[AusNOG] What are we going to do about IoT (in)security?

Paul Wilkins paulwilkins369 at gmail.com
Mon Jun 12 19:14:07 EST 2017


We're discussing maybe 3 different things:

1 - the security delivered as part of a provider service. When you sign up
with an ISP, you sign up for a service. Security can and in future will
need to be part of that service.
2 - security on the CE router. Most people on this list will run a
firewall, and a great many will run PVLANs.
3 - security on the IoT devices themselves. How it is developed, packaged,
and maintained.

All of this presently is consumer driven, and very much caveat emptor, but
as Ross Marston points out, consumers are not experts in the field of
infosec. I can't think we can persist with a deregulated market if the
relevant industries demonstrate incapacity to keep their house in order. A
very small step I would propose, we already have a mandated monopoly on
wholesale household internet. Either the NBN could implement a scheme
similar to ANCAP for hardened CEs, or the government can easily direct such
a scheme through legislation.

As a quiet aside, everyone's keen to insist security measures are adopted,
but there is the unaddressed gap between the internet as originally
envisaged as a platform for open any to any communications, and the needs
of what has grown into a global platform requiring confidentiality and
authenticity, never part of the original internet blueprint. The root cause
being the lack of a data protocol that can deliver end to end security, and
the lack of a security plane in the ISO stack.

Kind regards

Paul Wilkins

On 12 June 2017 at 17:50, Alan Maher <alanmaher at gmail.com> wrote:

> Have ISP's surveyed the state of ancient & insecure CPE's that they have
> supplied
> and which are still operating? This has a bearing on things.
>
>
> On 12/06/2017 6:51 p.m., Narelle wrote:
>
>
>
> On Mon, Jun 12, 2017 at 10:31 AM, Mark Delany <g2x at juliet.emu.st> wrote:
> > It seems that this is a disaster just waiting to happen.
> >
> > If network appliance companies can't get security right, the chances of
> > white-goods manufacturers doing so has got to be even less likely. E.g.,
> the
> > latest model of my electric toothbrush has bluetooth connectivity so
> > Internet access is surely just a step away. Does a toothbrush
> manufacturer
> > attract top-notch security programmers (yet alone think they need them)?
> I
> > doubt it.
>
>
> The Communications Alliance currently has a Guideline out for comment on
> the security of IoT. I encourage you all to comment.
> See: http://www.commsalliance.com.au/Documents/newsletter/
> we-communicate/Latest-Edition
>
> It will be published as Communications Alliance Industry Guideline
> G654:2017 Internet of Things Security once reviewed.
>
> We at ACCAN have been doing a project on IoT security of smart home
> devices and expect to release that data more broadly later this year.
> Basically we funded a group of researchers at UNSW to "examine" the
> security of a bunch of devices on the market for Australian consumers. We
> found most were easily exploitable with some improvements noted over the
> course of the study.
>
> You're right, a lot of mitigation can be done at the home gateway, and on
> the ISP network, and there are a range of issues today. From not imposing
> anti-spoofing filters to shipping home gateways with open ports and
> default/no password it doesn't help the situation. Why is it there are so
> many people running networks today that can't even spell BCP38??!! Then
> along come all these devices without the CPU or memory capacity to
> implement additional security after the fact.
>
> What is likely to cause change are two things: insurers not covering
> vendors of these devices when they are insecure; and getting sued for not
> being fit for purpose/being exploitable. This may well apply to network
> operators as well.
>
> If you don't implement even baseline security and your customers face
> trouble, their insurers may force them to come after you when the
> liabilities are sheeted home.
>
> I never thought I'd ever broach this topic on AUSNOG, but what the hey,
> here goes... there is a classic example of how an insecure device
> manufacturer can be held liable: http://fortune.com/2017/03/10/
> sex-toy-maker-settlement-smart-vibrator-lawsuit/  US$3.75 for leaking
> privacy details in response to a class action being awarded against them.
> While this was for breach of privacy legislation (which wouldn't apply
> under Australian rules) it is only inevitable that security issues will
> also trigger law suits in future. Here as well as elsewhere.
>
> You also see devices with code cut and pasted from other systems without
> any thought of the actual application the thing is for. The absolute most
> worst example I've seen is this one: https://www.theregister.
> co.uk/2017/04/04/intimate_adult_toy_fails_penetration_test/  I truly
> cannot comprehend what the designers of this were thinking.
>
> Privacy and security by design please people...
>
>
> --
>
>
> Narelle
> narellec at gmail.com
>
>
> _______________________________________________
> AusNOG mailing listAusNOG at lists.ausnog.nethttp://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>
>
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient> Virus-free.
> www.avast.com
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>
> <#m_-2782940634075169157_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20170612/49c3e4d0/attachment.html>


More information about the AusNOG mailing list