Stopping IoT devices ending up in botnets

In 1x78 we discussed ways of preventing IoT devices from being compromised. We’ve also taken the question to Twitter, and got a bunch of suggestions:

https://twitter.com/sortova/status/794513626237374464





So… would these work? Are there other approaches? What do you think?

Why do you invite Bryan Lunduke to the Bad Voltage podcasts?
He will be better off on a Preppers podcast or a Conspiracy podcast…
He really ruins Bad Voltage and takes over the whole episodes with his paranoia and luddism.

1 Like

At one point I got the feeling @jonobacon was going to tell him to sod-off.

I mean, Bryan’s not entirely wrong, he just gets a carried-away and I want to hear what the other’s have to say too without all the interruption.

I feel @bryanlunduke is being a a little put upon here. I know he is a big boy and can speak for himself, and I’m sure he will, but not everyone out there in internet land has our best interests at heart and we need to be vocal, and active, about it

I can’t see the point of an IoT toaster, and I honestly thought the presenters were making it up for comic effect, but they do exist as do IoT coffee makers: Why?

I do not want to come across as a luddite here, I wouldn’t have a job without computers – mainly embedded, but we do need to question what legitimately needs internet access and what does not.

For example my website: “my.handsome.horse” (Not it’s real name) runs of a Raspberry Pi and provides a forum Private messaging service and live Web-cams for myself and the other owners of horses on the land we share. This seams to me to a a valid IoT thing to have as it gives me confidence my horses are OK. Last night was bonfire night here in the UK and a lot of pets are scared by the loud noises from the fireworks so being able to see they are fine brings peace of mind.

On the other hand why does my toaster need to be internet aware? I can’t leave bread in it overnight as it would go stale so at most I save a few seconds in that I could get up put bread in my toaster, go and have my morning shower, use my phone to start the toaster then go down stairs and eat my toast. Is this worth it?

I agree with @bryanlunduke here, to a extent, We should seriously question why any device should be internet connected, only connect if we have a valid reason, and where we feel justified in giving a device internet access we must ensure its as safe as possible: As few ports open as needed, limit ability to run code other than that necessary to perform the function needed, etc.

Here are my ideas:

http://blog.gerv.net/2016/03/an-iot-vision/
https://blog.gerv.net/2016/10/no-default-passwords/
https://blog.gerv.net/2016/10/security-updates-not-needed/

Gerv

2 Likes

So you can see your toast browning in real-time using a VR headset! Isn’t that everyone’s dream?! And then it can automatically FB message your kids that breakfast is ready, and direct them to a Google Form asking what they want on the toast so your IoT fridge and IoT pantry can move those items to the front and request re-stock from Amazon when necessary.

Seriously though, just because you don’t want an internet toaster doesn’t mean enough other people don’t legitimately want one to justify selling them.

IKR?

(My post must be longer than THERE WE GO FINALLY)

1 Like

Excellently put.

Oh, it’s ok. I’m used to it. Just wait a few weeks… got a few things coming up that people are going to be massively opinionated about.

YES!

Hiya,

First post and everything, but I think something that everyone is overlooking here is the low-level protocol (TCP/IP). The problem is the global address space. As Stuart pointed out, with IPv6, every host is potentially addressable on the global internet. This is the problem behind virtually all of the large-scale internet attacks of recent years.

An alternative is RINA, which that WIkipedia link explains a lot better than I can. It aims to address lessons learnt by a few decades of a TCP-IP-based internet and apparently allows for seamless adoption from the current state of affairs. The only thing is that adoption needs to happen at some point. And who are the people that can implement it? People like us, of course!

Cheers

Jerry

Basically, I think that your desire, @gerv, for

is directly contrary to manufacturer’s desires to (a) collect your data so they can monetise it and (b) not sell devices which can then be controlled by other people because then they can’t lock you in. Let’s leave aside fairness for now (it is the most important point but doesn’t actually motivate businesses) and instead try to look at this economically. Imagine that a device costs, say, £100. Included in that is some level of monetisation of your personal data which is harvested by the device, some level of lock-in which makes you more likely to buy future devices from this company and not some other company, and some money saved by not having to put in extra effort to open source the code or comply with someone else’s standard and so on. So, a device which does not collect your personal data to monetise it, does not lock you in, and does have extra development effort to comply with a previously existing standard would cost more: maybe £130. Would consumers buy the £130 “privacy++” model of this device in preference to the £100 “privacy–” model? Manufacturers in general think “no”. Maybe we can convince them otherwise, by demonstrating that people actually do value privacy, and putting a dollar number on that value…

1 Like

@sil: then maybe what we need is to force this on companies; that is, develop an open source router into which you can put device “profiles” which say “ah, that’s a FooCorp thermometer - I’m going to block the requests to a.b.com because that’s it selling my data, but allow downloads from c.b.com because those are updates. And it’s not going to be able to contact anywhere else, just in case it gets hacked.”

I may be missing something about this idea. Why would anyone buy this router? Its marketing model is “a router like any other except that some of your devices won’t work with it”, which means nobody’s gonna buy it. Anyone who understands that it stops evil.com’s devices from working because they’re evil wasn’t gonna buy a device from evil.com anyway, right?

I certainly think that an end goal like this is a good idea. But we have to teach people that their privacy is important first. Basically every privacy-protecting thing available today starts by saying “privacy is important: that’s an axiom” and then, having taken that as read, builds something which provides it to people who already believe. But that’s not the hard thing; the hard thing is helping peolpe understand why it’s important. (This is, as noted previously, something I’d truly love to see Mozilla take a lead on.)

Bruce Schneier: Regulation of the Internet of Things
https://www.schneier.com/blog/archives/2016/11/regulation_of_t.html

–jeremy