
hunson_abadeer | 2 years ago

While I'm sure the FCC has an end game of actually mandating these labels, the vast majority of IoT devices are not exposed to the internet and just aren't a major attack vector in most environments. How much money and time needs to be spent to secure an RGB lightbulb or a wireless speaker?

There is approximately one class of consumer devices that I suppose fall under the IoT umbrella and that are commonly attacked: modems and wifi routers. But these generally get security support. And if you had product labels, would it change shopping behaviors in any way? "This NetGear router will get security updates for 8 years" sounds great. But then, in 10 years, you might have the same router in your closet. Will you even remember the label by then?


loeg|2 years ago

If the device isn't internet-connected, it's not an IoT device. That's what the I stands for.

If what you're getting at is that most networked devices sit behind a consumer firewall, and that's probably good enough -- well, I mostly agree.

riskable|2 years ago

Most consumer routers these days are automatically assigning global IPv6 addresses to every device on their network. The only security feature protecting them is the difficulty of (random) discoverability (no firewall rules by default). As in, you can't just scan the entire IPv6 Internet looking for insecure devices as it would take too long (e.g. thousands of years) but if you can figure out their address they're right there, ready for hacking, from anywhere in the world.

The truth is that there are always other ways to find the IPv6 address of various devices inside a home. Many of them will happily tell you if you just send out the right broadcast (e.g. zeroconf) or they connect to services on the Internet that can be spoofed or just have generally terrible security (e.g. the addresses of all devices are publicly discoverable).

Another fun way to find these devices is buying up dead domain names (e.g. because the company no longer exists) and setting up services that auto-hack the insecure devices once they can finally "phone home" again due to the malicious domain suddenly coming back online. This kind of hack works regardless of firewall rules (assuming the device is allowed to "phone home" at all).
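
An added example, not part of the comment above: a home-network audit that reads neighbor-table output in the style of `ip -6 neigh show` and reports which devices hold a global IPv6 address, and so depend on the router's inbound firewall rules. It goes beyond the comment by also flagging interface IDs derived from the MAC address (EUI-64), which are not random at all. The sample table is constructed, and the 2001:db8::/32 documentation prefix stands in for a real ISP prefix.

```python
import ipaddress

# Constructed sample in the style of `ip -6 neigh show`; MACs are made up.
SAMPLE_NEIGHBORS = """\
2001:db8:1:2:0211:22ff:fe33:4455 dev br-lan lladdr 00:11:22:33:44:55 REACHABLE
fe80::211:22ff:fe33:4455 dev br-lan lladdr 00:11:22:33:44:55 STALE
2001:db8:1:2:9c3a:71e0:5b2d:88f1 dev br-lan lladdr a4:5e:60:aa:bb:cc REACHABLE
fd12:3456:789a:1::20 dev br-lan lladdr b8:27:eb:01:02:03 REACHABLE
"""

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def eui64_iid(mac: str) -> bytes:
    """Interface ID that SLAAC derives from a MAC using modified EUI-64."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "")))
    raw[0] ^= 0x02  # flip the universal/local bit
    return bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])


def classify(addr: ipaddress.IPv6Address) -> str:
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def audit(neigh_text: str) -> list:
    """One finding per neighbor entry that has a known link-layer address."""
    findings = []
    for line in neigh_text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entries carry no MAC
        try:
            addr = ipaddress.IPv6Address(fields[0])
        except ipaddress.AddressValueError:
            continue  # not an IPv6 entry
        mac = fields[fields.index("lladdr") + 1]
        scope = classify(addr)
        findings.append({
            "addr": str(addr), "mac": mac, "scope": scope,
            # True when the low 64 bits are just the MAC in EUI-64 form
            "mac_derived_iid": addr.packed[8:] == eui64_iid(mac),
            # Global addresses are routable from outside unless the router filters
            "needs_firewall_review": scope == "global",
        })
    return findings
```

Each entry with `needs_firewall_review` set is a device to check against the router's IPv6 inbound rules.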

Karunamon|2 years ago

Disagreeing on being good enough. The problem is that many of these devices regularly poll their mothership for commands and updates. We are one (feasibly, already done but unknown) server compromise away from millions of light bulbs or outlets or whatever turning into a botnet.

permo-w|2 years ago

>If the device isn't internet-connected, it's not an IoT device. That's what the I stands for

in practice, the I in IoT means that the device connects to your wi-fi. whether that extends to the open web or not, it's still an IoT device, even if it doesn't conform to the word "internet" in the strictest sense

diffeomorphism|2 years ago

In the same way a butterfly is made out of butter.

Many devices work just fine with local only connection. If an IoT device does not work without internet that is a reason to not buy it.

unethical_ban|2 years ago

I disagree. Regardless of the use of the word Internet, I argue IoT is a broad term describing devices not traditionally connected to networks which now are.

Just because I build a private network of cameras, power monitors and weather sensors at my house doesn't mean those don't qualify as IoT devices.

2OEH8eoCRo0|2 years ago

The FCC commissioner that was here the other day explained that if companies put these labels on their products then they will be liable for cyber security issues which would be enforceable under contract law. The label being a contractual agreement.

thayne|2 years ago

> the vast majority of IoT devices are not exposed to the internet

IoT stands for "internet of things". I am by no means an expert in the area, but my understanding was that an IoT device is by definition connected to the Internet.