Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#367702 - 07/10/2016 23:55 Internet of shit, IoT category
K447
old hand

Registered: 29/05/2002
Posts: 797
Loc: near Toronto, Ontario, Canada
I presume most on here are giving the current and prior generations of 'internet of things' a fairly wide berth.

Articles and events such as these suggest that the primary defense would be to buy only expensive (high enough profit margins to fund ongoing updates) and properly supported hardware (and the embedded software within). This would seem to exclude the vast bulk of the marketplace offerings.

Are there hardening methods that can allow these IoT things (aside from dislike of the acronym) to be 'effectively secure' despite being genetically vulnerable? Otherwise, seems like the best defense is to not install these things, at all.

http://motherboard.vice.com/read/we-need-to-save-the-internet-from-the-internet-of-things

http://motherboard.vice.com/tag/Internet+of+Shit


Edited by K447 (07/10/2016 23:59)

Top
#367703 - 08/10/2016 00:51 Re: Internet of shit, IoT category [Re: K447]
snowcrash
journeyman

Registered: 11/07/2013
Posts: 65
I saw Schnier's piece on Motherboard and felt it was well written and reasoned save that he has hope that national and international laws can somehow contain this problem. I am not as optimistic.

I felt like the DDoS on Krebs was a signal event and not a good one. I took the opportunity to send something of an essay to my entire department. Short version: Look at what any amateur could do to screw up our Internet/Web never mind state actors; If you come to work on Monday and there *is* no Internet, don't be shocked.

A year or two ago I bought a Foscam outdoor IP camera for $99. I thought it was pretty good and took a moment to wonder how I might get a such a decent camera for so few dollars. Whimsically, I concluded that Foscam (home Taiwan? PRC?) was engaging in a systematic program of below-cost market dumping. The overall goal? To saturate the national Internet spaces of both PRC perceived enemies and friends* with market-dumped, controllable, security-impaired IP Cams, TVs, thermostats, and toasters.

Years ago, I probably would have thought that an Internet of Things was Way Cool. If you can't tell, I am a little less sanguine lately when it comes to Internet technologies and whatever promise they might hold for people in general.

Jim

* friends can become enemies in a New York second


Edited by snowcrash (08/10/2016 00:52)

Top
#367704 - 08/10/2016 16:33 Re: Internet of shit, IoT category [Re: K447]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14472
Loc: Canada
I like having devices connected to my LAN -- mostly of my own build/programming. But I'm not at all interested in anything that "requires" a cloud server. That's just asking for trouble.

There are some good implementations, eg. ElectricImp, but just about everything out there is the result of some clueless company attempting to DIY it, complete with back doors for convenience.

I tolerate Google because of my smartphone, but generally try to keep even that on the guest LAN rather than the trusted internal LAN here.

It's gonna continue to be chaos for some time, by the looks of things.



Top
#367705 - 09/10/2016 00:35 Re: Internet of shit, IoT category [Re: mlord]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12318
Loc: Sterling, VA
Originally Posted By: snowcrash
A year or two ago I bought a Foscam outdoor IP camera for $99. I thought it was pretty good and took a moment to wonder how I might get a such a decent camera for so few dollars.

Well, I'd say it's less that it's a nefarious plot and more likely that it's a piece of junk like all Foscam products, and built using dirt-cheap labor by a company that does no advertising.

Originally Posted By: mlord
I like having devices connected to my LAN -- mostly of my own build/programming. But I'm not at all interested in anything that "requires" a cloud server. That's just asking for trouble.

This. I don't use any IoT devices with cloud servers. The biggest advantage is better performance when in the home. I tried Wink for a while just to test it out, and hated the lag I got from my commands going out to the net before coming back and going to my lights. It seemed like a stupid design, and I didn't like that being in the cloud anyway.


At the moment, even if you're not concerned about the security aspects, the IoT is a complete mess of competing "standards" where everyone is far more interested in getting their piece of the pie.
_________________________
Matt

Top
#367706 - 09/10/2016 16:01 Re: Internet of shit, IoT category [Re: K447]
DWallach
carpal tunnel

Registered: 30/04/2000
Posts: 3810
A buddy of mine who's involved in a lot of IETF things is a fan of something called MUD (manufacturer usage description). Broadly, it lets a manufacturer set rules, like "this thermostat only ever makes TCP connections to the following three DNS names". A policy like that can then be enforced by your home router or whatever else.

I like this because it's simple, and because it's spiritually similar to Content Security Policies, wherein a web server can make statements like "my HTML will never have inline JavaScript". That's proven very valuable for the web.

Top
#367707 - 09/10/2016 16:58 Re: Internet of shit, IoT category [Re: DWallach]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5680
Loc: London, UK
Originally Posted By: DWallach
A policy like that can then be enforced by your home router or whatever else.


Assuming that your home router isn't completely riddled with security holes, of course...
_________________________
-- roger

Top
#367709 - 09/10/2016 17:12 Re: Internet of shit, IoT category [Re: K447]
DWallach
carpal tunnel

Registered: 30/04/2000
Posts: 3810
For better or for worse, one of the huge problems with the way the modern Internet is laid out is that IPv4 + NATs mean that the ISPs cannot readily make their own policies for what's going on inside your house. In a world with IPv6 and no NATs, then things would be better.

I suspect that some large number of home network use router/NAT boxes provided by the ISP and it's perhaps more unusual for people to buy their own, so at least that's some hope.

You could even hypothesize some sort of branding standard for future home routers and ISPs insisting that you've got a "certified" home router with some certain set of features.

Hey, we can dream, right?

Top
#367711 - 10/10/2016 00:32 Re: Internet of shit, IoT category [Re: DWallach]
K447
old hand

Registered: 29/05/2002
Posts: 797
Loc: near Toronto, Ontario, Canada
Originally Posted By: DWallach
For better or for worse, one of the huge problems with the way the modern Internet is laid out is that IPv4 + NATs mean that the ISPs cannot readily make their own policies for what's going on inside your house. In a world with IPv6 and no NATs, then things would be better.
...
I almost never see version 6 IP mentioned in reviews or even specs for IoT gear.

Top
#367712 - 10/10/2016 01:32 Re: Internet of shit, IoT category [Re: DWallach]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14472
Loc: Canada
Originally Posted By: DWallach
For better or for worse, one of the huge problems with the way the modern Internet is laid out is that IPv4 + NATs mean that the ISPs cannot readily make their own policies for what's going on inside your house. In a world with IPv6 and no NATs, then things would be better.


A lot of us see the lack of NAT with IPv6 as one very good reason not to use it. More specifically, IPv6 was designed for absolute tracking of everything and everyone on the internet. Eg. Cookies on steriods. Just say no.

Top
#367728 - 11/10/2016 01:45 Re: Internet of shit, IoT category [Re: mlord]
snowcrash
journeyman

Registered: 11/07/2013
Posts: 65
Originally Posted By: mlord
Originally Posted By: DWallach
For better or for worse, one of the huge problems with the way the modern Internet is laid out is that IPv4 + NATs mean that the ISPs cannot readily make their own policies for what's going on inside your house. In a world with IPv6 and no NATs, then things would be better.


A lot of us see the lack of NAT with IPv6 as one very good reason not to use it. More specifically, IPv6 was designed for absolute tracking of everything and everyone on the internet. Eg. Cookies on steriods. Just say no.


If you are using NAT you are just helping the terrorists!

... smile

Top
#367733 - 11/10/2016 13:13 Re: Internet of shit, IoT category [Re: mlord]
DWallach
carpal tunnel

Registered: 30/04/2000
Posts: 3810
Originally Posted By: mlord
A lot of us see the lack of NAT with IPv6 as one very good reason not to use it. More specifically, IPv6 was designed for absolute tracking of everything and everyone on the internet. Eg. Cookies on steriods. Just say no.


This is a perspective I've never really thought about, and it's worth considering in more detail. On the one hand, wouldn't it be nice if devices could just send packets back and forth, like in the "good old days" before firewalls and NATs? IPv6 has the potential to eliminate a lot of the hackiness of the current IPv4 world.

That said, I remember in the early days of home DSL and cable modems that some ISPs would try to say "you only get 1 device at home", and NATs were the way you told them to buzz off. You sell me bandwidth and get out of my way.

So what's the solution? I'm not convinced that NATs do much for privacy these days. Even if you're running all your traffic through SSL, there are all sorts of telltales that fingerprint your TCP stack, and your DNS activity, all by itself, is quite telling about who you are and what you've got going on in your network. IMHO, the solution to this isn't better technology to hide ourselves, but rather better regulation that says what ISPs can and cannot collect.

For example, AT&T Gigapower is now available in my neighborhood, but I've been resisting the upgrade because I'm not interested in their privacy violation engine, although it appears that in advance of Congressional hearings on related topics, AT&T just killed the program and now everybody gets a more traditional privacy policy. For now.

Top
#367736 - 14/10/2016 06:11 Re: Internet of shit, IoT category [Re: K447]
K447
old hand

Registered: 29/05/2002
Posts: 797
Loc: near Toronto, Ontario, Canada
Akamia finds IoT security flaws

... includes a Synology mention.

Top
#367918 - 29/11/2016 00:15 Re: Internet of shit, IoT category [Re: K447]
altman
carpal tunnel

Registered: 19/05/1999
Posts: 3457
Loc: Palo Alto, CA
So, as others have mentioned electric imp is in the business of making the best secure platform for people to build IoT devices on top of.

If you can determine that there's an electric imp in the IoT device you're looking at, I personally guarantee that that device is - at least as far as DDoS participation and interfering with your traffic or home network - totally trustable.

Whether the device actually does its job well is a totally different problem, but building a trustable, secure platform is absolutely what we've been spending years doing.

As for other devices: I personally would have a lot of trouble trusting most devices built on embedded linux these days. They can be secured, but pretty much nobody actually does secure them. This is rather a sad state of affairs frown

As for protecting yourself against IoT devices making your home network insecure: don't have any open ports on your router and turn uPnP off. Do not poke holes in your NAT/inbound firewall for arbitrary devices, because it turns out most of them will be exploitable.

Top
#367920 - 29/11/2016 00:51 Re: Internet of shit, IoT category [Re: altman]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31563
Loc: Seattle, WA
Originally Posted By: altman
and turn uPnP off


Hard to do if one wants to actually USE any of the internet-capable equipment one has purchased. Some things just won't work right without it.

I understand that this gets to the heart of why many IoT devices are security holes. But I'm also talking about things which should know better, like game consoles and such.
_________________________
Tony Fabris

Top
#368003 - 07/12/2016 13:48 Re: Internet of shit, IoT category [Re: DWallach]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Originally Posted By: DWallach
Originally Posted By: mlord
A lot of us see the lack of NAT with IPv6 as one very good reason not to use it. More specifically, IPv6 was designed for absolute tracking of everything and everyone on the internet. Eg. Cookies on steriods. Just say no.


This is a perspective I've never really thought about, and it's worth considering in more detail. On the one hand, wouldn't it be nice if devices could just send packets back and forth, like in the "good old days" before firewalls and NATs? IPv6 has the potential to eliminate a lot of the hackiness of the current IPv4 world.

That said, I remember in the early days of home DSL and cable modems that some ISPs would try to say "you only get 1 device at home", and NATs were the way you told them to buzz off. You sell me bandwidth and get out of my way.

So what's the solution? I'm not convinced that NATs do much for privacy these days. Even if you're running all your traffic through SSL, there are all sorts of telltales that fingerprint your TCP stack, and your DNS activity, all by itself, is quite telling about who you are and what you've got going on in your network. IMHO, the solution to this isn't better technology to hide ourselves, but rather better regulation that says what ISPs can and cannot collect.


I have to disagree here, Dan. I certainly agree regulation is important and desirable, but I would never trust it alone to solve a problem like this. This sounds to me like: "we do not need encryption but regulations that prevent Governments and anyone else to spy on people". wink

I am quite concerned about IPv6, as a matter of fact, and I'd much rather rely on technology to insure privacy, than regulation. I've been wondering - and hoping - that when IPv6 becomes finally widely deployed, NATing techniques of some sort are in fact available nonetheless. Also, I wonder, how would an IPv6 world actually work, otherwise? Would ANY individual purchasing internet access be assigned an IPV6 RANGE by the ISP? Would we have to worry about how many IPs we have available from our ISP (or any other authority) to insure we have enough to connect one more printer or IoT device in our homes? Would we have to change our home network IP space as we change ISP? Or, would we need to purchase our own IP space and have ISPs route to that once we subscribe (adding a lot more complexity)?
NATing of some sort would still be very useful, it seems to me, and almost unavoidable, not only for privacy, but to allow some individual freedom/flexibility in designing one's local network. I have not been researching much on this, so sorry if my concerns or assumptions are naive, but, what do you guys think?

P.S.: also, and here I may simply be ignorant as to how IPv6 differs from IPv4, but, isn't NATting a router-based (meaning device-based, vs protocol-based) feature? If I am correct, what would prevent routers to simply include as many NATting features as desired by consumers, whether IPv6 or IPv4? One would still be presenting one IP to the world, apparently originated from the router, regardless of whatever happens on this side of the home gateway. What am I missing?


Edited by Taym (07/12/2016 14:15)
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

Top
#368004 - 07/12/2016 13:52 Re: Internet of shit, IoT category [Re: tfabris]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Originally Posted By: tfabris
Originally Posted By: altman
and turn uPnP off


Hard to do if one wants to actually USE any of the internet-capable equipment one has purchased. Some things just won't work right without it.

I understand that this gets to the heart of why many IoT devices are security holes. But I'm also talking about things which should know better, like game consoles and such.


I am sincerely curious as to what devices you refer to, here, Tony. I *never* had to use uPnP in my home network, and I do have plenty of network connected devices, from game consoles, to TVs, AV Receivers, and stuff I even forgot are actually taking an IP from my DHCP server (silly me) etc.
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

Top
#368009 - 07/12/2016 18:56 Re: Internet of shit, IoT category [Re: K447]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31563
Loc: Seattle, WA
One example:

"NOTE: UPnP is required if you plan to use more than one console to play Destiny on the same network simultaneously."
https://www.bungie.net/en/Help/Troubleshoot?oid=13612

Another example is many media server programs.
_________________________
Tony Fabris

Top
#368010 - 07/12/2016 19:04 Re: Internet of shit, IoT category [Re: K447]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31563
Loc: Seattle, WA
There are also many examples of similar things where, in order to get something to work, you must either manually port-forward or use UPNP. And most folks wouldn't even know how to find the port forwarding settings on their router, they just want to play their network game they just bought for Christmas or use their media server they just set up or whatever. So the option to "turn off UPNP and use port forwarding instead" is not viable for anyone except the experts.

Some people see advice on the internet which says "turn off UPNP on your router to increase security", they do so, and then their toys stop working. So they turn it back on and leave it.
_________________________
Tony Fabris

Top
#368012 - 07/12/2016 19:37 Re: Internet of shit, IoT category [Re: tfabris]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Originally Posted By: tfabris
There are also many examples of similar things where, in order to get something to work, you must either manually port-forward or use UPNP.


Indeed.

I was not aware of cases where uPnP is *required* as the only option, though. Oh well. I guess personally that'd be a reason not to use such devices, but of course that is subjective. I just happen to deeply dislike uPnP.


Edited by Taym (07/12/2016 21:47)
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

Top
#368014 - 07/12/2016 20:54 Re: Internet of shit, IoT category [Re: K447]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12318
Loc: Sterling, VA
From what I've seen, most new routers don't use UPnP or at least have it disabled by default. That's been the case with the last three routers I've installed at my home, and yet I have plenty of devices that are able to communicate with the outside world in a secure way.

I've only seen one [probably incomplete] list of devices that were hacked to launch that DDoS attack, and they all seemed pretty obscure.
_________________________
Matt

Top
#368015 - 07/12/2016 23:33 Re: Internet of shit, IoT category [Re: Taym]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31563
Loc: Seattle, WA
Originally Posted By: Taym
I just happen to deeply dislike uPnP.


With good reason.
_________________________
Tony Fabris

Top
#368167 - 05/01/2017 07:52 Re: Internet of shit, IoT category [Re: K447]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31563
Loc: Seattle, WA
I truly love Ars' choice of main headline for this article.
_________________________
Tony Fabris

Top
#368168 - 05/01/2017 09:51 Re: Internet of shit, IoT category [Re: K447]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5914
Loc: Wivenhoe, Essex, UK
I've heard that the S in IoT stands for security...
_________________________
Remind me to change my signature to something more interesting someday

Top
#368170 - 05/01/2017 15:07 Re: Internet of shit, IoT category [Re: tfabris]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12318
Loc: Sterling, VA
Originally Posted By: tfabris
I truly love Ars' choice of main headline for this article.

laugh laugh laugh

I've played with those fridges in Best Buy, with their gigantic Android interfaces. They seem to be running Ice Cream Sandwich or something, and the UI they place on top of it is a complete disaster. I'll be surprised if LG's phone team worked on this mess.

I truly do not understand the assumption that we all want to stand in the kitchen in front of our refrigerators, especially in an age when we all have much more powerful devices in our pockets that were designed by more thoughtful engineering teams.
_________________________
Matt

Top
#368173 - 05/01/2017 16:46 Re: Internet of shit, IoT category [Re: Dignan]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5680
Loc: London, UK
Originally Posted By: Dignan
I truly do not understand the assumption that we all want to stand in the kitchen in front of our refrigerators


But without new features, you won't buy a new fridge, and LG won't make any money, and everyone will lose their jobs. You don't want that on your conscience, do you, consumer?
_________________________
-- roger

Top
#368174 - 05/01/2017 17:19 Re: Internet of shit, IoT category [Re: Roger]
canuckInOR
carpal tunnel

Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
Originally Posted By: Roger
Originally Posted By: Dignan
I truly do not understand the assumption that we all want to stand in the kitchen in front of our refrigerators


But without new features, you won't buy a new fridge, and LG won't make any money, and everyone will lose their jobs. You don't want that on your conscience, do you, consumer?

Heh. We don't even use all the features on our current fridge. It has an ice dispenser, yet we still open the freezer to grab ice from the bucket. Ice cubes have a tendency to block the little dispenser door flap open, so that warm air leaks into the freezer, melting the ice cubes in the bucket enough that they re-freeze together. So until they can figure out their existing features, I'm not overly interested in the whizbang features.

Top
#368177 - 06/01/2017 02:03 Re: Internet of shit, IoT category [Re: K447]
DWallach
carpal tunnel

Registered: 30/04/2000
Posts: 3810

Top
#368178 - 06/01/2017 02:56 Re: Internet of shit, IoT category [Re: canuckInOR]
gbeer
carpal tunnel

Registered: 17/12/2000
Posts: 2665
Loc: Manteca, California
Ever notice you can't test the in door ice dispensers while in the store. If people knew how noisy the in-door dispensers are...
_________________________
Glenn

Top
#368179 - 06/01/2017 05:12 Re: Internet of shit, IoT category [Re: gbeer]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12318
Loc: Sterling, VA
Some of those dispensers are pretty bad, but ours works well.

Originally Posted By: gbeer
Ever notice you can't test the in door ice dispensers while in the store. If people knew how noisy the in-door dispensers are...

They're all noisy, so there wouldn't be much difference. I'd say they just don't want to run water lines to all of them and have them actually using the energy to make ice.
_________________________
Matt

Top