Hacking Consumer Devices

Last weekend, a Texas couple apparently discovered that the electronic baby monitor in their children’s bedroom had been hacked. According to a local TV station, the couple said they heard an unfamiliar voice coming from the room, went to investigate and found that someone had taken control of the camera monitor remotely and was shouting profanity-laden abuse. The child’s father unplugged the monitor.

What does this mean for the rest of us? How secure are consumer electronic systems, now that they’re all attached to the Internet?

The answer is not very, and it’s been this bad for many years. Security vulnerabilities have been found in all types of webcams, cameras of all sorts, implanted medical devices, cars, and even smart toilets—not to mention yachts, ATM machines, industrial control systems and military drones.

All of these things have long been hackable. Those of us who work in security are often amazed that most people don’t know about it.

Why are they hackable? Because security is very hard to get right. It takes expertise, and it takes time. Most companies don’t care because most customers buying security systems and smart appliances don’t know enough to care. Why should a baby monitor manufacturer spend all sorts of money making sure its security is good when the average customer won’t even notice?

Even worse, that consumer will look at two competing baby monitors—a more expensive one with better security, and a cheaper one with minimal security—and buy the cheaper. Without the expertise to make an informed buying decision, cheaper wins.

A lot of hacks happen because the users don’t configure or install their devices properly, but that’s really the fault of the manufacturer. These are supposed to be consumer devices, not specialized equipment for security experts only.

This sort of thing is true in other aspects of society, and we have a variety of mechanisms to deal with it. Government regulation is one of them. For example, few of us can differentiate real pharmaceuticals from snake oil, so the FDA regulates what can be sold and what sorts of claims vendors can make. Independent product testing is another. You and I might not be able to tell a well-made car from a poorly-made one at a glance, but we can both read the reports from a variety of testing agencies.

Computer security has resisted these mechanisms, both because the industry changes so quickly and because this sort of testing is hard and expensive. But the effect is that we’re all being sold a lot of insecure consumer products with embedded computers. And as these computers get connected to the Internet, the problems will get worse.

The moral here isn’t that your baby monitor could be hacked. The moral is that pretty much every “smart” everything can be hacked, and because consumers don’t care, the market won’t fix the problem.

This essay previously appeared on CNN.com. I wrote it in about half an hour, on request, and I’m not really happy with it. I should have talked more about the economics of good security, as well as the economics of hacking. The point is that we don’t have to worry about hackers smart enough to figure out these vulnerabilities, but those dumb hackers who just use software tools written and distributed by the smart hackers. Ah well, next time.

Tags: , , , , , ,

Posted on August 23, 2013 at 6:00 AM67 Comments

Comments

name.withheld.for.obvious.reasons August 23, 2013 6:28 AM

Thanks Bruce, a most timely set of comments. With the rise of the “Internet of Things” and the wide spread use of network enabled devices, the problem of reliability and usability continues to be an issue. As Barnaby Jack was to demonstrate, it can kill you. But, it also looks like hacking can kill you as well.

I lament the fact that the word hacker has been hijacked. I remember the days of going to Olson’s/Heath/Shack Electronics where hams (sometimes called hobbyists) met to share ideas, mod radios, and test out various changes or use different classes of amps on analog transceivers. Then, in the early 70’s everyone started looking at digital devices and computing (well before workstations or desktop computers). Not long after that the term hacker had surfaced (don’t remember the taxonomy) and basically referred to someone that resembled a ham radio hobbyist. Today the term hacker is associated with criminal activity and is no longer safe to use in mixed company. The term cracker, and I believe it refers to a “criminal” hacker, would be a more appropriate term to replace the much maligned hacker label.

Also upsetting is the specter (aka James Bond) associated with loading my own OS on a Kindle, but with the possibility of jail time for an act of doing nothing more than replacing the binary data on a device I owned, I could be held criminally culpable. I didn’t even query the JTAG interface–my reaction to this issue sucks. But, when I have to answer questions in a regulatory environment about “my” ethics I need to be clear that perverting systems (which is not the intent of the act) is not something I engage in–unless under contract while holding an umbrella of a legal release of liability.

And, having been a hacker (not a cracker) in my distant past (never malicious, illegal, or nefarious) I can say that I long for the days when reason and ignorance could not be consider synonymous.

Grahame Grieve August 23, 2013 6:39 AM

“Without the expertise to make an informed buying decision, cheaper wins.”

Uhh, did you buy one? Would you have bought a more secure one for twice the price? (or more?) I wouldn’t. Not a baby monitor. What’s the chance someone will waste their time hacking it? I figured that the guy hacked it by mistake thinking he was going after something else.

Putting that aside, how do you put a value on security, when you can’t really evaluate the risk, the likelihood, and the degree of protection claimed? And when some portion of the risk is not yours either… we have ample evidence from other areas (pick any safety thing) that neither the consumer nor the regulators can make rational decisions in this area.

Kevin An Auditor August 23, 2013 6:42 AM

Add Dishwasher: http://www.wired.com/dangerroom/2012/03/petraeus-tv-remote/

Maybe what it will take is a consumer panic. A very good blogger I read likes to point out that very rare, but highly publicized high impact incidents distort human gain/loss perception. The issue here is that the incidents have not yet seized the public’s attention.

There will be little or no action by manufactures or politicians until they perceive a benefit, and that would demand public awareness.

Firefox August 23, 2013 6:42 AM

Economics of good security … yes.  Bruce’s contrast between “a more expensive [baby monitor] with better security, and a cheaper one with minimal security” is false.  The price doesn’t tell you that an item is secure.  An expensive item can have just as bad security as a cheap one.

Security doesn’t have to be expensive, especially in mass-market items.  It only has to be designed in once.  The trouble is when it isn’t designed in, but pasted on afterwards.

For example, making every item with the same admin password should have gone out with the ark.  Many retail routers (for example) now come with a generated password that’s shown on the device’s label.  That’s not an expensive manufacturing process.  Although it’s not totally secure, it’s a lot more secure than sending out every box with password ‘admin’ and telling the user to change it in the paperwork that he won’t read.

zoli August 23, 2013 6:56 AM

yes, automated tools are more dangerous, so nothing has changed in this from Landwehr taxonomy 😎

Camilla August 23, 2013 7:05 AM

Having shopped for a baby monitor (about five years ago) I went through three models without finding one that performed its stated functions reliably. (I did need a model with two parent units, and wanted one without a camera, which narrows it a lot.) The Amazon reviews are a fine hall of shame… most of them seem to have 30% one-star reviews.

The failures were awful; these things would disconnect in the middle of the night and sound false-positive alarms, they would sometimes silently turn off at the slightest bump, one otherwise worked but trickle-charged the batteries until they were destroyed in a matter of days, one worked but had no volume control to squelch the AC noise at the nursery end.

I think that the camera ones are probably a little more reliable, because some of the goes-dead-silently failures are easier to detect. But, I don’t blame the consumer at all for making a security-poor choice, when the choices that let you just listen for the baby crying are so horrifically poor.

R2 August 23, 2013 7:48 AM

Without the expertise to make an informed buying decision

Capitalism is great in theory; it’s just that people aren’t good enough for it.

nw3227 August 23, 2013 7:48 AM

What evidence is there that the baby monitor was “hacked”? My wife and I had a similar issue about 25 years ago, when our baby monitor broadcast what we at first thought was our infant daughter crying. We went upstairs to find her sound asleep in her crib. It turned out we had heard the crying of the baby of our neighbors, whose monitor apparently broadcast on the same frequency. There was a switch on our monitor to choose a different frequency. Problem solved. Isn’t it at least possible that the Texas couple was overhearing the voice of an intemperate neighbor who also happens to have a baby?

Aspie August 23, 2013 8:01 AM

The thing is, it’s possible to use the electrical mains system in a house – which is usually on the same phase – as a communications network.

With the right frequences and only very low power would be needed I don’t think it could be hacked in to easily.

Wi-Fi is convenient but it leaks. I’m never comfortable talking even on a handy radio-phone which, I suspect, is only encrypted in very high-end models and even then probably not very well.

Camilla August 23, 2013 8:30 AM

@Aspie: our powerline bridge access points work great, even across a two-family house with separate power feeds (which is a use case that isn’t necessarily expected to work); they also see powerline devices from up and down the street. For our RF-unfriendly house (old, steam heat, noisy neighborhood) it seems to be the best way to paint wireless across it, but I think the local nature of it means the “hearing the neighbors” problem would be even worse without better security.

Also, a nice (and pretty standard) baby monitor feature is to have a vibrate mode, so that you can wear the monitor on your belt and be alerted when naptime’s over if you’re doing something noisy… local RF is a better choice for that than being tethered. It’s not like the suckitude of baby monitors is actually up against the limitations of RF… they just suck because the manufacturer can’t be bothered.

Ross Reedstrom August 23, 2013 8:38 AM

@nw3327 This was a relatively local story for me
here. From the details, it’s pretty clear that this was a malicious takeover. The verbal abuse was directed, and the camera panned to the parents when they entered, at which time the abuser began hurling verbal garbage at them. The only slightly positive thing was that the child wasn’t disturbed, since she happens to be deaf.

I agree that the level of effort to “hack” this device was probably negligible. However, I think you underestimate what sort of thing a “griefer” will do for jollies. This was pretty much the equivalent of going to the park at yelling obscenities at random people.

Layer_8 August 23, 2013 9:19 AM

@nw3227

…whose monitor apparently broadcast on the same frequency. There was a switch on our monitor to choose a different frequency.

That’s the point. There is no security because anybody (even without a baby) could buy such a device and test the few frequencies to spy on the room in your house … maybe to find out if you are at home or just leave the light on.

Clive Robinson August 23, 2013 9:24 AM

@ Bruce,

If you want to improve / add to the article then can I sugest you make mention of Smart Meters / appliances / implanted medical electronics.

These have little or no security, but unlike normal consumer electronics with their 18-36 month life expectancy these devices are going to have a life expectancy of atleast 16 times that and could easily be 25 times that.

And let’s be honest, who is going to want to have their chest cracked open to have their “full feature pacemaker” changed for a “security update”.

Likewise who is going to want to pay their utility company between 500 and 1000 dollars to have their smart meter changed every five years just because the utility company bought the cheapest meter on the market that “looked nice” to the droids in marketing.

But there is another issue we know is in the noise on the horizon but is definately heading our way.

Criminals use these little smart gizzmos to steal money from peoples bank accounts by bugging ATM card readers and keypads.

We know of atleast one case of a burgler “staking out” properties with these gizzmos.

It takes no leap in the imagination to realise that getting access to the baby alarm, fridge, TV or toilet can likewise be used to stake out properties befor robbing them.

The more smart devices we have the easier it is for the burglers and other criminals to stake us out, and it’s an odds on bet that when “remote meter reading” by utilities is more the norm then the various US TLAs such as the FBI will be dropping NSL’s on them as they currently do with the telcos like Verizon…

Chelloveck August 23, 2013 9:28 AM

It’s not that companies don’t care, it’s that security problems are outside the experience of the engineers involved in these products. Traditionally, embedded systems have either not had outside connections or were expected to be deployed in a secure area; say, behind the corporate firewall. Security usually meant physical security.

Take a security camera, for example. Typically it would have an analog video output to a monitor or recording device. Info security wasn’t an issue, because breaking into it involved physically tapping into the cable.

Then people wanted security cameras with IP connections, to use the existing infrastructure rather than running cable. Okay, that’s do-able. And since these are going to be used inside the corporate offices they’re already secured by the firewall, right? Maybe they could be hacked, but it would have to be an inside job and at that point the company has bigger things to worry about.

Then people got creative and saw lots of new uses for a remote camera that didn’t need additional infrastructure. They got put on insecure networks or connected directly to the big, bad Internet. But hey, who’d bother hacking some random IP camera?

Sound familiar? It’s the evolution of the Internet all over again. Back when the Internet was made up of a small number of peers everyone trusted one another. It was considered neighborly to run an open mail relay. Who’d abuse that? And if they did, you’d just call ’em up and ask them to stop. As more people got on there was a common feeling of, “Well, I’m a nobody. Why would anyone want to hack me?”

That’s where we are with this Internet of Things. The embedded engineers are learning the same lessons that the network engineers learned the hard way long ago. And pretty much for the same reason — deliberately malicious use just wasn’t part of the original threat model.

It will take some time for the embedded guys to get out of the mindset of purely physical security and “why would anyone bother with li’l ol’ me?” Fortunately they have the huge body of lessons already learned by the network guys, so they’ll have a leg up once they start to think about the threats inherent with being connected. Even more fortunately, embedded processors are getting beefy enough now that there are some spare resources to spend on security issues.

War story: About 10 years ago I had to implement an IP stack on a PIC microcontroller. I had 1024 bytes (bytes!) of RAM. That’s in total, for the entire system. Less than the length of a single packet. When you’re working in conditions like that there’s not a lot of room left over for robust encryption…

(And yes, the economics of security vs. features is another big issue. But that’s a different rant. 🙂

Darren Moffat August 23, 2013 9:34 AM

Some parts of the industry do have independent testing and available reports, for example Common Criteria and FIPS 140. However both are very expensive to perform, take too long (current delay for FIPS 140 queue is about 9months) and it is well known that they don’t improve the security of the final product much and in fact can reduce it in some cases because the evaluated versions don’t get security vulnerability fixes quickly.

bcs August 23, 2013 9:37 AM

If consumers truly don’t care then it’s irrelevant. Or more precisely, if it’s not irrelevant then consumers can be persuaded to care. All that essentially follows from the definition of relevant.

If this is truly important (and I think it is) then step one is to get the general public to care, and give them the means to act on it. I’m thinking some kind of voluntary labeling standard (sort of like labeling food as “organic”): if you pass these tests, you can put this logo on your box.

The thing that scares me with this kind of issue is that it’s a very short hop from “this is important even though nobody seems to care” to “this is so important that we should pass laws despite people not caring about it” and once we are passing laws because the lawmakers think something is important and not because the constituents do, we no longer have a “government by the people” and we start seeing similar laws about other other topics, (to pick an intentionally inflammatory example) the kinds of theology (theistic or atheistic) that parents are allowed to teach their kids.

Not Your Mother August 23, 2013 9:41 AM

The “market” won’t solve the problem? Oh, but the government will? Please …

This is like anything else: a bad thing has to happen (e.g. baby monitor being hacked), and then people have to respond. Whether “people” means “government” or “market” has nothing to do with it, except your personal political bent, which is quite evident in this article thanks …

The Market:
1. Bad thing happens.
2. Story spreads (news, Facebook, whatever)
3. Consumers make a decision not to buy that particular product (they could even optionally choose to ‘sue’ the maker, if it’s that big of a deal.

The Gov/Regulators:
1. Bad thing happens.
2. Story spreads.
3. Somebody lobbies a politician someplace to make a law/rule to prevent this from happening in the future.

With “The Market”, the suppliers will choose a way to satisfy the consumer’s security needs whilst still maintaining a profit, meaning the price of the good/service will still be appealing to the consumer.

With “The Gov/Regulator”, the suppliers are forced to do whatever the compliance regulations require, regardless of how expensive, applicable, or valuable they are. And if the consumer doesn’t want to pay for those … too bad. (Also, enter in all sorts of bad policy from companies who can only sell their security features by force through lobbyists, because the consumers don’t want them anyway.)

Saying that some Gov/Regulator will prevent future problems like this is very much akin to saying you have a solution for Turing’s Halting Problem: you have found some way to prevent any random input from ruining a consumer good. That doesn’t hold water, my friend …

Clive Robinson August 23, 2013 9:46 AM

@ AC2,

The “Internet Of Things” may currently be a solution looking for a problem but it’s happening for a couple of reasons,

1, Enhanced DRM.
2, Fast Market Analysis giving big revenue.

We already see TV’s, Settop boxes, Digital Video Recorders, Games Consoles and other Entertainment devices being required to be “Internet Connected” to function.

The temptation to make extra revenue by the manufactures is to great for them to resist especially when the extra components are less than a buck on the retail price.

Within ten years I seriously expect to see this “spy in the home” back channel IOT traffic to become as bandwidth stealing as SPAM is today…

And the traffic will as with CarrierIQ do an end run around any security protocols and deliver close to plaintext to a known series of IP addresses which will make the job of the likes of the NSA a doddle to Hoover Up without even having to get a warrant or NSL because it’s not “content” just “meta data”. Which can be analysed to see into all those very personal moments, such as how long you shower or sit on the toilet when you channel hop, put on the kettle for tea/coffee or pop a snack in the microwave.

Layer_8 August 23, 2013 9:49 AM

@ Clive Robinson

If the interval for logging power usage within the smart meter is configured small enougth it is possible to extract the time special devices, that are connected to the wall sockets, are turned on/off (like washer or heating or coffee machine or tv or computer) and with more effort you can identify even the tv program running at that time (because the shown picture correlates to the power consumption).

R2 August 23, 2013 9:52 AM

The Market:
1. Bad thing happens.
2. Story spreads (news, Facebook, whatever)
3. Consumers make a decision not to buy that particular product (they could even optionally choose to ‘sue’ the maker, if it’s that big of a deal.

See “The Apostle“.

I’m always skeptical of the motives of anyone who claims that litigation can replace regulation, because those who chant the mantra of “free markets” also want to make it impossible for individuals to sue corporations (cf, “tort reform).

Clive Robinson August 23, 2013 10:27 AM

@ Not Your Mother,

Unfortunatly seductive as it sounds your argument does not hold water any better than a bucket with no bottom or sides.

You only have to look at the Auto industry to see why.

Back in the 1950’s it had already set well in on a “race to the bottom” on safety features, accidents and fatalities statistics were rising faster than car sales profits.

Eventualy the Government could nolonger ignore the issue and the first of several safety laws came into being.

Well to cut the story short the direction of designers moved from “Marketing features” and “cost cutting” being in effect the only driving force to include mandatory safety features.

What this did was cause engineers to re-think designs and they rose quite easily to the chalenge and in some cases (SIPS, crumple zones etc) designed around the safety features from day one and actually reduced costs whilst upping safety.

This is not the only example, perhaps one of the most subtl is QA, manufacturing organisations had chased cost cutting down in the race to the bottom and found a very nasty world of hurt. What was killing them was the asymetric costs of delivering to market and returns of faulty items. Even a 0.1% rise in returns could wipe out the slim margins the race to the bottom had produced. The manufacturers were forced to think differently and found that amongst others the British Standards Institute was pushing Quality Control as a way of reducing manufacturing deffects. Most managers treated it with deep suspiscion as it involved not just an increase in costs but ceaded some managerial control by dictat.

Supprisingly the companies that went for QC heart and soul with senior managment driving it through, found that the additional cost was an illusion and trust in the employees produced not just better results but methods as well and defect rates went down significantly increasing profit and alowing sale prices to drop.

Some companies tried out QC not just on manufacturing but other business processes, one such was a large bank that found it improved not just customer service but alowed for increased expansion at customer level without increasing overhead at managment level.

Safety is a quality issue and likewise is security, mandating minimum levels will focus designers and mangments minds on the issue and the market will actually improve from it not just for customers but manufactures and suppliers.

And in a way we are starting to see this with various governments taking issue over security with suppliers of equipment and systems, and it’s highly likely with only the tinyest of pushes that it will spill over into the business consumer and then home consumer markets simply because not doing it will end up costing the manufactures more.

Figureitout August 23, 2013 10:29 AM

Chelloveck
–Would have to agree on your comparison between engineers just based on my personal experience.
About 10 years ago I had to implement an IP stack on a PIC microcontroller. I had 1024 bytes (bytes!) of RAM.
–Yeah but it makes for a nice story! Pretty neat, a simple digital_serial_read example program on my arduino (which I love and makes experimenting so easy it feels like cheating) was like 1094 bytes. For $60 anyone can get a nice kit and there are so many easy and practical projects even non-engineers can do and there’s really no excuse for engineers to not check it out. So much power in these tiny boards/devices/modules!

Thecaseforpeace August 23, 2013 10:32 AM

I’m surprised by your comment that implies government regulation is an answer.

Some companies certainly do abuse the public. On that I agree: pharmaceutical companies, healthcare companies, and other mega sized companies, banks, etc. You are correct to criticize them. However you are missing the pathology. Most of these companies only exist because the government protects them . These mega companies that produce this crap are in bed with the same government you expect reasonable regulation to come from. two words: Regulatory capture.

The truth is, without the government protecting these industries, these companies would not exist in their current extremely large form. It is a fact that the banking industry wrote their own regulations to benefit themselves. It is a fact that the healthcare companies wrote the ARRA (Obamacare). Qui Bono? Not the common man or woman.

So you’re right, the market system doesn’t work right now for the extremely large corporations. Though the government regulatory structure doesn’t work either. When government and big companies become intertwined, we call it FASCISM. At this point in time, the government regulatory agencies are not protecting the people. They are in fact killing thousands of people, facilitating the theft of their wealth, and stealing their freedoms and privacy.

I encourage you to watch the documentary “Burzinski”. That should destroy any ideas that the vaunted FDA has any interest and incentive but their own in mind.

Clive Robinson August 23, 2013 10:39 AM

@ Layer_8,

If you look back far enough on this blog you will find I’ve said this quite some time ago to the general disbelife of many.

A protracted conversation was held on how exactly this could be done with RobertT, Nick P and myself describing not just what could be done but also what would need to be done to mask it.

On another occasion Robert T pointed out how powerfactor correction in devices could be modified under firm/soft ware control to open up side channels that could leak information back out onto the power grid.

From what I remember the chip sets used in smart meters can clearly see upto and sometimes beyond the tenth harmonic of the mains frequency, thus enabeling software to fairly easily distinquish hair dryers from microwave ovens etc etc not just by looking at the power consumption envelope but also the frequency distortion and harmonic interferance all mains connected devices make.

I suspect Nick P has saved away the URLs of the conversations and can pull them out quickly from his DB for you.

Figureitout August 23, 2013 10:52 AM

Bruce
–I think it’s important to make the point between products you buy (and can take apart) as opposed to public ATM machines/toilets/RFID access points/MWorIR sensors that one cannot or would look out of place if one were to inspect it personally; in fact that’s probably illegal. You go to the gas station to get gas quick and get on w/ your life and if a keylogger is so well disguised there’s really not much an individual can do and it is the gas station’s responsibility to secure its station.

R2 August 23, 2013 11:07 AM

Thecaseforpeace: Most of these companies only exist because the government protects them

All corporations exist in their current form because the government grants them entity status. Yet the people who (often rightfully) complain about government interference “distorting the market” never address the sacred cow of “corporate personhood”, and how that distorts a free market.

Thecaseforpeace: So you’re right, the market system doesn’t work right now for the extremely large corporations.

Are you saying that, absent government interference, large corporations would behave like benevolent engines of innovation and job creation?

jeff August 23, 2013 11:20 AM

Consumers don’t care because they don’t see it as a likely problem. And the essay seems to support this conclusion by observing how many things are hackable and how rarely it happens. So the article should not say “The free market won’t fix the problem” it should say “There isn’t a problem” Spending all the time to properly secure all this stuff, and we know getting security right is hard, when there isn’t a real problem, would just be a huge waste of resources.

Daniel August 23, 2013 11:21 AM

So what about IPv6 then. Doesn’t it make this problem much worse? Isn’t the list of consumer devices that are hackable inherently limited currently because of the limit on IP addresses. What happens when everyone’s lawnmower is connected to the internet so that the software to run it’s high tech fuel-efficient engines can be updated?

“The point is that we don’t have to worry about hackers smart enough to figure out these vulnerabilities, but those dumb hackers who just use software tools written and distributed by the smart hackers.”

That may be true right this second but that is only an incentive problem stemming from the limited number of items hooked to the internet which is limited by the number of IP addresses. When every consumer good is hooked to the internet, I think there will be plenty of incentive to worry about the smart hackers as well as the dumb ones.

wumpus August 23, 2013 11:30 AM

“Without the expertise to make an informed buying decision, cheaper wins.”

The other catch is that while lead in children’s toys can be measured, “security” is really the converse of “insecurity”. “Insecurity” can be proved or not, but “security essentially requires you to prove a negative. You can specify a maximum allowable amount of lead in toys (likely as close to zero as you can measure) but there isn’t a good way to measure the amount of security in a device.

Short of a “Bruce Schneier seal of approval” I have no idea how a consumer is supposed to determine good security from snake oil.

Peter A. August 23, 2013 11:38 AM

@Aspie:

WiFi leaks, but can be encrypted easily. Power line communications is no cure, it leaks as hell. You are having an antenna the size of your house – or your 20-storey apartment building.

Daniel August 23, 2013 11:46 AM

@jeff

The problem is that your position is in itself a risk. You’re correct that security in consumer devices isn’t a problem this exact second. So what? The better question is whether or not it is going to become a problem down the line…the term for this is “foresight”. This is especially true with security because it is often much more time consuming and expensive to to get the cow back into the barn than prevent it from leaving in the first place.

Clive Robinson August 23, 2013 11:49 AM

@ Jeff,

    Spending all the time to properly secure all this stuff, and we know getting security right is hard, when there isn’t a real problem, would just be a huge waste of resources

Err no.

Two reasons,

Firstly whilst it is not seen as a problem today ICT-Sec history tells us without any doubt that due to the “low hanging tree principle” it will be very soon.

Secondly the most expensive waste of resources is “throwing a product away” because it’s faulty and beyond what is laughingly called “economic repair”. The least expensive use of resources is to design security in from before Day Zero in the design process.

As I’ve said many times befor on this blog NIST should be comming up with standards that are “frameworks” to make security a much easier solution. At the lowest level a standard mandating the ability to “in place update” the low level algorithms which in turn should have a standardised API to alow simple “plug-n-play” updating. Above this again an API to alow protocols to be PnP updated and at higher levels classes of devices which are standardised.

None of this is rocket science and much of it has been done in similar ways for European and Industry standards (look at GSM etc).

The simple reason it appears not to have happend is “vested interests” at Federal level pushing against making ICT-Sec simple and reliable and thus easily integrated in a standardised way into products.

AC2 August 23, 2013 12:00 PM

@Clive

One good thing from the IOT could be that the upstream filters put in place by TSAs and Big Data solutions used by corporates could be overwhelmed by the amount of traffic generated. In the monetary sense, not the technical sense.

Thecaseforpeace August 23, 2013 12:03 PM

@R2

Corporations are not people. Anyone who argues that point can be accurately pegged as a raging fascist. A corporation is a risk isolation legal structure to protect the people who own the company, that is all.

The market incentives (and disincentives) don’t work for large corporations because their sole reason for continued existence is government protection. In a natural market, large companies GM, GE, IBM, JPmorgan, Goldman Sachs, Coca Cola, etc. would not exist at all (i.e. die) because they are so inefficient. Their biggest reason for survival now is because they have political and economic power and influence. Alternatively in a natural system they would have to be split up into far smaller micro companies to survive. These mega companies are the same ones who pay no corporate tax (why? – fascism). Meanwhile the small businesses are increasingly exposed to the predatory legal, tax, intellectual property, and regulatory structure to ensure the big companies survival.

If they’re too big to fail/jail, they are a government organization. Take them behind the woodpile and shoot them. “Free market” is window dressing at that point.

Everyone knows innovation comes from small renegade businesses experimenting and taking risks. Mega corporations are parasites feeding off of humanity while using government violence to prevent the host from throwing off it’s attacker.

Thecaseforpeace August 23, 2013 12:23 PM

@R2

I forgot to mention defense contractors. They are a special kind of hell spawn. Any company that receives over 90% of it’s revenue from the government is a government agency with “benefits”. Private prisons fall into this category as well. This structure is one of the most despicable in existence and in human effect ever known.

Even if the managers of these companies had the best of intentions there is no possible way, with the malincentives present, can the company avoid the result of despicable acts and corruption. Calling the government your “customer” is beyond perversion and depravity.

Kevin an Auditor August 23, 2013 12:39 PM

I think that no one clicked on my link near the top of this thread:
Apparently dishwashers don’t spark much interest here. So I’ll
repost:

CIA Chief: We’ll Spy on You Through Your Dishwasher (March, 2013)
http://www.wired.com/dangerroom/2012/03/petraeus-tv-remote/

Clive Robinson at 9:24 AM wrote (at end of his post)
“The more smart devices we have the easier it is for the burglers and other criminals to stake us out, and it’s an odds on bet that when “remote meter reading” by utilities is more the norm then the various US TLAs such as the FBI will be dropping NSL’s on them as they currently do with the telcos like Verizon..”

Clive really is an optimist. Have everyone forgotten the FBI’s proposal, just three months ago, that all software be equipped with a backdoor for their own use?
https://www.eff.org/deeplinks/2013/05/caleatwo

In light of the Snowden revelations, I really don’t want the USG to “certify” smart devices. Remember the PRNG the NSA helpfully supplied for Windows Vista? “Yes, this is the same RNG that could have an NSA backdoor” Bruce Schneier.
https://www.schneier.com/blog/archives/2007/12/dual_ec_drbg_ad.html

If we require “government certified hacker resistant” what we’re likely to get is a hardwired tunnel to Utah.

Perhaps some believe that laws can be passed to prevent this. But there are very few cases in hisory of empires voluntarily surrendering their power. And the current surveillance establishment seems an empire and law unto itself in my eyes. I think only massive, or at least substantive, budget cuts might force these TLA’s
back into there appointed niches.

I’ll be looking for the “Romanian Hacker Certified” label on any new smart appliances that I buy;) – or maybe train a bear to guard the entrance to my cave!

Thecaseforpeace August 23, 2013 12:54 PM

@Kevin an Auditor

I couldn’t agree more with your post.

It’s human nature to want somebody to take care of the problem. Unfortunately many have been programmed to think the best somebody is the government. Personally, I want nothing to do with those goofy criminals. Give me the hackers. They’re certainly more trustworthy, or at least their motives are more transparent than the government.

How do you know it’s time to run for your life? you hear these words: “We’re the government. We’re here to help.”

Pepermint August 23, 2013 1:47 PM

Security really doesn’t have to cost a lot…

My home network’s router is some utter piece of trash. It barely puts packets through without crashing, requires frequent reboots, and requires a full reboot (2-3 minutes) anytime any configurational option is changed — like say the password. Utter hell to use. Not worth the money it would cost to send it back.

But it accepts DD-WRT. DD-WRT: Open source. Heaven to use. I can ssh into it from the command line. Run a web or file server on it. Tweak anything you can imagine in mere moments. Hell, it even includes network traffic graphs.

I like this business model.

Software should be open-source. The costs to the (hardware) company are minimal. And somehow, with Open Source, where anyone can look at the source code, I trust the security a whole lot more!

Plus, legal liability… The (hardware) company benefits. They may be liable for failures in their own crappy software. But seeing how difficult it is to actually get it to work, breaking it would be a very time consuming and challenging operation. On the other hand, the Open Source software, well surely they can’t be liable for that? If I put that on, well I’m off the proverbial reservation, out there on my own. Legally speaking, liability wise.

All this gets back to something I believe Bruce said some years back: Do you trust the company who makes safes & vaults who says their product is unbreakable and that it’s hidden somewhere in upstate New York? Or do you trust the safe & vault company who says their product is unbreakable and that they’ve given copies to all the world’s best safecrackers, basically to anyone who wanted to try and break it, and nobody could crack it?

Open Source for the win. Vastly better security, far superior features, lower costs to develop, and avoidance of legal liability.

Not Your Mother August 23, 2013 1:57 PM

@Clive

The auto industry reference can’t be verified. Since .gov got involved, we didn’t see the driver of the market. What you need is two “markets” one in which is tampered by .gov and one that isn’t. Otherwise, nice strawman.

Note that new safety features on cars were invented by private industry first, and adopted by many car companies, before the bureaucratic behemoth chose to jump in and force the new features, too. Industry creates, government taxes and destroys.

The point is … I have the right to choose a product that doesn’t have a regulator’s equivalent to a value added tax on it. I have the right to buy a product that you view as insecure. My application of that product is my own prerogative; therefore, I should be able to purchase it at lowest possible cost.

Caveat emptor … and most certainly caveat civem!

And on that note, I’m done with the comments on this thread. While I enjoy Bruce’s articles, I have a rule to not debate with random people on the Internet, and I’m already bending that rule. I need to get back to making as much money as I can with as little or as much ‘security’ as my customers and I agree should be there. Wink, wink!

Aspie August 23, 2013 2:02 PM

@Camilla

Yes, multiple houses may well be on the same phase or the signals find their way through by other means. The reason I brought it up is that waaaay back Radio Shack offered intercom systems to work this way. Seems to me that a baby monitor (minus the, perhaps superfluous, video signal) could be accommodated.

I agree that it negates the “on the hip” option but then … well, how far from ‘baby’ do we feel we need to be? 😉

Voice can be sent over low frequencies – perhaps up to 8KHz and (freely question my poor math/physics here) multiplexed sideband frequencies, offset from harmonics, used as parallel digital frequency channels reassembled at the destination, might deliver acceptable fidelity over moderate quality copper even with attendant noise from feeding appliances.

@Peter A

I’m (clearly) not an RF engineer so, since I suspect many here might be, I’ll say I was working on the notion that lower frequencies have much shorter range. How far would 50KHz go and what length of antenna (presumably a multiple of the frequency) would be required for “perfect” transmission?

R2 August 23, 2013 2:04 PM

Thecaseforpeace: Corporations are not people. Anyone who argues that point can be accurately pegged as a raging fascist.

Your “raging fascists” includes a vast majority of conservatives, libertarians, Republicans, Ayn Randians, Tea Party types, etc. (Is there a single word to describe these groups?)

Thecaseforpeace: The market incentives (and disincentives) don’t work for large corporations because their sole reason for continued existence is government protection.

Uh, no. Even absent the evils of government, free-market incentives won’t work for large corporations. They won’t simply behave as benevolent engines of innovation and job creation.

In addition to the market distortions caused by “corporate personhood” vesting power in immortal sociopaths, incentives and pressures don’t scale up very well. There’s a book about this calledLiars and Outliers written by some guy named Bruce Schneier (you may have heard of him). Read the whole thing, but especially chapters 12 (“Organizations”) and 13 (“Corporations”).

But we often treat organizations as if they were actually individuals, assuming that societal pressures work on them in the same way they do on individuals. This doesn’t work, and results in some pretty bad trust failures, and high scopes of defection. (p. 155)

Less Insecure Monitor August 23, 2013 3:32 PM

Note that there are, in fact, much more secure options for consumer devices – corporate and industrial devices.

For $200+, you can get an industrial network camera (like an AXIS M10xx series or the ACTi Exx series), which does allow for long passwords by default, and as I recall from setting one up, SSL by default is available. With a minor configuration change, the HTTP port can be given a nonstandard address – I forget if HTTP can be turned off entirely. Minor config changes can also allow encrypted vs. unencrypted authentication, regardless of SSL or not.

To the user asking who would pay for it, I did a couple hundred for one, not counting the display device (Android device capable of Wifi, VPN, and camera access using CyanogenMod).

Both of these options are easy, once you get to the right page in the Web configuration interface. The hardware install is easy; either use POE or a regular Ethernet cable and the supplied AC adapter – multiple mounts are included.

The next level of security or insecurity, however, comes at the firewall level – do you allow the outside Internet access? What about your own Wifi network? To which port(s)? This level is probably the top end of what most users can do.

The next level of security or insecurity is setting up a VPN for the internet and/or the local network/Wifi, and that’s well beyond what most users are capable of, particularly a certificate based VPN.

I do have a portable device that connects to long-random-password based WPA2(AES) Wifi (or someone else’s Internet connection), and then uses cert-based OpenVPN to gain access to anything else, and then is allowed to connect to the camera’s SSL port and enter the username and long random password there. This is, very likely, a reasonably secure solution (minimum 2 levels of encryption – camera’s HTTP + OpenVPN), but is well outside most people’s capabilities.

More importantly, should I lose control of any device with access, it becomes more possible for an adversary to get in until I start changing levels of security – revoke the SSL cert they have and change the camera and Wifi passwords, for example. Again, not trivial for most people.

I agree that NIST should have guidelines, but more importantly, the reviewing literature (Consumer Reports, etc.) needs to be funded to consult security experts for evaluation of products as well, to make this aspect more obvious to consumers.

Thecaseforpeace August 23, 2013 5:02 PM

@R2

I’ve yet to meet anyone from the left (except some notable senators), libertarians or anyone related who believes corporations are persons. I think the only people who actually believe that are neocons, fascists and useful idiots (see also: senators of both parties).

You completely missed the point on the latter argument. Believe what you want, but it’s empirical fact. Let me break it down:

Without government support and government force (including bailouts) mega corporations cannot and don’t exist very long. They self destruct, implode, kaput, gone. Why is all a matter of scale and leverage. Large corporations (or systems) require large inputs and are more vulnerable to exogenous forces. They are simply more likely to blow up than smaller sized companies. This principle applies to all complex systems, and natural ecology (dinosaurs). They act as if they are above the law, because they are. They have taken control of government to their own ends, to survive. They’re cheating nature. It’s a story as old as human history, from the railroad barons, IG Farben (and the Nazis) to the Byzantine empire. So long as the regime supports them, they survive. However, once a company has been materially supported by the government, they become even more fragile, then when the regime collapses, so goes the company(ies).

Bruce actually makes a similar point related to scale of systems and human networks in his book. Though I cannot, nor would I pretend to speak for him on this particular subject.

If you want to go break up all the too big to fail/jail corporations, you’ll get no argument from me. But you’re not going to get much help from government; they are the same people (fascism remember). In reality we’ll likely have to wait until the US goes the way of the Soviet empire, into complete collapse. Shouldn’t be too long now, probably 5-10 years… more or less?

Clive Robinson August 23, 2013 5:08 PM

@ Not Your Mother,

    The auto industry reference can’t be verified. Since .gov got involved, we didn’t see the driver of the market. What you need is two “markets” one in which is tampered by .gov and one that isn’t. Otherwise, nice strawman

Ahh the “strawman” argument of “we need N markets to see, where N is greater than one”, that’s a very old get out argument because it’s impossible to set up as an experiment, but then you know that don’t you or you should…

With regards,

    Note that new safety features on cars were invented by private industry first,

That is true of a lot but by no means all inovation because what you chose to call “private industry” is in reality where the “domain experts” are employed at the time. As has been seen with some inovation such as voice compression and cryptography and quite a chunk of communications inovation this came out of various government labs, because at those times the domain experts were employed by the government.

Ignoring that makes the rest of your argument hopless floundering on a false assumption.

As can be seen in Europe, the various governments select people from industry via trade bodies to formulate requirments which then get given back to industry as proposels for standards. Experts and others with relevant interests then make sugestions, for modifications and deletions these get voted upon and drawn up as a technical draft, which usualy then gets converted into “legalise”.

In Europe the standards are requirments to be met often by measurands not mandated methods. This alows for continuous inovation whilst achiving an objective that can be measured and verified. But with many European standards it’s actually a legal framework which is actually without measurands or methods, the actual measurands are in subsiduary standards actuall drawn up by commities of industry representatives with just a tiny handfull of government representatives. Where methods are needed industry puts forwards methods that are evaluated and a candidate selected, however any method put forward usually has to be free of encumbrance or put under strict control such that it cannot be used for market manipulation in the way that patents are infamous for.

Any way you say you’ve broken one of your self imposed rules, so I guess others will have to take up your point of view if they feel it’s valid…

RosalynRandiB August 23, 2013 6:03 PM

This reminds me of the time one of my neighbors installed an analog 2.4GHz baby monitor. I too shouted various profanities–in the privacy of my own home, not over the airwaves or interwebs–and dropped three more WiFi APs in my house to drown out the constant background radio noise, eventually fully occupying the entire 2.4 GHz spectrum and staking a claim on some 5GHz channels too.

I have no idea if the neighbor’s device continued to work after that, but some time later the interference did stop…

Figureitout August 23, 2013 6:05 PM

How far would 50KHz go and what length of antenna (presumably a multiple of the frequency) would be required for “perfect” transmission?
Aspie
–General rule of thumb is the lower the freq, the bigger the antenna; you can also “scale the freqency” w/ D=(f1/f2)*d; where D=scaled dimension, d=orig. design dimension, f1=orig. design freq., f2=scaled freq. (the one you want). Depends on many factors too such as how you want to transmit, the elevation/azimuth pattern, how far, how loud, atmospheric weather (Ham’s actually like CME’s from the sun lol), SWR, directivity, gain, polarization, etc. Big thing lately is the “magnetic Q”, that receives the magnetic field of the wave and has noticeable quality of reception.

Check this place out and this. I have this book but the old ones would be fine for the most part unless you’re looking for more digital. I can’t make the antennas (a big dish and 199 ft. tall tower) I want to make b/c I live in a neighborhood that considers them “eyesores” like the neighborhood assoc.’s faces.

Anyway you should get your license and a call sign b/c it’s a great area of science that is being used to talk to probes 11 billion miles away and will be used for the Mars Expedition. Could be useful for attack/defense if someone’s getting on your nerves.

rob August 23, 2013 7:00 PM

I think that Apple has pretty good security on their notebooks, but a few years ago, a school system decided that adding software to enable remote activation of the webcam would be a good idea. This did not turn out that well (it led to some abuses by the school IT administrators).

The point of the above is that if the capability is there, it will be used or hacked.

The whole problem with a baby monitor could have been avoided by doing without one to start with. Really, what kind of parents need 24-hour surveillance on a two year old?

Wesley Parish August 23, 2013 7:12 PM

“Bruce Schneier seal of approval”

Speciest! What’s wrong with “sea lion of approval” or “walrus of approval”? 🙂

Facetiously, the image that opens before my eyes is something out of “Consider Phlebas”, where the Culture Minds crack into the Idiran Empire ICT backbone and changes it into a copy of itself, thus bloodlessly winning the decades-long war …

Combine the huge wetted surface of an insecure IOT with the equally vast wetted surface of the NSA data collection, and the horrifically insecure environment – like a chocolate bonbon: hard on the outside, soft on the inside – that is involved in storing and analyzing so much data (storing is static and a decent security model will hold for quite a while: analyzing is dynamic and will add risks exponentially as the number of analysts with access increases), and the likeliehood – close to 0.79%, if not greater, if my guess is anything to go by – that in 65% of all NSA analysts’ homes there are such IOT devices, and you have the interface to the data.

Add to that the likeliehood that if you don’t have NSA analysts preparing to leak data a la Snowden, you can be sure they are planning to capitalize on it financially through blackmail for personal security, and you do have the scenario of extremely rapid collapse.

T August 23, 2013 11:03 PM

Because security is very hard to get right. It takes expertise, and it takes time.

It also takes a mind set that most people don’t like. Had to point out to a cop that the two inch pen knife on my keychain was not a threat compared to the ten inch screw driver in my tool bag. The pen knife was still confiscated and I walked through with a dozen tools more useful in a fight. Thinking of a screwdriver as a weapon is outside the boundaries of people supposedly trained to keep us secure. It smacks of paranoia to them. Similarly, thinking of a knife that realistically can only be used to slice security tape as anything but a weapon requires thinking. But rules and regulations take the place of critical thinking for many people.

My first thought though was did the neighbor just have the same baby monitor setup and which happened to catch them in a screaming match? (you have to meet some of my neighbors…) Used to be at least the cheap ones all worked on the same frequency. We used them as cheap walkie talkies in grade school because of the flaw/feature. Is security even necessary for a baby monitor or do some people just need a cheap walkie talkie to keep tabs on their kids?

rufo guerreschi August 24, 2013 2:55 AM

You wrote:
“Computer security has resisted these mechanisms, both because the industry changes so quickly and because this sort of testing is hard and expensive. But the effect is that we’re all being sold a lot of insecure consumer products with embedded computers”

A possible solution to this may be to make such certification authority(ies) thoroughly independent and competent, and international so that certification would be done once for global roll out. Such certification may be made required by law for device and cloud service, as soon as the number of its users pass a given number.

Such certification would necessarily need to be a continuous process, wheres they would need to have intrisically secure way to ascertain that the software, hardware and procedures they review mathes the actual deployed at present and any given time in the past.

One example for such authority may be International Institute of Democratic and Electoral Assistance for decades has provided crucial and largely independent assistance and review for governments electoral processes world-wide.

More on this: http://www.rufoguerreschi.com/2013/08/23/for-an-international-institute-of-privacy-and-security-assistance/

Rufo Guerreschi,
Exec. Dir. Open Media Cluster
Founder of the User Verifiable Social Telematics Project

R2 August 24, 2013 8:18 AM

Wesley Parish: “Bruce Schneier seal of approval” Speciest! What’s wrong with “sea lion of approval” or “walrus of approval”? 🙂

If you want to go down that road, it might as well be the “Bruce Schneier Squid Of Approval”.

name.withheld.for.obvious.reasons August 24, 2013 12:32 PM

@ Clive Robinson

“But with many European standards it’s actually a legal framework which is actually without measurands or methods, the actual measurands are in subsiduary standards actuall drawn up by commities of industry representatives with just a tiny handfull of government representatives. Where methods are needed industry puts forwards methods that are evaluated and a candidate selected, however any method put forward usually has to be free of encumbrance or put under strict control such that it cannot be used for market manipulation in the way that patents are infamous for.”

Having some experience we a few standards groups in the United States, IEEE, NIST, NERC, FERF, and WECC (luckily they are FLA’s and not TLA’s) in the not so distant past I find the processes and results a mixed bag. I’d estimate that for the most part, the concerns of industry are served with little consideration for the “customer” or “consumer”. Most of the drivers for development of an operational standard (not procedural or process) can be recognized by the character of the working group. Invariable the most dominant vendor has the most influence and there is little that can be done to make these initiatives accountable from a “right thing to do” perspective.

I would posit that a proper working group would include a non-industry, non-commercial, non-partisan, and even non-academic “advocate” that chairs or co-chairs the group. In addition, adoption cannot be made without the consent of the “advocate”. For example, IEEE relies on members of the specific society all of which have some tie to the affected industry (though I’d argue the IEEE is probably the least gerrymandered working group). NIST has their own internal leads and is often populated by the largest vendors in the space. Most of these groups fail to make the necessary linkage between adoption and the impact on the consumer (notice I didn’t say citizen) or customer/market. I choose Richard Feynman–oh yeah, he’s not available. And the review process for the NASA Challenger is another example of it done right (the review/investigative process) and still achieving a less than desired result.

The Federal Communications Commission is an excellent example of the transformation of standards and regulatory bodies. And I agree, there is currently no better process where “frameworks” provide skeletons for industry that can be made to work. Though many of these organizations are open to suggestions, the tendency is to side with the “largest/loudest” interest. I was also a member of the IATF (an NSA task force) as part of SELinux. There was a more collegial tone due mostly to the “nerdiness” of the task force and was a far less “forced” process. Work groups and standards bodies that enumerate “accurately and completely” the elements of merit, risk, complexity, and any number of indirect components of a system (or System of Systems) is rare. Also, you touch on the problem about corporations doing the right thing on the way in. I cannot argue with that so every time some inititative is proffered I just shake my head and hope for the Galaxy Police.

Rufo Guerreschi guerreschi August 24, 2013 3:31 PM

kevin wrote:
“In light of the Snowden revelations, I really don’t want the USG to “certify” smart devices. Remember the PRNG the NSA helpfully supplied for Windows Vista? “Yes, this is the same RNG that could have an NSA backdoor” Bruce Schneier.
https://www.schneier.com/blog/archives/2007/12/dual_ec_drbg_ad.html

Good point, such a body would need to be non-governmental, and not even intergovernmental, but world citizen controlled, citizen financed (or with a very large endowment) , no-profit and international …

W L August 25, 2013 5:25 AM

There was also the presentation at this year’s Black Hat of owning a smart-TV and causing it to display false news popups, quietly stream video from its builtin camera, etc.

akf August 25, 2013 8:16 AM

@Pepermint: When I read this headline, my first thought was also: “I wished consumer devices were more hackable”.
I also thought about my router. I paid for it, I bought it. But do I own it? Doesn’t feel like that.

Teyvon August 25, 2013 8:46 AM

I always thought that my father watching gay pornography in the next room might be the reason I’m gay. I think I might have heard it in the background.

Dirk Praet August 25, 2013 8:09 PM

@ Bruce

The moral is that pretty much every “smart” everything can be hacked, and because consumers don’t care, the market won’t fix the problem.

I don’t entirely agree. Consumers do care, but unfortunately suffer from a number of misconceptions that are clouding their judgement.

1) The average consumer/user assumes that the products he or she is buying are secure by default, either because of applicable laws and regulations or through market mechanisms. Only the paranoid and those in the security community know that they are not, and if by any means remotely controllable or attached to the internet probably prone to hacking.

2) The average user/consumer thinks of hackers as extremely rare basement nerds with god-like computer powers trying to break into government and big corporation networks only. Chances are that, if asked, they’re more likely to point out multiple terrorist suspects than even one hacker in their neighbourhood. No normal person knows the difference between a hacker and a script kiddie, and the mischief even the latter category can do just by using stuff found on the internet.

Some time ago, I demonstrated a simple Facebook hack using the firesheep Firefox add-on in a wifi enabled bar. It totally freaked out everybody, to the point that several of them switched to https immediately and some others even deleted their account. There was also one guy who paid me several drinks to teach him that trick.

3) The average user/consumer is even less aware of the presence of state actors, organised crime and corporations/vendors tracking and exploiting their every move. No one I know with a Google, Hotmail or similar email/other free service account – outside the SC that is – is aware that he/she is not the customer, but the product. Most are under the mistaken belief that gangsters only target internet banking, and that stringent privacy laws govern the way state actors and corporations can track them.

A couple of weeks ago, the WordPress website of our gym was hacked, started sending out spam and linking to an Indian pr0n/malware site. The owner, asking why on earth any hacker would do such a thing, genuinely had no idea that this sort of thing is done by organised crime syndicates.

I believe many users are unable to make a calculated risk assessment of what they are doing/buying because they just don’t have all the facts, and admittedly the industry is not giving them. That said, there also remains a huge factor of intellectual laziness trading in security/privacy for convenience and hiding behind the “when you have done nothing wrong, you have nothing to hide” phallacy.

I’ve grown used to being considered a tinfoil hat and people shrugging their shoulders when I try to educate them on electronic/digital hygiene. That goes for private and professional contexts alike. From their side, they have grown used to me charging them their pants off in times of digital calamities I warned them about.

Figureitout August 25, 2013 11:47 PM

Bruce Re: Dirk Praet’s Post
because consumers don’t care, the market won’t fix the problem.
–You know just as well as anyone else that if consumers were to verify to the extreme every product they ever consumed that our society would be a bunch of nutcases. Any social interaction would be so awkward people would just stop; and we would all be essentially robots stuck doing the same repetitive job.

I think it’s time that the consumer electronics/IT security industry as a whole recognize the massive failure they have been a part of and that we start putting out products that cannot be hacked by script kiddies and amateurs like me. If they can’t recognize this then go get a liberal arts degree.

Figureitout August 26, 2013 12:12 AM

At the very least the amount of known possible states needs to be reduced to a realistic manageable number and error checking code/ real testing by true hardware engineers of the components you sell to consumers that will not do this testing nor have the knowledge/tools to do so.

It’s essentially a scam just like Wall Street selling financial derivatives they don’t understand themselves to suckers; it’s wrong and it needs to stop. It’s a falsehood that needs to stop or be made very clear that it’s a falsehood.

Figureitout August 26, 2013 12:42 AM

A lot of hacks happen because the users don’t configure or install their devices properly, but that’s really the fault of the manufacturer. These are supposed to be consumer devices, not specialized equipment for security experts only.
Bruce
–You need to stop saying that it’s the consumers fault, then calling them all hopeless idiots. Let’s just assume they’re hopeless idiots and they need a secure device to send a message to an acquaintance. I wonder how many times someone’s been sold a polyester shirt and not a cotton one; what if you burger’s been spat in; what if there’s water or sugar in the gasoline you just put in you car; what if the drugs aren’t really what was prescribed to you; what if your water contains high levels of intestinal bacteria (that do actually happen); what about the air that you breath isn’t as healthy as you’re told it is; what if your milk really does have an illegal amount of pus in it; what if the algorithm you thought was secure was really a sucker’s game to get your privileged conversations; what if that car you bought really is a lemon; what if the bootloader code on a ‘clean’ chip you just bought contains malware; what if your neighbors are conducting surveillance on you?

These are all terrible questions and are all totally possible in the modern world.

vas pup August 26, 2013 9:31 AM

“Bruce Schneier seal of approval”
Not Bruce, but private independent non-for-profit organization like ‘UL’ under EFF roof with Bruce just one of experts to conduct independent privacy/security (informational aspect, not physical) rating of consumer addressed electronics. I suggest for privacy rating label which looks like circle with 1984 inside crossed by one line with color of the line
mapping level of privacy (5 levels suggested).
E.g. phone answering machine with remote access for monitoring inside the the rooom with four digit password – level 0 – bad privacy, same machine with chance to turn microphone off by mechanical (hardware) switch at all after outgoing message was recorded – level 3 – substantially better, and so on.
Such PSL (privacy/security lab) may get paid requests for rating by manufacturer, consumer groups, even government, lawyers (consumer protection, etc.) with full discloser and transparency.
PSL may ask opinion, expertise of anybody upon discretion, as safe’s manufacture ask for expertise of former criminals for safe security.
Basically, same as for open source sofware.

rohit January 28, 2014 6:42 AM

hello sir,
i want to make my hasp srm upgrading file with your help
so plz help me………….

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.