<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Arial Narrow";
panose-1:2 11 6 6 2 2 2 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1278371288;
mso-list-type:hybrid;
mso-list-template-ids:-929950876 201916431 201916441 201916443 201916431 201916441 201916443 201916431 201916441 201916443;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">My view as an InfoSec pro is along the same lines as Michaels above.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">The only way this is going to change is by push back from those knowledgeable enough to have a say. Making people aware of
<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">The lack of need to have an internet connected toothbrush<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">The dangers of toothbrush connectivity<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">The potential impact to them and the rest of the community of said connectivity<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">And if you do really need this, then here are the toothbrush manufacturers and products that have put some thought into their
product.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">The number of hacks of children’s toys that are net connected just grows daily. I saw a darkweb forum offer recently of a few thousand
voice recordings from hacked toy bears available to anyone who wanted to pay. The wider community need to make informed choices for manufactures to stop producing this crap.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Our own homes and sphere of influence is an awesome place to start, but we do need an industry wide approach to stop ill-informed people
selling this type of dangerous garbage to a public who may never have the requisite skills to be able to determine independently the inherent “safety” of an IoT device.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">I’m thinking ANCAP style…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">I have no idea how good my car really is in a bad accident. The ANCAP rating is 5 (I understand this is dumbed down a lot) but it’s
a great starting point for people like me with no way to truly determine a car’s safety capabilities.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Regards</span><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Ross Marston</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:black"> </span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:#F8A65F">|</span><span style="font-size:10.5pt;font-family:"Calibri",sans-serif;color:black"> </span><span style="font-family:"Calibri",sans-serif;color:black">Ramtech
Computing Pty Ltd</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial Narrow",sans-serif;color:#F8A65F">_______________________________________________________<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> AusNOG [mailto:ausnog-bounces@lists.ausnog.net]
<b>On Behalf Of </b>Michael Keating<br>
<b>Sent:</b> Monday, 12 June 2017 10:48 AM<br>
<b>To:</b> Mark Delany <g2x@juliet.emu.st><br>
<b>Cc:</b> ausnog@ausnog.net<br>
<b>Subject:</b> Re: [AusNOG] What are we going to do about IoT (in)security?<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">I don't think you'll find many people in the field of Network Administration/Operations, or Systems Administration/Operations (even Help Desk) would be disagreeing with you. It could certainly be argued that the disaster is already in progress,
not just waiting to happen.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The bigger, industry-wide issue is a lack of focus on security by manufacturers of home/SOHO devices. Out of the box, the default passwords are well known and virtually never changed. Telstra home gateways don't even need a log-in if you
connect to it from the same network... It's like security and access control aren't a thought, let alone an afterthought. Is it because that part of the market "just want stuff to work"? Probably. Is it part of a culture of "not my problem" by these companies?
Possibly. Thoughts about security would also impact on the bottom line, which is not great when you're trying to take control of the sub-$200 part of the market. Not that any of this should be an excuse, and certainly something that should be pushed back on
by those who will be impacted by the lack of effort.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I certainly don't have answers, but making a point of why this is a problem, in a perfect world, should help enact some change before it knocks us all around.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Regards,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Michael Keating<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Jun 12, 2017 at 10:31 AM, Mark Delany <<a href="mailto:g2x@juliet.emu.st" target="_blank">g2x@juliet.emu.st</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<p class="MsoNormal">It seems that this is a disaster just waiting to happen.<br>
<br>
If network appliance companies can't get security right, the chances of<br>
white-goods manufacturers doing so has got to be even less likely. E.g., the<br>
latest model of my electric toothbrush has bluetooth connectivity so<br>
Internet access is surely just a step away. Does a toothbrush manufacturer<br>
attract top-notch security programmers (yet alone think they need them)? I<br>
doubt it.<br>
<br>
A natural choke point is the residential router/modem. Has any work been<br>
done to define the capabilities or profile of such a choke point that might<br>
inherently protect IOT devices?<br>
<br>
Without thinking too hard, I envision a residential router might create a<br>
number of local networks that are constrained in certain ways such as no<br>
inbound connections, no outbound connections, no cross-device connections,<br>
filtered list of external destinations, that sort of thing.<br>
<br>
Such constraints might be implemented as separate VLANs or wifi networks or<br>
both, managed in a user-friendly manner. Something that most modern<br>
residential routers could implement today.<br>
<br>
When a new device is added to the network, the router portal could be used<br>
to allow it access and place it in the appropriate VLAN. Address-space<br>
management might also work - such as link-local address allocation. Heck, an<br>
IoT device might identify itself in some way and the router could<br>
automatically spin up the appropriate VLAN and firewall rules without any<br>
human intervention.<br>
<br>
<br>
Beyond constraints, there are also service needs. My new AV receiver likes<br>
to contact their manufacturer's HQ for an NTP service. That could readily be<br>
offered locally rather than opening up wider access. One imagines some sort<br>
of local service discovery might work here, such as Bonjour. Again something<br>
that most modern routers could implement today with ease.<br>
<br>
Serendipitously, NBNCo has a list of approved VDSL modems. One wonders<br>
whether that could be extended to a list of modems that support an IoT<br>
security profile?<br>
<br>
Sorry about the ramble, but improving IoT security seems like a<br>
multi-faceted problem that we can't afford to ignore. Does anyone disagree?<br>
<br>
<br>
Mark.<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>