Spitballing IoT Security
Ronald F. Guilmette
rfg at tristatelogic.com
Wed Oct 26 22:02:46 UTC 2016
In message <20161026123043.GA10916 at thyrsus.com>,
"Eric S. Raymond" <esr at thyrsus.com> wrote:
>There is, however, a chokepoint we have more hope of getting decent software
>deployed to. I refer to home and small-business routers. OpenWRT and kin
>are already minor but significant players here. And there's an NRE-minimization
>aregument we can make for router manufacturers to use rebranded versions
>rather than rolling their own crappy firmware.
>I think the anti-IoT-flood strategy that makes the most sense is:
>1. Push open-source firmware that doesn't suck to the vendors with a
> cost- and risk-minimization pitch.
>2. Ship it with egress filters. (And telnet blocked.)
So basically, this is a proposal to "fix" the problem for all IoT devices
that are behind SOHO routers.
I am compelled to note that the grand vision of the Home of the Future[tm],
as it has been presented to me at least, looks rather more like this:
i.e. a multitude of wall plates in every room, each one bristling with a
multitude of RJ11 sockets into which all manner of shiny new IoT things
will be directly plugged, thence to be issued their own IPv6 addresses
directly via DHCP from the local provider.
If I have misunderstood the general direction is which we are all heading,
then I will be only too happy to be disabused of my incorrect notions.
>It wouldn't be technically very difficult to make the firmware
>rate-limit outbound connections...
No, but if you do that to my desktop PeeCee, then I'm gonna be pretty mad
On the other hand, if you come up with a way for devices to somehow signal
to an associated SOHO router that they are either (a) desktop PeeCees or,
in the alternative, IoT devices, and if you should me that you method is
(a) simple and (b) fool-proof and (c) hack-proof, then I'll be the first
one to say that you're really on to something.
P.S. As noted in my prior post, the proplem of regulating IoT devices to
insure that they do not exceed their reasonably expected operational limits,
vis-a-vis outbound bandwidth usage, is in some ways reminicent of the FCC
regulations which, ideally, prevent SOHO WiFi routers from exceeding
reasonable power output limits designed to prevent them from interfering
with other devices.
Given that, and given that "OpenWRT and kin" often provide the end-user
with readily accessible dials and knobs via which the user can force the
device to *exceed* legal/FCC limits on power output, I am not persuaded
that open source WiFi router firmware actually represents a shining
example of a methodology to prevent inexpensive devices from behaving badly.
More information about the NANOG