Princeton Project Aims To Secure The Internet Of Broken, Shitty Things

from the Barbie-needs-a-better-firewall dept

Year after year, we’re installing millions upon millions of “internet of things” devices on home and business networks that have only a fleeting regard for security or privacy. The breadth and depth of manufacturer incompetence on display can’t be overstated. Thermostats that prevent you from actually heating your home. Smart door locks that make you less secure. Refrigerators that leak Gmail credentials. Children’s toys that listen to your kids’ prattle, then (poorly) secure said prattle in the cloud. Cars that could, potentially, result in your death.

The list goes on and on, and it grows exponentially by the week, especially as such devices are quickly compromised and integrated into massive new botnets. And as several security experts have noted, nobody in this chain of dysfunction has the slightest interest in doing much about this massive rise in “invisible pollution”:

“The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”

One core part of the problem is that IOT device makers refuse to provide much control or transparency over what their internet-connected devices actually do once online. Often the tools and device interfaces provided to the end user are comically simple, providing you with virtually no data on how much bandwidth your devices are consuming, or what data they’re transferring back to the cloud (frequently unencrypted). As a result, many normal people are participating in historically massive DDOS attacks or having their every behavior monitored without having the slightest idea it’s actually occurring.

To that end, Princeton’s computer science department has launched a research program called the IOT Inspector, which they hope will provide users with a little more insight into what IOT devices are actually up to. The researchers behind the project say they spent some time analyzing fifty different common IOT devices and, like previous studies, found that security and privacy in these devices was a total shitshow. Sending private user data unencrypted back to the cloud was common:

“Unfortunately, many of the devices we have examined lack even these basic security or privacy features. For example, the Withings Smart Blood Pressure Monitor included the brand of the device and the string “blood pressure” in unencrypted HTTP GET request headers. This allows a network eavesdropper to (1) learn that someone in a household owns a blood pressure monitor and (2) determine how frequently the monitor is used based on the frequency of requests. It would be simple to hide this information with SSL.”

As were devices that immediately began chatting with all manner of partner services whether the user wants them to or not:

Samsung Smart TV: During the first minute after power-on, the TV talks to Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook—even though we did not sign in or create accounts with any of them.

Again, user control and transparency are almost always an afterthought. Obviously, the creation of some unified standards is one solution, as is creating routers and hardware that alert users when their devices have been compromised. Smarter networks and hardware are going to need to be a cornerstone of any proposed solution, the researchers note:

We are experimenting with machine learning-based DDoS detection using features using IoT-specific network behaviors (e.g., limited number of endpoints and regular time intervals between packets). Preliminary results indicate that home gateway routers or other network middleboxes could automatically detect local IoT device sources of DDoS attacks with high accuracy using low-cost machine learning algorithms.
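The research quote above names two traits that make IoT traffic easy to baseline at the gateway: a small, stable set of endpoints and regular timing between packets. The following Python is an added example, not code from the article or from the Princeton IoT Inspector project. It builds a per-device profile from a quiet window and then flags a device whose later traffic breaks that profile (new endpoints, a large rate increase, or much more irregular timing). It uses fixed thresholds, which are assumptions chosen for the example, rather than the trained classifier the researchers describe, and the flow records are constructed sample data.

```python
"""Per-device baseline check for a home gateway, built on the two IoT traits the
research quote names: a small, stable set of endpoints and regular timing between
packets. Added example, not code from the Techdirt article or the Princeton IoT
Inspector project; it scores deviations with fixed thresholds (assumed values)
rather than the trained model the researchers describe. Flow records are constructed."""
from __future__ import annotations

import random
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since capture start
    src: str    # local device address
    dst: str    # remote endpoint, "host:port"
    size: int   # bytes on the wire


@dataclass
class Profile:
    endpoints: set[str]   # distinct remote endpoints seen
    interval_cv: float    # stdev/mean of inter-packet gaps; 0.0 means perfectly regular
    pps: float            # packets per second over the window


def build_profiles(packets: list[Packet], window_seconds: float) -> dict[str, Profile]:
    """Summarise each local device's traffic over one observation window."""
    by_dev: dict[str, list[Packet]] = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        by_dev[p.src].append(p)
    profiles = {}
    for dev, pkts in by_dev.items():
        gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else 0.0
        profiles[dev] = Profile({p.dst for p in pkts}, cv, len(pkts) / window_seconds)
    return profiles


def score(baseline, current, rate_factor=10.0, cv_delta=0.5, new_endpoint_frac=0.5):
    """Compare a current window against the learned baseline; return reasons per flagged device.
    Thresholds are assumptions for the example; a deployment would tune them per device class."""
    findings: dict[str, list[str]] = {}
    for dev, cur in current.items():
        base = baseline.get(dev)
        reasons = []
        if base is None:
            reasons.append("device not seen during baseline")
        else:
            new = cur.endpoints - base.endpoints
            if new and len(new) / len(cur.endpoints) >= new_endpoint_frac:
                reasons.append(f"new endpoints: {sorted(new)}")
            if cur.pps > rate_factor * max(base.pps, 1e-6):
                reasons.append(f"rate spike: {cur.pps:.2f} pps vs baseline {base.pps:.3f}")
            if cur.interval_cv > base.interval_cv + cv_delta:
                reasons.append(f"irregular timing: cv {cur.interval_cv:.2f} vs baseline {base.interval_cv:.2f}")
        if reasons:
            findings[dev] = reasons
    return findings


def constructed_capture() -> tuple[list[Packet], list[Packet]]:
    """Constructed sample: a 600 s quiet baseline window, then a 600 s window in which
    the thermostat (10.0.0.21) keeps its normal check-ins but also floods an unrelated host."""
    baseline = [Packet(i * 30.0, "10.0.0.21", "cloud.example:443", 310) for i in range(20)]
    baseline += [Packet(i * 60.0, "10.0.0.22", "video.example:443", 1200) for i in range(10)]
    current = [Packet(600 + i * 30.0, "10.0.0.21", "cloud.example:443", 310) for i in range(20)]
    current += [Packet(600 + i * 60.0, "10.0.0.22", "video.example:443", 1200) for i in range(10)]
    rng, t = random.Random(7), 600.0
    for _ in range(500):                       # jittered burst of small packets to one new endpoint
        t += rng.uniform(0.001, 0.04)
        current.append(Packet(t, "10.0.0.21", "203.0.113.9:80", 60))
    return baseline, current


if __name__ == "__main__":
    base_pkts, cur_pkts = constructed_capture()
    for dev, reasons in score(build_profiles(base_pkts, 600), build_profiles(cur_pkts, 600)).items():
        print(dev, "->", "; ".join(reasons))
```

Run stand-alone it reports the thermostat on all three counts and stays silent about the camera, whose traffic shape is unchanged. The point of profiling per device rather than per network is the one the quote makes: a single IoT device has so little legitimate variety that even cheap rules (or a small model trained on these same features) separate normal check-ins from a flood.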

Of course better standards are going to need to be built on the backs of a joint collaboration between governments, companies, consumers and researchers. And while we’ve seen mixed results on that front so far, efforts like this (and the Consumer Reports’ open source attempt to make privacy and security an integral part of product reviews) are definitely a step in the right direction.



Comments on “Princeton Project Aims To Secure The Internet Of Broken, Shitty Things”

11 Comments
Ninja says:

The only way you’ll get standards adopted or security taken seriously will be when it hurts in the pockets. We can make it hurt now via regulations or we can wait until it hurts later because it will get out of control pretty badly. That’s the choice we need to do now. I have this feeling it will not involve preemption.

Anonymous says:

Re:

There’s also the concept of “graveyard legislation”. If enough bodies pile up, laws can be made, but no guarantee those laws will really do anything to stop the problem.

If so many cars can be broken into (notably Audis and Volkswagens added to that list recently), why is this not being looked at more seriously?

I don’t own or know most of the non-advertised functions of a modern car, so I have no idea how reliably the firmware or software on cars patch themselves when problems like this happen.

Anonymous says:

Re: Re:

If so many cars can be broken into (notably Audis and Volkswagens added to that list recently), why is this not being looked at more seriously?

I have hope for this market, unlike the general IOT market. Cars and their contents are usually insured, and the insurers will eventually catch on and demand better security (and demand higher rates for insecure vehicles). Home insurers may similarly push for improvements in "smart" door locks etc.

With baby monitors, blood pressure monitors, …, the owners of those devices will never have any reason to file an insurance claim because of manufacturer negligence. "Regular" people have no insurance against DDOS etc., and the companies who have this insurance are unlikely to have baby monitors. So there’s no incentive.

Anonymous says:

“Unfortunately, many of the devices we have examined lack even these basic security or privacy features. For example, the Withings Smart Blood Pressure Monitor included the brand of the device and the string “blood pressure” in unencrypted HTTP GET request headers. This allows a network eavesdropper to (1) learn that someone in a household owns a blood pressure monitor and (2) determine how frequently the monitor is used based on the frequency of requests. It would be simple to hide this information with SSL.”

Unfortunately just sending this over an SSL won’t fix that problem either. It’s just security theater in this case. The reason being none of these devices are going to be using encrypted DNS either, or if someone’s really on the ball, simply tracking IP addresses for the requests. Privacy is a tough nut to crack and requires layers rather than one silver bullet fixes everything (usually encryption is the one trotted out by the unwashed).

“We are experimenting with machine learning-based DDoS detection using features using IoT-specific network behaviors (e.g., limited number of endpoints and regular time intervals between packets). Preliminary results indicate that home gateway routers or other network middleboxes could automatically detect local IoT device sources of DDoS attacks with high accuracy using low-cost machine learning algorithms.”

More hand-wavingly vague goals with a few buzzwords to dazzle the press in their press release. The only way to fix this problem entirely is to make the people that have these devices responsible for any damage they create with reasonable responses and (mandatory) education once a problem has been identified. You also hold manufacturers legally responsible for any negligence on their part for privacy leaks and negligent software upkeep (proper firmware updates).

This is no different than licensing any other use case where use of a community resource carries dangers to the general public: automobiles, radio frequency use, public park use permits, large structure construction permits, parking permits, etc. If you want to use the Internet then you need to prove you can do it and not be a danger to everyone else on it.
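The commenter's point that TLS alone is not a privacy fix can be checked at the gateway by looking at what a passive observer still reads from a device's own traffic once the request body and headers are encrypted: the DNS query name and the TLS Server Name Indication (SNI) both carry the destination host in the clear, and the request frequency (the article's point 2) is visible regardless. The following Python is an added example, not code from the article, the commenter, or the IoT Inspector project. It builds a constructed DNS query and a constructed TLS ClientHello, parses the host name back out of each, and contrasts that with a plaintext HTTP request. The hostname `bpm.example` and the `X-Device` header are hypothetical stand-ins for a real device's server and identifying header.

```python
"""Gateway-side audit of what stays visible to an on-path observer after a device
moves from plaintext HTTP to TLS: the DNS query name and the TLS Server Name
Indication (SNI) still expose the destination host. Added example, not code from
the article, the commenter, or the IoT Inspector project. All byte strings are
constructed here; "bpm.example" and the X-Device header are hypothetical stand-ins
for a real device's hostname and identifying header."""
from __future__ import annotations

import struct


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed standard query for an A record (RFC 1035 header + one question)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def dns_query_name(payload: bytes) -> str:
    """Read the first question name; a plain query carries no compression pointers."""
    labels, i = [], 12
    while payload[i]:
        n = payload[i]
        labels.append(payload[i + 1:i + 1 + n].decode())
        i += 1 + n
    return ".".join(labels)


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS-framed ClientHello carrying only a server_name extension (constructed)."""
    host = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    extension = struct.pack("!HH", 0, len(sni_list)) + sni_list      # extension type 0 = server_name
    extensions = struct.pack("!H", len(extension)) + extension
    body = (b"\x03\x03" + bytes(32)                                   # version + zeroed random
            + b"\x00"                                                 # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                      # one cipher suite
            + b"\x01\x00"                                             # null compression only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(record: bytes) -> str | None:
    """Walk a ClientHello record and return the SNI host name, or None if absent."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    i = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
    i += 1 + record[i]                                  # session id
    i += 2 + int.from_bytes(record[i:i + 2], "big")     # cipher suites
    i += 1 + record[i]                                  # compression methods
    end = i + 2 + int.from_bytes(record[i:i + 2], "big")
    i += 2
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", record[i:i + 4])
        i += 4
        if etype == 0:                                  # server_name: list len(2), type(1), len(2), name
            name_type = record[i + 2]
            name_len = int.from_bytes(record[i + 3:i + 5], "big")
            if name_type == 0:
                return record[i + 5:i + 5 + name_len].decode()
        i += elen
    return None


def http_request_view(payload: bytes) -> dict:
    """Everything in a plaintext request head is readable on the wire."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    return {"request": request_line,
            "headers": dict(line.split(": ", 1) for line in header_lines)}


def what_leaks(proto: str, payload: bytes) -> dict:
    """What a passive observer on the LAN or upstream link learns from one packet."""
    if proto == "http":
        return http_request_view(payload)
    if proto == "dns":
        return {"qname": dns_query_name(payload)}
    if proto == "tls":
        sni = tls_sni(payload)
        return {"sni": sni} if sni else {}
    return {}


# Constructed packets: the same hypothetical device before and after switching to TLS.
SAMPLE_HTTP = (b"GET /upload HTTP/1.1\r\nHost: bpm.example\r\n"
               b"X-Device: example-brand blood pressure monitor\r\n\r\n")
SAMPLE_DNS = build_dns_query("bpm.example")
SAMPLE_TLS = build_client_hello("bpm.example")

if __name__ == "__main__":
    for proto, pkt in [("http", SAMPLE_HTTP), ("dns", SAMPLE_DNS), ("tls", SAMPLE_TLS)]:
        print(proto, what_leaks(proto, pkt))
```

With TLS the identifying header disappears from the observer's view, but both the DNS lookup and the ClientHello still name the server, so anyone who knows which vendor the hostname belongs to learns the same fact the header gave away; only encrypted DNS, which the commenter notes these devices do not use, removes the first of those, and neither change hides how often the device phones home.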

Richard Stallman says:

The article seems to define “security” as ensuring that the device does no harm to Brian Krebs. I think we need a stronger definition: ensuring that the device does no harm to the person using it. For instance, it must not be able to collect the user’s personal data on behalf of anyone else, such as the manufacturer.

To achieve this, the device must contain exclusively free (libre) software that the users can replace (see https://gnu.org/philosophy/free-software-even-more-important.html), or else it must not be able to communicate over the internet except to the user’s own computer.
