posted by mrpg on Thursday December 22 2016, @09:20AM
from the Mirai-IoT-Botnet dept.

Canonical, maker of Ubuntu Linux and its Internet of Things variant, has discovered the obvious – that people cannot be trusted to secure their connected devices.

Thibaut Rouffineau, evangelist for Ubuntu Core and the Internet of Things, admitted late last week that developers and IoT device makers know people seldom update the firmware of connected devices. But, he argues, they probably don't realize how bad the security situation has become.

The distro maker says it surveyed 2,000 folks about how they dealt with connected devices. It found that less than a third of respondents (31 per cent) installed updates as soon as they were available. Some 40 per cent never knowingly updated their devices.

"In other words, consumers are leaving their devices open to exploits and hacks, from DDoS attacks to invasions of personal privacy or theft of personal data," said Rouffineau.

Why such disinterest? According to Rouffineau, almost two thirds of respondents felt that keeping software updated – their security – was not their responsibility.


  • (Score: 5, Insightful) by bzipitidoo on Thursday December 22 2016, @01:49PM

    by bzipitidoo (4388) on Thursday December 22 2016, @01:49PM (#444706)

    That we have to jailbreak our own property is bull. That there are reasons to want to jailbreak devices is more bull. The walls of the walled gardens are insidious.

    For example, my "smart" TV is corporate controlled and restricted to the max. The TV can surf the Internet, but has been artificially limited to only a few major websites such as YouTube, Hulu, Netflix, Amazon Prime, and about a dozen others all related to corporate controlled video. Definitely no Pirate Bay. Then it has "features" such as not only not blocking ads on YouTube, it does not allow the user to skip the first several seconds of an ad. The TV manufacturer controls firmware updates. Thing is programmed to download and install updates automatically if you have it hooked up to the Internet.

    For another example, I have a Netgear router/modem (model N450), which I recently learned I do not control. I own the thing, I do not rent it. The firmware can be updated, but guess what? The owner can't update the firmware, only the owner's ISP can do that. Can the owner simply prevent updates? No. Recently, the ISP I'm with merged with another. As part of this merger, they switched to the other ISP's firmware for my device, and this caused problems. Since that firmware update that I was not so much as informed happened, the thing has to be reset every few hours, or the WiFi drops out and packets get delayed longer and longer, making Internet telephony unusable. That was 2 months ago, and they have done nothing to fix the problem they caused, haven't even acknowledged that they screwed it up. You know how corporate bureaucracies are.

    Secure our IoT gadgets? Haha, they aren't even really our property! For those few of us who want to be "responsible", we first have to pry them loose from corporate control. First secure them from the kind of negligence monopolistic behemoths are wont to practice. To update is to risk them slipping back into corporate control. Never know when an "update" will actually be further restrictions. Remember that Sony removed Linux support from their PlayStation 3 with an "update". Microsoft is another who has repeatedly abused the trust of their users in similar fashion. Remember how hard they made users work to stop Windows 7 and 8 from being forcefully updated to Windows 10.

    I love these articles that blame us on the assumption that we actually control our own property.

  • (Score: 0) by Anonymous Coward on Thursday December 22 2016, @03:20PM

    by Anonymous Coward on Thursday December 22 2016, @03:20PM (#444733)

    > The TV can surf the Internet, but has been artificially limited to only a few major websites such as YouTube, Hulu, Netflix, Amazon Prime, and about a dozen others all related to corporate controlled video.

    But that is what you are buying, a device that adds streaming capability to selected services. You are not buying a general purpose computer with a TV screen attached. If you want that, there are other solutions. The problem, with at least this specific example, is your expectation of what you think you should get. I doubt you would make the same criticisms of your "smart" refrigerator, but since your "smart" TV looks and acts a lot like a computer, you extend expectations onto it that you probably shouldn't.

    • (Score: 2) by bzipitidoo on Thursday December 22 2016, @04:15PM

      by bzipitidoo (4388) on Thursday December 22 2016, @04:15PM (#444749)

      > But that is what you are buying

      It is not clear that the smart TV is crippled. It is obvious (to me and many others) that the smart TV is in fact a general purpose computer, preloaded with software/firmware. So why shouldn't it be able to view any website? Run any browser? I suppose it's possible that it has dedicated hardware decoders for various compressed video formats such as H.264, and only just enough memory to stream video and run a very limited interface. But I doubt that. I should think a smart TV has more hardware resources than dedicated firewall or router hardware, and it is possible to install Linux on them. It's definitely not lack of capability. Is the buyer supposed to believe and accept that the TV isn't capable, that it's a special purpose gadget, which is not true, and not even ask questions about why it isn't programmed with the ability to surf the entire Internet? That it's like an old dumb TV, only an incremental enhancement of those? Evidently so, or maybe they'd call it by some other name than "smart TV." A video cassette player can't play a DVD, as it simply lacks the physical interface, and everyone understands that. But this smart TV?

      They don't make it clear just what is meant by "smart TV". Not the first time they've made a confusing mess of consumer electronics for entertainment.

      • (Score: 1, Interesting) by Anonymous Coward on Thursday December 22 2016, @07:24PM

        by Anonymous Coward on Thursday December 22 2016, @07:24PM (#444814)

        Yeah, the "you know what you're buying" is such a crappy line of defense. It is the same line of thinking that initially had tethering your laptop to your phone costing $10 for the privilege (with no extra data), or selling $500 routers that simply had some software enabled. There is no logistical reason for such moves, just greedy profiteering.

  • (Score: 2) by Hyperturtle on Thursday December 22 2016, @04:29PM

    by Hyperturtle (2824) on Thursday December 22 2016, @04:29PM (#444755)

    That's too bad that you learned this the hard way.

    I've learned myself to never buy a cable modem or DSL router that has a combination of services. Only buy a direct connection that allows you to hook the internet, and something fancy on your side. You can go all out on what you have on your LAN; if the ISP controls the internet connection then don't let them control your fancy device. Get a less expensive/specific purpose device for that.

    You will never control the firmware on the router or modem that provides you the internet connection with residential broadband. Never. You can always control the network device you connect to it, unless you buy something specifically giving it up to the cloud anyway. Then it's just a matter of having split up your loyalties to different masters.

    I have a cable modem that I bought, not because I wished to own a cable modem, but because the rental fee for 10 months of use exceeded the cost of the best "dumb" modem I could buy at the time. It's paid for itself in the savings; the lease costs per month have only gone up. (I did have to return the previous modem back to the ISP, and get a receipt demonstrating this so that I did not pay for it indefinitely.)

    Connected to that I have other stuff that I control; I even recently used some of that to block automatic telemetry from video card and solid state disk drivers... by installing these I agree to be spied on and my info shared with valued business partners? Sure, let me watch it try to connect so I can block it, thanks. What are they going to do to me? Not download updates without asking? Sounds like a fair trade to me.

    It's not enough to set such limits per PC; and if I did it on equipment someone else managed... MS ignores the host file and Windows firewall rules for the telemetry to their own stuff. AMD opened ports on the Windows firewall to let itself talk and the preferences ignored my settings to "don't check for updates, don't nag me"--it only stopped when I blocked its access.

    New stuff will continue to do this; to exert control, you need something on your network that not only you control, but isn't dependent on the ISP or running on top of your desktop (or even a server that might allow things out due to various wizards). IoT stuff likely should have its own network segment so you can just turn all that off or greatly limit it without thinking much about it, and be able to do so without impacting your regular use network.

    It may sound like a bit much, but viable options include DD-WRT on old consumer hardware; if you get too cheap it'll slow you down (slow radios or interfaces or CPU), unless you have the device act on the network as an appliance/tiny server, rather than in-line like a router or firewall (use it like a proxy or DNS server for filtering, or as an access-point with the same features enabled as well on the wired side, so that you get some additional use out of it).

    That can do the trick quite inexpensively. The real issue is learning how to do it, and it might take time... but the good news is that you don't have to do it all at once. You can keep using what you have and migrate away from it, then treat the modem as a dumb device beyond your firewall.

    • (Score: 2) by bzipitidoo on Friday December 23 2016, @04:26AM

      by bzipitidoo (4388) on Friday December 23 2016, @04:26AM (#444923)

      It's not that I didn't know there were risks. It's a judgment call. Is it worth my time to thoroughly investigate networking hardware? I really do not want to spend time on that. Should I have to, to avoid corporate control of my LAN? I should also spend time backing up my data, setting up anonymous browsing and file transfer services, keeping Windows on a tight leash and scanning for viruses, blocking spam, jailbreaking my tablets and smartphones, flashing Rockbox to my music players, hacking around DRM on inkjet cartridges and copy protection on DVDs, etc. I've tried to find broadband Internet service that's not enrolled in one of the more recent abominations from Big Media, the Copyright Alert System, but so far, no luck.

      I do most of that crap, and I get tired of the endless battling in these long wars. I don't want to be a reactionary system admin, I have more interesting and positive work I wish to do, like keep up with the latest in software engineering. I still feel confident that the people will eventually win these wars. But it's been over 30 years now, and many vendors are still bedazzled over the whole idea of intellectual property, still think they're within their rights to lock up information, accuse the whole world of wanting to pirate their works, spy on their customers, demand ridiculous legal protections at great public expense, run absurd and insulting propaganda campaigns, and whine about the very laws of nature making DRM impossible to successfully implement.

      When will this attitude ever change? I'd like to see the law enforcement badges and the scare language and propaganda banned from rental DVDs and all other video products. Most definitely, I wish we'd sanction companies who write unenforceable and overreaching EULAs, put a permanent end to that practice. Maybe precedent could be the case over the billboard in a predominantly poor part of a city warning voters that it was a federal crime to cast a vote under a fake ID, punishable by up to 10 years in prison. It was so obviously designed to scare voters away, and the courts ordered the billboard taken down.

      We've made great strides in product safety. Manufacturers used to be a lot more cavalier about the dangers of their more dangerous products, too quick to blame it all on the customers whenever someone got hurt. Automobiles in particular have made huge advances in safety since the 1950s. Yet they remain one of the leading causes of early death. There used to be all kinds of use of radioactive materials before we understood the dangers of radiation. Now we don't use it casually-- no more radioactive watch dials! So I have hope.