As I said previously, someone needs to bring negligence suits against some IoT vendors, wholesalers, and retailers. Start with the retailers, like Amazon. They'll find the supply chain for you as they try to pass the buck. It worked with hoverboards.
There's a problem at the China end with crap low-end devices driving out the good ones. Here's a good example: solid state relays, useful little devices for safely switching AC power with a logic level signal. Look at this Fotek solid state relay on Amazon.[1] That's a counterfeit. Fake manufacturer name. Fake UL and CE marks. Here's UL's warning notice on counterfeit Fotek solid state relays, and how to recognize fakes.[2] There are lots of unhappy customers; the fake ones have been reported to overheat, melt, or stick in the ON condition. Every Fotek relay on Amazon that I can find is fake.
The fakes are real solid state relays with grossly exaggerated power ratings. For real ones, cost goes up with power. The fakes all cost about the same regardless of nameplate power rating. Here's an especially bad one: a "100 amp" version.[3] The real Fotek, in Taiwan, doesn't even make a 100 amp version in that form factor - the terminals aren't big enough for 100 amps.
The result is that nobody is selling legit solid state relays on Amazon. They exist; you can buy them through Digi-Key or Mouser. They cost about 2.5x the fake price. But Amazon has been totally conned. (The ones on eBay are fake, too.) Worse, if you're a legit solid state relay maker in China, you have a hard time selling. The counterfeits have pushed the price down too far.
Back to hoverboards. There are now UL-approved hoverboards. They don't catch fire. Heavy pressure on China suppliers worked. That needs to happen with insecure IoT devices.
> someone needs to bring negligence suits against some IoT vendors, wholesalers, and retailers
IANAL, so I wonder if that would actually work. Especially since everyone always attaches the standard no-warranty disclaimers to software (and we're talking about vulnerabilities in the software on these devices).
Maybe we need to give the FCC power similar to the CPSC. They can issue recalls of unsafe products (or in the case of the FCC, products that interfere with our communications infrastructure), and they can even have them stopped at the border by customs.
Losing the ability to sell your product in the US is a pretty powerful incentive to get it right.
Also IANAL, but I don't think that no-warranty disclaimers work for commercial products. Some countries even specify mandatory warranties (e.g. Australia's Warranty Against Defects[1]).
I'm not sure those disclaimers work. They usually say something like, "We disclaim all warranties, including fitness for a particular purpose."
And then you look on their marketing pages and call their sales people, and they tell you all the particular purposes for which their software is a perfect fit.
As someone who has dozens of these cheap SSRs, thanks for this. A lot of them don't even have English labels on them. I'll be sure to not use them in any critical situation or something that might be fire-prone.
Tear-down reports indicate that the big problem is way overrated current ratings. Real SSRs start at 5A, which isn't too expensive, and prices go up with the current rating. Fake SSRs start at 25A, and have maybe 10A components inside. Past 10A or so, you have to add a heat sink, which a lot of the fake vendors don't mention.
If you want cheap SSRs, it may be better to order them directly from, say, LIRRD in China.[1] They make solid-state and mechanical relays under their own name, and have UL certification in their own name. There's a minimum order (40 units), but they will send samples. The prices are about as good as the fakes.
Counterfeit component risk and bad security for an assembled IoT device are two separate issues. Sourcing components on Amazon in the first place is ludicrous to me, to be honest, and I'd be shocked if any reputable EMS companies do it. As an aside, a couple years ago I saw some guys from NXP do a talk on component counterfeiting. People will apparently remove them from dead boards, shave a few microns of material off the top of their legitimate capacitors, change their reported value, and resell them. Pretty nuts.
The "reputable EMS companies" part was an important qualifier. But, as the guy I originally replied to demonstrates, counterfeit risk is a lot higher. I order parts for my projects from Digi-Key.
It's fine as a hobbyist, but once you're making 1000+ then the only way Amazon (which doesn't do volume pricing I think?) can be cheaper is by selling you fakes.
As a hobbyist I buy stuff from ebay, amazon, and aliexpress all the time, but not for anything mains-powered or safety-critical.
I don't follow your comment. I'm not sure how you can claim that solid state relay is fake. Also, poor security practices in IoT devices and counterfeits sound like two completely different topics.
Let me play the devil's advocate:
How can you be sure [1] is fake? To me the picture looks like the real one reported in [2]. It is also 2.5x the price of the fake one reported in [2]. You also say there are lots of unhappy customers, but [1] has only one five-star review. If there were unhappy customers, wouldn't there be more reviews?
> They exist; you can buy them through Digi-Key or Mouser. They cost about 2.5x the fake price
Do you have a link by any chance to compare the prices? I didn't find any on either Digi-key or Mouser.
Also, how are solid state relays related to large quantities of IoT devices? Most people buying IoT devices aren't buying raw components, but a finished product instead (Hue, Nest, cameras, baby monitors, etc.).
Here your main point is against counterfeits, but the issue mentioned in the article is not about counterfeits, it's about bad security. Those IoT devices with low (or non-existent) security unfortunately aren't even fake ones.
> How can you be sure [1] is fake? To me the picture looks like the real one reported in [2].

Read the UL warning notice. Note that the real ones have a bevel in the plastic frame outlining the product label (this prevents putting the label in upside down) while the fake ones do not, even though some have a corner cut on the label. They also say "Taiwan Made", not "Made in Taiwan".
Here's a 5 amp Omron solid state relay in the same form factor on Digi-Key.[1] $24.75. Digi-Key doesn't carry Fotek.
Here's a teardown of a counterfeit relay on Instructables.[2] The author had designed these relays into a larger system and was getting warranty returns of the entire product. It has components sized for maybe half the nameplate current rating. There are complaints on forums from people using these for 3D printer hot bed control, brewing control, freezer control, and "grow rooms". They're a popular way to get an Arduino to switch large AC loads. Under higher loads, some units have been observed to melt. Others failed, sometimes into the ON state.
Animats said, "There's a problem at the China end with crap low-end devices driving out the good ones."
That is the connection between the two topics. You go on Amazon and no one is selling quality. A lawsuit would kill the crap products and you are left with the certified / branded / or otherwise 'proven' good products.
The control points are rapidly becoming retail and payment systems. Suing Amazon, Walmart, Visa, MasterCard, Paypal, etc., for facilitating the commerce of counterfeit and manifestly harmful products seems to be the logical evolution.
Retailers have always been the first point of liability for products. In some jurisdictions it was hard to sue the manufacturer directly - after all, they're not the one you had a contract with.
Payment processors are another matter IMO, and should not be made into product police or underwriters.
With IoT, this may catch the low hanging fruit, sure. Negligence for poor defaults, fine? But then attackers will just evolve to the next lowest fruit. Keep in mind that to some attackers, finding a software or hardware bug to exploit (and weaponising that), even in highly "secure" systems, is probably just a step or two beyond playing with default credential lists.
The author of this article compares the complexity of the Mirai code to that of the Morris worm. It's an apt comparison, but not because the state of IoT has gotten worse -- rather, it's because we haven't gotten that much better at securing our code, on the Internet at large, since 1988.
What I'm trying to say here is negligence suits for IoT will probably just bring a lot of negligence suits and not a more secure Internet. I believe they would only address the symptoms and not the root of the problem and at great risk to innovation.
In one sense, sure. But IMO regulating the IoT "industry" in a general way is a bad idea because it will just shift the low hanging fruit around some, while ultimately stifling innovation, which is what is needed for any deep, meaningful security to happen in the long term.
I cannot take this idea that "innovation" will be stifled because people were told to actually give a shit about what they were doing. Honestly, if it means that fly-by-night groups aren't releasing their "innovations" out there, I'd consider it a pretty good trade.
What I'm ultimately arguing here is that even after the regulators step in and make them give a fuck, I mean really give a fuck, and they are forced to fix the low hanging fruits, these botnets or other similar machinations will still exist. In fact, if we assume the regulations work and actually make things harder to exploit, we can add in the knowledge that the price for using and creating IoT botnets will go up, possibly making botnet creation a more lucrative career than IoT defense. I'm saying we have a technical conundrum that regulation can't regulate away.
Well I think we can agree to disagree on regulation as the method of fixing the issue. Of course we should do something. I'll admit I'm not sure what though and have no better proposal. I just believe regulation is too blunt an instrument.
I don't see how anything but regulation would do it. The companies clearly don't give a shit, and they won't, as they can't really be held accountable.
Given that most of the DDoS attacks come from China, isn't it a reasonable assumption that the Chinese manufacturers are complicit in keeping the system broken?
I haven't seen anything about originations on recent broad internet attacks - any good links? Having done "internet work" for about 20 years, it seems like a reasonable statement, but they certainly are getting harder to pinpoint.
[1] https://www.amazon.com/Frentaly-24V-380V-Solidstate-Arduino-...
[2] http://www.ul.com/newsroom/publicnotices/ul-warns-of-solid-s...
[3] https://www.amazon.com/Industrial-FOTEK-Protective-SSR-100DA...