Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Study: Firmware Plagued By Poor Encryption and Backdoors

Soulskill posted about 2 months ago | from the how-the-sausage-is-made dept.

Security 141

itwbennett writes: The first large-scale analysis of firmware has revealed poor security practices that could present opportunities for hackers probing the Internet of Things. Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin. In one instance, the researchers found a Linux kernel that was 10 years out of date bundled in a recently released firmware image. They also uncovered 41 digital certificates in firmware that were self-signed and contained a private RSA encryption key and 326 instances of terms that could indicate the presence of a backdoor.

Sorry! There are no comments related to the filter you selected.

Of course (4, Interesting)

charronia (3780579) | about 2 months ago | (#47657961)

But really, who's going to hack your fridge?

Re:Of course (3, Interesting)

Rinisari (521266) | about 2 months ago | (#47657997)

The manufacturer, so that it breaks, and we have a reason to go buy another expensive one or get it repaired.

Collusion, I tell ya!

Re:Of course (1)

MarkGriz (520778) | about 2 months ago | (#47658117)

"so that it breaks"

Manufacturers have been "hacking" your appliances to break prematurely long before the transistor was even invented

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47658661)

"so that it breaks"

Manufacturers have been "hacking" your appliances to break prematurely long before the transistor was even invented

And as a CEO in our disposable society, the board of directors would fire you if you insisted on using quality components that made your products last decades instead of months, all while trying to remain at a competitive price point.

Ain't nobody got time for that shit. There's bonuses to be paid out this quarter, so you get the manufacturing ball China. Let's roll with the cheap shit.

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47658389)

>The manufacturer, so that it breaks, and we have a reason to go buy another expensive one or get it repaired.

I hope you're making fun of the paranoia that's so common here and not just part of it.

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47659183)

I think the term you're looking for is "planned obsolescence [wikipedia.org] " so, don't be a dick about it.

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47658011)

Well, who is going to update the firmware on the fridge every month?

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47658709)

Well, who is going to update the firmware on the fridge every month?

If in the end your fridge is running some kind of rediculously popular OS (Android, iOS, etc.), consumers would already be in the habit of updating like devices, so it would be trivial to wake up to an alert one morning on the fridge display stating an update is available.

Which would probably be at least once a month...

And that's of course not including all those fridge apps you downloaded...

Re:Of course (2)

Opportunist (166417) | about 2 months ago | (#47658037)

Oh c'mon, at least skim TFA, I don't even expect anyone on /. to read it anymore, but at least click the link and look at the pretty pics.

This ain't about fridges and petty crap. I guess I needn't explain why being able to hack and modify the firmware of a CCTV can be quite interesting, or do I?

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47658085)

Poorly written summary. Anyone writing a summary on /. should know that "Internet of Things" opens up this kind of discussion.

Re:Of course (1)

Jeff Flanagan (2981883) | about 2 months ago | (#47658403)

You can't blame the summary.

Anyone who's been here for more than a couple of days knows that the summaries are often extremely misleading.

Re:Of course (1)

khellendros1984 (792761) | about 2 months ago | (#47659521)

...But they'll still become the sole basis of at least half of the comment threads.

Re:Of course (4, Insightful)

gstoddart (321705) | about 2 months ago | (#47658211)

This ain't about fridges and petty crap

It's not specifically about fridges, but it points to the widespread terrible security practices, and how a single vendor who makes the underlying stuff can basically destroy security for all of it.

As you add more and more stuff with the same vulnerabilities, the scope of the problem just gets magnified.

So, your internet connected CCTV, your smart TV, your notional smart fridge, and from the sounds of it possibly even your router ... these are all subject to vulnerability through their weakest links. And it sounds like there's a lot of weak links.

As long as these companies have a culture of lax security and other terrible practices like this, this problem isn't going to go away.

Re:Of course (2)

mlts (1038732) | about 2 months ago | (#47658339)

The problem is that bugtastic firmware is just a sign to the "good enough" race to the bottom that plagues a lot of industries.

Secure firmware upgrades are not rocket science. If a device doesn't have to be connected to the Internet [1], a SD card [2], a routine for signing firmware, and having an atomic transaction based upgrade process (so the upgrade either 100% completes or gets rolled back... no in between states) will solve this. Of course, some way to revert or roll back would be useful. Perhaps a "version 1.0" firmware burned into a ROM as an absolute failsafe.

For Internet connected devices, a mechanism similar to above coupled with SSL/TLS and a failsafe way of checking hosts for updates. Since this is a separate mechanism from Web browsing, the SSL/TLS certs can be signed with a non-standard CA (although I'd not self-sign them just in case the cert got compromised on the server.) Then, it can basically do a wget on the firmware image, then pass it on to another mechanism for checking the signature and flashing the new firmware.

[1]: If one questions that if -has- to be connected to the Internet or not; it doesn't need it.

[2]: SD card specifically. Not a USB port, as USB devices can present themselves as many other items than just a drive. SD cards are hard to use as a base for intrusion. Well, harder than USB, IEE1394, or other general use protocols that allow a device full DMA access.

Re:Of course (1)

Cramer (69040) | about 2 months ago | (#47659309)

Right, because bugs in the cannot-be-replaced version 1.0 firmware will never come back to haunt you. (read: force it to fallback to 1.0, and bob's your uncle.)

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47658375)

Soooo . . . I SHOULD update the firmware on my fridge? //stubbornly refuses to click on link

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47658093)

Botnet of things, it's already happening with DVRs. Who's going to check that their fridge isn't DDOSing sites or serving porn?

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47658353)

Ill take a serving of porn if your fridge is stocked?

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47658383)

oh i am sure that is many a geeks dream for their fridge to serve both beer and porn.

Re:Of course (1)

riis138 (3020505) | about 2 months ago | (#47658119)

I am going to change the shape of your ice cubes! BOOM!

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47658137)

The guy who'll extort money for a repair out of people. Already have there been reports about TV sets displaying to pay an amount of money in bitcoin to somebody to get your TV working again. It was even in the local news here dat police had to tell people not to pay but instead let a professional repairshop handle it.

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47659205)

...dat police...

DAT police? What the hell have Sony got to do with this?

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47658161)

Gee, I don't know... Anyone wanting to pwn your home network with a compromised server inside your firewall?

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47658173)

Possibly someone who needs a launching pad for attacks against the rest of ur internal network.

The problem here is not updates.
The problem is that these things shouldnt need to be updated. They should be built properly to begin with.
But this is what happens when profiteering goes unpunished.

These companies that make insecure products, should be held liable for any damages that result.
And clauses within the EULA that absolve them of liability, nullified.

Backdoors in products need to be made outright illegal, and should be prosecuted with extreme prejudice.

Re:Of course (1)

gstoddart (321705) | about 2 months ago | (#47658179)

Once you have IPV6, with no (supposed) need for firewalls, everything connected to the interweb, and widespread terrible security ... I predict your fridge will be hacked as quickly as an unpatched Windows XP box hooked up to the internet.

People will try to have anything, and when the device manufacturers are this slack about security, it will get hacked simply because it's there.

I've always thought the internet connected fridge was a stupid idea, for these exact reasons.

With the laundry list of terrible security in the summary, you pretty much have to assume most things are fairly vulnerable.

Re:Of course (3, Informative)

Lazere (2809091) | about 2 months ago | (#47658213)

Once you have IPV6, with no (supposed) need for firewalls.

Why does somebody always have to trot this out? IPV6 does not mean no need for firewalls. It means no need for NAT. These are not the same thing. Please, please stop spewing this crap.

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47658289)

Please note the use of (supposed)...

He is trying to say, that this idea is part of the corporate agenda.... to give them end to end connectivity to all ur stuff 24/7/365.
It makes their backdoors more effective, and easier to aggregate control en masse.

Personally, IRL , I try to tell ppl, "Smart" devices are for dumb ppl.

Re:Of course (1)

gstoddart (321705) | about 2 months ago | (#47658495)

Why does somebody always have to trot this out?

Because every time IPV6 comes up, people say "you won't need a firewall", which I've always assumed to be crap, and which is why I put "supposedly".

Because my reaction is always "no way I'm running without a firewall".

I still think the "no NAT" thing is stupid. I don't want devices with a globally unique ID, because the marketing assholes any everybody else don't need to know "this is Bob's fridge".

Re:Of course (1)

Lazere (2809091) | about 2 months ago | (#47658565)

Probably, you won't even see NAT go away as ISPs are still going to want to charge for each IP they give. I have a feeling, at least on the residential side, that things will stay exactly as they are, just with an IPv6 address instead of IPv4.

Re:Of course (1)

Charliemopps (1157495) | about 2 months ago | (#47658891)

Why on earth would you ever use IPv6 on an internal network?

Re:Of course (0)

Anonymous Coward | about 2 months ago | (#47659897)

So that when the company gets purchased (or you just create site-to-site VPN for parts of your network to another company), you won't need to re-number your entire network because both of you were using same IP addresses in your network.

Re:Of course (1)

rahvin112 (446269) | about 2 months ago | (#47659441)

Considering the smallest recommended handout is a /64 which includes as many addresses as there are in IPv4 total there should never be a problem with the number of addressable IPs you receive. If ISPs try to hand out a /127 address to customers they'll lose many of the auto-routing functions of IPv6 that keep the router tables small and raise their own costs. My bet is they won't give you a static IP without a charge, but you will be given that /64 address and you won't be buying packages of IP addresses.

Re:Of course (1)

WaffleMonster (969671) | about 2 months ago | (#47659531)

Because every time IPV6 comes up, people say "you won't need a firewall",

IPv6 capable consumer routers have SPI (Same as NAT - no incoming connections) except without resorting to packet mangling or dangerous ALGs.

I don't want devices with a globally unique ID, because the marketing assholes any everybody else don't need to know "this is Bob's fridge".

If not turned on by default, enable IPv6 privacy extensions on the fridge console next to the designer ice cube shaper display.

Vendors have thus far proven themselves incapable of providing "connected" products not intentionally designed to maximally violate your privacy or otherwise place you at mercy of vendor operated "cloud service".

The second Bob's fridge connects to the Internet expect it to immediately call home with a complete inventory, share it with the vendors "partners" and serve ads for good measure. This is the reality of "IoT" the reality the marketeers are clamoring for anyway.

You might think IPv6 is scary but at least it restores the network of peers allowing for credible deployment and management scenarios whereby end users have any chance at all of avoiding being treated as string puppets.

Re:Of course (2)

vux984 (928602) | about 2 months ago | (#47658221)

Once you have IPV6, with no (supposed) need for firewalls

Um... you'll still need a firewall. You just won't need a NAT gateway.

Of course (0)

Anonymous Coward | about 2 months ago | (#47658259)

Who would not? If its connected to internet it can be used to many nasty things. Spam relay, ssh router, dns ddos slave, etc.... So better question is who would not hack your fridge?

Re:Of course (1)

Aristos Mazer (181252) | about 2 months ago | (#47658641)

http://www.cbsnews.com/news/ha... [cbsnews.com]
China embedding chips in electric kettles and using the other appliances in the home to pry into home networks on the off chance that you're someone worth hacking.

Beyond that, hacking someone's fridge is a great way to be irksome to someone you don't like -- I've come home to a failed fridge after a week-long trip and it is definitely not pretty.

Re:Of course (1)

flyneye (84093) | about 2 months ago | (#47658951)

Well...now, lessee...an out of date linux kernel...I'll go out there on a limb and guess it was an OpenMOSIX kernel. That seems about the right timeframe. A cluster computing platform, brilliantly simple. Just think of all those appliances donating spare cycles and ram to a money making scheme by the vendor, selling super computing time on your appliances and bandwidth.

O.K. that's my vote for what this is rally all about.

Re:Of course (1)

crioca (1394491) | about 2 months ago | (#47659547)

Was literally having a serious work discussion about hacking fridges yesterday. There are a few ways internet enabled fridges could be hacked for profit or for "the lulz"

1. The fridge could be used for pivoting> into your network [wikipedia.org]

2. If the fridge is able to automatically purchase food for you, the payment system could be abused

3. If the fridge is able to automatically purchase food for you, the ordering system could be abused.

4. It could be used to disable the cooling system

5. It could be used as part of a botnet

But the main issue is the potential for brand damage; All it takes is for one overblown headline like "Hackers can use X Manufacturer fridges to Y your Z" to go viral and your company is out millions of dollars in sales.

And forget patches (1)

Rigel47 (2991727) | about 2 months ago | (#47658005)

Your typical "internet of things" plastic garbage will have firmware updates released by the manufacturer for three to four years after which you're on your own. Which, to the point of the article, is not to say you have a secure device at the outset.

You'd think by now some consortium would self-assemble to devise best practices and certifications. In all likelihood it will have to be non-industry parties that do so as the last thing Samsung, et al, want is another hassle to eat into their razor-thin margins.

Re:And forget patches (1)

0x15e (961860) | about 2 months ago | (#47658237)

I would say three to four years if you're lucky. I wouldn't expect most plastic garbage to have updates for more than a year after release, assuming there are any updates at all.

Re:And forget patches (0)

Anonymous Coward | about 2 months ago | (#47659043)

>updates
>at all

Self signed-certificate?? (1)

ruir (2709173) | about 2 months ago | (#47658007)

Is it bad or good? At least the NSA cant sniff the traffic so easily.

Re:Self signed-certificate?? (1)

xxxJonBoyxxx (565205) | about 2 months ago | (#47658087)

>> "Self-signed cert = At least the NSA cant sniff the traffic so easily"

I hope you're joking, but in case you're not, reread the part about the published "private RSA encryption key." That means that ANYONE who watches an SSL/TLS session get established with that key could decode the session's traffic. And more bad things...

Re:Self signed-certificate?? (0)

Anonymous Coward | about 2 months ago | (#47658195)

Getting a signed certificate for an embedded device may cost more than manufacturing the device... per year. Not going to happen.

Re:Self signed-certificate?? (1)

ChadL (880878) | about 2 months ago | (#47658965)

That depends on the use case. Take for example a printer which is using TLS to encrypt documents sent to it and scans from it to the computer. In the case of a single self-signed CA its just snake oil as far as security as anyone could take the self-signed certificate from the FW image and MiTM the connection.
If, instead, the printer created a random self-signed certificate on first boot and the printer driver asks the user on a certificate change 'printer xyz appears to have changed its fingerprint, did you perform a factory reset?' (and on new printer add just save the certificate from the new printer on first use).
The above change would change the snake oil to some meaningful level of security (not 100%, but most likely the first setup isn't going to be MiTM'ed). Additionally if TLS isn't using forward-secrecy then a certificate shared across all devices allows anyone to decrypt logged traffic to/from any of these devices by extracting the key from the manufacturer provided fw image rather then having to hack it out of the physical device itself.

Yes, much of this is unrealistic (2)

Anonymous Brave Guy (457657) | about 2 months ago | (#47659053)

Getting a signed certificate for an embedded device may cost more than manufacturing the device... per year.

It's actually worse than that, because you don't even have a fixed target to price up. You have to consider how long a certificate needs to be valid for, the longer the more expensive but if it's not enough for the working lifetime of the device people are going to get upset. There's also the risk that a link in the certification chain could disappear, which is presumably more likely the longer the certificate lasts. For serious equipment running on corporate networks you might also have to consider letting them install their own certs backed by their own in-house CA, which introduces overheads of its own for your technical implementation. And none of this matters for devices that aren't going to be available from a machine with Internet access, because then there's no way to verify certs signed by the major public CAs anyway.

But the AC's basic point is sound. There are genuine concerns being raised here, but there's also a degree of FUD. If you see "10 year old Linux kernel" and assume "security flaw", you're the guy embedded software developers hate. That's not because they don't like criticism, it's because what really happens is they get a report back from some suit in the sales team saying a customer ran a "vulnerability scanner" and it flagged something based on a simple version check or other heuristic and that "vulnerability" must be fixed before you can get the sale. When they point out that patches have been applied for all known vulnerabilities that are relevant to their system and ask the sales guy what actual vulnerability the customer is concerned about, all they get back is crickets.

Then you get someone from management being told by the sales guy who just lost his commission that the engineering team is incompetent, and wanting to know how much it would cost to upgrade the entire system to the latest Linux kernel. Manage gets told by engineering leadership about the cost, the time required to do the work, the time required for a complete regression test, and the risk of some regressions slipping through anyway because you're giving up tried and tested code and maybe being forced to change fundamental things like what kind of filesystem you're using on your internal flash storage. Somewhere around the point where the half dozen guys who normally work on the firmware for that product now need six more guys whose only job is to watch for every relevant update to any software component in the system, integrate it, regression test the results, issue the firmware update, and brief sales and marketing because reading a changelog is too difficult, the manager usually loses interest. It's a huge amount of wasted time and effort all around, for something that in many cases was never actually a real problem in the first place.

Re:Self signed-certificate?? (1)

Darinbob (1142669) | about 2 months ago | (#47659347)

Depends on what "self signed" means. Companies can definitely have our own root key and devices have certs that chain back to that, but the devices will not sign themselves. That is no less secure than relying on some third party root cert.

Re:Self signed-certificate?? (1)

Cramer (69040) | about 2 months ago | (#47659327)

The issue is that it's embedded in the firmware, which means it's the same damned certificate on every device. Hack it once, and every one of them is now hacked. (remember the issue with debian and sshd keys? there were only a handful of keys because they were generated with a guessable random number (seconds from boot) on the first boot.)

Not the same certificate on every device (1)

jsrjsr (658966) | about 2 months ago | (#47659691)

Not necessarily. The device could easily be loaded with a unique certificate in manufacturing. A quick search shows that Atmel [atmel.com] makes parts that would help enable this. I'm sure there are others. I expect the cost of this to continue dropping.

Re:Not the same certificate on every device (1)

Cramer (69040) | about 2 months ago | (#47659839)

RTFA. They downloaded the installable firmware images for many devices and found a self-signed certificate in some of them. That is not a per-device-unique anything. Every device loads the same blob, and has the same certificate. They aren't even competent enough to get the device to generate it's own certificate. (which could have it's own issues, but at least it has a chance of being different from any other device.)

The beginning of the "internet of things" (4, Insightful)

Opportunist (166417) | about 2 months ago | (#47658063)

It will be like the internet of humans was. Everyone will be in a gold fever. Everyone will want to join the train and everyone just HAS to get with the latest fad and have a sock drawer that has some kind of internet connection. Every petty, crappy, useless gadget will need to have some sort of internet access.

And of course the manufacturers will deliver it. Everything and their dog collar will be online.

Then the first people, I'd predict some geeks with a rather odd sense of humor, will start to piss people off by "talking" to their fridge and telling it to put some milk bones and condoms on the next shopping list, just to make your friends wonder about your ... private life should they get their hand on it.

And given time, someone will come up with a way to abuse the whole shit not just for fun but also for profit. And only THEN we'll stand there and ask why oh why security has not been a core topic right from the start because that should have been obvious... and it probably was.

It was just way cheaper to ignore it. And as long as people buy it (who will react just like the very first person in this thread, i.e. "who's going to hack your fridge?"), why bother with security? Security costs money and it's no selling point. So... to the crapper with it.

Quit with the idiotic "internet of things" meme (0)

Anonymous Coward | about 2 months ago | (#47658167)

It makes you sound stupid. Servers are things. Desktops are things. Laptops, tablets and phones are things. We've always had an "internet of things". That it's going to get into smaller devices is not in question. What is in question is manufacturers supposedly will bother putting a mini server in your toilet roll to spam you with ads and measure your bowel health. Ain't gonna happen. It's not economical.

Re:Quit with the idiotic "internet of things" meme (0)

Anonymous Coward | about 2 months ago | (#47658189)

It makes you sound stupid. Servers are things. Desktops are things. Laptops, tablets and phones are things. We've always had an "internet of things". That it's going to get into smaller devices is not in question. What is in question is manufacturers supposedly will bother putting a mini server in your toilet roll to spam you with ads and measure your bowel health. Ain't gonna happen. It's not economical.

That ring you're wearing is connected to the internet.

Re:Quit with the idiotic "internet of things" meme (1)

Lazere (2809091) | about 2 months ago | (#47658275)

Anything is economical if people are willing to buy it for more than it costs to make. There are already internet connected fridges and dog collars and cars, what they make internet connected next is only a matter of what people are willing to buy? Internet connected toilet paper? I bet you can get some health nuts on the bandwagon. Idiotic seeming gadgets will be internet connected, and there's nothing you can do about it. The biggest question is, are we going to pay attention to security now, or wait until it's too late? Also, he said "internet of things" because that's the idiotic term the industry/media has chosen for this particular fad. He could use something different, but everyone already knows what it means, so, why bother? That's how language works. Deal with it.

Re:Quit with the idiotic "internet of things" meme (1)

redeIm (3779401) | about 2 months ago | (#47658343)

That's how language works. Deal with it.

Dealing with such toxic bullshit only ensures it will spread around more, even if only slightly. I'd rather point out why it's garbage.

Re:Quit with the idiotic "internet of things" meme (1)

Lazere (2809091) | about 2 months ago | (#47658387)

It's not toxic. It's stupid. In a generation, if it's still around, it'll sound less stupid. If it's still around after that, it'll just be a normal part of the language.

Re:Quit with the idiotic "internet of things" meme (1)

redeIm (3779401) | about 2 months ago | (#47658585)

It's toxic garbage. I reject numerous ridiculous terms, regardless of how long they've been around.

Re:Quit with the idiotic "internet of things" meme (2)

Belial6 (794905) | about 2 months ago | (#47658863)

Exactly. Consider how stupid "Movie" sounds. It started out a lot dumber sounding than "Internet of Things".

Re:Quit with the idiotic "internet of things" meme (2)

grcumb (781340) | about 2 months ago | (#47658829)

That's how language works. Deal with it.

Dealing with such toxic bullshit only ensures it will spread around more, even if only slightly. I'd rather point out why it's garbage.

Yes, but the entire article is low-brow drivel. I have no idea why this was the source they chose to link to (though it might go a long way toward explaining the tone and content of Slashdot's discussions these days...). I mean, check out this para:

The murky world of firmware sometimes makes it hard to figure out which products might be affected. Manufacturers often rely on tools and development kits that are widely used across industries, so the flawed firmware can end up in product sold under lots of different brands.

It's hard to know whether this 'writer' even teh English. But worse, the content is almost anti-information. What the fuck is a 'murky world'? People use generic toolkits? Sold to more than one company?! Who is this Adam Smith and where do I get his pamphlets?!?

Worse, the author[*] is implying that this is somehow an inherent flaw that might prove to be a fundamental difficulty. In truth, it's an aspect of software development that has been there since the very first computers existed. And what's more, we know how to fucking deal with it. Instead of massaging the conscience of halfwit managers, maybe he could have offered a bit of illumination concerning the decades of precedent for dealing with software quality, and explaining how these principles can (or cannot) be applied to firmware.

The thing that drives me toward despair is that the article - the whole publication - is clearly aimed at corporate decision-makers.

---------------
[*] With apologies to all real authors everywhere.

Re:Quit with the idiotic "internet of things" meme (1)

Opportunist (166417) | about 2 months ago | (#47658297)

Seems like I spent too much time with the marketing goons lately... I hope I'll recover soon. :)

But seriously, you know the buzzword and I doubt that we'll get rid of it anytime soon. It's like the cloud, just worse, because, as you point out, it makes no sense really.

What matters now, though, is that we know what we're talking about. Maybe "the internet of everyday items" simply didn't have as much zing.

Re:The beginning of the "internet of things" (0)

Anonymous Coward | about 2 months ago | (#47658183)

why the fuck does your fridge need to be connected to your sock drawer and flesh light

Re:The beginning of the "internet of things" (2)

Opportunist (166417) | about 2 months ago | (#47658299)

Need? What kind of outlandish concept, how does "need" come into the equation when we want to make people buy crap?

Re:The beginning of the "internet of things" (0)

Anonymous Coward | about 2 months ago | (#47658235)

Previously a "smart refrigerator" was a concept and would release for $15,000 http://www.gizmag.com/go/1132/ [gizmag.com]
Today, for $150 and a piece of double-sided tape you can augment ANY refrigerator to have a voice- or scan- activated internet-connected shopping list.
Even if the iPod comes down to $50, people still wont tape them to their fridge.

In other words, either technology is pervasive, cheap and secure enough. Or it is concept and niche.

really? (4, Insightful)

Nicola Zandonà (3783027) | about 2 months ago | (#47658069)

The point is, who really need a connected fridge?

really? (0)

Anonymous Coward | about 2 months ago | (#47658187)

connected fridges were cool ten years ago. I have connected, programmable light-bulbs. what bridge have you been living under? :P

Re:really? (1)

Ichijo (607641) | about 2 months ago | (#47658321)

In fact, who really needs a fridge at all? We got along just fine without them for thousands of years.

Re:really? (1)

The Technomancer (3649405) | about 2 months ago | (#47658477)

Need? Nobody. Being able to auto-generate a shopping list based on the contents of your fridge and cupboards, or order said list for delivery from Safeway/Amazon Fresh/etc.? Timesaver. Hacking someone's smart fridge to order random embarrassing things as a prank? Priceless.

Re:really? (1)

Anonymous Coward | about 2 months ago | (#47658813)

Auto-generate a shopping list based on the contents of fridge and cupboards? I don't know about anyone else, but from week to week, season to season, the contents of my fridge vary wildly based on what's locally in season and the random recipes I choose for the week. My eating patterns aren't exactly predictable unless you hack my random recipe selector.

Re:really? (1)

Belial6 (794905) | about 2 months ago | (#47658881)

About a s priceless as smashing the window of their car. Ha Ha. Vandalism isn't new just because it is "on a computer".

Re:really? (0)

Anonymous Coward | about 2 months ago | (#47658507)

I kind of do, for when I go to the store, and I have no idea what's in it. Bascially a simple webcam would work, if it could see everthing. But there is no way it could. It would need a rfid chip for everything in it , down to each egg and piece of fruit, and left over. But that won't work either. So its a great theory, the need is there (for me), but there isn't a solution that fits the need. So, no popular connected fridges.

Re:really? (0)

Anonymous Coward | about 2 months ago | (#47658817)

I kind of do, for when I go to the store, and I have no idea what's in it. Bascially a simple webcam would work, if it could see everthing. But there is no way it could. It would need a rfid chip for everything in it , down to each egg and piece of fruit, and left over. But that won't work either. So its a great theory, the need is there (for me), but there isn't a solution that fits the need. So, no popular connected fridges.

The RFID problem stands under the assumption that vendors wouldn't simply start labeling ALL products with RFID chips.

And why wouldn't they?

Who are you going to buy your food from, the local store that still makes you write shit down or remember it the old-fashioned way, or Amazon, who will RFID-label all your food for you? (as long as you buy from them)

Perhaps the one who will RFID all your food for you will be the one you rent your fridge from. Yup, leasing appliances. Smart fridges might be a fun new thing to go shopping for every few years.

"Internet of Things" (1)

Anonymous Coward | about 2 months ago | (#47658091)

worst new term since 'the cloud' and 'hashtag'.

Re:"Internet of Things" (1)

Russ1642 (1087959) | about 2 months ago | (#47658139)

It's hella lame.

Re:"Internet of Things" (2)

Darinbob (1142669) | about 2 months ago | (#47659361)

Unfortunately, I'm sort of being put into this area now. But this term covers so much stuff, a lot of which has existed before the term existed. The stuff that's eye rolling are bluetooth enabled devices that talk to phones, that's not really the internet of things. But something like a stoplight could be internet of things, if it reports back when a bulb has burned out; it's a thing, it is on some private network, and it is something not traditionally networked in the past. Similarly, smart meters, traffic monitors, and so forth.

Going to need MUCH better firewalls (3, Interesting)

BaronM (122102) | about 2 months ago | (#47658165)

I can't ever see secure firmware becoming the norm given the economics of consumer goods, so I think we're going to need much better firewalls than what we see in SOHO routers currently.

Port/address level control is spectacularly insufficient when everything runs on port 80, and nobody is going to spend time mapping out specific source/destination pairs for everything (The washer can talk to the dryer. The washer can talk to my smartphone. The dryer can talk to my smartphone...)

I'd like to see something like a home-PKCS standard where:
1. Any IOT device requires a client certificate supplied by the router
2. The router drops any traffic not signed by a recognized client certificate
3. The router's signing key must be kept on a seperate USB drive, and the WAN port is locked out if the USB drive is inserted.

To set up a new device on your home network you would:

1. Insert USB key into the router (WAN port shuts down)
2. Generate a new client certificate for the new device (push button "a")
3. Install the certificate on the new device (push button "b" on router and also on device within 60 seconds, enter PIN, something automated like that)
4. Remove USB key from router (WAN port comes back up)

The router will now pass signed traffic to/from your new device. Traffic not signed? No talking to IOT devices for you.

Yeah, key management sucks, but I bet it could be fairly easily automated for home use. It would take more thought and detail than I've outlined above, but should be doable. Unfortunately, that would require that everyone agree to follow the same standard for home-PKCS, and I can't see that happening either.

Plus cheap devices would have the crypto implemented badly, plus you wouldn't be able to turn on the microwave from your office, so on and so forth.

Never mind, I give up.

Re:Going to need MUCH better firewalls (1)

Anonymous Coward | about 2 months ago | (#47658175)

Better idea: Give up on this stupid everything-as-to-be-on-the-Internet bullshit. I'll laugh when people buy all these expensive appliances only for malicious people to find ways to fuck with them.

Re:Going to need MUCH better firewalls (2)

BaronM (122102) | about 2 months ago | (#47658223)

Well, yes, that actually IS a better idea.

OTOH, if an IP-connected hot-water heater is the only kind on the market next time I need a new one, I'd prefer to have the 'securing it' worked out in advance, because I'm sure not going to do without.

Re:Going to need MUCH better firewalls (1)

Lazere (2809091) | about 2 months ago | (#47658361)

Most important things, like water heaters (and cars), need to be robust enough to function without internet, else they'd have lawsuits on their hands. You could, I don't know, not connect it to the internet.

Re:Going to need MUCH better firewalls (1)

sconeu (64226) | about 2 months ago | (#47658381)

Well, you could, you know, NOT CONNECT the IP enabled water heater to the Internet.

Re:Going to need MUCH better firewalls (1)

0123456 (636235) | about 2 months ago | (#47658577)

Well, you could, you know, NOT CONNECT the IP enabled water heater to the Internet.

Except, in the future, the only way to set water termperature will be through a web interface, and you'll need it connected to download firmware updates so it doesn't explode due to a random memory corruption bug causing it to leave the gas on all day.

Re:Going to need MUCH better firewalls (1)

Carnildo (712617) | about 2 months ago | (#47659757)

Fortunately, a water heater is simple enough that you can rip out the "smart" electronics and replace them with the sort of thermostat-and-relay circuit that almost everything uses right now.

Re:Going to need MUCH better firewalls (1)

chihowa (366380) | about 2 months ago | (#47658689)

Well, you could, you know, NOT CONNECT the IP enabled water heater to the Internet.

What if that's not a choice, either?

With SuperWiFi 4.0 "IoT edition" (TM), all of your appliances create a mesh network and find a path to the internet !!!

or

"I'm sorry sir, your water heater won't operate until it's able to register with the activation server. Please remove the foil from its antenna."

Do these scenarios really seem too far fetched or unlikely?

Re:Going to need MUCH better firewalls (0)

Anonymous Coward | about 2 months ago | (#47658949)

Better idea: Give up on this stupid everything-as-to-be-on-the-Internet bullshit. I'll laugh when people buy all these expensive appliances only for malicious people to find ways to fuck with them.

Uh, better yet, why don't you just give up now on this ignorant notion that you will be left with a fucking choice in the future.

You better start accepting the fact that as a consumer, you will be used and abused wherever there is revenue to be made. We will build the ever-living shit out of IOT devices.

And if you don't like it, stop eating the fucking cheese, mouse.

Who moved m -- Make your own damn cheese (1)

tepples (727027) | about 2 months ago | (#47659767)

And if you don't like it, stop eating the fucking cheese, mouse.

It'll still be possible to get off your duff and make your own damn cheese [amazon.com] , won't it?

Doesn't really solve the problem (2)

Anonymous Brave Guy (457657) | about 2 months ago | (#47659125)

Better idea: Give up on this stupid everything-as-to-be-on-the-Internet bullshit.

That's a good idea, but it doesn't solve the problem for devices that actually do have good reasons to be connected: streaming media players, IP-based phones/faxes, consoles with multiplayer games, and so on. Many of these devices are connected to household networks these days, both to access the Internet and to communicate for legitimate reasons with other devices also on that home network. The devices themselves or other devices on the home network may store sensitive data. They may also have sensors, and while cameras and microphones are the most obvious risks, less obvious things like accelerometers in mobile devices and GPS can also create huge security/privacy holes.

Sooner or later, we're going to have to confront the implications of connecting all of this stuff together, and we're going to need a more sophisticated strategy than "just don't do it", because a lot of the time doing it is very useful but also dangerous without proper limitations.

Re:Going to need MUCH better firewalls (0)

Anonymous Coward | about 2 months ago | (#47658219)

That provides little to no security with all the hardware backdoors these manufacturers place "accidently".

Re:Going to need MUCH better firewalls (0)

Anonymous Coward | about 2 months ago | (#47658331)

You've just described a `solution' that could never, ever emerge from the world of slap-dash firmware development without giant, gaping holes in both the provisioning process and cryptography. Schlepping x509 certs around via USB drives is not feasible. Neither is adding USB PHYs to things that don't otherwise need one.

About the best you can do here is the bluetooth and/or wifi model; put a button on a switch/router that blesses some new device when someone physically presses it. Anything more involved will a.) fail to be comprehensible to 99% of the users b.) leave too many ways for firmware writers to screw it up c.) cost too much.

Re: Going to need MUCH better firewalls (0)

Anonymous Coward | about 2 months ago | (#47658801)

Did I not conclude with "Never mind, I give up"? :)

Re:Going to need MUCH better firewalls (1)

Belial6 (794905) | about 2 months ago | (#47659147)

Honestly, the answer is that the devices should just not be directly accessable at all from the internet. There should be a server that is secured, and the devices should be accessed by the server.

Paring could be done via NFC. A small 'Key' passed over the 'pairing' pad of the server and any devices could sync them all to the same cert. If for some reason it is believed the cert is compromised a new $1 'Key' can reset every device and the server to a new cert.

Simpler than the wifi and bluetooth models, and for the most part, there is only one device that has to have complex iron clad security.

Companies scheme for profit, news at 11. (0)

Anonymous Coward | about 2 months ago | (#47658267)

I stopped getting shocked when i hit my first billion-device vulnerability. I now have several.

Kick me, harder (0)

Anonymous Coward | about 2 months ago | (#47658285)

Still want to buy logic chips from China and Taiwan?

Crowdsource it (1)

joh (27088) | about 2 months ago | (#47658459)

We really need a program that offers bounties for finding such vulnerabilities and backdoors. Put a tax up for companies selling networked devices, pay bounties from that when a third party finds something and pay the money back to the respective companies after a year or two when nobody finds any vulnerabilities in their products. This would make actually putting some effort into secure products commercially viable while giving good hackers a way to earn their living in a good way. Win-win.

Right now we're rewarding companies that sell shoddy products while driving clever and well-educated people into the criminal underground. This actually is the worst setup one could think of. Make a sane, well-regulated market out of that and things will improve quickly while at the same time creating careers for people who deserve it.

here's the reason, expert opinion (1)

Anonymous Coward | about 2 months ago | (#47658469)

This is commonly because the guy who originally set up the image, knew how the code worked, and designed the thing was laid off years ago. The people hired on to maintain it afterwards never figured out how it worked or how it was put together, their goal was just to keep things running. I was recently laid off at a job where I had bothered to take the time to learn how the original image for a device was created and recreate it from scratch so that we wouldn't be left behind and could upgrade. The guys remaining there don't know, care, and cannot recreate the firmware image. If managers would attempt to keep their well-learned staff, give them incentives to stay, not lay them off randomly for short-term gains, and promote documentation then this wouldn't happen.

326 Back Doors? (0)

Anonymous Coward | about 2 months ago | (#47658575)

Sasha Grey is intrigued . . .

What's wrong with a 14 year old kernel? (2, Insightful)

bobbied (2522392) | about 2 months ago | (#47658737)

If it works on the hardware in question, what's wrong with that? Sometimes being newer isn't better, it's just newer.

I don't see this as a huge problem for embedded systems.... Unless it's something like a firewall or a router that lives on the internet, then it *might* be worth looking at. If it's something like a media player or printer on your private network, who cares? (unless you are member of the tin foil hat society).

Re:What's wrong with a 14 year old kernel? (0)

Anonymous Coward | about 2 months ago | (#47659819)

This

We routinely run kernels on products that may have been new or only a year old or so on new products we make, but as far as updating a kernel on an old product that NEVER happens. Once you have a baseline OS thats stable that rarely changes unless something drastic needs to be fixed. The other issue with updating the kernel is driver support. If your using chips from a vendor that has long since stopped supporting the version of the chip your using, you dont have much choice but to stick with the kernel version they originally designed for and thats it

Also as you said, rarely would a kernel upgrade even buy you any improvements on an embedded system

YUO FAIL IT (-1)

Anonymous Coward | about 2 months ago | (#47658781)

RAM) for about 20 very distracting to bben the best, Fuck The Baby paper towels anyone that thinks Lost its earlier To its laid-back

i was going to argue engineers vs. programmers (1)

NemoinSpace (1118137) | about 2 months ago | (#47658843)

But in this case it seems they are in perfect agreement when it comes to deciding whether any money or effort should be put into upgrading your kernel on your vcr with the blinking 12:00

Thank God not all things are connected to the net (0)

Anonymous Coward | about 2 months ago | (#47659293)

This reminds me of my brand new Roland Gi synthesizer and how out-dated the firmware is on it. Thank God it isn't able to communicate.

That's correct. In 2015 Roland still doesn't offer any form of transferring files via USB or ethernet in their synths. Besides a LCD that looks like a solid-state screen taken from a 1980 pinball machine this firmware is ancient.

In addition to only recognizing 99 files on a USB drive (FAT format only) it won't recognize folders. That's right! You can only have 99 files and they all have to put into the root of the USB device. It brings loads of fun trying to have MIDI tracks to play along with as you can't sort them other than alphabetic order.

While the device will send and receive MIDI commands through a USB cable there's no other ability to do anything else.

I'm shocked that this company is even in business. My 7 year old Yamaha PSR has better software than this and it cost 1/10th the amount.

Idiots and their "BSP"s (2)

nyet (19118) | about 2 months ago | (#47659679)

The reason embedded device kernels never get updated is because the source code for them is on some SOC vendor's way out there fork of some ancient kernel that nobody with a clue actively develops for anymore.

And the vendor (say, TI) had hired a bunch of clueless interns to write the "BSP"s (old acronym from the binary blob obsessed asshats at vxworks et al) for their SOCs and the cluster of shoddily designed peripherals crowbarred into the SOC.

And those interns wrote code so toxic and broken that no sane kernel developer would ever have accept any of their garbage into any mainline kernel tree.

So there are all these embedded devices out there with kernels from the 90s, and it would take time (and expertise) that none of the vendors have (including the SOC suppliers, like TI) to merge the changes into something even remotely contemporary.

All of this because the requirements for these embedded projects (dictated by clueless PHBs) is only "linux support" not "mainline kernel support", so SOC vendors (like TI) just don't have the incentive to develop SOC peripheral driver code suitable for mainline inclusion.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?