back to article F-Secure's Mikko Hypponen on IoT: If it uses electricity, it will go online

Mikko Hypponen, chief research officer at Finnish security company F-Secure, spoke to The Reg at the launch of Sense, a consumer firewall device that aims to "secure your connected things". Hypponen says IoT is unavoidable. "If it uses electricity, it will become a computer. If it uses electricity, it will be online. In future …

Page:

  1. Anonymous Coward
    Anonymous Coward

    They lock down everything and you will not be able to program it.

    I don't see that going down well with developers and hobbyists.

    1. John Riddoch

      Re: They lock down everything and you will not be able to program it.

      Correct, but an end user who only cares about email, browsing the web and watching some videos will be happy their files aren't getting encrypted by ransomware and their online banking credentials stolen. Meanwhile, the hobbyists & developers will avoid those devices and stick with full blown Windows, Linux or Macs.

      1. Prst. V.Jeltz Silver badge

        Re: They lock down everything and you will not be able to program it.

        these still have apps , therefore they are still vulnerable to ransomware.

        A lot less vulnerable i guess , but still vulnerable

      2. Orv Silver badge

        Re: They lock down everything and you will not be able to program it.

        I think Chromebooks are a good example of this model, actually. They can't be programmed by the average end user. There's a "developer mode" that allows programming, but getting into it requires some specific steps (well documented) and a data wipe, and it warns you each time you boot that you're in an insecure developer mode. So hobbyists still have the ability to tinker, but end users can't be easily tricked into unlocking their devices for malware.

  2. Missing Semicolon Silver badge
    Unhappy

    Freedome will be illegal in the UK

    Freedome is a simple defeat of the metadata logging already in place in the UK.

    As such, it contravenes the Snoopers Charter.

    1. Dan 55 Silver badge

      Re: Freedome will be illegal in the UK

      VPNs will be classed as a communications provider and have to cough up data in near realtime, like everyone else.

      1. Charles 9

        Re: Freedome will be illegal in the UK

        Even if they're based OUTSIDE the UK? How will they get past sovereign immunity?

        1. Anonymous Coward
          Anonymous Coward

          Re: Freedome will be illegal in the UK

          One possibility is blocking the VPN server IP addresses at the ISP's for any that don't play well with law enforcement. The way around that is a personal VPS providing your own VPN service. I'm seriously consiering that in replacement for my VPN and "Cloud Storage" currently provided by other companies. Even work out a bit cheaper here.

        2. Dan 55 Silver badge

          Re: Freedome will be illegal in the UK

          DNS block, IP block, DPI...

    2. Paul Crawford Silver badge

      Re: Freedome will be illegal in the UK

      Come now, the snooper's charter was only ever about catching the dumb and technically ignorant out there. Admittedly, that is most people.

      As for trying to crack down on VPN services that would end up as another pointless whack-a-mole game and seriously piss of business users. Of course the gov often dances to the red-top paper's stupid suggestions so there is a fair chance they would try, but again I suspect the real experts know your biggest risk are the local muppets who can buy knifes and rent a van, as we have seen recently.

  3. Anonymous Coward
    Facepalm

    "We can't avoid the IoT revolution by refusing to play part."

    Ohhhhh... yes we can !

    Because some people actually value their privacy...

    1. hplasm
      FAIL

      Re: "We can't avoid the IoT revolution by refusing to play part."

      Er, my router, my firewall rules...

      1. big_D Silver badge

        Re: "We can't avoid the IoT revolution by refusing to play part."

        Except that he is saying that in the future such devices won't use your network. Presumably they will have some sort of wireless radio for 2g/3g/4g/5g data, with eSIM and monthly costs...

        The only hope is not paying the monthly payments or somehow deaktivating the chip - and hoping that a lack of signal doesn't brick the device...

        My other half won't let anything IoT in the house (useless toys) and won't let anything (other than telephone or laptop) into the house with a microphone.

        1. Dan 55 Silver badge

          Re: "We can't avoid the IoT revolution by refusing to play part."

          Good luck with that. I can imagine that in five years max high end TVs which come with a microphone either in the TV or the remote will trickle down to all models.

          And it's difficult to tell before you buy because manufacturers don't make it clear it's got a microphone, they just say it does whatever their fantastic speech recognition thing is called, and that might cover an an app on a mobile paired with the TV too.

          1. Flywheel

            Re: "We can't avoid the IoT revolution by refusing to play part."

            I can imagine that in five years max high end TVs which come with a microphone either in the TV or the remote will trickle down to all models

            I agree, and I believe for that reason, (although not exclusively) a Neo-Luddite subculture will pop up everywhere, de-smarting your devices for a fee. I can also predict that there'll be some sort of alternative Tor-alike Internet connected via Mesh devices.

            1. Orv Silver badge

              Re: "We can't avoid the IoT revolution by refusing to play part."

              The best current analogy to this I can think of is On*Star in GM cars. And while there are people who disconnect the On*Star module, it's not a particularly common practice. In many cars it also triggers a check engine light, which is an automatic emissions test fail in some places, so it's more complicated than just cutting a wire.

        2. Anonymous Coward
          Anonymous Coward

          Re: "We can't avoid the IoT revolution by refusing to play part."

          " [...] and won't let anything (other than telephone or laptop) into the house with a microphone."

          Don't forget that any device with a speaker is potentially also a microphone.

        3. Anonymous Coward
          Anonymous Coward

          Re: "We can't avoid the IoT revolution by refusing to play part."

          @big-D,

          It is amazing what a pair of side cutters and a sharp pointed scriber can do to help personal security.

          1. Charles 9

            Re: "We can't avoid the IoT revolution by refusing to play part."

            "It is amazing what a pair of side cutters and a sharp pointed scriber can do to help personal security."

            It'll quickly become the most common way to brick your appliance AND void the warranty (on account of tampering).

        4. Charles 9

          Re: "We can't avoid the IoT revolution by refusing to play part."

          "My other half won't let anything IoT in the house (useless toys) and won't let anything (other than telephone or laptop) into the house with a microphone."

          So what happens when the inevitable happens and you need a new fridge and ALL of them are IoT-FORCED that brick if you disable or cage them?

          1. Richard Plinston

            Re: "We can't avoid the IoT revolution by refusing to play part."

            > So what happens when the inevitable happens and you need a new fridge and ALL of them are IoT-FORCED that brick if you disable or cage them?

            I'll buy a different brand.

        5. IsJustabloke
          Trollface

          Re: "We can't avoid the IoT revolution by refusing to play part."

          "The only hope is not paying the monthly payments or somehow deaktivating the chip - and hoping that a lack of signal doesn't brick the device..."

          Yes... that's the way it'll work...

        6. rnturn

          Re: "We can't avoid the IoT revolution by refusing to play part."

          Since we already refuse to pay a subscription for cable TV, it's not a big change in attitude for us refuse to buy products that come with a monthly subscription fee to use them. I'll find another way to make a couple of slices of bread crispy if it comes to the point that commercially available toasters need to phone home on my dime.

          1. TheVogon

            Re: "We can't avoid the IoT revolution by refusing to play part."

            "I'll find another way to make a couple of slices of bread crispy if it comes to the point that commercially available toasters need to phone home on my dime."

            It's coming. See https://m.youtube.com/watch?v=LRq_SAuQDec

      2. Charles 9

        Re: "We can't avoid the IoT revolution by refusing to play part."

        "Er, my router, my firewall rules..."

        BZZT! Their network chips, their rules, and they trump you because they're up the chain. And since it's a cartel up there, with plenty of network technologies covered by patents (and they're genuine hardware-based patents), good luck trying to roll your own network chips from scratch to get around them.

        1. Richard Plinston

          Re: "We can't avoid the IoT revolution by refusing to play part."

          > with plenty of network technologies covered by patents (and they're genuine hardware-based patents),

          Patents are intended to _stop_ other companies from competing. If one company holds a patent then no other company can use that mechanism without buying a licence and paying a royalty. You cannot force a company to use a patented mechanism.

          > good luck trying to roll your own network chips from scratch to get around them.

          If there is a market for devices that do not use those patented mechanisms then someone will build them, or import them from India.

    2. Anonymous Coward
      Anonymous Coward

      Re: "We can't avoid the IoT revolution by refusing to play part."

      "Since you can't secure the devices with software then you have to secure them from the network. I don't see any other way of doing it."

      I can: just don't connect them to the network. That will work for now.

      Unfortunately, you can already buy a complete system for under $10 which includes a 2G GSM modem:

      http://www.orangepi.org/OrangePi2GIOT/

      https://www.aliexpress.com/store/product/Orange-Pi-2G-IOT-ARM-Cortex-A5-32bit-Support-ubuntu-linux-and-android-mini-PC-Beyond/1553371_32802458477.html

      (and just for fun, it has an onboard microphone too. Not just a microphone input, an actual microphone)

      If your fridge comes with one of these, there's not much you can do, other than opening it up and chopping wires or taking out the SIM. F-Secure's firewall box will make no difference unless it comes with a mobile jammer.

      Of course, your home *network* is not at risk, but your *home* is - e.g. from people being able to work out from fridge door opening info whether you are on holiday and therefore safe to be burgled.

    3. Lars Silver badge
      Happy

      Re: "We can't avoid the IoT revolution by refusing to play part."

      What he wants to say, I think, is that we cannot deal with a problem by ignoring it.

    4. Mark 65

      Re: "We can't avoid the IoT revolution by refusing to play part."

      I don't understand his statement of

      <quote>

      Hypponen says IoT is unavoidable. "If it uses electricity, it will become a computer. If it uses electricity, it will be online. In future, you will only buy IoT appliances, whether you like it or not, whether you know it or not.

      </quote>

      It either needs a connection, i.e. through my router which I will not allow, or it comes with its own communication method such as 3G/4G etc in which case his software is pointless. Either way no sale.

    5. Anonymous Coward
      Anonymous Coward

      Re: "We can't avoid the IoT revolution by refusing to play part."

      According to CCFKAC*, isn't that for "The Market" to decide (mythical as it may be)?

      Or is the New Credo now that "The Market" := What The Corp.s deign to supply and the Buyer has to buy?

      * the Current Credo Formerly Known As Capitalism

  4. israel_hands

    Mixed bag of bullshit by the sound of it.

    Not sure how "future-IoT" devices are going to be net-connected without going through the owner's home network so that part makes no sense. Is a cheap toaster going to come with an embedded satellite phone and airtime contract so it can talk to base? The fact he's hawking a product that categorically can't work against these phantom connected toasters (according to his own logic) makes even less sense.

    Also, the security of locked-down systems is far from perfect and I'm not holding my breath that MS will be able to do it properly. Most likely the'll succeed in crippling the ability for users to administrate their device properly while leaving enough security holes for priviledge escalation that an attacker can gain complete control.

    1. The Mole

      That's easy. A software 'sim card' connecting to a 5g network. 5G has some stuff designed in for IOT, presumably those sims would be locked to only talking to a specific set of servers and the devices only send small relatively infrequent messages and so the manufacturer just buys 'bundle' of messages to support the number of devices they have. In bulk this will just be a few pennies per year per device.

      1. Charles 9

        Nothing new. Recall the original Amazon Kindle and its "Whispernet" which ran on top of the AT&T Wireless network? Same idea here. If it can reach the air, it can connect whether you like it or not, and you can bet these devices will brick if you try to Cage them or destroy their chips and/or antennae. And if ALL the manufacturers are doing it, you'll be left with a Hobson's Choice: either bend over or start living backwoods-style cooking with an open flame and storing cold stuff with a self-built icebox.

        1. israel_hands

          It'll never happen. I get fuck-all mobile reception at home because of the local geography, plenty of people are in areas of poor/no coverage and sometimes networks are unavailable.

          One or two companies may make devices that auto-brick if they can't connect but the level of backlash they'd receive would mean everyone else steps away from that particular model.

          Additionally, there will be loads of companies that don't want to add a 5G + SIM + allowance into whatever tat they're peddling.

          I can't see this working in practice, although plenty of gullible twats will buy such devices, just not enough for it to mean everything with a plug gets all this crap bundled with it.

          1. Charles 9

            Whispernets are more tolerant. If you can do SMS, a whispernet should be fine. 5G low-bandwidth can use lower frequencies for greater range.

            The companies will act in cartel with the government's support. Any that try to break rank won't last long as that data represents repeat business, and there's no business like repeat business. Especially when the costs to add drops rapidly toward nil.

        2. Richard Plinston

          > And if ALL the manufacturers are doing it, ...

          ... then some business will start making stuff without it specifically for the market segment that wants low-tech.

          1. Scoured Frisbee

            The automotive market appears to disagree with your optimism.

            1. Richard Plinston

              > The automotive market appears to disagree with your optimism.

              I am not sure what you are thinking of. I can buy new cars that do not have 'connectivity', do not 'call home', do not have GPS even. I don't know of any car that limits what petrol it can use, nor where it is allowed to go.

              John Deere did produce tractors which could only be serviced by their agents, but there is a lot of push back on that, through the courts even.

          2. Mark 65

            If all manufacturers are doing it then a new one will appear that doesn't do it, provided that is what the customer base wants (rather than a few individuals). That is just basic economics. Don't even think that a major player wouldn't break ranks if it meant it could steal market share.

            1. Charles 9

              Without the cartel smothering them? One with the government's blessing? Don't be so sure.

    2. Flywheel

      Not sure how "future-IoT" devices are going to be net-connected without going through the owner's home network

      They'll use something like this:

      https://www.silverspringnet.com/solutions/smart-cities/smart-cities-street-lights/

      I can imagine cash-strapped Councils climbing over each other to get these installed for a small fee and a chance to monitor their council tax payers.

    3. Anonymous Coward
      Anonymous Coward

      "Not sure how "future-IoT" devices are going to be net-connected"

      Low-Power Wide-Area Network (LPWAN)

      See also: LoRaWAN

  5. Anonymous Coward
    Anonymous Coward

    Save me from the evil "Things"!

    It sounds to me like anti virus vendors have figured out Snake oil v2.0.

    1. Anonymous Coward
      Anonymous Coward

      Re: Save me from the evil "Things"!

      Right - protect from IoT buying another, cloud based IoT device??? Just slam a proper firewall in front of your router accepting outbound connections only from approved devices...

      1. Charles 9

        Re: Save me from the evil "Things"!

        Whispernets. Direct, unblockable connection. Try to cage them and they'll brick.

        1. Mark 65

          Re: Save me from the evil "Things"!

          Whispernets. Direct, unblockable connection. Try to cage them and they'll brick.

          Breach of Christ knows how many sales and consumer goods acts anywhere outside the US. Fit for purpose etc. Ain't gonna happen.

          1. Charles 9

            Re: Save me from the evil "Things"!

            Governments feel restrained. Even Germany wants in. Don't expect those Acts to stay up for long.

  6. AMBxx Silver badge
    Flame

    Fire risk?

    If I have to wrap my toaster in tin foil to stop it spying on me, is that a fire risk?

    1. Charles 9

      Re: Fire risk?

      Probably. Also probably give it a valid reason for bricking.

      1. Anonymous Coward
        Anonymous Coward

        Re: Fire risk?

        If appliances brick themselves when there's no cellphone signal, a lot of people who live in reception dead-spots are going to have serious problems.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like