IoT Nutrition Facts
June 24, 2020 9:37 AM

IoT Security Is a Mess. Privacy 'Nutrition' Labels Could Help (Wired metered paywall): "At the IEEE Symposium on Security & Privacy last month, researchers from Carnegie Mellon University presented (computer.org) a prototype security and privacy label they created based on interviews and surveys of people who own IoT devices, as well as privacy and security experts. They also published a tool for generating their labels. The idea is to shed light on a device's security posture but also explain how it manages user data and what privacy controls it has. For example, the labels highlight whether a device can get security updates and how long a company has pledged to support it, as well as the types of sensors present, the data they collect, and whether the company shares that data with third parties." S&P 2020: Ask the Experts What Should Be on an IoT Privacy and Security Label (Youtube)
posted by not_the_water (29 comments total) 27 users marked this as a favorite
 
The statements of what data is collected are valid but the fact that objects that in the past were things that were expected to last for years to decades are now reliant on security updates that can cut out at any moment (regardless of what the theoretical label suggests) is a nightmare. Hell, even if it's not security issues, underlying infrastructure support for these devices can disappear in a heartbeat and there's nothing you can do about it.
posted by Ferreous at 11:22 AM on June 24, 2020 [4 favorites]


never forget, the S in IoT stands for Security!
posted by namewithoutwords at 11:59 AM on June 24, 2020 [26 favorites]


The only thing I want to see on my IoT devices, of which I have none presently, is:

"WILL WORK WITHOUT THE INTERNET"
posted by grumpybear69 at 12:07 PM on June 24, 2020 [22 favorites]


The goals are laudable. But one issue is that they 'spoke with dozens of experts' to design the label. The terms they chose will probably make sense if you have some tech background or interest but they will mean very little or nothing to many consumers. For instance, how many people with a non-tech background can define 'data,' 'sensor,' 'the cloud,' etc.?
posted by carter at 12:14 PM on June 24, 2020


I don't see the industry adopting something where they have to give an expiration date to devices. This is the reason I have very little in the way of IoT in my home - no sense buying a device I know is going to become a paperweight or unpatched security hole in my home network. It would be nice if manufacturers had to call this out in big, bold print on the device.

I'd also like to see whether a device is using an industry standard / supported OS or if it's some home-grown hacked-together Linux-based where the company just slammed a few non-mainline drivers into the device with iffy license compliance and a team that has no experience maintaining an entire OS.
posted by jzb at 12:22 PM on June 24, 2020 [2 favorites]


But one issue is that they 'spoke with dozens of experts' to design the label.

Agreed. I really like the labels and the idea which probably means it's not great for the general public. I have a bad case of Engineer's Disease a lot of the time.

"WILL WORK WITHOUT THE INTERNET"


This is why I switched to a Hubitat device for my home hub and devices that don't dial home to the internet. It was surprisingly hard to get what I wanted in devices that did not require a cloud setup of some kind. I had to switch to non-supported firmware or design my own devices in a few cases. If something like these labels existed it would be a lot easier to find the kind of devices I want to use.
posted by Clinging to the Wreckage at 12:30 PM on June 24, 2020 [5 favorites]


The terms they chose will probably make sense if you have some tech background or interest but they will mean very little or nothing to many consumers.

The bar to meet in this is “iso safety labels”. Somebody completely illiterate can look at a container and know that it’s flammable or poisonous. We should expect the same of IoT devices that behave hazardously - requires a connection to a server, in what country, has a privacy policy that meets X standards, stores or sends user data, best before software update policies, etc.
posted by mhoye at 12:43 PM on June 24, 2020


The "memetic hazard" warning sign is the first one that springs to mind.
posted by BungaDunga at 12:56 PM on June 24, 2020 [1 favorite]


The problem with labels based on a privacy policy is that every privacy policy is subject to change. Until that's somehow fixed, you can't reify privacy policies into labels. Software can be changed, invisibly, from a distance, at will. If you can fix that, then... sure, maybe labels are a good idea?

Label 1) microphones, 2) cameras, 3) wireless capabilities. Those are all hardware, so labels can be informative.
posted by BungaDunga at 1:00 PM on June 24, 2020 [1 favorite]


How can IoT security be a mess when those two terms are never seen in the same hemisphere together?
posted by Thorzdad at 1:03 PM on June 24, 2020


Not going to happen without strong legislation that when violated generates massive fines and corporate executives hard jail time.
posted by sammyo at 1:34 PM on June 24, 2020 [3 favorites]


Software support, especially when it's not even stored on the device (in the cloud), is so malleable that these labels can mean very little.

Just to pick one item - Security updates, available up until a specific time, doesn't really guarantee anything. Does it mean that within a set amount of time, when a vendor knows about a vulnerability in their software, they'll push out a fix to all your devices? What if the vulnerable software is on the operating system on the cloud system that your device depends on? Or even the cloud itself, like a vulnerability in AWS or Azure that manages and controls all the cloud systems.

In business-to-business software, where the products cost millions of dollars for an explicit time of software support, there's a service-level agreement (SLA) which explicitly lays this out. Even so, I'm pretty sure companies miss these targets all the time.

There's also lots of instances of companies not locking down their own systems or databases and exposing user data or passwords. This isn't software that's on your IoT device.

Many of these companies just get acquired or simply go out of business so any previous legal agreements become invalid.
posted by meowzilla at 1:52 PM on June 24, 2020 [2 favorites]


Recycling instructions/info should be as high a priority. Or at least something that plants the idea in consumers' minds that most devices shouldn't just be thrown out with the rubbish.

I know the post is about privacy and security, but if the general idea is that of a 'nutrition' label and if IoT means a lot of stuff that previously lasted decades now has a limited useful lifespan, then disposal info should be part of that.
posted by theory at 1:52 PM on June 24, 2020 [3 favorites]


the internet of shit has taught me that the only IoT to trust is no IoT.
posted by zsh2v1 at 1:53 PM on June 24, 2020 [3 favorites]


Providing more consumer information is one thing, but you sort of have to wonder how many of these devices actually provide a useful benefit from being connected to the internet which would justify the security risks, besides gimmick value. There's a bench that appeared in the middle of the city not far from me a few years ago proclaiming a bunch of hi-tech environmental advantages - it had a vertical mesh thing for growing some kind of greenery and the whole thing inexplicably had to connect to the internet. Not sure if the bench is still there but, last time I saw it, the plants were not looking at all healthy. As far as I could tell, the whole contraption didn't serve any purpose that couldn't have been better met by an ordinary bench and a tree.

zsh2v1 beat me to linking internet of shit :)
posted by AllShoesNoSocks at 1:59 PM on June 24, 2020


Imagine what the label would look like on your phone:

Security updates - maybe
Sensor collection - Visual, audio, movement, health, location, calls, contacts, calendar, email, messages, behavior, etc.
Purpose - Providing and improving device functions (and making people money)
Data stored on the device - Identifiable
Data stored on the cloud - Identifiable
Data shared with - Our partners (anyone with money), law enforcement of any country that we have to obey
Data sold to - Anyone

Privacy policy - a broken link
posted by meowzilla at 2:07 PM on June 24, 2020 [5 favorites]


Especially important with the recent Ripple20 revelations. (Sorry if it's already been mentioned somewhere.)
posted by blue shadows at 2:25 PM on June 24, 2020 [1 favorite]


Obligatory xkcd: Smart Home Security

Alt-text caption reads: "If they're getting valuable enough stuff from you, at least the organized crime folks have an incentive to issue regular updates to keep the appliance working after the manufacturer discontinues support."
posted by mhum at 3:00 PM on June 24, 2020


Sadly there are an awful lot of devices that, if you can't roll your own, are probably a risk to bring into your home.

I'm no Luddite - I love computers and weird little breadboard projects and tidy programming languages and well-designed gadgets.

But I loathe planned obsolescence and poorly-thought-out firmware and black box proprietary design and cameras/microphones/pulsographs on everything and unnecessary network connections and the corporations that build them.

At least Google lets you address your little pocket snitch however you want. Can you even customize Siri or Alexa's wake words? "Hal" is sadly not quite uncommon enough phonologically to work as well as one might hope.
posted by aspersioncast at 7:44 PM on June 24, 2020 [1 favorite]


Can you even customize Siri or Alexa's wake words?

Alexa allows, "Alexa","Echo","Amazon", or "Computer"
posted by Just this guy, y'know at 1:33 AM on June 25, 2020 [1 favorite]


I wonder how much of this problem is the result of end-to-end network connectivity being perpetually broken because of IPv4 and NAT, along with an unwillingness of the big ISPs to accept users as proper Internet peers (with unique hostnames/domain names).

Take for instance an internet-enabled garage door opener. It has an app which lets you check its status from anywhere. All that app needs to do is connect to the garage door opener and send a quick query, but because the app has no way of knowing where the garage door opener is (your house doesn't have an easily remembered hostname) and even if it did, there's no way for the average user to be expected to know how to set up port forwarding on their router so yourhouse.domain:8927 gets redirected to garage-opener.local:80

When I first got cable internet in the late 1990s, my dynamically-allocated ip address came with a customized reverse-dns entry on my ISP's domain which solved the "where" part of the problem. While it was pretty sweet having a fixed, easily remembered 'address' that always pointed to my computer (which made it easy to run my own web server) this practice was very quickly replaced either with randomized strings or strings reflecting the network interface card's not easily remembered ethernet address to enforce the idea that consumers only connected to the internet in order to consume content, not provide it.

For a while it seemed like the industry tried to solve the "how" part by creating a framework for devices to automatically configure firewalls (UPnP) but that ended up being a huge security nightmare in and of itself.

So now IoT devices are left with only one solution: punch their way out to the Internet and phone home to a remote cloud server which acts as a relay between the app and the garage door opener. And running a cloud service costs money, so the manufacturer might as well recoup some of the recurring operating expenses by selling user data about when the garage door is opened, when it's queried, etc.

Now that IPv6 is a thing that's actually being used, my dream would be a world where end-to-end connectivity and reverse dns exist everywhere and IoT devices use some sort of physical, out-of-band pairing system to establish strong VPN links (WireGuard!) with whatever other devices or apps they might have to communicate with. It wouldn't eliminate the problem of keeping devices security up-to-date, but it would reduce the attack surface and cut the "cloud" out of trivial tasks like home automation and security cameras.
posted by RonButNotStupid at 4:46 AM on June 25, 2020 [3 favorites]


enforce the idea that consumers only connected to the internet in order to consume content, not provide it.

And yes, making reverse dns unusable was also done because it's a security nightmare for everyone to be running their own potentially unpatched, unsecured, and unmaintained servers, but since we kind of ended up in that situation anyway because of all the unpatched, unsecured, and unmaintained IoT devices floating around, I think it's kind of a red herring.
posted by RonButNotStupid at 5:05 AM on June 25, 2020


I have two 10-year-old Samsung 40" TVs with zero dead pixels. They work perfectly but every now and then I check prices for a bigger one for the living room. Last review I saw for a new 60" TV of the same brand said "great TV but the software sucks and keeps crashing". I'm like ... um ... I just want you to accept a digital stream of content from a Roku and show it to me. What's all this software? Are you phoning home? In general it seems like a lot of IoT devices promise, but don't deliver, convenience. I'm not sure how often I need to open/close the garage door from miles away, turn on lights in a room I'm not already in (which has switches), turn on the oven while I'm not there (preheat is nice but ...), etc. I just want devices to do the thing they were designed for: cook food, provide illumination, whatever. The fantasy of the smart home a la 50s-60s sci-fi is great, but I don't want it if it comes with security risks, data breaches, and advertising. The jump between scrubbing clothes on a rock and tossing them in a washer is significant, but between the washer and a washer that orders detergent or something is not.
posted by freecellwizard at 6:00 AM on June 25, 2020 [2 favorites]


In general it seems like a lot of IoT devices promise, but don't deliver, convenience.

That's been my take - for me the convenience of a little pocket computer phone outweighs the (massive, alarming) privacy and security implications just enough to make it worthwhile; I have so far seen exactly 0 IoT devices that are worth the tradeoff for me.

I get that there are people for whom these tradeoffs are real, but I am also painfully aware of how many people have no idea they're making a tradeoff, until their doorbell camera footage gets someone killed by the cops, or the baby monitor spies on their sleeping kid.
posted by aspersioncast at 7:06 AM on June 25, 2020 [1 favorite]


What's all this software? Are you phoning home?

Way I deal with that is by doing my level best to ignore the "smart" in the TV, and just driving it with a Raspberry Pi class computer via HDMI (currently an Odroid N2 running CoreELEC, which works very well). No way is a TV at my house ever getting Ethernet or Wifi connected to it directly. Nuh uh. Not happening.

It's been an IT industry truism for all of the decades I've been involved in it that anything Marketing chooses to describe as "smart" is always going to be (a) superfluous (b) misconceived (c) irritating (d) buggy (e) deeply, deeply stupid.
posted by flabdablet at 8:10 AM on June 25, 2020 [3 favorites]


Dammit, I was just looking for something like the Odroid but apparently they're out of stock. My old Beaglebone Black is getting a little long in the tooth at this point, although it was great for running a NAS before all this WFH prompted me to actually start running a real home server again.
posted by aspersioncast at 4:05 PM on June 25, 2020


I'm in the process of building up a mini monster NAS out of an N2, a 7 port USB3 hub, and five 12TB WD Elements USB3 external drives that Amazon sold me for an average of AU$0.33/GB delivered.

Running simultaneous long sequential writes onto all five drives yields an aggregate throughput a whisker over 400MB/s, so I'm expecting the ensuing software RAID5 array to be well matched to the performance of the Odroid's gigabit Ethernet port. Nice to be able to use these cheap drives this way without needing to shuck them first.

My Beaglebone Black is still doing sterling service as my house's Internet gateway. Great little machine. Hasn't missed a beat for years.
posted by flabdablet at 11:17 PM on June 25, 2020


Sorry, that figure should have been AU$33/TB = AU3.3c/GB.
posted by flabdablet at 2:32 AM on June 26, 2020


If deciding to use "smart" devices for good reasons, GET a SECOND wifi router. Set up an isolated sub-network (LAN) just for the devices and highly limit the connections in and out of that subnet.

As easy as it is to scathingly mock the smart door locks or mood lights there are good use cases. Have not set it up due to ancient furnace tech but it would be really nice to turn the furnace on 30 minutes before arrival some chilly nights. Networks can be tightened down to minimize possible attacks. It's tricky, a single quality router could probably do all the isolation needed, OpenWRT is an open source project that would be useful to review.
posted by sammyo at 9:07 AM on June 26, 2020
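
One way to express the isolation described in the comment above on a single OpenWrt router, as an added example that is not part of the thread: a fragment for `/etc/config/firewall`. It assumes an interface named `iot` already exists in `/etc/config/network` on its own subnet, alongside the default `lan` and `wan` zones; the zone and rule names are illustrative.

```conf
# /etc/config/firewall (fragment) - added example, names are assumptions

# Zone for the IoT subnet. Devices may not reach the router itself
# (input REJECT) and may not be forwarded anywhere by default.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Trusted LAN may open connections to IoT devices (phone app -> lamp).
# Replies are allowed by connection tracking. There is deliberately
# NO forwarding section with src 'iot' and dest 'lan'.
config forwarding
	option src 'lan'
	option dest 'iot'

# IoT devices may reach the Internet. Drop this section for devices
# that should work without the Internet, or replace it with narrower
# per-port rules.
config forwarding
	option src 'iot'
	option dest 'wan'

# The only services the router offers to the IoT subnet: DHCP and DNS.
config rule
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-IoT-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

After editing, `/etc/init.d/firewall restart` applies the change; a quick check is that a device on the IoT subnet can no longer reach the router's admin page or any host on the main LAN.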

