Laughable IoT security

Is a clear failure of the 'free market'.

Let's suppose I accept that it would be an undue burden on those selling IoT devices to make sure their own software that they put on it to perform device functions is not woefully insecure (I don't, really).

Even if I did, how is it acceptable for these vendors to be shipping with (really old) 2.x kernels, default passwords and open ssh servers, and unauthenticated and insecure means for firmware updates (not that the firmware updates will ever be used for security patches anyway)?

Really, it's a pity that China hasn't put together a reference Linux distro that can be mandated for all these things, along with mandatory updates to the base system and public executions for anyone who runs their outside-accessible servers as root or ships with default passwords for anything that allows owning the device.
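As an added illustration (not code from the thread or from any vendor), here is a small audit of the ship-with-defaults problems the OP lists, run over a constructed extracted root filesystem: empty or weakly hashed login passwords, extra UID-0 accounts, and an sshd_config that lets root in with a password. The file contents and the hash value below are constructed samples, not taken from any real device.

```python
# Constructed sample of an extracted IoT rootfs (paths -> file contents).
ROOTFS = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/sh\n"
        "admin:x:0:0:admin:/:/bin/sh\n"          # second UID-0 account
        "guest::1000:1000::/tmp:/bin/sh\n"      # empty password, no shadow
        "nobody:x:65534:65534::/:/bin/false\n"  # no login shell: ignored
    ),
    "/etc/shadow": (
        "root:abJnggxhB/yWI:10933:0:99999:7:::\n"  # constructed 13-char DES crypt hash
        "admin::10933:0:99999:7:::\n"              # empty hash field
        "nobody:*:10933:0:99999:7:::\n"
    ),
    "/etc/ssh/sshd_config": (
        "Port 22\n"
        "#PermitRootLogin prohibit-password\n"
        "PermitRootLogin yes\n"
        "PasswordAuthentication yes\n"
    ),
}

def audit_accounts(passwd, shadow):
    """Flag accounts that can be logged into with no or weakly hashed passwords."""
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow.splitlines() if l.strip()}
    findings = []
    for line in passwd.splitlines():
        if not line.strip():
            continue
        name, pw, uid, _gid, _gecos, _home, shell = line.split(":")[:7]
        if shell.endswith(("false", "nologin")):
            continue  # no interactive login possible
        h = hashes.get(name) if pw == "x" else pw  # "x" means: look in /etc/shadow
        if h is None:
            continue  # no shadow entry, login cannot succeed
        if name != "root" and uid == "0":
            findings.append(f"{name}: extra UID-0 account")
        if h == "":
            findings.append(f"{name}: empty password with login shell")
        elif not h.startswith(("$", "*", "!")):
            findings.append(f"{name}: legacy DES crypt hash (weak hashing)")
    return findings

def audit_sshd(config):
    """sshd honours the first occurrence of a keyword; comments are ignored."""
    seen = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            seen.setdefault(key.lower(), val.strip().lower())
    findings = []
    if seen.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("sshd: PermitRootLogin yes (root reachable with a password)")
    if seen.get("passwordauthentication", "yes") == "yes":
        findings.append("sshd: PasswordAuthentication yes (default credentials usable remotely)")
    return findings

def audit_rootfs(rootfs):
    findings = audit_accounts(rootfs.get("/etc/passwd", ""), rootfs.get("/etc/shadow", ""))
    return findings + audit_sshd(rootfs.get("/etc/ssh/sshd_config", ""))

if __name__ == "__main__":
    for finding in audit_rootfs(ROOTFS):
        print(finding)
```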

The ancient kernels are usually a direct result of changes to the kernel source to make the hardware work. These customizations are often done with, let's say, little attention to kernel development guidelines, to put it mildly.

The end result can really sometimes only be called "linux-alike" but not really a proper kernel anymore. They have all sorts of issues with spaghetti code, breaking stuff to make shit work, bypassing security features in the laziest way possible to make stuff work easier and so on. The code changes are often "Chinese dude with degree in electrical engineering" quality. Usually the changes are peppered all over the kernel code in the most atrocious "14 day C tutorial" ways and that's also why porting this stuff to make a properly maintained mainline driver for the hardware in question is often akin to just rewriting the driver completely from the ground up. When the Chinese company doing that atrocity feels like adhering to the GPL (they often don't, nobody does anything about that anyway) and publishes the source, you often can't even recompile their kernel with harmless different options (support for other filesystems etc.) because shit will break. It's that bad. Changes are of course never documented. That'd amount to additional work hours.

That the same kinds of people won't care about maintaining an updated userland for their kernel-soup doesn't need to be explained.

The problem is that these companies see linux and its software landscape more as a cheap platform to support their current chinkshit hardware with and hack something together to make it work, and don't care what will happen with it three months down the road when the product is already out the door. They care even less about the users' safety with outdated kernels that often can't even really be patched if you were to port back security stuff. They don't want to invest the work and money to support mainline and write proper drivers and maintain them. They don't want to spend money on maintaining firmware updates. This will never change as this cheap hackery is an integral part of the Chinese-gadget-shovelware business model. The only way to resolve this is to not buy such products.

Also for a lot of them, it's not just the money. Usually custom development work like that is initially done by an expert contractor and the gaggle of Rajneeshes they grab off Fiver couldn't get halfway through a header file without getting lost.

As for the OP, SCADA networks have a lot worse security flaws to them than IoT. I know a couple of fab sites that still have NT4 domain networks live in-environment because it'd cost them the better part of their yearly revenue to update that stuff.

Then again, security by obsolescence is still a step up from IoT.