nanog mailing list archives

Re: IoT security


From: William Herrin <bill () herrin us>
Date: Mon, 6 Feb 2017 21:44:29 -0500

On Mon, Feb 6, 2017 at 7:14 PM, joel jaeggli <joelja () bogus com> wrote:
> On 2/6/17 2:31 PM, William Herrin wrote:
>> This afternoon's panel about IoT's lack of security got me thinking...

Hi Joel,

For clarification I was referring to this:

http://nanog.org/meetings/abstract?id=3051

The long and short of the panel was: as an industry (device vendors
and service providers both) it behooves us to voluntarily get on top
of the IoT security problem before some catastrophic event requires
the government to dictate the precise manner in which we will get on
top of the problem.


>> What about some kind of requirement or convention that upon boot and
>> successful attachment to the network (and maybe once a month
>> thereafter), any IoT device must _by default_ emit a UDP packet to an
>> anycast address reserved for the purpose which identifies the device
>> model and software build.

> Self-identification is privacy hostile and tantamount to indicating a
> willingness to be subverted (this is why we disable lldp on external
> interfaces) even if it would otherwise be rather useful. The use of
> modified eui64 addresses as part of v6 address selection has basically
> gone away for similar reasons.

I'm not sure how we get on top of the problem without offering an
effective network kill switch to the nearest security-competent
person. I think I'd prefer a user-disableable kill-switch used on a
single piece of equipment to a kill switch for my entire Internet
connection.

The IPv6 SLAAC address suffers a rather worse case of the privacy
problem since it allows the entire Internet to track your hardware,
not just your local ISP.

In any case, I thought "how do we fix this long term" could stand
discussion on the list. Because yes, the IoT device vendors mostly
produce trash and if (to borrow a phrase) it saves them a buck at
retail they will keep producing trash. But we're the ones letting that
trash cause nation-scale problems and when the regulatory hammer
crashes down it's gonna hit us all.


On Mon, Feb 6, 2017 at 7:10 PM, Michael Thomas <mike () mtcc com> wrote:
> Uh, yuck at many levels. Do you leak your cisco ios versions to the
> internet?

Hi Michael,

I'm not aware of any Cisco IOS devices that qualify as IoT. Some
lighter weight Cisco gear, yes. And no, I do not want to broadcast my
information. But I'm a professional who customizes my gear when I plug
it in. I don't run with the defaults.


> Do you really want the responsibility for the remote kill switch for IoT S&M
> gear?

I already have the kill switch for the customer's entire S&M transit
link. I'd prefer to also have a smaller hammer whose use won't net me
a furious call from Sales.


> And of course, you're depending on rfc 3514, right?

Nope. I'll decide what's evil and what's not (more likely I'll pay a
service to provide me a regularly updated database) and I depend only
on a high enough percentage of the devices offering themselves up for
that decision that it becomes impractical to construct another Mirai.

Regards,
Bill Herrin



-- 
William Herrin ................ herrin () dirtside com  bill () herrin us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
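The SLAAC tracking problem raised in the thread (a modified-EUI-64 interface identifier embeds the MAC, so any remote peer can correlate a host across networks and prefixes) can be audited from a neighbor table. The following is an added example, not code from the thread or its participants; the addresses are constructed samples and the check is a heuristic described in the comments.

```python
"""Audit IPv6 addresses for modified-EUI-64 interface identifiers (RFC 4291,
Appendix A), the SLAAC form that embeds the interface's MAC address and lets
any remote peer tie sessions to a specific piece of hardware."""
import ipaddress
from typing import Dict, Iterable, Optional


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC encoded in addr's interface identifier, or None.

    Modified EUI-64 splits the 48-bit MAC, inserts 0xfffe between the OUI and
    the device half, and inverts the universal/local bit (0x02) of the first
    octet.  Both properties are required here: random identifiers (RFC 4941
    privacy extensions, RFC 7217 stable-privacy) clear that bit, so the ff:fe
    marker alone would produce false positives about 1 time in 65536.  The
    trade-off is that a locally administered MAC (02:xx:...) is not reported.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe" or (iid[0] & 0x02) == 0:
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the bit flip
    return ":".join(f"{b:02x}" for b in mac)


def audit(addrs: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each address to the hardware identifier it leaks (None if none)."""
    return {a: embedded_mac(a) for a in addrs}


# Constructed sample, as an operator might pull from a router's neighbor
# cache: an EUI-64 SLAAC address, a privacy-extension style address that
# happens to contain ff:fe, a link-local EUI-64 address and a static address.
SAMPLE = [
    "2001:db8::211:22ff:fe33:4455",
    "2001:db8::8c3a:91ff:fe0b:7d2e",
    "fe80::1a2b:3cff:fe4d:5e6f",
    "2001:db8::1",
]

if __name__ == "__main__":
    for a, m in audit(SAMPLE).items():
        print(f"{a:32} {'leaks MAC ' + m if m else 'no hardware identifier'}")
```

Hosts flagged by the audit are candidates for enabling privacy extensions or RFC 7217 stable identifiers, which remove the hardware address from the identifier without losing address stability within a prefix.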