Spitballing IoT Security

Eliot Lear lear at ofcourseimright.com
Fri Oct 28 04:09:17 UTC 2016


Hi Keith,


On 10/28/16 1:55 AM, Keith Medcalf wrote:
>>> The problem is in allowing inbound connections and going as far as doing
>>> UPnP to tell the CPE router to open a inbound door to let hackers loging
>>> to that IoT  pet feeder to turn it into an agressive DNS destroyer.
>> Well yes.  uPnP is a problem precisely because it is some random device
>> asserting on its own that it can be trusted to do what it wants.  Had
>> that assertion come from the manufacturer, at least you would know that
>> the device was designed to require that sort of access.**
> And why would anyone in their right mind trust the manufacturer to make this decision?  <Shudder>

Because the manufacturer designed the device and knows best as to what
sort of access it will require.  Consider that today most devices have
unfettered outbound access, and many can arrange for unfettered inbound
access.  That's Not Good®.  That doesn't mean that network
administrators shouldn't be the kings and queens of their castles, but
as I'm sure you well know, home users don't really know how to rule, and
so they need some good defaults.

Put it another way: you bring home a NEST and the first thing you the
expert might do is read the net to figure out which ports to open.  Are
you really going to not open those ports?

Eliot

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 481 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20161028/7b1574e6/attachment.pgp>


More information about the NANOG mailing list