[Cryptography] Confidentiality and IoT (was: Old Let's Encrypt's Root Certificate expires...)

Jeremy Stanley fungi at yuggoth.org
Fri Oct 1 18:00:26 EDT 2021

On 2021-10-01 14:22:01 -0400 (-0400), Phillip Hallam-Baker wrote:
> If all you want is confidentiality, unauthenticated ephemeral key
> exchange is sufficient to defeat passive attack which is more than
> sufficient to control my conversations with my house thermostats,
> etc.

Veering even farther off-topic, I don't really think confidentiality
is the problem with where IoT is going.

I recently had my home HVAC replaced and the installer put in what
had the potential to be a "smart thermostat" but the "smartness" of
it depended on me creating an account on some random Web site,
giving its operators my personal details, and then configuring the
thermostat to report what's going on to them so that they could in
turn provide me with access to *their* data about my home.

Needless to say what I have is instead a "dumb" thermostat which has
not been given information on how to connect to the Internet, but
manufacturers of these sorts of devices have already figured out a
variety of ways around that problem as well, from trying to
illicitly send through any open WiFi access points they happen to be
able to see, to embedding low-cost cellular radios with subsidized
service, to federating with other devices within range which know
how to relay to the Internet.

Similar anecdote... years ago my wife got a training watch which was
basically a wrist-mounted GPS receiver displaying distance, speed,
and other telemetry used in training for endurance events. It came
with software you could install on your computer into which you
could sync the telemetry and do fun things like map the routes you
took or trend performance over time. As eventually happens, its
internal rechargeable battery started to go so we looked into
getting a newer model.

Apparently the vendor stopped making the computer software to do
analysis locally, instead requiring you to send your telemetry over
the Internet to them so they could then provide you with access to
*their* data about where you went. Even more fun, they stopped
putting GPS circuitry in the watches at all, requiring you to pair
them to a smartphone you carried with you in order to rely on its
GPS instead. Luckily, I found a suitable replacement battery pack to
solder into the old watch, though I don't know how long I'll be able
to keep doing that.

People are concerned with the notion of criminals getting access to
poorly-secured IoT devices, but the joke's on them. The real
criminals were baked in before those devices ever shipped.
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20211001/c179d7d9/attachment.sig>

More information about the cryptography mailing list