posted by chromas on Tuesday August 27 2019, @11:41PM
from the soft-targets-are-more-huggable dept.

Data Shows IOT Security is Moving Backward

The security of IoT devices has been a running joke for many years, so much so that some researchers have given up trying to point out the weaknesses and get vendors to address the problems. Some vendors have pledged to do better and improve their development practices, but a year-long analysis of the security features in the firmware of 22 IoT device manufacturers found that not only are the vendors not making progress on security, they're actually going backward.

[...] The team wanted to see how IoT vendors were faring in adding standard hardening features to their firmware binaries, so it developed a special methodology that began with downloading available firmware updates from vendor websites, extracting Linux filesystems from the firmware, and then running each binary through the CITL's custom analytic tools. The dataset comprises more than 3.3 million individual binaries from nearly 5,000 firmware updates from 22 vendors, including ASUS, D-Link, Belkin, QNAP, and Mikrotik, and goes back as far as 2003.

What the team found is dispiriting, if not surprising: IoT firmware hardening is getting worse rather than better. Firmware updates are more likely to remove binary hardening features than to add them, and overall there hasn't been any trend in a positive direction for security in the 15 years covered by the CITL dataset.

[...] The CITL study looked for the presence of a number of possible hardening techniques, such as ASLR, non-executable stacks, and stack guards. These technologies are used to mitigate the effects of certain vulnerabilities and have been in wide use in the desktop and server worlds for many years. They have begun to make their way into IoT device firmware in the last few years, but the CITL data shows that updates often remove one or more of the hardening flags and some updates significantly reduce the overall security of the firmware. For example, one update shipped in 2017 by Ubiquiti for its UAP-HD line of wireless access points removed ASLR altogether and the presence of stack guards went from about 70 percent of binaries to virtually none.
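The methodology and the hardening features described above, as an added example that is not CITL's tooling or the article's own code: a checksec-style classifier for ELF64 binaries (PIE/ASLR, non-executable stack, RELRO, stack canaries), plus a before/after comparison that reports which features an update removed. The ELF images are constructed in memory rather than extracted from real firmware, and the before/after numbers are constructed to resemble the UAP-HD regression quoted in the article.

```python
"""Count the binary-hardening features the CITL study looked for (PIE/ASLR,
non-executable stack, RELRO, stack canaries) across a firmware image and
report what an update removed. Added example, not CITL's tooling; the ELF
samples are constructed in memory rather than extracted from firmware."""
import struct

ET_DYN, PF_X, SHT_STRTAB = 3, 0x1, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
FEATURES = ("pie", "nx", "relro", "canary")

def hardening_flags(data: bytes) -> dict:
    """Classify one ELF64 little-endian binary the way checksec-style tools do."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian binaries are handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff, e_shoff = struct.unpack_from("<QQ", data, 32)
    phentsize, phnum, shentsize, shnum, shstrndx = struct.unpack_from("<HHHHH", data, 54)
    stack_hdr, stack_exec, relro = False, False, False
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * phentsize)
        if p_type == PT_GNU_STACK:   # no PT_GNU_STACK at all => loader grants an executable stack
            stack_hdr, stack_exec = True, bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    def shdr(i):  # (sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, ...)
        return struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * shentsize)
    canary = False
    if shnum:
        names_off, names_size = shdr(shstrndx)[4:6]
        names = data[names_off:names_off + names_size]
        for i in range(shnum):
            sh = shdr(i)
            if sh[1] == SHT_STRTAB and names[sh[0]:].split(b"\0", 1)[0] == b".dynstr":
                # a canary-protected binary imports __stack_chk_fail from libc
                canary = b"__stack_chk_fail" in data[sh[4]:sh[4] + sh[5]]
    return {"pie": e_type == ET_DYN, "nx": stack_hdr and not stack_exec,
            "relro": relro, "canary": canary}

def make_elf(pie: bool, nx: bool, relro: bool, canary: bool) -> bytes:
    """Build a minimal, non-runnable ELF64 image carrying exactly the requested flags."""
    phdrs = [(PT_GNU_STACK, 6 if nx else 7)] + ([(PT_GNU_RELRO, 4)] if relro else [])
    dynstr = b"\0" + (b"__stack_chk_fail\0" if canary else b"puts\0")
    shstrtab = b"\0.dynstr\0.shstrtab\0"          # name index 1 = .dynstr, 9 = .shstrtab
    phoff, phsize = 64, 56 * len(phdrs)
    dynstr_off = phoff + phsize
    shstr_off = dynstr_off + len(dynstr)
    shoff = shstr_off + len(shstrtab)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 0x3E, 1, 0, phoff, shoff, 0,
        64, 56, len(phdrs), 64, 3, 2)
    phdr_blob = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    def shdr(name, typ, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)
    shdrs = (shdr(0, 0, 0, 0) + shdr(1, SHT_STRTAB, dynstr_off, len(dynstr))
             + shdr(9, SHT_STRTAB, shstr_off, len(shstrtab)))
    return ehdr + phdr_blob + dynstr + shstrtab + shdrs

def coverage(image: dict) -> dict:
    """Share of binaries in an image (path -> flags) that carry each feature."""
    n = max(len(image), 1)
    return {f: sum(flags[f] for flags in image.values()) / n for f in FEATURES}

def regressions(old: dict, new: dict) -> dict:
    """How many binaries present in both images lost each feature in the update."""
    common = old.keys() & new.keys()
    return {f: sum(old[p][f] and not new[p][f] for p in common) for f in FEATURES}

def demo():
    """Constructed before/after inventories: the update drops PIE and all canaries."""
    paths = [f"/usr/bin/svc{i}" for i in range(10)]
    old = {p: hardening_flags(make_elf(True, True, True, i < 7)) for i, p in enumerate(paths)}
    new = {p: hardening_flags(make_elf(False, True, False, False)) for p in paths}
    return coverage(old), coverage(new), regressions(old, new)
```

Running `hardening_flags` over every ELF in an extracted firmware root, keyed by path, and feeding two versions to `regressions` reproduces the kind of per-update comparison the study reports.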

[...] Although IoT devices often are associated with consumer applications, a tremendous amount of IoT gear finds its way into enterprise environments, as well, whether it's through official purchases or shadow installations by employees. Many of the firmware images the CITL study looked at are from networking devices, which are vital to enterprises and therefore quite valuable for attackers.

"We found major regressions in access points you would ship to enterprises by the crate. When you take these things in aggregate, that's a very soft target. It's a very low cost to find an exploit in those," Thompson said.


Original Submission

This discussion has been archived. No new comments can be posted.
  • (Score: 5, Insightful) by Runaway1956 on Tuesday August 27 2019, @11:47PM (13 children)

    by Runaway1956 (2926) Subscriber Badge on Tuesday August 27 2019, @11:47PM (#886494) Journal

    What if we just accept that IOT is a "BAD THING"?

    I still can't accept that it's somehow "good" for the manufacturer of my tools, appliances, and communications devices to spy on me. Or, my vehicle. Just sell me the gadget I need, nothing more, nothing less, and I'll go my way. It's going to be blocked at the router, anyway, so you'll never get the data you were hoping for - except maybe the car.

    • (Score: 5, Insightful) by Thexalon on Wednesday August 28 2019, @12:00AM (5 children)

      by Thexalon (636) on Wednesday August 28 2019, @12:00AM (#886506)

      I'm going to do my best to never buy an IoT device, and if circumstances force me to do so you can be sure it's not getting my Wifi password or a wired cable connection.

      Of course, I suspect makers of Internet-connected crockpots are going to counter those efforts by making these things not even work properly if they can't phone home. In which case, these things are defective by design.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by c0lo on Wednesday August 28 2019, @12:38AM (4 children)

        by c0lo (156) Subscriber Badge on Wednesday August 28 2019, @12:38AM (#886532) Journal

        Of course, I suspect makers of Internet-connected crockpots are going to counter those efforts by making these things not even work properly if they can't phone home.

        Get to DIY. If you don't know how, I hear S/N has some good EE people that can teach you (especially if you hire them)

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 3, Insightful) by Thexalon on Wednesday August 28 2019, @12:53AM (3 children)

          by Thexalon (636) on Wednesday August 28 2019, @12:53AM (#886552)

          I could probably get somewhere with some tinkering, but that seems like an awful lot of work to put into something that shouldn't even exist in the first place.

          --
          The only thing that stops a bad guy with a compiler is a good guy with a compiler.
          • (Score: 3, Informative) by c0lo on Wednesday August 28 2019, @01:13AM (2 children)

            by c0lo (156) Subscriber Badge on Wednesday August 28 2019, @01:13AM (#886563) Journal

            I could probably get somewhere with some tinkering, but that seems like an awful lot of work to put into something that shouldn't even exist in the first place.

            Don't be so categorical.
            I have a number of gizmos working as intended to make possible something I couldn't do otherwise - e.g. keeping a garden watered at over 200km from me, without wasting water (can't get enough of it) over many successive days with over 40C temperature. My design, my implementation, works well and I can keep my job and my garden, when without them it would have been an either/or choice between them.

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
            • (Score: 2, Insightful) by Anonymous Coward on Wednesday August 28 2019, @01:44AM (1 child)

              by Anonymous Coward on Wednesday August 28 2019, @01:44AM (#886579)

              The point is, these devices should all run on Free Software and be fully controllable by the user. You should never be forced to use third party servers, and they should never spy on you. They should be freedom-respecting and privacy-respecting right out of the box.

              • (Score: 2) by c0lo on Wednesday August 28 2019, @02:03AM

                by c0lo (156) Subscriber Badge on Wednesday August 28 2019, @02:03AM (#886590) Journal

                The point is, these devices should all run on Free Software and be fully controllable by the user.

                Agreed with the second, the first is likely a consequence of it for mass-produced gizmos, but not a strong requirement for custom non-generalizable circumstances resulting in a one-off implementation.

                --
                https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by c0lo on Wednesday August 28 2019, @12:35AM (6 children)

      by c0lo (156) Subscriber Badge on Wednesday August 28 2019, @12:35AM (#886529) Journal

      What if we just accept that IOT is a "BAD THING"?

      Like in "faith based lifestyle"?

      I still can't accept that it's somehow "good" for the manufacturer of my tools, appliances, and communications devices to spy on me.

      What the heck has "security" to do with "spying on you"?
      Would you feel better if the tool doesn't spy on you but every script kiddie can instruct it to kill you the first time you touch it?

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by Runaway1956 on Wednesday August 28 2019, @12:39AM (3 children)

        by Runaway1956 (2926) Subscriber Badge on Wednesday August 28 2019, @12:39AM (#886536) Journal

        You forgot that silly grin that seems to imply sarcasm.

        There is no difference between the manufacturer spying on me, and some script kiddy instructing my devices to kill me. None. Both are immoral, unethical, unwelcome, illegal, intrusive sons of bitches. For that reason, IOT devices are blocked at the router.

        • (Score: 2) by c0lo on Wednesday August 28 2019, @12:56AM (2 children)

          by c0lo (156) Subscriber Badge on Wednesday August 28 2019, @12:56AM (#886553) Journal

          No grin necessary in that case.

          There is no difference between the manufacturer spying on me, and some script kiddy instructing my devices to kill me. None. Both are immoral, unethical, unwelcome, illegal, intrusive sons of bitches.

          Don't be that stupid, the outcomes of the two are too different to reduce them under the same category.

          For that reason, IOT devices are blocked at the router.

          The fact that fire is good for keeping you warm and cooking your food doesn't make "keeping warm" and "cooking" the same.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 2) by Runaway1956 on Wednesday August 28 2019, @01:22PM (1 child)

            by Runaway1956 (2926) Subscriber Badge on Wednesday August 28 2019, @01:22PM (#886765) Journal

            Alright, lemme make this a little more clear.

            Frigidaire wants to spy on me. Frigidaire is unsuccessful, because my Frigidaire products are blocked at the router.

            Little Johnny Zithead wants to kill me for lulz. He reasons that if he can connect to my Frigidaire products, he can order them to - uhhhh - short circuit while I'm touching them? Anyway, Zithead fails, because my Frigidaire products are blocked at the router.

            The outcomes of both cases are great big nulls. No difference, OK?

            • (Score: 2) by c0lo on Wednesday August 28 2019, @09:13PM

              by c0lo (156) Subscriber Badge on Wednesday August 28 2019, @09:13PM (#886976) Journal

              The outcomes of both cases are great big nulls. No difference, OK?

              No difference to you. A big distance to "they aren't different at all"

              --
              https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 0) by Anonymous Coward on Wednesday August 28 2019, @01:46AM (1 child)

        by Anonymous Coward on Wednesday August 28 2019, @01:46AM (#886581)

        Would you feel better if the tool doesn't spy on you but every script kiddie can instruct it to kill you the first time you touch it?

        Maybe a little bit, because then at least the manufacturer of the device isn't being actively fucking malicious.

        • (Score: 2) by c0lo on Wednesday August 28 2019, @02:00AM

          by c0lo (156) Subscriber Badge on Wednesday August 28 2019, @02:00AM (#886588) Journal

          Well, indeed, a very heartwarming thought: you may still end up a dead body but it will happen while having a better feeling (grin)

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 4, Informative) by barbara hudson on Tuesday August 27 2019, @11:49PM (11 children)

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Tuesday August 27 2019, @11:49PM (#886496) Journal
    The less people trust this crap, the better. They are inherently untrustworthy even with perfect security, since you can't trust the operators.
    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    • (Score: 1, Interesting) by Anonymous Coward on Tuesday August 27 2019, @11:59PM

      by Anonymous Coward on Tuesday August 27 2019, @11:59PM (#886505)

      I wrote this crap for years.

      Do not trust it.

      The ODM/OEMs will short list your hardware so fast your eyes will spin. Microsoft has a better patching process than 99.999999% of these companies. Forget ever seeing a patch for that OpenSSH bug. It will never happen. But hey, all of the software is open source!

      All of them want to lock you into some monthly contract. For something that would *easily* run your own hardware forever.

      If they say 'for a low monthly fee' Just multiply it by 12 then by 10. Then say 'oh that would cost me blahblahblah over 10 years'. That number will be decently large. It usually shuts them up and they wander away for easier prey. But it is only 10 dollars a month. "oh 1200 dollars over 10 years assuming you do not raise the prices or are still in business, that seems excessive"

      Then on top of that assuming they do not have 100% access to all of your data. (they do)

      Do not walk away. Run.

    • (Score: 2) by c0lo on Wednesday August 28 2019, @12:44AM (9 children)

      by c0lo (156) Subscriber Badge on Wednesday August 28 2019, @12:44AM (#886543) Journal

      They are inherently untrustworthy even with perfect security, since you can't trust the operators.

      False, there's nothing inherently bad in IoT and "can't trust the operators" is not specific to IoT.
      Counterexample: the IoT gizmos that you build, have control over and operate by yourself. Plenty of things that can be done with microcontrollers these days, I did some myself.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 0) by Anonymous Coward on Wednesday August 28 2019, @01:37AM (3 children)

        by Anonymous Coward on Wednesday August 28 2019, @01:37AM (#886575)

        When people say IoT they exclude self-made, and mean mass market. This is partly valid, because the projected penetration in some markets makes /your/ interaction with /some/ IoT device(s) very probable, scaling with how much time you spend with others or 'out of base', and tons of variance eg. due to locations and who those others are, etc, but still. So from that perspective, your proof that some IoT devices (including selfmade) are free of the issues they take issue with, is fine, but independent of the fact that commonly problematic IoT devices may/are become/ing unavoidable.

        They're kind of, technically, wrong to exclude your devices from universal statements - aren't self-owned webcams IoT devices of an old order, ditto weather stations, etc? - but their mindset in this case is a very factory/urban mentality, where nothing is made or spent but money.

        For the specific issue of security - do you update your remote devices' systems? If not, then corp penetrations are /very/ commonly a smart nerd planting a raspi or whatever and not updating it. I expect your defences in depth reduce your attack footprint to eg. maybe a weather data pull and hopefully you have retained their cert, etc. reducing it to someone (ha) compromising a weather feed to poison your input (hah).

        But a thought, also: I hope you have water for your own needs siloed from this.

        Finally, thanks for sharing about it here but more than that, thanks for /doing/ what you've done. Your garden surely thanks you with life, and random internet people are heartened.

        • (Score: 3, Informative) by c0lo on Wednesday August 28 2019, @01:55AM (2 children)

          by c0lo (156) Subscriber Badge on Wednesday August 28 2019, @01:55AM (#886585) Journal

          When people say IoT they exclude self-made, and mean mass market.

          Abuse of terminology.
          Doesn't make the IoT concept inherently good or bad. Pretty much as with the "hacker" term. I don't intend to give up so easily the fight for the meaning of the words, I'm glad that I'm not alone (e.g. hackaday.com)

          ...but their mindset in this case is a very factory/urban mentality...
          But a thought, also: I hope you have water for your own needs siloed from this.

          I do. And the size of the garden is just at what I can afford given the most constrained resource.
          Applied engineering is a good way to fend off the "post-truth society" myths; there is an objective reality that "delivers punishments" whenever one thinks her/his mindset and opinions (meh, more properly to call them "delusions") are as good as any others.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 0) by Anonymous Coward on Wednesday August 28 2019, @01:04PM

            by Anonymous Coward on Wednesday August 28 2019, @01:04PM (#886757)

            Applied engineering, indeed - a term broad enough to include probably 80% of non-transportation calories spent hiking and camping. Or really, doing anything beyond consumption or pure entertainment. Constrained resources and insurmountable problems - of the type which Nature in particular is happy to provide, in particular - are the very best reality check. Even the insurmountable mosquito problem, though unpleasant, is a great reality check that even the air we breathe is full of things out for our blood.

          • (Score: 2) by slinches on Wednesday August 28 2019, @05:02PM

            by slinches (5049) on Wednesday August 28 2019, @05:02PM (#886882)

            Abuse of terminology.
            Doesn't make the IoT concept inherently good or bad. Pretty much as with the "hacker" term. I don't intend to give up so easily the fight for the meaning of the words, I'm glad that I'm not alone (e.g. hackaday.com)

            Language is what it is. Abuse of terminology means that there is a distinction that isn't being recognized in the language. If you want IoT to mean "network connected devices that have a primary function other than computing", then we need to have a term for the subset of those that phone home to servers outside the user's control that's better than "IoT". It has to be something that the device makers themselves won't object to, but clearly defines the distinction. Good luck.

      • (Score: 1, Informative) by Anonymous Coward on Wednesday August 28 2019, @01:48AM

        by Anonymous Coward on Wednesday August 28 2019, @01:48AM (#886582)

        PS - I don't advocate for shunning, but make note of barbarahudson's patterns. She cares about being inciting than insight, and - well, I refer you to https://en.wikipedia.org/wiki/On_Bullshit [wikipedia.org] and leave it to the community to mod her up when she deserves it, but hopefully only when she deserves it, not to default associate her brand with being a good actor.

        Her post above exhibits the pattern: "voice a locally popular, but globally unpopular opinion in a way that will make people nod their heads." Where local generally is SN or /. populace, but can be narrower or wider. Watch for that pattern!

        "Let's declaim our common values!" should get a +agree mod that doesn't bump total mod, but lets points be used and lets the receiver garner the social credit. We can't be rid of the social credit collectors, but we can have a system that allows them to participate without increasing the noise level so much.

      • (Score: 0) by Anonymous Coward on Wednesday August 28 2019, @07:06AM (1 child)

        by Anonymous Coward on Wednesday August 28 2019, @07:06AM (#886681)

        there's nothing inherently bad in IoT

        How come? Isn't the entire premise of IoT based around the premise of low-powered, always-on devices that use external servers for their processing (the I in IoT stands for Internet)? Doesn't that, by design, require a direct connection between a device inside your house of unknown capability and a server controlled by an unaccountable third party? How is that not inherently bad design?

        Counterexample: the IoT gizmos that you build

        Great, so it's an advertisement. How much market penetration do they have? Since it's probably less than 0.0001%, why do they matter in this discussion?

        No, I'm with the GP on this. The entire premise of IoT is hostile to consumers, and I will not entertain buying one unless the server-side component is open source.

        • (Score: 2) by c0lo on Wednesday August 28 2019, @07:19AM

          by c0lo (156) Subscriber Badge on Wednesday August 28 2019, @07:19AM (#886686) Journal

          Don't be an idiot. A single counterexample of an internet connected device that's fully under your control is enough of a counterexample for 'all IOT is inherently evil, by its very nature'.
          No assumptions on the market size are needed.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by barbara hudson on Thursday August 29 2019, @01:44AM (1 child)

        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Thursday August 29 2019, @01:44AM (#887107) Journal
        If it's on the Internet and depending on servers operated by others, you can't trust it. And I would never use an IoT crap:
        --
        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
        • (Score: 2) by c0lo on Thursday August 29 2019, @02:51AM

          by c0lo (156) Subscriber Badge on Thursday August 29 2019, @02:51AM (#887144) Journal

          If it's on the Internet and depending on servers operated by others, you can't trust it.

          I'm seeing two conditions, both of which can be false, and no 'code branch' to explain what happens in this case.

          And I would never use an IoT crap:

          I use them. They are designed and implemented by me and are using a server that I control - a computer at home, on a port that I allowed in the router, with a specific auth sequence on the server-side end of the protocol.
          Are they safe? Not exactly, they work from an open field location, anyone knowing where will have physical access to them.
          Since they aren't life critical, I don't care that much.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 5, Funny) by takyon on Wednesday August 28 2019, @12:32AM (3 children)

    by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Wednesday August 28 2019, @12:32AM (#886527) Journal

    The 'S' in "IoT" Stands for Security.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 2) by PartTimeZombie on Wednesday August 28 2019, @12:38AM

      by PartTimeZombie (4827) on Wednesday August 28 2019, @12:38AM (#886533)

      If you're going to make the joke, I'm going to mod it Funny.

      I don't make the rules, OK?

    • (Score: 3, Insightful) by DannyB on Wednesday August 28 2019, @01:26AM (1 child)

      by DannyB (5839) Subscriber Badge on Wednesday August 28 2019, @01:26AM (#886570) Journal

      The "SH" in IoT stands for security hardened.

      --
      What doesn't kill me makes me weaker for next time.
      • (Score: 2) by c0lo on Wednesday August 28 2019, @02:39AM

        by c0lo (156) Subscriber Badge on Wednesday August 28 2019, @02:39AM (#886603) Journal

        No SHIoT! Seriously, none of it.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 2) by Acabatag on Wednesday August 28 2019, @04:01AM (2 children)

    by Acabatag (2885) on Wednesday August 28 2019, @04:01AM (#886629)

    What the world needs is a lot more robust and user configurable egress control.

    People shouldn't be running home networks with porous firewalls. IoT gadgets should be whipped dogs that people have control over because they have the gateways in place to stay in control over them.

    It's a serious growth industry that needs to take off. It's also not something encouraged in today's environment.

    • (Score: 0) by Anonymous Coward on Wednesday August 28 2019, @05:07AM

      by Anonymous Coward on Wednesday August 28 2019, @05:07AM (#886652)

      That won't happen for the same reason IoT is insecure. Security is hard. Even the people who should know better routinely throw out securing things because it is too hard. The second someone hits a bump where their thermostat can't connect to Siri, their Roku won't stream Disney+, or they cannot access their Ring video, that egress filter will be turned off, permanently, and a bad review left wherever they bought it.

    • (Score: 0) by Anonymous Coward on Wednesday August 28 2019, @01:47PM

      by Anonymous Coward on Wednesday August 28 2019, @01:47PM (#886779)

      security: something you have.
      most iot shit needs a controller.
      iot shit has nothing, if lucky it has one button.
      what would go a long way to make iot "securer" if it required a physical key, like a usb thumb drive formatted by the controller, to be physically carried to the iot device and left plugged in until the controller and the device trust each other.
      but nooooo, it needs to be dumb, bordering and criminally st0pid user/customer safe, thus the iot device is broadcast discoverable, knows the cloud mothership controller (not manageable by customer) via hardwired dns name and has a default password ...
