[AusNOG] What are we going to do about IoT (in)security?

Michael Keating mkeating44 at gmail.com
Mon Jun 12 10:48:20 EST 2017


I don't think you'll find many people in the field of Network
Administration/Operations, or Systems Administration/Operations (even Help
Desk) would be disagreeing with you. It could certainly be argued that the
disaster is already in progress, not just waiting to happen.

The bigger, industry-wide issue is a lack of focus on security by
manufacturers of home/SOHO devices. Out of the box, the default passwords
are well known and virtually never changed. Telstra home gateways don't
even need a log-in if you connect to them from the same network... It's like
security and access control aren't a thought, let alone an afterthought. Is
it because that part of the market "just want stuff to work"? Probably. Is
it part of a culture of "not my problem" by these companies? Possibly.
Thoughts about security would also impact on the bottom line, which is not
great when you're trying to take control of the sub-$200 part of the
market. Not that any of this should be an excuse, and certainly something
that should be pushed back on by those who will be impacted by the lack of
effort.

I certainly don't have answers, but making a point of why this is a
problem, in a perfect world, should help enact some change before it knocks
us all around.

Regards,

Michael Keating

On Mon, Jun 12, 2017 at 10:31 AM, Mark Delany <g2x at juliet.emu.st> wrote:

> It seems that this is a disaster just waiting to happen.
>
> If network appliance companies can't get security right, the chances of
> white-goods manufacturers doing so have got to be even less likely. E.g.,
> the latest model of my electric toothbrush has Bluetooth connectivity so
> Internet access is surely just a step away. Does a toothbrush manufacturer
> attract top-notch security programmers (let alone think they need them)? I
> doubt it.
>
> A natural choke point is the residential router/modem. Has any work been
> done to define the capabilities or profile of such a choke point that might
> inherently protect IoT devices?
>
> Without thinking too hard, I envision a residential router might create a
> number of local networks that are constrained in certain ways such as no
> inbound connections, no outbound connections, no cross-device connections,
> filtered list of external destinations, that sort of thing.
>
> Such constraints might be implemented as separate VLANs or wifi networks or
> both, managed in a user-friendly manner. Something that most modern
> residential routers could implement today.
>
> When a new device is added to the network, the router portal could be used
> to allow it access and place it in the appropriate VLAN. Address-space
> management might also work - such as link-local address allocation. Heck,
> an IoT device might identify itself in some way and the router could
> automatically spin up the appropriate VLAN and firewall rules without any
> human intervention.
>
>
> Beyond constraints, there are also service needs. My new AV receiver likes
> to contact their manufacturer's HQ for an NTP service. That could readily
> be offered locally rather than opening up wider access. One imagines some
> sort of local service discovery might work here, such as Bonjour. Again
> something that most modern routers could implement today with ease.
>
> Serendipitously, NBNCo has a list of approved VDSL modems. One wonders
> whether that could be extended to a list of modems that support an IoT
> security profile?
>
> Sorry about the ramble, but improving IoT security seems like a
> multi-faceted problem that we can't afford to ignore. Does anyone disagree?
>
>
> Mark.
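
The constrained local networks described in the quoted message (no inbound connections, no outbound connections, a filtered list of external destinations, NTP offered locally) can be written as a router firewall policy. The ruleset below is an added example, not part of either post: it assumes a Linux-based router running nftables, and the interface names, VLAN numbers and allowlisted addresses are placeholders.

```nftables
#!/usr/sbin/nft -f
# Constructed example. Interface names and addresses are assumptions.
define WAN       = "wan0"
define LAN       = "br-lan"   # trusted home network
define IOT_OUT   = "vlan20"   # IoT: outbound to allowlisted destinations only
define IOT_LOCAL = "vlan30"   # IoT: no Internet access in either direction

table inet iot_profile {
    # Placeholder destinations (documentation ranges), e.g. a vendor cloud.
    set iot_dst_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.10 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname { $IOT_OUT, $IOT_LOCAL } jump from_iot
        oifname { $IOT_OUT, $IOT_LOCAL } jump to_iot
    }

    chain from_iot {
        ct state established,related accept      # replies to LAN-initiated flows
        iifname $IOT_OUT oifname $WAN ip daddr @iot_dst_v4 accept
        limit rate 10/minute log prefix "iot-fwd-drop "
        drop    # everything else, including IoT-to-IoT across segments and IPv6
    }

    chain to_iot {
        ct state established,related accept      # replies to allowlisted flows
        iifname $LAN accept                       # owner's devices may initiate
        drop                                      # nothing new from WAN
    }

    chain input {
        type filter hook input priority 0; policy accept;
        iifname { $IOT_OUT, $IOT_LOCAL } jump iot_to_router
    }

    chain iot_to_router {
        ct state established,related accept
        udp dport { 53, 67, 123 } accept          # DNS, DHCP, NTP served locally
        tcp dport 53 accept
        drop                                      # no access to the admin portal
    }
}
```

Traffic between two devices on the same VLAN is switched at layer 2 and never reaches these chains, so the "no cross-device connections" constraint also needs client isolation on the access point or port isolation on the bridge.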