So sad. I find the mechanics here really challenging to overcome. The hotel management no doubt wants "really cool tech" for their hotel to show they are up to date etc. And they send out an RFQ which someone bids on, really cheaply. Knowing that by only doing the things the hotel asks for, they can throw something together quickly and cheaply for a big payday.
This is exactly the mechanism that gets people in trouble going to China for manufacturing. They say "I want you to build widgets" and they get a good price quote, and say "Wow, this is awesome!" because they have in their mind that "making things in China is cheap" but in reality it's that if you cut a lot of corners you can make things really cheap, and since the contract doesn't say you can't cut corners, it is all "perfectly" legal. But the manufacturer knows what the buyer doesn't, and exploits that information asymmetry to make money at the buyer's expense without the buyer having any true recourse.
The hotel in question could have said in the RFQ, "System will be impervious to network traffic snooping and at no time will systems or a guest supplied computer be able to access the controls in another room."
Had they said that, the price quotes would have gone up and had the system the author speaks of been delivered, the Hotel could recover the costs of installing it from the vendor. But the hotel didn't even know they needed to ask for that since they no doubt would assume, "nobody would make something that shoddy would they?"
I learned about this when I saw one of the rules in a NetApp hardware contract that said "Manufacturer will install all components shown on the schematic on the final units in their designated locations." That seemed really odd. I learned that before that clause had been part of the standard contract, there had been a manufacturer who decided unilaterally that half of the noise suppression capacitors in the schematic were "unneeded." Units from that manufacturer started failing in odd ways in the lab.
> This is exactly the mechanism that gets people in trouble going to China for manufacturing.
I keep hearing about the "cheap Chinese tech", even though nowadays a lot of high-quality gadgets are really Chinese. Even Apple's products are mostly from China. And it's not even for the cheap prices, it's because the entire production chain is there[1]
The mistake is not going to China, it's going to China just in order to save money - or anywhere, for that matter. I get that your point is not actually about China, but saving money on the wrong things.
I'd just appreciate if we could stop using "Chinese" as a synonym for "cheap".
This is a great point, and there's a close parallel with the way that people make similar comments about Indian developers and completely ignore the many highly-qualified developers who just won't work at lowest-payer wages.
I was thinking the point would be that one reason for the low price is that the manufacturer wants your design so they can use it to build a competing product at their other factory down the road--a joint venture with the local Party boss. You'll never know, but even if you figure it out, what do you imagine you can do about it? Maybe get a court to block the product in the US (causing them a week's delay while they change labels and distributors), but if you're looking for cheap Chinese manufacturing, you won't usually have the resources for any worldwide legal battle against these guys.
And if the design you are paying them to take from you is for some IoT product, the local Party boss can even make bonus points with his superiors by offering them a chance to backdoor it.
I'll bet the cheap tablets in that hotel for tech conference attendees, the tablets with the ethernet and WiFi listening circuitry, could collect a lot of great technology for their makers, and I'll bet they were made in China.
I read the OP as making exactly your point. They were saying that the people they describe make the error you discuss, and get bad results on account of it.
The practice of unethical corner cutting seems somewhat rampant in China, though. And isn't there a reason why cheap tools that easily break are said to be made of "chineesium"?
The full history of commerce. :p I'd suggest looking at the history of food and drug regulation and testing, or weights and measures regulation if you want more. The early years of both UK and US food and pharmaceutical regulation is terrifying!
TL;DR Immature locations cut more corners. More regulation, experience and reputation helps. Consumers are naive. Manufacturers want you to buy the same things many times over your life.
In all markets, there's always going to be someone willing to cut corners to secure a place in a market, or make a fast buck in a mature market. Or maybe it's a new market that can't yet have matured. That's only part of the problem.
As markets mature regulation increases and companies tend to trade more on reputation (not always deserved of course. eg Beats headphones). Now there's an opportunity to trade on the good reputation of wherever (Proudly Made in America! / Britain! / Japan!), whilst selling you cheap crap. That's the other half of the problem. The meaningless label to tell the consumer it's made wherever they currently believe is good.
In the early 80s most things Japanese were crap. Hifi sounded awful, but had lots of LEDs. Bolts, tools and vehicles were made of soft cheese. Their stainless steel rusted (I kid you not)! Honda made cam chains of special stretchy metal and probably accidentally invented cheese strings. Now Denon make very nice hifi, Teng make very nice tools and their cars are pretty reliable.
Why pay £50 for a Snap On or Britool[1] spanner when there's an almost identically packaged one, made in the same place, for £3 or £40? Only one will last longer than you in daily use. One risks breaking on first use.
So, it would be more accurate to say "isn't there a reason cheap tools break", "cheap materials break", "consumers naively expect $100 quality for $3.99" or "dishonest people are dishonest" than blame a specific locality.
The ONLY thing that has changed is all manufacturers adding built in obsolescence whenever possible. Now even the premium item is made to last "just long enough" (to get away with), but that doesn't make any one location especially good or bad at making stuff.
The only thing geography introduces is the further away it's made, the harder it is to audit your supply chain. Racism and nationalism have no relevance however.
[1] They're no longer British, or often made in Sheffield, they're just another meaningless brand of Stanley trading on 100 years of reputation. You're actually better served buying Teng these days.
I think you misread cheap. The "mistake" is assuming the low cost bids will deliver the same high quality you see in other Chinese exports, so not doing proper research / QA.
Exactly — and so you can make the point better simply by saying “cutting corners” directly rather than confusing the issue by using a nationality to imply it.
Fair enough, however with this audience I would expect they recognize that the manufacturing contracts of China, which by their number rather than their nationality, are expressly tailored this way. It is by virtue of the Chinese success at capturing the manufacturing contracts from all other nations in the world that has helped them develop expertise and skill.
This has been an interesting conversation. I found it particularly interesting that my communication came across as disrespectful to the Chinese.
Few people that I've met have any real world experience with contract manufacturing. Of the ones I do, they have mostly dealt with Chinese manufacturers, although I do know one person who worked with a Japanese contract manufacturer and one with a Vietnamese factory. Everyone who has ever asked me about this I point to Bunnie's "Made in China" blog entries [1]. Which convey the challenges and rewards of taking manufacturing to China much more clearly than I ever could.
That said, people who have had experiences with contract manufacturing in China have all had a very similar experience, that experience was that the contract manufacturers have an exquisite expertise in squeezing costs out of manufacturing through creative techniques, not specifically disallowed by the contract. Bunnie writes about this at length in his blog.
The thing here is the law of large numbers. There are so many contract manufacturers, and their business is so competitive, the ones who develop this expertise survive and the ones who don't, they don't survive because nobody accepts their bids. It is important to understand that they are this way because they are good at what they do, not for any negative reason.
It is this exact asymmetry of information which I expect befell the hotel in its attempt to have "cool programmed light switches and TVs." This mechanism, which many people who have used contract manufacturers have experienced, is that inadequate specifications on the final product can give the manufacturer room to economize on their costs, which increases their profit, and also increases the chance that the bidder will be around for the next bid.
And it is the large number of Chinese contract manufacturers, the ease with which they can be located and contacted via Alibaba or other web sites, that means so many people have had a chance to experience this effect first hand with them. Using Chinese manufacturers as an example of the challenge in my post was my way to communicate what I was talking about in a way that folks who might look this up could find additional resources discussing this challenge (and they would probably find Bunnie's blog too).
The leap here, was to take what I wrote and assume that I said, or believed that because something was made in China, it was cheap.
That was not what I said, and certainly not what I meant. But a mix of people have read it both ways. So it certainly could have been written more clearly.
I really do recommend Bunnie's blog. Everyone should understand the challenges of working with contract manufacturers, regardless of their nationality. Not tightly specifying a contract (and worse not knowing how to tightly specify a contract) will create situations like the one with the Android controlled light switches.
> I learned that before that clause had been part of the standard contract, there had been a manufacturer who decided unilaterally that half of the noise suppression capacitors in the schematic were "unneeded."
I don't understand how putting that in the contract is supposed to help if the manufacturer being used is pulling stupid "you didn't say the product actually had to work" semantics games that would get them smacked in any reasonable court anyway.
Welcome to the world of law. Often I've seen it said that thinking like a software developer, looking for edge cases and such, will get you smacked down by a judge who doesn't let you just use loopholes. There is an XKCD about insurance law on this topic. But the reality is that a lot of loopholes do work, and have a better chance of working if you have a really good lawyer. Part of the equation is how charismatic a lawyer is and if they can pull up records of the loophole happening in the past (assuming you are in a court that allows past rulings to have impact).
From what I've seen it is extremely arbitrary and is extremely frustrating. I was on a jury once, where one witness was told to tell only what they had heard/seen/etc. They would try to say "I heard so and so say such and such", and the other side would object. The judge would then say to tell only what you saw, heard, etc., not what other people did or said. And I'm sitting there thinking "But that is exactly what they were trying to do!" (of course I couldn't say a single word for risk to my own safety).
> games that would get them smacked in any reasonable court
You're talking about a Chinese court, right? The guy you're planning to sue lives in China and is a long-time business "associate" of the judge who will decide your case.
This is exactly right. When you disagree with a supplier you can only disagree based on the contract, and if someone could reasonably (and there is a wide latitude here for "reasonably") argue their interpretation was within the constraints of the contract then your remediation options are limited.
If you read contracts a lot (and over the years I've probably read a couple of thousand and negotiated maybe 100 or so) you will begin to see clauses that are in the contract which specifically prevent what was clearly a problem before that had not been decided as being in breach, so the added clause ensures that in future contracts it would be decided as being in breach.
My lawyer once told me that every contract tells a story if you know how to read it. The more I've read, the more I have come to appreciate that sentiment.
Why would you take an untested schematic to a manufacturer and ask them to build a product based off of it? If you are asking the manufacturer to both devise the schematic and build the resulting product, then it behooves you to ask for a prototype built from their schematic in order to evaluate the production's performance.
Re "nobody would do that": here's a quote from Destiny's Shield, one of the books in the Belisarius series:
"I was just thinking of the provisions of a typical Alexandrian rental agreement. For a house or an apartment. You know, the one about—"
Zeno smiled, nodding. "Yes, I know." His voice took on a sing-song cadence: " 'At the end of the term, the tenant shall return the house to the lessor free of dung.' "
He laughed himself, now. "It was so embarrassing for me, the first time I rented an apartment in Constantinople. I was puzzled by the absence of that provision in the contract. When I inquired, the landlord looked at me as if I were crazy. Or a barbarian."
This is a nice hacking story. But when you have physical access and expertise you can hack anything. So I don't understand what's so sad about it. I do advocate security in depth, and they should probably have added a few more "layers" of security, like hide the cables and encrypt the network traffic. But then he could just use a screwdriver or pull the encryption key from the device, etc. But they probably judged that stopping kids from playing with it would be enough. The guy is a freaking firmware developer and security expert!
Say you got inside a datacenter, or nuclear power plant, and pulled a cable from a control unit, you would probably be able to control stuff too, and probably more sensitive stuff than the room lights.
As soon as you get access to stuff you are not meant to access, it gets exponentially hard to protect from privilege escalation.
As a security exercise, assume a malicious hacker has physical access to your LAN. (shares, KVM, IPMI, MITM)
There are a few realms of business that seemingly necessitate such games. It's about as aggravating as can be imagined. I wish I knew a way around it. Different people? Closer aligned incentives? The cross-cultural aspects here make it especially difficult. You don't know what you don't know.
This is what makes people with so many years of experience so valuable. NetApp had a woman who would source parts from around the world and she had done it for long enough that she knew many (if not all) of the tricks in the book. Often her conversations would start with a new supplier and her requests with explicit constraints would tell them that she knew what she was talking about and that they had better play it straight. So they started out assuming none of the tricks they might use with an inexperienced buyer would work. That experience had tremendous value to the company.
Closer aligned incentives, yes. If you give someone money as gradually as possible they will need to make sure they can't pull a fast one and run off, they will actually need to perform.
Genuine question: Don't the other companies talk about security in their replies to the RFQ? Wouldn't that cause the original company to stop and ask the other repliers about the security they would implement (if they didn't mention security)?
Well that's just it, security is talked about but the buyer (the hotel in this case) is often not in a position to actually evaluate the vendor's claims.
You can put down "device should not be hackable" but without their own competent IT arm the hotel can't possibly verify the product delivers on the security promise.
> Well that's just it, security is talked about but the buyer (the hotel in this case) is often not in a position to actually evaluate the vendor's claims.
But at least the buyer becomes aware that security might be an issue, and thus takes it into account when making the final decision. (Even if it's just "take the lowest bidder that talks about security convincingly"). OTOH, this doesn't work for buyers that don't actually care.
> You can put down "device should not be hackable" but without their own competent IT arm the hotel can't possibly verify the product delivers on the security promise.
Sure, but if the vendor puts this in the contract and the hotel does get hacked, isn't the vendor then suddenly liable?
I don't understand why you use China as an example. The example you raised happens everywhere when your contract is exploitable. Pointing your finger at China does not help your case, only shows your prejudice.
We still use locks on doors, even though they provide security theatre only. Not everything needs to be that secure. Criminal nuisance laws are probably enough to deter anyone actually turning on all lights at 3am.
> We still use locks on doors, even though they provide security theatre only
This isn't really security theater — the term refers to something which gives the illusion of security and doesn't deliver, not the failure to achieve absolute security. In general, door locks are about as secure as they're portrayed: they don't prevent someone from breaking in but they considerably increase the time, skill/tool requirements, and risk of detection. The other key part is that the threat model is obvious: people understand that if e.g. you put a Grade 1 lock on the door but leave the window open, it's not a failure of the lock.
> Criminal nuisance laws are probably enough to deter anyone actually turning on all lights at 3am.
When I stayed there, it was just as soul destroying to use these things as you might imagine.
The implementation felt like they'd asked a VB6 dabbler to implement it in Java. Then stuck it in the cheapest 600MHz tablet they could find.
The UI was purely a button grid with distorted graphics, and dodgy typography. Button presses took about 1/2 a second to respond, and every 5th press caused the app to crash (adding a good 30 s to the experience).
My room had 4 tablets* in, and all of them behaved exactly the same way.
* the idea of a tablet to control the room is neat if it could be moved around. Like a remote-control. But for security (and using Ethernet) they were all fixed down. Making them far more useless than plain switches
Of course they decided not to have it. It's not like they aren't capable of implementing simple features. I just think it's a dumb decision.
For many Twitter accounts, the top tweets are a lot more interesting than the latest tweets, especially if you've just discovered the account for the first time.
It's like on the pilot of Futurama. As Fry leaves the cryogenics he woke up in, the door automatically whooshes open. He stands under it and looks up, only to have it slam down into his face.
On the DVD commentary, one of the writers explained that the future will be like Star Trek, but nothing will work. It's turning out to be true.
I'm amused by the use of Modbus. I worked on Modbus networking back in the 1980's at Modicon (a company that disappeared long ago that created the "standard"). Using a protocol invented before the internet to control devices on a semi-public network is insane.
The original Modbus was designed to communicate with factory devices controlled by logic controllers over serial and eventually over a custom token ring network. Modbus got moved to TCP at some point when I stopped paying attention. Modicon rejected TCP when I was there because the OSI model 7 layer network stack was going to be the next big thing.
I think if people actually knew the true extent of the debacle that industrial control protocols are, they would pass out. If you ever want nightmares, check out EtherNet/IP CIP protocol...
Of course, there are no security provisions whatsoever. If you can get a device on the LAN, you're golden. Every device, fully open to monitoring and control of every attached piece of equipment.
In the new world of inexpensive, battery powered LoRaWan to Ethernet bridges with tens of kilometers range, I can't even begin to imagine the industrial carnage we're heading for. A sufficiently funded attacker could find ways to implant remote monitoring and control in virtually every facility, where they can get a minimum-wage cleaning staff member hired. That means -- pretty much every facility (short of military, perhaps).
I recently went to a LoRaWan workshop funded by my megacorp (a utility company). It felt like paying someone to try and sell you their stuff.
Anyway, what the LoRa did emphasize is that both the network layer and application layer are encrypted with different keys using AES. This means someone would have to compromise both layers to actually control the devices.
Buuut, given that both encryption keys are stored on the device, I bet someone will just walk up with a chip clip and read the keys right out of EEPROM and then the pretty lights will start.
Or they'll just hack the application servers. I've seen some really god awful pieces of software in use.
A vendor once told me "it's so easy to admin our device over the internet. Just go to 192.168..." And of course due to corporate politics we still bought that piece of shit.
Moteino (arduino-based wireless dev platform) supports LoRa if anyone is interested in digging into some current sub-$10 ISM transceivers and their capabilities. http://lowpowerlab.com/moteino/#lora it's also a great project to get started with arduino if you've never worked with it before. Really solid documentation.
Same here - I used modbus only a few years ago, as it worked well for reading analog signals from hydroelectric turbine monitors, into a Linux box that converted them to digital for reporting. I cannot imagine actually using it on a modern network.
Could be. I just spent some time on the modbus.org site. I haven't looked in a while. There is pretty much no mention of security though they claim that Modbus over TCP is an internet protocol.
Given a completely static authentication realm like the rooms of a hotel, Modbus over TCP over IPSec would work just fine, and be transparent to the application. That sort of sounds like a good reason to be using Linux (Android) controllers in the first place; maybe they just forgot to enable it (or let go the installing contractors before their job was done, as soon as everything seemed to be "working.")
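Added example, not part of any comment in this thread: since Modbus/TCP itself carries no authentication, a passive monitor on the control network can at least enforce the "no device reaches another room's controls" rule discussed above. The sketch parses the MBAP header of captured requests and flags any request whose source is not on an allow-list for the destination controller. All IP addresses, the policy table and the sample frames are constructed for illustration.

```python
"""Flag Modbus/TCP requests that cross room boundaries (passive monitor sketch)."""
import struct
from dataclasses import dataclass

# MBAP header: transaction id, protocol id (always 0), length, unit id
MBAP = struct.Struct(">HHHB")

# Function codes that change state on the controller
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass(frozen=True)
class Request:
    transaction_id: int
    unit_id: int
    function: int

    @property
    def is_write(self):
        return self.function in WRITE_FUNCTIONS


def parse_request(payload):
    """Parse one Modbus/TCP request taken from a TCP payload."""
    if len(payload) < MBAP.size + 1:
        raise ValueError("truncated Modbus/TCP frame")
    tid, proto, length, unit = MBAP.unpack_from(payload)
    if proto != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match payload size")
    return Request(tid, unit, payload[MBAP.size])


def frame(tid, unit, function, data=b""):
    """Build a request frame; used only to construct the sample input."""
    pdu = bytes([function]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def audit(flows, allowed):
    """Return alerts for requests whose source may not talk to the controller."""
    alerts = []
    for src, dst, payload in flows:
        try:
            req = parse_request(payload)
        except ValueError as exc:
            alerts.append((src, dst, "malformed", str(exc)))
            continue
        if src in allowed.get(dst, set()):
            continue
        kind = "unauthorized-write" if req.is_write else "unauthorized-read"
        name = WRITE_FUNCTIONS.get(req.function, f"function 0x{req.function:02X}")
        alerts.append((src, dst, kind, name))
    return alerts


# Constructed policy: controller IP -> sources allowed to reach it
# (the room's own tablet plus a management host).
ALLOWED = {
    "10.20.3.111": {"10.20.3.11", "10.20.0.5"},
    "10.20.3.112": {"10.20.3.12", "10.20.0.5"},
}

# Constructed sample flows: (source IP, destination IP, TCP payload).
SAMPLE_FLOWS = [
    # Room tablet switching a coil on its own controller: allowed.
    ("10.20.3.11", "10.20.3.111", frame(1, 1, 0x05, struct.pack(">HH", 3, 0xFF00))),
    # The same tablet writing to the neighbouring room's controller.
    ("10.20.3.11", "10.20.3.112", frame(2, 1, 0x05, struct.pack(">HH", 3, 0xFF00))),
    # Unknown host reading holding registers (state monitoring).
    ("10.20.3.250", "10.20.3.111", frame(3, 1, 0x03, struct.pack(">HH", 0, 8))),
    # Management host writing registers: allowed.
    ("10.20.0.5", "10.20.3.112",
     frame(4, 1, 0x10, struct.pack(">HHB", 0, 1, 2) + b"\x00\x64")),
    # Garbage on the Modbus port.
    ("10.20.3.12", "10.20.3.112", b"\x00\x05\x00\x00\x00"),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS, ALLOWED):
        print(alert)
```

Detection of this kind only reports cross-room traffic; keeping it from reaching the controller still needs network segmentation or an authenticated tunnel such as the IPSec setup mentioned above.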
Just because it's CAN doesn't mean it's actually air gapped. If there is a Linux box on one end for SCADA use or similar, then the path is IP -> Linux spl01t -> SocketCAN
Turning lights on at 3 a.m. is a nuisance. Knowing when lights go on and off can tell you when the people are not in their room - which could help if you wanted to break in and steal their stuff. Overall quite disconcerting how lax they are with security.
Turning the lights on at 3am is a nuisance. Writing
while true; do turn_on_all_lights $IPADDRESS; done
is enough to ruin your night's sleep. Fighting with the lights that won't go off will probably pump enough adrenaline into your system to wake you up enough that you're not going back to sleep anytime soon.
And why not do that to the entire block of addresses you can reach, of course?
It's no "steal identity, rack up tens of thousands of debt" level of nuisance, but it's enough that some basic security is definitely called for. Given the capability of the devices on both sides (i.e. we're not dealing with "embedded" 1MHz processors here), client and server side validation of SSL certificates on an SSL connection, combined with some basic physical security to detect that someone's pried the Android off the wall (this can be something like "seal" stickers; we're going for detection here more than prevention), would have had a pretty good cost/benefit ratio.
(Remember, the goal here isn't to make the security "perfect", merely to make hacking it more expensive than what is being protected, which in this case still isn't that much. Nobody's going to risk being physically fingered as the room that pried out the Android tablet just to screw with lights.)
    while true
        level = 0
        while level <= 100
            set all lights to level%
            level = level + 1
            sleep 5
        sleep 120
        set all lights to 0%
        sleep 1800
The idea is to slowly raise all the lights from 0% to 100%, hoping that because it is gradual it will not wake the person. Then you turn them all suddenly off.
If that succeeds in waking the person, they will wake up in darkness, wondering what the heck woke them up.
More fun with lights: someone at Caltech once modified the wiring of a student's room and the adjacent bathroom so that the light switches in both rooms controlled the lights in both rooms. Then they waited in the courtyard that the student's room and the bathroom both overlooked to watch the hilarity that they knew would ensue.
What happened was that the occupant of the room eventually went to bed, turning off his light. Then later someone went to use the bathroom, turning on the bathroom light (and so also the student's light). That woke the student, who got up, turned off the light, and headed back to bed. The guy in the bathroom shouts something, and a few moments later gets his pants under control and goes and turns the light back on and heads back to the stall to resume his business. Meanwhile, bed boy is shouting something and getting up to turn his light back off. What I'm told then happened is that the lights flipped on and off a few more times, with the time between flips getting smaller and smaller, until both guys are just standing at their light switch flipping it repeatedly, before they both go out into the hall to try to figure out what is going on, find each other, and figure it out.
> Given the capability of the devices on both side ...
You're not wrong, but the other point is they are swatting a fly with a sledgehammer. What's wrong with a simple light switch for god's sake. Why would a hotel spend hundreds of dollars to do what a $2 device can do more reliably and securely?
I think you are talking thousands not hundreds. They had to pay people to set it up, pay for tablets for every room, and pay for the control devices too.
There might be significant cost savings in the ability to power off a room remotely instead of having to send someone over when a guest checks out. I would be more worried about the tv, the faucets and air conditioning, though.
Also, some hotels manage to have the tv showing a welcome message when you enter.
Sure. I work in a large university building and can power up/down various systems from my desk for the same reason. But it doesn't require a full tablet computer in each room. These are simple network addressable devices on their own VLAN that allow me to (for example) create an interface that sends a string of commands like a remote control, provided I give proper auth. If you're a regular person in any of the rooms in the building, you can't easily gain access to the VLAN, much less connect to any of the networked controllers in the rooms.
As a result, I can shut things down from my office or set up schedules to do the same. I can monitor usage and save resources (lamp hours on projectors and lighting, etc)
The idea of using a full-on tablet computer is just silly and sounds more like something I'd do while tinkering at home and was looking for a use for some old phone or tablet sitting in a drawer. It's not something I'd put in any enterprise or commercial space.
I've been in many hotels that required the key card to enable power to the room. Some hotels used a simple switch activated by presence of an object in the slot. Many could detect if the NFC tag key was present, but not read the value. Only a few I have seen actually verified that the key was the right key.
I've seen those too. They're quite inconvenient because they actively prevent you from charging your phone or laptop while out of the room. They should leave some marked outlets enabled but usually they only do so for the mini-fridge. And of course "fancy" places build that into a cabinet.
I usually have someone's business card on me, so I'll stick that in the card slot so that I can head to dinner while stuff recharges or the room cools down (for places where the A/C is tied to the same switch). I have yet to see one that's anything more than a simple mechanical switch.
The one I ran into that did that had an outlet that would work when out of the room... in the bathroom, for a rechargeable shaver, presumably. So my laptop got plugged in there...
I think the implication was that some asshole can obtain photos of you sleeping by opening the curtains and switching on the lights in the middle of the night. A nuisance, sure, but also a massive violation of privacy.
> the implication was that some asshole can obtain photos of you sleeping by opening the curtains and switching on the lights in the middle of the night.
So, somebody is going to set up shop across the way, in what is probably another commercial building, commit a couple of crimes, all to take a picture of some random, likely unidentifiable person sleeping in a hotel bed?
Personally, I'm not very worried about that.
I mean, it's not like there aren't easier attack vectors for creeping on people in hotel rooms if you were so inclined.
You or I, probably not. But just this week Erin Andrews won a $55 million legal case where somebody had intentionally booked a room next-door to her hotel room, then modified the peephole to her room, in order to film her naked. Certainly, there's people intent on prying into the private lives of others.
I would say most hotels have a first floor with rooms.
I was at one recently where the "balcony" was connected by a small path to the pool, so it was purposefully easy to access.
Well, if lights (and the article mentioned TV) repeatedly go on at 3 a.m. this can give quite a bad reputation to the hotel. A few bad ratings at reservation sites can have a notable impact on the business.
Maybe it's worse: If these are really off the shelf tablets, presumably the camera can be turned on remotely. Though I'm sure the hotel would have put a piece of black tape over it, right?
Depends on how targeted the attack is. A hacker who is bored and is searching Shodan for what entertainment the IoT is offering might find GPS quite useful.
It's on a private subnet. You'd have to have some way to get onto the hotel's internal network. The one described in the post is being physically at the hotel. Now, there might be other ways, but this most likely isn't about to show up on shodan.
You're right that in this particular case it's not a problem. Nevertheless any type of device that can be connected to a network, will be connected to the internet. Someone somewhere will make it happen.
I doubt the hotel came up with this solution completely by themselves. Whoever installed it will probably install it elsewhere and it's only a matter of time until it goes badly.
"Jesus Molina talked about doing this kind of thing a couple of years ago, so it's not some kind of one-off - instead, hotels are happily deploying systems with no meaningful security, and the outcome of sending a constant stream of "Set room lights to full" and "Open curtain" commands at 3AM seems fairly predictable."
Which takes us to this: "Any sufficiently advanced technology controlled by a miscreant is indistinguishable from a possessed object in a Stephen King Novel."
I can't wait until Random Q. Hacker can flood the lobby with blood from the elevators.
And if you wonder why the blood reservoir has to be connected to both the elevator shafts and to the Internet, I ask you this: who would want a dumb blood reservoir in their hotel? I mean, obviously you have to have one, but wouldn't you rather be able to query tank levels from your phone and automatically order refills online? Nobody wants to be the unlucky employee that has to go up there with a dipstick at midnight during a thunderstorm, right?
Stephen King magic I can handle, it's a particular Stephen Koontz tale of a mad computer nerd turning his town into cyborgs that concerns me. Great read! I think... was almost 30 years ago now....
I feel like I'm missing out on a huge bulk of money simply because when I have ideas of "Internet of Things", I can't get over the security obstacles and cancel the ideas. If only I just didn't care (or didn't know) and just implemented whatever the heck brought in money from oblivious customers.
Under pressure in an interview, yesterday, I found myself saying "'The Internet of Things' is short for 'The Internet of Things you don't need, sending surveillance data you don't want, to people you don't know.'"
I argue to people that I'd rather have my photos on Google's servers than on the friendly local Dropbox clone.
Why? Because I know Google has systems in place to detect sysadmins browsing in data unrelated to their job and I know they have fired people over it even if it was thought to have been done with good intentions.
Edit: as for tracking I wish they would up their game and stop providing ads for <insert eastern country here>-dating.<tld-of-the-day>
I wish they would take into consideration that I am happily married with more than 3 kids, belong to a subset of the population that has way less than 10% divorce rate and I might even be in the market for a new car at some point.
Nah, companies want obedient placid fungible workers, not free thinkering radicals. Even the hipster ones that let you work remotely and choose your own projects and stuff.
At the interview for my current job I was asked how I'd secure a remote service. My first response was along the lines of "Ask someone who actually knows about security, because I know just enough that I'd probably mess it up".
Or you could just implement them as-is, earn a shitload of money and then enhance their security in the next version or with a firmware update once you'll have the luxury of investing in R&D. At least it's better if a security-wary entrepreneur implements them instead of someone who simply doesn't give a flying fuck.
Keep in mind that we're talking about always connected devices. Firmware updates could be done remotely without the end user needing to do anything, except perhaps give his approval.
There are ways to build things so that this isn't a problem. Modularize.
It's easy to build it in a way so that the worst that the software can do is cause it to turn into a "dumb" fridge.
My problem with this whole hatred of iot is that it's not productive.
It's a bunch of people commenting how the trend is dumb and how everything was so much better in the past. Nobody ever gives suggestions on how to improve it, or how to fix some of these issues, or even what they would like to see. It's always just "Who wants a wifi light switch anyway?" or "Oh great now my door lock can freeze".
> It's easy to build it in a way so that the worst that the software can do is cause it to turn into a "dumb" fridge.
If it's so easy, why don't more companies do it? Why didn't Nest build their thermostats so that when the battery runs out, it reverts to a "dumb" thermostat instead of turning off your heat? http://www.theguardian.com/technology/2016/jan/15/bug-nest-t...
To be fair, most "dumb" thermostats still require an external power source to continue to operate.
Very few actually pull operating current from the 24v C wire if it even exists on the given system. If it doesn't, R (the switched 24v power for Heat and Cold signals) isn't guaranteed to continually have current. Only when your Heat is turned on (probably a standard toggle lightswitch on the side of your furnace) will there be current on the Rh line, and only when your AC is enabled (possibly a breaker shunt on the side of your house near the condenser unit in a small box) will there be current on the Rc line.
Nest tries to recharge its battery by trickling the C wire, if available, and if not it will try to charge off of one of the R wires, either during normal operation, or it will try and "pulse" the heat signal to pull a little bit of current to keep going. Thermostats were designed at a time where they didn't even consume any electricity on their own. We're trying to retrofit computers into a signaling system, not a circuit.
The GP is right: most new thermostats don't take power from the 24VAC line. That surprised me when my heat wouldn't come on one morning because the battery was too weak to pull in the relay for more than a few seconds. That's what I get for ignoring the "low battery" warning! All my previous electronic thermostats only used the battery as a backup.
In any case, are you really saying that using a toxic metal (mercury), or an imprecise bimetallic strip is really an improvement over a simple $10 electronic thermostat?
I should have been more specific by stating the difference between a dumb digital thermostat as I was describing, and a truly analog thermostat like the Honeywell T87.
A dumb digital thermostat is just a thermocouple and a relay, which you could rig together with very little EE knowledge and a weekend with an Arduino.
It's clearly more work to do it that way, as you'd need multiple "layers" of firmware/code which all need to communicate and run on their own, but I personally see that as insurance against the exact situation you are describing.
Nest is far from what I'd consider a good IOT company. They are the epitome of vendor lock in, proprietary and buggy code, and shitty support.
I'd consider Philips one (specifically whatever part of the company does Hue products; even with their recent base-station changes to only work with their bulbs). I don't think their base station has EVER crashed on me, not once. They made sound architectural decisions for the product as a whole - it's not some bloated Linux thing but it runs FreeRTOS and does only what it needs to. I have one of their push-button kinetic power light switches in my setup and I've forgotten that it isn't an old-school lighting setup most of the time. That's because of another good architectural decision - they had the sense to decide that simple RF code-sending to the base station was good enough for the switch, rather than trying to make the switch into some kind of Wi-Fi connected thing running a TCP/IP and web stack (did I mention the switch needs no battery or external power of any sort?). The system stays out of my way and just works when I want it to, while still allowing me to dig in and add-on cool automation where it's appropriate.
The thing I don't get with 'control everything with your smartphone!' is that people don't think about everyday use. It's like the people that design these products don't look at the actual, repeated use cases. Why would I want to pull my phone out of my pocket, unlock it, find the app I need, launch the app, wait for it to connect, hit the buttons I want....
(Even when I'm on Android and I can have an IoT control widget on my homescreen, that's still pulling the phone out, switching it on, unlocking it with my fingerprint, finding the page, hitting the button.... oops I forgot to turn Wi-Fi back on, better do that....)
I think IoT is great, but to do a great job at it you need to design the product with that in mind to begin with. The whole architecture of the product has to fit (see again, Hue). Sure, picking an Android tablet is easy, but why would you architect all that complexity? Why not a touchscreen device with a really simple real-time OS that does only what it needs to do?
I'm confident that this will all be self-correcting in the end. Consumers and 'the market' are smarter than we give them credit for. Certainly it takes a long time for them to react, but I think that when enough of the public is jaded by 'bad IoT' and the fad phase has passed, the actually good IoT products will survive and those companies that really think about their designs as a whole will be rewarded.
I think it's because it's so prevalent. If your car had a faulty AC unit, you wouldn't swear off all cars, because most cars don't have that problem. But I feel like we're all still waiting for an Internet of Things Thing to show up that's actually done right. And it's been long enough that if nobody has done it right so far, it seems like a distinct possibility that nobody ever will.
>And it's been long enough that if nobody has done it right so far, it seems like a distinct possibility that nobody ever will.
But it hasn't been that long at all, and there are people doing it right.
The problem is that they are expensive and don't offer the same amount of features that some people want.
Take the "traditional" smarthome networks like z wave and friends.
I have a z wave light switch that works as a lightswitch 100% of the time. I actually installed the switches before I had a controller for them.
Add a controller and you have a "smarthome".
Connect that controller to your wifi and you have the ability to control these things safely from within your own network using anything from a bash script to shitty iPhone apps.
Connect that network to the internet through a firewall and an authentication system and you now can control all of that stuff securely across the planet.
If any one of those breaks, functionality is reduced. Internet is down, I can't control it outside the house. Controller goes down, I can't control them as groups or from within the house but still "remotely". But it will literally always turn on/off the lights when I hit the switch. I don't need to worry about the security of a cheap Chinese zwave knockoff thing because the controller is that gatekeeper.
That's IOT done right.
But people don't want to pay the money for that, they don't want to pay an electrician to come out and install them across the whole house, they don't care about security or what happens when the internet is down, they want a light they can control from their phone for as cheap as possible as fast as possible. And of course when people are asking for a product, manufacturers are going to make it.
Indeed, I'm quite happy with my INSTEON system. They're stylish, high quality in wall switches, they have a very reliable (though unfortunately proprietary) communications protocol. The serial and USB adapters for them are easy to code for and there's a variety of third party control programs available. I'm writing my own actually. They also now have a cloud hub for people who want that sort of thing.
If your connected fridge can brick itself in such a way that it stops refrigerating things then it wasn't worth buying in the first place. Especially for things like this, where you could end up accidentally poisoning someone, the failsafe in case of software failure should be switching to an old school circuit that just keeps things at a fixed temperature.
Sure, I'll tag along. Problem is in a few years you may not have a choice because all fridges will be Internet-enabled by default. It's already happening with TVs where 70% of new sets are smart TVs. And you know, personally I don't mind because if it bothers me too much I'd just make sure that the damn thing never gets online access but I doubt the average consumer could go to such lengths. So instead of moaning and bitching about it perhaps we, as a community, ought to think about ways to solve security issues. Otherwise the industry will just go ahead and build them no matter what.
So we're back to a couple of comments above: suggesting that people actually upgrade firmware.
An opt-in switch is merely convenience for the incredibly thin % that bothers with this kind of thing. And that % will actually be informed enough to not opt in.
Come to think of it, that % will likely be informed enough not to buy this kind of device in the first place.
Tesla has a pretty vested interest in shit keeping working considering it's a pretty luxurious and high-profile product. The cut-price manufacturer of your $20 lightbulb or $300 fridge? Not so much.
The cheapest Chromebooks ship at $149 and have a pretty much unbrickable automated update flow that includes the firmware for the CPU and embedded controller(s).
It's not a matter of luxury, it's a matter of having people work on it who care.
Except when you're abroad on roaming cellular charges, and your three laptops decided that since your iPhone's personal hotspot is WiFi, it's time to download today's ChromeOS image version, because the one you had downloaded the night before was not good enough anymore.
Source: Chromebooks are awesome, and even with excesses like this, they're still the cheapest to operate by far.
Chrome OS tries to honor various DHCP server flags that state that the connection is metered. Unfortunately iOS doesn't seem to provide any such indication.
A comment in https://bugs.chromium.org/p/chromium/issues/detail?id=323010 claims that the BSSID is used for a "suspected" state, but that may not be enough to actually stop it from downloading updates, but I'm far from an expert in that domain.
In short, identifying tethering states with iOS seems to be hard.
You can determine whether the network is a Personal Hotspot heuristically. It is nice of them to have implemented private DHCP flags in Android, but if you routinely pull hundreds of megabytes without user interaction...
Then the opportunity is to convince customers why they should pay more for well-supported connected products. Easiest way is to make high-margin products.
That's the Tesla case. Or alternatively the Apple case. The vast majority of customers go with not that, and history shows you won't convince them the intangibles are worth it.
Opt-in just means nobody gets updates again. I realise this is more a techy audience but think of these things from the mainstream perspective. Especially when the tabloids and social network copypastes get the word out that hackers can turn your oven on or something if you enable updates.
It is either possible to do something securely and won't really take significantly more time, or it's not possible to do it securely at all, and no future update is going to fix it.
There's a difference in security issues due to a programming bug vs. insecure design.
If an application was created without security in mind, in the worst case it might require a complete rewrite. In other cases it might be a whack-a-mole game.
For example compare ssh vs. an application that simply opens a port and starts bash as root. You can use both to control your server, but if you want to add security it would be a lot of work (you could incrementally add authentication, encryption, maybe restrict what the user can do, but there will be a million and one ways to escape).
After fixing one issue after another without seeing the end you'll realize it would be less work to just rewrite it from scratch with security in mind.
I think the parent post is talking about a design for security rather than fixing security bugs. A device or system designed without security in mind likely isn't going to get security as a priority at any point in its lifetime, or isn't going to be worked on by security minded folk. Any updates are likely going to be superficial, poorly implemented, or simply not a priority for the developers.
In regards to IoT devices, as the article is lamenting, many are designed with no security in mind and instead seem to be thrown together as quick as possible to achieve a function, without considering the implications that a security breach may have with said device. (e.g., IoT baby monitors, thermostats, home locking systems)
I worked for a startup and found cross-site scripting vulnerabilities and other issues like GET urls for deleting things. I was told to leave it alone and not "waste my time" because we don't have a lot of users and we weren't popular. I cringe at the justification. Security should be a necessary skill. It shouldn't be something after the fact.
I call this the "we don't do anything special" fallacy. They consider hackers to be something like in the movies where a team of slick black leather clad folks plan a digital heist, and why should a bunch of movie stars care about our little business.
In truth it's much much more like how Google just has computers trying to index every site on the internet that they can find. Most of the attacks these days are broad searching things, just testing every exploit they can against every site they can.
Also, seriously, Google will find and index those GET+DELETE non idempotent URLs and ruin their day.
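The crawler problem raised in the comments above, as an added example that is not part of any comment in this thread: a link-following client that only ever sends GET empties a store whose delete action is a plain link, and cannot touch one that requires POST plus a token. The class names, routes and sample items are constructed for illustration.

```python
import html
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class LinkCollector(HTMLParser):
    """Collects href values the way a link-following crawler would."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)


class UnsafeApp:
    """Hypothetical app where deletion is a state-changing GET link."""

    def __init__(self, items):
        self.items = dict(items)

    def handle(self, method, url, form=None):
        parts = urlsplit(url)
        if method == "GET" and parts.path == "/":
            rows = "".join(
                f'<li>{html.escape(name)} '
                f'<a href="/delete?id={item_id}">delete</a></li>'
                for item_id, name in self.items.items())
            return 200, f"<ul>{rows}</ul>"
        if method == "GET" and parts.path == "/delete":
            item_id = parse_qs(parts.query).get("id", [""])[0]
            if not item_id.isdigit():
                return 400, "bad id"
            self.items.pop(int(item_id), None)
            return 200, "deleted"
        return 404, "not found"


class SaferApp:
    """Same store, but deletion needs POST and an anti-CSRF token."""

    def __init__(self, items):
        self.items = dict(items)
        # One token for the demo; a real application issues one per session.
        self.csrf_token = secrets.token_hex(16)

    def handle(self, method, url, form=None):
        parts = urlsplit(url)
        if method == "GET" and parts.path == "/":
            rows = "".join(
                f'<li>{html.escape(name)} <form method="post" action="/delete">'
                f'<input type="hidden" name="id" value="{item_id}">'
                f'<input type="hidden" name="csrf" value="{self.csrf_token}">'
                f'<button>delete</button></form></li>'
                for item_id, name in self.items.items())
            return 200, f"<ul>{rows}</ul>"
        if parts.path == "/delete":
            if method != "POST":
                return 405, "method not allowed"
            form = form or {}
            if not secrets.compare_digest(form.get("csrf", ""), self.csrf_token):
                return 403, "bad token"
            item_id = form.get("id", "")
            if not item_id.isdigit():
                return 400, "bad id"
            self.items.pop(int(item_id), None)
            return 200, "deleted"
        return 404, "not found"


def crawl(app):
    """Fetch the index, then GET every link found on it, like an indexer."""
    _, body = app.handle("GET", "/")
    collector = LinkCollector()
    collector.feed(body)
    return [(link, app.handle("GET", link)[0]) for link in collector.links]


if __name__ == "__main__":
    sample = {1: "invoice.pdf", 2: "notes.txt"}  # constructed sample data
    unsafe, safer = UnsafeApp(sample), SaferApp(sample)
    print("unsafe:", crawl(unsafe), "left:", unsafe.items)
    print("safer: ", crawl(safer), "left:", safer.items)
```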
Absolutely true! I have to tell people that many attacks just try every door to see if it's unlocked. They are not movie plot-style targeted attacks. And such attacks can and do lead to data breaches!
This is why I absolutely believe and publicly talk about security being a matter of developer ethics. I have used my walk away power to get a company to do the security they needed in a similar, but not quite the same type of situation.
I think they were right to tell you to leave them alone, but a better answer would be: "we'll add them to our backlog (or whatever way you manage issues or work), and get to them by X iteration". As long as you were really working on an MVP and not a version 1.x.
That's technical debt, and it's hard to fix. A prototype, sure, it can have flaws, it's a proof of concept of feature X, not feature X SECURED. But then the release has to be a rewrite. If it's not, those flaws are more likely to become permanent. And when they do begin work on repairing their codebase, they'll spend several times the money and time to fix than if they'd spent some time early on. They'll also likely introduce numerous other issues in the process.
Ok, I'll clarify: I think they were right as long as it was a throwaway prototype. And the GET delete operations are probably a bad idea even for a prototype. I was thinking of a rewrite for release 1.x.
I don't have enough knowledge of the stage the OP's startup was to have answered, so I stand corrected.
These days, this is the kind of thing I negotiate up front. When they ask me how long something will take, I explain that they can have a prototype quickly, but only if they promise to throw it away as soon as the experiment is done. I explain that they can have me build a movie set or a real house, but that there's nothing in between. [1] And then I leave the choice up to them, explaining that it's really about their business judgement.
Generally people keep their promises on this, although sometimes it takes a little reminding. When they do, the business benefits are substantial. A good product person really benefits from doing quick, cheap experiments. And they also benefit from having a solid platform of high-reliability code for production use. But they can only get the benefits of both if they're careful not to mix the two.
I'm old and have been in this industry a long time, and I'm genuinely surprised on those oh-so-rare occasions when what you describe doesn't happen.
Prototypes-become-products is a trope much like _The Mythical Man Month_. We all nod knowingly when it is mentioned, we all know how it will turn out, and then we (well, management dictates that we...) turn right around and do the opposite.
The problem is those things end up being forgotten or interfaced to in so many places that in the end they become un-fixable or won't be fixed to keep other stuff running.
I was thinking more of a throwaway prototype, but the answers on other threads convinced me it wasn't good advice, and I don't know what stage the OP's startup is.
I build stuff like that - my approach is to limit capabilities to the absolute minimum, and anything that is not needed for function but necessary for debug/diagnostics stays on the device rather than going across the network. This limits the devices a fair bit - firmware update across the network with no local interaction is not allowed, nor is accessing the local data store. Want to email me and talk about this?
Absolutely - and for a light switch it's appropriate. As an example of a thing that needs internet to function, consider a heater controller that has a high power and low power mode depending on momentary cost of electricity - it fetches price data across the network, and it's important to log things like temperature at various points of the device for diagnostics. Now, it's very tempting to send the diagnostic data across the network, but this leaks usage information. It's also tempting to allow things like remote configuration, firmware updates and reading device memory for debug, but that can leak network access credentials or make the device a beachhead for access to the internal network. This is why any feature like that is to be avoided and, if present, needs to be activated from the device itself, not remotely. If you NEED remote control, see if you can limit its scope of functionality to the bare minimum, and consider who needs access to it - in the case of the heater controller, the provider of the pricing data doesn't need to know or control the state of the device, so there's no need to allow that on that connection. Where possible, make the device a CLIENT rather than a SERVER - have the device itself initiate connections, to an address that is entered by local interaction, rather than accept connections from anywhere. If you MUST break those rules and accept connections from anywhere, that's when you really need to spend a fuckton of effort securing every aspect of your device, client applications, and protocol.
I wonder if the competition wouldn't just skip the security, then beat you on the price because you are paying lots of money for security experts. Most customers don't care about/understand security and your company fails.
Find a way to demonstrate the flaws in various products, aim for non-consumer markets. Businesses that have an actual motivation to have secure devices like the hotel in the article would be more inclined to spend the extra money, especially if it at least eliminated a trivially hackable configuration like, again, in the article.
The difference between you and the dunces building things like this hotel light system is that you know that there's a problem and will work to fix it. As the market matures, security will become more important. But the only companies with the chance to fix it will be the ones with substantial market share. And the people who will fix it best will be the ones, like you, thinking about security from the beginning. But that can only happen if people like you get in early and lay down the infrastructure in a way where security will at least be possible.
Android/iOS is an interesting idea for a business.
They already have secure app distribution. A private channel in the Google play store or via app store adhoc.
Communication between the devices via a server should be possible at least using HTTPS but also private/public key encryption. Doesn't have to be an actual server just one of the devices in server mode.
Good point, seems like places get sold products that are smoke and mirrors. If they knew what was going on in the background they would be shocked. Best plan is to build up a big customer base with a smoke and mirror product and then sell out and hope you don't get sued.
Yes, I'm sure that the only thing standing between you and untold riches is your resistance to lax security measures in app-controlled sous vide machines.
The security risk in an app-controlled sous vide machine includes starting a fire that burns your house down.
- Sous vide normally uses a water bath at a controlled low temperature over a long period of time.
- Hike the temperature up past the boiling point, and the water is evaporated, allowing you to hike the temperature up to ignition points.
- Or, cycle the electronics fast enough to overload the power supply. If it isn't designed well, either the wall circuit blows or the power supply bursts into flame.
- In any case, the expectation of a long unattended cooking process means that human observers might not be in the loop.
It seems unlikely that the device received a UL certification without a simple thermal cutoff switch that is common even in low-end cooking appliances.
Even without deliberate hackers, the device needs to contend with software errors, running without water, or a stuck relay that could leave it boiling dry and overheating.
You just need to look at Therac-25 for a device which lacked hardware interlocks/cut-offs, had flawed/buggy software interlocks, and still received certification.
You mean I only need to look back 35 years to a professional medical device built when computer control was still very new and that wasn't intended to be operated by unskilled consumers, and wasn't certified to be safe for home use?
Therac's often used as the "canonical" example, but there are more recent issues that stem from a lack of a physical interlock:
- VW's dieselgate (although that was intentional)
- Virgin Galactic VSS Enterprise crash
(yes, designed for a skilled operator, but still: no interlock on the brake)
- Pyranha Moulding's industrial oven [1]
- Hotpoint tumble-dryers catching fire [2]
Even without network connectivity, household products still get recalled for issues such as fire risk, because they lack things like thermal cutoffs, or the cutoff is in some way inadequate.
Perhaps 35 years ago computer control was still very new, but right now, IoT is very new, so there's a whole new world of mistakes to learn from, and the evidence is very clear: serious mistakes are being made.
I am coming to the conclusion that these devices should be treated like every other URL on the web. It should have TLS with a proper cert, a global domain name, wifi, and access controlled by something well known like OpenID/OAuth. With native apps and CORS, firewall traversal is solvable without special protocols and adaptors.
This is the unfortunate outcome of a bunch of factors.
OEMs moving to XXX over TCP protocols which have zero security by default and documenting this in the datasheets.
VAR installers switching to the newer products because CAT5 cable is cheaper and easier to pull than what they used to use.
The previous solution was just as insecure but harder to hack because you needed more specialised equipment.
I'm not sure how we are going to fix this without getting the OEM industry and the industry bodies behind xxx over TCP to understand that they need to bake a security model in.
Also, for the particular case of MODBUS over TCP, MODBUS itself doesn't have any security aspect (by design); it is a very simple byte read/write protocol really.
Just read over their FAQ. They claim that Modbus over TCP is an internet protocol. Nowhere do they even mention security. I wonder how many devices are sitting on IPv4 addresses that are completely controllable over the net without a shred of security. Lovely.
> For example, you might know that Shodan crawls the Internet for industrial control systems (ICS). One of the most popular protocols in ICS is called Modbus that runs on port 502. At the moment, there are about 17,000 devices listening to Modbus on the default port. It turns out there are also 700 devices listening on port 503, again a one-off sort of situation.
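What "no security aspect" means on the wire, as an added example that is not part of any comment in this thread: a parser for the Modbus/TCP header (which carries no credential field at all) and a gateway-style policy that lets any host read but only listed hosts write. The function names, the policy and the addresses are assumptions made for illustration; the frames are constructed samples.

```python
import struct
from dataclasses import dataclass

# Public function codes from the Modbus application protocol specification.
READ_CODES = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
              0x03: "Read Holding Registers", 0x04: "Read Input Registers"}
WRITE_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def build_frame(transaction_id, unit_id, function_code, data=b""):
    """Build a Modbus/TCP frame; used here only to construct sample input."""
    length = 1 + 1 + len(data)  # unit id + function code + data
    header = struct.pack(">HHHB", transaction_id, 0, length, unit_id)
    return header + bytes([function_code]) + data


def parse_request(frame):
    """Parse one frame: 7-byte MBAP header, then function code and data.

    Every field is addressing or framing. Nothing identifies or
    authenticates the sender, so any host that can reach the port can
    issue any request the device implements.
    """
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0")
    if length > 254 or length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def decide(frame, source_ip, writers):
    """Hypothetical gateway policy placed in front of the devices.

    The source address is the only identity available, which is why this
    only helps when the network is segmented so addresses cannot be
    spoofed from guest-reachable ports.
    """
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return ("drop", f"malformed: {exc}")
    if req.function_code in READ_CODES:
        return ("allow", READ_CODES[req.function_code])
    if req.function_code in WRITE_CODES:
        if source_ip in writers:
            return ("allow", WRITE_CODES[req.function_code])
        return ("drop", "write from unlisted source")
    return ("drop", f"function code 0x{req.function_code:02X} not on allowlist")


# Constructed sample traffic (addresses and values are made up).
WRITERS = {"10.0.0.5"}
READ_REGS = build_frame(1, 1, 0x03, struct.pack(">HH", 0x0000, 2))
WRITE_COIL = build_frame(2, 1, 0x05, struct.pack(">HH", 0x0013, 0xFF00))
DIAGNOSTIC = build_frame(3, 1, 0x08, struct.pack(">HH", 0x0000, 0x1234))

if __name__ == "__main__":
    for ip, frame in [("10.0.3.7", READ_REGS), ("10.0.3.7", WRITE_COIL),
                      ("10.0.0.5", WRITE_COIL), ("10.0.3.7", DIAGNOSTIC),
                      ("10.0.3.7", WRITE_COIL[:-1])]:
        print(ip, frame.hex(), decide(frame, ip, WRITERS))
```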
I couldn't agree more. It shouldn't surprise anyone that cheap outfits are cutting corners on something optional.
Structural engineering solved these kinds of problems with building codes. While I'm not sure that's the answer here, I think most people would welcome guidance beyond "just put whatever devices you want on a shared network and hope for the best".
> Structural engineering solved these kinds of problems with building codes.
I'm guessing a lot of buildings and bridges had to collapse for codes to take hold. I hate to think about how many power grid shutdowns and crashing cars we will have to go through. Clearly the routine theft of personal data has not made enough of an impact to improve security.
Technology for technology's sake is a real shitshow and a big problem.
I was in my friend's Honda Pilot the other day, which has the new trendy big screen interface to replace the radio. I'm sure it is insecure junk, but more importantly it is a nightmare for humans.
I have a BS in CS, have developed some enterprise apps, run major complex tech programs successfully, and could program my dad's VCR in the early 80s. And... It took me nearly 10 minutes to figure out how to turn off the radio on the weird touchscreen.
To turn the radio on requires 4 clicks, and the key button is on the corner of the screen, where it is least responsive to touch. I would probably be safer driving with my knees and texting with two hands than controlling that radio.
KNX, being one of the most sophisticated and proven building intelligent protocol, widely adopted in Europe.
If anyone interested, cross scan its default IP interface port 3671
and,
say German telecom ISP IP range (and there is CSV available on www),
with efficient penetration test tool like masscan, challenge it with 0x0205, look for 0x0206 on response.
Thousands of home and factories and commercial buildings welcome you with real time datagrams on all their switches/appliances/presences/sensors/cams/... Bonus point: writable!
Yes, I was also misled by the title. You read again, Android in the text as well as in the title as if something to do with the Android OS is responsible especially taking into account that the guy is a security developer at CoreOS.
* "I stayed in a hotel with Android lightswitches and it was as bad as you'd think"
Another title would be:
* "CoreOS security developer stays in a hotel, and hacks the light switches to.."
All that internet, and the Android tablets are still just sitting on the wall where the light switches used to be. What's the cost in hardware and electricity to move from light switches to Android tablets for an entire hotel?
I feel like the only thing that can fix this type of mentality is a line of products targeted towards annoying nerdy 13 year old boys-- the type of boy that a lot of us were. We need to make it easy for them to abuse security lapses in IoT products. When I was in middle school, I brought a universal remote to class and turned on the television set. Yeah, I know, I was a badass. But these kids will do much more.
The problem is that when a software engineer goes to the front desk of a hotel and complains about the security of the brand new Android-Powered Hi-Tech system that they just put in, the person working the desk thinks, "Haha wow! That nerd was a real Sheldon Cooper, like on the television!" and they don't care at all. If you live in a bubble where programming and computer work is black magic, well then of course it is completely inevitable that someone so nerdy and so smart would be able to hack everything on the planet. So they don't really think there's anything to be done.
When it's a group of annoying little 15 year olds that sneak out in the middle of the night to wake up all of your guests, it's a lot bigger of a deal.
Not sure why this is getting downvoted. This is a big part of what happened with internet security over the years.
Back at the dawn of time, less than a billion seconds from epoch, it was considered rude to exploit obvious security holes. People would actually track down casual hackers and get them in trouble. But once script kiddies came on the scene, it became a lost cause. Once it could be any 14-year-old idiot on the planet scanning your ports and exploiting your old, unpatched software, it became clear that tacit agreements and social pressure weren't enough. The burden of security began to shift to people who created the software.
Just let them. The sooner people realize that buying a cheap $35 smart watch, or embedding the cheapest Android tablets into walls, or turning off your heating completely after the battery in your smart thermostat dies... the sooner we'll be in a place where the security of IoT is actually considered, not only as important, but as crucial. Then, we can have nice things.
Yeah, wow. Twelve years ago, I worked for a firm that built DVOD (digital video on demand) systems for hotels across Australia and UAE.
Even then, and with the limited 'damage' that could be done, each and every single room got its own VLAN. That was certainly a little ugly to manage at times, especially in a 1200 room hotel, but yes.
This is why I don't understand the "Internet of Things." A light switch is a pretty effective solution to the problem; there seems little advantage to networking it. Ditto for a toaster, refrigerator, et cetera, et cetera.
You want to have your lights come on at a certain time.
You want to add motion detection to lights turning on.
You want to attach light sensors to have variable intensity bulbs be brighter or dimmer depending on ambient lighting conditions.
You want your lights to turn on inside your garage when the garage door opens.
You want your front hallway light to come on when your door is opened.
You want to be able to check all the lights in your house at a glance to make sure you did not accidentally leave any on.
You want to have all your lights auto-off when your kids should be in bed.
And of course, most importantly:
You want to turn your house into a rave party, or an epileptic seizure inducing disaster, and I don't think there is actually a difference there.
Your networked toaster might have online profiles for how to optimally toast bread, bagels, rolls, etc based on the type of bread and they would be available on a per-toaster basis. Rather than just odd balling how you want your toast done, you could buy a toaster that has profiles with high ratings that will toast your bread to your exact desire with your given model of toaster.
For your fridge, it could have isolated temperature and humidity per compartment, give alerts when different foods are low in quantity / going bad, track the expiration dates of all your food, and have the same lighting features as your house lights.
There are plenty of applications of "smart" devices. The problem with the IoT is that once you put software in a device you need to be responsible for it, and I don't believe there is actually a single hardware manufacturer on Earth right now who is legitimately responsible for their hardware and respectful of their users (particularly their software freedoms in relation to that hardware).
None of these things sound like killer applications, and few of them require any kind of computational power let alone networking. There are much simpler ways of accomplishing the same things. That is my point; IoT proponents are adding unnecessary complexity for dubious gains. Some examples:
> You want to have your lights come on at a certain time.
I can get a timer at a hardware store.
> You want to add motion detection to lights turning on.
I can get a motion sensor switch at a hardware store.
> You want your lights to turn on inside your garage when the garage door opens.
Yep. That happens with most existing garage door openers.
> You want your front hallway light to come on when your door is opened.
I've never seen this implemented, but it could be done in a multitude of ways such as the motion sensor or a simple contact switch on the door itself.
I've long been interested in "home automation" stuff, so I'll give you a quick example of what I have at my house now that can't be done with timers/motion sensors from the hardware store.
There's a keypad in the entrance to the kitchen, with buttons labelled "Bright" "Dim" and "All off". If you press Bright, all of the lights (sink, under-cabinet, range hood, and island) turn on 100%. Dim sets just the under-cabinet lights on at 50% and the island at 10%. Without this keypad, you have to walk to 3 different switches on opposite sides of the room.
There's also a keypad by the front door. It has an 'all off' button which is great when we're leaving, and as we also walk by it on the way upstairs, handy when we're going to bed.
The front door keypad also has a "Garage" button. It lights up red if the garage door is open (as we can't see the door from anywhere inside the house). Press it and it'll toggle the door to open/close.
That stuff is just simple scenes, but I also have some more complex things..
The outside lights go to 20% from dusk until midnight, then turn off after midnight. On top of that, at any time between sunset and sunrise, if the garage door is open, or if the outside motion detector sees motion they go to 100%, and once the door is shut or no motion is seen for a few minutes, they return to previous level.
At sunset, if none of the lights in the house are on, one of the lights in the kitchen and one of the lights in the living room turn on (to make it look like someone is home).
At ~midnight, if only the one kitchen light and living room light are on (and nothing else has been adjusted, indicating someone is home), turn the lights off.
At sunrise, turn off all lights. (This used to be 3am until we had a baby, then it was annoying because, well, crying baby + preparing bottle + 3am + lights suddenly turning off = ..not good).
At some point I will also set up a motion sensor in the front hall (or maybe a door open sensor), so if the outside motion is triggered followed by the inside motion (or door opening), the inside front hall light turns on. A bit tricky, since I don't want it to happen if I'm just walking around the house (or leaving).
Is any of this game-changing? Not really. It's interesting to me, it's not overly expensive (especially as I have built this up over time), and it's a nice albeit minor quality-of-life thing.
Btw, I can control this from a PC/phone, although I basically never do (the keypad/switch on the wall is always going to be faster). I could also set it up to work via internet, but I don't, because 1) there's an attack vector and extra security to worry about, 2) adjusting the lights while I'm not home is pointless, 3) I believe a key to home automation is the automation part. If I have to control it manually, it's by definition not automated.
Thank you. Genuinely interesting, and in my opinion, one of the few examples of the technology done right.
I would point out that the three different switches on opposite sides of the kitchen sounds more like an issue of poor switch placement (admittedly, a common problem) than anything crying out for automation, but the ability to control sets of lights with one button is intriguing.
I think the take-away is this:
> Is any of this game-changing? Not really. It's interesting to me, it's not overly expensive (especially as I have built this up over time), and it's a nice albeit minor quality-of-life thing.
Which I contrast with: "Let's hook my toaster up to the internet because: Internet of Things!" which seems to be the prevailing attitude.
> I believe a key to home automation is the automation part. If I have to control it manually, it's by definition not automated.
Yup, this.
I built an automated heating system. It does all the right things at the right times. I never touch it; it has some graphs if I want to see what it's doing.
The shoddy consumer systems all have manual control and an app, because you just spent all that money, you want the warm fuzzy feeling of having an app to fiddle with.
I wouldn't pay a dime for most of those features, even if it worked perfectly. Where I can see the use is doing things remotely, as in when you're far away: locking/unlocking the doors, making sure the lights and appliances are off when you're traveling, turning on/off the heat remotely etc. IF you could do those things securely.
Too lazy to walk up to the light switch when I'm at home? Just no.
Depends what you mean by "Building Automation." If you mean things like a thermostat to control my heating, sure that has been around for decades. However, it can be a very simple mechanical device. Even for the computerized ones, I see little advantage to networking it (at least compared to the disadvantages).
If, however, by "Building Automation," you mean networked computers controlling your lights and every other aspect of your environment, this is not the norm now, never has been, and I would hazard a guess that it won't be any time soon because the cost and complexity is not worth the marginal advantages. Yes, some elements are creeping in: particularly systems to shut off lighting and environment control in office buildings at night because the power savings are worth it, but those systems are relatively simple and closed. There is no need to connect them to the sort of network that is featured in the article let alone the internet at large.
Lighting systems are very common in the building automation industry but they're typically connected to physical switches. Placing a computer or tablet there doesn't really change things - this could have been hacked regardless of the end-user input. The core protocol Modbus/TCP has been available and easily hackable for decades.
Building Automation is exactly what you're describing and it is the norm. It's common for schools, hotels, and commercial buildings to be "smart", with something like Modbus or BACnet connecting lighting, HVAC equipment, smart meters.
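An added example, not part of any comment in this thread: a Modbus/TCP request has no field that identifies or authenticates its sender, so a rule such as "a room may only write its own coils" has to be enforced on the network path. The sketch below parses requests and checks writes against a per-source allowlist; the IP addresses, unit id and coil ranges are constructed assumptions.

```python
import struct
from dataclasses import dataclass

READS = {0x01, 0x02, 0x03, 0x04}   # read coils / inputs / registers
SINGLE_WRITES = {0x05, 0x06}       # write single coil / register
MULTI_WRITES = {0x0F, 0x10}        # write multiple coils / registers


@dataclass
class Request:
    unit_id: int
    function: int
    address: int
    count: int

    @property
    def is_write(self) -> bool:
        return self.function in SINGLE_WRITES | MULTI_WRITES


def parse_request(frame: bytes) -> Request:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    # MBAP: transaction id, protocol id, length, unit id. No sender identity.
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function = frame[7]
    if function not in READS | SINGLE_WRITES | MULTI_WRITES:
        raise ValueError(f"function 0x{function:02x} not handled here")
    if len(frame) < 12:
        raise ValueError("truncated request body")
    address, value = struct.unpack(">HH", frame[8:12])
    # Single writes carry a value in the second word; the rest carry a quantity.
    count = 1 if function in SINGLE_WRITES else value
    if count == 0:
        raise ValueError("quantity of zero")
    return Request(unit, function, address, count)


# Constructed policy: source IP -> (unit id, addresses that source may write).
# For brevity coils and registers share one address range per source.
POLICY = {
    "10.0.101.10": (1, range(0, 8)),    # hypothetical room 101 panel
    "10.0.102.10": (1, range(8, 16)),   # hypothetical room 102 panel
}


def check(source_ip: str, frame: bytes, policy=POLICY) -> str:
    """Return a verdict for one request as seen by a monitor or filter."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return f"ALERT malformed or unexpected frame: {exc}"
    if not req.is_write:
        return "OK read"                # only writes are policed in this sketch
    if source_ip not in policy:
        return "ALERT write from unlisted source"
    unit, allowed = policy[source_ip]
    last = req.address + req.count - 1
    if req.unit_id != unit or req.address not in allowed or last not in allowed:
        return (f"ALERT write outside own room: unit {req.unit_id} "
                f"addresses {req.address}-{last}")
    return "OK write"


# Constructed sample frames, built the way a panel would send them.
def write_single_coil(tid: int, unit: int, address: int, on: bool) -> bytes:
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, 0x05, address,
                       0xFF00 if on else 0x0000)


def write_multiple_coils(tid: int, unit: int, address: int, quantity: int) -> bytes:
    nbytes = (quantity + 7) // 8
    head = struct.pack(">HHHBBHHB", tid, 0, 7 + nbytes, unit, 0x0F,
                       address, quantity, nbytes)
    return head + b"\xff" * nbytes


if __name__ == "__main__":
    samples = [
        ("10.0.101.10", write_single_coil(1, 1, 3, True)),
        ("10.0.101.10", write_single_coil(2, 1, 9, True)),
        ("10.0.0.99", write_single_coil(3, 1, 3, False)),
        ("10.0.102.10", write_multiple_coils(4, 1, 0, 16)),
    ]
    for src, frame in samples:
        print(src, frame.hex(), "->", check(src, frame))
```
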
I will defer to you re: Modbus/TCP as it is outside my area of expertise. Even if these systems are "common," I would still claim that they are not the "norm" for the simple reason that I have been in buildings that were clearly "smart" buildings and ones that were clearly not, and the latter outnumber the former. However, even if it were the norm for commercial buildings, I was thinking far more generally and that may be the source of our disagreement. Automatic doors, for example, are the norm for major retail stores (as well as airports, et cetera), but they just don't exist in private homes. It would be expensive and serve no purpose, and that is how I feel about most "Internet of Things" devices [EDIT: and most "home automation" devices].
I mean he did unplug network equipment and MiTM, if this isn't illegal it probably should be. I see ethernet cables all the time in things like hospitals and hotels, should anyone be able to simply unplug them and put their laptops in the middle?
Yes, anybody should be able to do that with no legal consequences. If you don't want to give people access to your network, don't provide them with a fucking port and cable explicitly designed for doing so.
Come on now, you really think people should be able to unplug cables anywhere they go? This could have major consequences at a hospital.
Edit: Completely agree Ska, no excuse for making it this easy. I'm just pointing out that just because it's easy to pick a lock or unplug some wires to MiTM doesn't mean it should be legal.
People shouldn't unplug equipment in a hospital without express permission, sure - they shouldn't do it in your home either.
If your security model relies on this, though, you have failed. Period.
It is maybe a little fuzzier in a hotel (should I be able to stream content to the TV from my device instead of paying you extra for a movie?) but similar applies.
Yes, if it's accessible, and nothing implies that you shouldn't - why not?
If a cable is not meant to be unplugged - there should either be a warning sign/message, a protection measure (even a nominal one, serving as a mere warning), or you shouldn't normally get access to it in the first place.
Obviously, there is common sense, too - you don't plug some working medical equipment, even though there may be no warnings - it's implied that it's commonly understood that disconnection would interfere with device's operation and endanger the patient. Or you don't suddenly turn off someone's PC at office just because the power outlet isn't covered by the table.
The door example is also misleading and plain wrong analogy. We're not talking about trespassing on others' property. When you rent a room, it's a common sense that you shouldn't steal the TV from it, but nothing tells you if some random Ethernet cable is some private network or just a WiFi replacement. It's the same as any other electrical socket (well, except it's a plug, not socket) - nothing implies that you can't use it, as long as you don't cause any damage to the property. If a rented room has a floor fan plugged in, I doubt you shouldn't be allowed to plug it out or even satisfy your curiosity and measure how much power it consumes. As long as you don't damage anything, of course.
There are too many people out there who want to plug in some odd lawmaking solutions (always, restrictions) that don't actually solve anything.
But what if you leave your door unlocked, or it isn't locked in a secure enough way?
Who is the guilty party?
Really, this is just social/legal understanding. It's unacceptable to open someone's door -- even if unlocked -- but acceptable (?) to wire yourself into someone's network if unguarded.
My favorite example of this is the evolution of volume controls in cars. These days you have all sorts of fancy and inferior alternatives that leave you wishing for a plain old-school volume knob. The worst are the purely virtual volume settings with up and down buttons on a touch screen. Or only a bit better, physical knobs that spin endlessly and just send up and down operations to a digital volume level. Reasons why the old school knob is better:
* It maintains its position across power cycles. It can even be adjusted when the car is off. So you can lower the volume knob before you turn the car on and blast loud rock into your grandmother's ears.
* It does not require you to look at a touch screen to find the volume buttons. Tactile feedback is enough. You can operate it while maintaining the other 99% of your attention on the road.
* It physically stops at the lowest and highest possible volumes. Again, no need to look at some display.
Even better would be a physical slider instead of a knob. That would let you feel out the exact position of the volume without looking. The downside would be the limited space on a car stereo dashboard. But please, a touch screen is the worst and most dangerous interface while driving.
The same goes for radio presets. In a car with physical buttons for the presets, I can switch between my favorite stations without having to look. Try doing that with a touchscreen. How is this progress?
Maybe it's just a symptom of an industry that's often more about selling status symbols than selling functional products.
I don't see what this gains the hotel. You get an increase in complaints/request about not being able to turn on/off lights, etc. Standard light switches are dirt cheap and last years and everyone from age 2 up knows how to use them.
Is this solely to look "fancy"? If so, then at least get the tech right otherwise you look incompetent.
Hotels are under substantial competitive pressure to seem fancy. Fancy hotels can charge a lot more. Looking good is often more important than ease of use, as is demonstrated by every hotel alarm clock I've ever tried to set.
It's also partly our fault. Computer-y stuff has had poor usability for years. A standard tech response to bad user experience has been to tell people that they're doing it wrong, that they just need to learn a particular trick and it will all be great. So people often assume that when something is hard to use, it's probably their fault. Which means that a buyer of stuff like this can have a bad experience and wave it away thinking that the tech is just fine. After all, why would somebody sell a computer-controlled lighting system that is in practice worse in every way than regular switches?
"Is this solely to look "fancy"? If so, then at least get the tech right otherwise you look incompetent."
How many of their guests have thought it looked fancy? Probably a lot. How many of their guests have done something similar to what this guy did? Probably not so much.
The 'Internet of Things' or whatever you want to call it – controllable peripherals, ubiquitous connections, stuff like that – is a pretty cool concept. I want to be easily able to do things like ask 'when will my laundry be finished?', or have my central heating come on when I start heading home. Not because it's massively beneficial, but because it removes some minor annoyances.
The technology is there, and has been for a while. But the proliferation of mindless, unforgiveable security flaws, pervasive surveillance, proprietary cloud-based networks, shitty software and bad UX generally – it's really mad. It really makes it difficult to want to use any of these devices.
I'd love some kind of proper, non-half-baked-and-riddled-with-holes solution for home automation, but I reckon I'd probably have to build it myself.
Well, one major problem that I see is that we aren't required to learn about any of this stuff before we buy it and most of the people whose job it is to set this up would gladly do it for less than someone who knows what they're doing even though they know nothing about it. The entire world is set up incorrectly for something like IoT. We try to get as cheap as we possibly can with everything and we try to skimp on any labor cost but set everything up fancy as hell. That's always going to leave you with security holes because security doesn't make money. Not unless someone starts getting punished for the bullshit security they are putting into these things.
For the local hardware, I use Arduino Nano clones, nRF24L01+ mesh networking chip, whatever sensors/actuators, and the MySensors library. Encryption and packet signing are both turned on.
On the gateway, it is just a serial console opened up to an Arduino Nano and nRF24L01+. I use Node-Red on the machine the serial gateway is plugged into. I also use the MQTT broker Mosquitto as my backing store for IoT data, from any of my machines. I design my architecture around that.
To connect between physical areas (from house to hackerspace), I use Tor Hidden Services, giving each endpoint a .onion address. With that, all my computers on the .Onion network can talk with each other as if they are on medium-high latency hub. And it also solves the problem of "staticIP/port forwarding/firewall rule change/dynDNS" crap. I drop Tor, set up a hidden service, route 22 to Tor, and off it goes. All I need do is keep track of that onion address.
And that provides me devices I have complete control over, utilizing a cloud of computers I own. I'm looking into how I can blend in IPFS as well for logging capabilities.
If you found that you could do the same thing on a classic installation, people will be like, "So what?" and an electrician wouldn't even be excited to try it.
But since hacking is cool, we like this stuff.
Weird thing also is that using WiFi years ago was basically giving your data, when SSL websites were so rare. And we didn't even care for it...
I could see a hotel system that turns off the lights at some predetermined time if the room is not rented, in case they were accidentally left on. That might save them some electricity, but it's hard to see it saving enough to pay for the system.
I work in a flagship building in France, known for its environmental compliance and automation features. It's quite nice, but there's a web app to toggle the lights, the blinds and whatnot. And guess what, the logins to other floors are trivial to guess.
This is a great example of more technology making things worse. I don't mean badly done technology, I mean that even if this were working and secure, a light switch would be cheaper, more durable, easier to repair, and easier to use.
In a competition it's possible to wake up your competitor. I mean if you are going to play a tennis or football match the next day, you can bother your competitor to have an advantage.
Last week's episode, Ask This Old House, had something similar. They swapped a normal front door lock/handle with a Bluetooth (or WiFi) controlled unit. The phone could be used with an optional WiFi extender. My head swirled with so many scenarios where things could be bad.
1) Leave the phone in the home, you'll never be able to get in!
2) Wireshark the WiFi
3) Hijack the signal
I'm sure the dark side is waiting for us all to adopt IoT in our homes. I prefer my mechanical locks, thank you.
I think one part of the reason is "good" developers almost never apply for jobs to work on such projects. These projects are not cool or cutting edge, and you won't learn anything new. Also the reason why a lot of outsourcing, which is boring, and tedious 'business software' type work ends up being of average to below average quality.
It happens elsewhere too. Like how poor people get public defenders who are overworked, underpaid and not as good as private lawyers.
> My coworker asks whether you can control the channels. Can you set all of your neighbours' TVs to pay-per-view while they're out?
Hahahahahahah! "Asking for a friend."
But really, folks are talking about the nuisance of waking people up in the middle of the night and that's true. However, controlling channels could be a more significant nuisance.
Having stayed at a similar (same) hotel don't even get me started on the guest experience. It took longer to familiarise myself with all the controls in the room than a normal stay in the hotel. Also really appreciated the slight glow all the tablets gave off at night...well they did until they got covered with cushions and gaffer tape!
In the hotel's defence, I'm sure he could also go to conventional hotels and chop a hole in the wall and start messing with the wiring to achieve approximately similar "security breaches". The broken implementation is more concerning to me than the security aspects.
I wonder if a more fruitful attack target than the lights in other rooms might be the android switches themselves. Even cheap commodity android tablets contain cameras or at least microphones. There's almost certainly a remote update interface on them of some sort.
Don't suppose those tablets had any kind of microphone or image sensor/webcam built into them? If they're using cheap generic android tablets, they probably do.
Should be fairly simple to setup remote blackmail-material-collection. :(
There’s nothing inherently wrong with a touchscreen, IoT light switch. But the main problem here, apart from using an insecure legacy protocol, is the use of a general-purpose OS like Android instead of an embedded OS.
It’s not just this light switch – Android refrigerators, Android ovens, Android washing machines are all using a wildly inappropriate operating system for single-purpose devices. The problem is likely that it’s a lot easier to develop for Android than it is for a proper embedded OS: It’s faster, the commodity hardware is easy to procure, licensing fees are minimal to none, and it’s easier to hire developers.
The first company to bring to market a more IoT-appropriate, yet accessible combination of operating system and SoC reference designs stands to become a massive player when IoT goes mass-market.
Yes, there is. Touchscreens lack tactile feedback, and for stuff that one must manipulate in the dark (like a light switch), that's a very important flaw.
Write a script to rhythmically open and close the curtains, as well as turn the lights on and off for the whole floor. Then call OK Go and tell them to bring a drone because you got their next clip idea.
I wonder if, with MITM devices set up on a few consecutive floors, you could make massive pixelart animations on the outside of the building by turning lights on and off...
Eh, it doesn't scare me because they have the name, credit card, and exclusive control over the lock on the attacker's door. You'd have to commit so many counts of fraud and hacking in order to attempt getting away with it, that the reward just doesn't seem there to me.
Why on earth are the 2 largest and highest valued technological companies in human history repurposing mainframe multi-user computer operating systems from the 1970s (extended even further with sandboxed app containers!) for mobile phones!?
It smacks of deliberate incompetence to sell hardware.
IoT on top of this just smacks, again, of deliberate incompetence, to either sell hardware or raise the attack vector profile (the NSA loves you!)
Why on earth is there still no reasonable competition to either Android or iOS?
A lot of consumer IoT feels forced. It feels like I am supposed to want these things. What am I? A luddite? It's The Future(tm)! Of course I should want a less reliable, more expensive, shorter life span, more complex security/privacy nightmare in place of a completely reliable long-lived inexpensive device.
Complexity is costly in many, many ways. There is zero justification for adding it to anything unless the payoff is some multiple of the complexity cost being added. I just don't see it here.
For any new tech, I always ask "what super power will this give me?" For much of IoT I can't answer that question. There are a few nice-to-haves but nothing compelling, no must-haves or genuine wows. Then you add in all the unbelievably creepy security and privacy implications and any lukewarm interest goes away. I can't shake the obviously crazy idea that some of this stuff is being pushed because certain people (advertisers, intelligence agencies) want as many sensors out there watching us as possible. Imagine every light switch, thermostat, etc. with an Internet connection and then think about the meta-data correlation capabilities with mobile sensor and location data and other Internet traffic.
We're really talking about a total surveillance society where literally every single thing you do is stored in a database somewhere. Anyone able to correlate your phone's approximate location and/or your web browsing history with, say, light switch data really will know every single time you use the bathroom and for exactly how long.
Do you stop moving and kneel every day at the correct time? Then you're praying to Mecca-- you're a Muslim. Do you leave the lights on late? That might say something about your personality profile. Do you work with the lights off? That says something else. Is there ambient sound but no light and are a male and a female present? They might be having sex. Two men in the bedroom? Gay sex! And that's just the easy low-hanging fruit I can imagine. Throw some theory-agnostic deep learning at it and I can imagine unbelievably spooky stuff that makes this look tame:
But mostly I think the driver is tech industry wishful thinking. Everyone is looking for the next catapult capable of tossing unicorns to billion dollar valuations in 1-2 years.
Mobile has IMHO been a bit of a disappointment. It's been big but not quite as big as everyone predicted. It's failed to displace desktop or achieve "convergence," and the limitations of the UI and the walled garden model have kept "serious" apps off mobile platforms for the most part. The collapse of app stores as a commercial software sales platform with prices spiraling down to $0 and clutter making new apps un-discoverable has further destroyed any incentive to push the boundaries of the platform beyond a "portable dumb terminal."
It's also been an architectural disappointment. It was supposed to be a clean slate where we could escape some of the cruft and bloat of desktop, but we're doing iOS and Android around here and the development experience on both is as bad or worse than Windows, Linux/Qt/GTK, and the web. It's not the promised land by any stretch. We took a lot of bad ideas with us from desktop and then added walled gardens and more resource constraints. Woohoo!
So now everyone's hoping IoT will be the next unicorn flinger. I'm skeptical so far. The Blackberry and the iPhone had immediate killer apps: maps, portable chat/email, portable books, music, and movies, etc. Those are real benefits that are worth the cost and the downsides. They're "super powers." Where's the super power in an internet connected light switch?
I work in the Hotel industry making Apps for reservations and in room entertainment and engagement. Some of your statements make sense but, from the hotel's perspective, some of the reasoning for implementing this stuff has little to nothing to do with making the experience better for the guest. We use the data we get from things like the lights, temperature, and other information to find ways to save money and find how to better set up properties for profit. It's a numbers game. We hope that we can use the same tech to drive user engagement and keep them within the apps so they become lifetime guests and book with us for subsequent stays. It is a marketing and management effort. All about the ability to save money while driving engagement.
People forget how reliable and secure things like hard-wired physical light switches and other natural interfaces (like paper books, etc.) are. There seems to be a vast ignorance about topics like reliability, interfaces, usability and design. Just because it's digital, it doesn't mean it's better - I'd argue for the contrary in many cases. I don't want to upgrade the firmware of lightbulbs, I just don't. Despite my affinity for them, I have more than enough computers surrounding me in my everyday life.
Everything you said, and also that the old analog devices are future proof.
For a trendy metropolitan hotel, with a design refresh cycle of 10 years at the most, the future might not matter. But people are wanting to put these devices in homes with a refresh cycle that should be more like 30 to 50 years. Big difference.