nanog mailing list archives

Re: Spitballing IoT Security


From: Eliot Lear <lear () ofcourseimright com>
Date: Sat, 29 Oct 2016 08:37:56 +0200

Hi Mike,


On 10/27/16 11:04 AM, Mike Meredith wrote:
> On Thu, 27 Oct 2016 07:59:00 +0200, Eliot Lear <lear () ofcourseimright com>
> may have written:
>> Well yes.  UPnP is a problem precisely because it is some random device
>> asserting on its own that it can be trusted to do what it wants.  Had
> From my own personal use (and I'm aware that this isn't a general
> solution), I'd like a device that sat on those UPnP requests until I logged
> into the admin interface to review them. Now if you could automate _me_
> then it might become more generally useful :-

You need to go further.  It is no longer enough to tackle this problem
simply as a firewall problem, because there are too many
reflection-style attacks.  Not only do you want to prevent devices from
opening pinholes to the Internet, but you really want to know what
they're going to be doing inside the home.  And quite frankly, I
disagree that you want to nag the user unless it is absolutely
necessary.  To me, that means authorizing the device in the first place,
and the access point having access to enough intelligence to know what
sort of access is necessary for a device, given its purpose.

> As someone who manages an application-based firewall, every problem looks
> like it would be easier to solve using an application-based firewall :)

I don't generally prefer application firewalls except in limited
circumstances.

Eliot
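As an added illustration, not code from the thread or from either author, the authorize-first, purpose-based model described above in a small gateway policy check, with the hold-until-admin-review idea applied only to devices that have no purpose on file. The purpose names, profile contents and the Gateway class are assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed purpose profiles (assumed names, not from the thread): the flows a
# device of that purpose legitimately needs, and whether it may ever ask the
# gateway to open an inbound pinhole. "*" matches any destination host.
PROFILES = {
    "thermostat":   {"allowed": {("vendor-cloud.example", 443)}, "pinholes": False},
    "game-console": {"allowed": {("*", 443), ("*", 3074)},       "pinholes": True},
}


@dataclass
class Gateway:
    authorized: dict = field(default_factory=dict)  # device id -> purpose
    pending: list = field(default_factory=list)     # pinhole requests held for admin review

    def authorize(self, device_id: str, purpose: str) -> None:
        """Admission step: the device's purpose is stated once, up front."""
        if purpose not in PROFILES:
            raise ValueError(f"unknown purpose {purpose!r}")
        self.authorized[device_id] = purpose

    def check_flow(self, device_id: str, dst_host: str, dst_port: int) -> str:
        """Outbound or in-home flow decision: 'allow' or 'deny'.

        A device with no purpose on file is default-deny; an authorized device
        only gets the flows its purpose profile lists, nothing more.
        """
        purpose = self.authorized.get(device_id)
        if purpose is None:
            return "deny"
        for host, port in PROFILES[purpose]["allowed"]:
            if port == dst_port and host in ("*", dst_host):
                return "allow"
        return "deny"

    def upnp_request(self, device_id: str, ext_port: int) -> str:
        """UPnP AddPortMapping-style request: 'open', 'deny', or 'held'.

        Known devices are decided from their purpose without bothering the
        user; only an unknown device's request is parked for admin review.
        """
        purpose = self.authorized.get(device_id)
        if purpose is None:
            self.pending.append((device_id, ext_port))
            return "held"
        return "open" if PROFILES[purpose]["pinholes"] else "deny"
```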
