On Thursday, 3 July 2025 03:50:15 CEST Michael De Roover wrote: > For the time being, it's quite late at night and my brain is admittedly > starting to shut down. I have so far read until here, will try to do my best > to read more into it tomorrow. I have a bad habit of taking on more > projects than time allows though.. so no promises. Well, that should've been a red herring... Now with a clearer mind, it seems that I completely missed the mark on the IoT-centric subject matter. Sorry about that. > There are endless pages of results for "unpatched iot devices ddos > attack", > <https://www.google.com/search?q=unpatched+iot+devices+ddos+attack>. > But that is just the client-side problem of the "unpatched server" > problem that leads to so many data breaches and ddos attacks. This is noteworthy, fully agreeing with Jeffrey on this part. Some *very* significant attacks have come out of this, especially the attack on Dyn by the Mirai botnet has stuck with me ever since. So is the Verkada hack by who's actually an old friend of mine, Till Kottmann. 150.000 IP cameras and "super admin" access to Verkada's networks and their enterprise customers, hats off. While I disagree with them on the definition of "information should be free", I don't think that shoddy security by enterprises is justifiable either. Hiring 50 more engineers or 50 more lawyers to deal with that, pick your poison. Point being that IoT devices, especially IP cameras, are often abused for this purpose. I don't think the blame for shoddy security can be entirely put on the designers of IoT appliances though, rather it should be understood and addressed. The way that I entered the IT industry, now about a decade ago, is through Linux. So sysadmin is what I identify myself as. What came later, is programming and electronics. Recently that has resulted in a smartwatch project, using Arduino and an SSD1306 display. It made me realize with every step, how little I know about system programming and electronics-level protocols like I2C, serial and such. Where and why you might prefer them, and where and why you might want to use Bluetooth, WiFi, Zigbee and whatnot. Time sync over WiFi using NTP, or over serial with a PC while charging? Even the focal point of electronics design is so different, that I don't blame IoT developers for usually not knowing much about cloud security, for the same reason that I don't want to be blamed for not knowing much about electronics either. We cannot know everything about everything. But that doesn't mean that we don't have a duty to do what we can reasonably do, and offload certain duties to other engineers where necessary. Maybe even have a DevOps / SRE-like initiative in electrical engineering. > One classical response to exposing such devices to attacks from the Internet > is to then ensure the attack can't be propagate in the home. This is > difficult with todays home network equipment, but easy with better > "enterprise" equipment. Limiting connectivity between devices in the home. > Especially for IoT equipment i hate that idea, because i like the > p2p communication of such devices in the home. Light push-button device > that directly communicates with the light devices, no "IoT controller" > needed (yes, i like Home Assistant, but not that much). I agree with Toerless Eckert on both the need for VLAN / DMZ / etc separation, as well as the criticism towards it on grounds of network separation vs. practical usability. It's a stop gap, not a proper solution. To acknowledge these devices as often insecure is already a huge step, but the end goal should be to not have them be insecure and unable to be patched in the first place. So dear OEMs, do not touch the lockbits! Heck, make the code unreadable for all I care, but allow for reflash. I bought that thing, now I am its owner. And with that, the intellectual property (the code) still remains yours. And even for reading, the binary on the chip has to be reverse engineered anyway. We have laws to deal with that. Anyway, for now my idea is pretty clear-cut. I make the IoT devices myself, or they don't enter my house. Acknowledging the somewhat hostile sentiment in this email, for which I want to apologize.. there's a lot to be addressed. -- Met vriendelijke groet, Michael De Roover Mail: ietf@xxxxxxxxxxxx Web: michael.de.roover.eu.org
