So weev had some fun with printers recently. With 6 lines of shell, weev not only trolled hundreds of people from across the Atlantic Ocean, but also showed how screwed IT security is. If any of the affected organizations used even the most basic security measures, all of this could have been prevented. It’s sad that in $CURRENT_YEAR companies still can’t be bothered to implement the simplest of security measures.

But this post isn’t about anything Andrew Auernheimer has done, it’s about something worse – the Internet of Things (hereafter referred to as IoT).

Right now the IoT market is absolutely terrible for users. It’s incredibly insecure, it’s unreliable, and it’s incredibly hostile to user privacy and control. End-users must rely on the manufacturer to patch any bugs, to keep hosting their services in the Cloud™ from now until the end of time, and to not sell out their users’ privacy for a few extra bucks. Right now, the IoT is absolute nonsense and people should not spend money in the IoT market until things get better.

Brokennet

A particularly chilling example of the IoT nonsense is Nest’s outages and software failures, which set the temperature incorrectly or sometimes stopped the thermostat from working at all.

Oh, your software crapped out on your thermostat causing your power bill to go through the roof? Maybe you should’ve saved that money you paid for that fancy thermostat and put it towards something else… like your power bill!

Unfortunately, most IoT devices are made this way. So, if the software bricks itself or is infected, the hardware is useless. Engineers: please make the hardware work without the software. The plumbing should work, even when the porcelain breaks. Nothing infuriates people more than crappy software, and since most software is garbage, implement a hardware fallback.

Owned All Day

Another awful thing about the IoT is that bugs and exploits are rarely fixed. For example, this smart refrigerator is still vulnerable, two years later, to a man-in-the-middle attack that exposes users’ Google accounts.
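The usual cause of a man-in-the-middle bug like the one above is a device that speaks TLS but never verifies who it is talking to. The following is an added example, not the refrigerator’s code or anything from the page: it puts the weak client configuration next to the hardened one using Python’s standard `ssl` module, and adds a small audit function that a firmware reviewer could run over a context before it is ever used to send credentials.

```python
import socket
import ssl

def insecure_client_context():
    """The pattern behind many IoT man-in-the-middle findings: the device uses TLS,
    but accepts any certificate for any name, so anyone on the network path can
    impersonate the vendor's cloud and read whatever the device sends it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context(cafile=None):
    """Verify the chain against a trust store (the system store, or a pinned vendor CA
    passed as cafile), match the hostname, and refuse protocol versions before 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

# Versions an audited client should never accept as its floor.
LEGACY_VERSIONS = (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.SSLv3,
                   ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)

def audit_context(ctx):
    """Return a list of findings; an empty list means the context verifies its peer."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    if ctx.minimum_version in LEGACY_VERSIONS:
        findings.append("TLS versions older than 1.2 are accepted")
    return findings

def open_verified_connection(host, port, cafile=None):
    """Open a socket the way a device should: the handshake fails closed on a bad cert.
    Not called by the demo below, since it needs network access."""
    ctx = hardened_client_context(cafile)
    assert audit_context(ctx) == []
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)   # server_hostname drives SNI and hostname checks

if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

Pinning the vendor’s own CA via `cafile` is the stronger choice for an appliance: the device should only ever talk to one service, so there is no reason to trust the full public CA set.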

This doesn’t just apply to appliances; it also applies to anything with an Android device inside. After the recent wave of Android and OpenSSL CVEs, the vast majority of Android devices are still exposed and vulnerable. If you thought getting a virus on your computer was a pain, just imagine how fun it will be to get a worm off the oven.

Imagine something like Cryptolocker for IoT hardware. That’s something you cannot fix with regular and redundant backups. Just imagine the possibilities: PhoneLocker, GunLocker, FridgeLocker, IronLocker, and CribLocker: all coming to an IoT retailer near you!

That time the toaster oven burned your toast? Hacker. That time when your coffee machine wouldn’t work? Hacker. All your kitchen are belong to us.

What’s even worse is companies are putting chips inside locks too. Good God, as if lock design wasn’t bad enough already. Now instead of raking a Kwikset in 5 seconds, a thief can just use their phone to break in. Now thieves can use literal backdoors to steal your precious data belongings.

Not scared yet? What if I told you that a water utility company and a steel mill were hacked? So, even if you as a consumer choose not to purchase an IoT product, you can still be affected by others’ idiocy.

But Wait, There’s More!

Perhaps the scariest thing about all of this is that nearly all consumer IoT devices phone home to a company’s servers. As if the prospect of home-network attacks wasn’t bad enough, companies are building what amounts to a command-and-control botnet of thermostats and refrigerators. That surely won’t be a plump and juicy target for hackers and skids in search of epic lulz.

The tragedy of all of this is that these attacks can be avoided using existing technology and software – one of the popular standards used for IoT is XMPP. Developers know damn well how to use XMPP, because it’s built on XML. Even better, many XMPP hosts reject unencrypted connections from clients and other hosts.

The best part of using XMPP is federation. Federation is exactly what it sounds like: two different servers connecting for a common purpose (communicating between two users). This means alice@example.com can talk to bob@example.net, even though they connected to different XMPP servers.

Users should have the option to use their own XMPP server as a “control center” for IoT devices. If a user doesn’t want to bother setting up a server, hardware vendors can host public XMPP servers for their users instead.
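What a device on the receiving end of that control center has to do is small: accept commands only from its owner’s account, whichever server delivered them, and keep a hardware-enforced safe range that no command can widen (the “plumbing works when the porcelain breaks” point from earlier). The following is an added example and not code from the page or from any XMPP library. The `urn:example:iot:control` namespace and the `<set>` element are invented for the illustration; the stanzas are constructed, not captured traffic. It assumes, as XMPP requires of servers, that the device’s own server has already validated the `from` address on stanzas it delivers.

```python
import xml.etree.ElementTree as ET

# Hypothetical control namespace for this example only; not a registered XMPP extension.
CONTROL_NS = "urn:example:iot:control"
MAX_STANZA_BYTES = 4096   # reject oversized stanzas before parsing them at all

class Thermostat:
    """Device model whose safe range is fixed in 'hardware' and cannot be widened over the network."""
    HW_MIN_C = 5.0    # anti-freeze floor
    HW_MAX_C = 30.0   # ceiling, so one bad command cannot run the furnace flat out

    def __init__(self, fallback_setpoint_c=20.0):
        self.setpoint = fallback_setpoint_c   # what the device runs at with no hub at all

    def apply(self, requested_c):
        # Clamp rather than refuse: the house stays habitable even when the hub misbehaves.
        self.setpoint = min(max(requested_c, self.HW_MIN_C), self.HW_MAX_C)
        return self.setpoint

def bare_jid(jid):
    """Drop the resource (after '/'), e.g. alice@example.com/hub -> alice@example.com."""
    return jid.split("/", 1)[0].lower()

def handle_control_stanza(xml_text, device, owner_jid):
    """Apply a control stanza only if it comes from the owner's account on the owner's server.
    Returns a dict describing the decision so the caller can log it."""
    current = device.setpoint
    if len(xml_text.encode("utf-8")) > MAX_STANZA_BYTES:
        return {"accepted": False, "reason": "stanza too large", "setpoint": current}
    try:
        # Production code should parse untrusted XML with defusedxml rather than bare ElementTree.
        msg = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"accepted": False, "reason": f"malformed XML: {exc}", "setpoint": current}
    sender = msg.get("from", "")
    # Federation means any server may deliver a stanza; the device trusts only its owner's bare JID.
    if bare_jid(sender) != bare_jid(owner_jid):
        return {"accepted": False, "reason": f"unauthorized sender {sender!r}", "setpoint": current}
    cmd = msg.find(f"{{{CONTROL_NS}}}set")
    if cmd is None or cmd.get("target") != "setpoint":
        return {"accepted": False, "reason": "no supported control element", "setpoint": current}
    try:
        requested = float(cmd.get("value", ""))
    except ValueError:
        return {"accepted": False, "reason": "value is not a number", "setpoint": current}
    return {"accepted": True, "reason": "ok", "setpoint": device.apply(requested)}

# Constructed stanzas for the demonstration.
OWNER = "alice@example.com"
STANZA_FROM_OWNER = (f'<message from="{OWNER}/hub" to="thermostat@example.com" type="chat">'
                     f'<set xmlns="{CONTROL_NS}" target="setpoint" value="22.5"/></message>')
STANZA_FROM_STRANGER = (f'<message from="mallory@example.net/x" to="thermostat@example.com" type="chat">'
                        f'<set xmlns="{CONTROL_NS}" target="setpoint" value="5"/></message>')
STANZA_OUT_OF_RANGE = (f'<message from="{OWNER}" to="thermostat@example.com" type="chat">'
                       f'<set xmlns="{CONTROL_NS}" target="setpoint" value="99"/></message>')

def run_demo():
    """Feed the stanzas to one device in order and return the device plus each decision."""
    device = Thermostat()
    results = [handle_control_stanza(s, device, OWNER)
               for s in (STANZA_FROM_OWNER, STANZA_FROM_STRANGER, STANZA_OUT_OF_RANGE, "<message")]
    return device, results

if __name__ == "__main__":
    device, results = run_demo()
    for r in results:
        print(r)
```

The owner check is what makes self-hosting meaningful: the device is bound to `alice@example.com`, not to whichever vendor cloud happens to be reachable, and a stanza from `mallory@example.net` is dropped before its payload is even looked at. The clamp in `Thermostat.apply` is the fallback: a buggy or compromised hub can ask for 99 °C and get 30 °C.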

Put a Chip in It

Please, for the love of God, don’t network the systems! Maybe you really like the idea of having your Google Calendar on your fridge, or connecting your phone to your car’s wifi, but you really shouldn’t, okay?

With all that said, IoT still has potential; it’s just that the vast majority of manufacturers are careless and negligent. These companies are not equipped to build a secure product for consumers. At its best, IoT has some great reasons to exist. At its worst, IoT is an absolute nightmare.

In the best case scenario, a company hoping to have any support from consumers or the tech community will do these things:

  1. Enable self-hosting – People are very skeptical of letting appliances in their house connect to third-party servers, because it creates all sorts of privacy and security risks. Users must be able to host their own centralized control hub and have one account to rule them all.
  2. Open-source your firmware – The first company in the IoT to open-source everything will be adored by the tech community. In fact, creating an enthusiast fan-base is perhaps one of the greatest things for an IoT company. Enthusiasts will actively promote, contribute to, and fix bugs in your software. An active and organic community means a happy company.
  3. Sell silicon and services – The only way IoT companies are going to make money in the future is by selling hardware. Users and tech enthusiasts are inherently afraid of closed-source IoT things. The most profitable route for an IoT company is not selling software, but rather hardware and services. Producing a swath of IoT sensors and devices is the most profitable way going forward. Another possible monetization strategy is selling services, such as remote monitoring and backup.

But finding a company that does any one of these things is rare – let alone all three. So, at least for now, the last thing you should do is put a damn chip in it.