Bruce Schneier on the coming IoT security dumpster-fire


These concerns are not new. You can find articles going back 10+ years talking about the poor security of Internet-connected home automation devices. It’s only been in the past couple of years that the BOM for these has become so cheap that suppliers can mint these devices by the truckload for pennies.

This is not a dumpster fire (god, I am so sick of this analogy). It’s more like one of those underground coal mine fires that burns for decades.

Creating cool Internet connected devices is easy. These days someone even marginally technical, with little electronics knowledge or experience, can slap together a Wi-Fi connected doohickey that monitors the temperature of their home, sends you a text if you leave a window open, or turns your lights off/on for a tiny cash outlay and some copypasta code. It’s seriously easy, you guys.

What’s hard is security. It’s hard to get right. It’s hard to use. It’s hard to implement. User experience sucks. It costs real time and money. It’s a discipline that very few are truly expert at. Governments, corporations, financial institutions – organizations with millions or billions of dollars spent to ensure proper security – are still getting hacked all the time. Do you think some cheapo device with the computing power of a calculator watch built for pennies will be able to do any better?

Remember how everybody used to connect to the Internet without anything like a firewall? Remember how you could take down Windows NT machines remotely by constructing a specially crafted SMB packet? Security is an always evolving thing and almost always takes a back seat to the sexy user-facing stuff.

Not saying it’s right or defensible but it’s unsurprising and typical.


Yes. Burning the typical contents releases all kinds of volatile compounds and particulates, plus it stinks. Add to that, the heat damages the finish, accelerating rust and shortening the service life of the dumpster.

I’ve been places where this was the only sanitation program and it’s nasty. :stuck_out_tongue:


I had one once, inadvertently.
It was all Styrofoam.

Yeah… it wasn’t good.


It’s in the zeit. There’s no escape.

I blame the GOP.


Aren’t they all?


It seems like LAN-only access is the only way to safely network things. Unfortunately, most devices depend on some external service to fully work and as far as I know, making devices globally accessible will never decrease your attack surface.


… and we all know how awesome this is when the service pulls the plug.

Not to mention this is often marketed as a feature.

LAN-only access is definitely safer (as long as someone doesn’t penetrate your LAN from a poorly secured Wi-Fi AP or router, obviously) but far less sexy.


What do you need, or use (really need, I mean), which needs to be connected outside a LAN? Or even be connected?

  • Phone
  • Computer / laptop / (mail/web) server
  • Sometimes electricity and other meters, depending on country. …

Please add to the list, thinking over here.


Security cameras, maybe? The one in a million chance that you think “oh shit, freezing temperatures are coming, I need to remotely raise the temperature on my thermostat so my pipes don’t freeze”. I have some SmartThings devices at home and I sometimes remotely check their status to see if I left a window open, or get a notification if a door that should be closed is opened while I’m away.

Other than the thermostat example (which while nice in theory I just don’t see as something that would have any use outside of a marketing video) these are also all “read only” things.


The security of the network is the responsibility of the administrator. The “trick” is to be the best admin of your house that you can, rather than trusting those duties to slick opportunists who try to sell stuff to you.

As I keep saying with each one of these articles, it is not an IoT problem, it is a consumerism problem. Why does @doctorow waste time emphasizing commercial offerings rather than secure DIY solutions? Who knows?


Apart from that, I am kind of serious. I really want to make a list of things which need to be ‘connected’ outside the reasonably (haha) safe home/LAN environment. Call it a morbid interest of an older person. :wink:


I also, sometimes, need to be away for a while. But why not, for example, use SMS?


This is nice in theory but really hard in practice.

To have a responsible plan for security you need to understand what things do and how they work, and so many Internet connected devices these days are largely “black boxes”. You can do the best you can to admin your house, but if you want it to be usable and not your full-time job to administer, you have to make some trade-offs, and more often than not it’s security that takes a back seat. The acronym “WAF”, short for “wife acceptance factor”, is used a lot in tech circles when designing solutions for simplicity (yes, I am keenly aware that it’s a sexist term, don’t shoot the messenger :)).

Most people just say “fuck it, I’ll make sure I’m using WPA2 on my wireless network and make sure my router has a properly configured firewall”, which is great and will hugely reduce your attack surface. Most people don’t think “hey, what about that UPnP stuff that allows multiplayer to work on my Xbox” and the other myriad convenience features that exist today that make things easier but ultimately reduce security.

Consumerism pays the bills here.


I don’t think he’s wasting time, as these are the devices that most people are going to have. You’re not going to find a person in every household capable of setting up networking themselves, let alone securing stuff.


No buts - it is nice AND hard. Is “really hard” actually more difficult than putting up with having one’s alarm clock, coffee maker, and thermostat used for data mining and targeted advertising by CNN/Target/Nabisco?

Or, perhaps the bills/consumerism cycle is simply how to get the average person to short sell the controlling interest in their own lives.

By far, most of the IoT I have seen on the net are DIY projects. The selection dwarfs commercial offerings and has for years. That’s part of why the emphasis on the problems of the consumerist angle puzzles me. Most of the players are not the companies who he refers to as if they are the ones who define IoT.


If you’re having a new house built for you, I imagine you have basically full control over anything that doesn’t violate the building code, the law, and (if applicable) homeowner association rules. If “dumb” appliances are still available, and avoiding “smart” appliances is important to you, put a clause mandating the use of dumb appliances in the contract you negotiate with the construction company.

But yeah, if you’re purchasing an existing house, replacing existing smart appliances with dumb appliances could be expensive.


Would it help if the term used was embedded systems? It seems like you are not using IoT in the way it is currently used by most.


There are other solutions to those problems that don’t give access to your home’s systems to anyone with an Internet connection. A neighbor and/or friend with a spare key for emergencies, for instance. Now I understand that there are some circumstances where that’s not an option (a remote vacation cabin up in the middle of nowhere, for instance). But there are a lot of circumstances where it is, and I’d prefer the KISS approach where applicable.


Why would it? I use IoT as in “Internet of Things”. As in “networked household appliances and infrastructure”. How does it seem that I am using it differently? It seems to me that we are discussing the same thing, but apparently disagree about who the principal actors are.

Aren’t those the kinds of IoT things Cory often writes about?


Okay, so not the devices then, but who’s producing them. Is your expectation that corporations aren’t moving ahead with IoT?