people who don't understand, and don't care to understand, the actual problem can be kept safe.

      There's a reason that you find a little label saying "This device must not cause harmful interference" stuck on pretty much all electrical equipment these days. Someone had to legislate for that because until they did we had a bunch of cobbled together electronic crap out there that fucked up everyone's TV and radio signals as soon as it was turned on - but of course the people who bought it had no idea why and probably weren't even aware that it did. Legislation is the only answer here.

    2. Claptrap314 Silver badge

      That's not entirely fair. The average consumer has NO way to measure security. They might feel vaguely uneasy about the state of things, but where do they turn?

      And why should they pay 20-25% more for a product feature they don't understand?

  13. chuckufarley Silver badge
    FAIL

    It's the little things...

    ...like turning off security features to make the kernel smaller (how many distros used in IoT turn off apparmor?), or not locking down TCP port 23 (telnet), or even warning users that are trying to use ssh over an unencrypted connection (all implementations ever).

    The low hanging fruit here is really low. Yet a neophyte or an overworked admin either won't know or care.

  14. nijam Silver badge

    Smart devices aren't actually smart of course... unless you're comparing them with the people who buy them.

  15. Michael Strorm Silver badge

    "more than 5 trillion - that's trillion with a T"

    You *absolutely* sure that's correct? That would work out at 625 devices for *every* human on the face of the planet, and I suspect it's not quite that high just yet.

    1. F Seiler

      Re: "more than 5 trillion - that's trillion with a T"

      No. The source which the author linked says 1.6 trillion US$ market predicted in 2025, not number of devices.

      1. Michael Strorm Silver badge

        Re: "more than 5 trillion - that's trillion with a T"

        The same linked source, the one that includes that claim ("predictions imply that by 2025, this amount will rise to approximately 1.6 trillion [USD]"), *does* specifically state a couple of sentences earlier that

        > "According to the research, there are currently (*) over 5 trillion gadgets that have access to the internet."

        So that (unlikely) claim certainly was in the original article.

        (*) Presumably as of shortly before April 2023 when the article was published.

        1. F Seiler

          Re: "more than 5 trillion - that's trillion with a T"

          Haha. Interesting and thus upvoted. I admit I only scanned the introduction for the number. That sentence about 5 trillion devices probably meant to say 5 billion devices, because yeah, almost 1000 per person worldwide is not very plausible.

    2. NIck Hunn

      Re: "more than 5 trillion - that's trillion with a T"

      It's absolutely not correct and a few seconds' thought makes that obvious. If it's connected, it's likely to use some form of wireless, unless we believe there are trillions of cable connections. The volume wireless technologies are Bluetooth, Wi-Fi and cellular, each of which ship mid billions per year. Only a small percentage of those are IoT applications, so we're probably still shy of Ericsson's original prediction of 20 billion by 2020. (As a comparison, around 8 billion USB cables are shipped per year, so not even wires come close to the trillions.)

      The authors of the report seem to have confused revenue with numbers of devices, and assumed that a prediction made in 2007 would become reality once the prediction's date of 2020 had been reached. It seems to be a sad case of academics who have grown up on PowerPoint and never question a number if it uses the correct font.

      1. You aint sin me, roit
        Trollface

        Re: "more than 5 trillion - that's trillion with a T"

        I dunno... a few thousand nanobots in each jab of covid vaccine will get you there.

        Dormant for now, just waiting for the 5G activation signal.

  16. ComicalEngineer

    After our dishwasher broke recently (over 5 years old and decided to stop washing with a smell of burning insulation) we looked for a new one.

    Wow! Do I really need / want a dishwasher connected to my wifi and phone via an app?

    No I damn well don't. Higher cost, more things to go wrong and risk of being hacked.

    We bought one of the few dishwashers currently available that doesn't require an internet connection.

    The IoT seems (to me) to include a lot of pointless junk doing stuff that nobody needs. OK, I get that you may want to turn your heating on an hour before you get home on a cold day, but did you know that you can get a *smart* cat litter tray? Home fragrance dispenser? Alexa-enabled smart toilet with auto heated seat and built-in speakers?

    And there really is a *smart* toaster. Thankfully it didn't make production.

    https://www.indiegogo.com/projects/toasteroid-app-controlled-smart-image-toaster#/

  17. wojo

    A little of the other side, no doom & gloom

    Those medical devices running Windows? Not exactly an IoT thing. Many of them are large systems costing north of $500,000.

    And the IT staff knows about deprecated OSes.

    That's why those old Windows systems are walled off with access to only the network traffic they need to have.

    Security may not be in the device, but it is around it.

    1. Mr D Spenser

      Re: A little of the other side, no doom & gloom

      And it is not just the Windows based medical devices that are walled off; pretty much any device used in direct medical care is walled off from the non-medical devices. And typically the non-medical devices are also segregated from anything the public is allowed to touch. And it is good to remember that most CVEs are never exploited. The hole might be there, but getting to it with a reliable exploit is usually too much bother when a well worded phishing email will work.

      Also, sadly, the IoT devices that are compromised the most are "security" devices. I would put wireless cameras and SOHO router/firewall devices with externally facing web interfaces at the top of the list.

  18. sqlrob

    /me Raises Hand

    > Would it surprise you to know that 19 percent of medical IoT units run on no longer supported versions of Windows? I didn't think so.

    It absolutely and totally surprises me. I expected high 60s at least.

  19. CatWithChainsaw
    FAIL

    Maybe, just MAYBE...

    Your toilet doesn't need an Internet connection. I mean somehow ancient Romans made it work.

  20. Locomotion69 Bronze badge

    IoT-CC

    And then there is one category in IoT that is even worse - IoT with "cloud connectivity".

    When the cloud service is lost, your "smart" device instantly becomes a paperweight;

    Your cloud credentials can be hacked/stolen without you noticing;

    Your device is spying on you - some devices have this "feature" by design;

    Terms and conditions can change overnight;

    "Updates" pushed and installed;

  21. Greybearded old scrote
    Mushroom

    I see your medical devices...

    ... and raise you this.

    The last I heard the Royal Navy's "boomer" submarines were running on XP based Windows for Warships. Still, at least the 100s of meters of sea water they hide under most of the time prevents any crackers' access attempts.

  22. PaulHayes

    Security in IoT isn't non-existent at all. It's just hard to find secure devices in a sea of insecure, cheaply made devices. All too often people will buy whatever the cheapest thing they can find is and then start asking or complaining about security afterwards. Yes everything available should be made in a secure fashion with secure-by-default principles applied but in the real-world this will never happen and the only way to control the security of what you buy & deploy is to be asking these questions before making your order.

    The soon to be enforced PSTI Act might help but I doubt it will make much difference, I can't see how the UK gov can possibly have the resources to start going after millions of Chinese companies and their importers & distributors. Hopefully it'll help to educate the importers and distributors to at least ask the right questions.

  23. Stuart Castle Silver badge

    There is an old saying, the more they complicate the plumbing, the easier it is to block up the drains.

    I'm all for giving internet access, where it is both justified and required.

    But, too many devices have (or require) it.

    Take, for instance, doorbells. There is no reason that even "smart" doorbells require internet access. There is no reason your Ring doorbell couldn't store its video on a local server. Perhaps offering remote access via the cloud *as an option*.

    Or kitchen appliances. There is no need for app controlled kitchen appliances. I like things like Smart lights and heating etc. But it is handy if you can turn your heating on so it's warm when you get home. The same with lighting. Any kitchen appliances, at some point while using them, you will need to physically interact with them, even if it's just to load or unload the appliance.

    All devices that connect to the internet can potentially be a security problem. It's one thing if your devices are made by a large company with a good record of supporting their products for a long time, but how many IoT devices are being built by a cheap, no-name manufacturer who is going to stop supporting the device with updates pretty much before it leaves the factory? That said, even the large, known manufacturers have been known to stop support quickly.

    Any out of date device is a security problem.

    To mitigate the effects of this, I'd like to see, where feasible to do so, an option on every smart device that enables you to use it on a local network with NO internet access. Your CCTV system and any "smart" doorbells can store video on a local server. Your smart TV can stream video from a local server.

    Yes, that would be difficult for your average joe to manage from a technical point of view, but, TBH, it's not beyond the abilities of the big tech manufacturers to develop servers that can do this in a standard way and are easy to set up and use. They just aren't willing.
