Spitballing IoT Security
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Oct 27 18:26:57 UTC 2016
In message <20161027112601.GA17170 at ussenterprise.ufp.org>,
Leo Bicknell <bicknell at ufp.org> wrote:
>Problems I think consumer safety legislation can solve:
>* SSH and Telnet were enabled, but there was no notification in the UI
> that they were enabled and no way to turn them off. Requirements
> could be set to show all services in the UI and if they are on or
>* There was a hard coded user + pass that the consumer COULD NOT CHANGE,
> and did not display. Requirements could be set to never hard code an
>* That the system has a user-friendly way to update. "Click here to
> check for update." "Click here to install update."
I say again, #3 is useless, unless and until you also have legislation
*) Forces tech companies to never go bankrupt.
*) Forces tech companies to -timely- issue security patches for all
"critical" security issues (and good luck legally defining THAT).
*) Forces tech companies to continue to issue security patches for
as long as any "significant" number of the relevant devices
remain actively in use, even if that turns out to be 20 years
You can force a company to implement a "user-friendly way to update",
but what's the point of doing that if the company never issues any
I say again, the only way to solve these problems is if the devices
are fundamentally secure by design, on the day they first ship to
customers. Post-sale patching is an ad hoc and haphazard catch-as-
catch-can solution at best, and it's not something that most manufacturers
have -any- financial incentive to even do. They already got their
money, on the day when the consumer bought the device. The rest is
just an afterthought.
More information about the NANOG