Spitballing IoT Security

Jean-Francois Mezei jfmezei_nanog at vaxination.ca
Wed Oct 26 17:30:38 UTC 2016

While I agree that fixing home routers is the best approach, something
bugs me.

If an IoT vendor doesn't even know that its devices have telnet or ssh
enabled by default (and hence, no management interface to change
passwords) and only focuses on the web interface it has added, then
how come the kernel would "UPnP" the telnet port to tell the router
to send inbound telnet to that device?

And how do routers deal with multiple cameras each sending a "send port
23 requests to me"?

I can understand a computer sending a UPnP request when you start a game
to tell the router to forward inbound calls to a certain port to that
computer/app.  But for IoT devices that are on all the time, there
should be static setup, not UPnP.
