Weekend Geek: Keep Your Internet Away From My Things

 

IoT

The Internet of Things (IoT), basically, is the connection of electronic devices not normally used for computation to the Internet. The definition of IoT also includes devices that aren’t necessarily connected directly to the Internet, but communicate with each other via a wireless network that’s in turn usually accessible from the Internet.

Take modern home security systems such as those offered by Xfinity. This kind of system allows you, for example, to go on the Internet while you’re at work and access systems in your house remotely — to lock or unlock doors, turn lights on or off, or view the feed from security cameras. Other IoT devices in your house might let you change the thermostat setting or check food inventories in the refrigerator. IoT also allows devices to act on their own or interact with each other: For example, your refrigerator could be programmed to detect when you’re running out of milk, eggs, or Guinness Stout, and automatically place orders over the Internet to restock itself. Self-driving cars will probably make heavy use of IoT technology. Infrastructure can be modified to provide information about traffic jams, dangerous road conditions, or bridges in danger of imminent collapse, and then automatically apply the brakes or reroute self-driving traffic.

Normally, I’m fascinated with technical progress, but I have strong misgivings about IoT. I may be risking my geek card here, but I’m much more concerned about the cyber security implications than excited by all these new gee-whiz applications.

Presumably, anything you could do remotely, hackers could do as well. Nowadays, when you connect a computer to the Internet, the malware attacks and intrusion attempts start almost immediately. I’m running a firewall and several anti-malware programs, yet several times a year I still need to go on a manual search-and-destroy mission to get rid of some evil piece of rat-ware infesting one of my computers. I update Windows and my protective programs regularly, but it seems they are always a step behind the latest threats.

If computers are vulnerable to hackers and malware, IoT devices will be vulnerable as well. What kind of protective software will all of these new Internet-connected devices have, and how foolproof will it be, given that big corporations and the government can’t even prevent their databases from being hacked? Imagine having no heat in your house until you can remove the latest Russian Trojan from your Internet-enabled thermostat. Imagine a hacker in China turning off your refrigerator, or a burglar with an iPad unlocking your front door. There have even been cases of baby monitors being hacked to spy on babies and their parents. In some cases hackers even yelled at the babies to wake them up, just out of malice apparently.

So far, none of this has bothered me too much, given that I have the power to prevent it from affecting my life. After all, if you don’t want your personal belongings (other than computers and smartphones) to be part of the IoT, you can easily opt out: Just don’t get an Internet-enabled security system or baby monitor; don’t buy that Internet-enabled toaster or nose-hair trimmer.

But when you leave your home, you’re no longer in full control of your environment, and your life may be in the hands of Internet-connected equipment whether you like it or not. It appears that hospitals and medical device manufacturers have jumped on the IoT bandwagon too. You might want to think twice about checking into the hospital after you read this recent article from Wired magazine about drug infusion pumps used to feed controlled dosages to patients in hospital beds:

The new vulnerabilities would allow attackers to remotely alter the firmware on the pumps, giving them complete control of the devices and the ability to alter dosages delivered to patients. And because the pumps are also vulnerable to the previous library vulnerability [security researcher Billy Rios] disclosed, an attacker would be able to first raise the dosage above the maximum limit before delivering a potentially deadly dosage without the pump issuing an alert.

The IoT revolution is here, and trying to stop it now would be a bit like standing by the expressway yelling, “Get a horse!” at passing traffic. Besides, there are a lot of applications that sound really promising. But I don’t intend to be an early adopter. Presumably, as the technology matures, security will catch up, but I expect the situation to get worse before it gets better.

So what’s the solution?

Published in General

There are 57 comments.

  1. Blue State Blues Member
    Blue State Blues
    @BlueStateBlues

    Don Tillman:

    Blue State Blues:

    I am not denying that there are advantages. But there are some things that are too critical and should be protected from Internet meddling.

    Exactly! Which is why I suggested in comment 18 that there will be a huge demand for an IoT Firewall product.

    Not talking about a firewall.  There are some things that should not be connected to the Internet at all.  For example, critical control systems in a nuclear power plant have no connection whatsoever to the Internet.

    • #31
  2. user_3444 Coolidge
    user_3444
    @JosephStanko

    Blue State Blues: I’m running a firewall and several anti-malware programs, yet several times a year I still need to go on a manual search-and-destroy mission to get rid of some evil piece of rat-ware infesting one of my computers. I update Windows and my protective programs regularly, but it seems they are always a step behind the latest threats.

    One additional thing you can do to protect yourself is set up two accounts with different passwords:

    • an administrator account that you only use for installing new software
    • an account for day-to-day use that does not have admin rights

    In newer versions of Windows you don’t even need to switch accounts, when you try to do something that needs elevated privileges (like install or update software) it will pop up a special dialog asking you for the admin account password.  If you ever see this dialog pop up for no apparent reason it means something is trying to install itself w/o your permission and you can cancel to prevent it.

    • #32
  3. Blue State Blues Member
    Blue State Blues
    @BlueStateBlues

    Joseph Stanko:

    Blue State Blues: I’m running a firewall and several anti-malware programs, yet several times a year I still need to go on a manual search-and-destroy mission to get rid of some evil piece of rat-ware infesting one of my computers. I update Windows and my protective programs regularly, but it seems they are always a step behind the latest threats.

    One additional thing you can do to protect yourself is set up two accounts with different passwords:

    • an administrator account that you only use for installing new software
    • an account for day-to-day use that does not have admin rights

    In newer versions of Windows you don’t even need to switch accounts, when you try to do something that needs elevated privileges (like install or update software) it will pop up a special dialog asking you for the admin account password. If you ever see this dialog pop up for no apparent reason it means something is trying to install itself w/o your permission and you can cancel to prevent it.

    Actually, on this computer I use the administrator account for everything.  The user account was completely useless.  According to the permissions it should have had full write access to files, but it did not.

    • #33
  4. user_3444 Coolidge
    user_3444
    @JosephStanko

    Arahant: I have all my intended Internet devices connected through a thing called cables. However, some of my newer computers have wifi capabilities. I just checked. I am in range of four wifi networks. None of them are mine. So, even though I don’t have a wifi network, someone could still hack in if I get a device, such as that Internet toaster.

    I’m not sure this really protects you much.  A Chinese or Russian hacker doesn’t care if your devices are connected to the Internet via cables or wifi, in either case you are connected to a global network of millions of computers, any of which can potentially exploit a vulnerability in your devices.

    • #34
  5. user_3444 Coolidge
    user_3444
    @JosephStanko

    Blue State Blues: Actually, on this computer I use the administrator account for everything.  The user account was completely useless.  According to the permissions it should have had full write access to files, but it did not.

    Well my other recommendation would be to switch to a Unix-based system (such as Mac OSX or Linux) where the permissions are more straightforward and manageable.  :-)

    Still, I always run as a user account on my Windows boxes and haven’t seen an issue like that.  Which version of Windows are you running?

    • #35
  6. Blue State Blues Member
    Blue State Blues
    @BlueStateBlues

    Joseph Stanko:

    Still, I always run as a user account on my Windows boxes and haven’t seen an issue like that. Which version of Windows are you running?

    Windows 7 Professional, SP1.

    • #36
  7. Misthiocracy Member
    Misthiocracy
    @Misthiocracy

    david foster: One of the important potential benefits of IOT is the advance prediction of failure. For example, I recently had a basement sump pump fail. It would have been nice if low-cost sensors could have predicted the incipient failure, possibly via vibration analysis, temperature trends, etc.

    You wouldn’t need devices connected to the Internet to benefit from such a system, when a home server would be sufficient.

    The danger isn’t that devices are networked. The risk comes from what they are networked to.

    With just a little know-how, there’s little reason not to have a wee Pentium III server in a closet somewhere running lightweight Linux and open source networking software.

    • #37
  8. Misthiocracy Member
    Misthiocracy
    @Misthiocracy

    Blue State Blues:

    Don Tillman:

    Blue State Blues:

    I am not denying that there are advantages. But there are some things that are too critical and should be protected from Internet meddling.

    Exactly! Which is why I suggested in comment 18 that there will be a huge demand for an IoT Firewall product.

    Not talking about a firewall. There are some things that should not be connected to the Internet at all. For example, critical control systems in a nuclear power plant have no connection whatsoever to the Internet.

    Toasters are not nuclear plants.

    Well, mine isn’t…

    • #38
  9. skipsul Inactive
    skipsul
    @skipsul

    Joseph Stanko:

    Arahant: I have all my intended Internet devices connected through a thing called cables. However, some of my newer computers have wifi capabilities. I just checked. I am in range of four wifi networks. None of them are mine. So, even though I don’t have a wifi network, someone could still hack in if I get a device, such as that Internet toaster.

    I’m not sure this really protects you much. A Chinese or Russian hacker doesn’t care if your devices are connected to the Internet via cables or wifi, in either case you are connected to a global network of millions of computers, any of which can potentially exploit a vulnerability in your devices.

    It matters a great deal.  Wireless networks are orders of magnitude less secure than wired, as you cannot attack a network you cannot see.  Wireless networks theoretically allow an infinite amount of eavesdropping, wired networks are much much harder.

    Look up the term “wifi pineapple” just for starters.

    • #39
  10. Arahant Member
    Arahant
    @Arahant

    Misthiocracy: Toasters are not nuclear plants. Well, mine isn’t…

    Some of us have greater toasting needs than others. I prefer to toast an entire city at a time, rather than a mere few slices of bread.

    • #40
  11. Arahant Member
    Arahant
    @Arahant

    Joseph Stanko:

    Arahant: I have all my intended Internet devices connected through a thing called cables. However, some of my newer computers have wifi capabilities. I just checked. I am in range of four wifi networks. None of them are mine. So, even though I don’t have a wifi network, someone could still hack in if I get a device, such as that Internet toaster.

    I’m not sure this really protects you much. A Chinese or Russian hacker doesn’t care if your devices are connected to the Internet via cables or wifi, in either case you are connected to a global network of millions of computers, any of which can potentially exploit a vulnerability in your devices.

    Skip already replied to this pretty well. WiFi is definitely more vulnerable, even when well-secured. That doesn’t mean that hard-wired is not vulnerable, just that one is not going out of one’s way to be in harm’s way.

    • #41
  12. user_3444 Coolidge
    user_3444
    @JosephStanko

    skipsul:

    Wireless networks are orders of magnitude less secure than wired, as you cannot attack a network you cannot see. Wireless networks theoretically allow an infinite amount of eavesdropping, wired networks are much much harder.

    Look up the term “wifi pineapple” just for starters.

    It’s important to understand the threat model: what type of attacks and attackers are you trying to defend against?

    A wifi pineapple is a device for intercepting traffic at public wifi hotspots.  When someone tries to connect their phone or laptop to the free wifi at Starbucks, they might actually be connecting to a wifi pineapple in the backpack of the hacker sitting at the next table.  Definitely a threat to understand and take precautions against.

    The key point to understand, though, is that a wifi pineapple or similar device has to be in physical range of a wifi network.  If you have a home wifi network, potentially a neighbor or a hacker in a van parked outside could break in.

    However you are completely protected against the millions of potential hackers in China, Russia, North Korea, Nigeria, and so forth by the simple fact that they are way, way out of range.  A Russian hacker with a wifi pineapple has to first board an airplane, fly to your city, rent a car, and park in your driveway to use it to hack into your network.  It’s much more likely he’ll try an attack technique that works from his basement.

    • #42
  13. user_3444 Coolidge
    user_3444
    @JosephStanko

    skipsul: I asked my tech guy about how to secure Wifi, and his response was “you can’t.  Not really, unless you want to go through setting up a radius server and personally authorize every wireless device.  That takes a lot of time.  Otherwise, if you don’t need it, don’t do it.”

    I would tend to disagree with him there.  I have my home wifi network set up to use WPA (Wi-Fi Protected Access), which means I have to enter a rather long password on all of my devices the first time they connect to it.

    The older WEP protocol has known weaknesses and should be avoided.  You definitely should not set up an open wifi network that anyone can connect to without a password, that I agree is asking for trouble.

    Of course nothing is 100% secure.  If the NSA parked outside I suspect they could break into my network eventually — though frankly it would be a lot easier to just wait until I go to work, pick the old-fashioned (non-IoT) lock on my front door, sit down at my computer desk and hack in directly.

    • #43
  14. user_3444 Coolidge
    user_3444
    @JosephStanko

    Blue State Blues:

    Joseph Stanko:

    Still, I always run as a user account on my Windows boxes and haven’t seen an issue like that. Which version of Windows are you running?

    Windows 7 Professional, SP1.

    My old netbook has Win 7 Starter and I always run as a non-admin.  I took a quick look at the permissions and realized I nearly always save files to my user folders (e.g. “My Documents”), it would be very odd if a user did not have write access to their personal folders.

    I take it there are some other shared or system folders where you need write access?

    • #44
  15. user_3444 Coolidge
    user_3444
    @JosephStanko

    P.S. You are quite right to worry about wifi pineapples and similar devices, I don’t want to sound like I’m dismissing that concern.  Every time you connect to an open wifi hotspot at Starbucks, McDonald’s, or the airport there’s a serious risk that someone else there could eavesdrop on your network traffic.

    My point is that there’s a huge difference between a secure wifi network vs. an open, public wifi hotspot.  It may be true in theoretical sense that you cannot make anything 100% secure, but a properly secured wifi network is an order of magnitude harder to penetrate than an open, public network.  It’s like the difference between a house with bars on the windows and doors and a state-of-the-art home security system vs. leaving the front door wide open with a sign saying “welcome, please come in and help yourself!”

    • #45
  16. Blue State Blues Member
    Blue State Blues
    @BlueStateBlues

    Joseph Stanko:

    Blue State Blues:

    Joseph Stanko:

    Still, I always run as a user account on my Windows boxes and haven’t seen an issue like that. Which version of Windows are you running?

    Windows 7 Professional, SP1.

    My old netbook has Win 7 Starter and I always run as a non-admin. I took a quick look at the permissions and realized I nearly always save files to my user folders (e.g. “My Documents”), it would be very odd if a user did not have write access to their personal folders.

    I take it there are some other shared or system folders where you need write access?

    I couldn’t overwrite any files, anywhere, in any directory.  I would import songs to iTunes, and couldn’t edit the titles or any other information because it would have overwritten the files.  I could create files in Word or whatever but couldn’t edit them and save them again with the same filename.  The files were not “read-only” and the user permissions indicated full rights.  It was truly bizarre.

    Not only that, but after I set up the administrator account, all the apps that I installed under the user account could not be run from the admin account, and I had to install them all over again.

    • #46
  17. user_136364 Inactive
    user_136364
    @Damocles

    Joseph Stanko: P.S. You are quite right to worry about wifi pineapples and similar devices, I don’t want to sound like I’m dismissing that concern. Every time you connect to an open wifi hotspot at Starbucks, McDonald’s, or the airport there’s a serious risk that someone else there could eavesdrop on your network traffic.

    My point is that there’s a huge difference between a secure wifi network vs. an open, public wifi hotspot. It may be true in theoretical sense that you cannot make anything 100% secure, but a properly secured wifi network is an order of magnitude harder to penetrate than an open, public network. It’s like the difference between a house with bars on the windows and doors and a state-of-the-art home security system vs. leaving the front door wide open with a sign saying “welcome, please come in and help yourself!”

    Indeed.  I do all my computing inside a VPN (virtual private network).  Even on quite insecure networks I’m protected to the extent I trust my VPN provider.

    • #47
  18. skipsul Inactive
    skipsul
    @skipsul

    WPA is broken too. It takes longer to crack than WEP, 8-20 hours depending on key length.

    Sure you have to be in range to crack wifi, or you can crack someone else who is in range. In other words, my wifi security is somewhat limited by my neighbors’ security. That is a sobering thought, as available networks include “netgear” and “dlink”.

    • #48
  19. user_3444 Coolidge
    user_3444
    @JosephStanko

    skipsul: Sure you have to be in range to crack wifi, or you can crack someone else who is in range. In other words, my wifi security is somewhat limited by my neighbors’ security. That is a sobering thought, as available networks include “netgear” and “dlink”.

    Why would cracking your neighbor’s wifi help someone break into your devices?  Are your devices set up to connect to any available network?

    • #49
  20. user_3444 Coolidge
    user_3444
    @JosephStanko

    Damocles: I do all my computing inside a VPN (virtual private network).  Even on quite insecure networks I’m protected to the extent I trust my VPN provider.

    I’ve been looking at VPN providers lately, any you would recommend (or recommend avoiding)?

    • #50
  21. skipsul Inactive
    skipsul
    @skipsul

    Joseph, the exercise is this: suppose a neighbor’s network is compromised, or a device therein, like a laptop. Said laptop can then be set to scan for and attempt to crack the WPA security of other networks in range. It is no issue for a computer to join multiple networks simultaneously. Once on it can then engage in the usual traffic sniffing and such.

    • #51
  22. user_3444 Coolidge
    user_3444
    @JosephStanko

    skipsul: Joseph, the exercise is this: suppose a neighbor’s network is compromised, or a device therein, like a laptop. Said laptop can then be set to scan for and attempt to crack the WPA security of other networks in range. It is no issue for a computer to join multiple networks similtane

    Ok, fair point, that’s a possible attack vector.  I still think it’s more likely that hackers will simply try to find weaknesses in your router, firewall, or browser.

    I suppose it’s a matter of how much risk you’re willing to tolerate for the convenience.

    • #52
  23. Casey Inactive
    Casey
    @Casey

    So why would people want this? Regular people. I don’t really care about the security stuff. I’m just playing the odds there.

    But what is the big benefit? Slight efficiency improvements? I can check to see that my house is not burning or watch my grass grow?

    I’m having a hard time understanding the sales pitch here.

    • #53
  24. skipsul Inactive
    skipsul
    @skipsul

    Casey: So why would people want this? Regular people. I don’t really care about the security stuff. I’m just playing the odds there.

    But what is the big benefit? Slight efficiency improvements? I can check to see that my house is not burning or watch my grass grow?

    I’m having a hard time understanding the sales pitch here.

    You’re not the only one.  The old adage of “Just because you can do something, doesn’t mean you should do it” applies here in abundance.  But there are cool things you can do too.

    Drones – you can control drones over your home wifi, or over your cell link, just using a tablet or phone.  Sure there are range limitations, but the implementation is cheap and you’ve got built in video capture in your hand.

    Home entertainment.  Recently had to replace my home theater amp.  New one is all wired up.  I can use my tablet like a remote, and configure all of the speaker settings from the tablet too, instead of fiddling with the menus and knobs.  This amp can also stream music from my basement server (I ripped all of our CDs years ago, along with most of the kids’ movies).  It also can play from Pandora, Spotify, and a few others besides.  Oh, and if the kids have it too loud, I can shut it off and lock them out.

    • #54
  25. user_358258 Inactive
    user_358258
    @RandyWebster

    I don’t know how many of you listen to “Coffee and Markets.”  Francis Cianfrocca is a frequent guest.  His specialty is internet security.  They’ve discussed the IoT and its inherent security problems several times.

    • #55
  26. Gödel's Ghost Inactive
    Gödel's Ghost
    @GreatGhostofGodel

    Randy Webster: I don’t know how many of you listen to “Coffee and Markets.” Francis Cianfrocca is a frequent guest. His specialty is internet security. They’ve discussed the IoT and its inherent security problems several times.

    Podcasts provide the real solution: limiting bandwidth so much it’s not worth stealing. ;-)

    I’m kidding. But I do find it funny how many people seem to love consuming the lowest-bandwidth medium available on the internet: human speech.

    • #56
  27. user_136364 Inactive
    user_136364
    @Damocles

    Joseph Stanko:

    Damocles: I do all my computing inside a VPN (virtual private network). Even on quite insecure networks I’m protected to the extent I trust my VPN provider.

    I’ve been looking at VPN providers lately, any you would recommend (or recommend avoiding)?

    I get mine through my work (no secrets from my boss!), but Private Internet Access seems to be well thought of.  That’s who I would go through if I needed to get my own.

    • #57