Spitballing IoT Security

Wed Oct 26 12:06:34 UTC 2016

On Mon, Oct 24, 2016 at 01:24:59PM -0700, Ronald F. Guilmette wrote:
>    2) Second, once elected I will decree that in future all new IoT devices,
>       and also all updates to firmware for existing IoT devices will have,
>       BUILT IN TO THE KERNEL, code/logic which (a) prevents all outbound TCP
>       session initiation and which also (b) strictly rate-limits all other
>       protocols to some modest value.

I like this idea.  But unfortunately, I think it has no chance of succeeding.

The makers of IoT devices are falling all over themselves to rush products
to market as quickly as possible in order to maximize their profits.  They
have no time for security.  They don't concern themselves with privacy
implications.  They don't run networks so they don't care about the impact
their devices may have on them.  They don't care about liability: many of
them are effectively immune because suing them would mean trans-national
litigation, which is tedious and expensive.  (And even if they lost:
they'd dissolve and reconstitute as another company the next day.)
They don't even care about each other -- I'm pretty sure we're rapidly
approaching the point where toasters will be used to attack garage door
openers and washing machines.

I think our working assumption should be that there will be zero cooperation
from the IoT vendors.  (Yeah, once in a while one might actually step up,
but that will merely be a happy anomaly.)

After all, why should they care?  It doesn't impact their profits,
and profits are all they care about.  They're not the ones fielding
support calls or frantically trying to stop a DoS or trying to work
out a mitigation strategy or participating in this discussion thread.
So they don't care.  They don't have to.

---rsk