Comments on Errata Security: Notes on the UK IoT cybersec "Code of Practice" (blog by David Maynor, http://www.blogger.com/profile/09921229607193067441)

Comment by Clément (https://www.blogger.com/profile/05065934437109523096), 2018-10-16 19:46 -04:00

Rebuttal to the rebuttal :)

1. I agree that this should have been clearer, but you're reading the requirement very narrowly. You could consider "no default password" to mean "including no password-protected access to telnet or other services". Many IoT devices also have unauthenticated APIs that respond to HTTP POST and can trivially be subject to CSRF (concrete example: https://www.cvedetails.com/cve/CVE-2018-11315/). These should go away, and "no default password" captures that.

3. I don't get this. Many phones retail at < $100, and many, many IoT devices retail at > $100. Is the IoT market really more competitive than the phone market? See e.g. BLU phones, which cost < $50 and get (some) Android updates. The UI aspect is a good point; the cost aspect is less convincing. Committing to fixes adds a cost, but that's not necessarily bad: if everyone on the market has the added cost, it's not a competitive disadvantage anymore.

5. I disagree. I think that's good advice, and it's quite feasible (without HTTPS warnings). Plex does it, for example, and it seems to work quite well; see https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/.

11. I think you might be misunderstanding them. IoT devices typically upload your data to a remote server. The document says users should be able to erase that remote data. Concretely, users of a Nest thermostat send temperature and presence data to Google; they have an option to delete it. Users of Honeywell Wifi thermostats also send that data, but they don't seem to have the option to delete it. A factory reset changes nothing about that.

Clément