[192375] in North American Network Operators' Group


Re: Spitballing IoT Security

daemon@ATHENA.MIT.EDU (Eliot Lear)
Thu Oct 27 01:59:12 2016

X-Original-To: nanog@nanog.org
To: Jean-Francois Mezei <jfmezei_nanog@vaxination.ca>, nanog@nanog.org
From: Eliot Lear <lear@ofcourseimright.com>
Date: Thu, 27 Oct 2016 07:59:00 +0200
Message-ID: <b68aaff7-4a1a-b74e-9e60-a03d8689b9d9@ofcourseimright.com>
Subject: Re: Spitballing IoT Security
In-Reply-To: <580F19BF.2070002@vaxination.ca>
References: <4246.1477383031@segfault.tristatelogic.com> <580F19BF.2070002@vaxination.ca>
Errors-To: nanog-bounces@nanog.org
Content-Type: text/plain; charset=utf-8

Hi Jean-Francois,


On 10/25/16 10:37 AM, Jean-Francois Mezei wrote:
> On 2016-10-25 04:10, Ronald F. Guilmette wrote:
>
>> If all of the *&^%$# damn stupid vacation pet feeders had originally shipped
>> with outbound rate limits hard-coded in the kernel, maybe this could have
>> been avoided.
>
> I view this differently.
>
> The problem is in allowing inbound connections and going as far as doing
> UPnP to tell the CPE router to open an inbound door to let hackers log in
> to that IoT pet feeder to turn it into an aggressive DNS destroyer.
Well yes.  UPnP is a problem precisely because it is some random device
asserting on its own that it can be trusted to do what it wants.  Had
that assertion come from the manufacturer, at least you would know that
the device was designed to require that sort of access.

>
> Then again, you need to have the owner access the pet feeder from the
> remote beach to feed the dog.
>
> One way around this is for the pet feeder to initiate outbound
> connection to a central server, and have the pet owner connect to that
> server to ask the server to send command to his pet feeder to feed the dog.

Precisely so.

> This way, there need not be any inbound connection to the pet feeder.

But if instead of a pet feeder we're talking about a home file sharing
system or a video camera where you don't want to share the feed into the
cloud?  There will be times when people want inbound connections.  We
need an architecture that supports them.

Eliot
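The outbound-only rendezvous pattern Jean-Francois sketches and Eliot agrees with, written out as an added example (this is not code from the thread or from any product mentioned in it). A simulated pet feeder opens one outbound TCP session to a relay server and never listens; the owner connects to the same server and asks it to forward a command over that existing session. The server, in turn, is the point where owner authorisation is enforced, which is why it carries the trust Eliot's last paragraph is uneasy about. Everything here runs on loopback, and the device/owner tokens, the line-oriented `HELLO`/`CMD` protocol and the device identifiers are constructed for the example.

```python
"""Rendezvous relay: the IoT device keeps one outbound connection to a
server; the owner sends commands to the server, which forwards them over
that existing connection.  No inbound port on the device, no UPnP."""
import socket
import threading

# Constructed sample credentials (hypothetical): in practice these would be
# provisioned per device at manufacture or pairing time.
DEVICE_TOKENS = {"feeder-42": "dev-secret-A"}
OWNER_TOKENS = {"feeder-42": "owner-secret-B", "feeder-7": "owner-secret-C"}


class RendezvousServer:
    """Accepts device sessions (HELLO) and owner requests (CMD) on loopback."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))          # ephemeral loopback port
        self.sock.listen()
        self.port = self.sock.getsockname()[1]
        self.devices = {}                         # device_id -> (socket, file)
        self.lock = threading.Lock()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                       # listening socket closed
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        f = conn.makefile("rw")
        parts = f.readline().strip().split()
        if len(parts) == 3 and parts[0] == "HELLO":
            # Device side: keep the device-initiated socket open so commands
            # can be pushed down it later.  Nothing ever connects *to* the device.
            _, dev, tok = parts
            if DEVICE_TOKENS.get(dev) == tok:
                with self.lock:
                    self.devices[dev] = (conn, f)
                f.write("REGISTERED\n"); f.flush()
                return
            f.write("ERR bad-device-token\n"); f.flush()
        elif len(parts) == 4 and parts[0] == "CMD":
            # Owner side: the server, not the device, checks who may command what.
            _, dev, tok, cmd = parts
            with self.lock:
                entry = self.devices.get(dev)
            if OWNER_TOKENS.get(dev) != tok:
                f.write("ERR not-authorised\n")
            elif entry is None:
                f.write("ERR device-offline\n")
            else:
                entry[1].write(cmd + "\n"); entry[1].flush()
                f.write("OK\n")
            f.flush()
        else:
            f.write("ERR bad-request\n"); f.flush()
        f.close(); conn.close()

    def close(self):
        self.sock.close()


class Device:
    """Simulated pet feeder: initiates the outbound session, never listens."""

    def __init__(self, device_id, token, port):
        self.received = []                        # commands delivered so far
        self.ready = threading.Event()
        self.sock = socket.create_connection(("127.0.0.1", port))
        self.f = self.sock.makefile("rw")
        self.f.write(f"HELLO {device_id} {token}\n"); self.f.flush()
        self.registered = self.f.readline().strip() == "REGISTERED"
        threading.Thread(target=self._pump, daemon=True).start()

    def _pump(self):
        for line in self.f:                       # blocks on the outbound socket
            self.received.append(line.strip())
            self.ready.set()


def owner_send(port, device_id, token, cmd, timeout=2.0):
    """Owner's client: ask the relay to forward `cmd` to `device_id`."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        f = s.makefile("rw")
        f.write(f"CMD {device_id} {token} {cmd}\n"); f.flush()
        return f.readline().strip()


def demo():
    """Run the exchange end to end and return what each party observed."""
    server = RendezvousServer()
    feeder = Device("feeder-42", "dev-secret-A", server.port)
    ok = owner_send(server.port, "feeder-42", "owner-secret-B", "FEED")
    feeder.ready.wait(2.0)
    bad = owner_send(server.port, "feeder-42", "wrong-token", "FEED")
    offline = owner_send(server.port, "feeder-7", "owner-secret-C", "FEED")
    server.close()
    return {"registered": feeder.registered, "ok": ok, "bad": bad,
            "offline": offline, "device_received": list(feeder.received)}


if __name__ == "__main__":
    print(demo())
```

The two failure paths are the ones worth noticing: a wrong owner token is rejected at the server without the device ever seeing traffic, and an unreachable device is reported as offline rather than exposed through a port mapping. The cost is that the relay sees every command and must be available, which is the trade-off for cameras and home file sharing where the owner may not want a third party in the path.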

