yyrkoon

RANT: Cloud of this, IoT of that . . .


That's why emails with cloud and IoT in the title usually get deleted unopened.

 

That being said, I think the webinar description is pretty clear and level-headed. It's about means for secure communication between the gateway and a node. Probably TLS and some such. Not sure where you got the end-of-the-world and ultimate-security-solution-for-everything vibe from.


That's why emails with cloud and IoT in the title usually get deleted unopened.

 

That being said, I think the webinar description is pretty clear and level-headed. It's about means for secure communication between the gateway and a node. Probably TLS and some such. Not sure where you got the end-of-the-world and ultimate-security-solution-for-everything vibe from.

Dramatization . . . from "Designing an IoT gateway with security protection can be a very challenging task"

 

This has nothing to do with an IoT gateway, and everything to do with internet facing. Which as I stated above is true for *anything* internet facing, especially servers. As far as being "level headed" I somehow do not get that statement. Since again this has nothing to do with IoT gateways, and everything to do with being internet facing (positive meaning this time).

 

See my point yet? "The cloud" and "IoT" are irrelevant. I'm sure anyone here who maintains servers for their companies can see my point.

 

example:

 

So, I have an msp430 launchpad v1.5 connected to a PC. I take temperature readings from it at regular intervals and shoot that data to a server we have online. That server then puts that data onto a webpage for the whole world to see. No magical cloud pixie dust, or magical IoT incantations. Just plain old networking, servers, and clients.


Truthfully speaking. I will *maybe* watch that video seminar, but probably after it's been recorded (not live). Just to see what's up. But I suspect that it will be like many other video seminars that I've watched, and possibly wish I had the time spent watching said video back. To do something actually meaningful with my life . . .


So, yeah: "Designing an internet-facing server with security protection can be a very challenging task" is fair enough. It's not so much that the original title implies the world will end if you don't attend, more that it implies the content is somehow specific to IoT when it's not.

 

What would be nice is if someone came up with a way to deal with the security holes left in the many internet "things" abandoned by their manufacturers without ongoing firmware updates...


Well am I the only one who does not really see this purported threat? One has an internal network, zigbee, low power RF, whatever, to a Linux, BSD, or something else NOT windows server. Which deals with all the security details as we already know them. By this of course, I mean as we already know how to deal with them the best we can. Because nothing is ever perfect . . . if someone wants into a remote system badly enough chances are pretty good they'll find a way in. *If* they're smart.

 

Anyway, maybe I'll watch this: https://app.pluralsight.com/library/courses/breaking-down-cloud-security/table-of-contents it definitely can't hurt.


Also, for those of you who do care. I was reading embedded monthly last month, or perhaps the month before that. And read an announcement by Dell that they'll be building, and selling IoT gateways . . . So as far as someone who does not have the time, or know-how . . . Well now you can buy one from a big OEM . . .


WTF is an off-the-shelf IoT gateway anyway? Just a rebranded ordinary router? An edge router for every protocol they thought of - Zigbee, 6LoWPAN over various frequencies, etc.? Sounds like a scary idea.

 

By the way, there's now an OWASP for IoT. Not great but better than nothing. Not sure where I heard about it. Apologies if it was here!

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project


Well am I the only one who does not really see this purported threat? One has an internal network, zigbee, low power RF, whatever, to a Linux, BSD, or something else NOT windows server. Which deals with all the security details as we already know them. By this of course, I mean as we already know how to deal with them the best we can. Because nothing is ever perfect . . . if someone wants into a remote system badly enough chances are pretty good they'll find a way in. *If* they're smart.

 

That works against remote attacks, but the linux/BSD/non-windows server protecting the wireless device can be bypassed if you're in the vicinity. Then the unsecure wireless device can be exploited to leak your wireless key (for example).

 

The scale of that approach is greatly limited by the need to be near the target, but it means you can't assume a secure router will protect you if the devices are unsecure.


That works against remote attacks, but the linux/BSD/non-windows server protecting the wireless device can be bypassed if you're in the vicinity. Then the unsecure wireless device can be exploited to leak your wireless key (for example).

 

The scale of that approach is greatly limited by the need to be near the target, but it means you can't assume a secure router will protect you if the devices are unsecure.

Nah, not really. wifi and bluetooth are extremely hackable. bluetooth in particular can very easily be spoofed. However, with wifi there is the WDS protocol where only a specific MAC address can connect to the router, and it's a point to point protocol. Problem with that, in Linux MAC addresses can also be spoofed, but I'm not exactly sure how easy it would be to find the MAC addresses of authorized devices . . .

 

But my feelings are that if anyone is within close proximity, that you'll be in trouble no matter what. *IF* they know what they're doing.


The IOT thing has been around for long enough to become a cliche. As it stands now, in the consumer marketplace, it is a sales point for people that want the latest and greatest technology but have no clue how it works or what it is useful for. Roughly four years ago, I was shopping for a new refrigerator. The big store I went to had nothing that wasn't advertised as IOT (except dorm size), though only some of them were networkable. All of the networkable ones had features like temp setting through a web interface. All identified themselves readily with no security over the connection. A couple allowed Wifi connections direct to them (they acted as hubs if also connected to, say, a home network) 'for convenience'.

 

I don't need to know the details to know that a) these devices are a big ol' security hole, b) there is no need for a network connection for a home 'fridge, and c) once it is set, I have never changed the temp setting on a fridge or freezer, and don't see the benefit to being able to via a web interface, and d) I want no part of a neighbor, or a neighbor's annoying kid, being able to shut my fridge off when I go away for a couple days while there is food in it.

 

I also don't see the point of the same features (and basically same interface and poor security) in a lightbulb. Or many other products. A toaster oven with wifi and web interface (they exist)? What on earth for?

 

This is related to, but different from, the cloud push.

 

There are things that can benefit from the 'cloud' storage (file server) and always connected models. In most cases, it is a gimmick or a way to rent-seek. Note where Autodesk, for example, is going. Subscription and cloud storage, on their server, only. No net connection, no use. Saving backups locally is made awkward to impossible (awkward in Autodesk's case). Drop the contract, and you no longer have access to your files. Since software doesn't wear out, it is a way to ensure an income stream, and a better one, for the provider, than the last generation upgrade without downgrade path model that sold a new AutoCAD or Inventor license to most enterprise users every year (upgrade one machine, and all of the others in the organization can no longer work with projects touched on the upgraded machine). Given the market constraints and the need for the company to have an income stream if it is to remain solvent, I don't know how else they can do it, but that doesn't mean that I, as the little guy, like it or can afford it.

 

I'll shut up now. <Pshhhh> And have an adult bevvie.


The IOT thing has been around for long enough to become a cliche. As it stands now, in the consumer marketplace, it is a sales point for people that want the latest and greatest technology but have no clue how it works or what it is useful for. Roughly four years ago, I was shopping for a new refrigerator. The big store I went to had nothing that wasn't advertised as IOT (except dorm size), though only some of them were networkable. All of the networkable ones had features like temp setting through a web interface. All identified themselves readily with no security over the connection. A couple allowed Wifi connections direct to them (they acted as hubs if also connected to, say, a home network) 'for convenience'.

 

I don't need to know the details to know that a) these devices are a big ol' security hole, b) there is no need for a network connection for a home 'fridge, and c) once it is set, I have never changed the temp setting on a fridge or freezer, and don't see the benefit to being able to via a web interface, and d) I want no part of a neighbor, or a neighbor's annoying kid, being able to shut my fridge off when I go away for a couple days while there is food in it.

 

I also don't see the point of the same features (and basically same interface and poor security) in a lightbulb. Or many other products. A toaster oven with wifi and web interface (they exist)? What on earth for?

 

This is related to, but different from, the cloud push.

 

There are things that can benefit from the 'cloud' storage (file server) and always connected models. In most cases, it is a gimmick or a way to rent-seek. Note where Autodesk, for example, is going. Subscription and cloud storage, on their server, only. No net connection, no use. Saving backups locally is made awkward to impossible (awkward in Autodesk's case). Drop the contract, and you no longer have access to your files. Since software doesn't wear out, it is a way to ensure an income stream, and a better one, for the provider, than the last generation upgrade without downgrade path model that sold a new AutoCAD or Inventor license to most enterprise users every year (upgrade one machine, and all of the others in the organization can no longer work with projects touched on the upgraded machine). Given the market constraints and the need for the company to have an income stream if it is to remain solvent, I don't know how else they can do it, but that doesn't mean that I, as the little guy, like it or can afford it.

 

I'll shut up now. <Pshhhh> And have an adult bevvie.

 

Networked lights are useful, and in fact have you heard of the DALI protocol? https://en.wikipedia.org/wiki/Digital_Addressable_Lighting_Interface

 

Networked, a DALI setup can be used to control / monitor lighting in a very large building. Which is very useful. As far as bluetooth lights go . . . I have one, and this one is not all that great, but I can see how bluetooth, or wifi lights can be very useful.

 

Anyway, there is an article in this month's electronic design magazine, "The biggest Security Threats facing embedded designers", and much of it covers IoT. They propose that this can not be dealt with using software alone, but instead software, and hardware. I disagree. If a decent software protocol was in place, hardware would not matter. The problem *IS* all the major "consumer grade" networking protocols are garbage. Industrial networking protocols, I do not know all that well.

 

However, if somehow we could move most or all of these remote sensors to a wired network. For any given situation. We would not be having this discussion. So what we really need, is a wireless networking protocol that is not so insanely flawed, that an 8 year old child could break into it . . .


Or the person making the IoT device *DOESN'T* ;)

 

(Yes, this has since been patched out)

 

It's really easy for anyone to not know everything they need to in order to design a secure device. I was in the security sector for years as a private consultant, and it was not easy keeping up. Just on security flaws. Not to mention everything else an embedded designer would need to know . . .


WTF is an off-the-shelf IoT gateway anyway? Just a rebranded ordinary router? An edge router for every protocol they thought of - Zigbee, 6LoWPAN over various frequencies, etc.? Sounds like a scary idea.

 

By the way, there's now an OWASP for IoT. Not great but better than nothing. Not sure where I heard about it. Apologies if it was here!

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

I was not aware of this, but one thing I did notice once you provided the link is that there is no project for the one language that needs it the most probably. JavaScript (Node.js).


It's really easy for anyone to not know everything they need to in order to design a secure device. I was in the security sector for years as a private consultant, and it was not easy keeping up. Just on security flaws. Not to mention everything else an embedded designer would need to know . . .

 

Agreed. That's why I'm not delighted by the prospect of IoT-mania encouraging a proliferation of cheap internet-connected devices.
