Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security The Internet

If It Uses Electricity, It Will Connect To the Internet: F-Secure's CRO (theregister.co.uk) 308

New submitter evolutionary writes: According to F-Secure's Chief Research Officer "IoT is unavoidable. If it uses electricity, it will become a computer. If it uses electricity, it will be online. In future, you will only buy IoT appliances, whether you like it or not, whether you know it or not." F-Secure's new product to help mitigate data leakage, "Sense", is a IoT Firewall, combining a traditional firewall with a cloud service and uses concepts including behaviour-based blocking and device reputation to figure out whether you have insecure devices.
This discussion has been archived. No new comments can be posted.

If It Uses Electricity, It Will Connect To the Internet: F-Secure's CRO

Comments Filter:
  • I don't think so. (Score:5, Interesting)

    by captaindomon ( 870655 ) on Wednesday June 21, 2017 @10:26AM (#54661229)
    I get his point - more things will be connected to the internet. But more things will also not be. The internet is a utility now, it's not just new and shiny. Sure, there will be coffee machines that are connected to the internet you can buy, but there will be a ton of people that don't want them and want a normal coffee machine. If you don't believe me, look at pets.com and the bubble burst. Seemed at the time that everything would be purchased through a web site. Sure, Amazon has some pet food sales. But people aren't ever going to stop buying dog food locally.
    • by UnknowingFool ( 672806 ) on Wednesday June 21, 2017 @10:31AM (#54661257)
      Let's take his own example: An Internet connected toaster. Why the **** would my toaster need to be connected? His point is that the toaster company would add Internet to my toaster regardless if I want it so they can collect analytics. I use my toaster twice a year. Even if I leave it connected, the data they collect will be of little use. If they really want to connect everything, I'll just leave things unplugged. Or not connect them to my home network. Or get another model that doesn't have a connection.
      • Re:I don't think so. (Score:5, Informative)

        by Jason Levine ( 196982 ) on Wednesday June 21, 2017 @10:35AM (#54661297) Homepage

        We use our toaster often, but unplug it when we're not using it. If our toaster was Internet-connected, would we need to wait for it to boot up before we could make some toast? Because if that's the case, I'll do what you do and buy a non-Internet-connected toaster or not connect it to my home network. (If the toaster requires Internet connectivity to make toast, it will be returned ASAP and I'd post a warning online to keep others from buying that model.)

        • His argument is that non-internet toaster won't be produced. The problem with that is that no matter how inexpensive that internet connection module gets, it still adds cost to what is the most basic of electrical devices around (AC Electricity directly connected to heating wires, a simple mechanical switch and spring). A toaster is actually a perfect example of a device that might be sold internet connected, but will never ever be ONLY sold as internet connected. And the simple reason is that internet conn

          • If the current direction continues, there will never be an Internet toaster. The bulk of consumer IoT devices lack the I in IoT. A device is not port of the Internet if it does not have an IP address. Until I can ping my toaster from across the planet, we do not have an IoT. We have an ioT, small "i" that is routed through a bunch of half-baked proprietary layers and protocols that is only then tunneled through the Internet to a proprietary cloud application. (Real) IoT, fusion and (real) AI have been
        • by AmiMoJo ( 196126 ) on Wednesday June 21, 2017 @11:08AM (#54661681) Homepage Journal

          How about a free toaster if you plug it in for at least 16 hours a day? And by the way it has a microphone and a screen showing adverts on it... And it etches adverts into the toast as well... But it's free!

        • If your smart-toaster is incapable of functioning without booting and connecting to the internet, it is poorly designed. Any smart device that isn't a good device first is going to be a failure no matter how many bells and whistles it has on top of it. About the only nice feature I can think of for a smart toaster would be to remind me the evening before to pre-load some bread into it so that it can start toasting it at a set time in the morning, or if its really smart after it knows that I'll want my toast
      • Let's take an even better example... my reciprocating saw (a.k.a. "sawzall") and other corded power tools.
    • Retail is dying. Get over it. That has nothing to do with the article. If you don't want an electric coffee machine then use a French press.

      • French Press's can be electric.

        Were you trying to make some sort of logical argument? If so, you need to start with logic.
      • by gnick ( 1211984 )

        If you don't want an electric coffee machine then use a French press.

        There's a middle ground between a French press and a coffee maker that tracks my brewing habits. No matter how prevalent these smart devices get, there will always be a demand for dumb ones. And where there's demand, there's supply.

      • Yes! Coffee is going to become scarcer due to Global Warming. Extract ALL of the goodness from the beans before it's too late.

        And you can use the residue to dissolve annoying relatives without leaving any forensic evidence.

    • Re: (Score:2, Insightful)

      by Opportunist ( 166417 )

      You assume that you have a choice to connect these things to the internet if you want to use them. Think again.

      The makers of such devices have a huge interest in you being connected to the internet. Mostly to send data to them. About you and your consumer habits. Do you have a faint idea how much it's worth to know when you watch TV, what you watch and when and how often you switch between channels? How you choose your TV shows? That's market research you can take straight to the bank. At the very least the

      • You assume that you have a choice to connect these things to the internet if you want to use them. Think again.

        Of course I have a choice, even if I have to enforce it by ripping out an antenna, putting the damned thing in a Faraday cage, or just sticking to the inevitable cheapest of cheap brands that won't ever spend the extra couple of cents to put the circuitry in.

      • Around here, people like to go to cabins at the lake to relax. These cabins often have no internet access, but the visitors still want toast, microwaves, refrigerators, etc.

        Companies that REQUIRE internet access for electric can openers are shooting themselves in the foot.
        • Then they will make it very, very, VERY inconvenient not to connect them to the internet, at the very least.

          The market for such devices is rather small, so given the "danger" of people buying them who could else be forced into giving up their data buying them and thus not providing data that can be sold for lots of money, it's unlikely that any maker of appliances would endanger his data harvesting for such comparably insignificant gains.

          • Then they will make it very, very, VERY inconvenient not to connect them to the internet, at the very least.

            The market for such devices is rather small, so given the "danger" of people buying them who could else be forced into giving up their data buying them and thus not providing data that can be sold for lots of money, it's unlikely that any maker of appliances would endanger his data harvesting for such comparably insignificant gains.

            That's where there's a niche-market for tiny cottage-industries. For example, I occasionally build custom vacuum-tube guitar amplifiers either for myself or acquaintances. Unless they can figure a way to incorporate IoT into the glass envelope of a 6L6GC, 12AX7A, or EL34. :P

            Strat

          • Who would willingly buy a product that purposefully makes things inconvenient for the user, or puts its makers' needs ahead of its primary function? Ask Microsoft how well that went over with the Xbox One with its "phone home once a day" requirement. Sony ate their lunch.

            Consumers will still have a choice, because all it takes is ONE manufacturer to realize that privacy might be a feature worth touting to gain an edge in sales over their competitors. The idea that there won't be a single product among th

    • by hey! ( 33014 )

      Individual businesses may fail, but businesses as a whole will keep trying until someone succeeds at getting their technological hooks into you. It isn't customer demand driving this, nor is it customer benefit (you can't be *that* naive). What's driving this is a fundamental fact of marketing: new customers are expensive to find.

      So when you as a customer are seeking a transaction, I as a marketer am seeking to parlay that transaction into a relationship. This is apparent if you look at something like a s

    • I get his point - more things will be connected to the internet. But more things will also not be. The internet is a utility now, it's not just new and shiny. Sure, there will be coffee machines that are connected to the internet you can buy, but there will be a ton of people that don't want them and want a normal coffee machine.

      His point was centered around the fact that you won't be even offered a choice in the future, thanks to Greed. No manufacturer will simply be satisfied with the one-time profit created from a "dumb" coffee machine. They will want many sources of revenue coming from aggregating their customer usage data and selling and re-selling it over and over again. Along with coffee subscription services, and accessories that report back to the infamous cloud when the carbon filter is dirty and needs to be changed/or

      • When it comes to products like food (pet or human), the almighty price tag rules...

        Yeah, hence the huge number of brands of dog food at $5 a can just because they've got a cute Yorkshire on them and the aisles of "natural" produce. There's a hole in that logic of yours somewhere.

    • Sure, there will be coffee machines that are connected to the internet you can buy, but there will be a ton of people that don't want them and want a normal coffee machine.

      Yes, but those people won't necessarily buy what they want, especially if the sticker price isn't any different (and computers are dirt cheap). They currently buy internet-connected TVs, you know. (And that's just the tip of the iceberg on people making sacrifices and tradeoffs. People do it all the time.)

  • by Opportunist ( 166417 ) on Wednesday June 21, 2017 @10:27AM (#54661233)

    Film at 11.

    He's probably right about the push towards having to be online, but I fail to see how an IoT firewall should mitigate it. Especially with the increasing use of IPv6, which means more and more IoT devices will try to get un-NATed access to the internet (and will probably also get their wish granted).

    Good luck trying to firewall that.

    Sorry, but no. If we want secure IoT devices, we have to demand them. And that means not buying the shoddy, insecure junk that's currently peddled. And I'm not even talking about any gimmicky gadgets from some Aliexpress shops, I'm talking about our "smart" TVs and other "smart" appliances made for dumb people.

    • by sinij ( 911942 )
      Problem is much bigger than security. Lets say I designed a very secure smart TV that I also regularly patch. The problem of this TV listening on my conversations and inserting ads into my feed remains.

      This why I think only legislative solution could work. We should have clear rights to our own data, so we can stop on-going theft of it.
    • by AmiMoJo ( 196126 )

      It's an IoT firewall with "cloud service", so basically their cure is to install another of the very things that makes it insecure in the first place.

    • by GuB-42 ( 2483988 )

      NAT is not a security feature. It is a workaround for the lack of IPv4 addresses.
      It just has the side effect of blocking some inbound connections, but if it is what you need, this can be done with a simple firewall rule, one that most home routers are likely to have enabled by default.

    • How about we just don't buy them at all, and let the whole 'IoT' fad die out, like Pogs and Spinners?
    • Especially with the increasing use of IPv6, which means more and more IoT devices will try to get un-NATed access to the internet (and will probably also get their wish granted).

      Good luck trying to firewall that.

      That's rather simple to do. Unless device manufacturers are going to provide their own Internet infrastructure, they will still need your Internet connection to do their nefarious deeds.

      Simply have a default I/O policy of Deny on your firewall, allow only specific devices to use your connection, and you're done. There is nothing magical about IPv6 in this regard.

    • He's probably right about the push towards having to be online, but I fail to see how an IoT firewall should mitigate it.

      +1.

      Firewalls were never more than a half-baked stopgap anyway, intended to band-aid over the problem that system design and implementation sucked (anti-virus is the same thing, but much, much worse -- we're getting that right with the mobile iteration, at least).

      The right answer is not to employ firewalls to block access to ports that shouldn't be open... the ports just shouldn't be open. Devices should only respond to packets they're supposed to respond to, and should encrypt and authenticate the conne

  • Just rip out the antenna so it can't try to get on your wifi or cellular networks. Bam, good old fashioned dumb appliance that will simply do what it was originally designed for instead of trying to integrate a billion little web marketing doodads on to a screen that shouldn't be there in the first place.

    • by EvilSS ( 557649 ) on Wednesday June 21, 2017 @10:41AM (#54661361)

      Just rip out the antenna so it can't try to get on your wifi or cellular networks. Bam, good old fashioned dumb appliance that will simply do what it was originally designed for instead of trying to integrate a billion little web marketing doodads on to a screen that shouldn't be there in the first place.

      "We're sorry, there seems to be a problem connecting to the internet. You will need to complete the WiFi setup before you can make your toast"

      • There will always be a market for basic, 'dumb' appliances and other things, because not everybody is rich, but everybody needs to live. So you don't get the shiniest new things; so what? A toaster needs to just be good at being a TOASTER. Or a coffee maker. Or a refrigerator. Or a dishwasher, clothes washer, clothes dryer, and so on. There will ALWAYS be companies that make basic, reliable things like that. Don't believe all this bullshit hype that 'everything is going to be a computer'. Not necessary. As
    • So sorry, the boot sequence could not be completed as ordered, for some odd reason the WiFi module doesn't come online and without, I don't start. But since you didn't modify or tamper with the device, you can of course return it for a replacement!

  • There's always a market for 'dumb' things, be it phones, tools, or appliances. Your choices may be far more limited if you don't want an IoT appliance, but you're not going to be forced to buy one. Someone will see an opportunity for non IoT items and sell to those people. That's the way the market works.
    • by sinij ( 911942 )
      This isn't as simple as that. If I can sell you a toaster that snoops $10 worth of data over its lifetime, then I can undercut dumb toasters by $10.
      • I bet many people will pay a little more to have a dumb appliance. Especially those who are security conscious.
        • by sinij ( 911942 )
          "Who are security conscious" are very niche market, as such only ultra-upscale offerings would be profitable. So a $500 'artisinal' dumb toaster.
      • Speaking of "isn't as simple"... If you undercut by any profit you'd make, you've incurred work that is completely unnecessary.
    • Yes. The question is, though, whether the market is big enough and whether licensing will allow it to exist.

      Imagine some company with an interest in heavy copyright enforcement establishes the next standard format. They could well demand that anyone who wants to use that format has to be connected with the internet so they can determine whether the content you try to view has been blessed by the DRM gods. No internet, no 16k smellovision for you. And no, making a TV that offers you to play it without the DR

      • I don't think they can demand internet connections for non-recreational devices. There are always legitimate reasons why a place might not have internet access. You might get away with that for game systems and the like, but not for every day devices.
        • by sinij ( 911942 )
          We thought OS integrity was sacrosanct, but here we are with Windows 10 spying on you. This too will change.
    • Artisanal toasters. Who knew?

  • I find it unlikely that my soldering will be part of the great IoT revolution.

    Maybe the power-outlet it plugs in to, though...

    • Wonder if going solar would help with this idea, or would "they" just try to mic/camera my solar charged battery.
  • Not in my house, it won't.

    • Not in my house, it won't.

      Better stock up on all the appliances you're going to need for the rest of your life, then. Because in a few years it's going to be very hard to buy appliances that don't connect.

  • I think he is overestimating how many people will pay a subscription to a cell plan (even at 5bucks/mon that is 60 bucks/yr X #IoT devices) and if the IoT maker opts for WiFi, who says I am going to give the IoT device the password? And if the device does not work without wifi, I'll return it.

    • And if the device does not work without wifi, I'll return it.

      And then what? Your argument is much like "If the Bluray player doesn't let me record the signal, I return it". Yes. You can. But you can't get one that lets you.

      It's by far not unlikely that you simply will not get any devices that give a shit what YOU want.

    • I think the concern doesn't quite lie in this area. The issue isn't that the device is going to cost more, it's that it's going to cost less. Why? Because they're going to mine your data for profit and show you ads.

      So a few manufacturers start making internet connected toasters that burn images (subscription or one-time-purchase?) into the kids' toast in the morning. Those get popular. Then one of them has the bright idea to burn an advertisement on one side, while burning the Disney characters on

  • After reading the article, I am looking forward to IoT sewage pump.
  • The guy undercuts his own point.

    His claim is that every device will have cheap telemetry installed to report whatever the vendor wants to know. Which isn't unreasonable.

    However, the avenue this telemetry uses is the question. "Such devices will not rely on home Wi-Fi systems, says Hypponen, rather undermining the principle behind the company's new Sense hardware." (They pretty much all use home wifi now.)

    Until then, it's not a terribly difficult process to look at your wifi and disable connections from M

  • Is this guy a troll or something? I've never heard anything so gods-be-damned stupid in my entire LIFE.

  • by slashmydots ( 2189826 ) on Wednesday June 21, 2017 @11:03AM (#54661623)
    Yay, headline-bait garbage! If you don't plug an ethernet cable into it or tell it your SSID and wifi password, then I guess there's no threat at all and they won't sneakily connect to the internet without your knowing and hack your whole house and OMG your whole family is gonna die ahhhh!!!
  • My brain and nervous system use electricity. Are those going to become computers and move online? I'm willing to consider it as long as the source is audited by multiple trusted parties.
  • In order to be online, I either have to a) plug it in b) configure it with my WiFi encryption or c) provide unencrypted WiFi. It can't get online unless I put it online.

  • We have seen several years already of adding connectivity for marketing's sake alone, and with some well known disastrous results. Problems come in two camps, only the first being security of cheap poorly designed widgets. The second is plain old functionality, which is what will ultimately keep IoT from becoming truly ubiquitous and ingrained.

    Even if (big IF) security was tied up with a bow, the utility side is a big one. Fly by night companies stop support for products and shut off servers within month

  • "If it uses electricity, it will be online."

    Like my metal detector's going to get any sort of connectivity signal A. out in the middle of nowhere desert areas and B. inside a mine shaft.

  • by knorthern knight ( 513660 ) on Wednesday June 21, 2017 @11:53AM (#54662099)

    Manufacturers are effing *CHEAP*. Yes you might be able to mesh network a device with a 2-cent chip. But you can't make a *SECURE* device for 2 cents. You'll get the usual idiot practices of hardcoded passwords being the same for all products of the same model, communicating by cleartext telnet. When bricked devices start being returned in droves, watch for manufacturers to change their minds quickly.

    Ditto for not operating when not connected. maybe Brickerbot can get some of these devices to transmit a random noise signal at max power. Eventually it'll become like wifi in my condo, where I can see 25+ neighbours' systems fighting over the same 11 channels. If it needs connectivity to work at all, a *LOT* of people will avoid it.

  • My soldering iron uses electricity but does not need to be connected to the internet.

    My drill uses electricity but does not need to be connected to the internet.

    My power saw uses electricity but does not need to be connected to the internet.

    My welder uses electricity but does not need to be connected to the internet.

    My flashlight uses electricity but does not need to be connected to the internet.

    My blender uses electricity but does not need to be connected to the internet.

    There are a _LOT_ of devices that

  • I already saw some website recently showing all kinds of sill IoT things. Don't remember where, but seriously useless silly stuff.

  • ...combining a traditional firewall with a cloud service

    So it's a device that is used to restrict the access between IoT devices and the outside world, but relies on a cloud service to operate? No thanks. I'll take a router that offers me two wifi networks, one for my computers/tablets/etc and one of all of the iToasters, has the ability to block one of those from reaching the outside world, and doesn't require someone else's website to configure it.

  • Devices may *want* to be or have the capability to be connected to the Internet, but w/o a CAT5 cable plugged into it, or a local WiFi password, it's not going to happen. If they try to use any near-by open hot-spots, I guess we can just put little Faraday cages around the damn things.

    If a device doesn't work w/o being connected to the Internet, then I won't buy it.

  • And those will begin to see that a device that cannot connect to the internet as an advantage and that will make sure they get that.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...