[192015] in North American Network Operators' Group


Re: IoT security, was Krebs on Security booted off Akamai network

daemon@ATHENA.MIT.EDU (Mel Beckman)
Sun Oct 9 16:07:54 2016

X-Original-To: nanog@nanog.org
From: Mel Beckman <mel@beckman.org>
To: "bzs@TheWorld.com" <bzs@TheWorld.com>
Date: Sun, 9 Oct 2016 20:07:48 +0000
In-Reply-To: <22522.41478.59506.907676@gargle.gargle.HOWL>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Barry,

The problem isn't authentication during initial installation, since that can be done using SSL and a web login to the cloud service. The problem is that vendors aren't even using minimal security protections, such as SSL, and then leaving devices open to inbound connections, which is bad even behind a firewall (because viruses typically scan LANs for these vulnerable devices). These are the devices exploited by hackers to become DDoS attack vectors.

 -mel beckman

> On Oct 9, 2016, at 1:02 PM, "bzs@TheWorld.com" <bzs@TheWorld.com> wrote:
>
>
> Elsewhere, for decades, I've bemoaned the fact that keyboards (etc)
> don't have credit card swipes (perhaps today "and chip readers") so
> with some care on the part of the software someone could prove they
> likely have physical access to the card.
>
> But it would be very useful in this IoT problem.
>
> You power up a new device, it won't enable until you run some web
> (e.g.) interface.
>
> At that point you swipe a card which generates a hash which secures
> the IoT device from further config until it's presented again. The
> device can have the usual reset to factory config button for the case
> of lost cards.
>
> It needn't even be an active credit card. It could be an old spent
> gift card. It could even be a free card that comes right in the box
> tho that might invite predictability, but maybe a basket of cards to
> use at the checkout counter "take one you'll need it for setup".
>
> The software just has to be able to read the magstripe or chip and use
> the info to generate a reasonably secure hash which is stored
> (preferably in the device.)
>
> Need to reconfig, open the window, swipe the same card.
>
> Hotel safes often use this approach as an alternative to PIN entry.
>
> The device doesn't store any info about the card directly, only the
> hash. And as I said it could be most anything that looks like a credit
> card and has a readable mag stripe.
>
> The user doesn't have to come up with a password and can't use the
> device until a hash is stored.
>
> But, alas, no swipes...
>
> --
>        -Barry Shein
>
> Software Tool & Die    | bzs@TheWorld.com             | http://www.TheWorld.com
> Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
> The World: Since 1989  | A Public Information Utility | *oo*
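The card-swipe lock Barry sketches above, written out as an added example (it is not code from either post, and no such device firmware is implied): the device stores only a salted, stretched hash of whatever bytes the card reader returns, stays disabled until a card is enrolled, refuses configuration until the same card is presented again, and offers a factory reset that wipes the hash. The class name, the use of PBKDF2-HMAC-SHA256, and the sample card strings are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption for this example: the card reader hands us raw bytes (magstripe
# tracks or chip data). We never persist those bytes, only a salted digest.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


class CardLockedDevice:
    """Hypothetical IoT device that is unusable until a card is enrolled and
    re-locks its configuration interface after every setup session."""

    def __init__(self) -> None:
        self.salt: Optional[bytes] = None
        self.digest: Optional[bytes] = None
        self.config_open = False

    def _derive(self, card_data: bytes, salt: bytes) -> bytes:
        # Key stretching makes guessing the card contents slower; it does not
        # add entropy to a predictable card (Barry's "free card in the box").
        return hashlib.pbkdf2_hmac("sha256", card_data, salt, PBKDF2_ITERATIONS)

    def is_enabled(self) -> bool:
        # "It won't enable until you run some web interface" and enroll a card.
        return self.digest is not None

    def enroll(self, card_data: bytes) -> None:
        if self.is_enabled():
            raise PermissionError("already locked; present the enrolled card or factory-reset")
        self.salt = os.urandom(SALT_BYTES)
        self.digest = self._derive(card_data, self.salt)
        self.config_open = True  # first setup session is open right after enrollment

    def present_card(self, card_data: bytes) -> bool:
        """Open the configuration window only if the same card is swiped again."""
        if self.digest is None or self.salt is None:
            return False
        candidate = self._derive(card_data, self.salt)
        # Constant-time compare so a wrong card does not leak digest bytes by timing.
        self.config_open = hmac.compare_digest(candidate, self.digest)
        return self.config_open

    def close_config(self) -> None:
        self.config_open = False

    def apply_setting(self, key: str, value: str) -> bool:
        """Return True only if the configuration window is currently open."""
        if not self.config_open:
            return False
        # A real device would write key/value here; the example only gates it.
        return True

    def factory_reset(self) -> None:
        # Lost-card path: wipe the hash so the device returns to "disabled".
        self.salt = None
        self.digest = None
        self.config_open = False


def demo() -> bool:
    """Walk the lifecycle with constructed card data and report success."""
    card = b"%B4000000000000002^SAMPLE/CARD^2512...?"  # constructed, not a real card
    other = b"%B4000000000000010^OTHER/CARD^2512...?"  # constructed
    dev = CardLockedDevice()
    if dev.is_enabled() or dev.apply_setting("ssid", "home"):
        return False
    dev.enroll(card)
    ok = dev.apply_setting("ssid", "home")
    dev.close_config()
    rejected = not dev.present_card(other) and not dev.apply_setting("ssid", "evil")
    reopened = dev.present_card(card) and dev.apply_setting("ssid", "home")
    dev.factory_reset()
    return ok and rejected and reopened and not dev.is_enabled()


if __name__ == "__main__":
    print("lifecycle ok:", demo())
```

The salt is per-device random, so two devices set up with the same card hold unrelated digests, and the digest alone does not reveal the card contents. What the scheme cannot fix is low-entropy card data: the stretching only slows guessing, so the value of the design rests on the card being something an attacker cannot predict, which is exactly the caveat raised above about a card shipped in the box.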
