Bruce Schneier on the coming IoT security dumpster-fire

I love watching the frequent clash between boingboing editorial stances (IoT is a security dumpster fire) and the boingboing store (buy this shiny new IoT junk!)

1 Like

My perception is that they seem to be latecomers, who tend to offer compromised versions of things one can find on github in five minutes. I wouldn’t consider their rent-seeking, DRM, or harvesting of user data to be any sort of progress. But I am sure that they like to go “ahead” and get more sales, to generate wealth for themselves rather than the community of users.

1 Like

Correct. The commercial industry caters to exactly the sort of people that don’t use github.

2 Likes

We have a version of that around here. Two versions, in fact. One version just (or “just”) sends usage data to the company. The other basically controls your AC. If it gets really hot, they can turn customers’ AC compressors off during peak usage to prevent brownouts. Contractors have been known to install these without the homeowners’ permission. The company could use their offshore cash to construct more infrastructure, but that would eat into CEO bonuses.

We also get letters every month, berating us if we happen to use more electricity than our neighbors. I wonder if the whole neighborhood gets them (we’re all “above average”).

1 Like

This is simple with an old dumb thermostat. Set it to a temperature low enough that you never expect it to occur during the time you are away, but above freezing. A setting of, say, 10 deg C will keep your pipes from freezing with no thought or intervention from you.

Bingo. Get to know your neighbours. A few years ago we went away for two weeks. A day after we left I realized that we had left before dawn and forgotten to switch off the porch light. An email to our next-door neighbour, asking her to go and unscrew the bulb, solved the problem. In this case she didn’t even need a key.

1 Like

Right. Exactly. That worked so well in stopping the crapification of hand held power tools during the late 20th century. Home Depot doesn’t carry plastic crap from China that breaks 11 days after the warranty expires because we – the consuming public – put our collective foot down and refused to buy any of it. The success of our fight as this crappifying effort expanded through the end of the prior century is why the secondhand trade in mid-century tools is so feeble.

People commonly buy appliances after their prior one stopped working. They take what they can get, at an under-staffed big box store, on Saturday afternoon, hoping to install it and have it working to some weak approximation of correctly… before they need to go back to work on Monday.

1 Like

2 Likes

The first paragraph was /s

2 Likes

In my experience, you can still get good tools and whatnot. They just aren’t cheap. I don’t know if they were 40 years ago but the do exist.

1 Like

Stinky, but on the other hand contained. Kind of a wash.

One safeguard: unless they start putting prepaid cellular links in them, you’ll always have control over whether a given device can get access to your internet.

If they ever make it so adequate functionality cant’ be obtained without internet access for the device, I’ll likely pass on buying it.

2 Likes

You left out “deliciously crispy”.

2 Likes

The basic calculus is A) “connect thing to Internet” or B) “don’t connect thing to Internet.”

The benefit of “A” is it’s remotely updatable, the downside is it’s remotely exploitable.

For a product like a smartlock there is marginal benefit for remote exploitation. You need to be nearby to break in and gain any value from your exploit.

For a product like a bank account there is a huge benefit for remote exploitation. You can transfer funds to anywhere in the world.

Going back to the smartlock, any exploits can be patched over the air when connected to the Internet. Consumer products which don’t update automatically, don’t get updated. Automatic updates like the kind found in Google Chrome are a huge win for everybody. It tightens the OODA feedback loop between defender and adversary, keeping the defenders ahead. The traditional locksmith industry can’t “patch” their physical locks and paper over vulnerabilities when they emerge.

The direction of the industry should be to move away from non-patchable systems (5 pin metal house keys) to patchable ones (2048 byte digital, cryptographic keys.)

So yes, the fear mongering is: “IoT devices give new means of attack to adversaries”, however they also give new means of defense to friendlies. Schneier usually presents a balanced view, but I felt this piece for Motherboard was unusually one sided. A smartlock can send you a message when someone is forcing entry, a dumb one can’t.

The old system is broken and trying to remove the Internet from these Things is no more the answer than trying to remove the Electricity from our household appliances when we started down this road a hundred years ago. Electricity provides a huge quality of life improvement. Adding Internet (or more accurately adding “access to information”) should too. Products which don’t deliver on the promise rightfully should be ripped apart, but attacking a category of devices which are trying to perform better by leveraging “access to information” seems silly to me.

We must have read very different articles. I saw primarily a statement about how industry has little incentive to address security issues in IoT devices, not an overall panning of IoT devices themselves.

4 Likes

My point about IoT panning is addressing a trend generally and in the comments to this article specifically such as the exchange between @enso and @hmclachlan.

My point about the piece being unbalanced still hold. Very broadly, I would say Schneier’s article’s general point is “IoT products are opening us up to terrible attacks, the likes of which we can’t imagine yet” - a point which, by itself, I agree with, but feel is unbalanced to say without also mentioning that “IoT products are securing us from both old and new classes of attacks.”

I would also say the industry does have incentive to address security issues, but it’s not so noble as “Let’s make secure products!” – it’s an incentive to make something as secure ‘enough’ as the application warrants so it is not a broken experience in the same sense that a casual ship builder wants to make a boat that will float ‘enough’ for the desired application. A functional mindset but one that needs work and is becoming easier to change day by day.

I don’t think the evidence is there that manufacturers are making products secure ‘enough’ for their application. The example Schneier brings up of home routers is a good one. Many ship with a fair number of security flaws. More importantly, most people have them longer than the manufacturers produce firmware updates. The question about durable goods like refrigerators is a good one as well. Do you expect smart fridge manufacturers to continue producing updates for 10 to 15 years? General trends in tech don’t support the notion that manufacturers will take it upon themselves to do so without prodding.

I am curios about the notion that “IoT products are securing us from both old and new classes of attack.” Do you have examples that bear that out? Do they compensate for all of the extra attack surface that means we are getting to a point where a hacker can pivot from an un-patched toaster?

2 Likes

My sole, first, and final contribution to this nonsense.

5 Likes

The evidence is in the products very existence. A boat which does not hold water sinks and does not exist on the market. A boat which holds water until breached will still sell. The ‘enough’ for their application is the difference between a polyethylene kayak and a belt armored destroyer - a $30 TP-Link and a $1500 Cisco MR72. The TP-Link may have a backdoor accessible over telnet when reset but it still supports WPA2 - for certain applications it is ‘enough’. Schneier goes into a lot more depth on what constitutes ‘enough’ security in Liars and Outliers - spoilers: he doesn’t argue for perfect security.

I am not a fan of smart fridges.

As for IoT products providing additional security - I mean yes - see my first post where I bring up intrusion detection but I can throw in a few more. A smoke detector’s job is to let you know the house is on fire - it does so by notifying you - traditionally by sound - but if you are out of range it can be made better by notifying you by smartphone - it’s an extension of reach for a product that is designed to protect you from a very old class of attack - Fire.

For automobiles there was a trend in the 2000’s to shift to non-Internet connected electronic keyfobs that detected proximity and would unlock when you touch the door handle - a new class of attack emerged that allowed one to replay these signals to simulate being close to the door with the keyfob using simple 433MHz repeaters to unlock doors for cars that were parked in the driveway while the owners slept inside - by making these keyfobs smarter one makes them more secure by preventing unwanted access when positional data, motion data, or other factors don’t communicate intent to unlock by the owner - thereby preventing a very new class of attack.

In these three instances - yes, they do compensate for the additional attack surface - the products in question don’t need to communicate with untrusted peripherals and in fact only communicate to other products with the manufacturer’s signature. This approach is not without problems - but that was not your point.

I find that to not be a persuasive argument. Consumers have very few ways to compare the security of competing products. A product being marketed and sold is not a defacto guarantee of security.

The TP-Link may have a backdoor accessible over telnet when reset but it
still supports WPA2 - for certain applications it is ‘enough’. Schneier
goes into a lot more depth on what constitutes ‘enough’ security in Liars and Outliers - spoilers: he doesn’t argue for perfect security.

Who determies for which applications that is “enough” security. See my comment above about consumers having little ability to compare. How many purchasers would know about the backdoor, or what that even means to them?

I would like to point out now that I am not arguing for perfect security, it’s just currently set at a very low bar. There is plenty of evidence that IoT devices are being rushed to market without a lot of thought being put into the security aspects.

In regard to Schneiers books, I’ve read every one from Applied Cryptography on.

Good points on the intrusion detection and fire systems, but my question still holds regarding attack surface. How many of these devices sit safely firewalled off with no ability to connect into them, but allow outbound connections? How many of them are currently sitting on poorly protected wifi routers? Is it up to the consumer to configure them correctly?

If they self configure, how many of them use things like UPNP to punch holes in the firewall configuration without the owners awareness? I’ve seen “security” DVR systems that had default hard coded passwords and remote exploits that could bypass the security do this to open ports to the outside world.

The car fob example is a case where improvements can be made, but all of the suggested improvements can be made without connecting to the Internet, so it’s not necessarily germane to IoT.

3 Likes