Those of us who are interested in such stuff will be aware that the so-called Internet of Things has an awful lot of buggy, insecure cheap tat that can even be repurposed for use in botnets. At the same time, controlling things by the Internet is useful.
I would like to hear ideas from people who are working on projects to build secure stuff for home automation and the like. Currently I have been building a number of simple automation devices that have no Internet connection at all and do simple repetitive tasks - like watering the greenhouse.
As an example of what I mean, I am thinking at the moment of a way of remote controlling my boiler when I go away in winter that is effectively secure. Basically, I donât want a Nest type device that, if hacked, could do serious damage. I want something that lets me turn up the heating and heat the hot water a few hours before I get home.
My draft design uses a dumbphone, a microphone and a time relay. Calling the phone will turn on the heat for a period defined by the timer - probably 24h. There is no way to turn it off remotely or interfere with the thermostat. To check the house temperature, I am thinking of putting a thermometer with a large LCD scale right where one of my monitor cameras can see it. Thus the system is completely airgapped; the worst an attacker can possibly do is turn on the heating for a day. Once on, it canât be turned off except by the timer, so it wonât be possible to damage the boiler by repeated switching.
Now I know this is paranoid design but it is also rather simple and cheap and I donât have to worry about hacking.
Once I have this one going Iâll publish schematics if anyone wants them, and Iâd be interested to hear what other ideas people have had. For the electronics side I tend to use PICs which are grindstone reliable and which are running assembler on bare iron, but thatâs just me.
Iâm still learning about all of this, myself, but definitely see a lot of potential benefit to finding ways to control bits of my house remotely or automate them. I canât offer much, except that I am incredibly tired of reading daily articles on The Other Site panic-mongering about âThe Internet of Shitâ.
Well thatâs is Cory more than the site.
I love some of the remote and smart technology but 99% of it does not need to be accessed outside of the internal home network. Sadly we are going to need something that makes mirai look like it was a mere annoyance before it is taken seriously by the end users.
I remember melissa causing a stir at work way back when and my comment was we were lucky it just spamed mail and I had seen similar annoyances on mainframes a decade earlier but the general end user population still didnât get it till the next variant ILoveYou came and that nuked all their local hard drive data and anything on a mapped drive. Until the infection starts impacting the end users enmasse we are going to have what we have.
From what Iâve seen, so far most of the Internet of Things is the Internet of Shit. The best route seems to be what @Enkita is working on, where you roll your own rather than a complete solution off the shelf. A little like the early days of radio or home computers, I suppose.
I like the point that a lot of this home automation doesnât need internet access, or at least not the always-on, canât-change-your-password variety often on offer. The off-the-shelf stuff seems to be always rushed to market.
Iâm not into automating much â the condo I live in is too small for that â but I am working on getting all of my data platformed so backups and transfers are no-brainers. Nearly there.
Oh, absolutely, I should have clarified. I pretty much assume anything Cory posts is going to be HuffPo-level hair-on-fire tabloid-speak thatâs either entirely made up or greatly exaggerated/misinterpreted.
Cory is correct on this issue. IoT is not ready for prime time. A lot of that has to do with the technology not being mature enough yet, but some of it has to do with the vendors themselves not understanding IoT. A gimmicky single purpose device thatâs incompatible with everything is not IoT, and neither is slapping WiFi on something that doesnât need it.
If Cory is guilty of anything, itâs nutpicking the worst of IoT and writing only about that. IoT has a long ways to go, and I wouldnât buy anything off the shelf that calls itself IoT, but as a hobbyist I like the concept, and like reading about other hobbyistsâ experiences with IoT.
Heâs correct in his details, yes. Iâm not arguing that heâs wrong in saying that the security of IoT devices is questionable and should definitely be treated carefully by consumers.
Declaring every single household item with wifi or networking built in as âInternet of Shitâ is the hyperbole part that I roll my eyes at.
Could be. We now live in a world where two superpowers, the US and the UK, have had recent elections swung by data scraping Facebook. The battle for privacy is beyond credit card hacking and camera hijacking. These IoS items just poke more holes into regular citizenâs defences. To me itâs less 1984 and more the dystopia William S. Burroughs described in Naked Lunch and elsewhere.
IoT is a good idea in theory. As always, itâs the implementation thatâs the issue.
The main problem with IoT is consumerism, where solutions-in-search-of-problems are marketed and companies put forth minimal time, effort, or money to properly update devices - as well as using them for rent-seeking and collection of personal data.
One thing I have reminded people about in Coryâs articles (and never gotten him to respond to) is that most Internet of Things have been and are open-source efforts of the maker community. It is only very recently that large corporations have begun to try capitalizing upon the open work that has already been done. Try doing a search on github.
Itâs an interesting point of comparison though: Phone phreaking was mostly about using tone control systems in ways that werenât secured because attacks from that direction werenât expected.
[Boundary case: the recent UK press âPhone Hackingâ was abuse of remote voicemail access on mobile via still-default PINs, because folks didnât know that remote access to voicemail was a thing. ]
Most of the the IoT system hacks are because the devices are based around embedded systems (usually Linux) that arenât patched or patchable, or sufficiently locked-down, and too frequently with default passwords that arenât required to be changed and with hard-coded âmaintenanceâ accounts and credentials.
The IoT issues are foreseeable, because in large part theyâre mostly the same as with every other Linux (or even Windows) system, but it costs more/is less âplug-and-playâ to enforce security, and test and roll-out remote system and security patching.
Like phreaking, most of the attacks arenât rocket science, but unlike with phreaking, they are absolutely predictable, preventing it just eats into the bottom-line.
Thatâs not to say that positive examples of well-made commercial IoT services couldnât be squeed-over, mind. The ideas are often great - and hey, âwe liked it and when we threw x/y/z attacks at it, it held up, so it looks safeâ would be a great review.
The worst they can do is turn the heating on for a day. However, I am looking at ways of whitelisting only permitted phones, if it isnât too inconvenient.
Yes, and heâs correct to be worried. Between the potential for millions of the devices to be hijacked and the potential for targetted hacking to turn the devices on their owners, the piss-poor security of these little Internet-facing systems is an issue that most consumers arenât aware of. I would prefer that he spent some time pointing out IoT devices that do follow best security practises, or at least ones that can be hacked/flashed into doing so.
When I move into my new condo I plan on doing some home automation (mainly lights, blinds, security dropcams and media stuff). Iâm already expecting to do a lot of DIY/open source tinkering and (on the consumer devices) security hole patching. Iâve come to the conclusion that a secure and highly configurable central router will be the best place for me to start, and that any IoT device I hang off of it will have to play nicely with it rather than vice-versa.
The IoT isnât ready for prime time yet. I get that, we all get that. But if thereâs a future for this, and if we will see very clear benefits once it is ready for prime time, how do we get it there? What do we as hobbyists need to do to move this technology forward?
What I donât get about Coryâs reporting is that he seems to pooh-pooh everything IoT as too complicated, too gimmicky, useless, etc⌠And a lot of it is, for reasons I mentioned earlier. But his criticism does not really come from a place of honest critique. He sees the privacy risks as so great that he will do whatever it takes to discourage the IoT, even if his concerns are baseless and not related to his main issues.
