智能设备生命周期可以拉动安全

Richard Adhikari

2020.11.20 上午5：00

使用智能和互联设备可以使我们的生活更加容易，但它也可能让其制造商更好的控制我们的生活。

根据Park Associates的报道，在美国，每三个拥有宽带连接的家庭中，有一个家庭拥有至少一台智能家居设备，并且有百分之二十的家庭装有允许远程交流和控制交互性安全系统。

一些公司提供智能设备，像Google、Belkin、和Best Buy,它们在没有预警的情况下切断了其智能设备生产线，对消费者弃之不顾。

它导致了“在障碍中监管”，这一概念是由加拿大约克大学助理教授Natasha Tusikov提出的。现在，制造商们故意损害或破坏软件，目的是给产品的功能产生一定的负面影响。

“这样的障碍重塑了对实体产品的监管，因为制造商可以任意远程地影响任何允许软件运行的设备地功能，甚至可以决定产品的寿命。”Tusikov 说道。

“它还赋予公司一种不公平的能力，使得公司能单方面自动地、远程地强加其首选的政策。通过他们的软件，物联网产品保持连接…给他们的制造商，这让公司…对软件拥有强大的购买后控权。”Tusikov如是说。

哈德利任何选择

例如，谷歌去年停止了和雀巢地合作，该计划项目让第三方制造商提供与雀巢系列连接设备合作的产品。这是谷歌助手连接国内市场推出全法庭新闻的前奏。从本质上来说，第三方要么将其产品过渡到与谷歌合作，要么停止与谷歌的合作。

正如Jason Perlow在ZDNet中描述的那样，那些购买了与雀巢一起的第三方制造的智能互联设备地消费者，开始担心自己将只剩下一所满是砖块的房子。

“有相当多的产品是为雀巢设计的，目前在我家使用的就包括有：飞利浦Hue智能灯、Chamberlian智能车库门和Wemo智能插头。”Perlow写道。

“这也包括亚马逊Alexa——它似乎被给予了特殊的豁免，至少现在是这样。但是谷歌有权随时终止，因为它有自己的智能扬声器产品，谷歌之家。”

公司可以进一步迫使客户接受某些产品特性并确定产品使用方式，Tusikov如是说。这一切在公司的最终用户许可协议下都能得以实现，但是人们大多不会去阅读公司的政策，许多人甚至可能都不知道管理其物联网产品的使用规则。

“更进一步来说，公司在制定其政策方面有相当大的自由度，并且保留了其在不通知用户的情况下更改许可协议条款的权利。”她说。

监视和安全的结果

监视，于物联网设备制造商而言，是一种商业模式和监管机制，Tusikov说道。这些设备每天与其制造商的服务器通信，甚至一天多次通信，从他们的使用者截取大量数据。

人们对互联设备中的声音助手科技的使用越来越多，包括谷歌声音，苹果Siri和亚马逊的Alexa，这也进一步提升了其监视性能。这三项科技一直保持倾听，并能够轻易地使用随机短语被突然激活。

“消费者需要清楚任何与互联网相连的事物都会分享他们信息的部分或全部给家庭组织，他们会进行分析、改进或其他需求操作”，James McQuiggan，网络安全意识培训公司KnowBe4的安全意识倡导者，如是说道。

“这些一直在倾听的设备所带来的安全威胁是真实存在的”，Gurucul的首席执行官Saryu Nayyar警告道，“对这些系统有很多潜在的攻击，更不要说对隐私的压倒性影响了。但是，对于普通消费者来说风险没那么大，因为普通消费者没那么重要。”

迄今为止，大部分互联设备的黑客攻击都是相对来说较轻的，尽管对受害者来说很可怕——比如说侵入婴儿监视系统。

这就是说：“在一个人们不断发现产品漏洞的世界里，你需要一个能对安全问题做出响应的供应商，”网络安全公司Tripwire的安全研发经理Tyler Reguly告诉TechNewsWorld。

不过，风险仅存在于智能电视、视频游戏机和我们家中过多的其他设备中。

制造商真的在乎吗？

如果有用户在计划终止前发现漏洞，那么计划终止的产品线确实会对现有用户造成安全威胁。

“我们已经向一些较大的制造商报告了安全漏洞，他们的最终回复是他们并不会修复这些漏洞，原因是他们计划停止制造这些产品，” Tripwire公司的安全研究高级领导Lamar Bailey,告诉TechNewsWorld。

科技的不断前进发展使得消费者陷入迷茫。智能互联设备科技是我们的生活更加轻松，但同时我们为这份轻松所付出的代价很大程度上仍不清楚。

Smart Device Life Cycles Can Pull the Plug on Security

By Richard Adhikari Nov 20, 2020 5:00 AM PT

Smart Device Life Cycles Can Pull the Plug on Security | Internet of Things | TechNewsWorld

The use of smart and connected devices promises to make our lives easier, but it might also give their manufacturers greater control over our lives.

One out of three households in the United States with broadband connections owns at least one smart home device, and interactive security systems that allow remote connection and control capabilities are installed in 20 percent of these households, research firm Park Associates reports.

Some companies offering smart devices, including Google, Belkin, and Best Buy have killed off their smart device product lines without warning, leaving consumers in the lurch.

That leads to what Natasha Tusikov, an assistant professor in Canada's York University, calls "regulation through bricking." This is when manufacturers deliberately impair or destroy software "with the intention of negatively affecting product functionality."

Such bricking reshapes the governance of physical products because the manufacturers can "arbitrarily and remotely affect the functionality of any software-enabled device and even determine the product's lifespan," Tusikov stated.

It also gives the companies "an unfair capacity to impose their preferred policies unilaterally, automatically and remotely. Through their software, IoT products remain connected...to their manufacturers, [which] lets companies...wield significant post-purchase control over the software," Tusikov said.

Hardley Any Choice

For example, Google last year shut down its Works with Nest program that let third-party manufacturers offer products that worked with its Nest family of connected devices. This was a prelude to launching a full court press into the connected home market on the back of Google Assistant. Third parties, in essence, either had to transition their products to work with Google Assistant or stop working with Google.

Consumers who had purchased smart or connected products made by third parties that belonged to the Works with Nest program were left with the specter of owning a house full of bricks, as Jason Perlow recountedin ZDNet.

"There are quite a few products out there that were designed for Works with Nest, which includes Philips Huesmart lights, Chamberlain smart garage doors, and Wemo smart plugs -- all of which I currently have in my house," Perlow wrote.

"That also includes Amazon Alexa -- which seems to be given special dispensation, at least for now. But yes, Google could decide to pull the plug on it at any time, since it has its intelligent speaker product, Google Home, instead."

Companies can further force customers to accept certain product features and determine how goods are used, Tusikov noted. This is all enabled under the companies' end-user licensing agreements, but people "tend not to read corporate policies and may not even be aware of the rules that govern their use of IoT products."

Further, companies "have considerable latitude in crafting their policies and reserve the right to change the terms of their licensing agreements without notice to the user," she said.

Consequences of Surveillance and Security

Surveillance "is a business model and a regulatory mechanism" for IoT device manufacturers, Tusikov said. These devices communicate daily with the manufacturers' servers, or even multiple times a day, harvesting staggering amounts of data about their owners.

The increasing use of voice assistant technology such as Google Voice, Apple's Siri and Amazon's Alexa in connected devices further enhances their surveillance capabilities. All three technologies are always listening and can be activated accidentally quite easily through the use of random phrases.

"Consumers need to be aware that anything connected to the Internet will share some or all of their information back to the home organizations for analysis, improvements, or other needs," James McQuiggan, security awareness advocate with cybersecurity awareness training firm KnowBe4 told TechNewsWorld.

"The threat to security from these always-listening devices is real," warnedGurucul CEO Saryu Nayyar. "There are many potential attacks against these systems, not to mention the overwhelming privacy implications." However, the risk is small for the average consumer because "you're just not that important."

To date, most hacks of connected devices have been relatively minor, although terrifying to the victims -- such as hacking into a baby monitor.

That said, "In a world where people are constantly finding vulnerabilities in products, you need a vendor that's responsive to security issues," Tyler Reguly, manager of security research and development at cybersecurity firm Tripwire, told TechNewsWorld.

Still, the risk is "certainly no more than smart TVs, video game consoles and the plethora of other devices we all have in our homes."

Do Manufacturers Really Care?

Product lines slated for termination do pose a security threat to existing users if vulnerabilities are discovered in them prior to the termination date.

"We've reported security vulnerabilities to several larger manufacturers and their final response is they're not going to fix the issues because they plan to stop making the product," Lamar Bailey, Tripwire's senior director of security research, told TechNewsWorld.

The relentless march of technology has put consumers in a bind. Smart and connected device technologies make our lives easier but the bill for that ease is still largely unknown.