Question: Do you feel users approach Internet access too casually, that is to say, without properly understanding and protecting against security risks?
A.Lizard: Yes, and the vendors encourage this. Excite@home is still telling people that firewalls are optional for broadband 24/7 connections for PCs. Personally, I think that all ISP "new user packages" and computers should be provided with a bundled personal firewall and anti-virus software to at least get users started with security.

Ever see a computer or ISP ad that shows a user finding a virus or trying to respond to a port scan?
Question: Do you feel it is the appliance industry's or the user's responsibility to ensure security?
A.Lizard: In this case, the appliance industry. Users have no intellectual basis for thinking of their washing machine as a networked security risk. At minimum, anything intended for browser control needs to have an SSL server on board allowing encrypted user and factory technician access and NO access for anybody else. I think what's going on is that the people designing the hardware platform and the computer platform aren't talking to the network people; the people designing the embedded computer figure their job stopped when they got a TCP/IP stack running on the appliance and got it talking to the Net... and in the prototype appliances which are continuously connected, there's no provision for firewalls and intrusion logs; the logs would tell the story in explicit detail for all with eyes to see.

Extend this a bit into the future. Imagine that some hacker managed to get a copy of the Manufacturer Service Manual covering several Web-enabled appliances, including "hidden" URLs to diagnostic and internal configuration controls (e.g. if a voltage is a bit low, tweak voltage upward by hand) that a user wouldn't be aware of. The appliance has no way to know it's being hacked. You don't find out there's a problem unless the appliance breaks or catches fire.
Question: Are there resources devoted to "watch-dogging" these appliances? In other words, where might the average user obtain more information?
A.Lizard: None that I am aware of, other than at ReptileLabs. If readers know of any, I'd appreciate the URL. The only places where firewalls and kitchen appliances show up on the same page are in "news pages" with chunks of a number of different articles about technology. The only place where security and appliances occur together is in security applications, alarm control and setups where you can view your home via security Webcam. However, does the promise that "you can see the inside of your room from anywhere in the world" mean "and so can anybody else!"? You might discover a problem here by seeing your naked body on somebody's XXX page, taken by your home security cam that somebody figured out how to turn on.

My Belkin 425VA power supply promises that I can monitor and control my UPS from anywhere in the world via the built-in mini-Webserver through any Web browser. That function is disabled by deinstalling the Web server and at the firewall, because if it's working correctly, so can anybody else. A person could turn off (I don't mean orderly shutdown, I mean as in pull the plug) my workstation from anywhere in the world if I were stupid enough to leave the UPS remote control enabled.