[AusNOG] What are we going to do about IoT (in)security?

Ross Marston Ross at ramtech.net.au
Mon Jun 12 11:04:22 EST 2017


My view as an InfoSec pro is along the same lines as Michael's above.
The only way this is going to change is by push back from those knowledgeable enough to have a say.  Making people aware of

1. The lack of need to have an internet connected toothbrush

2. The dangers of toothbrush connectivity

3. The potential impact to them and the rest of the community of said connectivity

4. And if you do really need this, then here are the toothbrush manufacturers and products that have put some thought into their product.

The number of hacks of children’s toys that are net connected just grows daily.  I saw a darkweb forum offer recently of a few thousand voice recordings from hacked toy bears available to anyone who wanted to pay.  The wider community needs to make informed choices for manufacturers to stop producing this crap.

Our own homes and sphere of influence are an awesome place to start, but we do need an industry wide approach to stop ill-informed people selling this type of dangerous garbage to a public who may never have the requisite skills to be able to determine independently the inherent “safety” of an IoT device.

I’m thinking ANCAP style…

I have no idea how good my car really is in a bad accident.  The ANCAP rating is 5 (I understand this is dumbed down a lot) but it’s a great starting point for people like me with no way to truly determine a car’s safety capabilities.


Regards
Ross Marston  |  Ramtech Computing Pty Ltd
_______________________________________________________

From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Michael Keating
Sent: Monday, 12 June 2017 10:48 AM
To: Mark Delany <g2x at juliet.emu.st>
Cc: ausnog at ausnog.net
Subject: Re: [AusNOG] What are we going to do about IoT (in)security?

I don't think you'll find many people in the field of Network Administration/Operations, or Systems Administration/Operations (even Help Desk) would be disagreeing with you. It could certainly be argued that the disaster is already in progress, not just waiting to happen.

The bigger, industry-wide issue is a lack of focus on security by manufacturers of home/SOHO devices. Out of the box, the default passwords are well known and virtually never changed. Telstra home gateways don't even need a log-in if you connect to it from the same network... It's like security and access control aren't a thought, let alone an afterthought. Is it because that part of the market "just want stuff to work"? Probably. Is it part of a culture of "not my problem" by these companies? Possibly. Thoughts about security would also impact on the bottom line, which is not great when you're trying to take control of the sub-$200 part of the market. Not that any of this should be an excuse, and certainly something that should be pushed back on by those who will be impacted by the lack of effort.

I certainly don't have answers, but making a point of why this is a problem, in a perfect world, should help enact some change before it knocks us all around.

Regards,

Michael Keating

On Mon, Jun 12, 2017 at 10:31 AM, Mark Delany <g2x at juliet.emu.st> wrote:
It seems that this is a disaster just waiting to happen.

If network appliance companies can't get security right, the chances of
white-goods manufacturers doing so has got to be even less likely. E.g., the
latest model of my electric toothbrush has bluetooth connectivity so
Internet access is surely just a step away. Does a toothbrush manufacturer
attract top-notch security programmers (let alone think they need them)? I
doubt it.

A natural choke point is the residential router/modem. Has any work been
done to define the capabilities or profile of such a choke point that might
inherently protect IOT devices?

Without thinking too hard, I envision a residential router might create a
number of local networks that are constrained in certain ways such as no
inbound connections, no outbound connections, no cross-device connections,
filtered list of external destinations, that sort of thing.

Such constraints might be implemented as separate VLANs or wifi networks or
both, managed in a user-friendly manner. Something that most modern
residential routers could implement today.

When a new device is added to the network, the router portal could be used
to allow it access and place it in the appropriate VLAN. Address-space
management might also work - such as link-local address allocation. Heck, an
IoT device might identify itself in some way and the router could
automatically spin up the appropriate VLAN and firewall rules without any
human intervention.


Beyond constraints, there are also service needs. My new AV receiver likes
to contact their manufacturer's HQ for an NTP service. That could readily be
offered locally rather than opening up wider access. One imagines some sort
of local service discovery might work here, such as Bonjour. Again something
that most modern routers could implement today with ease.

Serendipitously, NBNCo has a list of approved VDSL modems. One wonders
whether that could be extended to a list of modems that support an IoT
security profile?

Sorry about the ramble, but improving IoT security seems like a
multi-faceted problem that we can't afford to ignore. Does anyone disagree?


Mark.
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
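As an added example, not code from the thread: an nftables ruleset for a Linux-based residential router that implements the constrained IoT network Mark sketches above (no inbound connections, no cross-device or IoT-to-LAN traffic, an allowlist of external destinations, and NTP answered locally rather than at the vendor's HQ). Interface names, subnets and the allowlisted prefix are constructed assumptions; source NAT for WAN egress is left out to keep the profile itself in focus.

```nftables
# Constructed topology for this example (not from the thread): WAN on eth0,
# trusted LAN on eth1 (192.168.1.0/24), IoT VLAN 20 tagged on eth1.20
# (192.168.20.0/24). The router is 192.168.20.1 on the IoT VLAN.
define wan = "eth0"
define lan = "eth1"
define iot = "eth1.20"
define router_iot = 192.168.20.1

table inet iot_profile {
    # Vendor endpoints the IoT VLAN may reach. TEST-NET-3 is a placeholder;
    # fill this from the device's documentation or observed traffic.
    set iot_allowed_dst {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname lo accept
        iifname $lan accept
        # IoT devices may use only the router's own DHCP, DNS and NTP
        iifname $iot udp dport { 53, 67, 123 } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Trusted LAN keeps normal Internet access
        iifname $lan oifname $wan accept
        # No new inbound connections towards IoT from WAN or LAN
        # (policy drop already covers this; stated so the intent is visible)
        oifname $iot ct state new drop
        # No IoT -> LAN and no routed IoT -> IoT traffic. Same-VLAN isolation
        # is enforced by the access point's client-isolation setting, not here.
        iifname $iot oifname { $iot, $lan } drop
        # Outbound from IoT only to the allowlisted destinations, HTTPS only
        iifname $iot oifname $wan ip daddr @iot_allowed_dst tcp dport 443 accept
        # Everything else from IoT is logged so new "phone home" endpoints show up
        iifname $iot log prefix "iot-denied: " drop
    }

    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Answer IoT NTP locally instead of letting it reach the vendor's HQ
        iifname $iot udp dport 123 dnat ip to $router_iot
    }
}
```

Load it with `nft -f` and watch the `iot-denied:` log lines for a new device to learn which destinations it actually needs before widening the allowlist.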