nanog mailing list archives

RE: Spitballing IoT Security


From: "Keith Medcalf" <kmedcalf () dessus com>
Date: Thu, 27 Oct 2016 17:55:19 -0600

The problem is in allowing inbound connections and going as far as doing
UPnP to tell the CPE router to open an inbound door to let hackers log in
to that IoT pet feeder to turn it into an aggressive DNS destroyer.

Well yes.  UPnP is a problem precisely because it is some random device
asserting on its own that it can be trusted to do what it wants.  Had
that assertion come from the manufacturer, at least you would know that
the device was designed to require that sort of access.**

And why would anyone in their right mind trust the manufacturer to make this decision?  <Shudder>

Neither the device nor the manufacturer has the authority to make that decision ... ONLY the owner of the device has 
that authority, and once made the owner of the device is responsible for *all* consequences resulting from that 
decision.  If the device itself makes the decision (because it is programmed to do so by the manufacturer), then the 
manufacturer is responsible for all the consequences resulting therefrom.

End Of Line.




