Princeton Project Aims To Secure The Internet Of Broken, Shitty Things
from the Barbie-needs-a-better-firewall dept
Year after year, we're installing millions upon millions of "internet of things" devices on home and business networks that have only a fleeting regard for security or privacy. The width and depth of manufacturer incompetence on display can't be understated. Thermostats that prevent you from actually heating your home. Smart door locks that make you less secure. Refrigerators that leak Gmail credentials. Children's toys that listen to your kids' prattle, then (poorly) secure said prattle in the cloud. Cars that could, potentially, result in your death.
The list goes on and on, and it grows exponentially by the week, especially as such devices are quickly compromised and integrated into massive new botnets. And as several security experts have noted, nobody in this chain of dysfunction has the slightest interest in doing much about this massive rise in "invisible pollution":
"The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
One core part of the problem is that IOT device makers refuse to provide much control or transparency over what their internet-connected devices actually do once online. Often the tools and device interfaces provided to the end user are comically simple, providing you with virtually no data on how much bandwidth your devices are consuming, or what data they're transferring back to the cloud (frequently unencrypted). As a result, many normal people are participating in historically massive DDOS attacks or having their every behavior monitored without having the slightest idea it's actually occurring.
To that end Princeton's computer science department has launched a research program called the IOT Inspector they hope will provide users with a little more insight into what IOT devices are actually up to. The researchers behind the project say they spent some time analyzing fifty different common IOT devices, and like previous studies found that security and privacy in these devices was a total shitshow. Sending private user data unencrypted back to the cloud was common:
Unfortunately, many of the devices we have examined lack even these basic security or privacy features. For example, the Withings Smart Blood Pressure Monitor included the brand of the device and the string “blood pressure” in unencrypted HTTP GET request headers. This allows a network eavesdropper to (1) learn that someone in a household owns a blood pressure monitor and (2) determine how frequently the monitor is used based on the frequency of requests. It would be simple to hide this information with SSL."
As were devices that immediately began chatting with all manner of partner services whether the user wants them to or not:
Samsung Smart TV: During the first minute after power-on, the TV talks to Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook—even though we did not sign in or create accounts with any of them.
Again, user control and transparency is almost always an afterthought. Obviously, the creation of some unified standards is one solution. As is creating routers and hardware that alert users to when their devices have been compromised. Smarter networks and hardware are going to need to be a cornerstone of any proposed solution, the researchers note:
We are experimenting with machine learning-based DDoS detection using features using IoT-specific network behaviors (e.g., limited number of endpoints and regular time intervals between packets). Preliminary results indicate that home gateway routers or other network middleboxes could automatically detect local IoT device sources of DDoS attacks with high accuracy using low-cost machine learning algorithms.
Of course better standards are going to need to be built on the backs of a joint collaboration between governments, companies, consumers and researchers. And while we've seen mixed results on that front so far, efforts like this (and the Consumer Reports' open source attempt to make privacy and security an integral part of product reviews) are definitely a step in the right direction.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
If so many cars can be broken into (notably Audis and Volkswagens added to that list recently), why is this not being looked at more seriously?
I don't own or know most of the non-advertised functions of a modern car, so I have no idea how reliably the firmware or software on cars patch themselves when problems like this happen.
[ link to this | view in chronology ]
Re: Re:
I have hope for this market, unlike the general IOT market. Cars and their contents are usually insured, and the insurers will eventually catch on and demand better security (and demand higher rates for insecure vehicles). Home insurers may similarly push for improvements in "smart" door locks etc.
With baby monitors, blood pressure monitors, ..., the owners of those devices will never have any reason to file an insurance claim because of manufacturer negligence. "Regular" people have no insurance against DDOS etc., and the companies who have this insurance are unlikely to have baby monitors. So there's no incentive.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Remember the Prefix
[ link to this | view in chronology ]
Insecure Device Internet Of Things, was Re: Remember the Prefix
[ link to this | view in chronology ]
Unfortunately just sending this over an SSL won't fix that problem either. It's just security theater in this case. The reason being none of these devices are going to be using encrypted DNS either, or if someone's really on the ball, simply tracking IP addresses for the requests. Privacy is a tough nut to crack and requires layers rather than one silver bullet fixes everything (usually encryption is the one trotted out by the unwashed).
"We are experimenting with machine learning-based DDoS detection using features using IoT-specific network behaviors (e.g., limited number of endpoints and regular time intervals between packets). Preliminary results indicate that home gateway routers or other network middleboxes could automatically detect local IoT device sources of DDoS attacks with high accuracy using low-cost machine learning algorithms."
More hand wavingly vague goals with a few buzzwords to dazzle the press in their press release. The only way to fix this problem entirely is to make the people that have these devices responsible for any damage they create with reasonable responses and (mandantory) education once a problem has been identified. You also hold manufacturers legally responsible for any negligence on their part for privacy leaks and negligent software upkeep (proper firmware updates).
This is no different than licensing any other use case where use of a community resource carries dangers to the general public: automobiles, radio frequency use, public park use permits, large structure construction permits, parking permits, etc. If you want to use the Internet then you need to prove you can do it and not be a danger to everyone else on it.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Just commenting
Who's to say if the devices know Brian or not?
[ link to this | view in chronology ]
does no harm to Brian Krebs. I think we need a stronger definition:
ensuring that the device does no harm to the person using it. For
instance, it must not be able to collect the user's personal data on
behalf of anyone else, such as the manufacturer.
To achieve this, the device must contain exclusively free (libre)
software that the users can replace (see
https://gnu.org/philosophy/free-software-even-more-important.html), or
else it must not be able to communicate over the internet except to
the user's own computer.
[ link to this | view in chronology ]
[ link to this | view in chronology ]