Comments

Denton ScratchFebruary 18, 2019 8:07 AM

Re. Supermarket Freezers: Cool hijack. (sorry).

It's not clear to me why supermarkets, hospitals and pharmacies think they need internet-connected thermostats. And hospitals and pharmacies in particular should have managers with a bit more clue about these matters; clueful managers in supermarkets are unfortunately few and far between.

RobFebruary 18, 2019 9:56 AM

Sheesh, the freezer will give you a map of the floor it's on without the password.

Next time I plot out a heist...

BrookeFebruary 18, 2019 10:37 AM

I think internet connected freezers is actually a solid application for IoT. Think about a grocery store that has a couple massive freezers/fridges in the back and then all of the display stuff. It would be amazing to send an alarm for temperature over something all of the stores have already, network connections home to the store mothership. Wouldn't it be nice if the freezer could tell you what was broken before you even dispatched a tech so they had the right parts, or you could turn on another chiller to compensate for the downed/failing portion?

I think the applications are absolutely worth considering the risks of connecting it. It's got to be the consumers who demand better security, there's no other way to do it. It doesn't matter if it's large corporate consumers or home users, we have to make it loud and clear that we need security over the cheapest item. Until the markets start demanding it and choosing more expensive products with better security/update paths over products that are cheap but easily taken over without timely patching. Even with all of the news, it seems we aren't making enough noise as consumers! We still pick cheap crap every time.

David RudlingFebruary 18, 2019 10:56 AM

@Brooke
All the noise in the world from consumers won't do the trick.
The amount of compensation awarded by the courts to the dependents of the deceased is the only thing that will be listened to by otherwise deaf corporate ears.

Joseph JulicherFebruary 18, 2019 11:38 AM

There is at least one IoT freezer business case that is happening in Europe.
Essentially it is energy frequency trading. By managing a large number of freezers, you can start and stop large blocks of electricity at a moment's notice. This allows you to buy energy cheap and sell it dearly at a moment's notice. You keep the freezers energized off the profits. When the energy you are using to freeze food can be more profitable selling it, you turn the freezer off and sell the energy. The freezer will keep the food cold for a while. If you offer to manage all the freezers in a town, you have control of many kWh and you can offer a discounted "freezer as a service" cost to the grocers.

These companies are looking at other loads such as lighting to expand the business.

tazer2000February 18, 2019 5:01 PM

@Denton In a future where information is the ultimate tool, then it stands to reason that maximization of captured data correlates to levels of power/control. The more data you have, the better your simulations/models become. The explosion of AI wasn't just because of better hardware, but also about more data being available for the training of the neural nets. Sooo, with 5G coming online and likely something like a magnitude increase in the data to mine, I'd say things are gonna get interesting pretty quick. lol...buckle up.

tedFebruary 18, 2019 6:58 PM

"The industry is now being urged to build more robust systems."

Urged. URGED! This is heavy construction equipment, not an IoT camera. Government regulators ought to say "You've got 90 days. Fix it or shut it down".

Bruce SchneierFebruary 18, 2019 8:29 PM

@Brooke

"I think internet connected freezers is actually a solid application for IoT."

I think they're all solid IoT applications. I just want them to also be secure.

VinnyGFebruary 19, 2019 8:29 AM

@Joseph Julicher re: freezer power management - What safeguards are in place in that arrangement to remove any incentive to maximize profit by diverting power away from the freezers to the point that food quality, and possibly safety, is compromised? Without some kind of independent monitoring, that consequence is inevitable. Worse, the power "broker" may be in a position to avoid liability for any damages that occur as a result of that kind of conduct. I would be quite reluctant to purchase frozen food from a market that participates in such an arrangement without strong assurances on those matters.

Sed Contra February 19, 2019 6:36 PM

Re: freezers a solid application of IoT

Obligatory

In regard to freezers especially, it had better be.

MeFebruary 20, 2019 8:36 AM

This is why I was initially horrified when I heard about our company's services that allow connecting industrial plants to the web, to allow alerts and check-ins etc.

I was not initially placated when they mentioned "data diodes" they put in place to ensure that the connection was entirely one way (data out of the plant, not instructions in). However, when they mentioned that the data diodes were physical (basically a one way fiber optic system, without all the actual fiber), I started to realize that someone here actually took security seriously. I had assumed software diodes, and those I couldn't trust.

UntitledFebruary 20, 2019 3:08 PM

You need to be careful about pasting "IoT scare!" onto everything.

Neither the construction crane hack nor the electric scooter hack was anything to do with the "Internet of Things". The machines aren't connected to the Internet. The crane hackers hijacked the specialised local radio communication between crane and controller – no IoT there. The scooter hackers sent unauthenticated commands over Bluetooth – no IoT there either.

War GeekFebruary 21, 2019 1:25 PM

No...just because there was a publicized Bluetooth construction crane discovery doesn't mean I can't hack a crane and bomb your car as you drive under it :)

https://patents.google.com/patent/CN203639024U/en

"[0008] A further: said wireless communications network is a 3G network or a WIFI network; construction of the video transmission to the host through a wired broadband access to the Internet, the host monitoring control room is also connected to the Internet."

"There's going to be an App for That" Said the Hacker in the movie plot script...

War GeekFebruary 21, 2019 1:27 PM

Er...the above link is to a 2013 Chinese patent for a construction crane monitoring system...

IzzyFebruary 22, 2019 12:34 PM

NIST's search for quantum-computing-resistant encryption algorithms for IoT devices (e.g. relatively low processing power) has reached the semi-finals stage.

Circuit Secures the IoT Against Quantum Attack

“...to develop one or more classes of encryption schemes that classical computers can use but quantum computers can’t crack.”

https://spectrum.ieee.org/tech-talk/computing/embedded-systems/circuit-secures-the-iot-against-quantum-attack

https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Post-Quantum-Cryptography-Standardization

Matt TaylorMarch 15, 2019 5:50 AM

I like the idea of having all of these things connected, but why don't they treat these things like they do a database server, for instance. Have all of the internal IoT devices be behind a firewall, and whoever needs to communicate from the outside has to authenticate into the network. Then it matters less if they change the default password or if there is a vulnerability. But manufacturers can easily require the user to change the default password when they first set up the device; that's not that hard either.

EddieMarch 15, 2019 9:53 AM

From the scooter article:

"Xiaomi M365 Electric Scooter comes with a mobile app that utilizes password-protected Bluetooth communication, allowing its riders to securely interact with their scooters remotely for multiple features like changing password, enabling the anti-theft system, cruise-control, eco mode, updating the scooter's firmware, and viewing other real-time riding statistics."

Why use Bluetooth at all? All these features could be accomplished just as easily with a built-in control panel on the scooter... and you'd probably get a simpler, more efficient, more intuitive interface too. This sounds like a gadget that tries too hard to be gadgety.
