[AusNOG] What are we going to do about IoT (in)security?

Mark Newton newton at atdot.dotat.org
Tue Jun 13 16:11:07 EST 2017



On 06/13/2017 02:53 PM, Jake Anderson wrote:
> I envisage some kind of discovery protocol that runs when the device 
> is plugged in, to register with the gateway; the customer's smart phone 
> then goes "ping" asking them to accept the device.
> The device gives the gateway some kind of device description ("I'm a 
> camera" or "an air conditioner"), something like the USB HID/mass storage spec.
> The device gives the gateway a static HTML set with branded images and 
> whatever for the gateway to use, with magic <?'s> to trigger the 
> actions in its spec, so the customer gets a pretty UI when they visit 
> "myplace.myisp.net.au".
> (Bonus points for ISPs doing DNS.)

Nobody has implemented, or will implement, that discovery protocol, so 
it's a complete non-starter.

Here's a different view:

We've been happily living our lives for centuries with very poor 
security solutions.

We have doors and locks which only keep honest people out. We've spent 
most of the 200 years before financial system computerization with 
banking security which was 100% reliant on your teller recognizing your 
face, and have more recently switched to a new model which, for most 
citizens, is 100% reliant on the secrecy of 23 digits of card 
number/expiry/CVV. We have always had literally zero protection against 
being physically assaulted at night. If someone wants to DoS your life 
by burning your house down, they'll bloody-well burn it down. "Wire 
fraud" has been a concept that's existed since the invention of the 
telegraph, and we've never had adequate protections against it.

Somehow, we muddle on.

Even with a background radiation level of malware scans running 24x7 on 
the internet, almost none of us get hacked, and those that do almost 
always suffer negligible real damage, and the ones who have suffered 
real damage have generally needed to cooperate to make it happen (e.g., 
retirees on A Current Affair duped into giving remote desktop access to 
that nice helpful man on the telephone from Microsoft who subsequently 
cleans out their bank accounts).

We ignore negligible threats, and we construct norms of society and 
culture that we wrap around the non-negligible ones to make them less 
likely to occur.

We're going to keep doing that.

A lot of scaremongering panic I see about IoT devices seems to be 
predicated on the idea that we had nice comfortable secure existences 
before cloud-enabled teddybears came onto the scene, now all of a sudden 
we don't.

That simply isn't true. We've always had security threats. We will 
always have security threats. Whether those threats come from a 419 
scammer in Nigeria sending Aunty Dora a professional-looking letter 
about her unexpected millions, or from an internet refrigerator, is 
almost academic.

Our challenge isn't to make IoT secure. Our challenge is to construct a 
society that isn't so brittle and fragile that insecure IoT devices are 
capable of blowing up the world.

That is: There isn't a technical solution to this problem. There never 
is. You should all know that by now.


   - mark
