Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Communications Networking Security The Internet

Securing Networks In the Internet of Things Era 106

Posted by timothy
from the glad-that-someone-finally-invented-things dept.
An anonymous reader writes "Gartner reckons that the number of connected devices will hit 26 billion by 2020, almost 30 times the number of devices connected to the IoT in 2009. This estimate doesn't even include connected PCs, tablets and smartphones. The IoT will represent the biggest change to our relationship with the Internet since its inception. Many IoT devices themselves suffer from security limitations as a result of their minimal computing capabilities. For instance, the majority don't support sufficiently robust mechanisms for authentication, leaving network admins with only weak alternatives or sometimes no alternatives at all. As a result, it can be difficult for organizations to provide secure network access for certain IoT devices."
This discussion has been archived. No new comments can be posted.

Securing Networks In the Internet of Things Era

Comments Filter:
  • by Anonymous Coward

    Most "things" in the internet of things will send very small amounts of data. A microSD card full of random data will provide secure communication for several years. Incidentally the same has been true of banks for a very long time. They send you a new bank card every few years.

    • "Most "things" in the internet of things will send very small amounts of data. A microSD card full of random data will provide secure communication for several years."

      Assuming you will ever read this after posting as an AC, how do you propose the distribution of these One Time Pads will occur? How will each device determine which One Time Pads have been used and which haven't? What happens when you want to check your refridgerator contents from an internet cafe? Even if you can distribute a new OTP set

    • by Darinbob (1142669)

      Some devices use those, or smartcards. However some devices don't; they're too small, or are owned by utilities who don't want someone else messing with them, etc. A MicroSD is not necessarily secure either, how do you know if one has been removed and replaced with a fake? On-board flash with write protected blocks is a lot safer, though at some point someone highly determined will break in (desolder things, etc).

  • by Anonymous Coward

    When was gartner right about anything ?

    • Many many years ago Gartner said it cost some ridiculous amount of $$$ to support a workplace desktop. A little over a decade ago they said it would cost $3K/yr to support a handheld. I've never paid attention to anything they've had to say since.

      • by tepples (727027)

        A little over a decade ago they said it would cost $3K/yr to support a handheld.

        How much did cellular voice and data cost back then?

  • by dltaylor (7510) on Saturday August 23, 2014 @05:20AM (#47735463)

    Most of the management types I've met have just enough functioning brain cells to kiss ass and repeat whatever mantra they learned in MBA school or during the most recent management retreat.

    Target was breached because HVAC maintenance had access to the same network as the POS terminals, which is inexcusable stupidity. Unfortunately, this is exactly what will happen with the IoT devices. Putting them on an entirely separate network (own APs for wireless, blinkenlights, ...) will cost something, and, since the CIOs don't spend hard time in a closed prison for exposing their systems, or the personal data of employees or customers, they simply will not authorize the expenditure.

    • by Anonymous Coward on Saturday August 23, 2014 @05:50AM (#47735525)

      Exactly. I have yet to see a compelling argument or application for this "Internet of Things." I mean, it's a really catchy buzzword. I know my toaster is bored most of the day, having only 5 minutes' work to do each morning, and I can see where it might enjoy surfing the web during downtime. Maybe I'm just not very creative, that I fail to imagine the wondrous potential embodied in uploading my toast-cooking routine and consumption to the cloud. WTF do people want this?

      Until someone can explain the actual benefit to me, I'm going to see "Internet of Things" as a way to turn every object in my house into an advertisement and a potential hole in my already fragile network security.

      • Re: (Score:3, Interesting)

        by Anonymous Coward

        Exactly. I have yet to see a compelling argument or application for this "Internet of Things." I mean, it's a really catchy buzzword. I know my toaster is bored most of the day, having only 5 minutes' work to do each morning, and I can see where it might enjoy surfing the web during downtime. Maybe I'm just not very creative, that I fail to imagine the wondrous potential embodied in uploading my toast-cooking routine and consumption to the cloud. WTF do people want this?

        Until someone can explain the actual benefit to me, I'm going to see "Internet of Things" as a way to turn every object in my house into an advertisement and a potential hole in my already fragile network security.

        You want an explanation?

        Outside of IT, name 10 people you know who that have ever used the words "potential hole" and "fragile network security" when discussing their home wifi concerns.

        As far as your quest for a compelling argument, the audience hardly compels me with their brilliance. Consumers are for the most part children regardless of age, proven by the billions generated on some of the silliest shit in existence. Children want toys, not rules, hence the IOT we have today.

        • This is wrong-think.

          People who support the, "users are stupid," mentality are asshats.

          Design shit that works the way it is supposed to. Expecting consumer paranoia is evidence of crappy system design.

          The first thing I test for when hiring is a flawed outlook like yours and when I do, the interview is over.

      • by alen (225700)

        but imagine if you can put bread in your toaster and start it up on your phone in the shower so it will be perfectly toasted when you get out of the shower

        • How did we ever exist without...

        • "but imagine if you can put bread in your toaster and start it up on your phone in the shower so it will be perfectly toasted when you get out of the shower"

          This is Slashdot. Who the hell only eats bread once a week?

      • by Darinbob (1142669)

        We already have an "internet of things", for many years now. Computers are things. Mobile phones are things. The difference is now smaller things are networked (not necessarily on the "internet" though), and things not typically networked. Ie, smart meters, remote monitoring devices and sensors, televisions. There are the things that are only extremely loosely considered to be networked, attachment via bluetooth.

        Many of those internet of things devices won't ever be addressable by the general public, a

    • Re: (Score:2, Informative)

      by Anonymous Coward

      The entire premise of the article as given by the headline "Securing Networks in the Internet of Things Era" is bogus. The hard shell soft core (aka boundary security) strategy isn't applicable to the internet of things, because the things are necessarily going to be on a "network" that an attacker can access: It's all wireless. If you can't get to them through the gateway, you can always talk to them directly over the air. You can't protect the things by protecting the network. (With more and more ways for

      • If you can't get to them through the gateway, you can always talk to them directly over the air.

        Somebody should invent WPA2!

        • by Darinbob (1142669)

          We already have better security than WPA2, which existed before WPA2 was invented.

          Wired networks are not necessarily more secure than wireless networks. The only thing wired networks provides is a minor physical hurdle. We have plenty of rs232 cables connecting vital infrastructure which is vastly less secure than many wireless devices.

          • Is there some reason for your rambling? The OP said that anything wireless can be accessed by anyone in range. I pointed out how stupid that was. I never said there is no better security than WPA2 or that wired is automagically more secure than wireless. These are all fantasies you seem to have had spontaneously.
      • ...(With more and more ways for hostile systems to access "internal" networks directly, network border security is increasingly becoming a useless strategy in general computing as well. Reflection attacks, where compromised internal hosts are used as stepping stones to get to the entire network, have been eating away at border gateway security for a long time anyway.)

        Not useless, just not enough. cf. Defense in-depth [wikipedia.org].

    • So maybe nobody mentioned this, but you do know that most homes, and even most companies, don't have CIOs, right?
      • And that's what's wrong with our world. The most important positions remain unfilled, I'm almost certain that I'm the only household around this area that has a CISO.

      • by dltaylor (7510)

        Actually, they do, but the person in that position doesn't even know what it means, much less how to deal with it.

        Picture an internet where home users must havea license to access the iy, or hire a "chaffeur" to manage their systems and there are penalties for failing to secure them. Many fewer bot farms, I suspect.

        • "Actually, they do, but the person in that position doesn't even know what it means, much less how to deal with it."

          Yes, and every computer owner is a software engineer; most of them simply don't know the first thing about software engineering*!

          * Substitute Slashdot member for computer owner to make the above statement true :-)

        • by epyT-R (613989)

          Yeah, but only because the net will then be so expensive and legally risky to use that people just won't use it very much.

  • The most secure computing device in general use is also the smallest: The (mini-, micro-, nano-) SIM card in your GSM phone does crypto that's good enough for payment processing. NFC cards are the same technology, just wireless. These cards run on microwatts. If the internet of things is insecure than it's due to laziness and cheapness, not because there's a technological problem. Minimal computing capabilities my ass.

  • by Rosco P. Coltrane (209368) on Saturday August 23, 2014 @06:46AM (#47735641)

    The Internet of Things is a buzzword. Buzzwords don't need securing. Problem solved.

    • by Ol Olsoc (1175323)

      The Internet of Things is a buzzword. Buzzwords don't need securing. Problem solved.

      Speaking of Buzzwords, just imagine a Sybian on the internet.

      • by fisted (2295862)
        Honestly, there are enough sybians on the internet already...
        • by Ol Olsoc (1175323)

          Honestly, there are enough sybians on the internet already...

          Yeah, but think about the business model.

          People could pay to give Felicity a good time, just use their credit card to keep them good vibes coming.

          Felicity too.

      • by tepples (727027)
        Before or after Elop?
    • by Livius (318358)

      It's not easy, since "Securing Networks In the Internet of Things Era" means exactly the same thing as "Securing Networks".

    • It's actually not a buzzword, any more than the term network was a buzzword in the 1970s. Cloud is a buzzword. Web 2.0 is a buzzword. Paradigm can be a buzzword when used incorrectly. The IoT is a term that describes something that is not only implementable, but currently being implemented. It describes something that actually exists. There is no cloud. There is no seperate Web called Web 2.0. There is an Internet, and it does have things attached to it.
      • by Anonymous Coward

        It is a buzzword. The "Internet of Things" is just "The Internet". There is zero difference between the two beyond superficialities.

        • No. It is not. You could argue with DARPA if you want, but the Internet was always intended to connect computers. While it is true that coke machines have been connected to the network by MIT as a novelty (for example), saying that the idea of connecting completely different systems to the internet for the purpose of doing something other than computing is just "the internet" is patently absurd.
          • connecting completely different systems to the internet for the purpose of doing something other than computing

            Define a "thing" and distinguish it from "computing" to help some of us understand. Is a printer a "thing"?

            • Most of us have graduated from elementary school, and understand that "Internet of a bunch of things that aren't related to computing" is excessivey and unecessarily verbose. Clearly, you are a unique individual. It turns out that isn't always a good thing, BTW.
      • by Opportunist (166417) on Saturday August 23, 2014 @09:21AM (#47736225)

        Sorry, but "Internet of Things", the term at least, has become a buzzword. As you correctly identified, it's bullshit bingo material considering that pretty much anything connected to the internet almost invariably has to be a thing (apologies to all the cyborgs out there). The "buzzwordism" (I really hope that doesn't become a buzzword now...) lies in the term meaning something along the line of "appliances connected to the internet that were not supposed to be connected when they were originally created". Routers, switches, hubs, bridges... they are by definition supposed to be connected to some sort of network. They have no use outside of one. Computers, gaming consoles and maybe even TVs kinda "belong" on a network, because even though they have a use without, it kinda makes sense to connect them.

        It's different for what the appliance industry termed "white goods". Washing machines, dryers, fridges, stoves... they came into existence long, long before anything remotely resembling a computer or internet, and people don't immediately consider them something they would possibly connect to a network. Those are the "things" the "internet of things" talks about.

        And this is basically also the reason why "internet of things" belongs to the buzzwords. Or, maybe rather, buzzterms. It's a made up term that qualifies a certain group of items that makes no sense whatsoever outside the world of marketing.

        • "bullshit bingo material considering that pretty much anything connected to the internet almost invariably has to be a thing"

          Well I've never played Bullshit Bingo, but the term refers to all that which is not for the purposes of computing. One could also argue that when someone is using the internet they are a person connected to the internet, and that when a location that did not have internet acces, that place now has internet acccess, and thus that place is now connect to the intenet. See also: I was go

          • There are exactly three possibilities:

            1) You skimmed my post and replied to it bit by bit and your client does not allow editing.
            2) You did not want to understand what I wrote.
            3) I was not clear enough.

            In case it was 3 (in case it's one of the other 2, there is little I can do to improve understanding): The "internet of things" is a buzzword, by the very definition thereof (though one might argue that it's a compound buzzword since it's actually comprised of three words). It is "a word or phrase used to imp

            • "The "internet of things" is a buzzword, by the very definition thereof (though one might argue that it's a compound buzzword since it's actually comprised of three words). It is "a word or phrase used to impress or that is fashionable"

              No. You don't seem to know what the internet is, or how it works. There is an actual IETF and actual RFCs which describe actual protocols and standards. There are no IETF ratified RFCs for "the cloud" or "web 2.0", but there is / will be for IoT.

              ""The internet of things",

  • Seperate VLAN. (Score:3, Interesting)

    by Karmashock (2415832) on Saturday August 23, 2014 @07:32AM (#47735759)

    You can buy a router for 200 bucks that can do port by port VLAN or create different Wifi SSIDs that link to different VLANs.

    Put all your internet of things stuff on VLAN 2, then setup firewall rules that allow the hub for the internet of things devices to either communicate directly with a control system on VLAN1 or just go out to the internet. If VLAN 2 is compromised... it will not compromise VLAN 1.

    • Re:Seperate VLAN. (Score:4, Interesting)

      by dotwhynot (938895) on Saturday August 23, 2014 @07:53AM (#47735843)

      You can buy a router for 200 bucks that can do port by port VLAN or create different Wifi SSIDs that link to different VLANs.

      Put all your internet of things stuff on VLAN 2, then setup firewall rules that allow the hub for the internet of things devices to either communicate directly with a control system on VLAN1 or just go out to the internet. If VLAN 2 is compromised... it will not compromise VLAN 1.

      What happens when your 200 bucks router is compromised?

      • Re: (Score:3, Interesting)

        by Karmashock (2415832)

        Same thing that happens when your router is compromised today. Its a zero sum game. At least the router has a chance of repelling an intrusion because it has some security features built into it. The IoTs stuff is naked.

        My worry with IoTs stuff is that an outside intruder will gain control over them through the internet. I'm less worried about a war driver tapping in from the street. The router idea should provide my computers protection from the shotty security of the IoTs.

        Ideally the IoTs stuff should not

      • Routers are (hopefully...) a bit more advanced in their security makeup, considering that they are routinely used by people who don't think TCP is the three letter acronym for the Chinese secret service, not to mention that there has been a bit of time now to find bugs in router hard- and software and iron them out.

  • ... we need to have an insecure buzzword, to "change our relationship" with the Internet? Why?
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      You need to for the following reason.

      A billion people who are clueless will buy IoT refrigerators, TVs, toasters, lamps, thermostats, washing machines, dishwashers, and so on.

      Companies will cater to this market, and moreover will stop making non-IoT enabled devices.

      "No problem", you think, "I just won't put them on the network". But to get around this and ensure you can be data-mined, the devices will be designed not to operate without connecting to their "home base" advertising company.

      So the answer is: y

      • Do you write dystopian stories in your pastime? If not, you should.

      • Companies [...] will stop making non-IoT enabled devices. [...] the devices will be designed not to operate without connecting to their "home base" advertising company.

        Then there's an opportunity for a competitor to say in an ad "Do you want your food to spoil just because your Internet went out? You don't have to worry about that with a QSI refrigerator."

      • ..but in 30 years. Meanwhile, the toaster manufacturer needs Granny to be able to but and use it without explicitly pluuging in a network or configuring anything.

        So IOT devices will have to have wifi sneak capabilities, always trying to establish a wifi connection. They can continually try to crack encrypted wifis.

        It will be an interesting household with a few dozen nodes continually spamming the aether trying for connection.

  • by sinij (911942) on Saturday August 23, 2014 @08:20AM (#47735949) Journal
    There is very little upside to having various infrastructure devices and appliances networked. Downside are too numerous to list here, and securing them is overly expensive.

    Solution? Air gap it!
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Then you won't be feeding the ad and data mining engines. Devices will be designed not to work if they can't send your data back to their home base.

      Think I'm kidding? [ideerapp.com]

      That's just the beginning. Wait and watch. You'll see. There's nothing you can do to prevent it, because people who don't think about things will ensure this model succeeds in the marketplace.

      • Just trust the free market.

        Or, put another way, rest assured the first thing I do when I find shit like that in my fridge is to create a server that tells my fridge everything is all right and plays a Tom and Jerry cartoon (sans PC-censoring) instead of an ad on the built in screen.

        I'll hand you the source when it's done. Just in case you prefer another cartoon

        • by rthille (8526)

          The trouble is, you might first have to conduct a side-channel attack on the crypto chip in your fridge to get its key so you can properly encrypt the messages to say "everything is all right".

    • Yup - an ethernet port is handy to configure something, but there is little need to hook every thingummababber to a network switch.
    • by Darinbob (1142669)

      The advantages can be enormous though. Consider smart meters. Utilities didn't even know when there was a power outage with old analog meters, until enough customers called in no trucks would roll. That's because if they respond to the first call it's almost always a blown fuse in a home. Similarly utilities did not know even the most basic facts about their infrastructure, like whether a neighborhood is being delivered the right voltage balanced across the phases, unless they sent an employee out to ch

  • by Anonymous Coward

    Most things like printers do not need to talk to the entire Internet. They just need to talk to the local network. So remove their default route. Without a route to the Internet, discover/communication/mischief becomes much more difficult. Its not perfect, but its an easy policy to remember. If it doesn't need to send packets out, then don't tell it how to get there..

    • Yup - only enable services that are actually needed. That reduces the attack surface. A printer doesn't need a default route, a DNS server address, a FTP/Telnet server and many other things that HP and others enable by default in their printers.
    • by tepples (727027)

      Most things like printers do not need to talk to the entire Internet.

      Even with things like Apple AirPrint and Google Cloud Print? Or printing postage?

  • by swschrad (312009) on Saturday August 23, 2014 @02:48PM (#47737821) Homepage Journal

    don't plug toasters, TVs, fridges, etc into the Internet. the geniuses behind them don't even finish the software they're loaded with at the factory.

"Text processing has made it possible to right-justify any idea, even one which cannot be justified on any other grounds." -- J. Finnegan, USC.

Working...