Re: IoT security, was Krebs on Security booted off Akamai network

[Mel Beckman <mel () beckman org>]

I just bought a $20 Lacrosse remote RF temperature sensor hub for home, the GW-1000U. It does the usual IoT things: 
after you plug it in, it gets a DHCP address and phones home, then you register it using a smartphone on the same LAN, 
which I'm guessing finds the device via a broadcast and then configures the hub with my Lacrosse account info. All 
communication is thereafter through the cloud. 

 It set itself up quite conveniently and efficiently, and now will start charging me $12/year for alerts and texts. An 
acceptable business model.

Except the thing is a teaming mass of security vulnerabilities. 

How much authentication went on in this process? None. I captured the thing's packets in my firewall's onboard sniffer 
from the get go. All data is exchanged as plaintext on port 80. The protocol is completely undocumented, but I've since 
discovered that at least one enterprising tinkerer has reverse engineered it so people can bypass the manufacturer's 
monetization model. 

The device accepts TCP connections on 22, 80, and 443.  Theoretically I can't see why it ever needs ongoing inbound 
connections, so this seems to be a security concession made by the maker. Also, it appears to support SSL, but uses 
plaintext. Why? Because it's easier to debug in the early deployments, I'll wager. But the thing has been out for years 
and they're still not using encryption, even though the device apparently has the ability.

As a knowledgable consumer (and security researcher) I'll overcome these shortcomings by putting this device on its own 
VLAN with extensive firewalling. Still, I can't be sure it won't be malicious, or get exploited through the cloud. And 
VLANs have their own security weaknesses, despite my using pricey enterprise hardware at home. 

My point is that if an expert has to expend several hours of highly technical labor to "responsibly" use a $20 IoT 
sensor, and use enterprise-grade IT gear and methods to gain even a modicum of safety, then what hope do Ma and Pa 
Kettle have? 

This is not a consumer education problem, unless we think consumers should also learn  thermodynamics in order to 
drive, the Bernoulli principle in order to be airline passengers, and biochemistry to cook their own food. It's clearly 
a giant screw-up by manufacturers who could easily spread the cost of best-practice security measures across a large 
customer base.

That they don't shows lack of moral character, and nothing else. 

 -mel beckman

> On Oct 9, 2016, at 7:03 AM, John R. Levine <johnl () iecc com> wrote:
>
> > On Sun, 9 Oct 2016, Florian Weimer wrote:
> >
> > If we want to make consumers to make informed decisions, they need to
> > learn how things work up to a certain level.  And then current
> > technology already works.
>
> I think it's fair to say that security through consumer education has been a failure every time anyone has tried it.  
> Why do you think this would be any different?
>
> > There is little interest in this, however.  There's a comparable
> > business case for providing managed PCs to consumers, and I'm not sure
> > if any such companies are still left.
>
> There's at least two large ones: Microsoft and Apple.  Try installing Windows 10 without letting Microsoft update and 
> reconfigure the software any time they want, any way they want.
>
> Expecting consumers to evaluate the security behavior of their lightbulbs and their refrigerator is absurd.  We need 
> to figure out how to have the devices and routers configure themselves so the devices can do what they need to do 
> without doing what we really don't want them to do.
>
> Regards,
> John Levine, johnl () iecc com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly