Spitballing IoT Security -- Dancing around a solution

Stephen Satchell list at satchell.net
Thu Oct 27 22:42:39 UTC 2016


I've been following the discussion with quite a bit of interest.  What
had become crystal clear to me is that nobody here has been looking at
the problem from the perspective of the manufacturer, particularly how
they actually get product to market.  A la "Dilbert".

The engineer's credo:  "Why build it when you can buy it?"  I doubt very
seriously that manufacturers are starting completely from scratch when
they design their IoT product.  They buy this piece, they buy that
piece, they buy this hunk of software, they buy these hardware
components.  Slap them together, and you have your product.

That being the case, the question of "what happens when the company goes
bankrupt" becomes less of an issue so long at the company who supplied
the IP stack is still around.  By government implementing some
not-unpleasant rules, the companies can outsource the IP stack portion,
including updates.  Then the manufacturers can concentrate on the value
add stuff.

For durable goods like refrigerators and thermostats, you could require
that the IP-capable part be in a plug-replaceable module, so that all
the customer needs to do is go to Home Depot or wherever and get a
replacement module.  Instant update!  The back end of the module would
be a well-defined API so the manufacturer can do his product, divorced
from the Net stuff.  Indeed, it wouldn't take long for the various
industry associations to codify what the modules should look like, both
physically and electrically.

The semiconductor industry did this big time in the TTL days.  There is
precedent.

So what if your washing machine is working perfectly well 15 years into
its lifecycle.  You replace the network module and get the latest and
greatest security updates.

Light bulbs are harder, but even then there is an opportunity for
someone to market an "industry standard" interface that can be upgraded
easily and cheaply.  By the original software vendor.

Can someone say "IoTsoft"?


More information about the NANOG mailing list