Government regulation of the Internet of Things will become inevitable as connected kit in arenas as varied as healthcare and power distribution becomes more commonplace, ... “Governments are going to get involved regardless because the risks are too great. When people start dying and property starts getting destroyed, governments are going to have to do something,” ... The trouble is we don’t yet have a good regulatory structure that might be applied to the IoT. Policy makers don’t understand technology and technologists don’t understand policy. ... “Integrity and availability are worse than confidentiality threats, especially for connected cars. Ransomware in the CPUs of cars is gonna happen in two to three years,” ... technologists and developers ought to design IoT components so they worked even when they were offline and failed in a safe mode.

Not to mention the problem that the DMCA places researchers who find vulnerabilities in the IoT at risk of legal sanctions, despite the recent rule change. So much for the beneficial effects of government regulation.
This post will take over from Gadarene swine as a place to collect the horrors of the IoT. Below the fold a list of some of the IoT lowlights in the 17 weeks since then.
Schneier pointed to cars as vulnerable, and indeed both the Nissan Leaf:
when Nissan put together the companion app for its Leaf electric vehicle—the app will turn the climate control on or off—it decided not to bother requiring any kind of authentication. When a Leaf owner connects to their car via a smartphone, the only information that Nissan's APIs use to target the car is its VIN—the requests are all anonymous.

and the Mitsubishi Outlander:

the Outlander uses wifi to connect the car directly with a smartphone, which is less secure and allowed Munro to disable the alarm and then open the car. Describing the hack methodology and solutions, Munro speculates that the car’s insecure software system was probably a result of cost-cutting by Mitsubishi. “I assume that it’s been designed like this to be much cheaper for Mitsubishi than [the more secure] GSM/web service/mobile app based solution,”

failed to include any security at all in their connected car systems. In both cases the researchers had to go public before the company admitted that they had a problem. This is not a good strategy:
Only one in four respondents to the survey could remember an incidence of car hacking occurring in the last year. That’s a dramatic drop from just a few months earlier, when a survey by the same firm performed just days after WIRED’s car hacking exposé in July found that 72 percent of ... consumers—were aware of the Jeep hack when asked about it specifically.

"Only" a quarter of car buyers remembered that Jeeps were hackable a year later. It'd take a lot of advertising dollars to be that effective. Among the authors commenting on the risks of connected cars were Jean-Louis Gassée, Jonathan Gitlin and Josh Corman at the Building IoT conference:

Corman zeroed in on our increasingly connected cars and medical devices as key targets. The consequences of mass compromising of connected vehicles, for example, would be confidence in vehicle manufacturers, transport infrastructure and knock-on effects at the GDP level.

Speaking of medical devices, Cory Doctorow at BoingBoing reported on a paper in World Neurosurgery that discusses the dystopian security issues posed by brain implants. He also reported that Automated drug cabinets have 1400+ critical vulns that will never be patched.
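The Leaf story above is a textbook missing-authorization bug: the request identifies the car (by VIN) but never identifies the caller. The following toy API is an added example, not Nissan's code and not part of the original post; every VIN, account and session token in it is constructed, and the handler shape is assumed for illustration. It places the VIN-only design beside a version that authenticates the caller and then checks that the VIN belongs to that caller.

```python
from typing import Optional

# Vehicle state keyed by VIN (constructed sample data).
VEHICLES = {"VIN-LEAF-0001": {"climate": "off"},
            "VIN-LEAF-0002": {"climate": "off"}}
# Owner accounts and the VINs each is allowed to control (constructed).
ACCOUNTS = {"alice": {"VIN-LEAF-0001"}, "bob": {"VIN-LEAF-0002"}}
# Session tokens issued after login (constructed; real ones would be random).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def climate_unauthenticated(vin: str, state: str) -> dict:
    """Leaf-style flaw: the VIN is the only thing the request carries,
    so anyone who knows (or enumerates) a VIN can drive that car's API."""
    car = VEHICLES.get(vin)
    if car is None:
        return {"status": 404}
    car["climate"] = state
    return {"status": 200, "vin": vin, "climate": state}


def climate_hardened(token: Optional[str], vin: str, state: str) -> dict:
    """Authenticate the caller first, then enforce object-level
    authorization: the requested VIN must belong to that account."""
    account = SESSIONS.get(token) if token else None
    if account is None:
        return {"status": 401}   # no valid session: refuse outright
    if vin not in ACCOUNTS[account]:
        return {"status": 404}   # not this caller's car; don't confirm it exists
    VEHICLES[vin]["climate"] = state
    return {"status": 200, "vin": vin, "climate": state}


def attacker_scenario() -> dict:
    """Someone who knows bob's VIN but holds no session, or only alice's
    session, tries to switch on bob's climate control via both handlers."""
    return {
        "flawed": climate_unauthenticated("VIN-LEAF-0002", "on")["status"],
        "no_token": climate_hardened(None, "VIN-LEAF-0002", "on")["status"],
        "wrong_owner": climate_hardened("tok-alice", "VIN-LEAF-0002", "on")["status"],
        "owner": climate_hardened("tok-bob", "VIN-LEAF-0002", "on")["status"],
    }
```

The flawed handler returns 200 for the stranger; the hardened one returns 401 without a session and 404 for another owner's VIN, succeeding only for the real owner.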
Connected homes were equally problematic. Thermostats:
More than 30 users of Hive, which is owned by British Gas, have complained their heating has been turned up to the maximum level by the iPhone app without their instruction, the Daily Mail reports.

lightbulbs:

Matthew Garrett "bought some awful light bulbs so you don't have to." And you really, really shouldn't buy the iRainbow light bulb set: the controller box runs all sorts of insecure services, including an open WiFi hotspot that lets anyone into your home network.

thermostats:

Nest in fact pushed out a buggy software update for its Learning Thermostat in January 2016 that led to some of the devices not maintaining temperature.

home automation hubs:

The extraordinary decision of Nest to brick its $300 Revolv home automation hub has served as a wake-up call to the tech industry. Both customers and the broader internet of things (IoT) industry were appalled when Nest removed all support for the device, making it as useful as a tub of hummus, as one angry consumer memorably noted. The result has been a series of articles, blog posts and public discussions over how to ensure that the next generation of internet and smart-home products continue to work in an open environment and are not locked down to specific companies.

entire home automation systems such as Samsung's SmartThings ecosystem - two separate vulnerabilities discovered by researchers at U. Mich provide the bad guys capabilities such as:

unlock doors, modify home access codes, create false smoke detector alarms, or put security and automation devices into vacation mode.

security cameras:

The IP cameras that you bought to secure your physical space suddenly turn into a vast cloud network designed to share your pictures and videos far and wide. The best part? It’s all plug-and-play, no configuration necessary!

and of course the home routers without which they wouldn't function:

the US Federal Trade Commission settled charges that alleged the hardware manufacturer failed to protect consumers as required by federal law. The settlement resolves a complaint that said the 2014 mass compromise was the result of vulnerabilities that allowed attackers to remotely log in to routers and, depending on user configurations, change security settings or access files stored on connected devices.

all featured in the roll of dishonor. Were their manufacturers grateful for the help security researchers gave them in making their products less insecure? In some cases yes, in others they responded by hurling legal threats at the researchers.