[Cryptography] Confidentiality and IoT (was: Old Let's Encrypt's Root Certificate expires...)

[Phillip Hallam-Baker]

On Sat, Oct 2, 2021 at 8:25 PM Dennis E. Hamilton <dennis.hamilton at acm.org>
wrote:

> -----Original Message-----
> From: cryptography Jeremy Stanley
> Sent: Friday, October 1, 2021 15:00
> To: cryptography at metzdowd.com
>
> >On 2021-10-01 14:22:01 -0400 (-0400), Phillip Hallam-Baker wrote:
>  >[...]
>  >> If all you want is confidentiality, unauthenticated ephemeral key
>  >> exchange is sufficient to defeat passive attack which is more than
>  >> sufficient to control my conversations with my house thermostats, etc.
>  >[...]
>
>  >Veering even farther off-topic, I don't really think confidentiality is
> the problem with where IoT is going.
>
>  [ ... ]
>
> >People are concerned with the notion of criminals getting access to
> poorly-secured IoT devices, but the joke's on them. The real criminals were
> >baked in before those devices ever shipped.
> --
>
> Yes, and with regard to prescribed healthcare devices, it is concerning how
> these phone home, are now blue-toothed to phone apps, and are somehow
> controllable remotely as well as monitored.  I may trust my sleep
> therapist,
> but have not such confidence in the intermediaries and knowing who all of
> them are and the dependability of their protections of data about me.  My
> fitness band doesn't even have HIPAA assurance.
>
> I'm also distressed by how health providers and some insurers are
> captivated
> by snake-oil (bespoke) chart systems that exhibit serious faux privacy
> safeguards to their patients/subscribers.  That a surgeon trusts the office
> manager to have proper secure access to charts is not any reassurance for
> me, who sees blatant sign-in bypasses.
>
> Le sigh, expecting things to get worse before forced to get better.
>
>  - Dennis
>

Absolutely. I was responding to a series of issues with IoT devices being
reported on Twitter etc., stuff stopping working that were being blamed on
the WebPKI. There are two issues that appear to be separate but are
actually joined.

When I was at VRSN, we had a group of people whose entire job was managing
embedded root keys, getting them updated when needed, working out the
configurations of intermediaries etc. So we replace a paid service with a
'free' one and such things are ignored because hey, our service is free.
And stuff breaks when we have Device A talking to Device B which hasn't
updated its root store.


This situation is actually a consequence of an issue that should receive a
lot more attention but doesn't:

WHOSE Security.

That is the real step 1 in analyzing security. Who owns the assets being
secured, who will bear the loss comes before identifying the assets or how
to secure them.

The WebPKI was designed to stop consumers being ripped off when they shop
online because the store they are buying from is being run is a scam
operation that will take the money and run. The WebPKI-Lite is only
designed to protect Google's advertising margins by preventing ISPs
substituting adverts and because that is all they care about, the user is
now exposed to the crooks and my Facebook feed is full of implausible
adverts offering to sell me a one off wind sculpture by Anthony Howe $500K
and weighing over a ton for $49.99. Oh and of course Facebook could block
those ads but they make money from them so they make absolutely sure it is
impossible to report them as scams because that might transfer liability to
Facebook.


Whose Security explains a lot about the defects in IoT. To put it bluntly,
the Smarthome today is utterly unworkable. Unless things change fast every
single IoT company is going to go bust because the only reason to buy
'smart' devices is to save money and they all come with a much larger
system administration effort requirement than they save effort. If you have
a device with more than a couple of dozen IoT devices installed, at least
one of them will be offline because it needs reconfiguration.

Oh and those device updates the manufacturers, push? Those often take away
functionality. So I buy my Google Nest on the basis that it will integrate
with my other systems and then find that it won't: Not unless it is on
their terms.


So control is a major issue that has to be fixed in the IoT world and
control is a security issue. Every security control that is installed
represents a shift in power between one party and another. Manufacturers
are only thinking about their own security, not the user's security
concerns. So every 6 months there is a new industry wide coalition to
develop a new way for IoT devices to interoperate and every one of them is
based on the user's 50+ devices connecting individually to 10+ manufacturer
cloud services and interacting with them.

Security means security of the recurring revenue which should absolutely
not exist. I don't pay rental on my Edison era lightswitch, why would I pay
rental just because it has a CPU inside?


I have other issues with IoT, not least responsiveness. An Edison
lightswitch responds instantly. Starting an app on my smartphone is a 5 sec
delay, then 30 secs to log in, then 15 for some idiot clutter they want to
push at me telling me how things changed, then another delay before I get
to the page that lets me turn the light on or off.

I started in this business writing video games for the ZXSpectrum using Z80
CPU. A video game is a UI experience so compelling people pay to use it. If
I could get instantaneous response in a 3D video game running on a 4MHz
processor, Nest, etc, can give me instantaneous control over my thermostats.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20211003/2f006f45/attachment.htm>