[193636] in North American Network Operators' Group


Re: IoT security

daemon@ATHENA.MIT.EDU (Damian Menscher)
Thu Feb 9 03:59:19 2017

X-Original-To: nanog@nanog.org
In-Reply-To: <CAP-guGXRdTqnasqOvseHNukSs+FHvyZtjNswd5k6i5v00-=48Q@mail.gmail.com>
From: Damian Menscher <menscher@gmail.com>
Date: Wed, 8 Feb 2017 08:30:15 -0800
To: William Herrin <bill@herrin.us>
Cc: "nanog@nanog.org" <nanog@nanog.org>, Rich Kulawiec <rsk@gsp.org>
Errors-To: nanog-bounces@nanog.org

On Wed, Feb 8, 2017 at 7:22 AM, William Herrin <bill@herrin.us> wrote:

> On Wed, Feb 8, 2017 at 10:12 AM, Rich Kulawiec <rsk@gsp.org> wrote:
> > In a better world, vendors would be far more
> > responsible, professional, and ethical.  But we don't live in that
> > world.  We live in one where they will happily dump toxic waste on
> > the Internet as fast as they can shovel it -- as long as it's not
> > their problem.
> >
> > We need to make it their problem.
>
> How?


The devices are trivially compromised (just log in with the default root
password).  So here's a modest proposal: log in as root and brick the
device.

This will encourage the consumer to seek a solution.  When 100k consumers
all discover their devices broke at the same time, they'll file a
class-action lawsuit against the manufacturer, or at least never buy from
them again.  Market forces then solve the problem naturally, both for that
manufacturer and for others who don't want the same fate.

I realize there are drawbacks (including legal implications) to this method
(which is why I'm posting from a personal, not work, account).  But I
challenge anyone to propose another solution that will work as well.  Most
other proposals I've heard depend on individual ISPs to take action, or
governments to regulate devices and hope that foreign manufacturers care,
or ....

Damian
