[192017] in North American Network Operators' Group
Re: IoT security, was Krebs on Security booted off Akamai network
daemon@ATHENA.MIT.EDU (Mel Beckman)
Sun Oct 9 16:24:18 2016
X-Original-To: nanog@nanog.org
From: Mel Beckman <mel@beckman.org>
To: "bzs@TheWorld.com" <bzs@TheWorld.com>
Date: Sun, 9 Oct 2016 20:24:11 +0000
In-Reply-To: <22522.42555.121770.918579@gargle.gargle.HOWL>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
You might as well wish for fingerprint readers. It's not going to happen, and thus can't be remedied. But there are already acceptable COTS solutions that need no special hardware. IoT vendors simply have to use them.
-mel beckman
> On Oct 9, 2016, at 1:20 PM, "bzs@TheWorld.com" <bzs@TheWorld.com> wrote:
>
>
>> On October 9, 2016 at 20:07 mel@beckman.org (Mel Beckman) wrote:
>> Barry,
>>
>> The problem isn't authentication during initial installation, since that can be done using SSL and a web login to the cloud service. The problem is that vendors aren't even using minimal security protections, such as SSL, and then leaving devices open to inbound connections, which is bad even behind a firewall (because viruses typically scan LANs for these vulnerable devices). These are the devices exploited by hackers to become DDoS attack vectors.
>
> It helps solve the bad (including manufacturer's default) password
> problem which was one of the attack vectors.
>
> The proposal only forces this to be used during initial installation
> and configuration (and any reconfig) arguing that it so lowers the
> threshold, just swipe a magstripe, there's really no excuse. And
> eliminates the owner choosing a password for the device, bad or
> otherwise.
>
> But, again, alas no swipe hardware. Big historical error I think but
> rectifying is feasible.
>
> --
> -Barry Shein
>
> Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
> Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
> The World: Since 1989 | A Public Information Utility | *oo*