Internet of So Much Stuff: Don't wanna be a security id-IoT

Michael Dell, chairman and CEO of Dell Technologies, last month announced a $1bn investment in IoT R&D over the next three years. What does $1bn buy you in IoT? A new IoT division, to be run by VMware’s CTO Ray O'Farrell, a bunch of new IoT-focussed projects including Project Iris - an under wraps RSA security development - …

  1. steelpillow Silver badge

    (And now for) something completely different?

    "IoT is something completely different and therefore requires different thinking when it comes to security." — really?

    A client device is just an "idiot savant" T with another idiot (possibly also savant) mucking around with its input devices. Strip away the second idiot and what has really changed?

    1. Warm Braw

      Re: (And now for) something completely different?

      There are some differences, but they're not differences in technology. They're things like:-

      Scale and reach: if you can potentially turn off the electricity of millions of people or spy on the most basic details of their lives;

      Retail model: consumers who have bought things expect them to work without further intervention for several years, but consumers who have not yet bought things expect something better and shinier than was available last week;

      Support model: unlike businesses, consumers are not generally in the habit of employing staff to manage their technology or continuously paying support contracts.

      Given that entire hospitals and manufacturing plants can already be shut down fairly easily, it's pretty clear that there needs to be different thinking when it comes to security for present systems. If we can fix that, then IoT is just an incremental change. If we can't, we can't fix the IoT problem either.

    2. smudge

      Re: (And now for) something completely different?

      Indeed. And also:

      "There is a growing awareness that IoT security is not like traditional cybersecurity,"

      Identify threats and vulnerabilities.

      Determine likelihood of risk events happening, and impact if they do.

      Implement cost-effective countermeasures.

      Continually monitor and repeat/update as necessary.

      My invoice is in the post.

      1. Charles 9

        Re: (And now for) something completely different?

        Threats and vulnerabilities constantly changing.

        Low incidence may not mean much if high consequence. Is one in a billion worth anarchy over an entire city?

        Due to the scale, no countermeasure may be cost-effective.

        Same with the monitoring costs. Likely cheaper to fix leaks when and as they appear instead of trying to prevent them, a la Unsafe At Any Speed.

  2. Anonymous Coward

    -$$$-

    That's all these companies care about. But, it isn't Windows-Vista 'sticker' time anymore Dell... There are real stakes now. The fallout and looming lawsuits will kill IoT corps. We need a whole new paradigm for security and IoT testing that just doesn't exist yet... But once upon a time it was Wild-Wild-West 1.0 whenever you bought a Lambo-tractor or an Edison light-bulb. It took decades to get certifications and testing bodies to make products safer. Stop trying to shortcut the process hiding behind legalese!

    1. fidodogbreath

      Re: -$$$-

      If the typical consumer can't get a new IoToy to work out of the box in 60 seconds -- without reading, or even looking at pictograms -- then they will return it. Returns cost money. Hence, the market consists of shedloads of web-enabled crapware with no encryption and a hard coded admin password of 1234, that's easy for the average bear to set up.

      It's hard to fix that problem with government.

      1. Charles 9

        Re: -$$$-

        In other words, it's hard to make things very secure when the customers demand turnkey simplicity. Security necessarily involves hoop-jumping, but the customers already complain about dead bolts.

  3. Muscleguy

    What's in it for me?

    I look at the IoT offerings in the domestic sphere and they leave me cold. Am I really so infirm and disabled that I can't or can't be bothered to use a light switch or thermostat? Is coming home to a cold house and putting the heating on by opening the electrical cabinet just inside the door and hitting the heating advance such a terrible thing? I should note that I live in Dundee when I say this.

    Can I see the useful industrial applications for this? Yes, but on a LAN, not on the net. Putting sensors on the net is just asking for trouble.

    I have a cousin who breeds pigs in the West Country. Back in the '90s he set up his porker breedery so that it was controllable from his next door abode. The pigs were fed automatically, watered automatically etc. etc. He did need to actually go in there. But he made himself do it because the cameras can't show everything.

    Back in the '80s during my Honours and PhD there was a plumbed watering system for the animals in the Physiology dept animal facility. Pipes ran along the racking with T-junctions feeding a pipe and ball plugged drinker in the cages. The problem was if the drink fitting failed either the mice went thirsty, bad, or it flooded the cage, very bad. I doubt I will forget the smell of wet mouse, sawdust and excreta overlaid with the smell of dead wet mouse.

    That got pulled out and the cages used individual bottles which almost never failed and if they did the mice didn't drown. Automation is all very well, but sometimes it is not the right solution.

    No modern mouse facility I have been in uses piped drinkers. They all use individual water bottles. Modern hi-tech forced draught (air con for individual cages) isolation racks still use water bottles.

    1. Anonymous Coward

      Re: What's in it for me?

      Central heating... I find it useful to be able to turn on/off and up/down the thermostat in my 2nd home, as I'm there only sporadically. Why should I walk into a cold home when the technology enables me not to, or pay to heat up a home that nobody is in?

      Posted anonymously, because I know this post will make me look like a c***.

    2. Gene Cash Silver badge

      Re: What's in it for me?

      > Am I really so infirm and disabled that I can't or can't be bothered to use a light switch or thermostat

      No, but it's convenient, just like a TV remote control. It's nice to be able to up the heat on a cold morning before you get out of bed.

      Granted, when I got a WiFi thermostat, I wrote my own Android client that didn't go through their server. The protocol was mostly plaintext JSON strings.

      1. fidodogbreath

        Re: What's in it for me?

        > It's nice to be able to up the heat on a cold morning before you get out of bed.

        A $50 programmable thermostat can do that quite nicely. As an added benefit, it will not track you like a dairy cow with an ear tag, or participate in DDOS attacks.

        1. Charles 9

          Re: What's in it for me?

          No programmable thermostat I know can turn up the heat at just the right time if your daily life (meaning your get-up time) is inconsistent. Having a remote-controllable thermostat is one thing. You just want to make sure it doesn't talk to a third party.

  4. Chronos

    IoM

    The very first priority should be shifting the focus from the needs of marketers to the requirements of the meatsack trying to use these devices. The vast majority of this traffic doesn't need to ever leave the local segment.

    In the case of those that do need to use the maelstrom of the Internet, there are certain design rules that should be followed. I wanted a vehicle tracker. I researched the various options from hideously expensive to cheap and shonky. All, without fail, required the use of some third party server, more often than not Google's maps crept in, leaked data like a sieve and kept quite a lot of numbers you probably didn't want them to keep.

    I ended up designing my own. STM32+SIM800+Neo6, simple firmware that opens a GPRS connection and uploads a JSON string to my MQTT server over TLS every three minutes if the vehicle has moved more than twenty metres then turns the GSM radio completely off. Simple, effective, private and secure. I can then use HomeAssistant to grab an OSM tile and display the location on a nice map.

    At no point does unencrypted data move out of my control. Nor is there any facility for communicating with the device over any public network - it talks, the server listens, then it says goodbye once a successful status message is received. It cannot be redirected, suborned, repurposed to carry out DDoS attacks or tricked into leaking data.

    Other IoT stuff here includes a weather station, solar charge controllers, various light and socket controllers and the garage door opener. All are custom built, all have ONE job and none of them will even acknowledge the existence of anything but the intended control channels.

    The Unix philosophy works well in this arena and I commend it to my colleagues.
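The design Chronos describes (device decides locally whether it has moved more than twenty metres, pushes a small JSON message to its own MQTT broker over TLS, and never listens for inbound commands) is worth seeing as code, because the security properties come from the shape of the logic rather than from any particular chip. The block below is an added example, not Chronos's firmware; it is plain Python so it can run on a desk, and the device id, topic, CA file path and the Dundee-area fixes are constructed placeholders. It covers the movement gate (compared against the last fix that was actually reported, so slow creep is still eventually reported), the minimal payload, and a client-side TLS context that trusts only the owner's CA.

```python
"""Movement-gated, publish-only telemetry in the style of the tracker described
in the post above. Added example, not the original device's code. The device id,
topic, CA file and coordinates are constructed placeholders."""
import json
import math
import ssl

REPORT_DISTANCE_M = 20.0        # the post's threshold: report only if moved > 20 m
EARTH_RADIUS_M = 6_371_000.0
MQTT_TOPIC = "trackers/vehicle-1"  # assumed topic name


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 fixes."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class MovementGate:
    """Remembers the last fix that was *reported* and decides whether a new fix
    has moved far enough to be worth a radio transmission. Comparing against the
    last reported fix (not the last seen one) means a slow crawl still triggers a
    report once the accumulated distance exceeds the threshold."""

    def __init__(self, threshold_m=REPORT_DISTANCE_M):
        self.threshold_m = threshold_m
        self.last_reported = None

    def should_report(self, lat, lon):
        if self.last_reported is None:
            return True  # first fix after power-on always goes out
        return haversine_m(*self.last_reported, lat, lon) > self.threshold_m

    def mark_reported(self, lat, lon):
        self.last_reported = (lat, lon)


def build_payload(device_id, lat, lon, ts):
    """Minimal JSON: only what the map display needs, nothing that identifies
    the owner, the SIM or the phone. Coordinates are rounded to ~1 m."""
    return json.dumps(
        {"id": device_id, "lat": round(lat, 5), "lon": round(lon, 5), "ts": int(ts)},
        separators=(",", ":"),
    )


def make_tls_context(ca_file=None):
    """Client-only TLS context: certificate required, hostname checked, TLS 1.2
    minimum. With ca_file set, only the owner's own CA is trusted (assumed path);
    otherwise the system trust store is used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def run_cycle(device_id, fixes, gate=None):
    """Simulate the periodic wake-up: for each (ts, lat, lon) fix decide whether
    to transmit, and return the list of payloads that would be published.
    In the real device each returned payload is one TLS/MQTT session, after
    which the GSM radio is switched off; nothing here ever reads from the network."""
    gate = gate or MovementGate()
    published = []
    for ts, lat, lon in fixes:
        if gate.should_report(lat, lon):
            published.append(build_payload(device_id, lat, lon, ts))
            gate.mark_reported(lat, lon)
    return published


# Constructed sample: four three-minute fixes near Dundee. The second and third
# move ~11 m and ~17 m from the first report (not enough); the fourth is ~33 m away.
SAMPLE_FIXES = [
    (1_500_000_000, 56.46200, -2.97000),
    (1_500_000_180, 56.46210, -2.97000),
    (1_500_000_360, 56.46215, -2.97000),
    (1_500_000_540, 56.46230, -2.97000),
]

if __name__ == "__main__":
    for msg in run_cycle("vehicle-1", SAMPLE_FIXES):
        print(MQTT_TOPIC, msg)
```

The point of `run_cycle` is that the control flow only ever produces outbound messages: there is no subscribe, no command parser and no socket left open, so the threat model for the device collapses to "what the server learns" and "what a passive observer of the GSM link learns", and the TLS context handles the second.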

    1. ThatOne Silver badge

      Re: IoM

      @ Chronos:

      > I ended up designing my own. STM32+SIM800+Neo6, simple firmware that [...]

      People (including me) would be willing to pay money for that device (and the others you mentioned too). Lots of people are looking for a secure alternative to the current IoT nonsense.

      Are you aware there is potentially money to be made out of them? Either by selling the finished devices to people from a different field of expertise, who can't reliably design/build such themselves, or by distributing the detailed plans and building instructions for those who know how to use a soldering iron.

      If you're tired of your day job and know some financial backer, don't hesitate! Automation without security or privacy issues will definitely attract attention among a certain population.

  5. Solarflare

    "So how much of the $1bn is Dell pumping into security? O'Farrell will not be drawn on specific figures or percentages, saying “security will definitely be a priority area for investment." It would be mad if it wasn’t."

    Why do I get the feeling that this is more a "We are setting aside money for a comms budget to best express the sentiment of 'we take security incredibly seriously' after our first inevitable breach"?

  6. John Smith 19 Gold badge

    How about "No PHB gives a s**t about security and everything about time to market"

    That's what I think is a big driver.*

    Let's be real f**king honest here. Historically it has taken actual deaths for industries to start seriously caring about safety, and it looks like IoT security will be another such issue. These are the sort of borderline psychopaths for whom "Carter Burke" in "Aliens" is a (flawed) role model whose success is to be emulated.

    *Who then hire code monkeys too ignorant, or scared of them, or harassed, to find secure implementations of functions even when they exist and are too exhausted/lazy/stupid to implement from scratch when it does not.

  7. thx1138v2

    This says it all

    The "S" in "IoT" stands for security.

  8. JimboSmith Silver badge

    I was at a party for my nephew who turned 10 and I talked a bit to one of his grandparents. The topic of connected heating came up as he was thinking of taking the plunge. Did I have any advice as to which system was better, Hive or Nest? He seemed surprised when I immediately started talking about security and not ease of use. I explained that the system security was the thing I found most important. I was then forced to explain why someone turning your heating off when the temperature drops below zero is a bad thing. Doubly so when you're away and it causes your pipes to burst. I suggested going and having a play with them as I think they had samples of both in his local John Lewis. He's going to ask about how secure the different systems are and probably be a problem for a sales assistant.

  9. Anonymous Coward

    Network Policing Required

    From a public interest point of view, the most dangerous aspect is the Denial Of Service (DoS) potential of millions of unpatched internet cameras, temperature sensors etc.

    So what we need is a sort of Internet Police Service (IPS), which will identify subscribers with these devices. And we need a process to quickly notify internet subscribers of their pwned/DoSing device, combined with a notification that their internet service will be turned off in two days if they do not remove the pwned device. In emergencies, turn off immediately.

    The IPS function could easily run on top of the existing TLA snooping infrastructure, which does much more complex functions already.

    On the consumer law side, equipment manufacturers should be required to offer security patches for a period of five years at least. Carry the device to where you bought it and have it patched there. That will pressure manufacturers to have serious auto-update built in.

    1. Anonymous Coward

      Re: Network Policing Required

      And then it'll just be much cheaper to bribe the governments to look the other way. The general public is not as determined as they used to be unless it happens directly to them. People die, life goes on for the rest. Otherwise we'd be banning cars.

  10. Anonymous Coward

    The dangers of a monoculture ..

    As in nature, the danger in maintaining a monoculture is that when a virus comes around it infects your whole crop. What's needed is multiple versions of hardware running multiple versions of the software. The providers could pick from a library of such hard/soft solutions, as in the API or ABI provides the same functionality but is different under the hood. Or the device re-configures itself at first boot to obfuscate the system. I call it inoculate ©.

    1. Anonymous Coward

      Re: The dangers of a monoculture ..

      But that has a trade-off. It makes it harder to diagnose problems when they DO hit because you have so many combinations. Meanwhile, a truly psycho individual would just sit on multiple exploits so as to hit them all at once.

    2. Anonymous Coward

      Not Really

      Even 10% of devices on the net pwned can create a DOS storm which can even bring down Google. Devices must be patched or removed. Enforced by the state or by the internet providers, or both.

  11. jake Silver badge

    I have a problem paying much attention to ...

    ... a bloke supposedly talking about security who doesn't know that "the great thing about standards is that there’s so many to choose from." is an Andrew S. Tanenbaum quote.
