It kind of makes sense.
With all these IOT devices being so dangerous, just don't let them on the internet... ;)
The best way of protecting us from Internet of Things botnets is to compartmentalise the entire internet, Intel’s chief architect for IoT security solutions has said. Sven Schrecker, speaking exclusively to The Register at IoT Solutions World Congress in Barcelona, also branded the potential impact of IoT botnets as ‘“ …
They are already not supposed to be on the internet, but behind NAT routers. If the manufacturers would default them to accepting only private IP addresses (IPv4 addresses of 192.168.X.X, 172.16.X.X - 172.31.X.X, and 10.X.X.X, and/or IPv6 addresses of fdxx:xxxx:xxxx…), that would probably help. (Along with random default passwords.) If someone really needs the IoT device to have a non-private address, make them jump through a bunch of hoops (like remove the default user ID completely, plus require a 20 digit complex password) to remove the private IP address restriction.
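One way to put the suggestion above into device firmware, as an added example that is not the commenter's code or any vendor's: a gate that refuses every peer outside the listed private ranges until the owner has removed the default account and set a long, mixed-class password. It assumes the peer address arrives as a string from accept()/getpeername(), reads "20 digit" as 20 characters, and constructs its own sample peers; the names are illustrative only.

```python
"""Device-side source-address gate: accept only private-range peers until
the owner has jumped through the hoops. Added illustration, not code from
the comment or any vendor; the peer address is assumed to arrive as a
string from accept()/getpeername(), and "20 digit" is read as 20 characters.
"""
import ipaddress
import re

# Ranges named in the comment: RFC 1918 for IPv4, and fd00::/8 for IPv6
# (the locally assigned "fdxx:" half of the ULA block fc00::/7).
PRIVATE_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fd00::/8"),
)

# Character classes a replacement password must cover.
PASSWORD_CLASSES = tuple(re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
MIN_PASSWORD_LEN = 20


def is_private_source(peer: str) -> bool:
    """True only if ``peer`` parses and lies inside PRIVATE_NETS.

    Fails closed on garbage. A dual-stack (IPv6) listening socket reports
    IPv4 clients as IPv4-mapped addresses such as ::ffff:192.168.1.200;
    those are unwrapped first, or every IPv4 LAN client would be refused
    (and a mapped public address would slip past an IPv6-only check).
    """
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in PRIVATE_NETS)


def may_lift_restriction(default_user_removed: bool, new_password: str) -> bool:
    """The hoops: default account deleted and a long, mixed-class password."""
    if not default_user_removed or len(new_password) < MIN_PASSWORD_LEN:
        return False
    return all(cls.search(new_password) for cls in PASSWORD_CLASSES)


class SourceGate:
    """Connection gate the device consults before reading a request."""

    def __init__(self) -> None:
        self.private_only = True  # factory default

    def lift_restriction(self, default_user_removed: bool, new_password: str) -> bool:
        if may_lift_restriction(default_user_removed, new_password):
            self.private_only = False
        return not self.private_only

    def accept(self, peer: str) -> bool:
        return True if not self.private_only else is_private_source(peer)


# Constructed sample peers, as a server on a dual-stack socket would see them.
SAMPLE_PEERS = (
    "192.168.1.200",        # LAN client
    "::ffff:10.0.0.5",      # IPv4 LAN client via dual-stack socket
    "fd12:3456:789a::1",    # ULA client
    "172.32.0.1",           # just outside 172.16/12
    "203.0.113.7",          # public IPv4
    "::ffff:203.0.113.7",   # public IPv4, mapped
    "2001:db8::1",          # public IPv6
    "not-an-ip",
)


def triage(gate: SourceGate, peers=SAMPLE_PEERS) -> dict:
    return {p: gate.accept(p) for p in peers}


if __name__ == "__main__":
    gate = SourceGate()
    for peer, ok in triage(gate).items():
        print(f"{'ACCEPT' if ok else 'REJECT':6}  {peer}")
    print("restriction lifted:", gate.lift_restriction(True, "Tr0ub4dor&3"))  # too short
    print("restriction lifted:", gate.lift_restriction(True, "Correct-Horse-Battery-Staple-9"))
```

The IPv4-mapped unwrapping is the part most often missed: a firmware that binds one IPv6 socket and checks only the IPv6 ranges either locks out every IPv4 client on the LAN or, if it falls back to "accept", lets mapped public peers through.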
That would buy us all of three seconds, four even, if we're lucky. It would just mean traditional PC-infecting nasties would start carrying payloads looking for LAN-dwelling IoT stuff to infect; from then on, NAT would do nothing against Mr. 192.168.1.200 and half a million of his buddies suddenly starting to hammer briankrebs.com or whatever...
"behind NAT routers"
Firstly, there is no such thing. There are routers, firewalls and NATs - three different animals, although often included in the same box. As has been emphasised here many times, it's the firewall that protects you, not the NAT.
Second, it isn't that simple. Most malware gets into domestic devices despite the firewall, because it arrives via email or dirty web sites. If malware gets into a Thing, even if the Thing is behind a firewall and is supposed to have only a local address, it can do its dirty work. If the malware is clever, it can get a globally routable IPv6 address of some kind, or fool the IPv4 NAT into letting its traffic through. This is not an easy problem to solve.
I don't think that compartmentalising or partitioning the 'internet' is the solution, or even really viable, because how do you control, or use the data coming from, IoT devices if you can't access them?
The real cause of the problem that IoT devices are now presenting is that the manufacturers of these devices want control but not responsibility. They achieve that control through proprietary software, that only they can update, but then refuse to accept the responsibility for it by failing to maintain that software and provide updates when problems are found with it.
It's pretty easy to see why the IoT manufacturers are doing this: exclusive control of the device gives the manufacturer exclusive access to the marketable data they acquire from it and control over its planned and ensured obsolescence.
The only solution I can see is a standardised IoT h/w platform, pretty much along the lines of the PC model, where all of the software can be maintained independently of the OEM or vendor.
"The only solution I can see is a standardised IoT h/w platform, pretty much along the lines of the PC model, where all of the software can be maintained independently of the OEM or vendor."
Which will never happen because device (and CHIP) manufacturers value their trade secrets in a highly-competitive market. Plus there are countries like China who don't care and can hide behind sovereignty.
I've thought for a while that one way to help achieve partial separation of IOTs would be to have home routers run two or more separate networks, with the IOT network not having access to the more secure network you put your Desktop and Laptop on. The more secure network could though interrogate the IOT network.
I'm not sure how you'd allow important IOT warnings (The freezer temp is too high) to get through! Maybe via the cloud?
I know some better home routers do offer multiple networks but I'm not sure if it achieves the same end. Not having used such a router or any IOTs.
with your girlfriend's name as default password. You will change it quick before your wife finds out.
Also I suppose before your girlfriend finds out.
Some technical issues in this solution to the problem, I admit. I suppose that if first of all you install the manager app on your phone, we can find out who you are calling and maybe why...
"As Schrecker warned, however, until there’s a major IoT DDoS that affects something people care about - financial services rather than cloud-based pet-feeding apps - there’ll be no public will to harpoon the Moby Dick that is IoT security."
OK, quick, just grab some Bitcoins and rent an attack on a financial institution, just for grins. And then ... profit! Right?
While it would be good for the edge gateways to do something, a gateway scanning its addresses is not the sort of task they were designed to do. Sure, put in a separate scanner and let it do the job, and then send an update to the gateway. Oh, and terms of service will definitely change: We reserve the right to attempt to log into your system to test basic security.
Something needs to be done because there will be some event which has the usual media suspects and their all-caps commentards calling for something to be done and we probably won't like the kind of knee-jerk reaction that provokes from governments and authorities ... "if only every bit of kit had a backdoor so it could be disabled when it was being a nuisance".
There are ways to get existing and incoming exploitable kit off the net and nuked out of existence in countries which desire to do that. That would only leave those reluctant to do so. Reducing the risk is at least a start to removing it.
There isn't any single and simple solution, it will require a multi-faceted approach. But if we don't do something it will only get worse.
It will probably be even worse. The demand will be that everyone will need a background check and a permit to own an internet-connected device. There will be government sysadmins for every town/state to review and grant such permits on a may-issue basis. You will need their permission to connect to the internet or to change your home network configuration. You will only be able to run/access services the sysadmin allows, all others will be blocked for your own good. Website censorship will be next (think of the children!).
These edge connectors. Where does he propose to put them? At the interface between the individual customer sites and the ISP? If so we already have such things there, they're the customer routers and in some cases they are the bots in the botnets. So his first problem is to produce a more secure router/edge connector that can be safely put in that place. And when the security holes start to become apparent in those, then maybe we need a more secure edge connector in front of them.
The edge connectors idea, or even at the ISP or an 'exchange' point in between...
1) Most IoThingies really only need access to a very limited number of IP addresses - they don't need to have a web browser. They need to 'phone home', check for software updates, maybe contact Tesco if they're a fridge, hit Netflix and Amazon if they're a TV, and that should be about it - perhaps a dozen or two addresses (obviously there will be exceptions.)
2) Given the above, could an ISP identify which IPs are being used by IoThingies, and do some sort of filtering - they are allowed to access a fixed set of IP addresses and that's it (bit like parental filters, but with a whitelist rather than a blacklist.)
Just a thought, please feel free to tear it to shreds.
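The two ideas in this thread (the separate-networks router a few comments up, where the trusted side may interrogate the IoT side but not the reverse, and the per-device allowlist of the dozen-odd addresses a Thing needs, from the post just above) fit into one forwarding policy. The following is an added example, not any commenter's code or a real router's; the zones, addresses, allowlist and traffic are all constructed, and it models a stateful forwarder in a few dozen lines rather than a real firewall. It also covers the freezer-warning question raised earlier: a direct push from the IoT segment to a laptop is dropped, while the same device reporting to its allowlisted vendor endpoint is let out.

```python
"""Zone-based home-router policy tying the two comments together: a
trusted LAN that may interrogate an IoT segment which may not initiate
back, plus a per-device egress allowlist for the IoT segment. Added
illustration; not the commenters' code, nor any router's. Addresses,
zones and the allowlist are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress

# Two segments the router carries (constructed); anything else is "wan".
ZONES = {
    "lan": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}

# Per-device egress allowlist (constructed): the handful of addresses
# each Thing legitimately talks to, and nothing else.
EGRESS_ALLOWLIST = {
    "192.168.20.7": {"203.0.113.10"},                    # freezer -> vendor cloud
    "192.168.20.9": {"203.0.113.20", "203.0.113.21"},    # TV -> two streaming endpoints
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for a new connection attempt, False for later packets


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


class Router:
    """Stateful forwarding policy between zones."""

    def __init__(self) -> None:
        self.flows = set()  # (src, sport, dst, dport) of accepted connections

    def decide(self, pkt: Packet) -> str:
        # Later packets of a flow pass only if the originating direction was accepted.
        if not pkt.syn:
            return "ACCEPT" if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows else "DROP"

        szone, dzone = zone_of(pkt.src), zone_of(pkt.dst)
        if szone == dzone:
            verdict = "ACCEPT"          # same segment, never crosses the router
        elif szone == "lan":
            verdict = "ACCEPT"          # trusted side may reach IoT and the internet
        elif szone == "iot" and dzone == "wan":
            # Things only reach their own allowlisted endpoints (no browser, no random hosts).
            verdict = "ACCEPT" if pkt.dst in EGRESS_ALLOWLIST.get(pkt.src, ()) else "DROP"
        else:
            verdict = "DROP"            # IoT -> LAN, and anything unsolicited from the WAN

        if verdict == "ACCEPT":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


# Constructed traffic: (description, packet). Ordered so replies follow their requests.
SAMPLE_TRAFFIC = (
    ("laptop polls freezer",              Packet("192.168.10.5", 40000, "192.168.20.7", 80, True)),
    ("freezer answers laptop",            Packet("192.168.20.7", 80, "192.168.10.5", 40000, False)),
    ("freezer pushes alert at laptop",    Packet("192.168.20.7", 50000, "192.168.10.5", 8080, True)),
    ("freezer reports to vendor cloud",   Packet("192.168.20.7", 50001, "203.0.113.10", 443, True)),
    ("freezer (infected) hits target",    Packet("192.168.20.7", 50002, "198.51.100.5", 80, True)),
    ("TV reaches unlisted CDN",           Packet("192.168.20.9", 50003, "198.51.100.9", 443, True)),
    ("internet scans freezer",            Packet("198.51.100.5", 1234, "192.168.20.7", 80, True)),
    ("forged reply to freezer",           Packet("198.51.100.5", 443, "192.168.20.7", 50002, False)),
)


def simulate(traffic=SAMPLE_TRAFFIC) -> list:
    router = Router()
    return [(desc, router.decide(pkt)) for desc, pkt in traffic]


if __name__ == "__main__":
    for desc, verdict in simulate():
        print(f"{verdict:6}  {desc}")
```

The allowlist is keyed by device address, which only holds if the router hands each Thing a fixed lease; on a real router the same policy would be two VLANs with a stateful forward chain, and the "TV reaches unlisted CDN" line is the reminder that streaming endpoints change, so an allowlist this strict needs a way to be updated or it becomes the thing people switch off.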
<sigh> "we couldn't be bothered to design a car with seatbelts that work, so if you could just drive at ridiculously low speed that will fix the problem"
Tell you what, Intel - how about if IoT devices had to meet actual standards including security ones? Of course, that means making sure said standards are set by eggheads and not manufacturer representatives.