This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/iot-wg@ripe.net/
[iot-wg] some experiences with deny-by-default for IoT devices
Michael Richardson
mcr+ietf at sandelman.ca
Mon Mar 29 19:37:57 CEST 2021
The CIRALabs SHG project (https://www.cira.ca/labs/projects/cira-secure-home-gateway) has been trying to get our systems into the hands of 50+ in-house alpha testers, but the pandemic has set us back: sorting people's network plumbing without visiting their house is a challenge. There will always be someone with something that just isn't wired up right, and non-technical people don't want to screw with their setup when they need it for minute-by-minute school work, etc. (Ironically, our home routers probably make their network better if wired right).

So, our team has been onboarding devices and letting our SPIN/SHG hybrid system do analysis of the devices to form filtering policies. We have learnt that this is harder than we'd like.

For instance, I got a $20 Globe Suite single outlet back in December. It's in green so that it will match your Xmas-tree.
https://globe-electric.com/en/product/globe-electric-wi-fi-smart-plug-no-hub-required-white50114/

Our system is set up to accept new devices online, but to drop traffic from them by default until the administrator says, "okay".

The device wants to be put into onboarding mode by having a button held down for 5s, and then it flashes fast, and it is supposed to be discoverable by the phone. I'm unclear if it gets discovered by BT or via 2.4GHz public frames. The app is repeatedly very specific: "Make sure you are on 2.4Ghz WIFI"

My app just could not discover my device despite repeated attempts. No obvious errors, just "not there"....

I went back to our SHG app, saw that in fact a new device was now present. (Yes, there is a bug with delays with Notifications that we haven't figured out yet). I then enabled access for this new device.

NOW, I could onboard the device. Apparently, it attempts to join the WIFI, connect to Internet, and connect to the cloud, and if anything fails, then everything fails, and the device appears to not even be found! That's terrible UI.

Now for the kicker: one might assume that the device is really controlled through the cloud then, right? So after plugging in a light to test it, and confirming I could turn it on and off with my phone, I turned wifi off on my phone, and tried to control it via LTE. What's the latency that way? Infinite, as I don't think it can be controlled via the Internet. Yes, you can onboard it to Siri, Alexa, Google Home, and I imagine you can control it that way.

The device needs Internet to onboard, but doesn't apparently use it. Firmware updates? Maybe.

The onboarding fails in less than human reaction time, so I could never actually enable access for the device via any kind of UI!

--
Michael Richardson <mcr+IETF at sandelman.ca>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide