nanog mailing list archives
Re: Spitballing IoT Security
From: "Ronald F. Guilmette" <rfg () tristatelogic com>
Date: Thu, 27 Oct 2016 16:24:07 -0700
In message <CAF-Wqd5kuxZwFZ5gwCP9-k7chX6y06JMoMoZdvP_i2oRvbmFUg () mail gmail com> Ken Matlock <matlockken () gmail com> wrote:
> Fixing the current wave of 'IoT' devices and phones and TVs etc is only putting a bandaid on a broken arm. It gives the illusion of progress...
> Until we accept that it's *everyone's* problem and work to fix the things under our control and work as an advocate for the other layers, we will continue to suffer attacks.

Agreed. Even if we could snap our fingers and fix the whole morass that is the IoT problem tomorrow, that still wouldn't prevent dumb consumers from pulling their dusty old Windows XP laptops down out of their closets and hooking them up directly to the Internet. Nor would it do anything about the small ISPs that have "mailbox full" abuse@ addresses, or the even larger ISPs that allow deliberately spoofed packets out onto the public Internet, or the Tier 1s that still peer with known utterly irresponsible ASNs.

But, ya know, you gotta start someplace. And we can't let the perfect be the enemy of the good. That just won't wash anymore, I think. Not after last Friday.

I put forward what I think is a reasonably modest scheme to try to get IoT things to place hard limits on their "unsolicited" packet output at the kernel level, and I'm going to go off now and try to find and then engage some Linux embedded kernel people and see what they think. Maybe the whole thing is a dumb idea and not worth pursuing, but I'm not convinced of that yet. So I'll go off, investigate in some more appropriate forum, and report back here if/when I have anything useful to say.

Hacking embedded kernels to make them fault-tolerant, even in the event of attackers getting a root shell prompt, isn't going to save the world from DDoS attacks, but it may be one small part of the solution.

Regards,
rfg

P.S. In the scheme I proposed, I left out one additional nicety that embedded kernels could also do to enhance security, namely disabling raw sockets completely in the kernel. No normal IoT thing needs the ability to forge outbound packets. But I would be willing to bet my bottom dollar, right now, that if we poked around long enough we could surely find some easily break-in-able busybox-based thingies out there, right now, as we speak, into which a binary could be dropped that would have no trouble at all opening raw outbound sockets. BCP38 for toasters anyone?
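On Linux the ability to open a raw socket is gated by CAP_NET_RAW, so a device's init or service wrapper can remove that capability before starting a daemon; anything that later compromises the daemon, even as root, then cannot forge outbound packets. The program below is an added example, not code from the post or from any kernel or busybox project; it assumes a Linux host, probes whether a raw IPv4 socket can be opened, drops CAP_NET_RAW from the calling process (and, best-effort, from its bounding set), and probes again.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <netinet/in.h>
#include <linux/capability.h>

/* Probe: can this process open a raw IPv4 socket (i.e. hand-craft outbound
 * packets)?  Returns 1 if yes, 0 if the kernel refused for lack of privilege,
 * and -1 for any other error (e.g. AF_INET unavailable in a sandbox). */
int raw_socket_allowed(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd >= 0) { close(fd); return 1; }
    return (errno == EPERM || errno == EACCES) ? 0 : -1;
}

/* Remove CAP_NET_RAW from this thread's permitted, effective and inheritable
 * sets via capset(2), then from the bounding set so a later exec of a setuid
 * or file-capability binary cannot hand it back.  Shrinking the thread's own
 * sets never needs privilege; the bounding-set drop needs CAP_SETPCAP and is
 * therefore best-effort.  Returns 0 on success, -1 if capget/capset failed. */
int drop_cap_net_raw(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    /* CAP_NET_RAW is bit 13, so it lives in the first 32-bit word. */
    data[CAP_TO_INDEX(CAP_NET_RAW)].permitted   &= ~CAP_TO_MASK(CAP_NET_RAW);
    data[CAP_TO_INDEX(CAP_NET_RAW)].effective   &= ~CAP_TO_MASK(CAP_NET_RAW);
    data[CAP_TO_INDEX(CAP_NET_RAW)].inheritable &= ~CAP_TO_MASK(CAP_NET_RAW);
    if (syscall(SYS_capset, &hdr, data) != 0) return -1;
    prctl(PR_CAPBSET_DROP, CAP_NET_RAW, 0, 0, 0);   /* best effort, see above */
    return 0;
}

int main(void)
{
    /* Added example: run as root to see the transition from allowed to refused. */
    printf("before drop: raw sockets %s\n",
           raw_socket_allowed() == 1 ? "allowed" : "refused");
    if (drop_cap_net_raw() != 0) perror("capset");
    printf("after drop:  raw sockets %s\n",
           raw_socket_allowed() == 1 ? "allowed" : "refused");
    return 0;
}
```

Run unprivileged, both probes report "refused"; run as root (or in a container that grants NET_RAW), the first reports "allowed" and the second "refused", which is the state an init should put every network daemon in before exec'ing it.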