The Internet of Things will host devastating, unstoppable botnets


#1

Originally published at: http://boingboing.net/2017/04/12/forever-day-bugs-2.html


#2

There is no future in consumerism.


#3

#4

Just remember the S in IoT stands for security.


#5

Gosh, that sounds awful.


#6

So how do we deal with this? Expecting the companies that build and program all this shit to shape up is identical to doing nothing. Seems to me like you need several things to materialize:

  1. Global regulations that have the authority and means to control what devices can and can’t interact with networks.

  2. A set of strict standards and testing regimes (similar to safety and emission standards like UL, CE, etc.) that every device must pass before it can be put on the market.

  3. A mechanism for disabling or at least flagging devices that have been made obsolete by revisions to standards (which will need to be updated frequently).

Yeah…we’re doomed.


#7

Most IoT is devised by groups and individuals for non-commercial purposes. The usual corporate knuckleheads have only recently been trying to get in on the action, exploiting ideas developed earlier by others. I think that the solution is to not let them buy their way into the scene. Promote more maker activity by those who aren’t eager to cut corners for profit.

Not really. Or, I should say - only if you want to be. Know who your friends are!


#8

Some enterprising hacker vigilante should direct a DDOS attack against the manufacturers of the devices in the botnet. Turn their own shitty products against them.


#9

This is all very reasonable. We don’t, as a rule, allow unvaccinated children in our schools. Maybe we shouldn’t allow insecure processors on our internet. It’s probably going to take one really major catastrophe to get things rolling, but the only thing missing is the will.


#10

But will there surely be consumerism in the future?


#11

Lessee…the only things we have wired to the Internet are two PCs, one lappie, and two gaming systems. I have to open the garage manually, set the thermostat manually, pick up the remotes - except for the one for my TV, because it broke and I’m too lazy to program the cable remote.

I always think of cartoons from the first part of the 20th century depicting various versions of “The House of the Future” with the appliances all going nutty when I stuff about the IoT somehow doing the same.


#12

argh! auto play! (by reflex I closed the tab. and only came back because I like the BBS.)


#13

Cunk is right. IoT problems are the result of multiple reinforcing problems. There is no single fix. We need to make progress on multiple fronts. Progress is possible. But it will take time and work before we have widespread understanding and effective action.

The kinds of things that will improve the IoT problem include:

  • International rejuvenation of consumer protection standards. Manufacturers must be held accountable for dangerous defects in their devices. Even when the sale is across national boundaries.
  • We must force the US government to reverse its nasty habit of levying corporate fines, instead of seeking criminal punishment for corporate crimes that threaten public health and safety. Corporations don't make decisions. People make decisions. We need to return to holding corporate officers criminally accountable when they attempt to destroy or injure the rest of us.
  • We must adopt a more consistent understanding of the "First Sale" doctrine. We need to consistently apply the rights and responsibilities of ownership to all our internet connected devices. There should be no question that we are responsible for our internet connected devices.
  • We must understand that connecting to the internet affects everybody. We must accept that our internet-connected devices can affect everybody. We must accept responsibility to properly configure and maintain our devices.
  • We must allow our ISPs to act for the good of ourselves and our communities. We must require them to properly handle abuse reports. We must require them to properly pass abuse reports to the owners of internet connected equipment. We must require them to disconnect misbehaving internet equipment if an abuse report doesn't result in timely mitigation.
  • We need to assert our rights of ownership for all devices that can connect to the internet. We must demand that internet connected devices adhere to the minimum features required for ownership. If a device fails to meet these minimum standards, we need to feel fear and revulsion. This is a long term cultural change. Eventually, we should fear and distrust devices that lack critical internet safety features, like we fear and distrust an un-insulated electrical extension cord.
  • We need to widely understand that all internet connected devices must include three fundamental, independent, non-bypass-able, owner controlled bits of functionality: An on/off switch; A "connect/disconnect from the internet" switch; An "enable/disable code changes and configuration" switch.
  • We must demand that all our internet connected devices support owner supplied and modified code and configuration.
  • We must update copyright law to aggressively mitigate orphaned code. We need to understand that code is orphaned, once disclosed vulnerabilities and exploits are not promptly addressed. When code is orphaned, ownership (and full code publication) must quickly pass to the community.
  • In order to enable the previous point, we should require the Copyright Office to escrow source code before granting extended (beyond a few weeks) copyright protection.

None of these steps will individually address the IoT problems. But as we make progress on all of them, the IoT problems will be reduced to more manageable levels. And we will also regain control over our other "smart" devices as well.

#14

Oops! :confounded:


#15

Great. A communications network derived from something that was designed to survive all-out nuclear war will be destroyed by toasters and fridges. And there are people who think that irony is dead.


#16

Depends if we can take all our waste products and reconstitute them on a molecular level into new things… If so, then maybe not.


#17

I installed FlashStopper last week. No more autoplay for me!


#18

I remain optimistic on this. On the one hand:

  • Our society requires rapid, successful transportation and communication. We have almost completely transitioned to a Just In Time (JIT) economy. There are no big stockpiles of resources and goods. All elements of our society depend on tight, reliable links between supply and demand.
  • For example, most of the deaths during the Hurricane Katrina debacle were not caused by the initial flooding. They were caused by the breakdown in transportation and communication.
  • ALL aspects of the US transportation and communication grids are dependent on the continued functionality of the internet.
  • If the internet suffers an extended outage, there would be massive numbers of deaths. During the first few days, there would be thousands of deaths. During the first few weeks there would be millions of deaths. During the first few months, there would be billions of deaths.

On the other hand, the internet is built and maintained by hordes of capable people. We can overcome almost any obstacle. Once the dying starts, we will come up with answers. They will not be pretty, but they should be functional.

#19

I was surprised to find out that IKEA, of all companies, shows some signs of “getting it” regarding smart device security. Here’s hoping that others follow suit.


#20

This topic was automatically closed after 5 days. New replies are no longer allowed.