Spitballing IoT Security
bicknell at ufp.org
Thu Oct 27 11:26:01 UTC 2016
In a message written on Wed, Oct 26, 2016 at 04:40:57PM -0300, jim deleskie wrote:
> So device is certified, bug is found 2 years later. How does this help?
> The info to date is last week's issue was patched by the vendor in Sept
> 2015, I believe is what I read. We know bugs will creep in (source: anyone
> that has worked with code forever). Also certification, assuming it would
> work, in what country? Would I need one per country I sell into? These
> are not the solutions you are looking for (Jedi word play on purpose).
You're referencing a wider problem set than I am trying to solve.
Problems I think consumer safety legislation can solve:
* SSH and Telnet were enabled, but there was no notification in the UI that they were enabled and no way to turn them off. Requirements could be set to show all services in the UI and if they are on or
* There was a hard coded user + pass that the consumer COULD NOT CHANGE, and did not display. Requirements could be set to never hard code an
* That the system has a user-friendly way to update. "Click here to check for update." "Click here to install update."
What consumer safety legislation can't do is ensure a patch is made
available at some point in the future.
As for certification, I will point out minimally all of these
products are already getting CE, UL, and FCC (if Wireless). They
also have to meet other regulations (e.g. RoHS) to be imported. To
really minimize burden, these security items could be added to one
of the existing schemes so there is no additional org. But the
idea that a certification per country is difficult is pretty much
debunked by the fact that it is that way already, multiple times
over in most cases.
Leo Bicknell - bicknell at ufp.org
PGP keys at http://www.ufp.org/~bicknell/