[AusNOG] What are we going to do about IoT (in)security?

Narelle narellec at gmail.com
Mon Jun 12 16:51:13 EST 2017


On Mon, Jun 12, 2017 at 10:31 AM, Mark Delany <g2x at juliet.emu.st> wrote:
> It seems that this is a disaster just waiting to happen.
>
> If network appliance companies can't get security right, the chances of
> white-goods manufacturers doing so has got to be even less likely. E.g., the
> latest model of my electric toothbrush has Bluetooth connectivity so
> Internet access is surely just a step away. Does a toothbrush manufacturer
> attract top-notch security programmers (let alone think they need them)? I
> doubt it.


The Communications Alliance currently has a Guideline out for comment on
the security of IoT. I encourage you all to comment.
See:
http://www.commsalliance.com.au/Documents/newsletter/we-communicate/Latest-Edition


It will be published as Communications Alliance Industry Guideline
G654:2017 Internet of Things Security once reviewed.

We at ACCAN have been doing a project on IoT security of smart home devices
and expect to release that data more broadly later this year. Basically we
funded a group of researchers at UNSW to "examine" the security of a bunch
of devices on the market for Australian consumers. We found most were
easily exploitable with some improvements noted over the course of the
study.

You're right, a lot of mitigation can be done at the home gateway and on
the ISP network, and there are a range of issues today. From not imposing
anti-spoofing filters to shipping home gateways with open ports and
default/no passwords, none of it helps the situation. Why is it there are so
many people running networks today that can't even spell BCP38??!! Then
along come all these devices without the CPU or memory capacity to
implement additional security after the fact.

What is likely to cause change are two things: insurers not covering
vendors of these devices when they are insecure; and getting sued for not
being fit for purpose/being exploitable. This may well apply to network
operators as well.

If you don't implement even baseline security and your customers face
trouble, their insurers may force them to come after you when the
liabilities are sheeted home.

I never thought I'd ever broach this topic on AUSNOG, but what the hey,
here goes... there is a classic example of how an insecure device
manufacturer can be held liable:
http://fortune.com/2017/03/10/sex-toy-maker-settlement-smart-vibrator-lawsuit/
US$3.75 awarded against them in a class action for leaking privacy
details. While this was for breach of privacy legislation (which wouldn't
apply under Australian rules), it is inevitable that security issues will
also trigger lawsuits in future. Here as well as elsewhere.

You also see devices with code cut and pasted from other systems without
any thought of the actual application the thing is for. The absolute
worst example I've seen is this one:
https://www.theregister.co.uk/2017/04/04/intimate_adult_toy_fails_penetration_test/
I truly cannot comprehend what the designers of this were thinking.

Privacy and security by design please people...


-- 


Narelle
narellec at gmail.com
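The post above laments how many operators still don't implement BCP38. As an added example (not code from the post, from ACCAN, or from the Communications Alliance guideline), the following models the source-address check that BCP38 ingress filtering performs at an ISP's customer edge: a packet arriving on a customer-facing interface is forwarded only if its source address lies within a prefix assigned to that interface, otherwise it is treated as spoofed and dropped. The interface names, prefix assignments and sample packets are constructed for the example and are not taken from any real network.

```python
"""BCP38-style source address validation at an ISP customer edge.

Added example, not from the AusNOG post. It implements the strict-mode
ingress check: a packet is forwarded only when its source address falls
inside a prefix assigned to the interface it arrived on. Everything
below (interface names, prefixes, packets) is constructed sample data.
"""
import ipaddress

# Prefixes assigned to each customer-facing interface (constructed).
INTERFACE_PREFIXES = {
    "ge-0/0/1": ["203.0.113.0/26", "2001:db8:1::/48"],
    "ge-0/0/2": ["203.0.113.64/26"],
}

# Constructed sample packets: (ingress interface, source address).
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.10"),     # legitimate customer source
    ("ge-0/0/1", "203.0.113.70"),     # belongs to ge-0/0/2: spoofed
    ("ge-0/0/1", "2001:db8:1::10"),   # legitimate IPv6 source
    ("ge-0/0/2", "8.8.8.8"),          # classic reflection-attack spoof
    ("ge-0/0/2", "224.0.0.1"),        # multicast can never be a source
    ("ge-0/0/3", "203.0.113.130"),    # interface with no assigned prefix
]


def _networks(iface):
    """Prefixes configured on an interface as ip_network objects."""
    return [ipaddress.ip_network(p) for p in INTERFACE_PREFIXES.get(iface, [])]


def bcp38_check(iface, src):
    """Return ("forward" | "drop", reason) for one packet.

    Strict mode: the source must be inside one of the prefixes on the
    ingress interface. ipaddress.ip_network.__contains__ returns False
    when the address and network families differ, so mixed v4/v6
    configurations are handled without special casing.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "unparseable source address")
    if addr.is_multicast or addr.is_loopback or addr.is_unspecified:
        return ("drop", "source address can never be legitimately sourced")
    nets = _networks(iface)
    if not nets:
        return ("drop", f"no prefixes assigned to {iface}")
    for net in nets:
        if addr in net:
            return ("forward", f"{src} within {net} on {iface}")
    return ("drop", f"{src} not within any prefix on {iface} (spoofed)")


def filter_packets(packets):
    """Split packets into (forwarded, dropped) lists with their reasons."""
    forwarded, dropped = [], []
    for iface, src in packets:
        verdict, reason = bcp38_check(iface, src)
        (forwarded if verdict == "forward" else dropped).append((iface, src, reason))
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    for iface, src, reason in fwd:
        print(f"FORWARD {iface:9} {src:16} {reason}")
    for iface, src, reason in drp:
        print(f"DROP    {iface:9} {src:16} {reason}")
```

The loose-mode variant some vendors offer (accept if the source is routable via any interface) would let the 203.0.113.70 packet through; strict mode as modelled here is what BCP38 actually asks for on single-homed customer ports.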