Considerations for Securing and Optimizing the Internet of Things

Devices from smartphones to Wi-Fi-connected refrigerators represent what’s called the “Internet of Things”: billions of devices that are connected to the Internet. As the number of devices with Internet connectivity is set to expand significantly in the near future, it is worth examining how to best use the IoT for the future.

It is first of all worth noting that there will be numerous security vulnerabilities opened for consumers because of the expansion of the Internet of Things. Of the tens of billions of devices that will be added over the next several years, few of them will likely have regular security updates.

Security updates are important in computer security because they allow vulnerabilities in software to be patched. When known vulnerabilities in devices persist unpatched, they create opportunities for adversaries to exploit them.

Billions of new vulnerabilities create problems because, the way computer security tends to work, it may take only one vulnerability on a network to compromise much else. That’s part of why defense in computer security has been so difficult — the attacker may only need one opening, while the defender may have to defend everything.

For example, say an adversary manages to compromise someone’s phone. The phone may then later connect to the refrigerator to prepare refreshments, further allowing the spread of malicious software from one infected device to another. This process may repeat itself again if the refrigerator were able to compromise the Internet-connected router, and once the router is compromised, the thermostat could be compromised too, making a home too hot or cold while driving up electricity costs.

There are a variety of realistic enough scenarios like this, which are more concerning when more sensitive items such as computers accessing bank accounts and home cameras are included. There are of course solutions to these concerns though.

It is probably better that some devices (such as pacemakers) are simply never designed to have Internet connectivity to begin with. Thermostats and refrigerators are the type of devices which clearly don’t require Internet connectivity to fulfill their intended purpose. Letting them be connected to the Internet may be convenient, but it may very well not be worth the increased potential of compromising other devices and being compromised themselves, leading to substantial costs in unintended heating or spoiled food.

For the devices that are, for whatever reason, connected to the Internet, it’s better to have multiple networks with strong security in a home or building where possible. That way, if an IoT device on one network is compromised, devices on another network have another barrier of protection against being compromised.

This relates to a concept in security known as security by compartmentalization. Since all of today’s software contains flaws — vulnerabilities that can be exploited — the approach of compartmentalization seeks to limit damage before it can spread too far.
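The effect of splitting a home into multiple networks on the phone-to-refrigerator-to-router scenario above can be modeled as a reachability problem. The following is an added example, not part of the original post; the device names, segment names and firewall policies are constructed assumptions.

```python
from collections import deque

# Constructed sample home: device -> network segment (all names are assumptions).
DEVICES = {
    "phone": "trusted", "laptop": "trusted",
    "fridge": "iot", "thermostat": "iot", "camera": "iot",
    "router-admin": "infra",
}

# A policy is None (one flat network) or a dict with:
#   allow    - (source segment, destination segment) pairs the firewall permits
#   isolated - segments whose members may not talk to each other
FLAT = None
SEGMENTED = {"allow": {("trusted", "iot")}, "isolated": set()}
ISOLATED_IOT = {"allow": {("trusted", "iot")}, "isolated": {"iot"}}


def can_connect(src, dst, policy):
    """True if src may open a connection to dst under the policy."""
    if policy is None:
        return True
    s, d = DEVICES[src], DEVICES[dst]
    if s == d:
        return s not in policy["isolated"]
    return (s, d) in policy["allow"]


def blast_radius(start, policy):
    """Devices an infection starting at `start` can reach hop by hop."""
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for other in DEVICES:
            if other not in seen and can_connect(current, other, policy):
                seen.add(other)
                queue.append(other)
    return seen


if __name__ == "__main__":
    for name, policy in [("flat", FLAT), ("segmented", SEGMENTED),
                         ("segmented + isolated IoT", ISOLATED_IOT)]:
        for start in ("fridge", "phone"):
            print(f"{name:26} {start:7} -> {sorted(blast_radius(start, policy))}")
```

A compromised phone still reaches the appliances in every policy, because that flow is deliberately allowed: compartmentalization limits how far a compromise spreads, it does not remove the paths the household actually needs.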

In terms of optimization, some things are worthwhile to have connected. Different machines or robots should be communicating with each other on a task, such as how many raw materials are needed. This will save humans the need to report such details themselves, allowing them to focus on more productive tasks.

As cooperation can be powerful among humans, so too can it be among machines and other devices. It’s going to require strong security practices such as implementing compartmentalization, having standards on security updates, and using better encryption schemes for software, but it can be done, and it should be done. Since technology has no moral imperative, what humans do with technology will likely either create dystopias or utopias. It’s a question of whether the Internet of Things will lead primarily to chaos or to widespread benefits.

New Coating for Devices Would Make Them Much More Resistant

Good news for the safety of electronics, especially with regards to their potential exposure to liquids.

Sometimes our phones end up in the toilet bowl, or laptops end up covered in tea. It happens.

But if they were coated with an ‘omniphobic’ material, like the one created by a team of University of Michigan researchers, your devices would be a lot more likely to come out unscathed.

[…]

This everything-proof material works by combining fluorinated polyurethane and fluorodecyl polyhedral oligomeric silsesquioxane (F-POSS).

F-POSS has an extremely low surface energy, which means that things don’t stick to it.

The coating developed by the team stands out from other similar materials because of the clever way these two ingredients work together, forming a more durable product.

“In the past, researchers might have taken a very durable substance and a very repellent substance and mixed them together,” Tuteja said.

“But this doesn’t necessarily yield a durable, repellent coating.”

But these two materials have combined so well, they ended up with a durable coating that can repel everything – oil, water, or anything else the researchers threw at it.

[…]

Although this all sounds amazing, this incredible coating won’t be available quite yet – F-POSS is rare and expensive right now, although that is changing as manufacturers scale up the product, which should lower the cost.

Germany Will Possibly Enact Law That Requires Device Manufacturers to Put in Dangerous Backdoors

Backdoors in technology are a problem because they are vulnerable to being exploited by more than just “good” people — they are also vulnerable to exploitation by malicious adversaries. With this reasoning in mind, requiring backdoors (security flaws that are designed in) to be built in would put the German public at much greater risk of harm from criminal threats. So this proposal to mandate backdoors is dangerous and should be opposed, as it’s a policy of horrible security.

German authorities are preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations. The law would target all modern devices, such as cars, phones, computers, IoT products, and more.

Officials are expected to submit their proposed law for debate this week, according to local news outlet RedaktionsNetzwerk Deutschland (RND).

[…]

Furthermore, the new law would also give German officials powers akin to the “Hack Back” bill proposed in the US, allowing authorities the power to hack any remote computer. The Minister says this is important to “shut down private computers in the event of a crisis,” such as is the case with botnet takedowns.

But privacy advocates who also read the new law proposal say the text also contains verbiage that would allow the German state to intercept any traffic on the Internet [1, 2], effectively setting up a surveillance state with full snooping powers over everyone’s online communications. Experts called for caution before approving the new law, which could be abused in its current state.

German authorities anticipated such reaction and said that any access to such data would be allowed only after law enforcement have obtained a court order. But the problem with encryption backdoors is not how you access them, but that they exist in the first place and that they could be abused by ill-intent actors as well.

The law proposal is not a surprise for people who’ve been keeping an eye on such things. There are concerted efforts going on in Germany, France, and the UK to introduce legislation for mandatory encryption backdoors. In fact, de Maizière and his French counterpart even signed a joint letter they sent to the European Commission that supported encryption backdoors.