IoT security

Rich Kulawiec rsk at
Tue Feb 7 14:50:24 UTC 2017

On Tue, Feb 07, 2017 at 06:56:40AM -0500, William Herrin wrote:
> Immaterial. The point is to catch vulnerable devices before they're
> hacked. That can't always happen (even with customers and vendors
> engaged in best practice patching), but it need only happen often
> enough to limit the size of the resulting botnets.

This won't work on the majority of devices: they're pre-compromised
at the factory.  By the time you see the first packet from them,
IF you see the first packet from them, it will already be too late.

And a lot of them are deliberately designed and built to conduct attacks, e.g.:

	Vizio tracked and sold your TV viewing habits without consent

What a nice favor to do for attackers: Vizio spent its time and money
putting this in place for them, so they didn't have to.

This is going to get worse -- MUCH worse -- as the few flimsy consumer
protections in place are systematically dismantled and the agencies
charged with enforcing them defunded.

> As I envision it, it's an opt-out system. 

No.  In fact, HELL NO.  Too many ISPs have already put absolutely clinching
proof on the table that they will silently opt-in customers to all manner
of tracking, surveillance, and security/privacy attacks.  (I'm looking at
you, Verizon, at the moment.)  Opt-out is inherently abusive.

> Possible, though an ISP which retains the data opens itself to a class
> action lawsuit if it can't keep control of it.

First, that's a meaningless remedy.   Even if someone has the financial
resources to sue an ISP, they're going to wind up quietly settling years
later, the lawyers will get rich(er), the settlement will be sealed,
and they'll just keep right on doing it.

See the Vizio case above.  Did anybody go to prison?  No.  Did it
cost them anything?  Not really: the fine is just chump change.
Will Vizio do it again?  OF COURSE they will, they'd be crazy not to.
All they have to do is wait a little while, rename it, shuffle things
around a bit, and they'll be fine.

Second, the most likely outcome here is that the ISP will use this data
to spy on its users and market to them.  The next outcome is that someone
inside the ISP will figure out that this is a potential revenue source
and start selling it, under the argument that consumers didn't opt-out,
therefore they WANT their private data sold.

So let's not pretend that the delusional fiction of a successful class-action
lawsuit is a deterrent.  It's just a belly laugh for the executives and a
windfall for the attorneys.

> If the ISP can't keep control of its security head-end then sure, at
> least until the ISP regains control.

I think you're severely underestimating the threat.  And note that even
though you're just thinking about the problem from the perspective of ISPs,
they're not the only ones affected.  There are a lot of attack vectors
available to anyone who's already on the inside.

> Regardless, I encourage you to suggest alternate solutions which don't
> run afoul of the problems you mention. The problem isn't going away.

I'm aware of that.  But this is not the way.  I've seen this movie
WAY too many times:

	1. We must do something
	2. This is something.
	3. Let's do this.
	4. We have done something.
	5. Congrats and awards all around, everybody.


More information about the NANOG mailing list