nanog mailing list archives

Re: IoT security


From: Rich Kulawiec <rsk () gsp org>
Date: Tue, 7 Feb 2017 05:26:26 -0500

On Mon, Feb 06, 2017 at 05:31:10PM -0500, William Herrin wrote:
> What about some kind of requirement or convention that upon boot and
> successful attachment to the network (and maybe once a month
> thereafter), any IoT device must _by default_ emit a UDP packet to an
> anycast address reserved for the purpose which identifies the device
> model and software build.

I can think of at least four reasons why this idea must be killed
immediately and permanently.  This is off the top of my head *before*
coffee, so I strongly suspect there are more.

1. An attacker who takes control of an IoT device can change the contents
of that packet, cause it to be emitted, suppress it from being emitted, etc.

2. This will allow ISPs to build a database of which customers have
which IOT devices.  This is an appalling invasion of privacy.

3. This will allow ISPs to build a database of which customers have
which IOT devices.  This will create one-stop shopping for attackers.

4. It won't take long for this to be used as a DDoS vector.

---rsk
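Added example, not part of the thread and not code from either poster: a collector-side sketch of what receiving the proposed beacon would actually involve. It assumes a wire format ("model=<token>;build=<token>" in ASCII) that the thread never specifies, and it makes two of the objections above concrete. Because the proposal carries no authentication, every record the collector builds is tagged `authenticated=False` (reason 1: the fields are whatever the sender chose to put there), and a per-source token bucket drops anything faster than the expected once-a-month cadence before it costs CPU or storage (reason 4). The sample traffic is constructed.

```python
"""
Collector-side handling of the hypothetical IoT identification beacon
from the thread (model + software build in one UDP payload).
Constructed example; the wire format is an assumption, not anything
the thread specifies.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed wire format: "model=<token>;build=<token>", ASCII, at most 128 bytes.
MAX_PAYLOAD = 128
FIELD_RE = re.compile(r"^model=([A-Za-z0-9._-]{1,32});build=([A-Za-z0-9._-]{1,32})$")


@dataclass
class Beacon:
    src: str
    model: str
    build: str
    # The proposal carries no signature, so a collector can never set this True.
    authenticated: bool = False


def parse_beacon(src: str, payload: bytes) -> Optional[Beacon]:
    """Strictly validate the payload; return None for anything off-schema.
    Passing validation says nothing about who really sent it (reason 1)."""
    if len(payload) > MAX_PAYLOAD:
        return None
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    m = FIELD_RE.match(text)
    if not m:
        return None
    return Beacon(src=src, model=m.group(1), build=m.group(2))


class SourceLimiter:
    """Per-source token bucket. The proposal expects about one beacon per
    device per month, so anything much faster is dropped early (reason 4)."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec
        self.burst = burst
        self._buckets = {}  # src -> (tokens, last_timestamp)

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self._buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[src] = (tokens - 1.0, now)
            return True
        self._buckets[src] = (tokens, now)
        return False


def ingest(datagrams, limiter: SourceLimiter, now: float = 0.0):
    """Process (src, payload) pairs.
    Returns (accepted_beacons, dropped_by_rate, dropped_by_schema)."""
    accepted, dropped_rate, dropped_schema = [], 0, 0
    for src, payload in datagrams:
        if not limiter.allow(src, now):
            dropped_rate += 1
            continue
        beacon = parse_beacon(src, payload)
        if beacon is None:
            dropped_schema += 1
            continue
        accepted.append(beacon)
    return accepted, dropped_rate, dropped_schema


# Constructed sample traffic (documentation-range addresses).
SAMPLE = [
    ("192.0.2.10", b"model=cam-200;build=1.4.2"),
    ("192.0.2.11", b"model=plug;build=<script>"),   # off-schema characters
    ("192.0.2.12", b"model=x;build=1" * 20),        # oversized payload
] + [("192.0.2.13", b"model=cam-200;build=1.4.2")] * 50  # one source repeating


def demo():
    # One token per day with a burst of two is generous for a monthly beacon.
    limiter = SourceLimiter(rate_per_sec=1 / 86400, burst=2)
    return ingest(SAMPLE, limiter)


if __name__ == "__main__":
    acc, dr, ds = demo()
    print(f"accepted={len(acc)} dropped_rate={dr} dropped_schema={ds}")
```

Even with the schema check and the limiter in place, nothing here lets the collector tell a device's own beacon from one emitted on its behalf, which is the point of reason 1: any database built from this feed is built from sender-controlled claims.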
