nanog mailing list archives
Re: IoT security, was Krebs on Security booted off Akamai network
From: Mel Beckman <mel () beckman org>
Date: Sun, 9 Oct 2016 20:07:48 +0000
Barry,

The problem isn't authentication during initial installation, since that can be done using SSL and a web login to the cloud service. The problem is that vendors aren't even using minimal security protections, such as SSL, and then leaving devices open to inbound connections, which is bad even behind a firewall (because viruses typically scan LANs for these vulnerable devices). These are the devices exploited by hackers to become DDoS attack vectors.

-mel beckman
On Oct 9, 2016, at 1:02 PM, "bzs () TheWorld com" <bzs () TheWorld com> wrote:

Elsewhere, for decades, I've bemoaned the fact that keyboards (etc) don't have credit card swipes (perhaps today "and chip readers") so with some care on the part of the software someone could prove they likely have physical access to the card.

But it would be very useful in this IoT problem.

You power up a new device, it won't enable until you run some web (e.g.) interface. At that point you swipe a card which generates a hash which secures the IoT device from further config until it's presented again. The device can have the usual reset to factory config button for the case of lost cards.

It needn't even be an active credit card. It could be an old spent gift card. It could even be a free card that comes right in the box tho that might invite predictability, but maybe a basket of cards to use at the checkout counter "take one you'll need it for setup".

The software just has to be able to read the magstripe or chip and use the info to generate a reasonably secure hash which is stored (preferably in the device). Need to reconfig, open the window, swipe the same card.

Hotel safes often use this approach as an alternative to PIN entry.

The device doesn't store any info about the card directly, only the hash. And as I said it could be most anything that looks like a credit card and has a readable mag stripe. The user doesn't have to come up with a password and can't use the device until a hash is stored.

But, alas, no swipes...

--
-Barry Shein

Software Tool & Die | bzs () TheWorld com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
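Barry's enrol-once, swipe-to-unlock scheme from the quoted message, as an added example that is not code from the thread: the device keeps only a random salt and a slow salted hash of the swiped track data, the config interface stays disabled until that hash exists, and it opens only after a matching swipe; the CardLockedDevice class, the PBKDF2 parameters and the constructed track string are assumptions. The slow, salted hash is what limits guessing when the card is a low-entropy "free card in the box".

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustration (not from the thread).
KDF_ITERATIONS = 200_000
SALT_LEN = 16

def _derive(track_data: bytes, salt: bytes) -> bytes:
    """Slow, salted hash of the swiped track data (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", track_data, salt, KDF_ITERATIONS)

class CardLockedDevice:
    """Config interface that stays disabled until a card hash is enrolled and
    then accepts changes only while the same card has just been presented."""

    def __init__(self) -> None:
        self.salt = None        # random per device, stored next to the hash
        self.card_hash = None   # the only card-derived value the device keeps
        self.config_open = False
        self.config = {}

    def enroll(self, track_data: bytes) -> bool:
        """First swipe: keep salt + hash, never the raw magstripe/chip data."""
        if self.card_hash is not None:
            return False        # re-enrolment only via factory reset
        self.salt = os.urandom(SALT_LEN)
        self.card_hash = _derive(track_data, self.salt)
        return True

    def present_card(self, track_data: bytes) -> bool:
        """Later swipe: open the config window only if the hash matches."""
        if self.card_hash is None:
            return False
        self.config_open = hmac.compare_digest(_derive(track_data, self.salt), self.card_hash)
        return self.config_open

    def set_option(self, key: str, value: str) -> bool:
        """Config change: refused unless a matching card opened the window."""
        if not self.config_open:
            return False
        self.config[key] = value
        return True

    def factory_reset(self) -> None:
        """Lost card: wipe hash and config, back to the 'won't enable' state."""
        self.salt = self.card_hash = None
        self.config_open = False
        self.config = {}
```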