back to article Divide the internet into compartments to save us from the IoT fail whale

The best way of protecting us from Internet of Things botnets is to compartmentalise the entire internet, Intel’s chief architect for IoT security solutions has said. Sven Schrecker, speaking exclusively to The Register at IoT Solutions World Congress in Barcelona, also branded the potential impact of IoT botnets as ‘“ …

  1. Anonymous Coward
    Thumb Up

    It kind of makes sense.

    With all these IOT devices being so dangerous, just don't let them on the internet... ;)

    1. The Man Who Fell To Earth Silver badge
      Black Helicopters

      Re: It kind of makes sense.

      They are already not supposed to be on the internet, but behind NAT routers. If the manufacturers would default them to accepting only private IP addresses (IPv4 addresses of 192.168.X.X, 172.16.X.X - 172.31.X.X, and 10.X.X.X, and/or IPv6 addresses of fdxx:xxxx:xxxx…), that would probably help. (Along with random default passwords.) If someone really needs the IoT device to have a non-private address, make them jump through a bunch of hoops (like remove the default user ID completely, plus require a 20 digit complex password) to remove the private IP address restriction.

      1. DropBear

        Re: It kind of makes sense.

        That would buy us all of three seconds, four even, if we're lucky. It would just mean traditional PC-infecting nasties would start carrying payloads looking for LAN-dwelling IoT stuff to infect; from then on, NAT would do nothing against Mr. 192.168.1.200 and half a million of his buddies suddenly starting to hammer briankrebs.com or whatever...

      2. Yes Me Silver badge
        Alert

        behind NAT routers???

        "behind NAT routers"

        Firstly, there is no such thing. There are routers, firewalls and NATs - three different animals, although often included in the same box. As has been emphasised here many times, it's the firewall that protects you, not the NAT.

        Second, it isn't that simple. Most malware gets into domestic devices despite the firewall, because it arrives via email or dirty web sites. If malware gets into a Thing, even if the Thing is behind a firewall and is supposed to have only a local address, it can do its dirty work. If the malware is clever, it can get a globally routable IPv6 address of some kind, or fool the IPv4 NAT into letting its traffic through. This is not an easy problem to solve.

  2. Anonymous Coward
    Anonymous Coward

    About bloody time

    We need to divide the internet into 3 parts.

    The IoT botnet, phoneposters, and the real internet for everything else.

    1. frank ly

      Re: About bloody time

      Maybe IPV6 has enough addresses for any partitioning scheme that you can think of?

      1. Anonymous Coward
        Anonymous Coward

        Re: About bloody time

        Great idea.

        Phoneposters can go on feed:face, and the IoT can map to dead:baad

    2. Anonymous Coward
      Anonymous Coward

      Re: About bloody time

      I don't think that compartmentalising or partitioning the 'internet' is the solution, or even really viable, because how do you control, or use the data coming from, IoT devices if you can't access them?

      The real cause of the problem that IoT devices are now presenting is that the manufacturers of these devices want control but not responsibility. They achieve that control through proprietary software, that only they can update, but then refuse to accept the responsibility for it by failing to maintain that software and provide updates when problems are found with it.

      It's pretty easy to see why the IoT manufacturers are doing this: exclusive control of the device gives the manufacturer exclusive access to the marketable data they acquire from it and control over its planned and ensured obsolescence.

      The only solution I can see is a standardised IoT h/w platform, pretty much along the lines of the PC model, where all of the software can be maintained independently of the OEM or vendor.

      1. Charles 9

        Re: About bloody time

        "The only solution I can see is a standardised IoT h/w platform, pretty much along the lines of the PC model, where all of the software can be maintained independently of the OEM or vendor."

        Which will never happen because device (and CHIP) manufacturers value their trade secrets in a highly-competitive market. Plus there are countries like China who don't care and can hide behind sovereignty.

  3. Anonymous Coward
    Facepalm

    Or you could just...

    Oh I dunno.... make those crappy IoT things less easy to hack ?

    1. Nunyabiznes

      Re: Or you could just...

      Gave you an upvote - but that doesn't do anything for the existing billions of <useless punter crap> <pwned> devices that are out there.

      1. Anonymous Coward
        Anonymous Coward

        Re: Or you could just...

        Maybe some bright punter can write an application that will compromise the old crappy ones, then brick them.

        1. Anonymous Coward
          Anonymous Coward

          Re: Or you could just...

          Laurie Love asked if he *should* do exactly that on Twitter. General advice was no effing way.

  4. Chris Evans

    Doing it at home!

    I've thought for a while that one way to help achieve partial separation of IOTs this would be to have home routers run two or more separate networks, with the IOT network not having access to the more secure network you put your Desktop and Laptop on. The more secure network could though interrogate the IOT network.

    I'm not sure how you'd allow important IOT warnings (The freezer temp is too high) to get through! Maybe via the cloud?

    I know some better home routers do offer multiple networks but I'm not sure if it achieves the same end. Not having used such a router or any IOTs.

    1. Fungus Bob
      Trollface

      Re: Doing it at home!

      The human race has managed to get along without IoT warnings for thousands of years, I'm sure we'll manage to get along without them for another several thousand.

  5. Sureo

    IOTs are polluting the internet just as we are polluting the earth.

  6. Mr Dogshit

    http://www.commitstrip.com/en/2016/10/14/good-old-adminpassword/

    1. Robert Carnegie Silver badge

      device arrives pre-configured

      with your girlfriend's name as default password. You will change it quick before your wife finds out.

      Also I suppose before your girlfriend finds out.

      Some technical issues in this solution to the problerm, I admit. I suppose that if first of all you install the manager app on your phone, we can find out who you are calling and maybe why...

  7. Brian Miller

    Rent some concern

    "As Schrecker warned, however, until there’s a major IoT DDoS that affects something people care about - financial services rather than cloud-based pet-feeding apps - there’ll be no public will to harpoon the Moby Dick that is IoT security."

    OK, quick, just grab some Bitcoins and rent an attack on a financial institution, just for grins. And then ... profit! Right?

    While it would be good for the edge gateways to do something, a gateway scanning its addresses is not the sort of task they were designed to do. Sure, put in a separate scanner and let it do the job, and then send an update to the gateway. Oh, and term of service will definitely change: We reserve the right to attempt to log into your system to test basic security.

    1. DropBear
      Trollface

      Re: Rent some concern

      "We reserve the right to attempt to log into your system to test basic security.[1]"

      [1] If you don't start exponentially delaying us after the first few attempts, we reserve the right to totally brute force you.

  8. Jason Bloomberg Silver badge

    It's not looking good

    Something needs to be done because there will be some event which has the usual media suspects and their all-caps commentards calling for something to be done and we probably won't like the kind of knee-jerk reaction that provokes from governments and authorities ... "if only every bit of kit had a backdoor so it could be disabled when it was being a nuisance".

    There are ways to get existing and incoming exploitable kit off the net and nuked out of existence in countries which desire to do that. That would only leave those reluctant to do so. Reducing the risk is at least a start to removing it.

    There isn't any single and simple solution, it will require a multi-faceted approach. But if we don't do something it will only get worse.

    1. MSmith

      Re: It's not looking good

      It will probably be even worse. The demand will be that everyone will need a background check and a permit to own an internet-connected device. There will be government sysadmins for every town/state to review and grant such permits on a may-issue basis. You will need their permission to connect to the internet or to change your home network configuration. You will only be able to run/access services the sysadmin allows, all others will be blocked for your own good. Website censorship will be next (think of the children!).

  9. Doctor Syntax Silver badge

    These edge connectors. Where does he propose to put them? At the interface between the individual customer sites and the ISP? If so we already have such things there, they're the customer routers and in some cases they are the bots in the botnets. So his first problem is to produce a more secure router/edge connector that can be safely put in that place. And when the security holes start to become apparent in those, then maybe we need a more secure edge connector in from of them.

    1. Charles 9

      Indeed, what's to stop these sentries being owned themselves and turned into bots?

  10. Anonymous Coward
    Facepalm

    The best way of protecting us from Internet of Things botnets

    The solution being to charge the ISPs with mitigating the DDOS attack. ref

  11. streaky
    Megaphone

    This..

    Is actually the dumbest idea I've ever heard, and isn't a solution to any actual problem.

  12. Pen-y-gors

    There's a germ of an idea here...

    The edge connectors idea, or even at the ISP or an 'exchange' point in between...

    1) Most IoThingies really only need access to a very limited number of IP addresses - they don't need to have a web browser. They need to 'phone home', check for software updates, maybe contact Tesco if they're a fridge, hit Netflix and Amazon if they're a TV, and that should be about it - perhaps a dozen or two addresses (obviously there will be exceptions.)

    2) Given the above, could an ISP identify which IPs are being used by IoThingies, and do some sort of filtering - they are allowed to access a fixed set of IP addresses and that's it (bit like parental filters, but with a whitelist rather than a blacklist.)

    Just a thought, please feel free to tear it to shreds.

    1. Doctor Syntax Silver badge

      Re: There's a germ of an idea here...

      "Just a thought, please feel free to tear it to shreds."

      How does the ISP know which request came from an IoThingy and which from a user? Assuming, here, an IPv4 network with everything arriving at the ISP bearing just the router's address.

  13. Neoc

    <sigh> "we couldn't be bothered to design a car with seatbelts that work, so if you could just drive at ridiculously low speed that will fix the problem"

    Tell you what, Intel - how about if IoT devices had to meet actual standards including security ones? Of course, that means making sure said standards are set by eggheads and not manufacturer representatives.

    1. Charles 9

      Tell you what. If Big Brother insists on inspecting the things we do in the privacy of our homes, then civilization as we know it is pretty much shot.

      1. Neoc

        Are you a politician? Because you took my complaint that instead of fixing their security problem the manufacturers were pushing it on the public - and you turned it into a Big Brother rant.

        Wow.

  14. cantankerous swineherd

    proceed as if the internet is fucked, whilst thinking up another one.

    1. Charles 9

      But how do you keep it from (a) becoming as lawless as the one we have now or (b) building a completely-stateful Internet (Hello, Big Brother)?

  15. defiler

    Segregation

    Can't we just shove IoT onto IPX? Routable and yet completely distinguishable so we can turn it off immediately.

    What do you mean you don't have an IPX router? Oh well - good enough I guess!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like