Hacker News

I like this idea a lot. Perhaps every IoT device should publish a profile of its expected behavior to the router. For example, a wifi-enabled thermostat might tell the router that it only intends to connect to a particular range of servers, by DNS name. The router could then set up an automatic firewall rule that stays in sync with DNS changes. The user should be able to disable that firewall rule (to overcome technical issues), but most users will never have a reason to do so.

We could bootstrap this idea by having the router fingerprint IoT devices and apply matching firewall policies from a database. If only we could install "apps" on routers, like we do on Android and iOS devices, someone could get started with this idea right now.




The only issue is that after that point, the device can never connect anywhere else.


So allow the device vendor a way to push a configuration change?


Then the attacker would push that configuration change before DDoSing someone.


Well, I would hope that any IoT device that accepts remote configuration or software updates also checks digital signatures before applying changes. If it doesn't, then I would want the automatic firewall on the router to block all updates.


Your router would notify you of the change and ask if it was intended before applying it, maybe?

I realize how close to Vista's UAC this is getting.


Make the configuration change come from the approved endpoints.
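The scheme the thread sketches, as an added illustration that is not code from any commenter: a device declares the DNS names it intends to reach, the router resolves them into an allowlist that is refreshed as DNS answers change, and a profile change is accepted only when pushed from an endpoint already on that allowlist. The profile shape, the hostnames and the DNS answers are constructed for the example; vendor signature checking, which the thread also calls for, is left out here.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], List[str]]  # hostname -> current A records


@dataclass
class DeviceProfile:
    device_id: str
    allowed_hosts: Set[str]  # DNS names the device says it will contact


@dataclass
class RouterPolicy:
    resolve: Resolver
    profiles: Dict[str, DeviceProfile] = field(default_factory=dict)
    rules: Dict[str, Set[str]] = field(default_factory=dict)  # device -> allowed IPs

    def register(self, profile: DeviceProfile) -> Set[str]:
        self.profiles[profile.device_id] = profile
        return self.refresh(profile.device_id)

    def refresh(self, device_id: str) -> Set[str]:
        """Re-resolve the declared names so the firewall rule follows DNS changes."""
        allowed: Set[str] = set()
        for host in self.profiles[device_id].allowed_hosts:
            allowed.update(self.resolve(host))
        self.rules[device_id] = allowed
        return allowed

    def permits(self, device_id: str, dst_ip: str) -> bool:
        """Default deny: only resolved addresses of declared names pass."""
        ip_address(dst_ip)  # raises ValueError on a malformed address
        return dst_ip in self.rules.get(device_id, set())

    def update_profile(self, device_id: str, src_ip: str, new_hosts: Set[str]) -> bool:
        """Accept a profile change only if it comes from an approved endpoint."""
        if not self.permits(device_id, src_ip):
            return False  # unknown origin: the change is dropped, rules unchanged
        self.profiles[device_id].allowed_hosts = set(new_hosts)
        self.refresh(device_id)
        return True


# Constructed DNS answers standing in for the router's resolver (hypothetical names).
DNS_TABLE: Dict[str, List[str]] = {
    "api.example-thermostat.test": ["203.0.113.10"],
    "update.example-thermostat.test": ["203.0.113.20"],
}
```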



