[Cryptography] Schneier's Internet Security Agency - bad idea because we don't know what it will do

Kevin W. Wall kevin.w.wall at gmail.com
Mon Feb 27 19:21:37 EST 2017


On Mon, Feb 27, 2017 at 2:36 PM, Ray Dillinger <bear at sonic.net> wrote:
> I would not expect an IoT device to even be *able* to connect to
> the Internet until I configure it with the key for my house-area
> network, and with the certificate it needs to communicate with
> the proxy server to get packets across my outbound firewall.  The
> fact that many IoT devices expect this is laughable.  The firewall
> on outgoing packets tells me what devices I need to disconnect
> and destroy.

Those of us who are security conscious, run our own custom firewalls,
etc. would agree, but that's not likely to work for the masses as
it's simply not usable and as a result it negatively impacts
sales. There are a lot more members of the Blinking Twelve Club
than we'd like to admit. I don't think that it's because they
don't care or are dumb as much as the instructions are poor
or too lengthy for them to read. So they are content with their
DVD clock blinking 12:00 or their IoT devices connecting to the
Internet unbeknownst to them. What could possibly go wrong?

> Perniciously, it is the case that some devices, especially cameras
> and printers, which are not marketed as Internet-enabled, still
> attempt to send outbound packets.  Many routers which are configured
> for local network only still attempt to send outbound packets onto
> the wide open Internet.  My desktop mill's goddamned CNC controller
> made a DNS request the instant I plugged an ethernet cable into it
> to transfer G-code to it! It got replaced with an arduino board.

Makes me think of those Vizio Smart TVs that were spying on consumers.
(https://www.wired.com/2017/02/smart-tv-spying-vizio-settlement/)
I'm really surprised they got off for only $2.2M.

And sadly, as Henry Baker noted, if IoT devices can't jump on the Internet
via your secured network, they will try to do so if they can access
an open WiFi from a neighbor.

> Even if I wanted an Internet-enabled device, and even if it *had*
> the wifi and proxy info to connect from anywhere in my house, I
> wouldn't want it to attempt to connect to the Internet before I
> told it what certificates it should use, exactly where to connect
> to, and exactly what certificates its only valid connection partners
> have.  If it connects to anything else, or communicates with
> anything that does not present that certificate, or communicates
> with anything at all using any other certificate besides the one I
> give it or communicates at all via unsecured protocols, then the
> busted pieces of it go into the trash.

I agree, but most people don't want to go through that trouble. As
long as their IoT devices do what they're supposed to do from their
end, all is good. They are completely oblivious to everything else.
>
> Until somebody starts selling devices whose architecture implements
> that standard of behavior, I'm not buying IoT devices.  But sometimes
> I discover that I have bought one unintentionally.  That's one of
> the reasons I keep a fire axe handy.

I'm with you, although I don't think I'd go as far as using a fire
axe. (Pretty sure that would void the warranty. :) But I will log in
to change all the default passwords to some random 64-character string
that I'll store in a password manager and then proceed to shut
down every possible "service" that I can. But it's not what the people
on this list would do or wouldn't do, it's what the person who wants
it to "just work" will do and who is ignorant of all this as well
as all of the hazards.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.

