[192003] in North American Network Operators' Group


Re: IoT security, was Krebs on Security booted off Akamai network

daemon@ATHENA.MIT.EDU (Mel Beckman)
Sun Oct 9 10:32:01 2016

X-Original-To: nanog@nanog.org
From: Mel Beckman <mel@beckman.org>
To: "John R. Levine" <johnl@iecc.com>
Date: Sun, 9 Oct 2016 14:31:54 +0000
In-Reply-To: <alpine.OSX.2.11.1610090950490.66756@ary.qy>
Cc: Florian Weimer <fw@deneb.enyo.de>, "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

I just bought a $20 Lacrosse remote RF temperature sensor hub for home, the GW-1000U. It does the usual IoT things: after you plug it in, it gets a DHCP address and phones home, then you register it using a smartphone on the same LAN, which I'm guessing finds the device via a broadcast and then configures the hub with my Lacrosse account info. All communication is thereafter through the cloud.

It set itself up quite conveniently and efficiently, and now will start charging me $12/year for alerts and texts. An acceptable business model.

Except the thing is a teeming mass of security vulnerabilities.

How much authentication went on in this process? None. I captured the thing's packets in my firewall's onboard sniffer from the get go. All data is exchanged as plaintext on port 80. The protocol is completely undocumented, but I've since discovered that at least one enterprising tinkerer has reverse engineered it so people can bypass the manufacturer's monetization model.

The device accepts TCP connections on 22, 80, and 443. Theoretically I can't see why it ever needs ongoing inbound connections, so this seems to be a security concession made by the maker. Also, it appears to support SSL, but uses plaintext. Why? Because it's easier to debug in the early deployments, I'll wager. But the thing has been out for years and they're still not using encryption, even though the device apparently has the ability.

As a knowledgeable consumer (and security researcher) I'll overcome these shortcomings by putting this device on its own VLAN with extensive firewalling. Still, I can't be sure it won't be malicious, or get exploited through the cloud. And VLANs have their own security weaknesses, despite my using pricey enterprise hardware at home.

My point is that if an expert has to expend several hours of highly technical labor to "responsibly" use a $20 IoT sensor, and use enterprise-grade IT gear and methods to gain even a modicum of safety, then what hope do Ma and Pa Kettle have?

This is not a consumer education problem, unless we think consumers should also learn thermodynamics in order to drive, the Bernoulli principle in order to be airline passengers, and biochemistry to cook their own food. It's clearly a giant screw-up by manufacturers who could easily spread the cost of best-practice security measures across a large customer base.

That they don't shows lack of moral character, and nothing else.

 -mel beckman

> On Oct 9, 2016, at 7:03 AM, John R. Levine <johnl@iecc.com> wrote:
> 
>> On Sun, 9 Oct 2016, Florian Weimer wrote:
>> 
>> If we want to make consumers to make informed decisions, they need to
>> learn how things work up to a certain level.  And then current
>> technology already works.
> 
> I think it's fair to say that security through consumer education has been a failure every time anyone has tried it.  Why do you think this would be any different?
> 
>> There is little interest in this, however.  There's a comparable
>> business case for providing managed PCs to consumers, and I'm not sure
>> if any such companies are still left.
> 
> There's at least two large ones: Microsoft and Apple.  Try installing Windows 10 without letting Microsoft update and reconfigure the software any time they want, any way they want.
> 
> Expecting consumers to evaluate the security behavior of their lightbulbs and their refrigerator is absurd.  We need to figure out how to have the devices and routers configure themselves so the devices can do what they need to do without doing what we really don't want them to do.
> 
> Regards,
> John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly
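As an added example (not part of Mel's post, and not the vendor's software), here is the kind of check a firewall-sniffer capture makes possible once the hub sits on its own VLAN: audit its flows against the one thing it should be allowed to do, TLS to its cloud service, and flag plaintext egress, unexpected destinations, and inbound listeners. The VLAN address, cloud address and flow records are constructed placeholders.

```python
"""Audit sniffer flow records for an IoT hub on its own VLAN.

Added example, not from the original thread. The flows are constructed to
mirror the behaviour described in the post (plaintext HTTP to the vendor
cloud, listeners on 22, 80 and 443); addresses are documentation ranges.
"""
from dataclasses import dataclass

IOT_IP = "192.168.50.10"          # the sensor hub on the IoT VLAN (assumed)
CLOUD_HOSTS = {"203.0.113.25"}    # vendor cloud endpoint (placeholder)
LOCAL_SERVICES = {53, 67}         # DNS / DHCP egress the hub legitimately needs


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"
    tls: bool    # True if the payload began with a TLS handshake


# Constructed sample capture, in observation order.
FLOWS = [
    Flow(IOT_IP, "192.168.50.1", 53, "udp", False),     # DNS lookup: fine
    Flow(IOT_IP, "203.0.113.25", 80, "tcp", False),     # plaintext to cloud
    Flow(IOT_IP, "203.0.113.25", 443, "tcp", True),     # TLS to cloud: fine
    Flow("198.51.100.7", IOT_IP, 22, "tcp", False),     # inbound SSH attempt
    Flow(IOT_IP, "198.51.100.40", 80, "tcp", False),    # plaintext, unknown host
]


def audit(flows, iot_ip=IOT_IP, cloud=CLOUD_HOSTS):
    """Return (finding, detail) pairs for every flow that violates the
    allow-list 'TLS to the cloud only, no inbound TCP'."""
    findings = []
    for f in flows:
        if f.src == iot_ip:
            if f.proto == "udp" and f.dport in LOCAL_SERVICES:
                continue                       # DNS/DHCP to the local router
            if f.dport == 80 or not f.tls:
                findings.append(("plaintext-egress", f.dst))
            if f.dst not in cloud:
                findings.append(("unexpected-destination", f.dst))
        elif f.dst == iot_ip and f.proto == "tcp":
            findings.append(("inbound-listener", f.dport))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(FLOWS):
        print(f"{kind}: {detail}")
```

Each finding maps directly onto a firewall rule for the IoT VLAN: drop inbound TCP, drop egress to anything but the cloud host, and treat port-80 egress as a signal that the vendor still has not turned on the encryption the device supports.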
