Tuesday, September 12, 2017

The Internet of Things is Haunted by Demons

This is just a quick note to get you to read Cory Doctorow's Demon-Haunted World. We all know that the Internet of Things is infested with bugs that cannot be exterminated. That's not what Doctorow is writing about. He is focused on the non-bug software in the Things that makes them do what their manufacturer wants, not what the customer who believes they own the Thing wants.

In particular Doctorow looks at examples such as Dieselgate in which the manufacturer wants to lie to the world about what the Thing does:
All these forms of cheating treat the owner of the device as an enemy of the company that made or sold it, to be thwarted, tricked, or forced into conducting their affairs in the best interest of the company’s shareholders. To do this, they run programs and processes that attempt to hide themselves and their nature from their owners, and proxies for their owners (like reviewers and researchers).

Increasingly, cheating devices behave differently depending on who is looking at them. When they believe themselves to be under close scrutiny, their behavior reverts to a more respectable, less egregious standard.
Doctorow's piece provides many examples, but a week later he provides another, seemingly benign example. Tesla provided some of their cars with an over-the-air temporary range upgrade to help their owners escape Hurricane Irma. They could do this because:
Tesla sells both 60kWh and 75kWh versions of its Model S and Model X cars; but these cars have identical batteries -- the 60kWh version runs software that simply misreports the capacity of the battery to the charging apparatus and the car's owner.
And it would be a crime to upgrade yourself to use the battery you bought:
[Tesla] has to rely on the Computer Fraud and Abuse Act (1986), which felonizes violating terms of service. It has to rely on Section 1201 of the DMCA, which provides prison sentences of 5 years for first offenders who bypass locks on the devices they own.
It is easy to see that the capability Tesla used could be used for other things:
The implications of this are grim. A repo depot could brick your car over the air (and it would be a felony to write code to unbrick it). Worse, hackers who can successfully impersonate Tesla, Inc. to your car will have the run of the device: it is designed to allow remote parties to override the person behind the wheel, and contains active countermeasures to prevent you from reasserting control.
Doctorow concludes:
The software in gadgets makes it very tempting indeed to fill them with pernicious demons, but these laws criminalize trying to exorcise those demons.

There’s some movement on this. A suit brought by the ACLU attempts to carve some legal exemptions for researchers out of the Computer Fraud and Abuse Act. Another suit brought by the Electronic Frontier Foundation seeks to invalidate Section 1201 of the Digital Millennium Copyright Act.

Getting rid of these laws is the first step towards restoring the order in which things you own treat you as their master, but it’s just the start. There must be anti-trust enforcement with the death penalty – corporate dissolution – for companies that are caught cheating. When the risk of getting caught is low, then increasing penalties are the best hedge against bad action. The alternative is toasters that won’t accept third-party bread and dishwashers that won’t wash unauthorized dishes.
Just go read both of his pieces.


  1. Today's example of the demons in the Things is HP's surreptitious re-deployment of their lock-in that ensures their printers won't use non-HP cartridges.

  2. There's a flaw in Amazon Key that's common to many WiFi-connected Things in the Internet:

    "if you flood the camera off the wireless network with deauthorization packets – and an attacker doesn't need to know your Wi-Fi password to do this – it effectively freezes the equipment and prevents the door from being locked."

    So Amazon's delivery driver can get back into the house unseen and steal stuff without being seen on video.

  3. What could possibly go wrong?:

    "One of Amazon's top-selling electronic gun safes contains a critical vulnerability that allows it to be opened by virtually anyone, even when they don't know the password."

  4. "[Nicole] Eagan gave one memorable anecdote about a case Darktrace worked on in which a casino was hacked via a thermometer in an aquarium in the lobby.

    "The attackers used that to get a foothold in the network," she said. "They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud."

    From Oscar Williams-Grut at Business Insider.