So you're doing an IoT project. Cute. Let's start with the basics: Security

The Internet of Things is going to solve climate change, fix our political system, and ensure that you can always find a parking spot. Some see a future of 15 billion connected devices. Now, just the tiny matter of deploying them. There's a long way between all IoT's utopian promises and the reality. We've never attempted …

  1. Chris King

    Am I the only person...

    ...who wants to smack IoT developers over the head with a copy of the OWASP Top Ten, wrapped round a large brick?

    1. macjules

      Re: Am I the only person...

      Make sure it's an IoT-enabled brick.

      1. Chris King
      2. cream wobbly

        Re: Am I the only person...

        I hesitate to point out that if it's a brick, then it's *disabled*.

    2. John Smith 19 Gold badge

      Am I the only person....who wants to smack IoT developers over the head with a large brick?

      No.

      But calling them "developers" is putting most of them too high up the evolutionary ladder.

      "Code monkeys" is a more accurate description of the s**t they have produced so far.

      1. steviebuk Silver badge

        Re: Am I the only person....who wants to smack IoT developers over the head with a large brick?

        Hipsters is another word for them also.

      2. macjules

        Re: Am I the only person....who wants to smack IoT developers over the head with a large brick?

        I prefer "npm users".

    3. Pascal Monett Silver badge

      @Chris King

      Bud, as far as I'm concerned, you can wrap whatever the heck you want around that large brick as long as you only target IoT guys. I suggest a submarine.

      I'll even help you. With the wrapping and mostly the smacking.

    4. Michael Wojcik Silver badge

      Re: Am I the only person...

      The OWASP Top 10 (updated for 2017, kids!) is great, particularly in the associated resources on their wiki. But it's web-focused, even if many of the issues have non-web analogues. Many IoT devices have web interfaces, but not all, and that's not the extent of their problems.

      I'd suggest starting with the SANS Top 25 or the Howard / LeBlanc / Viega 24 Deadly Sins. Then hit 'em with some actual software security theory and SDLC practices.

  2. big_D Silver badge

    The biggest problem

    Is that we are moving from a solid product world, where non-intelligent devices last decades, to an IoT world, where you may get 6 months support, if you are lucky.

    In industry, you are working on 10 to 20 year amortization timescales. Very little in the way of IoT is going to get support on that timescale.

    The same for consumer products, a fridge or TV is something you buy in decade timescales, yet you are lucky if you get security updates for your TV after 2 years... So, after 2 years, it either becomes a dumb-TV or a security risk.

    1. JohnFen

      Re: The biggest problem

      "yet you are lucky if you get security updates for your TV after 2 years"

      If you don't connect it to the network, you don't have to worry about whether or not you get security updates.

      1. cream wobbly

        Re: The biggest problem

        If someone else connects it, then you don't have to worry about it being yours.

      2. Ken Hagan Gold badge

        Re: The biggest problem

        "If you don't connect it to the network, you don't have to worry about whether or not you get security updates."

        Except that with the assumption of connectivity has come the assumption that the vendor can ship any old crap in the first manufacturing release and patch it later, so there is a fair probability that your TV won't work properly if you never give it a connection.

        1. Anonymous Coward

          Re: If you don't connect it to the network, ...

          ... it might not make a difference, because it'll be programmed - regardless of your puny attempts to stop it - to form an ad hoc wifi mesh network with any other wifi'd up device it can find amongst your collection of neighbours, and it'll find a way out eventually.

          /tinfoilhat

          1. doublelayer Silver badge

            Re: If you don't connect it to the network, ...

            But they make it look like connecting it to the network will be helpful. That means that nuts like my parents, who had decided to test out some streaming services, tried to get the TV to stream them for them by having it connect to the network. Of course it didn't work, but now I have to find out how to get this thing back off the network. Somehow, my suggestion of giving them a raspberry pi that they could just connect an HDMI cable to was not seen as helpful.

        2. JohnFen

          Re: The biggest problem

          "so there is a fair probability that your TV won't work properly if you never give it a connection."

          In which case, the TV is not fit for purpose and should be returned.

      3. big_D Silver badge

        Re: The biggest problem

        @JohnFen as I said, after 2 years, it becomes a plain dumb TV... So why bother buying it "smart" in the first place?

        I'd stick to buying dumb and adding cheap intelligent boxes where necessary.

        1. Dan 55 Silver badge

          Re: The biggest problem

          Thing is it's difficult to buy dumb now. You'll have a much easier time buying smart and not connecting it.

          1. Michael Wojcik Silver badge

            Re: The biggest problem

            Thing is it's difficult to buy dumb now.

            Yes. Last time I bought a TV, Target had only one non-"smart" model on sale, and only two of them in stock.

            You'll have a much easier time buying smart and not connecting it.

            I hear anecdotally that some models won't work unless they're allowed to connect on initial power-up and occasionally thereafter. While it might be possible to reduce how often it's allowed to phone home, or spoof its server (I'm betting many manufacturers fuck up certificate validation), that sort of thing quickly becomes onerous for experts and impossible for regular consumers.

            Appliance manufacturers have razor-thin margins, particularly at the low end. Data collection from "smart" devices is going to be very hard for them to resist.

          2. JohnFen

            Re: The biggest problem

            It's pretty easy to buy dumb. Just buy a monitor rather than a TV, and use an external box to provide the video to it. The external box can be as inexpensive as a Raspberry PI, or if you don't want to go that route, there are dozens of commercially available solutions.

  3. Doctor Syntax Silver badge

    "There's a perception that you can get any and all data and then think about it later. You need use cases."

    There's nothing new or specifically IoT related about that. It's just the magnitude of "all" that's changing.

  4. ratfox

    Nice guys finish last

    The problem is that if you take the time to solve the security issues and make sure that you don't access too much data, your project is one generation late to the market. Then you are fighting an uphill battle to grab customers who are all looking for the latest shiny and don't know – or care – about security issues.

    1. Doctor Syntax Silver badge

      Re: Nice guys finish last

      "The problem is that if you take the time to solve the security issues and make sure that you don't access too much data, your project is one generation late to the market."

      That's why regulation is needed to level the playing field. That way, if you don't solve the security issues you don't get to the market.

      1. Anonymous Coward

        Re: Nice guys finish last

        I'm not a huge fan of regulations. Mainly because saying "Regulations" gets a lot of people up in arms.

        What needs to change is /liability/. We need decent data protection legislation, followed by punitive fines when there's a breach. Something based on the total number of deployed devices /with that vulnerability/ rather than just the number of people actually affected.

        Just making a 'best effort' should be a defence, at least at first. We don't want it to become economically unviable to sell computing devices. But it shouldn't take much to clamp shut the vast majority of weaknesses (hard-coded / universal default passwords, unencrypted data feeding home, overreaching data collection, etc). We don't need to make these things impregnable, just 'good enough'.

        Obligatory XKCD: https://xkcd.com/538/

        1. Dan 55 Silver badge

          Re: Nice guys finish last

          When good enough becomes the new normal, then we'll be back to square one as the standard will have been raised.

  5. Anonymous Coward

    A Message to the Consumer....

    ....paraphrasing Phil Knight....

    *** JUST DON'T DO IoT ***

    .....but no one is listening.....

  6. Anonymous Coward

    "After all, we're meant to be doing security by design and default, right?"

    I do in my solutions, but someone really needs to tell the IoT device manufacturers. Security in some of those devices is very poor.

  7. Anonymous Coward

    I for one would like to say welcome to all the "disrupters" and "innovators" who were going to set the world on fire because they didn't need to listen to the more experienced people about the reality of how things are. Start reading the OWASP Top 10, and then maybe someone can start to introduce security dev 101.

    One of the reasons some of the "old" companies were slow was because secure, well-thought-out products are hard and take lots of expertise. Not a copy of Stack Overflow and 10,000 Java library dependencies that you don't understand.

    1. Ken Hagan Gold badge

      "Not a copy of stack overflow and 10,000 java library dependencies that you don't understand."

      Nor a light-switch implemented using wordpress, as we heard about the other day.

      ( https://forums.theregister.co.uk/forum/2/2018/06/22/security_failing_iot_schneier/#c_3549887 )

  8. Robert Helpmann??

    How do you solve a problem like IoT, eh?

    Some vendors solve it by sharing private keys across thousands of devices. That is the wrong answer.

    No, I have nothing to add to this, but it bears repeating.

  9. toby mills

    Regulation takes too long but companies do need to be held accountable for security across the board.

    Also large IoT networks are being deployed which will be redundant in a year or two because the tech will be out of date and obsolete.

    It's a wild west right now and a lot of money will be wasted until industry standards and regulations catch up.

  10. Anonymous Coward

    At least I did one thing right.

    I had an IoT application I built a few years ago that had to be done fast and cheap (and you know the saying about what that does to quality). Since I didn't have an unlimited security budget, I had to really decide what were the most important things to address.

    The biggest risk was not getting the data, so I developed a fall back communications channel so that if the devices couldn't "phone home" via DNS they used raw IP addresses instead.

    The second biggest risk was that someone would "poison" the data by sending valid-looking but fake messages. Using SHA-256 and a secret, dynamically changing salt value, I signed each message to ensure it was from a valid source.

    The signing scheme has not been tested by adversaries yet, but over the last two years the raw IP communication channel has kicked in several times and proved its worth. I don't know if DNS servers were under attack or the carrier was just having an off day. But the data came through the backup channel each time.

    I'm sure given the time and resources I could have worked on mitigating 10 more important risks, but sometimes getting the first one or two is enough.
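Message authentication of the kind this post describes, as an added example that is not the poster's code: it uses HMAC-SHA256 keyed with a per-epoch key derived from a master secret (the epoch counter standing in for the "dynamically changing salt"), a swapped-in construction that avoids the length-extension problem of hashing a secret and message directly with bare SHA-256. The master secret, rotation interval and sample payload are constructed values for the example.

```python
import hmac
import hashlib
import json

# Constructed master secret for this example. A real device would hold its own
# provisioned secret, never one shared across the fleet.
MASTER_SECRET = b"example-master-secret-do-not-reuse"
EPOCH_SECONDS = 600  # assumed rotation interval: a fresh key every 10 minutes


def epoch_key(epoch: int) -> bytes:
    """Derive the key for one rotation period from the master secret.
    The epoch counter stands in for the post's 'dynamically changing salt'."""
    info = b"msg-auth|" + str(epoch).encode()
    return hmac.new(MASTER_SECRET, info, hashlib.sha256).digest()


def canonical(payload: dict) -> bytes:
    """Serialise deterministically so sender and receiver tag identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload: dict, now: float) -> dict:
    """Attach the current epoch and an HMAC-SHA256 tag over the canonical payload."""
    epoch = int(now // EPOCH_SECONDS)
    tag = hmac.new(epoch_key(epoch), canonical(payload), hashlib.sha256).hexdigest()
    return {"epoch": epoch, "payload": payload, "tag": tag}


def verify_message(msg: dict, now: float, skew_epochs: int = 1) -> bool:
    """Accept tags from the current epoch or up to `skew_epochs` earlier ones,
    so clock drift is tolerated but a captured message cannot be replayed forever."""
    try:
        epoch = int(msg["epoch"])
        body = canonical(msg["payload"])
        tag = str(msg["tag"])
    except (KeyError, TypeError, ValueError):
        return False  # malformed message: missing fields or wrong types
    current = int(now // EPOCH_SECONDS)
    if not (current - skew_epochs <= epoch <= current):
        return False  # stale or future epoch
    expected = hmac.new(epoch_key(epoch), body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


if __name__ == "__main__":
    t = 1_700_000_000.0
    m = sign_message({"device": "sensor-42", "temp_c": 21.5}, t)
    print(verify_message(m, t), verify_message(m, t + 3 * EPOCH_SECONDS))
```

The receiver only needs the master secret and a roughly synchronised clock; the sender never transmits the key, and a tag captured in one epoch stops validating after the skew window closes.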

  11. Anonymous Coward

    " Security, meanwhile, has consistently been one of the largest inhibitors to rollouts."

    You misspelled: "Security, meanwhile, has consistently been one of the largest missing pieces of rollouts"

  12. Pascal Monett Silver badge

    IoT is going to be the poster child of "self-regulation"

    One of the basic tenets of capitalism viewed by right-wing Republicans is that the market is self-regulating and thus, should not be regulated.

    As far as IoT is concerned, that means that they view millions of people spending money on products that are not secure, are eminently hackable and can cause major disruption of private life as a perfectly acceptable consequence because the market will just "adjust accordingly".

    IoT is the "Unsafe at Any Speed" of the IT industry.

    It needs regulation, and it needs a global body to evaluate and approve stuff for selling.

    If we don't do that now, untold millions of people will suffer needlessly while crap-sellers stuff their pockets in what is surely a most immoral way.

    But it's legal, so Republicans don't care.

  13. A Dark Germ

    SECURITY has to be abstracted away from the user problem domain!

    https://www.switchedonscotland.com/ education only no sales at all.

  14. A Dark Germ

    oh and free PC Sudoku 17 puzzle

    https://www.switchedonscotland.com/sudoku17.php
