nanog mailing list archives

Re: IoT security


From: William Herrin <bill () herrin us>
Date: Thu, 9 Feb 2017 14:54:26 -0500

On Thu, Feb 9, 2017 at 12:04 PM, Rich Kulawiec <rsk () gsp org> wrote:
> On Wed, Feb 08, 2017 at 08:30:15AM -0800, Damian Menscher wrote:
>> The devices are trivially compromised (just log in with the default root
>> password).  So here's a modest proposal: log in as root and brick the
>> device.
>
> No.  It's never a good idea to respond to abuse with abuse.

Hi Rich,

On that we agree. Vigilantism is a non-starter.

[regarding the tattler kill switch]
> 2. This will allow ISPs to build a database of which customers have
> which IOT devices.  This is an appalling invasion of privacy.

Is there some way an industry association could overcome this? Perhaps
have some trivial way to assign each model of IoT device some kind of
integer and have the device report the integer instead of its plain
text manufacturer and hardware model number? Where the assigned
integer is intentionally not published by the industry association
though of course trivially determinable by anyone who owns one of the
devices. Wouldn't especially impair building a database of vulnerable
devices but it would raise the bar for trying to turn the
self-reporting in to business intelligence. Particularly if industry
association rules forbid retaining a record of device self-reports on
pain of whatever.

Regards,
Bill Herrin



-- 
William Herrin ................ herrin () dirtside com  bill () herrin us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>