Smart thermostat makes dumb security mistakes

doctorow · 2014-09-24 19:00:38 UTC

fuzzyfungus · 2014-09-24 19:03:39 UTC

The ‘Internet of things’… because SCADA didn’t turn out to have any security problems, so it’s clearly ready for a rollout to the the public at large.

LockeCJ · 2014-09-24 19:46:26 UTC

http://thethingsystem.com/

Don’t open ports to stuff inside your network. This is why we have things like VPN.

Unfortunately, “open port(s) in firewall” is just seen by most people as that thing they do in order to get their stuff working.

digitalArtform · 2014-09-24 19:55:30 UTC

I’m not surprised. I never trusted that guy.

SpunkyTWS · 2014-09-24 20:52:06 UTC

He’s too much!

Boundegar · 2014-09-24 21:45:39 UTC

shaddack · 2014-09-25 01:27:29 UTC

That depends. Each is for a specific purpose. A VPN is not automatically secure (actually, a lot of supposedly secure system, e.g. that nuke plant, got wormed because of contractors’ VPNs), and a portforward is not automatically insecure (if the device it is forwarded to is not holey like a sieve).

Re the video, the comparison of the remote control with the Apple TV one clearly shows the disadvantages of Apple TV - no way to enter text, apparently other than painful cursoring around. Classical Apple; what they insist you want is easy, but if you stray away from their vision it is a sleek white plastic hell.

LockeCJ · 2014-09-25 15:17:48 UTC

Absolutely. I was being deliberately provocative. However, the person who goes through the trouble of setting up a VPN is more likely to take care of their credentials, and the entity providing the software for the VPN is more likely to patch vulnerabilities than a random hardware vendor who slapped a web interface on a thermostat. Adding another layer of security is unlikely to make things less secure.

I’m not sure what the solution is. This vendor instructed its users to open a port that fairly uniquely identified them as users of this device. That’s obviously bad, as is their implementation of authentication in the web interface. I can’t really expect the vendor to properly document how a user would secure their network while also providing access to their device(s), and I certainly can’t expect consumers to hire these tasks out as that’s likely cost prohibitive. Education seems like a noble enough pursuit, but I don’t imagine most people even think about these sorts of topics until after some widespread breach happens. And even then, I expect their attention span on such matters is very limited. People have lives to live, after all.

shaddack · 2014-09-25 20:01:18 UTC

That’s not so certain. It can motivate you to trust that new layer, and if you rely on it too much, and there is a bug, you are a toast. Which you were before too, because there are other bugs you aren’t aware of, but you didn’t know it so you slept better.

I have a growing suspicion there is no solution.

doctorow · 2014-09-29 19:02:54 UTC

This topic was automatically closed after 5 days. New replies are no longer allowed.