[192348] in North American Network Operators' Group
Re: Spitballing IoT Security
daemon@ATHENA.MIT.EDU (JORDI PALET MARTINEZ)
Wed Oct 26 14:54:01 2016
X-Original-To: nanog@nanog.org
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: nanog@nanog.org
Date: Wed, 26 Oct 2016 20:53:51 +0200
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: <nanog@nanog.org>
In-Reply-To: <20161026171907.GA84841@ussenterprise.ufp.org>
Reply-To: jordi.palet@consulintel.es
Errors-To: nanog-bounces@nanog.org
Exactly, I was arguing exactly the same with some folks this week during th=
e RIPE meeting.
The same way that certifications are needed to avoid radio interferences, e=
tc., and if you don=E2=80=99t pass those certifications, you can=E2=80=99t =
sell the products in some countries (or regions in case of EU for example),=
authorities should make sure that those certifications have a broader scop=
e, including security and probably some other features to ensure that in ca=
se something is discovered in the future, they can be updated.
Yes, that means cost, but a few thousand dollars of certification price inc=
rease, among thousands of millions of devices of the same model being manuf=
actured, means a few cents for each unit.
Even if we speak about 1 dollar per each product being sold, it is much che=
aper than the cost of not doing it and paying for damages, human resources,=
etc., when there is a security breach.
Regards,
Jordi
-----Mensaje original-----
De: NANOG <nanog-bounces@nanog.org> en nombre de Leo Bicknell <bicknell@ufp=
.org>
Organizaci=C3=B3n: United Federation of Planets
Responder a: <bicknell@ufp.org>
Fecha: mi=C3=A9rcoles, 26 de octubre de 2016, 19:19
Para: <nanog@nanog.org>
Asunto: Re: Spitballing IoT Security
In a message written on Wed, Oct 26, 2016 at 08:06:34AM -0400, Rich Kul=
awiec wrote:
> The makers of IoT devices are falling all over themselves to rush pro=
ducts
> to market as quickly as possible in order to maximize their profits. =
They
> have no time for security. They don't concern themselves with privac=
y
> implications. They don't run networks so they don't care about the i=
mpact
> their devices may have on them. They don't care about liability: man=
y of
> them are effectively immune because suing them would mean trans-natio=
nal
> litigation, which is tedious and expensive. (And even if they lost:
> they'd dissolve and reconstitute as another company the next day.)
> They don't even care about each other -- I'm pretty sure we're rapidl=
y
> approaching the point where toasters will be used to attack garage do=
or
> openers and washing machines.
=20
You are correct.
=20
I believe the answer is to have some sort of test scheme (UL
Labratories?) for basic security and updateability. Then federal
legislation is passed requiring any product being imported into the
country to be certified, or it is refused.
=20
Now when they rush to market and don't get certified they get $0
and go out of business. Products are stopped at the boader, every
shipment is reviewed by authorities, and there is no cross boarder
suing issue.
=20
Really it's product safety 101. UL, the CPSC, NHTSA, DOT and a
host of others have regulations that if you want to import a product
for sale it must be safe. It's not a new or novel concept, pretty
much every country has some scheme like it.
=20
--=20
Leo Bicknell - bicknell@ufp.org
PGP keys at http://www.ufp.org/~bicknell/
=20
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company
This electronic message contains information which may be privileged or con=
fidential. The information is intended to be for the use of the individual(=
s) named above. If you are not the intended recipient be aware that any dis=
closure, copying, distribution or use of the contents of this information, =
including attached files, is prohibited.
