[AusNOG] What are we going to do about IoT (in)security?

Mark Delany g2x at juliet.emu.st
Mon Jun 12 10:31:24 EST 2017


It seems that this is a disaster just waiting to happen.

If network appliance companies can't get security right, the chances of
white-goods manufacturers doing so has got to be even less likely. E.g., the
latest model of my electric toothbrush has bluetooth connectivity so
Internet access is surely just a step away. Does a toothbrush manufacturer
attract top-notch security programmers (let alone think they need them)? I
doubt it.

A natural choke point is the residential router/modem. Has any work been
done to define the capabilities or profile of such a choke point that might
inherently protect IoT devices?

Without thinking too hard, I envision a residential router might create a
number of local networks that are constrained in certain ways such as no
inbound connections, no outbound connections, no cross-device connections,
filtered list of external destinations, that sort of thing.

Such constraints might be implemented as separate VLANs or wifi networks or
both, managed in a user-friendly manner. Something that most modern
residential routers could implement today.

When a new device is added to the network, the router portal could be used
to allow it access and place it in the appropriate VLAN. Address-space
management might also work - such as link-local address allocation. Heck, an
IoT device might identify itself in some way and the router could
automatically spin up the appropriate VLAN and firewall rules without any
human intervention.


Beyond constraints, there are also service needs. My new AV receiver likes
to contact its manufacturer's HQ for an NTP service. That could readily be
offered locally rather than opening up wider access. One imagines some sort
of local service discovery might work here, such as Bonjour. Again something
that most modern routers could implement today with ease.

Serendipitously, NBNCo has a list of approved VDSL modems. One wonders
whether that could be extended to a list of modems that support an IoT
security profile?

Sorry about the ramble, but improving IoT security seems like a
multi-faceted problem that we can't afford to ignore. Does anyone disagree?


Mark.
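As an added illustration of the constrained IoT network the post sketches (no inbound, no access to the trusted LAN, an allow-list of external destinations, and NTP/DNS served locally by the router), here is an nftables ruleset written for this page, not code from the post or from any router vendor. It assumes a Linux router with `eth0` as WAN, `br-lan` as the trusted LAN, `br-iot` as the IoT VLAN, and uses 203.0.113.0/24 as a placeholder for the vendor's cloud range.

```shell
#!/bin/sh
# Constructed example: print an nftables ruleset that fences off an IoT VLAN.
# Assumed interfaces: eth0 = WAN, br-lan = trusted LAN, br-iot = IoT VLAN.
# 203.0.113.0/24 is a placeholder for the manufacturer's cloud addresses.
# IPv4 only for brevity; device-to-device isolation inside br-iot is a
# layer-2 setting (AP client isolation / bridge filtering), not shown here.
iot_ruleset() {
cat <<'EOF'
table inet iot_guard {
    set iot_allowed_v4 {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        iifname "br-lan" accept
        # IoT devices may only use the router's own DHCP, DNS and NTP
        iifname "br-iot" udp dport { 53, 67, 123 } accept
        iifname "br-iot" tcp dport 53 accept
        iifname "br-iot" drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # trusted LAN may reach the Internet and may talk to IoT devices
        iifname "br-lan" oifname "eth0" accept
        iifname "br-lan" oifname "br-iot" accept
        # IoT devices never reach the trusted LAN, and only allow-listed
        # external destinations; everything else is logged then dropped
        iifname "br-iot" oifname "br-lan" drop
        iifname "br-iot" oifname "eth0" ip daddr @iot_allowed_v4 accept
        iifname "br-iot" log prefix "iot-blocked: " drop
    }
}
EOF
}

# Apply on the router with: iot_ruleset | nft -f -   (root, nftables >= 0.9)
```

The `iot-blocked:` log prefix gives a cheap detection signal: a device that suddenly tries destinations outside the allow-list is worth a look.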