back to article If you're serious about securing IoT gadgets, may as well start here

Can we overcome the SOHOpeless security of the Internet of Things at the home and small business level? An Internet-Draft from Ericsson engineer Mohit Sethi suggests so. Sethi's ambitious proposal isn't destined for the hall of internet standards. Instead, it sets out a possible way to get IoT gadgets connected securely to the …

  1. Mayday
    Terminator

    Good idea in principle

    Getting manufacturers to comply is another story.

    "Too hard" and "afterthought" generally are the terms used when security for IoT devices.

    1. Rich 11

      Re: Good idea in principle

      Along with another important term, "cost". Any manufacturer who wants mass-market appeal is always going to have to keep an eye on competitors churning cheap chunder out of [insert alliterative country name here].

    2. Anonymous Coward
      Anonymous Coward

      Re: Good idea in principle

      Agreed. I've dealt with IoT devices ranging from sprinkler controllers to thermostats to DVR's to cameras to "smart" MoCA adapters to video streaming boxes. I've yet to see any that have the ability to interface to my main WPA2 Enterprise WiFi SSID backed by a radius server. As soon as IoT crap started showing up, I had to create at least one WPA/WPA2 - Personal SSID for them.

      Other than reconfigure their admin credentials (& hope they don't have undocumented other hardwired accounts I can't see), all I know I can in general do is

      (1) Have the SSID they log into have a MAC Address white list.

      and

      (2) Have the SSID they log into configured so that if the IoT device has to access the Internet then it can't access any computers, and if it does not need to access a computer then it's on a LAN/VLAN that is devoid of any computers/servers. In other words: (a) Be on a LAN/VLAN that no computers/servers are on. or (b) If the IoT device must see an internal computer/server, then have a firewall rule blocking it from accessing the Internet.

      1. Joe Gurman

        Re: Good idea in principle

        Nice to know I’m not the only one who still thinks MAC ID ACLs are a useful tool, despite their deprecation when any computer OS can spoof them. Now, if we could not get IoT manufacturers to put the MAC ID on the devices.

    3. Anonymous Coward
      Anonymous Coward

      Re: Good idea in principle

      If you don't trust the device security, you won't trust their RADIUS, EAP, etc. security as well. It's just more data sent and stored outside your local network.

  2. wobbly1
    Black Helicopters

    "This server could run on the wireless access point, or be an online service on the public internet run by the maker of the gadget."

    Therein lays the problem, I have been reducing the need for my custom built IoT systems to communicate with the internet, (in the main weather API calls) and replacing them with locally sensed data. outbound API calls are handled by one server and API responses are evaluated to ensure they conform to the expected response. The problem lays with the unending addiction of device manufacturers to have anything from your printer to the light bulb in the hall communicate with their backend servers. The reason is by and large to collect aggregatable data to sell on.Eliminating that extra income stream from manufacturers wold eliminate much of the attack surface. It was this "calling home" that lead me to build my own devices. relying on manufacturer to continue to secure your long ago bough IoT can opener requires trusting in the company to value your security over share holder value , the later being protected by law. . Got burnt by Synology obsoleting a recently bought NAS. If they do that with thick profit margins on a NAS box what hope for a sub £5 IoT device?

    1. Korev Silver badge

      >Got burnt by Synology obsoleting a recently bought NAS.

      Out of interest which NAS? I'm a pretty happy Synology owner and that concerns me! My NAS is no longer for sale on their website, but continues to be updated which is the important thing.

      1. wobbly1

        Synology DS209j It was when the security updates stopped i started building devices and branched out into IoT. Open Source NAS software gets updated and continues to be supported. my synology replacement costs about £50 based on a rock 64 sbc That's one advantage of not having shareholder value to consider ;)

        1. Korev Silver badge
        2. eldakka

          > my synology replacement costs about £50 based

          I went the opposite way as I'm replacing my old NAS. I built it myself, but I went silly with the components to future-proof and due to scope creep (maybe I can run some VMs on it for the additional services I usually run on my NAS, so yeah I'll put in 32GB ECC RAM...) and it's cost a heap - probably more than buying an off the shelf 8 or 10-bay NAS - but been interesting to do.

  3. Anonymous Coward
    Anonymous Coward

    Why not just embed an NFC tag in every IoT device and then have a smartphone app to read the tag and authenticate the device by some means to the home WiFi system? The router itself would need a secure element too, but these things are fairly cheap these days.

    1. fruitoftheloon
      Thumb Up

      @Thoguht

      Thoguht,

      indeed, howsabout folk that use iPhones???

      Cheers,

      Jay

  4. John Smith 19 Gold badge
    Unhappy

    "maintaining continuity of service and security if a vendor goes under,"

    Right there is why people should be concerned about IoT.*

    Mfg goes down pan, device is bricked, despite the only reason needing to talk to the server is probably to spy on you.

    *Along with the usual code monkeys who fling their s**t code onto the devices of course.

    1. Francis Liu

      Re: "maintaining continuity of service and security if a vendor goes under,"

      The solution fixes the security issues, but doesn't address the lifecycle issues of either vendor/middle-person/device.

      But that's ok.

      I'm not expecting one solution to fix everything. In fact, it's better this way. A solution that fixed everything would be some thick manual that IoT manufacturers couldn't implement.

  5. Drone Pilot

    While it's a good idea, I can't see it getting traction for a long time.

    *lots of rebranded Chinese tat won't use it

    *Philips et al might look into it as a "social responsibility" play but will drop it because

    **it's hard

    **Nerd is needed to implement it

    ***X and Y don't use it, why should we.

    I have a lot (100+) IoT devices in my home. Where I can't run custom firmware on them I run them in isolated networks.

    For one which "had to phone phone" I did a MITM "attack" and feed it back 303 and black-hole it. It's happy :)

    Options? When thin margins are pushed, there are very few options...

    1. Pascal Monett Silver badge

      I'm glad to know that you have the technical knowledge to handle your home network in all aspects. You do realize that you are part of the one-in-a-million club, don't you ?

      I know just enough about networks to ensure that I can connect my home computers to my NAS, keep a firewalled router to access the Internet, and have all connected PCs, laptops and tablets be able to print on the shared printer. Oh, and ensure that my wife can access the WiFi when she's somehow unconfigured her phone again.

      I'm pretty sure that there are a lot of people who don't even know what I know. They are the mass for which a solution must be found, because the blight that is IoT is only going to get worse. Any step towards a solution is a good one in my book.

      1. Mark 85

        Bingo!!! Give that man a cigar or whatever since cigars aren't politically correct. We techies often forget that Joe User hasn't a clue or the interest in learning this stuff. Anything more complicated than on "on" button won't sell.

        1. eldakka

          > We techies often forget that Joe User hasn't a clue or the interest in learning this stuff.

          The problem becomes when the only mechanism put in place caters for the lowest common denominator and us techies get stuck having to do it that way too.

          I mean, they say "at time of purchase you give to the manufacturer a passcode". Who does that? How is it done? I bet you $100 bucks that it'll be an interface on the checkout's screen, so the BestBuy or other minimum wage person ask you for the code then inputs it on your behalf. And since that's the only way the device will work, you have no option other than announcing to the other people in earshot what the code is, and having the checkout person enter it, possibly being saved in the store's system before going to the manufacturer, if you want to buy the device.

          As long as such a system were optional, I'd have less issues with it. But it won't be.

  6. Wellyboot Silver badge

    No simple security.

    Nobody cares more about your security than you do (ok, possibly your mum). All home routers* already provide a large number of services that the owner never touches so all that is needed is a decent GUI slapped onto the protocol and the owner to get into the habit of zipping their fly. I'm not confident on the last point given the rise in IOT doorlocks but at least for those who do there will be some benefit.

    Cloud based security will only be as good as the manufacturer wishes to pay for and many will simply buy-in the service to pass the buck, the resulting centralised systems then become a priority target for evil-gitsTM and TLAs

    *Yes, IOT & home routers are generally pants for security updates - that's the underlying problem here.

  7. Richard Jones 1
    WTF?

    Why?

    What does a cheap and insecure gizmo add to anyone's life? A thermostat that can be controlled from the far side of the world, but not from the same room if the internet, server, ISP or anything else falls over. So it is with the rest of the tat. The washing machine can message indicating its progress through the wash cycle, but why bother? I have no need for such fluff and it is a Wi-Fi not spot anyway, it is either washing or finished and if finished it needs an attendant on site. A time switch can turn on lights if I am not there, if I am there I have light switches. So it is with all the not much use functions. The TV could monitor our channel habits, but we almost always use a PVR as the real time or time shift tuner. As for using voice controls, I might have some movement issues, but I can still move and press buttons on a remote. People get paranoid about mobile security, but then invite a pack of uncontrolled spies to come in, one question, why.

    If there is a real need, do the job correctly, do not use something out of a Christmas cracker or worse.

    1. Rich 11

      Re: Why?

      The washing machine can message indicating its progress through the wash cycle, but why bother?

      I don't understand the appeal of mindlessly throwing so much technology at things which are simple and basic enough for human beings to run reliably on their own wetware. Once you know the wash cycle lasts fifty, sixty or seventy minutes (whatever it is for your machine) that's all you need to remember to be able to predict when it will be done. That's going to hold true for 85% of your household washing needs (more like 99.9% if you're a single bloke).

    2. Robert Helpmann??
      Childcatcher

      Re: Why?

      Two reasons I can think for all these IoT devices. First, it's a fad and manufacturers are afraid that if they don't include the latest and greatest, they won't be able to move their wares even if they implement it in much the same way as slapping a different color paint on it all. In fact, it wouldn't surprise me if we some day soon have IoT paint.

      Second, the idea that all this stuff can provide a real, automated household is an interesting and compelling dream. The problem is that there is no way to hold it all together without building it yourself. Most people want to get in their cars, turn the key and go. What they don't want to do is have to build it from scraps and spend all their time maintaining it. We haven't got a Henry Ford of IoT yet. We don't even have a Karl Benz.

      1. eldakka

        Re: Why?

        > Second, the idea that all this stuff can provide a real, automated household is an interesting and compelling dream.

        I have no problem with this dream.

        What I have a problem with is the way it is trying to be implemented. That is, introducing 'the cloud' into it all.

        There is no need for the cloud for home automation tasks. All that's needed is to use the internet for a communications medium between your in-home server that is managing everything, and whatever communications device you need to use to manage it or receive updates on.

        I do not want any management, automation, access, monitoring, security run in the cloud.

  8. Andy00ff00

    > I have a lot (100+) IoT devices in my home.

    I'm sure I'll regret asking, but why?

    > Where I can't run custom firmware on them I run them in isolated networks.

    Wouldn't you rather have a life?

    1. Mike 125

      why indeed

      >>but why?

      ...because 'can'. And will until something breaks.

      As for the current crop of IoT, they're basically Christmas Cracker novelties: fridges, lights, front door locks, toilet flush, etc. I'm sticking with tradition. Tradition works - we're going back to vinyl, (and VHS tape now I read, but that was also crap, so I'll skip that one!).

      I have just 6 Internet Things: a router, 2 phones and 3 laptops. And those alone cause enough problems.

      The idea that a vital, fundamental home device such as a lock requires a live connection back to the manufacturer just to work, is insane.

      1. Captain Hogwash
        Coat

        Re: Tradition works - we're going back to vinyl

        No sir. Tradition demands that you strike the Viol, touch the Lute, wake the Harp and inspire the Flute. Damn your vinyl to Hades, sir. It is nothing but a muck-spout. Aye sir and a fopdoodle.

        1. Mike 125

          Re: Tradition works - we're going back to vinyl

          >>Tradition demands that you strike the Viol,

          Hmmmm. I once Shook my Booty. Yea, you heard.

        2. Rich 11

          Re: Tradition works - we're going back to vinyl

          And don't forget to fondle the Bassoon.

      2. fattybacon

        Re: why indeed

        > I have just 6 Internet Things: a router, 2 phones and 3 laptops

        > And those alone cause enough problems.

        Only 6? You don't have a smart TV, a PVR, a Set top box, a games console or two?

        > The idea that a vital, fundamental home device such as a lock

        > requires a live connection back to the

        > manufacturer just to work, is insane.

        Yeah.... I think it hit home to me when all those pets died... (The Petnet SmartFeeder which had a 3rd party server go down rending the feeder useless.)

      3. eldakka

        Re: why indeed

        > I have just 6 Internet Things: a router, 2 phones and 3 laptops.

        Do we have a formal definition of IoT?

        I ask because I would not consider a laptop, a general purpose computer, as an 'IoT' device.

        I always view an IoT device as (usually) an appliance, a limited function device that needs internet connectivity back to specific vendor/product back-ends, to work.

        General Purpose devices that can work without a constant, or near constant, connection to the internet, that don't have a specific manufacturer/vendor frequent/constant required connection to, I personally wouldn't regard as an IoT device.

        But that's just me, and I know I'm weird.

        1. dajames

          Re: why indeed

          I always view an IoT device as (usually) an appliance, a limited function device that has been mis-designed so as not to operate without unnecessary internet connectivity back to specific vendor/product back-ends.

          FIFY.

    2. Anonymous Coward
      Anonymous Coward

      "I'm sure I'll regret asking, but why?"

      Can't you spot someone who's just impersonating Dilbert's Topper?

  9. Anonymous Coward
    Anonymous Coward

    Hadn't thought about Radius in quite a while. Nice approach, may even be useful. Certainly have the pieces.

  10. Pascal Monett Silver badge
    Facepalm

    "if the cloud service goes down, it'll likely take its gadgets with it"

    Won't be the first time. Just ask anyone who's ever had a music subscription - 99% of those are dead.

    Yet people still keep believing in convenience.

    Incredible.

    1. John Gamble
      Joke

      Re: "if the cloud service goes down, it'll likely take its gadgets with it"

      "Won't be the first time. Just ask anyone who's ever had a music subscription - 99% of those are dead.

      How often do you ask dead people about their music subscriptions? I find it generally doesn't come up in conversation.

  11. Roger Kynaston

    Radius/EAP/802.1x at home

    I look after a part of this at work (Radius infrastructure) and it is not trivial. I can't see being able to get an entire AAA system on home routers being a goer for reasons people have outlined above. BT struggles to get a stable NAT and firewall on their hubs after all.

    The principle sounds like a good one though if manufacturers can be persuaded to go along. I think that this might be an area for legislation though. Manufacturers could then be compelled to put a standards compliant authentication system in their toys and also be prevented from using it to harvest/sell personal data.

    I make no comment about an internet connected fridge though.

  12. Version 1.0 Silver badge

    Fix it at the Router

    We have a new WiFi standard coming - this is an opportunity. We used to just have a WiFi AP, then "security" promoted a "Guest Network" which is an automatic option on most Wireless AP's these days. Let's add an "IoT network" with direct outside access (rate limited) - this would work with all legacy devices and requires nothing from the IoT cheapskate manufacturers.

    It's not perfect but we could have this running tomorrow.

  13. Adrian 4

    iot mark

    There's also an effort to create a certification marking to show IOT devices have been designed with proper consideration of security and interopability.

    https://iotmark.wordpress.com/

    1. david 12 Silver badge

      Re: iot mark

      >https://iotmark.wordpress.com/<

      designed with ... security ...

      On a wordpress site :)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like