[Cryptography] Schneier's Internet Security Agency - bad idea because we don't know what it will do

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Feb 27 19:19:24 EST 2017


Ray Dillinger <bear at sonic.net> writes:

>I would not expect an IoT device to even be *able* to connect to the Internet
>until I configure it with the key for my house-area network, and with the
>certificate it needs to communicate with the proxy server to get packets
>across my outbound firewall.  

That makes you about 0.01% of the IoS vendor's audience.  Or perhaps 0.00%,
I've rounded up.

>The fact that many IoT devices expect this is laughable.

It's not IoS devices that expect it, it's people buying them.  They want
something they can plug in and that just works, with as little configuration
as possible, preferably zero.

This is a real problem for IoS device vendors, because your typical IoS device
has a UI that consists of an LED and possibly a button (fridges and whatnot
are atypical devices).  One commonly-used way to set these up is that on
first power-on they set up a temporary open AP that you connect to with your
phone and enter your standard AP's credentials.  They then restart, shut down
the temporary AP, and connect to your standard AP.  It's a simple, elegant
solution... if you're a geek.  Look at the support forums for some of these
devices for the amount of problems it causes for non-geek users.

This isn't helped by the fact that a great many IoS devices are singularly
incapable of maintaining an active WiFi + IP connection.  I've got some SCADA
gear that uses WiFi that just works (uptimes of years for the stuff I keep
running permanently), my Windows stuff just works, but anything IoS seems
totally unable to keep a network connection up for any amount of time.  For
some things like Raspberry Pis I wrote scripts to try and restart connections
(and there are lots of other versions on places like Stackexchange), but in
the end I just set up a WiFi bridge and ran wired ethernet to them.

>Until somebody starts selling devices whose architecture implements that
>standard of behavior, I'm not buying IoT devices. 

That's fine, you're not the IoS vendors' intended audience.

Peter.

