[Cryptography] Schneier's Internet Security Agency - bad idea because we don't know what it will do
Ray Dillinger
bear at sonic.net
Mon Feb 27 14:36:19 EST 2017
I would not expect an IoT device to even be *able* to connect to
the Internet until I configure it with the key for my house-area
network, and with the certificate it needs to communicate with
the proxy server to get packets across my outbound firewall. The
fact that many IoT devices expect this is laughable. The firewall
on outgoing packets tells me what devices I need to disconnect
and destroy.
Perniciously, it is the case that some devices, especially cameras
and printers, which are not marketed as Internet-enabled, still
attempt to send outbound packets. Many routers which are configured
for local network only still attempt to send outbound packets onto
the wide open Internet. My desktop mill's goddamned CNC controller
made a DNS request the instant I plugged an ethernet cable into it
to transfer G-code to it! It got replaced with an arduino board.
Even if I wanted an Internet-enabled device, and even if it *had*
the wifi and proxy info to connect from anywhere in my house, I
wouldn't want it to attempt to connect to the Internet before I
told it what certificates it should use, exactly where to connect
to, and exactly what certificates its only valid connection partners
have. If it connects to anything else, or communicates with
anything that does not present that certificate, or communicates
with anything at all using any other certificate besides the one I
give it or communicates at all via unsecured protocols, then the
busted pieces of it go into the trash.
Until somebody starts selling devices whose architecture implements
that standard of behavior, I'm not buying IoT devices. But sometimes
I discover that I have bought one unintentionally. That's one of
the reasons I keep a fire axe handy.
Bear
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20170227/ec91d4a8/attachment.sig>
More information about the cryptography
mailing list