[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cryptography] Confidentiality and IoT (was: Old Let's Encrypt's Root Certificate expires...)

On Sat, Oct 2, 2021 at 8:25 PM Dennis E. Hamilton <dennis.hamilton AT acm.org> wrote:
-----Original Message-----
From: cryptography Jeremy Stanley
Sent: Friday, October 1, 2021 15:00
To: cryptography AT metzdowd.com

>On 2021-10-01 14:22:01 -0400 (-0400), Phillip Hallam-Baker wrote:
 >> If all you want is confidentiality, unauthenticated ephemeral key
 >> exchange is sufficient to defeat passive attack which is more than
 >> sufficient to control my conversations with my house thermostats, etc.

 >Veering even farther off-topic, I don't really think confidentiality is
the problem with where IoT is going.

 [ ... ]

>People are concerned with the notion of criminals getting access to
poorly-secured IoT devices, but the joke's on them. The real criminals were
>baked in before those devices ever shipped.

Yes, and with regard to prescribed healthcare devices, it is concerning how
these phone home, are now blue-toothed to phone apps, and are somehow
controllable remotely as well as monitored.  I may trust my sleep therapist,
but have not such confidence in the intermediaries and knowing who all of
them are and the dependability of their protections of data about me.  My
fitness band doesn't even have HIPAA assurance.

I'm also distressed by how health providers and some insurers are captivated
by snake-oil (bespoke) chart systems that exhibit serious faux privacy
safeguards to their patients/subscribers.  That a surgeon trusts the office
manager to have proper secure access to charts is not any reassurance for
me, who sees blatant sign-in bypasses.

Le sigh, expecting things to get worse before forced to get better.

 - Dennis

Absolutely. I was responding to a series of issues with IoT devices being reported on Twitter etc., stuff stopping working that were being blamed on the WebPKI. There are two issues that appear to be separate but are actually joined.

When I was at VRSN, we had a group of people whose entire job was managing embedded root keys, getting them updated when needed, working out the configurations of intermediaries etc. So we replace a paid service with a 'free' one and such things are ignored because hey, our service is free. And stuff breaks when we have Device A talking to Device B which hasn't updated its root store.

This situation is actually a consequence of an issue that should receive a lot more attention but doesn't:

WHOSE Security.

That is the real step 1 in analyzing security. Who owns the assets being secured, who will bear the loss comes before identifying the assets or how to secure them.

The WebPKI was designed to stop consumers being ripped off when they shop online because the store they are buying from is being run is a scam operation that will take the money and run. The WebPKI-Lite is only designed to protect Google's advertising margins by preventing ISPs substituting adverts and because that is all they care about, the user is now exposed to the crooks and my Facebook feed is full of implausible adverts offering to sell me a one off wind sculpture by Anthony Howe $500K and weighing over a ton for $49.99. Oh and of course Facebook could block those ads but they make money from them so they make absolutely sure it is impossible to report them as scams because that might transfer liability to Facebook.

Whose Security explains a lot about the defects in IoT. To put it bluntly, the Smarthome today is utterly unworkable. Unless things change fast every single IoT company is going to go bust because the only reason to buy 'smart' devices is to save money and they all come with a much larger system administration effort requirement than they save effort. If you have a device with more than a couple of dozen IoT devices installed, at least one of them will be offline because it needs reconfiguration.

Oh and those device updates the manufacturers, push? Those often take away functionality. So I buy my Google Nest on the basis that it will integrate with my other systems and then find that it won't: Not unless it is on their terms. 

So control is a major issue that has to be fixed in the IoT world and control is a security issue. Every security control that is installed represents a shift in power between one party and another. Manufacturers are only thinking about their own security, not the user's security concerns. So every 6 months there is a new industry wide coalition to develop a new way for IoT devices to interoperate and every one of them is based on the user's 50+ devices connecting individually to 10+ manufacturer cloud services and interacting with them.

Security means security of the recurring revenue which should absolutely not exist. I don't pay rental on my Edison era lightswitch, why would I pay rental just because it has a CPU inside?

I have other issues with IoT, not least responsiveness. An Edison lightswitch responds instantly. Starting an app on my smartphone is a 5 sec delay, then 30 secs to log in, then 15 for some idiot clutter they want to push at me telling me how things changed, then another delay before I get to the page that lets me turn the light on or off.

I started in this business writing video games for the ZXSpectrum using Z80 CPU. A video game is a UI experience so compelling people pay to use it. If I could get instantaneous response in a 3D video game running on a 4MHz processor, Nest, etc, can give me instantaneous control over my thermostats.
The cryptography mailing list
cryptography AT metzdowd.com