The Internet Of Things Is a Security And Privacy Dumpster Fire And The Check Is About To Come Due
from the no-hyperbole-intended dept
If you’re a long-standing reader of Techdirt, you know we’ve well documented the shitshow that is the “internet of things.” It’s a sector where countless companies were so excited to develop, market and sell new “smart” appliances, they couldn’t be bothered to embrace even the most rudimentary security and privacy standards once these devices were brought online. The result is an endless stream of stories about refrigerators, TVs, thermostats or other “smart” devices that are busy hemorrhaging personal data, inadvertently advertising that sometimes the smart option — is actually the dumb one.
This systemic incompetence has now fused with a cultural disdain for more modern consumer privacy protections. The end result has been an obvious uptick in concern about how much data is now being collected by even childrens’ toys like Barbie dolls, something that last year’s Vtech hack illustrated isn’t just empty fear mongering. Convincing parents who already find technology alienating has proven to be difficult, as is attempting to craft intelligent regulation that protects kids’ playtime babbling from being aggressively monetized, without hindering emerging sector innovation and profits.
To that end, the Family Online Safety Institute and the Future of Privacy Forum held a presentation last week (you can find the full video here) where analysts and experts argued, among other things, that privacy policies need to be significantly simplified and modernized for an era where a child’s doll can profoundly impact the privacy of countless people. It has been, needless to say, an uphill climb.
And while this all is seen as kind of cute and theoretical when we’re talking about not-so-smart tea kettles or talking dolls, the amusement has worn off as the conversation has shifted to territory where incompetence or a clever hack can kill you (namely, automobiles). As Bruce Schneier notes over at Motherboard, this massive introduction of privacy flaws is a pretty big problem at scale, when appliances aren’t swapped out or updated often:
“As more things come under software control, they become vulnerable to all the attacks we’ve seen against computers. But because many of these things are both inexpensive and long-lasting, many of the patch and update systems that work with computers and smartphones won’t work. Right now, the only way to patch most home routers is to throw them away and buy new ones. And the security that comes from replacing your computer and phone every few years won’t work with your refrigerator and thermostat: on the average, you replace the former every 15 years, and the latter approximately never.”
And while mocking the internet of things has become a running joke, Schneier notes it quickly becomes less funny when you begin to realize that the interconnected nature of all of these devices means we’re introducing millions of new attack vectors daily in homes, businesses, utilities, and government agencies all over the world. Collectively these flaws will, no hyperbole intended, inevitably result in significant deaths:
“Systems are filled with externalities that affect other systems in unforeseen and potentially harmful ways. What might seem benign to the designers of a particular system becomes harmful when it?s combined with some other system. Vulnerabilities on one system cascade into other systems, and the result is a vulnerability that no one saw coming and no one bears responsibility for fixing. The Internet of Things will make exploitable vulnerabilities much more common. It?s simple mathematics. If 100 systems are all interacting with each other, that?s about 5,000 interactions and 5,000 potential vulnerabilities resulting from those interactions. If 300 systems are all interacting with each other, that?s 45,000 interactions. 1,000 systems: 12.5 million interactions. Most of them will be benign or uninteresting, but some of them will be very damaging.”
At that scale, the argument that you didn’t embed useful security because “it was only a refrigerator” or you didn’t impose some basic privacy protections and guidelines because “it might hurt an emerging sector’s ability to make more money” start to lose their luster. Schneier tries to argue that the only way we can truly mitigate the looming risk is the involvement of an informed public and an accountable government:
“Security engineers are working on technologies that can mitigate much of this risk, but many solutions won?t be deployed without government involvement. This is not something that the market can solve. Like data privacy, the risks and solutions are too technical for most people and organizations to understand; companies are motivated to hide the insecurity of their own systems from their customers, their users, and the public; the interconnections can make it impossible to connect data breaches with resultant harms; and the interests of the companies often don?t match the interests of the people.
Governments need to play a larger role: setting standards, policing compliance, and implementing solutions across companies and networks. And while the White House Cybersecurity National Action Plan says some of the right things, it doesn?t nearly go far enough, because so many of us are phobic of any government-led solution to anything.
The next president will probably be forced to deal with a large-scale internet disaster that kills multiple people. I hope he or she responds with both the recognition of what government can do that industry can?t, and the political will to make it happen.
This is of course the part of the story where the author is supposed to inform you that with good intentions and enough gumption, government, the public and industry will come together and quickly nip this problem in the bud. Of course this particular post’s readership is painfully aware that the same government Schneier hopes will come to the rescue is too busy trying to embed its own problematic backdoors in everything under the sun while a large portion of it rushes to gut the funding and authority of any regulator capable of imposing basic privacy and security protections.
Said readers are also probably painfully aware that neither looming major Presidential candidate has shown the remotest competence in regards to technology or genuine cyber-security. That means it’s more than likely these unfortunate outcomes Schneier predicts will need to arrive before we’re collectively even willing to begin to take serious steps to address them. At that point the only certain outcome is that all of the players involved will be sure to shirk their own personal responsibility for the security and privacy nightmare they helped build. Still, for whatever it winds up being worth, we can’t say we weren’t warned.
Filed Under: bruce schneier, internet of things, iot, privacy, security
Comments on “The Internet Of Things Is a Security And Privacy Dumpster Fire And The Check Is About To Come Due”
“The next president will probably be forced to deal with a large-scale internet disaster that kills multiple people. I hope he or she responds with both the recognition of what government can do that industry can’t, and the political will to make it happen.”
I’m sure President Trump will deal with it with a calm level head and certainly not declare war on China.
Re: Re:
Considering Hillary couldn’t care less about an ambassador and his staff I doubt she will care anymore about us peasants.
Re: Re: Re:
Anonymous Troll is stupid. Quelle surprise!
Re: Re:
Interestingly Donald Trump and Putin seem to get along whereas Putin seems to almost consider some of Obama’s actions an act of war. When questioned if Trump getting along with Putin may be considered a weakness and may signal to voters that he isn’t taking a tough enough approach with Russia Trump said that may be a good thing because we don’t need any more problems. Trump was also against the Iraq war. So perhaps the argument that Trump just wants to start wars everywhere might be a bit short sighted. Perhaps he wants to be discerning about how he chooses his battles. Choose his battles carefully but decisively, none of this wishy washy stuff.
and Trump isn’t saying he’s going to go to war with China. He’s saying he’s going to tax our imports from China because they tax our exports to China. I’m
not saying that’s a good thing but I think it’s important to properly discuss the actual issues and not the exaggerated hysteria.
Re: Re: Re:
Indeed, you may have a point there – he’s far more likely to sue them for tarnishing his spotless reputation.
Re: Re: Re: Re:
Yeah, Trump is off the deep end when it comes to his position on defamation reform.
Re: Re: Re:
The signal I get from Trump’s empathy toward Putin (and other strong-man “leaders”) is that Trump’s mentality is of the same sort.
Game recognize game.
Re: Re: Re: Re:
So can his alleged hostility toward China be that his mentality is not the same?
So if he wants to go to war with a country he’s hostile and just wants to start wars. If he doesn’t want to go to war with a country it’s because he has the same mentality as their leaders. Apparently he can’t win either way.
Re: Re: Re:2 Re:
I wasn’t talking about his ideas about war. I was talking about the sorts of leaders he expresses admiration for.
Re: Re: Re:3 Re:
I think there is a difference between finding common ground and expressing admiration for.
I’m not saying that I think Trump is a good candidate. Neither is Hillary. I’m just saying that we should be more specific about our criticisms instead of having these vague criticisms that because he found common ground with Putin that means he agrees with Putin on everything due to having the same mentality. I think that’s an overly broad statement.
Re: Re: Re:4 Re:
It looks to me like he’s expressing admiration more than just finding common ground. And not just for Putin, but for a number of strong-arm authoritarians.
People have already died
Civilians are already being used as beta testers and dying as a result; just look at Tesla’s autopilot. No, it wasn’t a security flaw, but much more serious. So to think anyone will get excited by refrigerator security is far fetched.
Personally I don’t want smart devices because their main use is going to be monitoring me and marketing to me. Now if they are smart in useful ways, I might be interested.
For now, if I have to get a smart device, I will not be hooking it up to the internet or any apps. I will use it like a dumb device.
Re: People have already died
I don’t really think it is fare to try and throw Tesla under the bus like that. For one thing, Tesla is open about autopilot being just what you said “beta”. It also is clear that autopilot is not fully “automated driving”.
Blaming autopilot for crashes is a lot like blaming your cruse control for speeding. They are both there to make things easier for you, but if you set your cruse control for 55 on the highway and don’t adjust when you reach a town, that is on you.
When a car is built that you don’t control and instead a computer fully drives it for you. That is when you can then point fingers at the computer. If your told before hand that your beta testing a driving system and you die, that is on you.
Re: Re: People have already died
and this is partly why I’m against the FDA telling me what medications I can and can’t take. Just because a medication or naturally occurring unadultrated herb with naturally occurring ingredients (ie: without the FDA attempting to regulate the ingredients and quantity of those ingredients within the herb. A good example is red yeast rice and lovastatin which has not been shown to be harmful and even if it can be harmful it’s my individual risk to take) isn’t proven to our FDA’s perhaps arbitrary standards doesn’t give them any right whatsoever to tell me I can’t even try it and that someone can’t sell it to me. They have no right. As long as everything about the potential treatment is communicated to me (the risks, the studies, what we know about it, what we don’t know about it) it is my risk to take. If I have side effects or if it’s not working I can always stop taking it or change my dosage on my own. That’s how medicine should work. The FDA shouldn’t try to regulate medicine on such an individual level because something doesn’t work on a mass clinical scale for everyone. That prevents medicine from being individualized and good medicine should be individualized because everyone is different. Everyone has different genetics, eats different foods, and is exposed to different environments. This one sized fits all standard the FDA tries to make all medicine fit into is not helping.
and really part of the reason the FDA regulates these herbs is because they can compete with pharmaceutical sales and the FDA, like the rest of the government, is all about forcing people to pay higher prices in the name of corporate profits. Sure the dietary supplement industry makes money as well but there is more competition there so there is less concentration of profits due to restricted competition.
Re: Re: People have already died
I am trowing Tesla under the bus. The car is only partly doing the driving and I doubt that Tesla is fully educating their buyers as to what the car will do and what they must do. Even worse, who is going to educate the second hand buyers? We are not ready yet to let people ignore the road while they play Pokemon thinking the car is going to do it all for them.
Re: People have already died
“No, it wasn’t a security flaw, but much more serious.”
Yes, it was — it was a human driver failing to actually drive.
That was exactly the same sort of thing that happened when cruise control was first introduced and there were idiots who thought that it meant they could stop being drivers.
Re: Re: People have already died
“Yes, it was — it was a human driver failing to actually drive.”
Blame the victim. Classic.
“That was exactly the same sort of thing that happened when cruise control was first introduced and there were idiots who thought that it meant they could stop being drivers.”
Yeah, I remember those old jokes. They were jokes, son, jokes.
Re: Re: Re: People have already died
Where am I blaming the victim? The guy was supposed to be driving the car, and failed to pay as much attention to doing that as was required. That’s placing the blame in the correct place.
Nobody ever claimed that the car could drive itself. In fact, Tesla specifically said otherwise — even going so far as to say so in a warning screen you had to acknowledge before using the feature.
“They were jokes, son, jokes”
The jokes were exaggerated versions of the effect (like the old tale about the guy driving an RV and getting out of the driver’s seat to make a sandwich or some nonsense).
But there were actual cases that were less egregious than the jokes, where people overestimated what cruise control could actually do and paid less attention to driving the car as a result.
Re: Re: Re:2 People have already died
Well, let’s just avoid the apparently questionable worth of the “joke” example and point at some users of GPS navigation.
I am hardly the world’s biggest Musk/Tesla fan, but i don’t see Tesla particularly to blame for that accident from what i’ve read.
Re: Re: Re:3 People have already died
“Some users” of paper maps as well?
Re: Re: Re:4 People have already died
If they drive off cliffs and stuff because the map was wrong.
Re: Re: Re:5 People have already died
“If they drive off cliffs and stuff because the map was wrong.”
Why only cliffs? I don’t see the distinction.
Re: Re: Re:6 People have already died
Oops, I missed the “and stuff” part of your reply. So, people who have to died due to navigational errors using paper maps (and there have been many) where “idiots” and presumably got what they deserved as a consequence. Gotcha.
Re: Re: Re:7 People have already died
i never use maps. i rely on intuition. if you let a map lead you astray then, yes, you deserve what you get.
Re: Re: Re: People have already died
“Blame the victim. Classic.”
The victim who was watching a DVD while zipping along at 90 MPH instead of noticing the broad side of an 18 wheeler? Yes, we’re blaming that dumbass. Maybe in the next life, he’ll keep both hands on the wheel and his eyes on the road.
Re: Re: Re:2 People have already died
“The victim who was watching a DVD while zipping along at 90 MPH instead of noticing the broad side of an 18 wheeler?”
Who would that have been? Because those aren’t the facts in the case being discussed. Link, please. Or are you just making crap up?
Re: Re: Re:3 People have already died
The NTSC found that he was speeding at the time of the crash. He was going 74, not 90.
http://www.bloomberg.com/news/articles/2016-07-26/florida-driver-in-fatal-tesla-crash-using-autopilot-was-speeding
The DVD thing is speculation. A portable DVD player was found in the car, leading to the speculation that he was watching it, but to the best of my knowledge there is no evidence indicating that it was actively being used at the time.
http://www.reuters.com/article/us-tesla-autopilot-dvd-idUSKCN0ZH5BW
However, the basic fact is that he was supposed to be actively driving the car and failed to notice and avoid a semitrailer in his path.
The only way I can see that the Tesla system could be considered at fault is if it steered him into the truck when he was trying to avoid it — but literally nobody is asserting that’s what happened.
Re: Re: Re:4 People have already died
“The NTSC found that he was speeding at the time of the crash. He was going 74, not 90.”
Then it sounds like some made up crap. The NTSC also said that it does not appear that his speed was a factor.
Tesla needs better trolls.
Re: Re: Re:5 People have already died
Are you accusing the NTSC of making stuff up? Based on what?
“The NTSC also said that it does not appear that his speed was a factor.”
That’s correct. He was speeding by 9 MPH. That was unlikely to be a big factor on the face of it.
Re: Re: Re:6 People have already died
Are you accusing the NTSC of making stuff up?
No, the person who said he was going 90.
Re: Re: Re:7 People have already died
Ah, sorry, I got confused!
IoT Means The Western Nations are Easy Targets
Bad State operators love the Internet of Things. With so much economic dependence on IoT, the United States and Western Nations are easy targets for those wishing to do harm.
Who needs a traceable EMP blast to wipe out infrastructure when you can just use a few lines of code to achieve far more devastation on a vastly higher scale.
I’d recommend not using electronic locks, not using any appliance type device connected to the internet but I’d be laughed at because so-called convenience takes priority or long term thinking, security mindfulness and privacy.
Re: IoT Means The Western Nations are Easy Targets
It’s actually freaked me out since before connected automobiles, the over-reliance on electronics and code. It sucks that eventually you will not be able to buy dumb cars, or TVs, or whatever. And it seems open architecture general-purpose computing could be dying also. Creepy.
Re: IoT Means The Western Nations are Easy Targets
What’s wrong with electronic locks?
Just because it’s electronic doesn’t mean it’s connected to a network, let alone the internet.
I have stand-alone electronic locks on 2 external doors. The PINs have to be coded individually on each lock, and the RFID tags need to be associated separately on each lock.
I won’t buy any IOT devices. I hear a better version with real security is in the works. Problem is, it’s not compatible with current stuff. Just throw all stuff you have away, and replace it with the NEW stuff in the future!!!
The security of these things are so weak. Baby Monitors that connect to the internet, the security is a joke!!! Door Locks, Camera’s, etc. All these things people can easily gain access to, to get into your house. Spy on what you’re doing, etc. No thanks!!!
Re: Re:
“Just throw all stuff you have away, and replace it with the NEW stuff in the future!!!”
Yeah, ain’t it beautiful?
Re: Re:
I have some security cameras at home.
I can access them from the internet.
First, I have to establish a VPN between my remote device (laptop/phone/computer) with my router, using both a certificate and a (16-character) password. Once I have established this VPN, upon access the DVR that the cameras are connected to, requires another authentication step, a username-password pair, whcih can only be accepted coming via the VPN tunnel.
Now while anything connected to the internet has a level of security vulnerability, this is pretty secure.
Perhaps the issues you have are to do with products that require connection to services that are outside your control?
Re: Re: Re:
I have some security cameras at home.
I can access them from the internet.
Well, we’re just talking about your cameras. The internet does not revolve around you. We’re talking about IoT in general.
Re: Re: Re:
Yeah i wouldn’t really call that IoT, although you could technically, maybe, they aren’t necessarily a part of the same “innovation” culture.
Although all those cams with the ActiveX controls are still pretty hilarious.
“…And the security that comes from replacing your computer and phone every few years won’t work with your refrigerator and thermostat: on the average, you replace the former every 15 years, and the latter approximately never.”
Love Bruce. I do.
Um. Yeah. The whole point is that you are now going to have to buy a new refrigerator on a mobile phone cycle or too bad, no updates. All that hinky advertising is to get you to buy things. A refrigerator company is not in the business of keeping you safe, it is in the business of selling you refrigerators. Just as a software company isn’t in the business of keeping you safe, they’re in the business of selling software. Period.
Why don’t we all just be honest with ourselves and just update the standards to state everyone is required to buy everything all over again every year.
Re: Re:
I can see it now:
“Samsung has detected that you have placed unlicensed food items in your refrigerator – would you like us to place an Amazon Prime order for DRM-approved produce, or would you like to purchase the Farm-to-Table expansion that allows you to keep non-RFID tagged foodstuffs?”
Sounds like we need a systems engineer to step up and dictate how everything will be allowed to interconnect with IoT.
Too bad the government has caused so much mistrust of itself.
Re: Re:
A good starting point would be to get rid of dependencies on third party servers, and control device via a home server. The home network could be segmented, like provide a home only WiFi network, accessible to the control server, but not directly over the Internet. That way, only one server needs to be secured if external control of the home is required.
A WiFi network with no direct connection to the public Internet, but only via the Control server, would greatly reduce security risks. It would also eliminate dependencies on servers that could be switched off, and improve privacy by eliminating data harvesting.
The Idea that every intelligent device in a house connects to the public Internet pose huge security risks, as well as risks of device being bricked whenever their manufacturers decide to end of life a product.
Re: Re: Re:
I have a firewall. It restricts both inbound AND outbound connections. My smart devices can play amongst themselves in my home, but if they want to talk outside it…. they must sit up and beg to their master.
Mind you i’m a security engineer…so the router has ACL’s the FW has ACL’s and the managed switch…has ACL’s. Yes its a pain to manage but it’s my responsibility to be informed and manage crap I buy. When you abdicate your responsibility you get what you paid for.
The average morons mileage will vary, and yes the manufacturers are abysmal at actually providing what their crud tries to do in an easily parsed form.
As for the driving car examples…. mechanical handbrake & if you take your eye’s off the road and your hands of the wheel….you get what you deserve.
Re: Re: Re: Re:
Keep your eyes on the road, your hands upon the wheel.
Keep your eyes on the road, your hands upon the wheel.
The future’s uncertain and the end is always near.
Easy fix
Companies get away with this in large part because they hide behind compelled contracts that say the customer “agrees” that nothing is ever the company’s fault, even when the company knew about it in advance and did nothing. Change the law such that, going forward, such one-sided contracts are illegal and the company is held to account for a minimal level of support, regardless of what the contact says the customer agreed. We already have that with product recall laws. Car companies have not found a way to “agree” away their responsibility to recall defective air bags, brakes, etc., so when they sell defective products, they later incur the cost of correcting the mistake. Set the “smart device” liability at the right level (some tuning may be required) and you get the same result: companies can do the job right the first time, or they can incur the expense of doing it right the second time.
Re: Easy fix
Care must also be taken to ensure that companies aren’t so afraid of the potential liability that they stop offering such goods and services altogether.
Re: Re: Easy fix
Mostly the culture of not being able to get away with ultra-cheap development and production needs to be changed. If everyone is playing on the same field, the forces of innovation will roll right on ahead. If they can’t, their service is probably so shoddy, pointless, and possibly dangerous that it really is better if it doesn’t make it to market. Businesses get away with externalizing far too many costs. It’s just not their problem, whether it’s awful IoT-ness, leaded gasoline, asbestos, pollution and environmental destruction, using limited resources for discardable items, or hiding from taxes that would pay to upkeep the infrastructure that allows them to do what they do in the first place. Sure, it can suck trying to fight the incumbent system as a startup, but that’s why there should be incentives to small businesses rather than giant breaks for megacorporations. But if all you are going to do is start up and then sell out, well, you’re kind of part of the problem.
Overly onerous, pointless, and ridiculous rules are always stupid. I think most people would like to avoid those. Which is why we should stop legislating and acting on belief, and be a bit more evidence-based culturally.
IoT
IdIoT ends in “IoT”.
“The next president will probably be forced to deal with a large-scale internet disaster that kills multiple people.”
Multiple people, eh? Well, ordinary people should be OK then, but the Three Faces of Eves types will be in serious danger….