The Internet Of Things Is a Security And Privacy Dumpster Fire And The Check Is About To Come Due
from the no-hyperbole-intended dept
If you're a long-standing reader of Techdirt, you know we've well documented the shitshow that is the "internet of things." It's a sector where countless companies were so excited to develop, market and sell new "smart" appliances, they couldn't be bothered to embrace even the most rudimentary security and privacy standards once these devices were brought online. The result is an endless stream of stories about refrigerators, TVs, thermostats or other "smart" devices that are busy hemorrhaging personal data, inadvertently advertising that sometimes the smart option -- is actually the dumb one.
This systemic incompetence has now fused with a cultural disdain for more modern consumer privacy protections. The end result has been an obvious uptick in concern about how much data is now being collected by even children's toys like Barbie dolls, something that last year's Vtech hack illustrated isn't just empty fear mongering. Convincing parents who already find technology alienating has proven to be difficult, as has attempting to craft intelligent regulation that protects kids' playtime babbling from being aggressively monetized without hindering emerging sector innovation and profits.
To that end, the Family Online Safety Institute and the Future of Privacy Forum held a presentation last week (you can find the full video here) where analysts and experts argued, among other things, that privacy policies need to be significantly simplified and modernized for an era where a child's doll can profoundly impact the privacy of countless people. It has been, needless to say, an uphill climb.
And while this all is seen as kind of cute and theoretical when we're talking about not-so-smart tea kettles or talking dolls, the amusement has worn off as the conversation has shifted to territory where incompetence or a clever hack can kill you (namely, automobiles). As Bruce Schneier notes over at Motherboard, this massive introduction of privacy flaws is a pretty big problem at scale, when appliances aren't swapped out or updated often:
"As more things come under software control, they become vulnerable to all the attacks we've seen against computers. But because many of these things are both inexpensive and long-lasting, many of the patch and update systems that work with computers and smartphones won't work. Right now, the only way to patch most home routers is to throw them away and buy new ones. And the security that comes from replacing your computer and phone every few years won't work with your refrigerator and thermostat: on the average, you replace the former every 15 years, and the latter approximately never."
And while mocking the internet of things has become a running joke, Schneier notes it quickly becomes less funny when you begin to realize that the interconnected nature of all of these devices means we're introducing millions of new attack vectors daily in homes, businesses, utilities, and government agencies all over the world. Collectively these flaws will, no hyperbole intended, inevitably result in significant deaths:
"Systems are filled with externalities that affect other systems in unforeseen and potentially harmful ways. What might seem benign to the designers of a particular system becomes harmful when it's combined with some other system. Vulnerabilities on one system cascade into other systems, and the result is a vulnerability that no one saw coming and no one bears responsibility for fixing. The Internet of Things will make exploitable vulnerabilities much more common. It's simple mathematics. If 100 systems are all interacting with each other, that's about 5,000 interactions and 5,000 potential vulnerabilities resulting from those interactions. If 300 systems are all interacting with each other, that's 45,000 interactions. 1,000 systems: 12.5 million interactions. Most of them will be benign or uninteresting, but some of them will be very damaging."
At that scale, the argument that you didn't embed useful security because "it was only a refrigerator," or that you didn't impose some basic privacy protections and guidelines because "it might hurt an emerging sector's ability to make more money," starts to lose its luster. Schneier tries to argue that the only way we can truly mitigate the looming risk is the involvement of an informed public and an accountable government:
"Security engineers are working on technologies that can mitigate much of this risk, but many solutions won't be deployed without government involvement. This is not something that the market can solve. Like data privacy, the risks and solutions are too technical for most people and organizations to understand; companies are motivated to hide the insecurity of their own systems from their customers, their users, and the public; the interconnections can make it impossible to connect data breaches with resultant harms; and the interests of the companies often don't match the interests of the people.
Governments need to play a larger role: setting standards, policing compliance, and implementing solutions across companies and networks. And while the White House Cybersecurity National Action Plan says some of the right things, it doesn't nearly go far enough, because so many of us are phobic of any government-led solution to anything.
The next president will probably be forced to deal with a large-scale internet disaster that kills multiple people. I hope he or she responds with both the recognition of what government can do that industry can't, and the political will to make it happen."
This is of course the part of the story where the author is supposed to inform you that with good intentions and enough gumption, government, the public and industry will come together and quickly nip this problem in the bud. Of course this particular post's readership is painfully aware that the same government Schneier hopes will come to the rescue is too busy trying to embed its own problematic backdoors in everything under the sun while a large portion of it rushes to gut the funding and authority of any regulator capable of imposing basic privacy and security protections.
Said readers are also probably painfully aware that neither looming major Presidential candidate has shown the remotest competence in regards to technology or genuine cyber-security. That means it's more than likely these unfortunate outcomes Schneier predicts will need to arrive before we're collectively even willing to begin to take serious steps to address them. At that point the only certain outcome is that all of the players involved will be sure to shirk their own personal responsibility for the security and privacy nightmare they helped build. Still, for whatever it winds up being worth, we can't say we weren't warned.
Filed Under: bruce schneier, internet of things, iot, privacy, security
Reader Comments
I'm sure President Trump will deal with it with a calm level head and certainly not declare war on China.
Re:
and Trump isn't saying he's going to go to war with China. He's saying he's going to tax our imports from China because they tax our exports to China. I'm not saying that's a good thing but I think it's important to properly discuss the actual issues and not the exaggerated hysteria.
Re: Re:
Game recognize game.
Re: Re: Re:
So if he wants to go to war with a country he's hostile and just wants to start wars. If he doesn't want to go to war with a country it's because he has the same mentality as their leaders. Apparently he can't win either way.
Re: Re: Re: Re: Re:
I'm not saying that I think Trump is a good candidate. Neither is Hillary. I'm just saying that we should be more specific about our criticisms instead of having these vague criticisms that because he found common ground with Putin that means he agrees with Putin on everything due to having the same mentality. I think that's an overly broad statement.
People have already died
Personally I don't want smart devices because their main use is going to be monitoring me and marketing to me. Now if they are smart in useful ways, I might be interested.
For now, if I have to get a smart device, I will not be hooking it up to the internet or any apps. I will use it like a dumb device.
Re: People have already died
Blaming autopilot for crashes is a lot like blaming your cruise control for speeding. They are both there to make things easier for you, but if you set your cruise control for 55 on the highway and don't adjust when you reach a town, that is on you.
When a car is built that you don't control and instead a computer fully drives it for you, that is when you can point fingers at the computer. If you're told beforehand that you're beta testing a driving system and you die, that is on you.
Re: Re: People have already died
and really part of the reason the FDA regulates these herbs is because they can compete with pharmaceutical sales and the FDA, like the rest of the government, is all about forcing people to pay higher prices in the name of corporate profits. Sure the dietary supplement industry makes money as well but there is more competition there so there is less concentration of profits due to restricted competition.
Re: People have already died
Yes, it was -- it was a human driver failing to actually drive.
That was exactly the same sort of thing that happened when cruise control was first introduced and there were idiots who thought that it meant they could stop being drivers.
Re: Re: People have already died
Blame the victim. Classic.
"That was exactly the same sort of thing that happened when cruise control was first introduced and there were idiots who thought that it meant they could stop being drivers."
Yeah, I remember those old jokes. They were jokes, son, jokes.
Re: Re: Re: People have already died
Nobody ever claimed that the car could drive itself. In fact, Tesla specifically said otherwise -- even going so far as to say so in a warning screen you had to acknowledge before using the feature.
"They were jokes, son, jokes"
The jokes were exaggerated versions of the effect (like the old tale about the guy driving an RV and getting out of the driver's seat to make a sandwich or some nonsense).
But there were actual cases that were less egregious than the jokes, where people overestimated what cruise control could actually do and paid less attention to driving the car as a result.
Re: Re: Re: Re: People have already died
I am hardly the world's biggest Musk/Tesla fan, but I don't see Tesla particularly to blame for that accident from what I've read.
Re: Re: Re: Re: Re: Re: Re: People have already died
Why only cliffs? I don't see the distinction.
Re: Re: Re: People have already died
The victim who was watching a DVD while zipping along at 90 MPH instead of noticing the broad side of an 18 wheeler? Yes, we're blaming that dumbass. Maybe in the next life, he'll keep both hands on the wheel and his eyes on the road.
Re: Re: Re: Re: People have already died
Who would that have been? Because those aren't the facts in the case being discussed. Link, please. Or are you just making crap up?
Re: Re: Re: Re: Re: People have already died
http://www.bloomberg.com/news/articles/2016-07-26/florida-driver-in-fatal-tesla-crash-using-autopilot-was-speeding
The DVD thing is speculation. A portable DVD player was found in the car, leading to the speculation that he was watching it, but to the best of my knowledge there is no evidence indicating that it was actively being used at the time.
http://www.reuters.com/article/us-tesla-autopilot-dvd-idUSKCN0ZH5BW
However, the basic fact is that he was supposed to be actively driving the car and failed to notice and avoid a semitrailer in his path.
The only way I can see that the Tesla system could be considered at fault is if it steered him into the truck when he was trying to avoid it -- but literally nobody is asserting that's what happened.
Re: Re: Re: Re: Re: Re: People have already died
Then it sounds like some made up crap. The NTSC also said that it does not appear that his speed was a factor.
Tesla needs better trolls.
Re: Re: Re: Re: Re: Re: Re: People have already died
"The NTSC also said that it does not appear that his speed was a factor."
That's correct. He was speeding by 9 MPH. That was unlikely to be a big factor on the face of it.
Re: Re: Re: Re: Re: Re: Re: Re: People have already died
No, the person who said he was going 90.
IoT Means The Western Nations are Easy Targets
Who needs a traceable EMP blast to wipe out infrastructure when you can just use a few lines of code to achieve far more devastation on a vastly higher scale?
I'd recommend not using electronic locks and not using any appliance-type device connected to the internet, but I'd be laughed at because so-called convenience takes priority over long-term thinking, security mindfulness and privacy.
Re: IoT Means The Western Nations are Easy Targets
Just because it's electronic doesn't mean it's connected to a network, let alone the internet.
I have stand-alone electronic locks on 2 external doors. The PINs have to be coded individually on each lock, and the RFID tags need to be associated separately on each lock.
The security of these things is so weak. Baby monitors that connect to the internet, the security is a joke!!! Door locks, cameras, etc. All these things people can easily gain access to, to get into your house, spy on what you're doing, etc. No thanks!!!
Re:
Yeah, ain't it beautiful?
Re:
I can access them from the internet.
First, I have to establish a VPN between my remote device (laptop/phone/computer) and my router, using both a certificate and a (16-character) password. Once I have established this VPN, accessing the DVR that the cameras are connected to requires another authentication step, a username-password pair, which can only be accepted coming via the VPN tunnel.
Now while anything connected to the internet has a level of security vulnerability, this is pretty secure.
Perhaps the issues you have are to do with products that require connection to services that are outside your control?
Re: Re:
I can access them from the internet.
Well, we're just talking about *your* cameras. The internet does not revolve around you. We're talking about IoT in general.
Re: Re:
Although all those cams with the ActiveX controls are still pretty hilarious.
Love Bruce. I do.
Um. Yeah. The whole point is that you are now going to have to buy a new refrigerator on a mobile phone cycle or too bad, no updates. All that hinky advertising is to get you to buy things. A refrigerator company is not in the business of keeping you safe, it is in the business of selling you refrigerators. Just as a software company isn't in the business of keeping you safe, they're in the business of selling software. Period.
Why don't we all just be honest with ourselves and just update the standards to state everyone is required to buy everything all over again every year.
Re:
"Samsung has detected that you have placed unlicensed food items in your refrigerator - would you like us to place an Amazon Prime order for DRM-approved produce, or would you like to purchase the Farm-to-Table expansion that allows you to keep non-RFID tagged foodstuffs?"
Too bad the government has caused so much mistrust of itself.
Re:
A WiFi network with no direct connection to the public Internet, but only via the Control server, would greatly reduce security risks. It would also eliminate dependencies on servers that could be switched off, and improve privacy by eliminating data harvesting.
The idea that every intelligent device in a house connects to the public Internet poses huge security risks, as well as risks of devices being bricked whenever their manufacturers decide to end-of-life a product.
Re: Re:
Mind you, I'm a security engineer... so the router has ACLs, the FW has ACLs and the managed switch... has ACLs. Yes, it's a pain to manage, but it's *my* responsibility to be informed and manage crap I buy. When you abdicate your responsibility you get what you paid for.
The average moron's mileage will vary, and yes, the manufacturers are abysmal at actually providing what their crud tries to do in an easily parsed form.
As for the driving car examples.... mechanical handbrake, & if you take your eyes off the road and your hands off the wheel.... you get what you deserve.
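The network-side part of what the commenters above describe (a camera DVR reachable only through the VPN tunnel, an IoT network that may talk only to a local control server, and router/firewall ACLs enforcing both) modelled as a first-match access list with default deny. This is an added example, not code from the post or from any commenter; the interface names, subnets, the DVR port and the control-server port are all assumed.

```python
"""Model of the segmented home network the comments describe, as a
first-match ACL with default drop. Added example; the layout below is
assumed: LAN 10.0.0.0/24 with the DVR at 10.0.0.50 and a control server
at 10.0.0.10, IoT VLAN 10.0.2.0/24 on "iot0", VPN clients 10.8.0.0/24
arriving on "wg0", the internet on "wan0"."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    in_iface: str   # interface the packet arrives on
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    in_iface: Optional[str]  # None = any interface
    dst_net: Optional[str]   # None = any destination
    dport: Optional[int]     # None = any port
    action: str              # "accept" or "drop"

    def matches(self, f: Flow) -> bool:
        if self.in_iface is not None and self.in_iface != f.in_iface:
            return False
        if self.dst_net is not None and ip_address(f.dst) not in ip_network(self.dst_net):
            return False
        return self.dport is None or self.dport == f.dport


DVR, CONTROL = "10.0.0.50", "10.0.0.10"   # assumed addresses
RULES: List[Rule] = [
    Rule("wg0", f"{DVR}/32", 8000, "accept"),      # DVR only via the VPN tunnel (port assumed)
    Rule("wan0", None, None, "drop"),              # nothing unsolicited from the internet
    Rule("iot0", f"{CONTROL}/32", 443, "accept"),  # IoT devices reach the control server only
    Rule("iot0", None, None, "drop"),              # ...and nothing else, internet included
]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> str:
    """First matching rule wins; an unmatched flow hits the default drop policy."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return "drop"


def check_policy() -> Dict[str, str]:
    """Verdicts for the flows a defender would want to confirm (constructed sample flows)."""
    flows = {
        "internet_to_dvr": Flow("wan0", "203.0.113.7", DVR, 8000),
        "vpn_to_dvr": Flow("wg0", "10.8.0.2", DVR, 8000),
        "vpn_to_other_lan_host": Flow("wg0", "10.8.0.2", "10.0.0.20", 22),
        "iot_to_control": Flow("iot0", "10.0.2.15", CONTROL, 443),
        "iot_to_internet": Flow("iot0", "10.0.2.15", "198.51.100.9", 443),
        "iot_to_dvr": Flow("iot0", "10.0.2.15", DVR, 8000),
    }
    return {name: evaluate(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{name:24s} {verdict}")
```

The VPN's certificate-plus-password login and the DVR's own username/password are further layers on top of this; the model covers only the network path that keeps a direct-from-internet request from ever reaching the DVR or the IoT devices.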
Re: Re: Re:
Keep your eyes on the road, your hands upon the wheel.
The future's uncertain and the end is always near.
Easy fix
Re: Re: Easy fix
Overly onerous, pointless, and ridiculous rules are always stupid. I think most people would like to avoid those. Which is why we should stop legislating and acting on belief, and be a bit more evidence-based culturally.
Multiple people, eh? Well, ordinary people should be OK then, but the Three Faces of Eves types will be in serious danger....