FTC Has Serious Concerns About IoT Security and Privacy (onthewire.io) 41
Trailrunner7 quotes a report from On The Wire: The Federal Trade Commission has sent comments to the Department of Commerce, outlining a list of concerns about the security and privacy of connected and embedded devices, saying that while many IoT devices have tangible benefits for consumers, "these devices also create new opportunities for unauthorized persons to exploit vulnerabilities." One of the key security problems that researchers have cited with IoT devices is the impracticality of updating them when vulnerabilities are discovered. Installing new firmware on light bulbs or refrigerators is not something most consumers are used to, and many manufacturers haven't contemplated those processes either. The FTC said the lack of available updates is a serious problem for consumers and businesses alike. "Although similar risks exist with traditional computers and computer networks, they may be heightened in the IoT, in part because many IoT chips are inexpensive and disposable, and many IoT devices are quickly replaceable with newer versions. As a result, businesses may not have an incentive to support software updates for the full useful life of these devices, potentially leaving consumers with vulnerable devices. Moreover, it may be difficult or impossible to apply updates to certain devices," the FTC comments say. In early May, the FTC issued a 10-page letter to eight leading players in the mobile communications arena requiring them to tell the agency how they issue security patches.
No kidding (Score:4, Insightful)
Or ad blockers. Or the ridiculous piece of crap that Samsung makes that already enables MiTM attacks. https://www.schneier.com/blog/... [schneier.com]
Comment removed (Score:4, Funny)
Re: (Score:3)
ctl-alt-flush
then enter the PIN
oh wait - the PIN was supposed to go AFTER or BEFORE the flush?
damn.
where's my abacus. fuck this shit.
Decoupling (Score:2, Interesting)
Decouple the software and hardware manufacturers from each other by defining lots of open, roalty-free standards and interfaces. It will work. Maybe.
Re: (Score:2)
Re: (Score:2)
The standards exist. However professional builders want to lock your smart house in their own software packages and DIY-grade want to lock you into only buying their brand (DLink, Philips, Honeywell, GE, ...). It's hell trying to find something that interoperates correctly across brands even if they support a standard like ZWave.
Air-gap (Score:4, Informative)
Proper setup for IoT: wired networking (via powerline is probably the easiest), no WAN access. Vulnerabilities can still be exploited, but the attacker has to be inside your house to do it. A compromised PC could be used to stage an attack, but if they're compromised your PC they can control the devices directly if those are the targets and if the PC's the target they don't need to compromise the devices at that point.
For the wireless fans, I have bad news: there isn't any safe way to access IoT devices over WiFi. The connectivity-at-a-distance nature and lack of interface to configure encryption/authentication keys on the devices makes it inherently impossible.
Re: (Score:2)
I have what I think is a fairly proper setup. If you want access to camera's thats wired with VPN access. You could get on my zwave network and what look at thermostats and dimmers? Sure you could turn the lights on but nothing more mischievous that costing me some money, you could see when I'm moving about and what temperature etc. Wifi you could know how much propane is in my grill and that network deadends. Primary security is hardwired it keeps my insurance guy happy, I've got some RF in that if yo
Re: (Score:2)
The big threat isn't that, it's a vulnerability in a server program on the zwave network that provides data from the devices that can be exploited to let you execute code on that device. Now you can load a program onto it that, rather than doing it's normal job, can connect to any of the PCs that can see that data. The PCs will see an internal connection which bypasses the router's firewall and quite possibly the PC's individual firewall if like most people you've told your PCs they're on a home network and
Re: (Score:2)
Thus my I'm sure somebody could come up with an attack that jumps from one of these networks through vera or openhab to get further up the stack statement. And why both of those have very little access to anything. I would frankly be far more worried about somebody getting into one of these cloud connected HA controllers I picked gear specifically that will work without an internet connection.
May not? (Score:4, Insightful)
"businesses may not have an incentive to support software updates for the full useful life of these devices"
Make mandatory by force of law and there you have your incentive.
Re: (Score:2)
How are you going to enforce this? The majority of "smart" devices are shipped directly from China and don't even have things like manuals, English text or UL listings let alone up to date software. I've seen some heavy duty equipment even that have 200W lasers ship with an aquarium pump and software that runs only on XP with Windows 95 compatibility.
Re: (Score:3)
How are you going to enforce this? The majority of "smart" devices are shipped directly from China and don't even have things like manuals, English text or UL listings let alone up to date software. I've seen some heavy duty equipment even that have 200W lasers ship with an aquarium pump and software that runs only on XP with Windows 95 compatibility.
Then perhaps it's time we stop importing cheap SHIT that fails to meet basic standards.
Since price trumps all for the ignorant masses, I guess we'll have to wait for those trillion-dollar class-action lawsuits. You know, because those are sooooo worth it to consumers in the end when we receive a free coupon for a month's worth of light bulb monitoring service.
Re:May not? (Score:4, Insightful)
"How are you going to enforce this? The majority of "smart" devices are shipped directly from China"
The same way things like that are enforced in EU: no seal of approval? can't be legally imported. For things that are imported by a trader in USA, you go after the trader. For things that are imported by an end user, that's what things like TTIP *should* be: government-to-government agreement that this won't happen or the seller will be fined by its domestic country..
Re: (Score:2)
"Do you need the government to wipe your butt?"
This is a democracy. I *hire* the government to wipe my butt.
Is someone deliberately posting this stuff? (Score:2)
https://slashdot.org/comments.... [slashdot.org]
Seriously it's meaningless bullshit, STOP.
Vald concerns by the FTC (Score:1)
Unlikely people would buy a Samsung's TV if they knew about this, but Microsoft has a virtual monopoly we can't avoid. Time for the FTC to stop these repugnant companies for abusing their do
IoT: The Gift That Keeps On Taking (Score:5, Insightful)
IoT is a nightmare already and is bound to get worse. None of these manufacturers take security seriously, it's all just "Hey, lets make our $gadget internet connected and brag about it!".
Most of the "benefits" are marginal or meaningless, and I can guarantee you that this whole IoT shitstorm is going to get worse- much worse- before it gets better. If it ever gets better, that is.
You think you got vulnerabilities coming out of your ass now, just wait. You ain't seen nothin' yet.
Re: (Score:2)
variety is the spice of life
Hack and screw around with voltage regulation, and you could start a fire.
Hack a fridge during the day and shut it off for a few hours. Turn it back on so the consumer doesn't notice its become a food poison death trap.
If you think IoT doesn't require a security baseline, you're being ignorant of the dangers.
Security is an afterthought (Score:2)
It's very rare that security is considered in an MVP. Some simpler types of IoT devices (typically send-only), that rely more on the cloud back-end, may have better luck by improving the security of the cloud-based compon
Where is the outrage for smartphones?!? (Score:5, Interesting)
So the FTC is suddenly concerned about updating software or firmware for IoT devices. Can someone please explain to me where the hell the outrage is for vendors who stop supporting smartphones well before their useful life?
Humans carry around their lives in smartphones these days. Needless to say, having my "vulnerable" light bulb hacked isn't going to have the same impact as rooting my phone.
Believe me, I like the attention IoT security is perhaps finally receiving, but talk about priorities...
Re: (Score:2)
Can someone please explain to me where the hell the outrage is for vendors who stop supporting smartphones well before their useful life?
Sure.
It doesn't exist because the vast majority of smartphone buyers simply don't care. Many expect to replace their phone every other year or so (or more often as the devices get broken), and most of the cost-conscious don't care because in practice the security issues don't affect them. Sure, in theory their old, unpatched devices are horribly unsecure, but in the real world nothing bad actually happens because of it. The real problems that affect users are things like SMS fraud and ransomware, which ha
Correction: (Score:2)
Correction: any rational person has severe concern about security and the ridiculous "IoT".
What is this thing you call... computer? (Score:1)
“IoT devices are capable of collecting, transmitting, and sharing highly sensitive information.”
"these devices also create new opportunities for unauthorized persons to exploit vulnerabilities."
“The massive volume of granular data collected by IoT devices enables those with access to the data to perform analyses that would not be possible with less rich data sets,”