Weekend Geek: Keep Your Internet Away From My Things

June 20, 2015

IoT

The Internet of Things (IoT), basically, is the connection of electronic devices not normally used for computation to the Internet. The definition of IoT also includes devices that aren’t necessarily connected directly to the Internet, but communicate with each other via a wireless network that’s in turn usually accessible from the Internet.

Take modern home security systems such as those offered by Xfinity. This kind of system allows you, for example, to go on the Internet while you’re at work and access systems in your house remotely — to lock or unlock doors, turn lights on or off, or view the feed from security cameras. Other IoT devices in your house might let you change the thermostat setting or check food inventories in the refrigerator. IoT also allows devices to act on their own or interact with each other: For example, your refrigerator could be programmed to detect when you’re running out of milk, eggs, or Guinness Stout, and automatically place orders over the Internet to restock itself. Self-driving cars will probably make heavy use of IoT technology. Infrastructure can be modified to provide information about traffic jams, dangerous road conditions, or bridges in danger of imminent collapse, and then automatically apply the brakes or reroute self-driving traffic.

Normally, I’m fascinated with technical progress, but I have strong misgivings about IoT. I may be risking my geek card here, but I’m much more concerned about the cyber security implications than excited by all these new gee-whiz applications.

Presumably, anything you could do remotely, hackers could do as well. Nowadays, when you connect a computer to the Internet, the malware attacks and intrusion attempts start almost immediately. I’m running a firewall and several anti-malware programs, yet several times a year I still need to go on a manual search-and-destroy mission to get rid of some evil piece of rat-ware infesting one of my computers. I update Windows and my protective programs regularly, but it seems they are always a step behind the latest threats.

If computers are vulnerable to hackers and malware, IoT devices will be vulnerable as well. What kind of protective software will all of these new Internet-connected devices have, and how foolproof will it be, given that big corporations and the government can’t even prevent their databases from being hacked? Imagine having no heat in your house until you can remove the latest Russian Trojan from your Internet-enabled thermostat. Imagine a hacker in China turning off your refrigerator, or a burglar with an iPad unlocking your front door. There have even been cases of baby monitors being hacked to spy on babies and their parents. In some cases hackers even yelled at the babies to wake them up, just out of malice apparently.

So far, none of this has bothered me too much, given that I have the power to prevent it from affecting my life. After all, if you don’t want your personal belongings (other than computers and smartphones) to be part of the IoT, you can easily opt out: Just don’t get an Internet-enabled security system or baby monitor; don’t buy that Internet-enabled toaster or nose-hair trimmer.

But when you leave your home, you’re no longer in full control of your environment, and your life may be in the hands of Internet-connected equipment whether you like it or not. It appears that hospitals and medical device manufacturers have jumped on the IoT bandwagon too. You might want to think twice about checking into the hospital after you read this recent article from Wired magazine about drug infusion pumps used to feed controlled dosages to patients in hospital beds:

The new vulnerabilities would allow attackers to remotely alter the firmware on the pumps, giving them complete control of the devices and the ability to alter dosages delivered to patients. And because the pumps are also vulnerable to the previous library vulnerability [security researcher Billy Rios] disclosed, an attacker would be able to first raise the dosage above the maximum limit before delivering a potentially deadly dosage without the pump issuing an alert.

The IoT revolution is here, and trying to stop it now would be a bit like standing by the expressway yelling, “Get a horse!” at passing traffic. Besides, there are a lot of applications that sound really promising. But I don’t intend to be an early adopter. Presumably, as the technology matures, security will catch up, but I expect the situation to get worse before it gets better.

So what’s the solution?

Published in General

Tags: cyber security, Internet of Things, Weekend Geek

Like this post? Want to comment? Join Ricochet’s community of conservatives and be part of the conversation. Join Ricochet for Free.

There are 57 comments.

Become a member to join the conversation. Or sign in if you're already a member.

12 ›

Inactive
Ryan M
@RyanM

8:18 PM EDT ⋅ Jun 19, 2015

Yeah, I’m not a big fan. Joining your non-early-adopter parade.
- #1

Inactive
Ricochet
@SpicyFoodHiccups

8:40 PM EDT ⋅ Jun 19, 2015

I’m in no hurry to adopt the new technologies, either – and fear the day when I’ll have no choice but to buy an autonomous vehicle. (Unless it flies…otherwise I guess there will always be bikes…)

The problem is, other than keeping critical processes off of interconnected devices, I’m not sure there is a good solution. New connections and new complexities will always generate new vulnerabilities. What’s especially dangerous in the IoT space is that it’s treated as a sort of gold rush. It seems to me for companies both large and small trying to develop a new “thing”, being first to market is paramount. As a result, the implementation of proper security measures and rigorous testing procedures is often sacrificed to get something out the door.
- #2

Member
Arahant
@Arahant

10:59 PM EDT ⋅ Jun 19, 2015

I have all my intended Internet devices connected through a thing called cables. However, some of my newer computers have wifi capabilities. I just checked. I am in range of four wifi networks. None of them are mine. So, even though I don’t have a wifi network, someone could still hack in if I get a device, such as that Internet toaster.

In one of anonymous’s book reviews, he talked about a book of short stories. One of those stories involved an investigator with the Air Force, if I remember, who winds up on a spy case. It turns out that a Chinese hacker has been gaining info through a phishing/love scheme. The denouement involves the guy taking over his phishing victim’s house remotely and causing it to try to kill her to cover his tracks. I know far too much about computers and programming to think it couldn’t happen. I have no doubt there are gaps one could drive an oil tanker through. I don’t even want wifi in my home, but we aren’t given a choice anymore.

Oh, and I get letters from my ISP all the time saying how great it would be if I upgraded and they can provide me with a wifi modem.
- #3

Inactive
skipsul
@skipsul

11:08 PM EDT ⋅ Jun 19, 2015

At work we have Wifi for some of its conveniences, but it is on a segregated network so you cannot use it to access anything internally. I asked my tech guy about how to secure Wifi, and his response was “you can’t. Not really, unless you want to go through setting up a radius server and personally authorize every wireless device. That takes a lot of time. Otherwise, if you don’t need it, don’t do it.”

I’m a little less cautious at home, but only a little. But I’ll never network anything I do not have to. I do not need my thermostat, refrigerator, or home security open.
- #4

Inactive
skipsul
@skipsul

11:11 PM EDT ⋅ Jun 19, 2015

But cautions aside, the temptation is strong for businesses. I make and sell equipment to the utility truck industry, and these guys are demanding all sorts of doodads for tracking of their fleets. It goes well beyond mere GPS, they want to track actual mile by mile fuel expenditure while driving as they can claim a tax rebate on fuel burned when not on the road. They want to monitor times on sites for billing. They want the ability to lock out vehicles. They want, essentially, to spy on their workers and how they use their trucks (understandable when a new utility truck can cost $200k+). The next few years will be very interesting.
- #5

Member
Arahant
@Arahant

11:15 PM EDT ⋅ Jun 19, 2015

skipsul:But cautions aside, the temptation is strong for businesses.

Your customers basically want you to create their Internet of Trucks for them. That’s just business.
- #6

Inactive
Roberto
@Roberto

2:41 AM EDT ⋅ Jun 20, 2015

Spicy Food Hiccups:As a result, the implementation of proper security measures and rigorous testing procedures is often sacrificed to get something out the door.

You are being insanely generous. To describe IoT ( good Lord what a ridiculous phrase for this technology ) as merely insecure does not even come close. Saying such devices take security back to the go go days of the 90’s is being nice.
- #7

Inactive
SPare
@SPare

4:15 AM EDT ⋅ Jun 20, 2015

From my vantage point at a telco, IoT is a really interesting thing. After all, most of it isn’t going over WiFi, it’s being carried over cell networks. Obviously, we are doing whatever we can to capture our fair share of one of the last growth engines available for wireless. Contrary to what you might think from your cell phone bills, core wireless is now a pretty rapidly declining market. Almost all of the growth that we can find these days is coming from IoT. (btw, all of this is publicly available, if you read the investor reports).

For the time being, home applications on IoT are pretty frivolous. That they are also the biggest threats to your personal safety from hackers suggests that unless you value your time very highly, you’re going to be better off without it. For what it’s worth, I don’t know that any of the guys on our IoT team actually uses this stuff at home.

(cont’d…)
- #8

Inactive
SPare
@SPare

4:22 AM EDT ⋅ Jun 20, 2015

(cont’d)

The benefit to businesses, though, is large. As skipsul noted, the trucking industry is already well down the path, having been using more primitive versions for well over a decade. The other big applications right now are in refrigeration for restaurant chains and wellhead monitoring for Oil & Gas. Essentially, the best uses at the moment are in cases where you want to find out what’s happening to one of your distant resources in real time, so that you can fix things before they go really wrong. The advantage is that you can monitor all of this stuff centrally, dedicating the job to one guy who’s paid to pay attention, rather than it being a secondary thing for someone more locally who has a thousand other things to worry about. The business case for these developments are essentially in waste reduction/ insurance.

To my knowledge, the control feedbacks aren’t yet being built in, which does limit the potential for mischief. However, I would imagine that this is only a matter of time, since if you can control remotely, you can lower costs even further.
- #9

Inactive
dialm
@DialMforMurder

4:35 AM EDT ⋅ Jun 20, 2015

It’s a baffling dilemma without a doubt.

This could be a bit of an out-of-the-square suggestion, but couldn’t one perhaps maybe just… not buy these things?

Or can they already hack into our old brass door knobs? I dunno, I’m a little behind.
- #10

Member
user_105642
@DavidFoster

5:32 AM EDT ⋅ Jun 20, 2015

One of the railroads, I believe it was Norfolk Southern, was recently talking about their new dispatching and centralized traffic control. Not only does the system allow remote control of switches and signals and observation of where trains are on the network (abilities of CTC systems for a long time) and provide computer-assisted dispatching, it *also* allows key employees to observe the rail network status (switches, signals, and train positions) from home when they need to do so. The RR said that they can only watch, they can’t change anything directly.

But imagine that the system was hacked, and malevolent outsiders got control of the system. I don’t think they could cause accidents…the ultimate protection is under control of distributed interlocking systems…but they could certainly get the traffic into an unbelievable snarl.
- #11

Member
Misthiocracy
@Misthiocracy

6:02 AM EDT ⋅ Jun 20, 2015

dialm: This could be a bit of an out-of-the-square suggestion, but couldn’t one perhaps maybe just… not buy these things?

Like how people can choose not to buy compact fluorescent lightbulbs?
- #12

Inactive
Nick Stuart
@NickStuart

6:21 AM EDT ⋅ Jun 20, 2015

Misthiocracy:

dialm: This could be a bit of an out-of-the-square suggestion, but couldn’t one perhaps maybe just… not buy these things?

Like how people can choose not to buy compact fluorescent lightbulbs?

It will be for our own good. The refrigerator and pantry will lock themselves, and the computerized order taking kiosks at the restaurant and store will decline to take our order after the central planner’s computer decided we’d had enough salt, or fat, or calories, for the day.
- #13

Member
user_105642
@DavidFoster

6:36 AM EDT ⋅ Jun 20, 2015

“It will be for our own good. The refrigerator and pantry will lock themselves, and the computerized order taking kiosks at the restaurant and store will decline to take our order after the central planner’s computer decided we’d had enough salt, or fat, or calories, for the day.”

This was a parody when I wrote it. Now, it may be a forecast of the near future:

No Steak for You!
- #14

Member
Blue State Blues
@BlueStateBlues

Post author

7:10 AM EDT ⋅ Jun 20, 2015

Thanks to the Editor for that last bit of professional polish.
- #15

Member
Blue State Blues
@BlueStateBlues

Post author

7:13 AM EDT ⋅ Jun 20, 2015

SPare:For the time being, home applications on IoT are pretty frivolous. That they are also the biggest threats to your personal safety from hackers suggests that unless you value your time very highly, you’re going to be better off without it. For what it’s worth, I don’t know that any of the guys on our IoT team actually uses this stuff at home.

(cont’d…)

Frivolous. Yes, that’s the perfect word.
- #16

Member
Blue State Blues
@BlueStateBlues

Post author

7:14 AM EDT ⋅ Jun 20, 2015

dialm:It’s a baffling dilemma without a doubt.

This could be a bit of an out-of-the-square suggestion, but couldn’t one perhaps maybe just… not buy these things?

Or can they already hack into our old brass door knobs? I dunno, I’m a little behind.

Not yet, thank goodness. I still trust my home security to that 150 year-old invention of Linus Yale Jr.
- #17

Member
user_1152
@DonTillman

8:03 AM EDT ⋅ Jun 20, 2015

Blue State Blues: So what’s the solution?

What you’ve described sounds like an enormous business opportunity.

This would be a system that limits the type of data going out (so Dr. Evil can’t tap into your security cam) and the type of data coming in (so Dr. Evil can’t insert a virus into your Nest thermostat), all with encryption.

Round up some experts, get to work building a prototype, you’ve got yourself a serious startup company.
- #18

Inactive
Ricochet
@SoDakBoy

8:37 AM EDT ⋅ Jun 20, 2015

Don Tillman: What you’ve described sounds like an enormous business opportunity.

Yes, but is it an increase in productivity?

For trucking companies and perhaps for food service, I can see the advantages, but for the regular homeowner this seems like a gigantic time sink. I can see a few enthusiasts embracing this and the gradual phasing out of non-IoT refrigerators, cars, etc. Perhaps this will take place naturally, perhaps it will take place with a “nudge” by a regulatory agency.

If that happens, people will be spending weekends updating their Maytag Operating System, scanning their Toyota for viruses and backing up their home security system’s security system.

And the endpoint? We will be in the exact same spot we are now in, except that we will be spending our free time monkeying around with things that we never had to monkey with.

Oh, and while I’m at it: Get off my lawn!
- #19

Member
user_105642
@DavidFoster

8:52 AM EDT ⋅ Jun 20, 2015

One of the important potential benefits of IOT is the advance prediction of failure. For example, I recently had a basement sump pump fail. It would have been nice if low-cost sensors could have predicted the incipient failure, possibly via vibration analysis, temperature trends, etc.

Furnaces, air conditioners, generators, and refrigerators could all benefit from this kind of failure prediction.
- #20

Member
Arahant
@Arahant

8:59 AM EDT ⋅ Jun 20, 2015

david foster:One of the important potential benefits of IOT is the advance prediction of failure. For example, I recently had a basement sump pump fail. It would have been nice if low-cost sensors could have predicted the incipient failure, possibly via vibration analysis, temperature trends, etc.

Furnaces, air conditioners, generators, and refrigerators could all benefit from this kind of failure prediction.

Of course, by adding technology and complicating the systems, the devices have more built-in failure points.
- #21

Member
user_1152
@DonTillman

9:04 AM EDT ⋅ Jun 20, 2015

SoDakBoy:

Don Tillman: What you’ve described sounds like an enormous business opportunity.

Yes, but is it an increase in productivity?

For trucking companies and perhaps for food service, I can see the advantages, but for the regular homeowner this seems like a gigantic time sink.

No, IoT will be a huge quality-of-life improvement.

The Nest smoke detector lets me check to see if my house is on fire while I’m away. And will call the fire department automatically. That’s a mighty compelling case.

An IoT lawn sprinker system would know not to wastefully water my lawn if it’s already raining. Or if it had just rained recently. Or if it’s going to rain soon. Heck, it can analyze the rainfall over time and add the exact amount of water to maintain a nice lawn with maximum efficiency.
- #22

Inactive
Gödel's Ghost
@GreatGhostofGodel

9:04 AM EDT ⋅ Jun 20, 2015

No IoT will be getting anywhere my life when things like this date to 2013.

The simple fact of the matter is that today there are two kinds of software: the kind whose failure doesn’t matter at all, and the kind whose failure results in absorbable losses for those running it.

Toyota killing someone results from thinking they have the second kind of software concerns when they’re actually in the currently infinitesimal third category: software necessary for modern civilization to function. Embedded systems in cars are obvious (and make the Toyota story that much more shocking—sorry, folks, but we actually do know how to develop proven bug-free software, and to not do so when human lives are at stake is clear criminal negligence). But it’s easy to expand the category—just ask yourself what would be part of the catastrophe of an EMP strike.

Now google Sergey Bratus, Meredith Patterson, and “weird machines” and see if you ever feel comfortable turning on a machine with a microprocessor ever again.
- #23

Inactive
skipsul
@skipsul

9:25 AM EDT ⋅ Jun 20, 2015

david foster:One of the important potential benefits of IOT is the advance prediction of failure. For example, I recently had a basement sump pump fail. It would have been nice if low-cost sensors could have predicted the incipient failure, possibly via vibration analysis, temperature trends, etc.

Furnaces, air conditioners, generators, and refrigerators could all benefit from this kind of failure prediction.

Yes, but at what cost? A new sump pump is pretty cheap. So is putting in a 2nd pump as backup, with a battery backup. No security risks there.

Though to argue the other side of it, my company has patents on the operation of DC motors – patents which include all manner of tricks to prolong motor life and reduce failure. No reason these same tricks could not work on AC motors too – the trick isn’t so much monitoring vibration or temperature as it is in monitoring current draw. When these things fail, the usual failure mode is expressed in abnormally high current draws, or none at all. Temperature is a lagging indicator – by the time a motor gets hot enough for a sensor to detect it, the motor is usually past the safety point.

What you should do is make such a system “dumb” – that is just shut off and throw up a flag during failure. No network inputs, only outputs – that’s how you secure it.
- #24

Inactive
skipsul
@skipsul

9:28 AM EDT ⋅ Jun 20, 2015

Don Tillman: The Nest smoke detector lets me check to see if my house is on fire while I’m away. And will call the fire department automatically. That’s a mighty compelling case. An IoT lawn sprinker system would know not to wastefully water my lawn if it’s already raining. Or if it had just rained recently. Or if it’s going to rain soon. Heck, it can analyze the rainfall over time and add the exact amount of water to maintain a nice lawn with maximum efficiency.

But you need to keep such systems as closed loops. For security, you only allow outputs, no outside inputs. A smart sprinkler is great (and they are out there) – but you have to mitigate against meddling. Same with your smoke detectors. Allow traffic out only where needed, and keep the inputs limited. Your smoke detector does not need to receive traffic or messages.
- #25

Member
Blue State Blues
@BlueStateBlues

Post author

9:34 AM EDT ⋅ Jun 20, 2015

Don Tillman:

SoDakBoy:

Don Tillman: What you’ve described sounds like an enormous business opportunity.

Yes, but is it an increase in productivity?

For trucking companies and perhaps for food service, I can see the advantages, but for the regular homeowner this seems like a gigantic time sink.

No, IoT will be a huge quality-of-life improvement.

The Nest smoke detector lets me check to see if my house is on fire while I’m away. And will call the fire department automatically. That’s a mighty compelling case.

An IoT lawn sprinker system would know not to wastefully water my lawn if it’s already raining. Or if it had just rained recently. Or if it’s going to rain soon. Heck, it can analyze the rainfall over time and add the exact amount of water to maintain a nice lawn with maximum efficiency.

I am not denying that there are advantages. But there are some things that are too critical and should be protected from Internet meddling.
- #26

Member
user_1152
@DonTillman

11:03 AM EDT ⋅ Jun 20, 2015

skipsul:

But you need to keep such systems as closed loops. For security, you only allow outputs, no outside inputs. A smart sprinkler is great (and they are out there) – but you have to mitigate against meddling. Same with your smoke detectors. Allow traffic out only where needed, and keep the inputs limited. Your smoke detector does not need to receive traffic or messages.

Exactly! Which is why I suggested in comment 18 that there will be a huge demand for an IoT Firewall product.

Blue State Blues:

I am not denying that there are advantages. But there are some things that are too critical and should be protected from Internet meddling.

Exactly! Which is why I suggested in comment 18 that there will be a huge demand for an IoT Firewall product.
- #27

Member
Ricochet
@ArizonaPatriot

11:14 AM EDT ⋅ Jun 20, 2015

The second Battlestar Galactica series did a good job presenting the dangers of hacking in a complex, interconnected system.

MINOR SPOILER ALERT

For those who didn’t see the series (or forgot), the Cylon bad guys were able to shut down virtually the entire Colonial military — battlestars, Vipers, and all — with a computer virus. The controls just went dead, and the Cylons wiped them out.

Only the Galactica, which was literally being turned into a museum, survived because of its antiquated, disconnected computer system.

[And yes, I mean literally, the Galactica was going to be a museum like the Midway in San Diego or the Intrepid in New York. I think that there was a funny point about one of the launch bays having been turned into a gift shop.]

MAJOR SPOILER ALERT

I know, in fact it was not just the Galactica that survived. It turned out that one modern battlestar, the Pegasus, also survived the Cylon attack. I don’t think that the show offers any explanation of how the Pegasus overcame the Cylon hacking (but it doesn’t show up for a couple of seasons, as I recall, so maybe the writers thought that we would have forgotten the hacking problem).
- #28

Member
user_1152
@DonTillman

11:18 AM EDT ⋅ Jun 20, 2015

Arahant: Of course, by adding technology and complicating the systems, the devices have more built-in failure points.

Indeed… but then again, look at the way automobiles are built these days; some crazy number of microprocessors, all interconnected, drive-by-wire, and all of that with any failure being potentially deadly.
- #29