Internet of Things. Yet Another Gloomy Post.

Technically, I work with Things, as in the Internet of Things.

As outlined in Everything as a Service, many formerly ‘dumb’ products – such as heating systems – become part of service offerings. A vital component of the new services is the technical connection of the Thing in your home to that Big Cloud. It seems every energy-related system has got its own Internet Gateway now: Our photovoltaic generator has one, our control unit has one, and the successor of our heat pump would have one, too. If vendors don’t bundle their offerings soon, we’ll end up with substantial electricity costs for powering a lot of separate gateways.

Experts have warned for years that the Internet of Things (IoT) comes with security challenges. Many Things’ owners still keep default or blank passwords, but the most impressive threat in my opinion is not hacking individual systems: Easily hacked things can be hijacked to serve as zombie clients in a botnet and launch a joint Distributed Denial of Service attack against a single target. Recently the blog of renowned security reporter Brian Krebs was taken down, most likely as an act of revenge by DDoSers (Crime is now offered as a service as well.). The attack – a tsunami of more than 600 Gbps – was described as one of the largest the internet had seen so far. Hosting provider OVH was subject to a record-breaking Tbps attack – launched via captured … [cue: hacker movie cliché] … cameras and digital video recorders on the internet.

I am about the millionth blogger ‘reporting’ on this, nothing new here. But the social media news about the DDoS attacks collided with another social media micro outrage in my mind – about seemingly unrelated IT news: HP had to deal with not-so-positive reporting about its latest printer firmware changes and related policies – when printers started to refuse to work with third-party cartridges. This seems to be a legal issue or has been presented as such, and I am not interested in that aspect here. What I find interesting is the clash of requirements: After the DDoS attacks many commentators said IoT vendors should be held accountable. They should be forced to update their stuff. On the other hand, end users should remain owners of the IT gadgets they have bought, so the vendor has no right to inflict any policies on them and restrict the usage of devices.

I can relate to both arguments. One of my main motivations ‘in renewable energy’ or ‘in home automation’ is to make users powerful and knowledgeable owners of their systems. On the other hand I have been ‘in security’ for a long time. And chasing firmware for IoT devices can be tough for end users.

It is a challenge to walk the tightrope really gracefully here: A printer may be traditionally considered an item we own whereas the internet router provided by the telco is theirs. So we can tinker with the printer’s inner workings as much as we want but we must not touch the router and let the telco do their firmware updates. But old-school devices are given more ‘intelligence’ and need to be connected to the internet to provide additional services – like that printer that allows you to print from your smartphone easily (Yes, but only if you register it at the printer manufacturer’s website before.). In addition, our home is not really our castle anymore. Our computers aren’t protected by the telco’s router / firmware all the time, but we work in different networks or in public places. All the Things we carry with us, someday smart wearable technology, will check in to different wireless and mobile networks – so their security bugs should better be fixed in time.

If IoT vendors should be held accountable and update their gadgets, they have to be given the option to do so. But if the device’s host tinkers with it, firmware upgrades might stall. In order to protect themselves from legal persecution, vendors need to state in contracts that they are determined to push security updates and you cannot interfere with it. Security can never be enforced by technology only – for a device located at the end user’s premises.

It is a horrible scenario – and I am not sure if I refer to hacking or to proliferation of even more bureaucracy and over-regulation which should protect us from hacking but will add more hurdles for would-be start-ups that dare to sell hardware.

Theoretically a vendor should be able to separate the security-relevant features from nice-to-have updates. For example, in a similar way, in smart meters the functions used for metering (subject to metering law) should be separated from ‘features’ – the latter being subject to remote updates while the former must not. Sources told me that this is not an easy thing to achieve, at least not as easy as presented in the meters’ marketing brochure.

Linksys's Iconic Router
That iconic Linksys router – sold for more than 10 years (and a beloved test device of mine). Still popular because you could use open source firmware. Something that new security policies might seek to prevent.

If hardware security cannot be regulated, there might be more regulation of internet traffic. Internet Service Providers could be held accountable to remove compromised devices from their networks, for example after having notified the end user several times. Or smaller ISPs might be cut off by upstream providers. Somewhere in the chain of service providers we will have to deal with more monitoring and regulation, and in one way or another the playful days of the earlier internet (romanticized with hindsight, maybe) are over.

When I saw Krebs’ site going offline, I wondered what small businesses should do in general: His site is now DDoS-protected by Google’s Project Shield, a service offered to independent journalists and activists after his former pro-bono host could not deal with the load without affecting paying clients. So one of the Siren Servers I commented on critically so often came to the rescue! A small provider will not be able to deal with such attacks. should be well-protected, I guess. I wonder if we will all end up hosting our websites at such major providers only, or ‘blog’ directly to Facebook, Google, or LinkedIn (now part of Microsoft) to be safe. I had advised against self-hosting WordPress myself: If you miss security updates you might jeopardize not only your website, but also others using the same shared web host. If you live on a platform like WordPress dot com or Google, you will complain from time to time about limited options or feature updates you don’t like – but you don’t have to care about security. I compare this to avoiding legal issues as an artisan selling hand-made items via Amazon or the like, in contrast to having to update your own shop’s business logic after every change in international tax law.

I have no conclusion to offer. Whenever I read news these days – on technology, energy, IT, anything in between, The Future in general – I feel reminded of this tension: Between being an independent neutral netizen and being plugged in to an inescapable matrix, maybe beneficial but Borg-like nonetheless.

7 Comments

  1. bert0001 says:

    yes … feeling the same tension. “Between being an independent neutral netizen and being plugged in to an inescapable matrix”, being a customer of both OVH and Hetzner, and two others, and not wanting to bow for the big centralized guys.

    1. elkement says:

      Hi Bert – I agree … and I wonder which hosting companies will still be here 10 years from now. In the old times, there were so many smaller internet access providers, and nearly all of them have vanished (in mergers). But in a sense even that part of history is repeating itself as there are lots of new mobile internet providers using the larger ones’ networks, just as the small wired providers leased lines before. Maybe we will still have lots of small hosting providers who buy their cloud storage from Amazon, Google, or Microsoft…

      1. bert0001 says:

        I follow this discussion closely.
        Independent providers … you still can rent a rack at InterXion and connect to any tier1 provider right there. But it costs a fortune.
        From the smaller side … : I had our Sony TV disconnected from the internet 1 year ago, because it was not listening to my firewall, … I don’t think it has a password that I can alter, only Sony staff (and all the relatives in the 6th degree of everyone who ever worked there) know the password. Now the TV got a little smarter using a raspberry and VU+.
        And then there is … as I read not so long ago on a darker page: “let’s make our own root servers – they won’t be able to make us unreachable anymore” :-/

  2. So, are you saying that the ability of my heat pump to communicate with Joanna’s iPhone simply provides a portal for the dark-side to enter my home network?

    1. elkement says:

      It depends on how your heat pump vendor and your installer implemented security. If an iPhone connects directly to a device, thus accessing its internal web server while the device does not even have an option to connect to the internet, then there is hardly any risk. If the device has an internet connection, risk is greatly reduced by not keeping default passwords. Unfortunately, the time-honored tradition of 0000 passwords for completely isolated devices has been carried over to managing internet connected devices.
      Risk is of course also lower, if the device is not really publicly available – like some of these hacked cameras – but in many implementations involving a vendor’s gateway the continuous connection of the device back to its mothership may effectively poke a hole into your firewall – to allow an inbound connection that technically isn’t inbound.
      If you had to register at the vendor’s portal for accessing your device, there is always a risk of the vendor’s central systems being attacked, rather than yours like in countless recent breaches, where Dropbox / Yahoo / LinkedIn etc. accounts have been hacked.

      One could argue if a thing on your local network is more at risk than any other computer or tablet on the same network: In the former case an attacker has more options as the operating system is not that locked down (due to the richer user interface) and a user can be tricked into clicking on stuff etc. In the latter case, systems are – or should be! – hardened better, but in contrast to a PC used in a typical way, it might be more difficult to deploy security updates (point of my post). Above all, the user does not notice easily if a thing has been hacked for a DDoS attack. Internet connection gets slow and the device itself might not be accessible, both of which can be attributed to countless innocent glitches.

      But now for the important question: So this means your construction project is finished and you moved into your new house? Congrats!!

      1. Your last statement was premature … we are not yet in! The temperature this morning was 37F and the heat pump in our RV (camper) is struggling to keep up. We’ve got a roof and windows in the new construction. No doors … and the heating units are still in their shipping wrappers! Joanna and I are preparing to be cold, cold, cold … until well into November.

        1. elkement says:

          Good luck with the final phase of your project! You are going to really enjoy Christmas holidays in the new house then!
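
elkement's reply about vendor gateways notes that a device's continuous connection back to its mothership can serve as an inbound path through the firewall. As an added example (not part of the original post or comments), this Python snippet lists such standing device-initiated sessions in constructed flow records; the record layout, the IoT subnet, the local range and the duration threshold are all assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow records (not from the post); start/end are epoch seconds.
SAMPLE_FLOWS = """\
src,dst,dport,start,end
192.168.20.11,203.0.113.40,443,1000,87400
192.168.20.11,192.168.20.1,53,1200,1201
192.168.20.12,198.51.100.7,8883,5000,5030
192.168.20.12,198.51.100.7,8883,9000,9025
192.168.10.5,203.0.113.40,443,1000,90000
192.168.20.13,198.51.100.99,443,2000,30800
"""

IOT_NET = ipaddress.ip_network("192.168.20.0/24")       # assumed IoT VLAN
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]   # assumed home ranges
MIN_SECONDS = 6 * 3600                                  # assumed threshold


def persistent_outbound(flow_csv, iot_net=IOT_NET, min_seconds=MIN_SECONDS):
    """Return {device: [(remote, port, hours), ...]} for long-lived sessions
    that a device on iot_net opened to an address outside LOCAL_NETS."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if src not in iot_net:
            continue                      # not one of the Things
        if any(dst in net for net in LOCAL_NETS):
            continue                      # stays inside the home network
        duration = int(row["end"]) - int(row["start"])
        if duration >= min_seconds:       # standing channel, not a short poll
            hours = round(duration / 3600, 1)
            findings[row["src"]].append((row["dst"], int(row["dport"]), hours))
    return dict(findings)


if __name__ == "__main__":
    for device, sessions in persistent_outbound(SAMPLE_FLOWS).items():
        for remote, port, hours in sessions:
            print(f"{device} -> {remote}:{port} open for {hours} h")
```

Each device it lists holds a channel that the remote side can use to reach it without any inbound firewall rule, so those are the devices whose passwords and firmware state deserve a look first.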
