John, On 9/27/16 2:13 AM, John R. Levine wrote:
Therein lies the problem if the traffic does not look anomalous I suppose. But even if it does look unusual, ISPs would be asking consumers to trash/update/turn off a lot of devices in time – like when every home has 10s or 100s of these devices. ISP: Dear customer, looks like one of your light switches is sending spam. Customer: Which one? I have 25 light switches. And 25 smart bulbs. And 3 smart TVs, and 3 smart thermostats, and 6 cameras, and…
That's why turning them off has to be mandatory if the ISP can't mitigate the traffic in real time.
As some on this thread know, I've been working with the folks who make light bulbs and switches. They fit a certain class of device that is not general purpose, but rather are specific in nature. For those devices it is possible for the manufacturers to inform the network what the communication pattern of the device is designed to be. This may be extraordinarily broad or quite narrow, depending on the device. Conveniently, the technology for describing much of this dates back to the paleolithic era in the form of access lists. That is what manufacturer usage descriptions are about. (Yep- MUD. There go my marketing credentials). They're slightly abstracted for adaptation to local deployments. There's a draft and we authors are soliciting comments. The service providers has a strong role to play here, since they drive standards for connectivity. Having some access to residential CPE in particular for this purpose, I believe, is very helpful because by doing so not only can SPs protect others, but can also provide lateral protection within the home. As I wrote upthread, if consumers come to see smart lightbulbs not just as useful, but also as a concern, they may wish their SPs to help them. That's the internalizing of an externality that I see possible, and maybe even probable over time. By the way, this isn't just about deliberate attacks. Ask Raul Rojas who built an IoT-based concept house and then had it taken down by a failing lightbulb.[2] Eliot [1] https://tools.ietf.org/html/draft-ietf-opsawg-mud-00 [2] http://fusion.net/story/55026/this-guys-light-bulb-ddosed-his-entire-smart-h...
Sorry, but something in your house is attacking strangers. Once you figure out what it is, here's a handy list of links to the ongoing class action suits against the manufacturers.
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly