Spitballing IoT Security

Valdis.Kletnieks at vt.edu
Wed Oct 26 22:24:16 UTC 2016


On Wed, 26 Oct 2016 15:02:46 -0700, "Ronald F. Guilmette" said:

> i.e. a multitude of wall plates in every room, each one bristling with a
> multitude of RJ11 sockets into which all manner of shiny new IoT things
> will be directly plugged, thence to be issued their own IPv6 addresses
> directly via DHCP from the local provider.

Actually, it seems to be going to wireless/Bluetooth, and DHCP from the
household router.  Note that although a minor difference, it's one that
can be leveraged.  If we can change the dynamic from "plug it in and it
Just Works" to "plug it in, and click the pop-up from your router confirming
that you just added a device, and it Just Works after that", the battle is
3/4 won.  The other 1/4 is the device initially telling the router what sort
of device it is - and we already know how to do that for USB and Bluetooth...

> Given that, and given that "OpenWRT and kin" often provide the end-user
> with readily accessible dials and knobs via which the user can force the
> device to *exceed* legal/FCC limits on power output, I am not persuaded
> that open source WiFi router firmware actually represents a shining
> example of a methodology to prevent inexpensive devices from behaving badly.

Given that out of the box, the default config is in bounds, and it requires
actual user interaction to exceed the limits, and that we don't see a very
large problem out in the wild, I think we have prior art for the concept
that "shipped with default and clued user can reconfigure" is a workable design.
