Inbound Filtering as an ISP Defense Against IoT Attacks

You’re not supposed to host services on consumer internet connections, but many people do.

As long as you’re not serving too much traffic, and you don’t mind your IP changing every once in a while (for those who don’t have static IPs), it generally works.

This applies to common ports like 22, 23, 80, 443, all the Windows networking ports, database ports, whatever. For most ISPs, you have wide open inbound connectivity.

But now IoT is becoming a problem.

I think one of the controls we’re going to see a lot of ISPs doing in 2017 is massively limiting inbound connectivity to their consumer ranges. It’s restrictive. It’ll make a lot of people mad. But compared to having a legion of misbehaving IoT systems attacking the world from your network it looks pretty smart.

I’m sure some companies are already doing this, but we should expect it to get FAR more popular.

Expect to see it become the norm while we get the devices themselves sorted out, along with active scans for devices to see who’s hosting things that they shouldn’t be.

It’ll be a while.

Notes

1. Blocking inbound won’t solve all issues, of course. One opening it leaves is when devices connect outbound to a cloud-based meeting point, where a mobile app or web login then enables control of the device from the Internet. Control of smart home devices from mobile apps while traveling will continue to be considered core functionality, so this will be an issue for the foreseeable future.

Related posts:

1. Those Bashing Smart Locks Have Forgotten How Easy it is to Pick Regular Ones

2. Preparing to Release the OWASP IoT Top 10 2018 (Updated: Released)

3. Responding to Rob Graham’s “Your Threat Model is Wrong” Post

4. The Differences and Similarities Between IoT and ICS Security