How secure is the Internet of Things

Typically, these systems are powered by specialized computer chips made by companies such as Broadcom, Qualcomm, and Marvell. These chips are cheap, and the profit margins slim. Aside from price, the way the manufacturers differentiate themselves from each other is by features and bandwidth. They typically put a version of the Linux operating system onto the chips, as well as a bunch of other open-source and proprietary components and drivers. They do as little engineering as possible before shipping, and there’s little incentive to update their “board support package” until absolutely necessary.

The system manufacturers — usually original device manufacturers (ODMs) who often don’t get their brand name on the finished product — choose a chip based on price and features, and then build a router, server, or whatever. They don’t do a lot of engineering, either. The brand-name company on the box may add a user interface and maybe some new features, make sure everything works, and they’re done, too.

The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it’s shipped. The chip manufacturer is busy shipping the next version of the chip, and the ODM is busy upgrading its product to work with this next chip. Maintaining the older chips and products just isn’t a priority. Bruce Schneier

I'm very concerned about this. While the Apple router in my home isn't subject to any known vulnerabilities, I have very little visibility into the device and I am completely at the mercy of Apple's engineers when it comes to patching. This one device separates the other components of my computing network from the wild wild Internet. It's my main line of defense. I used to have a basement full of servers that I controlled -- firewall, network attached storage, web server, etc. Now I'm dependent on the cloud for services and have limited control of my network security. It's time for change.

The surveillance business

You're the product, and you're being improved for their actual customers: their advertisers.

Google recently announced that it would start including individual users' names and photos in some ads. This means that if you rate some product positively, your friends may see ads for that product with your name and photo attached—without your knowledge or consent. Meanwhile, Facebook is eliminating a feature that allowed people to retain some portions of their anonymity on its website. Bruce Schneier


If these features don't sound particularly beneficial to you, it's because you're not the customer of any of these companies. You're the product, and you're being improved for their actual customers: their advertisers. Bruce Schneier