Comment by selinkocalar 6 hours ago
IoT security is generally terrible, but the fact that consumer routers are essentially unaudited black boxes processing all your network traffic is genuinely concerning. Most people have no idea their router firmware hasn't been updated in years and is probably running known CVEs. The supply chain trust model for networking hardware is broken.
There are countless routers in between you and your destination which you can't audit anyway. End devices long since consider the routers to be compromised and have everything verified and encrypted in transit. So unless your router is participating in a DDoS or mining bitcoins it doesn't really matter how secure it is.
Many IoT devices (or Windows when the LAN network location is set to “Private”) expose a wider surface area to local network addresses. Having a competent firewall on your residential router is still useful, especially for those that have no idea how to configure their endpoints securely.
Comparing a residential router to a network operator’s router is spurious: those routers don’t perform any sort of filtering for the public internet traffic flowing through them.
Most people are using routers given to them (and configured by) their ISP... so really they are blackboxes connected to an upstream blackbox for most people.
I am always surprised by how many people give me their ISP chosen router name and ISP chosen password when I connect to their WiFi. I don't want to give my ISP that much control.
Are you really surprised though or are you talking about the HN reading subset of your "many people"?
Coz I would absolutely 100% not be surprised for your average consumer.
For your average HN reader I would hope they treat whatever their ISP gave them as just some dumb "switch" type device that sits outside their trusted network and handles nothing but encrypted traffic. Like my ISPs device definitely does have a WiFi and such, which I disabled. I treat it as a bridge / modem and it's definitely not part of my "inner circle". Hasn't been in 25 years.
Not entirely true. There's a local admin option, where your Ubiquiti devices never see the internet (well, except your gateway). You can then connect and admin the whole thing remotely via your own VPN. It's quite nice, actually.
Or openWRT.
The bsd based distributions sure are powerful, but with the power/heat budget to match.
The soulutions is iptables.
The solution is nftables.
The solution is bpf.
The solution is emacs-m-x-butterfly-bpf.
>IoT security is generally terrible
I think IoT demands a rethink of security.
Like sometimes I want IoT devices to just bloody connect, and if I have to use a published exploit that circumvents online only requirements I will do it.
But some people do genuinely have use cases for cloud speaking IoT stuff.
Really I think the device should ask at first run, and then burn in your response and act only in the selected mode. If you want it to require Cloud MFA, thats an option, if you want to piss python at your lightbulb to make it blink, then thats where it lives permanently.