[AusNOG] What are we going to do about IoT (in)security?
Alan Maher
alanmaher at gmail.com
Mon Jun 12 17:50:58 EST 2017
Have ISPs surveyed the state of ancient and insecure CPEs that they have
supplied and which are still operating? This has a bearing on things.
On 12/06/2017 6:51 p.m., Narelle wrote:
>
>
> On Mon, Jun 12, 2017 at 10:31 AM, Mark Delany <g2x at juliet.emu.st
> <mailto:g2x at juliet.emu.st>> wrote:
> > It seems that this is a disaster just waiting to happen.
> >
> > If network appliance companies can't get security right, the chances of
> > white-goods manufacturers doing so have got to be even less likely. E.g.,
> > the latest model of my electric toothbrush has bluetooth connectivity so
> > Internet access is surely just a step away. Does a toothbrush
> > manufacturer attract top-notch security programmers (let alone think they
> > need them)? I doubt it.
>
>
> The Communications Alliance currently has a Guideline out for comment
> on the security of IoT. I encourage you all to comment.
> See:
> http://www.commsalliance.com.au/Documents/newsletter/we-communicate/Latest-Edition
>
>
> It will be published as Communications Alliance Industry Guideline
> G654:2017 Internet of Things Security once reviewed.
>
> We at ACCAN have been doing a project on IoT security of smart home
> devices and expect to release that data more broadly later this year.
> Basically we funded a group of researchers at UNSW to "examine" the
> security of a bunch of devices on the market for Australian consumers.
> We found most were easily exploitable with some improvements noted
> over the course of the study.
>
> You're right, a lot of mitigation can be done at the home gateway, and
> on the ISP network, and there are a range of issues today. From not
> imposing anti-spoofing filters to shipping home gateways with open
> ports and default/no password it doesn't help the situation. Why is it
> there are so many people running networks today that can't even spell
> BCP38??!! Then along come all these devices without the CPU or memory
> capacity to implement additional security after the fact.
>
> What is likely to cause change are two things: insurers not covering
> vendors of these devices when they are insecure; and getting sued for
> not being fit for purpose/being exploitable. This may well apply to
> network operators as well.
>
> If you don't implement even baseline security and your customers face
> trouble, their insurers may force them to come after you when the
> liabilities are sheeted home.
>
> I never thought I'd ever broach this topic on AUSNOG, but what the
> hey, here goes... there is a classic example of how an insecure device
> manufacturer can be held liable:
> http://fortune.com/2017/03/10/sex-toy-maker-settlement-smart-vibrator-lawsuit/
> US$3.75 for leaking privacy details in response to a class action
> being awarded against them. While this was for breach of privacy
> legislation (which wouldn't apply under Australian rules) it is only
> inevitable that security issues will also trigger law suits in future.
> Here as well as elsewhere.
>
> You also see devices with code cut and pasted from other systems
> without any thought of the actual application the thing is for. The
> absolute worst example I've seen is this one:
> https://www.theregister.co.uk/2017/04/04/intimate_adult_toy_fails_penetration_test/
> I truly cannot comprehend what the designers of this were thinking.
>
> Privacy and security by design please people...
>
>
> --
>
>
> Narelle
> narellec at gmail.com <mailto:narellec at gmail.com>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
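The anti-spoofing (BCP38 / RFC 2827) ingress filtering that the quoted reply complains is so often missing, as an added worked example that is not part of this thread: the per-packet decision an ISP access edge or a home gateway makes before forwarding traffic, written in Python so it can be read and run offline. The interface names, assigned prefixes and sample packets are constructed for the example; on real equipment the same policy is an interface ACL or strict uRPF, not a script.

```python
"""BCP38 / RFC 2827 ingress filtering, illustrated on constructed packets.

The rule: drop any packet whose source address could not legitimately have
entered on the interface it arrived on. On an ISP customer port that means
the customer's assigned prefixes; on a home gateway's LAN side it means the
LAN subnet. Interfaces, prefixes and packets below are made up for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assignment table: ingress interface -> prefixes that may source
# traffic there (what an ISP's provisioning system knows per customer port).
ASSIGNED = {
    "cust-a": [ip_network("203.0.113.0/29"), ip_network("2001:db8:a::/48")],
    "cust-b": [ip_network("198.51.100.64/26")],
}

# Source ranges that must never arrive from a customer port, whatever is
# assigned: unspecified, loopback, private, link-local, multicast/reserved.
BOGON_SOURCES = [
    ip_network("0.0.0.0/8"), ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8"),
    ip_network("169.254.0.0/16"), ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"), ip_network("224.0.0.0/3"),
    ip_network("::/128"), ip_network("::1/128"), ip_network("fe80::/10"),
    ip_network("fc00::/7"), ip_network("ff00::/8"),
]


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str       # source address as written in the IP header
    dst: str       # destination (not used by the filter, kept for realism)


def verdict(pkt: Packet) -> str:
    """Return 'accept' or 'drop:<reason>' for one inbound packet.

    Order matters: bogon sources are rejected before consulting the
    assignment table so a misconfigured table cannot let RFC 1918 space out.
    ipaddress membership tests return False across IPv4/IPv6, so mixed
    tables are safe.
    """
    try:
        src = ip_address(pkt.src)
    except ValueError:
        return "drop:unparseable-source"
    if any(src in net for net in BOGON_SOURCES):
        return "drop:bogon-source"
    prefixes = ASSIGNED.get(pkt.ingress)
    if prefixes is None:
        return "drop:unknown-interface"   # default-deny for unprovisioned ports
    if not any(src in net for net in prefixes):
        return "drop:spoofed-source"      # the BCP38 case proper
    return "accept"


def filter_packets(packets):
    """Apply verdict() to a batch; returns (accepted, dropped) lists of (pkt, verdict)."""
    accepted, dropped = [], []
    for p in packets:
        v = verdict(p)
        (accepted if v == "accept" else dropped).append((p, v))
    return accepted, dropped


# Constructed sample traffic: one legitimate v4, one legitimate v6, one
# customer spoofing another customer's range, one spoofing RFC 1918 space,
# one from a port with no assignment, one garbage header.
SAMPLE = [
    Packet("cust-a", "203.0.113.3", "192.0.2.10"),
    Packet("cust-a", "2001:db8:a::5", "2001:db8::1"),
    Packet("cust-a", "198.51.100.70", "192.0.2.10"),
    Packet("cust-b", "192.168.1.20", "192.0.2.10"),
    Packet("cust-c", "203.0.113.3", "192.0.2.10"),
    Packet("cust-b", "not-an-ip", "192.0.2.10"),
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    for p, v in ok + bad:
        print(f"{p.ingress:7} {p.src:>16} -> {v}")
```

The script makes the policy explicit; the operational point is that the assignment table must be fed from provisioning data, and that the default for an interface with no entry is drop, not accept.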