nanog mailing list archives
Re: IoT security
From: Rich Kulawiec <rsk () gsp org>
Date: Tue, 7 Feb 2017 05:26:26 -0500
On Mon, Feb 06, 2017 at 05:31:10PM -0500, William Herrin wrote:
What about some kind of requirement or convention that upon boot and successful attachment to the network (and maybe once a month thereafter), any IoT device must _by default_ emit a UDP packet to an anycast address reserved for the purpose which identifies the device model and software build.
I can think of at least four reasons why this idea must be killed immediately and permanently. This is off the top of my head *before* coffee, so I strongly suspect there are more.

1. An attacker who takes control of an IoT device can change the contents of that packet, cause it to be emitted, suppress it from being emitted, etc.

2. This will allow ISPs to build a database of which customers have which IoT devices. This is an appalling invasion of privacy.

3. This will allow ISPs to build a database of which customers have which IoT devices. This will create one-stop shopping for attackers.

4. It won't take long for this to be used as a DDoS vector.

---rsk