IoT security

William Herrin bill at
Thu Feb 9 19:54:26 UTC 2017

On Thu, Feb 9, 2017 at 12:04 PM, Rich Kulawiec <rsk at> wrote:
> On Wed, Feb 08, 2017 at 08:30:15AM -0800, Damian Menscher wrote:
>> The devices are trivially compromised (just log in with the default root
>> password).  So here's a modest proposal: log in as root and brick the
>> device.
> No.  It's never a good idea to respond to abuse with abuse.

Hi Rich,

On that we agree. Vigilantism is a non-starter.

> [regarding the tattler kill switch]
> 2. This will allow ISPs to build a database of which customers have
> which IOT devices.  This is an appalling invasion of privacy.

Is there some way an industry association could overcome this? Perhaps
have some trivial way to assign each model of IoT device some kind of
integer and have the device report the integer instead of its plain
text manufacturer and hardware model number? Where the assigned
integer is intentionally not published by the industry association
though of course trivially determinable by anyone who owns one of the
devices. Wouldn't especially impair building a database of vulnerable
devices but it would raise the bar for trying to turn the
self-reporting in to business intelligence. Particularly if industry
association rules forbid retaining a record of device self-reports on
pain of whatever.

Bill Herrin

William Herrin ................ herrin at  bill at
Owner, Dirtside Systems ......... Web: <>

More information about the NANOG mailing list