I mean he did unplug network equipment and MiTM, if this isn't illegal it probably should be. I see ethernet cables all the time in things like hospitals and hotels, should anyone be able to simply unplug them and put their laptops in the middle?
Yes, anybody should be able to do that with no legal consequences. If you don't want to give people access to your network, don't provide them with a fucking port and cable explicitly designed for doing so.
Come on now, you really think people should be able to unplug cables anywhere they go? This could have major consequences at a hospital.
Edit: Completely agree Ska, no excuse for making it this easy. I'm just pointing out that just because it's easy to pick a lock or unplug some wires to MiTM doesn't mean it should be legal.
People shouldn't unplug equipment in a hospital without express permission, sure - they shouldn't do it in your home either.
If your security model relies on this, though, you have failed. Period.
It is maybe a little fuzzier in a hotel (should I be able to stream content to the TV from my device instead of paying you extra for a movie?) but similar applies.
Yes, if it's accessible, and nothing implies that you shouldn't - why not?
If a cable is not meant to be unplugged - there should either be a warning sign/message, a protection measure (even a nominal one, serving as a mere warning), or you shouldn't normally get access to it in a first place.
Obviously, there is common sense, too - you don't plug some working medical equipment, even though there may be no warnings - it's implied that it's commonly understood that disconnection would interfere with device's operation and endanger the patient. Or you don't suddenly turn off someone's PC at office just because the power outlet isn't covered by the table.
The door example is also misleading and plain wrong analogy. We're not talking about trespassing on others' property. When you rent a room, it's a common sense that you shouldn't steal the TV from it, but nothing tells you if some random Ethernet cable is some private network or just a WiFi replacement. It's the same as any other electrical socket (well, except it's a plug, not socket) - nothing implies that you can't use it, as long as you don't cause any damage to the property. If a rented room has a floor fan plugged in, I doubt you shouldn't be allowed to plug it out or even satisfy your curiosity and measure how much power it consumes. As long as you don't damage anything, of course.
There are too many people out there who want to plug in some odd lawmaking solutions (always, restrictions) that don't actually solve anything.
But what if you leave your door unlocked, or it isn't locked in a secure enough way?
Who is the guilty party?
Really, this is just social/legal understanding. It's unacceptable to open someone's door -- even if unlocked -- but acceptable (?) to wire yourself into someone's network if unguarded.
I feel like I'm missing out on a huge bulk of money simply because when I have ideas of "Internet of Things", I cant get over the security obstacles and cancel the ideas. If only I just didn't care (or didnt know) and just implemented whatever the heck brought in money from oblivious customers.
I wonder if the competition wouldn't just skip the security, then beat you on the price because you are paying lots of money for security experts. Most customers don't care about/understand security and your company fails.
Find a way to demonstrate the flaws in various products, aim for non-consumer markets. Businesses that have an actual motivation to have secure devices like the hotel in the article would be more inclined to spend the extra money, especially if it at least eliminated a trivially hackable configuration like, again, in the article.
Or you could just implement them as-is, earn a shitload of money and then enhance their security in the next version or with a firmware update once you'll have the luxury of investing in R&D. At least it's better if a security-wary entrepreneur implements them instead of someone who simply doesn't give a flying fuck.
It is either possible to do something securely and won't really take significantly more time, or it's not possible to do it securely at all, and no future update is going to fix it.
I think the parent post is talking about a design for security rather than fixing security bugs. A device or system designed without security in mind likely isn't going to get security as a priority at any point in its lifetime, or isn't going to be worked on by security minded folk. Any updates are likely going to be superficial, poorly implemented, or simply not a priority for the developers.
In regards to IoT devices, as the article is lamenting, many are designed with no security in mind and instead seem to be thrown together as quick as possible to achieve a function, without considering the implications that a security breach may have with said device. (e.g., IoT baby monitors, thermostats, home locking systems)
There's a difference in security issues due to programming bug vs insecure design.
If an application was created without security in mind in worst case it might require complete rewrite. In other cases it might be a whack-a-mole game.
For example compare ssh vs application that simply opens port and starts bash as root. You can use both to control your server, but if you want to add security it would be a lot of work (you could incrementally add authentication, encryption, maybe restrict user what s/he can do but there will be million and one ways to escape).
After fixing one issue after another without seeing the end you'll realize it would be less work to just rewrite it from scratch with security in mind.
Keep in-mind that we're talking about always connected devices. Firmware updates could be done remotely without the end user needed to do anything, except perhaps give his approval.
So we're back to a couple of comments above: suggesting that people actually upgrade firmware.
An opt-in switch is merely convenience for the incredibly thin % that bothers with this kind of thing. And that % will actually be informed enough to not opt in.
Come to think of it, that % will likely be informed enough not to buy this kind of device in the first place.
Opt-in just means nobody gets updates again. I realise this is more a techy audience but think of these things from the mainstream perspective. Especially when the tabloids and social network copypastes get the word out that hackers can turn your oven on or something if you enable updates
Tesla has a pretty vested interest in shit keeping working considering it's a pretty luxurious and high-profile product. The cut-price manufacturer of your $20 lightbulb or $300 fridge? Not so much.
The cheapest Chromebooks ship at $149 and have a pretty much unbrickable automated update flow that includes the firmware for the CPU and embedded controller(s).
It's not a matter of luxury, it's a matter of having people work on it who care.
Except when you're abroad on roaming cellular charges, and your three laptops decided that since your iPhone's personal hotspot is WiFi, it's time to download today's ChromeOS image version, because the one you had downloaded the night before was not good enough anymore.
Source: Chromebooks are awesome, and even with excesses like this, they're still the cheapest to operate by far.
Chrome OS tries to honor various DHCP server flags that state that the connection is metered. Unfortunately iOS doesn't seem to provide any such indication.
A comment in https://bugs.chromium.org/p/chromium/issues/detail?id=323010 claims that the BSSID is used for a "suspected" state, but that may not be enough to actually stop it from downloading updates, but I'm far from an expert in that domain.
In short, identifying tethering states with iOS seems to be hard.
You can determine whether the network is a Personal Hotspot heuristically. It is nice of them to have implemented private DHCP flags in Android, but if you routinely pull hundreds of megabytes without user interaction...
Then the opportunity is to convince customers why they should pay more for well-supported connected products. Easiest way is to make high-margin products.
That's the Tesla case. Or alternatively the Apple case. The vast majority of customers go with not that, and history shows you won't convince them the intangibles are worth it.
If you connected fridge can brick itself in such a way that it stops refrigerating things then it wasn't worth buying in the first place, especially for things like this where you could end up accidentally poisoning someone the failsafe in case of software failure should be switching to an old school circuit that just keeps things at a fixed temperature.
Sure, I'll tag along. Problem is in a few years you may not have a choice because all fridges will be Internet-enabled by default. It's already happening with TVs where 70% of new sets are smart TVs. And you know, personally I don't mind because if it bothers me too much I'd just make sure that the damn thing never gets online access but I doubt the average consumer could go in such lengths. So instead of moaning and bitching about it perhaps we, as a community, ought to think about ways to solve security issues. Otherwise the industry will just go ahead and build them no matter what.
There are way to build things so that this isn't a problem. Modularize.
It's easy to build it in a way so that the worst that the software can do is cause it to turn into a "dumb" fridge.
My problem with this whole hatred of iot is that it's not productive.
it's a bunch of people commenting how the trend is dumb and how everything was so much better in the past. Nobody ever gives suggestions on how to improve it, or how to fix some of these issues, or even what they would like to see. It's always just "Who wants a wifi light switch anyway?" or "Oh great now my door lock can freeze".
> It's easy to build it in a way so that the worst that the software can do is cause it to turn into a "dumb" fridge.
If it's so easy, why don't more companies do it? Why didn't Nest build their thermostats so that when the battery runs out, it reverts to a "dumb" thermostat instead of turning off your heat? http://www.theguardian.com/technology/2016/jan/15/bug-nest-t...
It's clearly more work to do it that way, as you'd need multiple "layers" of firmware/code which all need to communicate and run on their own, but i personally see that as insurance against the exact situation you are describing.
Nest is far from what i'd consider a good IOT company. They are the epitome of vendor lock in, proprietary and buggy code, and shitty support.
I'd consider Philips one (specifically whatever part of the company does Hue products; even with their recent base-station changes to only work with their bulbs). I don't think their base station has EVER crashed on me, not once. They made sound architectural decisions for the product as a whole - it's not some bloated Linux thing but it runs FreeRTOS and does only what it needs to. I have one of their push-button kinetic power light switches in my setup and I've forgotten that it isn't an old-school lighting setup most of the time. That's because of another good architectural decision - they had the sense to decide that simple RF code-sending to the base station was good enough for the switch, rather than trying to make the switch into some kind of Wi-Fi connected thing running a TCP/IP and web stack (did I mention the switch needs no battery or external power of any sort?). The system stays out of my way and just works when I want it to, while still allowing me to dig in and add-on cool automation where it's appropriate.
The thing I don't get with 'control everything with your smartphone!' is that people don't think about everyday use. It's like the people that design these products don't look at the actual, repeated use cases. Why would I want to pull my phone out of my pocket, unlock it, find the app I need, launch the app, wait for it to connect, hit the buttons I want....
(Even when I'm on Android and I can have an IoT control widget on my homescreen, that's still pulling the phone out, switching it on, unlocking it with my fingerprint, finding the page, hitting the button.... oops I forgot to turn Wi-Fi back on, better do that....)
I think IoT is great, but to do a great job at it you need to design the product with that in mind to begin with. The whole architecture of the product has to fit (see again, Hue). Sure, picking an Android tablet is easy, but why would you architect all that complexity? Why not a touchscreen device with a really simple real-time OS that does only what it needs to do?
I'm confident that this will all be self-correcting in the end. Consumers and 'the market' are smarter than we give them credit for. Certainly it takes a long time for them to react, but I think that when enough of the public is jaded by 'bad IoT' and the fad phase has passed, the actually good IoT products will survive and those companies that really think about their designs as a whole will be rewarded.
To be fair, most "dumb" thermostats still require an external power source to continue to operate.
Very few actually pull operating current from the 24v C wire if it even exists on the given system. If it doesn't, R (the switched 24v power for Heat and Cold signals) isn't guaranteed to continually have current. Only when your Heat is turned on (probably a standard toggle lightswitch on the side of your furnace) will there be current on the Rh line, and only when your AC is enabled (possibly a breaker shunt on the side of your house near the condenser unit in a small box) will there be current on the Rc line.
Nest tries to recharge it's battery by trickling the C wire, if available, and if not it will try to charge off of one of the R wires, either during normal operation, or it will try and "pulse" the heat signal to pull a little bit of current to keep going. Thermostats were designed at a time where they didn't even consume any electricity on their own. We're trying to retrofit computers into signaling system, not a circuit.
The GP is right: most new thermostats don't take power from the 24VAC line. That surprised me when my heat wouldn't come on one morning because the battery was too weak to pull in the relay for more than a few seconds. That's what I get for ignoring the "low battery" warning! All my previous electronic thermostats only used the battery as a backup.
In any case, are you really saying that using a toxic metal (mercury), or an imprecise bimetallic strip is really an improvement over a simple $10 electronic thermostat?
I should have been more specific by stating the difference between a dumb digital thermostat as I was describing, and a truly analog thermostat like the Honeywell T87.
A dumb digital thermostat is just a thermocouple and a relay, which you could rig together with very little EE knowledge and a weekend with an Arduino.
I think it's because it's so prevalent. If your car had a faulty AC unit, you wouldn't swear off all cars, because most cars don't have that problem. But I feel like we're all still waiting for an Internet of Things Thing to show up that's actually done right. And it's been long enough that if nobody has done it right so far, it seems like a distinct possibility that nobody ever will.
>And it's been long enough that if nobody has done it right so far, it seems like a distinct possibility that nobody ever will.
But it hasn't been that long at all, and there are people doing it right.
The problem is that they are expensive and don't offer the same amount of features that some people want.
Take the "traditional" smarthome networks like z wave and friends.
I have a z wave light switch that works as a lightswitch 100% of the time. I actually installed the switches before i had a controller for them.
Add a controller and you have a "smarthome".
Connect that controller to your wifi and you have the ability to control these things safely from within your own network using anything from a bash script to shitty iphone apps.
Connect that network to the internet through a firewall and an authentication system and you now can control all of that stuff securely across the planet.
If any one of those breaks, functionality is reduced. Internet is down, i can't control it outside the house. Controller goes down, i can't control them as groups or from within the house but still "remotely". But it will literally always turn on/off the lights when i hit the switch. I don't need to worry about the security of a cheap chinese zwave knockoff thing because the controller is that gatekeeper.
That's IOT done right.
But people don't want to pay the money for that, they don't want to pay an electrician to come out and install them across the whole house, they don't care about security or what happens when the internet is down, they want a light they can control from their phone for as cheap as possible as fast as possible. And of course when people are asking for a product, manufacturers are going to make it.
Indeed, I'm quite happy with my INSTEON system. They're stylish, high quality in wall switches, they have a very reliable (though unfortunately proprietary) communications protocol. The serial and USB adapters for them are easy to code for and there's a variety of third party control programs available. I'm writing my own actually. They also now have a cloud hub for people who want that sort of thing.
Under pressure in an interview, yesterday, I found myself saying "'The Internet of Things' is short for 'The Internet of Things you don't need, sending surveillance data you don't want, to people you don't know.'"
Nah companies want obediant placid fungible workers not free thinkering radicals. Even the hipster ones that let you work remotely and choose your own projects and stuff.
I argue to people that I'd rather have my photos on Googles servers than on the friendly local Dropbox clone.
Why? Because I know Google has systems in place to detect sysadmins browsing in data unrelated to their job and I know they have fired people over it even if was tought to have been done with good intentions.
Edit: as for tracking I wish they would up their game and stop providing ads for <insert eastern country here>-dating.<tld-of-the-day>
I wish they would take into consideration that I am happily married with more than 3kids, belongs to a subset of the population that has way less than 10% divorce rate and I might even be in the market for a new car at some point.
At the interview for my current job I was asked how I'd secure a remote service. My first response was along the lines of "Ask someone who actually knows about security, because I know just enough that I'd probably mess it up".
I worked for a startup and found cross site scripting vulnerabilities and other issues like GET urls for deleting things. I was told to leave it alone and not "waste my time" because we dont have a lot of users and we weren't popular. I cringe at the justification. Security should be a necessary skill. It shouldnt be something after the fact
I think they were right to tell you to leave them alone, but a better answer would be: "we'll add them to our backlog (or whatever way you manage issues or work), and get to them by X iteration". As long as you were really working on an MVP and not a version 1.x .
The problem is those things end up being forgotten or interfaced to in so many places that in the end they become un-fixable or won't be fixed to keep other stuff running.
I was thinking more of a throwaway prototype, but the answers on other threads convinced me it wasn't good advice, and I don't know what stage the OP's startup is.
That's technical debt, and it's hard to fix. A prototype, sure, it can have flaws, it's a proof of concept of feature X, not feature X SECURED. But then the release has to be a rewrite. If it's not, those flaws are more likely to become permanent. And when they do begin work on repairing their codebase, they'll spend several times the money and time to fix than if they'd spent some time early on. They'll also likely introduce numerous other issues in the process.
Ok, I'll clarify: I think they were right as long as it was a throwaway prototype. And the GET delete operations are probably a bad idea even for a prototype. I was thinking of a rewrite for release 1.x.
I don't have enough knowledge of the stage the OP's startup was to have answered, so I stand corrected.
These days, this is the kind of thing I negotiate up front. When they ask me how long something will take, I explain that they can have a prototype quickly, but only if they promise to throw it away as soon as the experiment is done. I explain that they can have me build a movie set or a real house, but that there's nothing in between. [1] And then I leave the choice up to them, explaining that it's really about their business judgement.
Generally people keep their promises on this, although sometimes it takes a little reminding. When they do, the business benefits are substantial. A good product person really benefits from doing quick, cheap experiments. And they also benefit from having a solid platform of high-reliability code for production use. But they can only get the benefits of both if they're careful not to mix the two.
I'm old and have been in this industry a long time, and I'm genuinely surprised on those oh-so-rare occasions when what you describe doesn't happen.
Prototypes-become-products is a trope much like _The Mythical Man Month_. We all nod knowingly when it is mentioned, we all know how it will turn out, and then we (well, management dictates that we...) turn right around and do the opposite.
I call this the "we don't do anything special" fallacy. They consider hackers to be something like in the movies where a team of slick black leather clad folks plan a digital heist, and why should a bunch of movie stars care about our little business.
In truth it's much much more like how Google just has computers trying to index every site on the internet that they can find. Most of the attacks these days are broad searching things, just testing every exploit they can against every site they can.
Also, seriously, Google will find and index those GET+DELETE non idempotent URLs and ruin their day.
Absolutely true! I have to tell people that many attacks just try every door to see if its unlocked. They are not movie plot-style targeted attacks. And such an attack can and do lead to data breaches!
This is why I absolutely believe and publicly talk about security being a matter of developer ethics. I have used my walk away power to get a company to do the security they needed in a similar, but not quite the same type of situation.
I build stuff like that - my approach is to limit capabilities to the absolute minimum, and anything that is not needed for function but necessary for debug/diagnostics stays on the device rather than going across the network. This limits the devices a fair bit - firmware update across the network with no local interaction is not allowed, nor is accessing the local data store. Want to email me and talk about this?
Absolutely - and for a light switch it's appropriate. As an example of a thing that needs internet to function, consider a heater controller that has a high power and low power mode depending on momentary cost of electricity - it fetches price data across the network, and it's important to log things like temperature at various points of the device for diagnostics. Now, it's very tempting to send the diagnostic data across the network, but this leaks usage information. It's also tempting to allow things like remote configuration, firmware updates and reading device memory for debug, but that can leak network access credentials or make the device a beachhead for access to the internal network. This is why any feature like that is to be avoided and, if present, needs to be activated from the device itself, not remotely. If you NEED remote control, see if you can limit its scope of functionality to the bare minimum, and consider who needs access to it - in the case of the heater controller, the provider of the pricing data doesn't need to know or control the state of the device, so there's no need to allow that on that connection. Where possible, make the device a CLIENT rather than a SERVER - have the device itself initiate connections, to an address that is entered by local interaction, rather than accept connections from anywhere. If you MUST break those rules and accept connections from anywhere, that's when you really need to spend a fuckton of effort securing every aspect of your device, client applications, and protocol.
Good point, seems like places get sold products that are smoke and mirrors. If they knew what was going on in the background they would be shocked. Best plan is to build up a big customer base with a smoke and mirror product and then sell out and hope you don't get sued.
Yes, I'm sure that the only thing standing between you and untold riches is your resistance to lax security measures in app-controlled sous vide machines.
The security risk in an app-controlled sous vide machine includes starting a fire that burns your house down.
- Sous vide normally uses a water bath at a controlled low temperature over a long period of time.
- Hike the temperature up past the boiling point, and the water is evaporated, allowing you to hike the temperature up to ignition points.
- Or, cycle the electronics fast enough to overload the power supply. If it isn't designed well, either the wall circuit blows or the power supply bursts into flame.
- In any case, the expectation of a long unattended cooking process means that human observers might not be in the loop.
It seems unlikely that the device received a UL certification without a simple thermal cutoff switch that is common even in low-end cooking appliances.
Even without deliberate hackers, the device needs to contend with software errors, running without water, or a stuck relay that could leave it boiling dry and overheating.
You just need to look at Therac-25 for a device which lacked hardware interlocks/cut-offs, had flawed/buggy software interlocks, and still received certification.
You mean I only need to look back 35 years to a professional medical device built when computer control was still very new and that wasn't intended to be operated by unskilled consumers, and wasn't certified by to be safe for home use?
Therac's often used as the "canonical" example, but there are more recent issues that stem from a lack of a physical interlock:
- VW's dieselgate (although that was intentional)
- Virgin Galactic VSS Enterprise crash
(yes, designed for a skilled operator, but still: no interlock on the brake)
- Pyranha Moulding's industrial oven [1]
- Hotpoint tumble-dryers catching fire [2]
Even without network connectivity, household products still get recalled for issues such as fire risk, because they lack things like thermal cutoffs, or the cutoff is in some way inadequate.
Perhaps 35 years ago computer control was still very new, but right now, IoT is very new, so there's a whole new world of mistakes to learn from, and the evidence is very clear: serious mistakes are being made.
Android/iOS is an interesting idea for a business.
They already have secure app distribution. A private channel in the Google play store or via app store adhoc.
Communication between the devices via a server should be possible at least using HTTPS but also private/public key encryption. Doesn't have to be an actual server just one of the devices in server mode.
The difference between you and the dunces building things like this hotel light system is that you know that there's a problem and will work to fix it. As the market matures, security will become more important. But the only companies with the chance to fix it will be the ones with substantial market share. And the people who will fix it best will be the ones, like you, thinking about security from the beginning. But that can only happen if people like you get in early and lay down the infrastructure in a way where security will at least be possible.
I am coming to the conclusion that these devices should be treated like every other URL on the web. It should have TLs with a proper cert, a global domain name, wifi, and access controlled by something well known like Openid/oauth. With native apps and CORS firewall traversal is solvable without special protocols and adaptors.
This is the unfortunate outcome of a bunch of factors.
OEMs moving to XXX over TCP protocols which have zero security by default and documenting this in the datasheets.
VAR installers switching to the newer products because CAT5 cable is cheaper and easier to pull than what they used to use.
The previous solution was just as insecure but harder to hack because you needed more specialised equipment.
I'm not sure how we are going to fix this without getting the OEM industry and the industry bodies behind xxx over TCP to understand that they need to bake a security model in.
I couldn't agree more. It shouldn't surprise anyone that cheap outfits are cutting corners on something optional.
Structural engineering solved these kinds of problems with building codes. While I'm not sure that's the answer here, I think most people would welcome guidance beyond "just put whatever devices you want on a shared network and hope for the best".
> Structural engineering solved these kinds of problems with building codes.
I'm guessing a lot of buildings and bridges had to collapse for codes to take hold. I hate to think about how many power grid shutdowns and crashing cars we will have to go through. Clearly the routine theft of personal data has not made enough of an impact to improve security.
Also, for the particular case of MODBUS over TCP, MODBUS itself doesn't have any security aspect (by design) it is a very simple byte read/write protocol really.
Just read over their FAQ. They claim that Modbus over TCP is an internet protocol. No where do they even mention security. I wonder how many devices are sitting on IPv4 addresses that are completely controllable over the net without a shred of security. Lovely.
> For example, you might know that Shodan crawls the Internet for industrial control systems (ICS). One of the most popular protocols in ICS is called Modbus that runs on port 502. At the moment, there are about 17,000 devices listening to Modbus on the default port. It turns out there are also 700 devices listening on port 503, again a one-off sort of situation.
Turning lights on at 3 a.m. is a nuisance. Knowing when lights go on and off can tell you when the people are not in their room - which could help if you wanted to break in and steal their stuff. Overall quite disconcerting how lax they are with security.
I think the implication was that some asshole can obtain photos of you sleeping by opening the curtains and switching on the lights in the middle of the night. A nuisance, sure, but also a massive violation of privacy.
I would say most hotels have a first floor with rooms.
I was at one recently where the "balcony" was connected by a small path to the pool, so it was purposefully easy to access.
>the implication was that some asshole can obtain photos of you sleeping by opening the curtains and switching on the lights in the middle of the night.
So, somebody is going to set up shop across the way, in what is probably another commercial building, commit a couple of crimes, all to take a picture of some random, likely unidentifiable person sleeping in a hotel bed?
Personally, I'm not very worried about that.
I mean, it's not like there aren't easier attack vectors for creeping on people in hotel rooms if you were so inclined.
You or I, probably not. But just this week Erin Andrews won a $55 million legal case where somebody had intentionally booked a room next-door to her hotel room, then modified the peephole to her room, in order to film her naked. Certainly, there's people intent on prying into the private lives of others.
Well, if lights (and the article mentioned TV) repeatedly goes on at 3 a.m. this ca give quite bad reputation to the hotel. A few bad ratings hat reservation sites can have a notable impact on the business.
Turning the lights on a 3am is a nuisance. Writing
while true; do turn_on_all_lights $IPADDRESS; done
is enough to ruin your night's sleep. Fighting with the lights that won't go off will probably pump enough adrenaline into your system to wake you up enough that you're not going back to sleep anytime soon.
And why not do that to the entire block of addresses you can reach, of course?
It's no "steal identity, rack up tens of thousands of debt" level of nuisance, but it's enough that some basic security is definitely called for. Given the capability of the devices on both side (i.e. we're not dealing with "embedded" 1MHz processors here), client and server side validation of SSL certificates on an SSL connection, combined with some basic physical security to detect that someone's pried the Android off the wall (this can be something like "seal" stickers; we're going for detection here more than prevention), would have had a pretty good cost/benefit ratio.
(Remember, the goal here isn't to make the security "perfect", merely to make hacking it more expensive than what is being protected, which in this case still isn't that much. Nobody's going to risk being physically fingered as the room that pried out the Android tablet just to screw with lights.)
Given the capability of the devices on both side ...
Your're not wrong, but the other point is they are swatting a fly with a sledgehammer. What wrong with a simple light switch for gods sake. Why would a hotel spend hundreds of dollars to do what a $2 device can do more reliably and securely?
There might be significant cost savings in the ability to power off a room remotely instead of having to send someone over when a guest checks out. I would be more worried about the tv, the faucets and air conditioning, though.
Also, some hotels manage to have the tv showing a welcome message when you enter.
Sure. I work in a large university building and can power up/down various systems from my desk for the same reason. But it doesn't require a full tablet computer in each room. These are simple network addressable devices on their own VLAN that allow me to (for example) create an interface that sends a string of commands like a remote control, provided I give proper auth. If you're a regular person in any of the rooms in the building, you can't easily gain access to the VLAN, much less connect to any of the networked controllers in the rooms.
As a result, I can shut things down from my office or set up schedules to do the same. I can monitor usage and save resources (lamp hours on projectors and lighting, etc)
The idea of using a full-on tablet computer is just silly and sounds more like something I'd do while tinkering at home and was looking for a use for some old phone or tablet sitting in a drawer. It's not something I'd put in any enterprise or commercial space.
I've been in many hotels that required the key card to enable power to the room. Some hotels used a simple switch activated by presence of an object in the slot. Many could detect if the NFC tag key was present, but not read the value. Only a few I have seen actually verified that the key was the right key.
I've seen those too. They're quite inconvenient because they actively prevent you from charging your phone or laptop while out of the room. They should leave some marked outlets enabled but usually they only do so for the mini-fridge. And of course "fancy" places build that into a cabinet.
I usually have someone's business card on me, so I'll stick that in the card slot so that I can head to dinner while stuff recharges or the room cools down (for places where the A/C is tied to the same switch). I have yet to see one that's anything more than a simple mechanical switch.
The one I ran into that did that had an outlet that would work when out of the room... in the bathroom, for a rechargeable shaver, presumably. So my laptop got plugged in there...
I think you are talking thousands not hundreds. They had to pay people to set it up, pay for tablets for every room, and pay for the control devices too.
while true
level = 0
while level <= 100
set all lights to level%
level = level + 1
sleep 5
sleep 120
set all lights to 0%
sleep 1800
The idea is to slowly raise all the lights from 0% to 100%, hoping that because it is gradual it will not wake the person. Then you turn them all suddenly off.
If that succeeds in waking the person, they will wake up in darkness, wondering what the heck woke them up.
More fun with lights: someone at Caltech once modified the wiring of a student's room and the adjacent bathroom so that the light switches in both rooms controlled the lights in both rooms. They they waited in the courtyard that the student's room and the bathroom both overlooked to watch the hilarity that they knew would ensue.
What happened was that the occupant of the room eventually went to bed, turning off his light. Then later someone went to use the bathroom, turning on the bathroom light (and so also the student's light). That woke the student, who got up, turned off the light, and headed back to bed. The guy in the bathroom shouts something, and a few moments later gets his pants under control and goes and turns the light back on and heads back to the stall to resume his business. Meanwhile, bed boy is shouting something and getting up to turn his light back off. What I'm told then happened is that the lights flipped on and off a few more times, with the time between flips getting smaller and smaller, until both guys are just standing at their light switch flipping it repeatedly, before they both go out into the hall to try to figure out what is going on, find each other, and figure it out.
Maybe it's worse: If these are really off the shelf tablets, presumably the camera can be turned on remotely. Though I'm sure the hotel would have put a piece of black tape over it, right?
Depends on how targeted the attack is. A hacker who is bored and is searching Shodan for what entertainment the IoT is offering might find GPS quite useful.
It's on a private subnet. You'd have to have some way to get onto the hotel's internal network. The one described in the post is being physically at the hotel. Now, there might be other ways, but this most likely isn't about to show up on shodan.
You're right that in this particular case it's not a problem. Nevertheless any type of device that can be connected to a network, will be connected to the internet. Someone somewhere will make it happen.
I doubt the hotel came up with this solution completely by themselves. Whoever installed it will probably install it elsewhere and it's only a matter of time until it goes badly.
Just let them. The sooner people realize that buying a cheap $35 smart watch, or embedding the cheapest Android tablets into walls, or turning off your heating completely after the battery in your smart thermostat dies... the sooner we'll be in a place where the security of IoT is actually considered, not only as important, but as crucial. Then, we can have nice things.
I'm amused by the use of Modbus. I worked on Modbus networking back in the 1980's at Modicon (a company that disappeared long ago that created the "standard"). Using a protocol invented before the internet to control devices on a semi-public network is insane.
The original Modbus was designed to communicate with factory devices controlled by logic controllers over serial and eventually over a custom token ring network. Modbus got moved to TCP at some point when I stopped paying attention. Modicon rejected TCP when I was there because the OSI model 7 layer network stack was going to be the next big thing.
Could be. I just spent some time on the modbus.org site. I haven't looked in a while. There is pretty much no mention of security though they claim that Modbus over TCP is an internet protocol.
Just because its CAN doesn't mean its actually air gapped. If there is a Linux box on one end for SCADA use or similar, then the path is IP -> Linux spl01t -> SocketCAN
Given a completely static authentication realm like the rooms of a hotel, Modbus over TCP over IPSec would work just fine, and be transparent to the application. That sort of sounds like a good reason to be using Linux (Android) controllers in the first place; maybe they just forgot to enable it (or let go the installing contractors before their job was done, as soon as everything seemed to be "working.")
Same here - I used modbus only a few years ago, as it worked well for reading analog signals from hydroelectric turbine monitors, into a Linux box that converted them to digital for reporting. I cannot imagine actually using it on a modern network.
I think if people actually knew the true extent of the debacle that industrial control protocols are, they would pass out. If you ever want nightmares, check out EtherNet/IP CIP protocol...
Of course, there are no security provisions whatsoever. If you can get a device on the LAN, you're golden. Every device, fully open to monitoring and control of every attached piece of equipment.
In the new world of inexpensive, battery powered LoRaWan to Ethernet bridges with tens of kilometers range, I can't even begin to imagine the industrial carnage we're heading for. A sufficiently funded attacker could find ways to implant remote monitoring andcontrol in virtually every facility, where they can get a minimum-wage cleaning staff member hired. That means -- pretty much every facility (short of military, perhaps).
I recently went to a LoRaWan workshop funded by my megacorp (a utility company). It felt like paying someone to try and sell you their stuff.
Anyway, what the LoRa did emphasize is that both the network layer and application layer are encrypted with different keys using AES. This means someone would have to compromise both layers to actually control the devices.
Buuut, given that both encryption keys are stored on the device, I bet someone will just walk up with a chip clip and read the keys right out of EEPROM and then the pretty lights will start.
Or they'll just hack the application servers. I've seen some really god awful pieces of software in use.
A vendor once told me "it's so easy to admin our device over the internet. Just go to 192.168..." And of course due to corporate politics we still bought that piece of shit.
Moteino (arduino-based wireless dev platform) supports LoRa if anyone is interested in digging into some current sub-$10 ISM transceivers and their capabilities. http://lowpowerlab.com/moteino/#lora it's also a great project to get started with arduino if you've never worked with it before. Really solid documentation.
People forget how reliable and secure things like hard-wired physical light switches and other natural interfaces (like paper books, etc.) are. There seems to be a vast ignorance about topics like reliability, interfaces, usability and design. Just because it's digital, it doesn't mean it's better - I'd argue for the contrary in many cases. I don't want to upgrade the firmware of lightbulbs, I just don't. Despite my affinity for them, I have more than enough computers surrounding me in my everyday life.
Everything you said, and also that the old analog devices are future proof.
For a trendy metropolitan hotel, with a design refresh cycle of 10 years at the most, the future might not matter. But people are wanting to put these devices in homes with a refresh cycle that should be more like 30 to 50 years. Big difference.
KNX, being one of the most sophisticated and proven building intelligent protocol, widely adopted in Europe.
If anyone interested, cross scan its default IP interface port 3671
and,
say German telecom ISP IP range (and there is CSV available on www),
with efficient penetration test tool like masscan, challenge it with 0x0205, look for 0x0206 on response.
Thousands of home and factories and commercial buildings welcome you with real time datagrams on all their switches/appliances/presences/sensors/cams/... Bonus point: writable!
I feel like the only thing that can fix this type of mentality is a line of products targeted towards annoying nerdy 13 year old boys-- the type of boy that a lot of us were. We need to make it easy for them to abuse security lapses in IoT products. When I was in middle school, I brought a universal remote to class and turned on the television set. Yeah, I know, I was a badass. But these kids will do much more.
The problem is that when a software engineer goes to the front desk of a hotel and complains about the security of the brand new Android-Powered Hi-Tech system that they just put in, the person working the desk thinks, "Haha wow! That nerd was a real Sheldon Cooper, like on the television!" and they don't care at all. If you live in a bubble where programming and computer work is black magic, well then of course it is completely inevitable that someone so nerdy and so smart would be able to hack everything on the planet. So they don't really think there's anything to be done.
When it's a group of annoying little 15 year olds that sneak out in the middle of the night to wake up all of your guests, it's a lot bigger of a deal.
Not sure why this is getting downvoted. This is a big part of what happened with internet security over the years.
Back at the dawn of time, less than a billion seconds from epoch, it was considered rude to exploit obvious security holes. People would actually track down casual hackers and get them in trouble. But once script kiddies came on the scene, it became a lost cause. Once it could be any 14-year-old idiot on the planet scanning your ports and exploiting your old, unpatched software, it became clear that tacit agreements and social pressure weren't enough. The burden of security began to shift to people who created the software.
"Jesus Molina talked about doing this kind of thing a couple of years ago, so it's not some kind of one-off - instead, hotels are happily deploying systems with no meaningful security, and the outcome of sending a constant stream of "Set room lights to full" and "Open curtain" commands at 3AM seems fairly predictable."
Which takes us to this: "Any sufficiently advanced technology controlled by a miscreant is indistinguishable from a possessed object in a Stephen King Novel."
I can't wait until Random Q. Hacker can flood the lobby with blood from the elevators.
And if you wonder why the blood reservoir has to be connected to both the elevator shafts and to the Internet, I ask you this: who would want a dumb blood reservoir in their hotel? I mean, obviously you have to have one, but wouldn't you rather be able to query tank levels from your phone and automatically order refills online? Nobody wants to be the unlucky employee that has to go up there with a dipstick at midnight during a thunderstorm, right?
Stephen King magic I can handle, it's a particular Stephen Koontz tale of a mad computer nerd turning his town into cyborgs that concerns me. Great read! I think... was almost 30 years ago now....
yes i was also misled by the title. You read again, android in the text as well as in the title as if something to do with the android OS is responsible especially taking into account that the guy is a security developer at CoreOS.
* "I stayed in a hotel with Android lightswitches and it was as bad as you'd think "
Another title would be:
* "CoreOS security developer stays in a hotel, and hacks the light switches to.."
Having stayed at a similar (same) hotel don't even get me started on the guest experience. It took longer to familiarise myself with all the controls in the room than a normal stay in the hotel. Also really appreciated the slight glow all the tablets gave off at night...well they did until they got covered with cushions and gaffer tape!
This is why I don't understand the "Internet of Things." A light switch is a pretty effective solution to the problem; there seems little advantage to networking it. Ditto for a toaster, refrigerator, et cetera, et cetera.
Depends what you mean by "Building Automation." If you mean things like a thermostat to control my heating, sure that has been around for decades. However, it can be a very simple mechanical device. Even for the computerized ones, I see little advantage to networking it (at least compared to the disadvantages).
If, however, by "Building Automation," you mean networked computers controlling your lights and every other aspect of your environment, this is not the norm now, never has been, and I would hazard a guess that it won't be any time soon because the cost and complexity is not worth the marginal advantages. Yes, some elements are creeping in: particularly systems to shut off lighting and environment control in office buildings at night because the power savings are worth it, but those systems are relatively simple and closed. There is no need to connect them to the sort of network that is featured in the article let alone the internet at large.
Lighting systems are very common in the building automation industry but they're typically connected to physical switches. Placing a computer or tablet there doesn't really change things - this could have been hacked regardless of the end-user input. The core protocol Modbus/TCP has been available and easily hackable for decades.
Building Automation is exactly what your describing and it is the norm. It's common for schools, hotels, and commercial buildings to be "smart", with something like Modbus or BACnet connecting lighting, HVAC equipment, smart meters.
I will defer to you re: Modbus/TCP as it is outside my area of expertise. Even if these systems are "common," I would still claim that they are not the "norm" for the simple reason that I have been in buildings that were clearly "smart" buildings and ones that were clearly not, and the latter outnumber the former. However, even if it were the norm for commercial buildings, I was thinking far more generally and that may be the source of our disagreement. Automatic doors, for example, are the norm for major retail stores (as well as airports, et cetera), but they just don't exist in private homes. It would be expensive and serve no purpose, and that is how I feel about most "Internet of Things" devices [EDIT: and most "home automation" devices].
You want to have your lights come on at a certain time.
You want to add motion detection to lights turning on.
You want to attach light sensors to have variable intensity bulbs be brighter or dimmer depending on ambient lighting conditions.
You want your lights to turn on inside your garage when the garage door opens.
You want your front hallway light to come on when your door is opened.
You want to be able to check all the lights in your house at a glance to make sure you did not accidentally leave any on.
You want to have all your lights auto-off when your kids should be in bed.
And of course, most importantly:
You want to turn your house into a rave party, or an epileptic seizure inducing disaster, and I don't think there is actually a difference there.
Your networked toaster might have online profiles for how to optimally toast bread, bagels, rolls, etc based on the type of bread and they would be available on a per-toaster basis. Rather than just odd balling how you want your toast done, you could buy a toaster that has profiles with high ratings that will toast your bread to your exact desire with your given model of toaster.
For your fridge, it could have isolated temperature and humidity per compartment, give alerts when different foods are low in quantity / going bad, track the expiration dates of all your food, and have the same lighting features as your house lights.
There are plenty of applications of "smart" devices. The problem with the IoT is that once you put software in a device you need to be responsible for it, and I don't believe there is actually a single hardware manufacturer on Earth right now who is legitimately responsible for their hardware and respectful of their users (particularly their software freedoms in relation to that hardware).
None of these things sound like killer applications, and few of them require any kind of computational power let alone networking. There are much simpler ways of accomplishing the same things. That is my point; IoT proponents are adding unnecessary complexity for dubious gains. Some examples:
You want to have your lights come on at a certain time.
I can get a timer at a hardware store.
You want to add motion detection to lights turning on.
I can get a motion sensor switch at a hardware store.
You want your lights to turn on inside your garage when the garage door opens.
Yep. That happens with most existing garage door openers.
You want your front hallway light to come on when your door is opened.
I've never seen this implemented, but it could be done in a multitude of ways such as the motion sensor or a simple contact switch on the door itself.
I've long been interested in "home automation" stuff, so I'll give you a quick example of what I have at my house now that can't be done with timers/motion sensors from the hardware store.
There's keypad in the entrance to the kitchen, with buttons labelled "Bright" "Dim" and "All off". If you press Bright, all of the lights (sink, under-cabinet, range hood, and island) turn on 100%. Dim sets just the under-cabinet lights are on at 50% and island is 10%. Without this keypad, you have to walk to 3 different switches on opposite sides of the room.
There's also a keypad by the front door. It has an 'all off' button which is great when we're leaving, and as we also walk by it on the way upstairs, handy when we're going to bed.
The front door keypad also has a "Garage" button. It lights up red if the garage door is open (as we can't see the door from anywhere inside the house). Press it and it'll toggle the door to open/close.
That stuff is just simple scenes, but I also have some more complex things..
The outside lights go to 20% from dusk until midnight, then turn off after midnight. On top of that, at any time between sunset and sunrise, if the garage door is open, or if the outside motion detector sees motion they go to 100%, and once the door is shut or no motion is seen for a few minutes, they return to previous level.
At sunset, if none of the lights in the house are on, one of the lights in the kitchen and one of the lights in the living room turn on (to make it look like someone is home).
At ~midnight, if only the one kitchen light and living room light are on (and nothing else has been adjusted, indicating someone is home), turn the lights off.
At sunrise, turn off all lights. (This used to be 3am until we had a baby, then it was annoying because, well, crying baby + preparing bottle + 3am + lights suddenly turning off = ..not good).
At some point I will also set up a motion sensor in the front hall (or maybe a door open sensor), so if the outside motion is triggered followed by the inside motion (or door opening), the inside front hall light turns on. A bit tricky, since I don't want to happen if I'm just walking around the house (or leaving).
Is any of this game-changing? Not really. It's interesting to me, it's not overly expensive (especially as I have built this up over time), and it's a nice albeit minor quality-of-life thing.
Btw, I can control this from a PC/phone, although I basically never do (the keypad/switch on the wall is always going to be faster). I could also set it up to work via internet, but I don't, because 1) there's an attack vector and extra security to worry about, 2) adjusting the lights while I'm not home is pointless, 3) I believe a key to home automation is the automation part. If I have to control it manually, it's by definition not automated.
Thank you. Genuinely interesting, and in my opinion, one of the few examples of the technology done right.
I would point out that the three different switches on opposites sides of the kitchen sounds more like an issue of poor switch placement (admittedly, a common problem) than anything crying out for automation, but the ability to control sets of lights with one button is intriguing.
I think the take-away is this:
> Is any of this game-changing? Not really. It's interesting to me, it's not overly expensive (especially as I have built this up over time), and it's a nice albeit minor quality-of-life thing.
Which I contrast with: "Let's hook my toaster up to the internet because: Internet of Things!" which seems to be the prevailing attitude.
> I believe a key to home automation is the automation part. If I have to control it manually, it's by definition not automated.
Yup, this.
I built an automated heating system. It does all the right things at the right times. I never touch it; it has some graphs if I want to see what it's doing.
The shoddy consumer systems all have manual control and an app, because you just spent all that money, you want the warm fuzzy feeling of having an app to fiddle with.
I wouldn't pay a dime for most of those features, even if it worked perfectly. Where I can see the use is doing things remotely, as in when you're far away: locking/unlocking the doors, making sure the lights and appliances are off when you're traveling, turning on/off the heat remotely etc. IF you could do those things securely.
Too lazy to walk up to the light switch when I'm at home? Just no.
I don't see what this gains the hotel. You get an increase in complaints/request about not being able to turn on/off lights, etc. Standard light switches are dirt cheap and last years and everyone from age 2 up knows how to use them.
Is this solely to look "fancy"? If so, then at least get the tech right otherwise you look incompetent.
Hotels are under substantial competitive pressure to seem fancy. Fancy hotels can charge a lot more. Looking good is often more important than ease of use, as is demonstrated by every hotel alarm clock I've ever tried to set.
It's also partly our fault. Computer-y stuff has had poor usability for years. A standard tech response to bad user experience has been to tell people that they're doing it wrong, that they just need to learn a particular trick and it will all be great. So people often assume that when something is hard to use, it's probably their fault. Which means that a buyer of stuff like this can have a bad experience and wave it away thinking that the tech is just fine. After all, why would somebody sell a computer-controlled lighting system that is in practice worse in every way than regular switches?
"Is this solely to look "fancy"? If so, then at least get the tech right otherwise you look incompetent."
How many of their guests have thought it looked fancy? Probably a lot. How many of their guests have done something similar to what this guy did? Probably not so much.
324 comments
[ 76.2 ms ] story [ 1036 ms ] threadEdit: Completely agree Ska, no excuse for making it this easy. I'm just pointing out that just because it's easy to pick a lock or unplug some wires to MiTM doesn't mean it should be legal.
If your security model relies on this, though, you have failed. Period.
It is maybe a little fuzzier in a hotel (should I be able to stream content to the TV from my device instead of paying you extra for a movie?) but similar applies.
If a cable is not meant to be unplugged - there should either be a warning sign/message, a protection measure (even a nominal one, serving as a mere warning), or you shouldn't normally get access to it in a first place.
Obviously, there is common sense, too - you don't plug some working medical equipment, even though there may be no warnings - it's implied that it's commonly understood that disconnection would interfere with device's operation and endanger the patient. Or you don't suddenly turn off someone's PC at office just because the power outlet isn't covered by the table.
The door example is also misleading and plain wrong analogy. We're not talking about trespassing on others' property. When you rent a room, it's a common sense that you shouldn't steal the TV from it, but nothing tells you if some random Ethernet cable is some private network or just a WiFi replacement. It's the same as any other electrical socket (well, except it's a plug, not socket) - nothing implies that you can't use it, as long as you don't cause any damage to the property. If a rented room has a floor fan plugged in, I doubt you shouldn't be allowed to plug it out or even satisfy your curiosity and measure how much power it consumes. As long as you don't damage anything, of course.
There are too many people out there who want to plug in some odd lawmaking solutions (always, restrictions) that don't actually solve anything.
"If you don't want to give people access to your house don't provide them with a f*ing door explicitly designed for doing so."
Who is the guilty party?
Really, this is just social/legal understanding. It's unacceptable to open someone's door -- even if unlocked -- but acceptable (?) to wire yourself into someone's network if unguarded.
It is either possible to do something securely and won't really take significantly more time, or it's not possible to do it securely at all, and no future update is going to fix it.
In regards to IoT devices, as the article is lamenting, many are designed with no security in mind and instead seem to be thrown together as quick as possible to achieve a function, without considering the implications that a security breach may have with said device. (e.g., IoT baby monitors, thermostats, home locking systems)
If an application was created without security in mind in worst case it might require complete rewrite. In other cases it might be a whack-a-mole game.
For example compare ssh vs application that simply opens port and starts bash as root. You can use both to control your server, but if you want to add security it would be a lot of work (you could incrementally add authentication, encryption, maybe restrict user what s/he can do but there will be million and one ways to escape).
After fixing one issue after another without seeing the end you'll realize it would be less work to just rewrite it from scratch with security in mind.
Security is not a feature, it is a process.
Edit: Shoutout to Internet of Shit https://twitter.com/internetofshit
How does Tesla implement updates?
An opt-in switch is merely convenience for the incredibly thin % that bothers with this kind of thing. And that % will actually be informed enough to not opt in.
Come to think of it, that % will likely be informed enough not to buy this kind of device in the first place.
Tesla has a pretty vested interest in shit keeping working considering it's a pretty luxurious and high-profile product. The cut-price manufacturer of your $20 lightbulb or $300 fridge? Not so much.
It's not a matter of luxury, it's a matter of having people work on it who care.
Disclosure: I work with them. Much <3 :)
Source: Chromebooks are awesome, and even with excesses like this, they're still the cheapest to operate by far.
A comment in https://bugs.chromium.org/p/chromium/issues/detail?id=323010 claims that the BSSID is used for a "suspected" state, but that may not be enough to actually stop it from downloading updates, but I'm far from an expert in that domain.
In short, identifying tethering states with iOS seems to be hard.
Hence my shoutout to IoS! :)
Which might be quite a challenge with some devices when your neighbors drown you in free WiFi.
It's easy to build it in a way so that the worst that the software can do is cause it to turn into a "dumb" fridge.
My problem with this whole hatred of iot is that it's not productive.
it's a bunch of people commenting how the trend is dumb and how everything was so much better in the past. Nobody ever gives suggestions on how to improve it, or how to fix some of these issues, or even what they would like to see. It's always just "Who wants a wifi light switch anyway?" or "Oh great now my door lock can freeze".
If it's so easy, why don't more companies do it? Why didn't Nest build their thermostats so that when the battery runs out, it reverts to a "dumb" thermostat instead of turning off your heat? http://www.theguardian.com/technology/2016/jan/15/bug-nest-t...
It's clearly more work to do it that way, as you'd need multiple "layers" of firmware/code which all need to communicate and run on their own, but i personally see that as insurance against the exact situation you are describing.
Nest is far from what i'd consider a good IOT company. They are the epitome of vendor lock in, proprietary and buggy code, and shitty support.
The thing I don't get with 'control everything with your smartphone!' is that people don't think about everyday use. It's like the people that design these products don't look at the actual, repeated use cases. Why would I want to pull my phone out of my pocket, unlock it, find the app I need, launch the app, wait for it to connect, hit the buttons I want....
(Even when I'm on Android and I can have an IoT control widget on my homescreen, that's still pulling the phone out, switching it on, unlocking it with my fingerprint, finding the page, hitting the button.... oops I forgot to turn Wi-Fi back on, better do that....)
I think IoT is great, but to do a great job at it you need to design the product with that in mind to begin with. The whole architecture of the product has to fit (see again, Hue). Sure, picking an Android tablet is easy, but why would you architect all that complexity? Why not a touchscreen device with a really simple real-time OS that does only what it needs to do?
I'm confident that this will all be self-correcting in the end. Consumers and 'the market' are smarter than we give them credit for. Certainly it takes a long time for them to react, but I think that when enough of the public is jaded by 'bad IoT' and the fad phase has passed, the actually good IoT products will survive and those companies that really think about their designs as a whole will be rewarded.
Very few actually pull operating current from the 24v C wire if it even exists on the given system. If it doesn't, R (the switched 24v power for Heat and Cold signals) isn't guaranteed to continually have current. Only when your Heat is turned on (probably a standard toggle lightswitch on the side of your furnace) will there be current on the Rh line, and only when your AC is enabled (possibly a breaker shunt on the side of your house near the condenser unit in a small box) will there be current on the Rc line.
Nest tries to recharge it's battery by trickling the C wire, if available, and if not it will try to charge off of one of the R wires, either during normal operation, or it will try and "pulse" the heat signal to pull a little bit of current to keep going. Thermostats were designed at a time where they didn't even consume any electricity on their own. We're trying to retrofit computers into signaling system, not a circuit.
The GP is right: most new thermostats don't take power from the 24VAC line. That surprised me when my heat wouldn't come on one morning because the battery was too weak to pull in the relay for more than a few seconds. That's what I get for ignoring the "low battery" warning! All my previous electronic thermostats only used the battery as a backup.
In any case, are you really saying that using a toxic metal (mercury), or an imprecise bimetallic strip is really an improvement over a simple $10 electronic thermostat?
A dumb digital thermostat is just a thermocouple and a relay, which you could rig together with very little EE knowledge and a weekend with an Arduino.
This is exactly the sentiment i was talking about though.
If you buy a car that had a faulty AC unit, do you just swear off cars altogether because "they all have shitty AC"?
Why do so many people like to bring up bugs/issues with poor iot devices and act like it is something that can't be improved or fixed?
But it hasn't been that long at all, and there are people doing it right.
The problem is that they are expensive and don't offer the same amount of features that some people want.
Take the "traditional" smarthome networks like z wave and friends.
I have a z wave light switch that works as a lightswitch 100% of the time. I actually installed the switches before i had a controller for them.
Add a controller and you have a "smarthome".
Connect that controller to your wifi and you have the ability to control these things safely from within your own network using anything from a bash script to shitty iphone apps.
Connect that network to the internet through a firewall and an authentication system and you now can control all of that stuff securely across the planet.
If any one of those breaks, functionality is reduced. Internet is down, i can't control it outside the house. Controller goes down, i can't control them as groups or from within the house but still "remotely". But it will literally always turn on/off the lights when i hit the switch. I don't need to worry about the security of a cheap chinese zwave knockoff thing because the controller is that gatekeeper.
That's IOT done right.
But people don't want to pay the money for that, they don't want to pay an electrician to come out and install them across the whole house, they don't care about security or what happens when the internet is down, they want a light they can control from their phone for as cheap as possible as fast as possible. And of course when people are asking for a product, manufacturers are going to make it.
http://motherboard.vice.com/read/smart-fridge-only-capable-o...
http://www.vgg.com/et/et_030701_TVCrash.html
Fifteen years ago. Wow, I love the way I gave Jini a shout-out.
Nothing in remote/automatic updates requires being brickable. Don't buy such a crappy fridge.
Or, call a serviceman to fixe it, just like you would today with dumb fridge.
What is worse, your data being sent to people you know or to people you don't know?
Why? Because I know Google has systems in place to detect sysadmins browsing in data unrelated to their job and I know they have fired people over it even if was tought to have been done with good intentions.
Edit: as for tracking I wish they would up their game and stop providing ads for <insert eastern country here>-dating.<tld-of-the-day>
I wish they would take into consideration that I am happily married with more than 3kids, belongs to a subset of the population that has way less than 10% divorce rate and I might even be in the market for a new car at some point.
In fact I would even tell them if they asked.
Smart, connected things? Yes, maybe.
Smart things connecting over the Internet to a corporate cloud? Hell no.
At the interview for my current job I was asked how I'd secure a remote service. My first response was along the lines of "Ask someone who actually knows about security, because I know just enough that I'd probably mess it up".
You need to do it right from day #1.
I don't have enough knowledge of the stage the OP's startup was to have answered, so I stand corrected.
These days, this is the kind of thing I negotiate up front. When they ask me how long something will take, I explain that they can have a prototype quickly, but only if they promise to throw it away as soon as the experiment is done. I explain that they can have me build a movie set or a real house, but that there's nothing in between. [1] And then I leave the choice up to them, explaining that it's really about their business judgement.
Generally people keep their promises on this, although sometimes it takes a little reminding. When they do, the business benefits are substantial. A good product person really benefits from doing quick, cheap experiments. And they also benefit from having a solid platform of high-reliability code for production use. But they can only get the benefits of both if they're careful not to mix the two.
[1] There is actually something between, but they don't want it: http://agilefocus.com/2009/06/22/the-3-kinds-of-code/
Prototypes-become-products is a trope much like _The Mythical Man Month_. We all nod knowingly when it is mentioned, we all know how it will turn out, and then we (well, management dictates that we...) turn right around and do the opposite.
In truth it's much much more like how Google just has computers trying to index every site on the internet that they can find. Most of the attacks these days are broad searching things, just testing every exploit they can against every site they can.
Also, seriously, Google will find and index those GET+DELETE non idempotent URLs and ruin their day.
Here is the professional ethics piece of a talk I gave last year to a developer meetup: https://www.youtube.com/watch?v=dj196NhPyWs&t=43m36s
- Sous vide normally uses a water bath at a controlled low temperature over a long period of time.
- Hike the temperature up past the boiling point, and the water is evaporated, allowing you to hike the temperature up to ignition points.
- Or, cycle the electronics fast enough to overload the power supply. If it isn't designed well, either the wall circuit blows or the power supply bursts into flame.
- In any case, the expectation of a long unattended cooking process means that human observers might not be in the loop.
Even without deliberate hackers, the device needs to contend with software errors, running without water, or a stuck relay that could leave it boiling dry and overheating.
Perhaps 35 years ago computer control was still very new, but right now, IoT is very new, so there's a whole new world of mistakes to learn from, and the evidence is very clear: serious mistakes are being made.
What could possibly go wrong?
The difference between you and the dunces building things like this hotel light system is that you know that there's a problem and will work to fix it. As the market matures, security will become more important. But the only companies with the chance to fix it will be the ones with substantial market share. And the people who will fix it best will be the ones, like you, thinking about security from the beginning. But that can only happen if people like you get in early and lay down the infrastructure in a way where security will at least be possible.
OEMs moving to XXX over TCP protocols which have zero security by default and documenting this in the datasheets.
VAR installers switching to the newer products because CAT5 cable is cheaper and easier to pull than what they used to use.
The previous solution was just as insecure but harder to hack because you needed more specialised equipment.
I'm not sure how we are going to fix this without getting the OEM industry and the industry bodies behind xxx over TCP to understand that they need to bake a security model in.
Lawsuits for damages, as usual.
Structural engineering solved these kinds of problems with building codes. While I'm not sure that's the answer here, I think most people would welcome guidance beyond "just put whatever devices you want on a shared network and hope for the best".
I'm guessing a lot of buildings and bridges had to collapse for codes to take hold. I hate to think about how many power grid shutdowns and crashing cars we will have to go through. Clearly the routine theft of personal data has not made enough of an impact to improve security.
http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b...
> For example, you might know that Shodan crawls the Internet for industrial control systems (ICS). One of the most popular protocols in ICS is called Modbus that runs on port 502. At the moment, there are about 17,000 devices listening to Modbus on the default port. It turns out there are also 700 devices listening on port 503, again a one-off sort of situation.
Probably over 20k by now
Or a camera equipped drone.
It made Tron look technically accurate.
So, somebody is going to set up shop across the way, in what is probably another commercial building, commit a couple of crimes, all to take a picture of some random, likely unidentifiable person sleeping in a hotel bed?
Personally, I'm not very worried about that.
I mean, it's not like there aren't easier attack vectors for creeping on people in hotel rooms if you were so inclined.
[1]: http://somerichasshole.com/
And why not do that to the entire block of addresses you can reach, of course?
It's no "steal identity, rack up tens of thousands of debt" level of nuisance, but it's enough that some basic security is definitely called for. Given the capability of the devices on both side (i.e. we're not dealing with "embedded" 1MHz processors here), client and server side validation of SSL certificates on an SSL connection, combined with some basic physical security to detect that someone's pried the Android off the wall (this can be something like "seal" stickers; we're going for detection here more than prevention), would have had a pretty good cost/benefit ratio.
(Remember, the goal here isn't to make the security "perfect", merely to make hacking it more expensive than what is being protected, which in this case still isn't that much. Nobody's going to risk being physically fingered as the room that pried out the Android tablet just to screw with lights.)
Your're not wrong, but the other point is they are swatting a fly with a sledgehammer. What wrong with a simple light switch for gods sake. Why would a hotel spend hundreds of dollars to do what a $2 device can do more reliably and securely?
Also, some hotels manage to have the tv showing a welcome message when you enter.
As a result, I can shut things down from my office or set up schedules to do the same. I can monitor usage and save resources (lamp hours on projectors and lighting, etc)
The idea of using a full-on tablet computer is just silly and sounds more like something I'd do while tinkering at home and was looking for a use for some old phone or tablet sitting in a drawer. It's not something I'd put in any enterprise or commercial space.
Though I wouldn't be surprised that the cleaning staff would "clean" it up if you weren't there. Might want to put out the Do-Not-Disturb sign too.
If that succeeds in waking the person, they will wake up in darkness, wondering what the heck woke them up.
More fun with lights: someone at Caltech once modified the wiring of a student's room and the adjacent bathroom so that the light switches in both rooms controlled the lights in both rooms. They they waited in the courtyard that the student's room and the bathroom both overlooked to watch the hilarity that they knew would ensue.
What happened was that the occupant of the room eventually went to bed, turning off his light. Then later someone went to use the bathroom, turning on the bathroom light (and so also the student's light). That woke the student, who got up, turned off the light, and headed back to bed. The guy in the bathroom shouts something, and a few moments later gets his pants under control and goes and turns the light back on and heads back to the stall to resume his business. Meanwhile, bed boy is shouting something and getting up to turn his light back off. What I'm told then happened is that the lights flipped on and off a few more times, with the time between flips getting smaller and smaller, until both guys are just standing at their light switch flipping it repeatedly, before they both go out into the hall to try to figure out what is going on, find each other, and figure it out.
I doubt the hotel came up with this solution completely by themselves. Whoever installed it will probably install it elsewhere and it's only a matter of time until it goes badly.
The original Modbus was designed to communicate with factory devices controlled by logic controllers over serial and eventually over a custom token ring network. Modbus got moved to TCP at some point when I stopped paying attention. Modicon rejected TCP when I was there because the OSI model 7 layer network stack was going to be the next big thing.
/deploying CAN bus without security
That if you have a box that can talk to network A and B, suddenly anything on A can talk to anything on B.
A CAN bus, or older modbus installs, would be airgapped by its very nature.
Using Modbus may be insane, but Internet Protocol (IP) predates it by 5 years.
Of course, there are no security provisions whatsoever. If you can get a device on the LAN, you're golden. Every device, fully open to monitoring and control of every attached piece of equipment.
In the new world of inexpensive, battery powered LoRaWan to Ethernet bridges with tens of kilometers range, I can't even begin to imagine the industrial carnage we're heading for. A sufficiently funded attacker could find ways to implant remote monitoring and control in virtually every facility, where they can get a minimum-wage cleaning staff member hired. That means -- pretty much every facility (short of military, perhaps).
Exciting times.
Anyway, what the LoRa did emphasize is that both the network layer and application layer are encrypted with different keys using AES. This means someone would have to compromise both layers to actually control the devices.
Buuut, given that both encryption keys are stored on the device, I bet someone will just walk up with a chip clip and read the keys right out of EEPROM and then the pretty lights will start.
Or they'll just hack the application servers. I've seen some really god awful pieces of software in use.
A vendor once told me "it's so easy to admin our device over the internet. Just go to 192.168..." And of course due to corporate politics we still bought that piece of shit.
Usually keys are stored in a part that is not accessible directly, think of SIM and bank cards. Actually lots of LoRaWan use SIM cards.
For a trendy metropolitan hotel, with a design refresh cycle of 10 years at the most, the future might not matter. But people are wanting to put these devices in homes with a refresh cycle that should be more like 30 to 50 years. Big difference.
If anyone interested, cross scan its default IP interface port 3671 and, say German telecom ISP IP range (and there is CSV available on www), with efficient penetration test tool like masscan, challenge it with 0x0205, look for 0x0206 on response.
Thousands of home and factories and commercial buildings welcome you with real time datagrams on all their switches/appliances/presences/sensors/cams/... Bonus point: writable!
Can anyone recommend a good reference / tutorial for learning basic network-fu in unix ?
The problem is that when a software engineer goes to the front desk of a hotel and complains about the security of the brand new Android-Powered Hi-Tech system that they just put in, the person working the desk thinks, "Haha wow! That nerd was a real Sheldon Cooper, like on the television!" and they don't care at all. If you live in a bubble where programming and computer work is black magic, well then of course it is completely inevitable that someone so nerdy and so smart would be able to hack everything on the planet. So they don't really think there's anything to be done.
When it's a group of annoying little 15 year olds that sneak out in the middle of the night to wake up all of your guests, it's a lot bigger of a deal.
Back at the dawn of time, less than a billion seconds from epoch, it was considered rude to exploit obvious security holes. People would actually track down casual hackers and get them in trouble. But once script kiddies came on the scene, it became a lost cause. Once it could be any 14-year-old idiot on the planet scanning your ports and exploiting your old, unpatched software, it became clear that tacit agreements and social pressure weren't enough. The burden of security began to shift to people who created the software.
Which takes us to this: "Any sufficiently advanced technology controlled by a miscreant is indistinguishable from a possessed object in a Stephen King Novel."
http://thefutureisastephenkingnovel.com/assets/player/Keynot...
And if you wonder why the blood reservoir has to be connected to both the elevator shafts and to the Internet, I ask you this: who would want a dumb blood reservoir in their hotel? I mean, obviously you have to have one, but wouldn't you rather be able to query tank levels from your phone and automatically order refills online? Nobody wants to be the unlucky employee that has to go up there with a dipstick at midnight during a thunderstorm, right?
https://en.wikipedia.org/wiki/Midnight_(Koontz_novel)
* "I stayed in a hotel with Android lightswitches and it was as bad as you'd think "
Another title would be:
* "CoreOS security developer stays in a hotel, and hacks the light switches to.."
Although I'm a bit disappointed mjg59 didn't play Blinkenlights with the rooms on his floor.
For those unfamiliar: http://blinkenlights.net/
Jarrod
Now get off my lawn!
If, however, by "Building Automation," you mean networked computers controlling your lights and every other aspect of your environment, this is not the norm now, never has been, and I would hazard a guess that it won't be any time soon because the cost and complexity is not worth the marginal advantages. Yes, some elements are creeping in: particularly systems to shut off lighting and environment control in office buildings at night because the power savings are worth it, but those systems are relatively simple and closed. There is no need to connect them to the sort of network that is featured in the article let alone the internet at large.
Building Automation is exactly what your describing and it is the norm. It's common for schools, hotels, and commercial buildings to be "smart", with something like Modbus or BACnet connecting lighting, HVAC equipment, smart meters.
IoT is an amazing, awesome, innovative and entirely new concept. Just like "The Cloud" was.
/s
You want to add motion detection to lights turning on.
You want to attach light sensors to have variable intensity bulbs be brighter or dimmer depending on ambient lighting conditions.
You want your lights to turn on inside your garage when the garage door opens.
You want your front hallway light to come on when your door is opened.
You want to be able to check all the lights in your house at a glance to make sure you did not accidentally leave any on.
You want to have all your lights auto-off when your kids should be in bed.
And of course, most importantly:
You want to turn your house into a rave party, or an epileptic seizure inducing disaster, and I don't think there is actually a difference there.
Your networked toaster might have online profiles for how to optimally toast bread, bagels, rolls, etc based on the type of bread and they would be available on a per-toaster basis. Rather than just odd balling how you want your toast done, you could buy a toaster that has profiles with high ratings that will toast your bread to your exact desire with your given model of toaster.
For your fridge, it could have isolated temperature and humidity per compartment, give alerts when different foods are low in quantity / going bad, track the expiration dates of all your food, and have the same lighting features as your house lights.
There are plenty of applications of "smart" devices. The problem with the IoT is that once you put software in a device you need to be responsible for it, and I don't believe there is actually a single hardware manufacturer on Earth right now who is legitimately responsible for their hardware and respectful of their users (particularly their software freedoms in relation to that hardware).
You want to have your lights come on at a certain time.
I can get a timer at a hardware store.
You want to add motion detection to lights turning on.
I can get a motion sensor switch at a hardware store.
You want your lights to turn on inside your garage when the garage door opens.
Yep. That happens with most existing garage door openers.
You want your front hallway light to come on when your door is opened.
I've never seen this implemented, but it could be done in a multitude of ways such as the motion sensor or a simple contact switch on the door itself.
There's keypad in the entrance to the kitchen, with buttons labelled "Bright" "Dim" and "All off". If you press Bright, all of the lights (sink, under-cabinet, range hood, and island) turn on 100%. Dim sets just the under-cabinet lights are on at 50% and island is 10%. Without this keypad, you have to walk to 3 different switches on opposite sides of the room.
There's also a keypad by the front door. It has an 'all off' button which is great when we're leaving, and as we also walk by it on the way upstairs, handy when we're going to bed.
The front door keypad also has a "Garage" button. It lights up red if the garage door is open (as we can't see the door from anywhere inside the house). Press it and it'll toggle the door to open/close.
That stuff is just simple scenes, but I also have some more complex things..
The outside lights go to 20% from dusk until midnight, then turn off after midnight. On top of that, at any time between sunset and sunrise, if the garage door is open, or if the outside motion detector sees motion they go to 100%, and once the door is shut or no motion is seen for a few minutes, they return to previous level.
At sunset, if none of the lights in the house are on, one of the lights in the kitchen and one of the lights in the living room turn on (to make it look like someone is home).
At ~midnight, if only the one kitchen light and living room light are on (and nothing else has been adjusted, indicating someone is home), turn the lights off.
At sunrise, turn off all lights. (This used to be 3am until we had a baby, then it was annoying because, well, crying baby + preparing bottle + 3am + lights suddenly turning off = ..not good).
At some point I will also set up a motion sensor in the front hall (or maybe a door open sensor), so if the outside motion is triggered followed by the inside motion (or door opening), the inside front hall light turns on. A bit tricky, since I don't want to happen if I'm just walking around the house (or leaving).
Is any of this game-changing? Not really. It's interesting to me, it's not overly expensive (especially as I have built this up over time), and it's a nice albeit minor quality-of-life thing.
Btw, I can control this from a PC/phone, although I basically never do (the keypad/switch on the wall is always going to be faster). I could also set it up to work via internet, but I don't, because 1) there's an attack vector and extra security to worry about, 2) adjusting the lights while I'm not home is pointless, 3) I believe a key to home automation is the automation part. If I have to control it manually, it's by definition not automated.
I would point out that the three different switches on opposites sides of the kitchen sounds more like an issue of poor switch placement (admittedly, a common problem) than anything crying out for automation, but the ability to control sets of lights with one button is intriguing.
I think the take-away is this:
> Is any of this game-changing? Not really. It's interesting to me, it's not overly expensive (especially as I have built this up over time), and it's a nice albeit minor quality-of-life thing.
Which I contrast with: "Let's hook my toaster up to the internet because: Internet of Things!" which seems to be the prevailing attitude.
Yup, this.
I built an automated heating system. It does all the right things at the right times. I never touch it; it has some graphs if I want to see what it's doing.
The shoddy consumer systems all have manual control and an app, because you just spent all that money, you want the warm fuzzy feeling of having an app to fiddle with.
Marketing is why everything has to be networked.
Too lazy to walk up to the light switch when I'm at home? Just no.
Is this solely to look "fancy"? If so, then at least get the tech right otherwise you look incompetent.
It's also partly our fault. Computer-y stuff has had poor usability for years. A standard tech response to bad user experience has been to tell people that they're doing it wrong, that they just need to learn a particular trick and it will all be great. So people often assume that when something is hard to use, it's probably their fault. Which means that a buyer of stuff like this can have a bad experience and wave it away thinking that the tech is just fine. After all, why would somebody sell a computer-controlled lighting system that is in practice worse in every way than regular switches?
How many of their guests have thought it looked fancy? Probably a lot. How many of their guests have done something similar to what this guy did? Probably not so much.
There used to be party lines in villages where the whole village could listen in to anyone's phone call.
Never mind the operator could also have a sticky beak.
Now if they can change your sound system to play Kanye West... that truly is a problem worth worrying about.