RogerBW's Blog

Internet of Things 28 December 2015

This has been a year when "Internet of Things" devices became relatively mainstream. Oh dear.

I feel strongly about this because it has the potential to be done well, and isn't being. I already think in terms of headless clients where possible, and I've built various devices round Raspberry Pi and similar machines. But things sold as "IoT Devices" generally don't work that way. I have two basic problems with all this.

First is that they are typically closed platforms at best. Sure, you can have this device, but you can only control it from our smartphone app or web site. So you need an account with us, and we will track everything you do with the the thing we sold you. Or that you do merely in the same room as it. Did you not want to consent to that? Too bad, you can't use our device. Did you want to mix devices from different manufacturers? We will rewrite our code to stop you. If we decided not to encrypt our communications, you can't wrap them in a VPN tunnel or even rewrite the code to use HTTPS. If we get bored and stop providing the servers to make older devices work, you have to buy a new one.

Second is security. Well, this is the obvious one. By definition an IoT device must expose an IP stack. An IP stack can have bugs in it, and always does. If you're a sysadmin, think about how often you have to patch flaws, and then remember that most IoT devices are never updated. Remember all those Windows NT zombies? This is a whole lot worse.

What's worse, the code being written for these machines is not being security-checked by people who know what they're doing before it's released to the world. Often it doesn't meet even basic standards, like the Samsung smart-fridge that didn't bother to validate SSL certs, allowing man-in-the-middle attacks against any connection it made – such as a Google Calendar login to display your schedule for the day. Oops, there goes your Google password. SSL is hard! Time to buy some more eggs! And let's not even talk about the pacemakers (even if the main researcher did conveniently die just before revealing the details). Or the baby monitors. Or the dolls.

So what's to be done? Don't allow unmaintained devices into your life if they can talk to the outside world, or even your local network. If you aren't keeping it up to date with security fixes, is anyone? Do you trust them? Do you trust the people who are going to buy that company next week? If you can't change its behaviour, you don't own it - the company does. If you must put up with such a device, isolate it from the rest of the net and only allow it to talk to your own hosts, which may choose to pass on messages to or from the outside world. (A Raspberry Pi firewall for every Hello Barbie?)

And build your own if you can, or look for builders who know at least the basics of security. At this point there's so much garbage out there that even simply not having an easily-guessed default password will lift your device out of the mass of targets.

Yeah, I do actually want full control over the lights in my house from a single point, so that the last person to bed can command all of them off at the end of the day – or we can carry RFID tags so that lights come on when we walk into a room and go off when we leave. But I also insist on being able to get at the code that drives that, and to update the servers myself. I don't mind turning my home into a datacentre if I can admin the machines that live there.

What I want generically is not an Internet Thingy but a USB Thingy that I can connect to the Internet, via a real computer with real security, if I want to.

See also:
The Live Tracker

  1. Posted by John Dallman at 09:49am on 28 December 2015

    I actually don't feel much need for more connectivity, certainly not at the price of doing sufficient sysadmin. So my default reaction to "IoT" is "no".

    British Gas tried to sell me remote controls for my heating, but could not provide any kind of written description: if you didn't bite immediately, their only fallback was a visit from a salesman. So either they're aware enough of the limitations of their product to be avoiding providing information that can be used against them, or, more likely, they have no more awareness of the security issues than an ant on a pavement does of the network of roads.

  2. Posted by RogerBW at 07:24pm on 28 December 2015

    I like sysadminning, and don't mind doing more of it at home, as the marginal effort per machine is minimal. But I really don't like having boxes I can't keep secure.

  3. Posted by Owen Smith at 08:40pm on 28 December 2015

    I'm much more towards John Dallman's camp. I really do not feel any need for internet connected light bulbs, fridge etc. Burglar alarm perhaps, but frankly it texting me if the alarm goes off would probably be more useful because I'll notice sooner so I can drive home to check. And I loathe sysadmin at home, I make every effort to minimise how much of it I have to do. I'm probably 6 months overdue for a round of updating on my Raspberry Pi DNS cache, but as it doesn't have any incoming ports allowed to it by my router's firewall I'm generally a bit lax about it.

  4. Posted by Owen Smith at 08:51pm on 28 December 2015

    My Freeview PVRs are an example of "can't be updated". They run some 6 year old (or maybe older) linux, and connect to the internet to run BBC iPlayer. The third party firmware expands on this by providing remote scheduling, a web epg and video streaming, and many other features which I value. But the third party software can't update the underlying linux with security fixes, the linux is so old it's out of general support. They do their best, the box always connects out and doesn't have incoming ports open, and they did include an updated kernel that has iptables in so people can do some firewalling on the box if they don't turst their broadband firewall. But still, despite a very active third party software package scene it is effectively unsupported as far as basic security fixes go. If a huge exploit happened I'm sure they do something, but there's no proactive security updates. And that's on a piece of kit where I know what the situation is and I can telnet into (no ssh alas).

    My Sony TV has a lot of internet connectivity built in. But I have no idea what any of it does (in terms of internal architecture and security issues), and I don't need or value any of the features, so it isn't connected to my network. I connected it once when it was new to update the firmware, and provided it continues working I shall never connect it again. I basically only use it as an HDMI monitor anyway for the Freeview PVRs and blu ray player.

Comments on this post are now closed. If you have particular grounds for adding a late comment, comment on a more recent post quoting the URL of this one.

Tags 1920s 1930s 1940s 1950s 1960s 1970s 1980s 1990s 2000s 2010s 3d printing action advent of code aeronautics aikakirja anecdote animation anime army astronomy audio audio tech aviation base commerce battletech beer boardgaming book of the week bookmonth chain of command children chris chronicle church of no redeeming virtues cold war comedy computing contemporary cornish smuggler cosmic encounter coup covid-19 crime cthulhu eternal cycling dead of winter doctor who documentary drama driving drone ecchi economics en garde espionage essen 2015 essen 2016 essen 2017 essen 2018 essen 2019 essen 2022 essen 2023 existential risk falklands war fandom fanfic fantasy feminism film firefly first world war flash point flight simulation food garmin drive gazebo genesys geocaching geodata gin gkp gurps gurps 101 gus harpoon historical history horror hugo 2014 hugo 2015 hugo 2016 hugo 2017 hugo 2018 hugo 2019 hugo 2020 hugo 2022 hugo-nebula reread in brief avoid instrumented life javascript julian simpson julie enfield kickstarter kotlin learn to play leaving earth linux liquor lovecraftiana lua mecha men with beards mpd museum music mystery naval noir non-fiction one for the brow opera parody paul temple perl perl weekly challenge photography podcast politics postscript powers prediction privacy project woolsack pyracantha python quantum rail raku ranting raspberry pi reading reading boardgames social real life restaurant reviews romance rpg a day rpgs ruby rust scala science fiction scythe second world war security shipwreck simutrans smartphone south atlantic war squaddies stationery steampunk stuarts suburbia superheroes suspense television the resistance the weekly challenge thirsty meeples thriller tin soldier torg toys trailers travel type 26 type 31 type 45 vietnam war war wargaming weather wives and sweethearts writing about writing x-wing young adult
Special All book reviews, All film reviews
Produced by aikakirja v0.1