Philip Homburg <[email protected]> wrote:
    >>>> DDoS attack like against Dyn
    >>
    >> I could be wrong, but I believe that Dyn was DDoSed by the Mirai
    >> botnet, which propagates by exploiting devices configured with default
    >> credentials. This has nothing to do with outdated firmware.
> The problem is that you cannot realistically update those firmwares.
> It is trivial to compile a new firmware for those devices that doesn't
> request upnp to open ports to telnet or ssh. But it is impossible to
> deploy such an update.
> For consumer electronics, we cannot rely on consumers to actually
> download and install new firmware. So part of the solution to securing
> those devices has to be that (out of the box) they will update
> automatically.
Which, in some implementations, means having a clock to know that your current
firmware is actually newer than the "proposed" new firmware (which is really
much older), or knowing that it's been too long since a firmware load.
If the update cycle expects a new firmware every 6 months, but at the same time
won't install firmware older than 1 year, you need a clock. An attacker that
can force time backwards can set it back to that time when the telnet port
was open with the default password... (It's not fake firmware after all, it
has a signature and everything).
And you can't force people to monotonically go up in versions, because bugs
do occur, and people need to "undo"...
> For the same reason, having lots of devices on the internet that have
> been abandoned by the vendor is also a huge security risk. So ideally
> those devices should shutdown automatically.
Again, some notion of current time, so the device can reasonably die.
(And in this case, getting too new a time might be a threat.)
> Note that PCs, browsers, etc. are now somewhat secure because they
> update automatically. We need to do the same with all other devices
> connected to the internet.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
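The clock-rollback problem raised above, as an added example that is not part of the thread or of any IETF work: an update-acceptance policy that trusts the device clock as-is accepts an old signed image once the clock is forced back, while the same policy that refuses to believe a time earlier than the running firmware's own build timestamp, and that requires an explicit authorization for version downgrades, does not. The `Firmware` type, the one-year limit and all timestamps are constructed for illustration.

```python
from dataclasses import dataclass

DAY = 86400
MAX_AGE = 365 * DAY  # thread's policy: refuse images older than one year


@dataclass(frozen=True)
class Firmware:
    version: int        # release number, expected to increase over time
    built_at: int       # build timestamp in Unix seconds (constructed)
    signature_ok: bool  # outcome of signature verification (constructed)


def accept_naive(current: Firmware, proposed: Firmware, now: int) -> bool:
    """Policy as described in the thread: any validly signed image not older
    than one year by the device clock is installable. The clock is trusted."""
    return proposed.signature_ok and now - proposed.built_at <= MAX_AGE


def accept_hardened(current: Firmware, proposed: Firmware, now: int,
                    rollback_ok: bool = False) -> bool:
    """Same policy with two added checks:
    1. the device cannot legitimately observe a time earlier than the build
       time of the firmware it is running, so an earlier 'now' is treated as
       unset or tampered and clamped up to that build time;
    2. the version may only go backwards when a rollback has been explicitly
       authorized (the 'people need to undo' case)."""
    if not proposed.signature_ok:
        return False
    trusted_now = max(now, current.built_at)
    if trusted_now - proposed.built_at > MAX_AGE:
        return False
    if proposed.version < current.version and not rollback_ok:
        return False
    return True


# Constructed scenario: v1 is the old image with telnet open by default,
# v4 is what the device runs today, and the attacker forces the clock back.
OLD = Firmware(version=1, built_at=0 * DAY, signature_ok=True)
CURRENT = Firmware(version=4, built_at=900 * DAY, signature_ok=True)
REAL_NOW = 1000 * DAY
FORCED_BACK = 100 * DAY


def demo() -> dict:
    previous = Firmware(version=3, built_at=800 * DAY, signature_ok=True)
    return {
        "naive_honest_clock": accept_naive(CURRENT, OLD, REAL_NOW),
        "naive_clock_rolled_back": accept_naive(CURRENT, OLD, FORCED_BACK),
        "hardened_clock_rolled_back": accept_hardened(CURRENT, OLD, FORCED_BACK),
        "hardened_authorized_rollback": accept_hardened(CURRENT, previous, REAL_NOW, rollback_ok=True),
    }
```

The clamp only bounds how far back the clock can be pushed; it does nothing against a clock pushed forward, which is the separate "too new a time" concern for devices meant to shut themselves down.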
