In the vast Internet of Things, “smart” still doesn’t mean secure

It’s long past time for the Internet of Things (IoT) to come with a qualifier. A caveat. Because it is demonstrably the Internet of Vulnerable Things. Of sometimes very dangerous things.

Indeed, you can’t get through a week — frequently you can’t get through a day — without news of yet another potentially catastrophic security problem with what is rapidly becoming the Internet of Everything.

Just one example of those ubiquitous problems was a report on smart locks this past week. They are, as is true of all “smart” devices, only as smart and secure as a manufacturer makes them. As Larry Trowell, principal consultant at Synopsys, puts it, “locks only keep out honest people, but they should slow down the dishonest.”

What security researcher Craig Young found with the U-Tec UltraLoq smart locks was that while they had some cool features and conveniences like fingerprint readers and anti-peep touchscreens, they didn’t slow him down much. He found it was possible for people other than the owners to control those locks.

Himself, for instance. He could have unlocked hundreds of people’s doors remotely.

In a Tripwire blog post earlier this month, Young wrote that he discovered he “could easily steal ‘unlock tokens’ in bulk or from specific devices knowing only the MAC address.”

The MAC [media access control] address is a unique identifier, written as six two-hexadecimal-digit pairs, assigned to a network interface controller (NIC) for use as a network address in communications within a network segment. You can find yours on your phone, generally in the “About” portion of your Settings.

It did take some homework and some skill to pull off the hack. Young used the IoT search engine Shodan to look for entries related to UltraLoq and the use of MQTT, a publish-subscribe protocol used in IoT devices to exchange data between nodes.

He found an Amazon-hosted broker that contained UltraLoq topic names and also personally identifiable information (PII) of owners that included email addresses. From there he found a “repeating message flow on the unlock process.” He then wrote a script using the programming language Python to replay the messages and found that doing so would open the lock.

Fix took some prodding

Fortunately, Young is an ethical hacker. By the time he went public about it, the UltraLoq problem had long since been solved. He discovered it last November and immediately notified the company, which he said fixed the problems he flagged within a week.

But it took some prodding. And the awareness and understanding of the security defects by U-Tec doesn’t inspire overall confidence in the product.

When Young first contacted them, U-Tec dismissed his concern. “Unauthorized users will not be able to open the door, please don’t worry,” was the reply.

When he then demonstrated that he had already conducted a successful attack as an unauthorized user and sent the company a screenshot from Shodan “including active customer email addresses leaked in the form of MQTT topic names,” the company responded, within a day, that it had taken multiple steps to prevent non-authenticated users from getting access to control the locks.

Young said that was an improvement, but still didn’t address the “key problem … they failed to implement user-level access controls.”

A few days later, U-Tec contacted him to say that it had implemented “user isolation.” And Young confirmed that he could no longer hack into others’ accounts.
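The two gaps described above, an unlock flow that repeats the same message (so a captured copy works again) and a backend that did not tie commands to the account that owns the lock until “user isolation” was added, are the checks a defender would want to see enforced in code. The following Python sketch is an added example, not code from the article, from Craig Young, or from U-Tec. It assumes a constructed message format (JSON carrying `lock_id`, `user`, `counter`, `ts` and an HMAC tag), constructed per-lock keys and a constructed authorization table, and shows a broker-side or lock-side verifier that rejects a replayed message, a message from a user not authorized for that lock, and a tampered message.

```python
import hashlib
import hmac
import json

# Constructed per-lock secrets. In a real deployment these would be provisioned
# at pairing time and would never appear in MQTT topic names or payloads.
LOCK_KEYS = {
    "lock-0001": b"constructed-secret-for-lock-0001",
    "lock-0002": b"constructed-secret-for-lock-0002",
}

# Constructed user-isolation table: the accounts allowed to operate each lock.
AUTHORIZED = {
    "lock-0001": {"alice@example.com"},
    "lock-0002": {"bob@example.com"},
}


def _tag(key: bytes, lock_id: str, user: str, counter: int, ts: int) -> str:
    """HMAC-SHA256 over the canonical fields, so none of them can be altered in transit."""
    canonical = f"{lock_id}|{user}|{counter}|{ts}".encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_unlock_message(lock_id: str, user: str, counter: int, ts: int, key: bytes) -> str:
    """Legitimate client side: sign an unlock command with the lock's key (hypothetical format)."""
    body = {"lock_id": lock_id, "user": user, "counter": counter, "ts": ts}
    body["mac"] = _tag(key, lock_id, user, counter, ts)
    return json.dumps(body)


class UnlockVerifier:
    """Policy enforced where the command is acted on: authorize the user,
    check the tag, and reject any message whose counter does not advance."""

    def __init__(self, lock_keys, authorized, max_skew: int = 30):
        self.lock_keys = lock_keys
        self.authorized = authorized
        self.max_skew = max_skew
        self.last_counter = {}  # lock_id -> highest counter already accepted

    def verify(self, raw: str, now: int):
        try:
            msg = json.loads(raw)
            lock_id, user, mac = msg["lock_id"], msg["user"], msg["mac"]
            counter, ts = int(msg["counter"]), int(msg["ts"])
            if not isinstance(mac, str):
                raise TypeError("mac must be a string")
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        key = self.lock_keys.get(lock_id)
        if key is None:
            return False, "unknown lock"
        # User-level access control: knowing a lock's identifier is not enough.
        if user not in self.authorized.get(lock_id, set()):
            return False, "not authorized for this lock"
        # Integrity: constant-time comparison against a freshly computed tag.
        if not hmac.compare_digest(mac, _tag(key, lock_id, user, counter, ts)):
            return False, "bad mac"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        # Replay protection: a captured message carries a counter already used.
        if counter <= self.last_counter.get(lock_id, 0):
            return False, "replay"
        self.last_counter[lock_id] = counter
        return True, "ok"


def demo():
    """Walk through the cases the article describes and return each outcome."""
    v = UnlockVerifier(LOCK_KEYS, AUTHORIZED)
    good = build_unlock_message("lock-0001", "alice@example.com", 1, 1000, LOCK_KEYS["lock-0001"])
    other = build_unlock_message("lock-0001", "bob@example.com", 2, 1000, LOCK_KEYS["lock-0001"])
    return {
        "owner unlocks": v.verify(good, now=1000),
        "same message replayed": v.verify(good, now=1005),
        "other user, right key": v.verify(other, now=1000),
        "owner, tampered body": v.verify(good.replace('"counter": 1', '"counter": 2'), now=1000),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Calling `demo()` returns the four outcomes. The point is that a command must be bound to an authorized account, integrity-protected with a key the broker never publishes, and carry a counter that only moves forward; a message that is merely repeated, or sent by someone who only knows the lock's identifier, is then refused regardless of how it was obtained.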

The fix didn’t win much praise from experts, however. Bruce Schneier, author, blogger and IoT security expert who has testified before Congress on the topic, was unimpressed. “U-Tec eventually fixed the vulnerabilities, but not in a way that should give you any confidence that they know what they’re doing,” he wrote in a brief post on his blog last Monday.

Young is also not the only one who has found problems with UltraLoq. PenTest Partners reported more than a year ago on both physical and internal security problems with the locks.

“This apparently seemed like a good idea to someone who didn’t know a lot about locks,” said Trowell.

Rampant vulnerabilities

Young also wrote that while the specific problem he reported was ultimately addressed, U-Tec is not an outlier. “The underlying concerns regarding privacy and safety in the (IoT) industry still remain,” he wrote.

Indeed, stories like this are “very familiar” to Zach Lanier, managing principal and embedded:IoT practice lead at Atredis Partners. “Often it’s not a single vulnerability or flaw, but a combination of issues,” he said. “Backend/supporting services being wide open or with weak authentication and authorization controls, coupled with some kind of device-level defect, or even a supporting mobile app doing something insecurely.”

In short, IoT insecurities are rampant, and have been for a long time. Security experts have issued warnings for well over a decade that “smart” does not mean secure. Young said he has continued to investigate “exposed MQTT systems and have identified countless industrial IoT network exposures including vehicle tracking, taxi dispatch, lottery kiosks, building management systems, and more.”

Why? Trowell said one major reason is that the pressure for speed in producing IoT devices is still much more powerful than it is for security. “A lot of old-school and small startups think about getting the product out the door first, and security later. It’s getting better, but IoT still has a lot of problems,” he said.

Yossi Naar, chief visionary officer and cofounder at Cybereason, said the vulnerabilities Young found “are very common” in IoT devices. “IoT security in many ways resembles the internet 20 years ago or, unfortunately, today as well,” he said.

Which leads to the obvious question: What can and should be done to make IoT security better? There is no way to achieve perfect security, but experts have said for years that it is possible to implement basic “security hygiene” that will keep IoT devices and networks out of the low-hanging-fruit category.

The market, so far, hasn’t come close to doing that. The reality is that vendors give customers what they want, which are devices that offer features, fun and convenience. Security is not yet a “differentiator” in customer purchasing decisions.

Too complicated

And even if vendors do provide security options, they are likely to be intimidating to the average user. Jennifer Janesko, senior consultant at Synopsys, said earlier this year about a list of security measures recommended by the FBI that, “the majority are not going to be actionable by the typical end user.”

Lanier agrees. “It can be difficult to really convey to most ‘non-techie’ people the importance of the security of the entire product — the device, any apps, networking, supporting/backend services, and so on,” he said.

Which is why a number of experts have lobbied for government to mandate better IoT security, somewhat along the lines of mandating core safety features in cars, or the EU’s General Data Protection Regulation (GDPR) to protect online privacy.

There is plenty of evidence that government is aware and interested — in recent years there has been a steady stream of proposed legislation in Congress, recommended standards and best practices from federal agencies and lengthy whitepapers from presidential commissions about IoT security.

But the legislation tends to get hung up in committee and the standards and best practices have been voluntary, meaning they have no force of law.

Why can’t government mandate certain core security features in IoT devices? So far there is no clear answer to that, and there is a divide among experts about whether that would be a good thing. Trowell, for one, is skeptical. “I’m not a fan of government standards,” he said. “They mean well but they can only check for stuff that has been done before and rarely keep up with the times. And there is a lot of infighting in creating those standards.”

There has also been plenty of talk about creating a private-sector “seal of approval” somewhat like UL safety certification for products. But that is complicated.

Lanier notes that there are a “myriad” of private-sector initiatives focused on both consumer and industrial IoT security, “including the Cyber Independent Testing Laboratory, UL Consumer Technology, Consumer Reports, the ioXt Alliance, the IoT Security Foundation, the Cloud Security Alliance IoT Working Group, and so on.”

Too much overlap

While each initiative is laudable, “there is so much overlap without a whole lot of cohesion between these groups, so it can be difficult for a manufacturer/OEM, designer, engineer, etc. to really make sense of what the actual ‘standards’ might be,” Lanier said.

Not to mention, he added, that it makes it impossible to point a non-techie friend or relative to “a standard security and privacy report card. We’re not there yet.”

So until consistent IoT security standards are in place, the only real incentive for IoT security amounts to “buyer beware.” As in, it’s largely up to users. Before you buy, check out the vendor, make sure the device you’re buying is part of its core business, read some reviews, read the terms of service and privacy policy. And then get a tech-savvy friend or relative to help you set it up.

“I still have smart devices,” Trowell said, “but I make sure they are more secure. I use a private network, mic shield, limited access, etc.”

Translated from: https://medium.com/the-innovation/in-the-vast-internet-of-things-smart-still-doesnt-mean-secure-840950cd8094
