Spitballing IoT Security
matlockken at gmail.com
Thu Oct 27 18:56:02 UTC 2016
And I contend that the device manufacturer is only one part in this.
Yes, the manufacturers need to get better in securing their devices (that's
never been in question).
*But* the end users need to have better CPE that can do NetFlow/Sflow/etc
in a near real-time fashion. This would allow the end-user to act as a
check against the manufacturer(s) and see threats and DDoS packets
originating from their gear in real-time (and on the customer's CPE they
can get MAC or RFC1918 address to narrow it down better).
*But* that doesn't let the SPs off the hook either. The SP needs to be a
check against the end users as well, being able to do real-time (or
near-real time) flow data export/analysis. Why isn't it done currently?
Well, probably a few reasons (and more that I can't even imagine)
1) Cost - It's a real cost to put something like this in place, and upper
management does not want to spend money on something with little to no
2) Availability - How much SP gear even has the option to do any sort of
3) Competition - If I am SP 'A' and I allow my customers to participate in
a DDoS against SP 'B' (who is a competitor of mine), that at least
indirectly harms my competitor, and all I have to do is absolutely nothing,
why would management in SP 'A' lift a finger to fix the problem? (Until the
DDoS is directed at them).
Fixing the current wave of 'IoT' devices and phones and TVs etc. is only
putting a band-aid on a broken arm. It gives the illusion of progress, but
the fact is the reason DDoSes are still a problem (and honestly, they've
been a problem for decades, IRC servers and Netsplits/channel
takeovers/etc), is that each layer in the problem is pointing the finger at
the other layers and declaring them the cause of the problem and washing
their hands of it (not unlike current politics).
Until we accept that it's *everyone's* problem and work to fix the things
under our control and work as an advocate for the other layers, we will
continue to suffer attacks.
> I say again, the only way to solve these problems is if the devices
> are fundamentally secure by design, on the day they first ship to
> customers. Post-sale patching is an ad hoc and haphazard catch-as-
> catch-can solution at best, and it's not something that most manufacturers
> have -any- financial incentive to even do. They already got their
> money, on the day when the consumer bought the device. The rest is
> just an afterthought.
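One concrete form of the CPE-side check described in the post above, as an added example that is not part of the original message: constructed outbound flow summaries (not real captured data) are attributed to internal MAC/RFC1918 addresses and flagged when one source pushes an unusual packet rate toward a single destination, or when traffic leaves the LAN side with a non-RFC1918 source address. The record fields, window length and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of outbound flow records, shaped like what a home router's
# NetFlow/sFlow exporter might summarise over one export window (not real data).
SAMPLE_FLOWS = [
    {"mac": "aa:bb:cc:00:00:01", "src": "192.168.1.10", "dst": "93.184.216.34", "dport": 443, "pkts": 120},
    {"mac": "aa:bb:cc:00:00:01", "src": "192.168.1.10", "dst": "8.8.8.8", "dport": 53, "pkts": 14},
    {"mac": "aa:bb:cc:00:00:22", "src": "192.168.1.20", "dst": "203.0.113.5", "dport": 80, "pkts": 25000},
    {"mac": "aa:bb:cc:00:00:22", "src": "192.168.1.20", "dst": "203.0.113.5", "dport": 80, "pkts": 18000},
    {"mac": "aa:bb:cc:00:00:33", "src": "198.51.100.77", "dst": "203.0.113.9", "dport": 123, "pkts": 900},
]

# RFC 1918 private ranges; anything else seen as a LAN-side source is suspicious.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE)


def analyze_flows(flows, window_s=60, pps_threshold=500):
    """Return a list of (mac, src, reason) findings for one export window.

    window_s and pps_threshold are assumed tuning values; a real deployment
    would baseline them per device.
    """
    per_src = defaultdict(lambda: {"pkts": 0, "dsts": defaultdict(int), "mac": None})
    findings = []
    for f in flows:
        # Egress check: a LAN-side flow whose source is not RFC1918 should not exist.
        if not is_rfc1918(f["src"]):
            findings.append((f["mac"], f["src"], "non-RFC1918 source on LAN side"))
            continue
        s = per_src[f["src"]]
        s["mac"] = f["mac"]          # the MAC lets the user identify the physical device
        s["pkts"] += f["pkts"]
        s["dsts"][f["dst"]] += f["pkts"]
    # Rate check: a single internal host hammering one destination.
    for src, s in per_src.items():
        dst, pk = max(s["dsts"].items(), key=lambda kv: kv[1])
        pps = pk / window_s
        if pps > pps_threshold:
            findings.append((s["mac"], src, f"{pps:.0f} pps to {dst}"))
    return findings


if __name__ == "__main__":
    for mac, src, reason in analyze_flows(SAMPLE_FLOWS):
        print(f"{mac} {src}: {reason}")
```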