<div dir="ltr"><div><div><div><div><div>We're discussing maybe 3 different things:<br><br></div>1 - the security delivered as part of a provider service. When you sign up with an ISP, you sign up for a service. Security can and in future will need to be part of that service.<br></div>2 - security on the CE router. Most people on this list will run a firewall, and a great many will run PVLANs.<br></div>3 - security on the IoT devices themselves. How it is developed, packaged, and maintained.<br><br></div>All of this presently is consumer driven, and very much caveat emptor, but as Ross Marston points out, consumers are not experts in the field of infosec. I can't think we can persist with a deregulated market if the relevant industries demonstrate incapacity to keep their house in order. A very small step I would propose, we already have a mandated monopoly on wholesale household internet. Either the NBN could implement a scheme similar to ANCAP for hardened CEs, or the government can easily direct such a scheme through legislation.<br><br></div>As a quiet aside, everyone's keen to insist security measures are adopted, but there is the unaddressed gap between the internet as originally envisaged as a platform for open any to any communications, and the needs of what has grown into a global platform requiring confidentiality and authenticity, never part of the original internet blueprint. The root cause being the lack of a data protocol that can deliver end to end security, and the lack of a security plane in the ISO stack.<br><div><div><br><div><div>Kind regards<br><br></div><div>Paul Wilkins<br></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 12 June 2017 at 17:50, Alan Maher <span dir="ltr"><<a href="mailto:alanmaher@gmail.com" target="_blank">alanmaher@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Have ISP's surveyed the state of ancient & insecure CPE's that
they have supplied<br>
and which are still operating? This has a bearing on things.<div><div class="h5"><br>
<br>
<div class="m_-2782940634075169157moz-cite-prefix">On 12/06/2017 6:51 p.m., Narelle wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr"><br>
<br>
On Mon, Jun 12, 2017 at 10:31 AM, Mark Delany <<a href="mailto:g2x@juliet.emu.st" target="_blank">g2x@juliet.emu.st</a>>
wrote:<br>
> It seems that this is a disaster just waiting to happen.<br>
><br>
> If network appliance companies can't get security right,
the chances of<br>
> white-goods manufacturers doing so has got to be even less
likely. E.g., the<br>
> latest model of my electric toothbrush has bluetooth
connectivity so<br>
> Internet access is surely just a step away. Does a
toothbrush manufacturer<br>
> attract top-notch security programmers (yet alone think
they need them)? I<br>
> doubt it.<br>
<br>
<br>
The Communications Alliance currently has a Guideline out for
comment on the security of IoT. I encourage you all to comment.
<div>See: <a href="http://www.commsalliance.com.au/Documents/newsletter/we-communicate/Latest-Edition" target="_blank">http://www.commsalliance.<wbr>com.au/Documents/newsletter/<wbr>we-communicate/Latest-Edition</a> <wbr> </div>
<div><br>
</div>
<div>It will be published as Communications Alliance Industry
Guideline G654:2017 Internet of Things Security once reviewed.<br>
<br>
We at ACCAN have been doing a project on IoT security of smart
home devices and expect to release that data more broadly
later this year. Basically we funded a group of researchers at
UNSW to "examine" the security of a bunch of devices on the
market for Australian consumers. We found most were easily
exploitable with some improvements noted over the course of
the study. <br>
<br>
You're right, a lot of mitigation can be done at the home
gateway, and on the ISP network, and there are a range of
issues today. From not imposing anti-spoofing filters to
shipping home gateways with open ports and default/no password
it doesn't help the situation. Why is it there are so many
people running networks today that can't even spell BCP38??!!
Then along come all these devices without the CPU or memory
capacity to implement additional security after the fact. </div>
<div><br>
</div>
<div>What is likely to cause change are two things: insurers not
covering vendors of these devices when they are insecure; and
getting sued for not being fit for purpose/being exploitable.
This may well apply to network operators as well.</div>
<div><br>
</div>
<div>If you don't implement even baseline security and your
customers face trouble, their insurers may force them to come
after you when the liabilities are sheeted home.<br>
<br>
I never thought I'd ever broach this topic on AUSNOG, but what
the hey, here goes... there is a classic example of how an
insecure device manufacturer can be held liable: <a href="http://fortune.com/2017/03/10/sex-toy-maker-settlement-smart-vibrator-lawsuit/" target="_blank">http://fortune.com/2017/03/10/<wbr>sex-toy-maker-settlement-<wbr>smart-vibrator-lawsuit/</a>
US$3.75 for leaking privacy details in response to a class
action being awarded against them. While this was for breach
of privacy legislation (which wouldn't apply under Australian
rules) it is only inevitable that security issues will also
trigger law suits in future. Here as well as elsewhere.
<div> <br>
You also see devices with code cut and pasted from other
systems without any thought of the actual application the
thing is for. The absolute most worst example I've seen is
this one: <a href="https://www.theregister.co.uk/2017/04/04/intimate_adult_toy_fails_penetration_test/" target="_blank">https://www.theregister.<wbr>co.uk/2017/04/04/intimate_<wbr>adult_toy_fails_penetration_<wbr>test/</a>
I truly cannot comprehend what the designers of this were
thinking. </div>
<div><br>
</div>
<div>Privacy and security by design please people... <br>
<br>
<br>
-- <br>
<br>
<br>
Narelle<br>
<a href="mailto:narellec@gmail.com" target="_blank">narellec@gmail.com</a></div>
</div>
</div>
<br>
<fieldset class="m_-2782940634075169157mimeAttachmentHeader"></fieldset>
<br>
</div></div><span class=""><pre>______________________________<wbr>_________________
AusNOG mailing list
<a class="m_-2782940634075169157moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a>
<a class="m_-2782940634075169157moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/<wbr>mailman/listinfo/ausnog</a>
</pre>
</span></blockquote>
<br>
<div id="m_-2782940634075169157DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2"><br>
<table style="border-top:1px solid #d3d4de">
<tbody><tr>
<td style="width:55px;padding-top:13px"><a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient" target="_blank"><img src="https://ipmcdn.avast.com/images/icons/icon-envelope-tick-round-orange-animated-no-repeat-v1.gif" alt="" style="width:46px;height:29px" width="46" height="29"></a></td>
<td style="width:470px;padding-top:12px;color:#41424e;font-size:13px;font-family:Arial,Helvetica,sans-serif;line-height:18px">Virus-free. <a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient" style="color:#4453ea" target="_blank">www.avast.com</a>
</td>
</tr>
</tbody></table><a href="#m_-2782940634075169157_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2" width="1" height="1"> </a></div></div>
<br>______________________________<wbr>_________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/<wbr>mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br></div>