Philip Homburg <pch-homene...@u-1.phicoh.com> wrote:
    >>>> ddos attack like against Dyn
    >>
    >> I could be wrong, but I believe that Dyn was DDoSed by the Mirai
    >> botnet, which propagates by exploiting devices configured with default
    >> credentials.  This has nothing to do with outdated firmwares.

    > The problem is that you cannot realistically update those firmwares.

    > It is trivial to compile a new firmware for those devices that doesn't
    > request upnp to open ports to telnet or ssh. But it is impossible to
    > deploy such an update.

    > For consumer electronics, we cannot rely on consumers to actually
    > download and install new firmware. So part of the solution to securing
    > those devices has to be that (out of the box) they will update
    > automatically.

Which, in some implementations, means having a clock to know that your current
firmware is actually newer than the "proposed" new firmware (which is really
much older), or knowing that it's been too long since a firmware load.

If the update cycle expects a new firmware every 6 months, but at the same time
won't install firmware older than 1 year, you need a clock.  An attacker that
can force time backwards can set it back to that time when the telnet port
was open with the default password... (It's not fake firmware after all, it
has a signature and everything).

And you can't force people to monotonically go up in versions, because bugs
do occur, and people need to "undo"...

    > For the same reason, having lots of devices on the internet that have
    > been abandoned by the vendor is also a huge security risk. So ideally
    > those devices should shut down automatically.

Again, some notion of current time, so the device can reasonably die.
(And in this case, getting too new a time might be a threat.)

    > Note that PCs, browsers, etc. are now somewhat secure because they
    > update automatically. We need to do the same with all other devices
    > connected to the internet.

    > _______________________________________________ homenet mailing list
    > homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
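
To make the clock dependency concrete, here is an added example in Python (an illustration written for this page, not code from either author): the naive age check Michael describes, a hardened variant that clamps the clock to the running image's build time (an assumed mitigation, not something proposed in the thread), and the "too long since a firmware load" check. All policy numbers, images and clock readings are constructed.

```python
from dataclasses import dataclass

DAY = 86400
MAX_IMAGE_AGE_DAYS = 365             # assumed policy: refuse images older than 1 year
EXPECTED_UPDATE_INTERVAL_DAYS = 180  # assumed policy: a new image every 6 months

@dataclass(frozen=True)
class Firmware:
    version: int        # hypothetical version field from the signed manifest
    build_time: int     # Unix seconds from the signed manifest
    signature_ok: bool  # outcome of a signature check that is not shown here

def accept_clock_only(proposed: Firmware, now: int) -> bool:
    """Naive policy: signed, and not older than MAX_IMAGE_AGE_DAYS by the device clock.
    Trusts 'now' completely, so rolling the clock back re-admits any old signed image."""
    if not proposed.signature_ok:
        return False
    return now - proposed.build_time <= MAX_IMAGE_AGE_DAYS * DAY

def accept_with_floor(current: Firmware, proposed: Firmware, now: int) -> bool:
    """Hardened policy (added here, not from the thread): clamp the clock to the
    build time of the image already running. That value is a lower bound on real
    time that cannot be lowered without already controlling the flash, yet a
    recent previous version can still be installed as an 'undo'."""
    if not proposed.signature_ok:
        return False
    effective_now = max(now, current.build_time)
    return effective_now - proposed.build_time <= MAX_IMAGE_AGE_DAYS * DAY

def overdue_for_update(current: Firmware, now: int) -> bool:
    """The 'too long since a firmware load' check. Note the opposite clock threat:
    a clock pushed forward makes a healthy device look abandoned."""
    return now - current.build_time > EXPECTED_UPDATE_INTERVAL_DAYS * DAY

# Constructed sample images and clock readings (not real devices or timestamps).
T0 = 1483228800  # 2017-01-01T00:00:00Z, build time of the running image
CURRENT = Firmware(version=5, build_time=T0, signature_ok=True)
PREVIOUS = Firmware(version=4, build_time=T0 - 90 * DAY, signature_ok=True)  # recent undo target
ANCIENT = Firmware(version=1, build_time=T0 - 730 * DAY, signature_ok=True)  # telnet-era image
HONEST_NOW = T0 + 30 * DAY
ROLLED_BACK_NOW = ANCIENT.build_time + 10 * DAY  # clock forced back two years
PUSHED_FORWARD_NOW = T0 + 400 * DAY              # clock forced forward

if __name__ == "__main__":
    print("ancient, honest clock, naive  :", accept_clock_only(ANCIENT, HONEST_NOW))               # False
    print("ancient, rolled clock, naive  :", accept_clock_only(ANCIENT, ROLLED_BACK_NOW))          # True
    print("ancient, rolled clock, floor  :", accept_with_floor(CURRENT, ANCIENT, ROLLED_BACK_NOW)) # False
    print("previous, honest clock, floor :", accept_with_floor(CURRENT, PREVIOUS, HONEST_NOW))     # True
    print("overdue, pushed-forward clock :", overdue_for_update(CURRENT, PUSHED_FORWARD_NOW))      # True
```

The floor only helps against clock rollback; it does nothing for the forward-time case, where a device that shuts itself down when "abandoned" needs a time source it can trust not to run ahead.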