Internet of Lawnmowers ! WOOT !
Internet of broken things! WOOT !
How are the next 10 billion devices going to connect to the internet of today, tomorrow? Having all of these gizmos talk to one another over your standard 2.4Ghz Wi-Fi is not going to happen, so how will all those gizmos connect to the wider internet, and how will we keep them all safe, happy and updated? The internet of …
...it's put next to the wrong piece of cutlery on the table. Never again will we have to suffer the insult of the main course fork being placed on the outside of the appetiser fork. Thank our stars those days are finally behind us.
IoT is about inserting Internet connectivity to stuff that we're already using for dubious purposes. I'll pass on the fact that, apart from Wifi, Bluetooth or video (for which we already have dedicated hardware that works satisfactorily), nobody has found anything remotely compelling to put into an IoT thing.
Now they state that updates are a requirement. I understand that security is something that every vendor would like to put at the top of the bullet list without paying a dime for, but is security really the kind of thing I want to see in a light bulb ? Is there no other way of defining the utility of a network-connected chair ?
Maybe security should be designed, not into the IoT thingamabobs, but into the router/switch/hardware that talks to them. Let me clarify : a light bulb may be able to talk over the Internet, but only if there is hardware from an ISP connecting the household to the Internet. Yes, I know about the WiFi Ethernet attempts. One thing at a time.
If IoT can only work with a hardware portal to the Internet, then it is those things that can handle the security. The router could very well be configured so as to 1) not allow general interaction from the Internet or the local network to the IoT thingies, and 2) handle updates from the Internet to a given IoTmabob, on condition that said update is properly signed and comes from the proper domain (no use BitTorrenting an update here).
Would that not solve a bunch of possible issues ?
Just wondering.
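The update rule proposed in the comment above (pass an update to a device only if it is properly signed and comes from the proper domain), as an added example that is not part of the original thread. It assumes the gateway fetches the image on the device's behalf; the device name, vendor host, policy table and RSA/SHA-256 signature scheme are hypothetical, and the key is a constructed demo key.

```python
import hashlib
from urllib.parse import urlsplit

# DER prefix of a SHA-256 DigestInfo (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed demo key built from two Mersenne primes. NOT safe for real use.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; only the vendor holds it

# Hypothetical per-device policy stored on the gateway (public key + origin).
POLICY = {"bulb-01": {"host": "updates.bulb-vendor.example", "n": N, "e": E}}

def _encode(image: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(image) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def vendor_sign(image: bytes) -> bytes:
    """Stand-in for the vendor's signing step so the example is self-contained."""
    k = (N.bit_length() + 7) // 8
    return pow(int.from_bytes(_encode(image, k), "big"), D, N).to_bytes(k, "big")

def admit_update(device: str, url: str, image: bytes, sig: bytes):
    """Gateway decision: (True, "ok") to forward the image, else (False, reason)."""
    rule = POLICY.get(device)
    if rule is None:
        return False, "unknown device"
    parts = urlsplit(url)
    # Exact host match: a lookalike such as host.evil.example must not pass.
    if parts.scheme != "https" or parts.hostname != rule["host"]:
        return False, "wrong origin"
    k = (rule["n"].bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= rule["n"]:
        return False, "bad signature"
    # Re-encode the expected message and compare it whole (no lenient parsing).
    recovered = pow(s, rule["e"], rule["n"]).to_bytes(k, "big")
    if recovered != _encode(image, k):
        return False, "bad signature"
    return True, "ok"
```

The origin check and the signature check are independent: an image served from the right host still fails if its bytes were altered, and a validly signed image is still dropped if it arrives from anywhere else. A production gateway would use a vetted crypto library rather than this stdlib-only verification.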
Maybe security should be designed, not into the IoT thingamabobs, but into the router/switch/hardware that talks to them. Let me clarify : a light bulb may be able to talk over the Internet, but only if there is hardware from an ISP connecting the household to the Internet. Yes, I know about the WiFi Ethernet attempts. One thing at a time.
If IoT can only work with a hardware portal to the Internet, then it is those things that can handle the security.
No no no no no no no no no no no no no! NO!!
Might as well not bother. We all know full well how (in)secure most routers are, and that only seems to be getting worse not better.
The only way to do security is design it in from the ground up. That requires protocols for shared interaction, time taken to research, develop and do things properly. Dare I say it even committees and working groups (argh!).
But no, have to rush to market with some pointless IoT-connected leaf mulcher just to beat the other guy who is also making a pointless IoT-connected leaf mulcher. Security by assumption someone else will deal with it higher up the chain is not security.
You might be happy enough for anyone to be able to turn on your lights and sky-rocket your electricity bill because you were reliant on your router to not let them into your IoT network. I doubt many other people would be so pleased.
"Security by assumption someone else will deal with it higher up the chain is not security."
This is precisely what people do when they rely on a government to ensure their security, which is one of the primary reasons for government's existence. They don't complain about it then, why the complaint now? ;-)
"IoT is about inserting Internet connectivity to stuff that we're already using for dubious purposes"
What "dubious purposes" are you using your stuff for?
Also, would it be too much to ask for this IoT crap to be IPv6 compliant from day one? I want to be able to get on the Internet, for any purpose, without finding I've been NATed back to the stone age because all the IPv4 addresses are in use by lawnmowers!
"Yes every lawnmower, toothbrush and toilet to have a unique IPv6 address and be individually accessible from t'internet with only a perfectly configured free modem from crap-cable-provider(tm) to secure it."
Well, *my* network is connected to a Catalyst 4506 switch routing internal traffic, appropriate firewall in between and a *real* router, configured by myself, to the crap-cable-provider(tm).
The negotiations to actually succeed in doing so were far less than negotiating with the Taliban.
Both, a regrettable experience in my real life.
Also, would it be too much to ask for this IoT crap to be IPv6 compliant from day one? I want to be able to get on the Internet, for any purpose, without finding I've been NATed back to the stone age because all the IPv4 addresses are in use by lawnmowers!
I think it would be better to have IoT devices run a non-routable protocol. It would seem to make more sense to have them all report to a local control device or server than to have to open a port in your home firewall (as if consumers are going to grasp this concept) for every stereophonic light bulb and smart toilet in our personal chateaus. Yes, this may provide a single point of failure for at least a class of devices in our homes, perhaps assuming that devices involving security are controlled by separate systems than entertainment and similar, but also provides for a much smaller attack surface.
'What "dubious purposes" are you using your stuff for?
Also, would it be too much to ask for this IoT crap to be IPv6 compliant from day one? I want to be able to get on the Internet, for any purpose, without finding I've been NATed back to the stone age because all the IPv4 addresses are in use by lawnmowers!'
Televisions, well, some, are known to send out every spoken word within range of their microphones.
Don't worry about the lawnmowers. My straight razors already took up those IPs. The remainder was taken by my bathroom paper dispensers, toothbrush and socks.
"If IoT can only work with a hardware portal to the Internet, then it is those things that can handle the security. The router could very well be configured so as to 1) not allow general interaction from the Internet or the local network to the IoT thingies, and 2) handle updates from the Internet to a given IoTmabob, on condition that said update is properly signed and comes from the proper domain (no use BitTorrenting an update here)."
Because, given the wireless nature of it all, what's to stop an interloper: someone inserting THEIR router into your network, masquerading as yours, and hijacking your devices? How do you reconcile this problem while at the same time making it easy enough for Joe Computer-Illiterate to use?
Therein is a problem. I live in a subdivision here in the States and at any given time, I see 6 other routers on, 4 of which are wide open and unsecured. So, I install my shiny new wireless light bulb and it seeks a connection... Yes, I can get it to connect to my router, but what stops the other folks from connecting to it also? If the light bulb comes on "by itself" or via one of the other routers, I'd rip it out and forget about IoT. But what about other IoT things.. things that might be security related or health related?
At this point, any IoT coming into my house had best be cable connected or have some security associated with it that allows only me to talk to it. I hate to deal with the aggravation of some kiddie fiddling with my devices.
"Maybe security should be designed, not into the IoT thingamabobs, but into the router/switch/hardware that talks to them."
Bloody piss, have you never heard of not defining a default gateway or DNS servers to IP configuration?
Now, just *where* did I store those laser wearing sharks...
Screw it, the security droids will suffice.
Crunchy on the outside, soft in the middle has not worked as a security model. The list of hacked routers actively in use as part of a botnet right now is in the millions and these are brand names, not off the boat unsupported junk. It's time to put our game face on lest all our devices join the routers as well.
I'm sure the NSA will be delighted to collect from IoT manufacturers who have to find 20 billion primes to create the public key crypto required. Just hack each manufacturer's keyspace database. Come on, you know they will.