It seems that this is a disaster just waiting to happen. If network appliance companies can't get security right, the chances of white-goods manufacturers doing so have got to be even less likely. E.g., the latest model of my electric toothbrush has Bluetooth connectivity, so Internet access is surely just a step away. Does a toothbrush manufacturer attract top-notch security programmers (let alone think they need them)? I doubt it.
A natural choke point is the residential router/modem. Has any work been done to define the capabilities or profile of such a choke point that might inherently protect IoT devices?

Without thinking too hard, I envision a residential router might create a number of local networks that are constrained in certain ways, such as no inbound connections, no outbound connections, no cross-device connections, a filtered list of external destinations, that sort of thing. Such constraints might be implemented as separate VLANs or wifi networks or both, managed in a user-friendly manner. Something that most modern residential routers could implement today. When a new device is added to the network, the router portal could be used to allow it access and place it in the appropriate VLAN. Address-space management might also work, such as link-local address allocation. Heck, an IoT device might identify itself in some way and the router could automatically spin up the appropriate VLAN and firewall rules without any human intervention.

Beyond constraints, there are also service needs. My new AV receiver likes to contact its manufacturer's HQ for an NTP service. That could readily be offered locally rather than opening up wider access. One imagines some sort of local service discovery might work here, such as Bonjour. Again, something that most modern routers could implement today with ease.

Serendipitously, NBNCo has a list of approved VDSL modems. One wonders whether that could be extended to a list of modems that support an IoT security profile?

Sorry about the ramble, but improving IoT security seems like a multi-faceted problem that we can't afford to ignore. Does anyone disagree?

Mark.

_______________________________________________
AusNOG mailing list
[email protected]
http://lists.ausnog.net/mailman/listinfo/ausnog
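As an added illustration (not from the post above or from any router vendor), here is one way the constraints Mark sketches could be expressed as an nftables ruleset on a Linux-based residential router: a separate IoT VLAN that gets no unsolicited inbound traffic, cannot initiate toward the trusted LAN, may only reach an allowlist of external destinations, and gets DNS and NTP from the router itself. The interface names (wan0, lan0, iot0), the 192.168.20.0/24 range and the allowlist addresses are assumed/constructed placeholders, and the router is assumed to run its own DNS and NTP service bound to iot0.

```nftables
#!/usr/sbin/nft -f
# Assumed interfaces: wan0 = upstream, lan0 = trusted LAN, iot0 = IoT VLAN (e.g. lan0.20)
flush ruleset

define WAN = "wan0"
define LAN = "lan0"
define IOT = "iot0"
define IOT_NET = 192.168.20.0/24
define ROUTER_IOT = 192.168.20.1      # router's address on the IoT VLAN (assumed)

table inet iot_fw {
    # External destinations the IoT VLAN may reach; constructed example entries,
    # to be replaced with the vendor endpoints a given device actually needs.
    set iot_allowed_dst {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.10, 198.51.100.0/24 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # IoT devices may use only the router's own DNS, NTP and DHCP
        iifname $IOT ip saddr $IOT_NET ip daddr $ROUTER_IOT udp dport { 53, 123 } accept
        iifname $IOT ip saddr $IOT_NET ip daddr $ROUTER_IOT tcp dport 53 accept
        iifname $IOT udp dport 67 accept
        iifname $LAN accept
        # Anything else aimed at the router from WAN or IoT is dropped by policy
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Trusted LAN may reach IoT devices (e.g. a phone app) and the Internet
        iifname $LAN oifname { $IOT, $WAN } accept
        # IoT may never initiate toward the trusted LAN
        iifname $IOT oifname $LAN drop
        # IoT outbound is limited to the allowlist; log what gets refused so
        # unexpected "phone home" attempts show up in the router's logs
        iifname $IOT oifname $WAN ip daddr @iot_allowed_dst accept
        iifname $IOT oifname $WAN log prefix "iot-egress-denied: " drop
        # No unsolicited inbound from WAN into any internal network
        iifname $WAN drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Note that the "no cross-device connections" constraint cannot be enforced here: traffic between two devices on the same VLAN never passes through the router's forward chain, so it needs wireless client isolation on the access point or port isolation on the switch, or one VLAN per device.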
