IoT security

Rich Kulawiec rsk at gsp.org
Tue Feb 7 10:26:26 UTC 2017


On Mon, Feb 06, 2017 at 05:31:10PM -0500, William Herrin wrote:
> What about some kind of requirement or convention that upon boot and
> successful attachment to the network (and maybe once a month
> thereafter), any IoT device must _by default_ emit a UDP packet to an
> anycast address reserved for the purpose which identifies the device
> model and software build.

I can think of at least four reasons why this idea must be killed
immediately and permanently.  This is off the top of my head *before*
coffee, so I strongly suspect there are more.

1. An attacker who takes control of an IoT device can change the contents
of that packet, cause it to be emitted, suppress it from being emitted, etc.

2. This will allow ISPs to build a database of which customers have
which IoT devices.  This is an appalling invasion of privacy.

3. This will allow ISPs to build a database of which customers have
which IoT devices.  This will create one-stop shopping for attackers.

4. It won't take long for this to be used as a DDoS vector.

---rsk
