[192419] in North American Network Operators' Group


RE: Spitballing IoT Security

daemon@ATHENA.MIT.EDU (Keith Medcalf)
Thu Oct 27 19:57:29 2016

X-Original-To: nanog@nanog.org
Date: Thu, 27 Oct 2016 17:55:19 -0600
In-Reply-To: <b68aaff7-4a1a-b74e-9e60-a03d8689b9d9@ofcourseimright.com>
From: "Keith Medcalf" <kmedcalf@dessus.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> > The problem is in allowing inbound connections and going as far as doing
> > UPnP to tell the CPE router to open an inbound door to let hackers log in
> > to that IoT pet feeder to turn it into an aggressive DNS destroyer.

> Well yes.  uPnP is a problem precisely because it is some random device
> asserting on its own that it can be trusted to do what it wants.  Had
> that assertion come from the manufacturer, at least you would know that
> the device was designed to require that sort of access.**

And why would anyone in their right mind trust the manufacturer to make
this decision?  <Shudder>

Neither the device nor the manufacturer have the authority to make that
decision ... ONLY the owner of the device has that authority, and once made
the owner of the device is responsible for *all* consequences resulting from
that decision.  If the device itself makes the decision (because it is
programmed to do so by the manufacturer), then the manufacturer is
responsible for all the consequences resulting therefrom.

End Of Line.




