Spitballing IoT Security
kmedcalf at dessus.com
Thu Oct 27 23:55:19 UTC 2016
> > The problem is in allowing inbound connections and going as far as doing
> > UPnP to tell the CPE router to open a inbound door to let hackers loging
> > to that IoT pet feeder to turn it into an agressive DNS destroyer.
> Well yes. uPnP is a problem precisely because it is some random device
> asserting on its own that it can be trusted to do what it wants. Had
> that assertion come from the manufacturer, at least you would know that
> the device was designed to require that sort of access.**
And why would anyone in their right mind trust the manufacturer to make this decision? <Shudder>
Neither the device nor the manufacturer have the authority to make that decision ... ONLY the owner of the device has that authority, and once made the owner of the device is responsible for *all* consequences resulting from that decision. If the device itself makes the decision (because it is programmed to do so by the manufacturer), then the manufacturer is responsible for all the consequences resulting therefrom.
End Of Line.
More information about the NANOG