<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Have ISPs surveyed the state of ancient & insecure CPEs that
they have supplied<br>
and which are still operating? This has a bearing on things.<br>
<br>
<div class="moz-cite-prefix">On 12/06/2017 6:51 p.m., Narelle wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACRMD1FUse6vXMra1ZD9GrFah4QU-Vyvhqt7BA9hmEptG=LwKQ@mail.gmail.com">
<div dir="ltr"><br>
<br>
On Mon, Jun 12, 2017 at 10:31 AM, Mark Delany <<a
href="mailto:g2x@juliet.emu.st" moz-do-not-send="true">g2x@juliet.emu.st</a>>
wrote:<br>
> It seems that this is a disaster just waiting to happen.<br>
><br>
> If network appliance companies can't get security right,
the chances of<br>
> white-goods manufacturers doing so have got to be even less
likely. E.g., the<br>
> latest model of my electric toothbrush has bluetooth
connectivity so<br>
> Internet access is surely just a step away. Does a
toothbrush manufacturer<br>
> attract top-notch security programmers (let alone think
they need them)? I<br>
> doubt it.<br>
<br>
<br>
The Communications Alliance currently has a Guideline out for
comment on the security of IoT. I encourage you all to comment.
<div>See: <a
href="http://www.commsalliance.com.au/Documents/newsletter/we-communicate/Latest-Edition"
moz-do-not-send="true">http://www.commsalliance.com.au/Documents/newsletter/we-communicate/Latest-Edition</a> </div>
<div><br>
</div>
<div>It will be published as Communications Alliance Industry
Guideline G654:2017 Internet of Things Security once reviewed.<br>
<br>
We at ACCAN have been doing a project on IoT security of smart
home devices and expect to release that data more broadly
later this year. Basically we funded a group of researchers at
UNSW to "examine" the security of a bunch of devices on the
market for Australian consumers. We found most were easily
exploitable with some improvements noted over the course of
the study. <br>
<br>
You're right, a lot of mitigation can be done at the home
gateway, and on the ISP network, and there are a range of
issues today. From not imposing anti-spoofing filters to
shipping home gateways with open ports and default/no passwords,
it doesn't help the situation. Why is it there are so many
people running networks today that can't even spell BCP38??!!
Then along come all these devices without the CPU or memory
capacity to implement additional security after the fact. </div>
<div><br>
</div>
<div>What is likely to cause change are two things: insurers not
covering vendors of these devices when they are insecure; and
getting sued for not being fit for purpose/being exploitable.
This may well apply to network operators as well.</div>
<div><br>
</div>
<div>If you don't implement even baseline security and your
customers face trouble, their insurers may force them to come
after you when the liabilities are sheeted home.<br>
<br>
I never thought I'd ever broach this topic on AUSNOG, but what
the hey, here goes... there is a classic example of how an
insecure device manufacturer can be held liable: <a
href="http://fortune.com/2017/03/10/sex-toy-maker-settlement-smart-vibrator-lawsuit/"
moz-do-not-send="true">http://fortune.com/2017/03/10/sex-toy-maker-settlement-smart-vibrator-lawsuit/</a>
US$3.75 for leaking privacy details in response to a class
action being awarded against them. While this was for breach
of privacy legislation (which wouldn't apply under Australian
rules) it is only inevitable that security issues will also
trigger lawsuits in future. Here as well as elsewhere.
<div> <br>
You also see devices with code cut and pasted from other
systems without any thought of the actual application the
thing is for. The absolute worst example I've seen is
this one: <a
href="https://www.theregister.co.uk/2017/04/04/intimate_adult_toy_fails_penetration_test/"
moz-do-not-send="true">https://www.theregister.co.uk/2017/04/04/intimate_adult_toy_fails_penetration_test/</a>
I truly cannot comprehend what the designers of this were
thinking. </div>
<div><br>
</div>
<div>Privacy and security by design please people... <br>
<br>
<br>
-- <br>
<br>
<br>
Narelle<br>
<a href="mailto:narellec@gmail.com" moz-do-not-send="true">narellec@gmail.com</a></div>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
</blockquote>
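<div>The anti-spoofing filtering Narelle refers to above (BCP38 source address validation on customer-facing ports, and the same idea on a home gateway's LAN side) in working form. This is an added example, not code from the list post or from any vendor; the interface names, assigned prefixes and sample packets are constructed for illustration.</div>

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed example data (not from the list post): the prefixes an ISP has
# assigned to each customer-facing interface. Under BCP38, a packet arriving on
# a customer port may only carry a source address from that port's prefixes.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "ge-0/0/1": ["203.0.113.0/24"],
    "ge-0/0/2": ["198.51.100.0/25", "2001:db8:1::/48"],
}

# The same rule applied at a home gateway (hypothetical interface name): only
# sources inside the LAN prefix may leave the LAN-side interface.
HOME_GATEWAY_PREFIXES: Dict[str, List[str]] = {
    "lan0": ["192.168.1.0/24"],
}


def build_filter(prefixes_by_interface: Dict[str, List[str]]):
    """Parse the textual prefixes once into ip_network objects per interface."""
    return {
        ifname: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for ifname, prefixes in prefixes_by_interface.items()
    }


def ingress_permitted(filters, ifname: str, src: str) -> bool:
    """True when `src` is a legitimate source for a packet arriving on `ifname`.

    Unknown interfaces and malformed addresses fail closed: with no assigned
    prefix there is nothing a packet could legitimately claim as its source.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    nets = filters.get(ifname)
    if not nets:
        return False
    return any(addr in net for net in nets if net.version == addr.version)


def filter_packets(filters, packets) -> Tuple[list, list]:
    """Split packets into (accepted, dropped) according to the ingress filter.

    Each packet is a dict with 'ifname', 'src' and 'dst'; only the arrival
    interface and source address matter for source-address validation.
    """
    accepted, dropped = [], []
    for pkt in packets:
        if ingress_permitted(filters, pkt["ifname"], pkt["src"]):
            accepted.append(pkt)
        else:
            dropped.append(pkt)
    return accepted, dropped


def summarize(prefixes_by_interface, packets) -> Tuple[int, int]:
    """Return (accepted_count, dropped_count) for a prefix map and packet list."""
    accepted, dropped = filter_packets(build_filter(prefixes_by_interface), packets)
    return len(accepted), len(dropped)


# Constructed sample traffic: a legitimate IPv4 and a legitimate IPv6 packet,
# a packet with a spoofed source outside the customer's assignment (what the
# filter exists to drop), one just outside a /25 boundary, and one arriving
# on an interface that has no assignment at all.
SAMPLE_PACKETS = [
    {"ifname": "ge-0/0/1", "src": "203.0.113.7", "dst": "192.0.2.53"},
    {"ifname": "ge-0/0/1", "src": "192.0.2.9", "dst": "198.51.100.200"},
    {"ifname": "ge-0/0/2", "src": "2001:db8:1::10", "dst": "2001:db8:ffff::1"},
    {"ifname": "ge-0/0/2", "src": "198.51.100.130", "dst": "192.0.2.1"},
    {"ifname": "ge-0/0/9", "src": "203.0.113.7", "dst": "192.0.2.1"},
]

if __name__ == "__main__":
    filters = build_filter(CUSTOMER_PREFIXES)
    accepted, dropped = filter_packets(filters, SAMPLE_PACKETS)
    for pkt in dropped:
        print(f"DROP  {pkt['ifname']}: src {pkt['src']} not in assigned prefixes")
    for pkt in accepted:
        print(f"PASS  {pkt['ifname']}: src {pkt['src']}")
```

<div>The check is deliberately per-interface rather than a single global allow list: a source that is valid on one customer port is still spoofed when it turns up on another, and a port with no assignment drops everything rather than passing it by default.</div>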
<br>
</body>
</html>