why not have router->device permissions like phone?


Larc

Member
May 31, 2022
tldr: a router that uses your phone or some API as a 2nd factor to add devices to your network, and during this time, permissions are requested/granted.
I can think of a lot of cool ways to expand this basic idea. Does this help security, is this a good idea, what flaws exist?

-----

When you add an app to your phone, it tells you what it plans on doing, and you choose to allow or not, in some cases disallow certain requests.
Would this help IOT and other devices from being taken over and if they were taken over, to limit what they could do?

Why not have this on a router?
Let's say I have a smart router and it connects to my phone.
For example, add an IP camera on the network:
1) I connect it normally.
2) Now I get a notification on my phone asking if I want to allow this device to connect to my network; included is the information that it only wants to receive connections from local IPs.

If I want to add a smart doorbell:
1) I connect it normally.
2) I get a notification on my phone that it's connecting and wants to be able to communicate with some.cloudcamera.com or whatever, but no local devices.

If I want to add a computer:
1) Connect normally.
2) I get a notification that it wants all access.

I'm sure the connection method could be improved, but that's a different conversation, but it could be put into spec form, like part of the Matter spec for example, so at least those devices know how to request access. Alternately or in addition, the router could query the device or ask a user to type in what it is, and that could do a lookup in a database to see what applicable permissions apply to that device, and with this, it could change over time, if the services change, and people would be made aware of the changes. If it were popular enough the manufacturers themselves would want to make sure their devices were in the database, but it could be done by users in the beginning.

I haven't put nearly all of the thoughts I have on the subject here, just wanted to see if this existed anywhere/perceived benefit/issues. I'd love to see this happen.

permissions
outgoing connection recipient list
outgoing connection ports allowed
incoming connection recipient list
expected/max bandwidth (a lightbulb should use more than a tiny amount of data)
time window of allowed use
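As an added example (not code from the post or from any router vendor), here is a small policy evaluator for the permission list above, applied to the three devices described in the post: the router looks up the device's policy and reports which permissions a flow would violate. The subnet, MAC addresses, hostnames and flow values are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import time
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet (constructed)
@dataclass
class DevicePolicy:  # per-device permissions in the shape the post lists
    name: str
    local_out: bool = False                          # may talk to LAN devices
    allowed_hosts: set = field(default_factory=set)  # outgoing recipient list (Internet)
    allowed_ports: set = field(default_factory=set)  # outgoing ports; empty = any port
    local_in: bool = False                           # may accept connections from LAN
    max_kbps: float = float("inf")                   # expected/max bandwidth
    window: tuple = (time(0, 0), time(23, 59, 59))   # time window of allowed use
    full_access: bool = False                        # e.g. a PC: everything allowed
@dataclass
class Flow:  # one observed connection, as the router would see it
    direction: str       # "out" or "in"
    peer_ip: str
    port: int
    kbps: float
    peer_host: str = ""  # resolved name of the peer, "" if unknown
    at: time = time(12, 0)

def evaluate(policy: DevicePolicy, f: Flow) -> list[str]:
    """Return the policy violations for one flow; an empty list means the router forwards it."""
    if policy.full_access:
        return []
    v, peer_local = [], ipaddress.ip_address(f.peer_ip) in LAN
    if f.direction == "out":
        if peer_local and not policy.local_out:
            v.append("outgoing to local device not permitted")
        if not peer_local and f.peer_host not in policy.allowed_hosts:
            v.append(f"outgoing to unlisted host {f.peer_host or f.peer_ip}")
        if policy.allowed_ports and f.port not in policy.allowed_ports:
            v.append(f"outgoing port {f.port} not permitted")
    elif not (peer_local and policy.local_in):
        v.append("incoming connection not permitted")
    if f.kbps > policy.max_kbps:
        v.append(f"bandwidth {f.kbps} kbps exceeds {policy.max_kbps}")
    if not (policy.window[0] <= f.at <= policy.window[1]):
        v.append("outside allowed time window")
    return v
POLICIES = {  # constructed policies (keyed by MAC) for the three devices in the post
    "aa:aa:aa:00:00:01": DevicePolicy("ip-camera", local_out=True, local_in=True, max_kbps=4000),
    "aa:aa:aa:00:00:02": DevicePolicy("doorbell", allowed_hosts={"some.cloudcamera.com"}, allowed_ports={443}),
    "aa:aa:aa:00:00:03": DevicePolicy("pc", full_access=True),
}
def check(mac: str, f: Flow) -> list[str]:  # unknown devices are blocked until the owner approves them
    policy = POLICIES.get(mac)
    return ["unknown device, approval pending"] if policy is None else evaluate(policy, f)
```

A router applying this would forward a flow only when `check` returns an empty list and would push the violation text to the phone, which is also where an "approval pending" device gets its prompt.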
 
I connect it normally.
What does this mean?

If you connected it with a wire (wired networking) there is nothing in the network that can prevent a device from issuing packets. *IF* you connect every device directly into a router port, then yes, a router could manage which devices can do what. (These devices exist in a corporate environment, they're enterprise class smart switches, and use a protocol like 802.1X to authorize devices using something like a RADIUS server https://www.securew2.com/solutions/802-1x .)

But I assume you meant a wireless router--and thus my question. A wireless device either is on your network or is not on your network. There is no in-between. Either it knows the wireless password, and can form packets that are valid on your network, or it cannot. I guess there could be a new protocol adjunct created that allows a device to request access, but to prevent that from becoming a DoS vector against you, it would need an additional password. In the end, it's probably just too complex to bother doing, because most home WiFi users just don't have the technical abilities.

There are features like 802.1X that work with enterprise WiFi gear. You could check into the features of network controllers like Ubiquity offers if you're technically interested and financially able to build such an enterprise WiFi network at home.
My mindset was mainly in WiFi, since most IOT are WiFi.
So when I said "I connect normally", I'm saying follow the device setup normally; if you buy a Ring doorbell, you go through their usual setup.
For things that are wired, there is no "connect normally", it's connected.

While they may be on the network, it doesn't mean they can do whatever they want; the router can monitor and limit connectivity to the outside and internal devices. For example, in my house I have a couple of IP cameras, but as I don't access them outside of my house, I do not allow them to connect to the internet at all, but I can communicate with them from my internal devices.

During the setup, my router would see that there is a new device on the network and I'd see it on my phone; I can grant access to this new device (access means the router will forward packets according to what is allowed), and by default this could be full access, but as a library of devices is created by the router company or the most tech-savvy users.

Does this make sense?

The idea is that it's a way that a user could behind the scenes have an advanced Ubiquiti-like router, with maybe even more complex rules, but the rules are created/managed/etc. behind a friendly UI. The UI also can alert you to possible issues with devices, either with how they are performing, indications of compromise, or firmware notifications, whatever.
If you connected it with a wire (wired networking) there is nothing in the network that can prevent a device from issuing packets
You can and should have unused ports disabled. You can't with dumb switches, but many active switches allow you to either assign them to a different VLAN, or not connect them to the switch until you assign them. Talking about ubnt, they have some cheap ones.

 
doesn't mean they can do whatever they want
If a device can form packets on your network, it is a danger to you. It might be more dangerous if it has easy access to the Internet, but it doesn't necessarily need that to cause you harm. It could have a hidden 4G network connection, and be snooping your network and forwarding specific data to a bad guy via the cellular network. It could be smart enough to spoof other devices on your network and presumably one of those will have better access than another. If you don't have at least minimal trust of the device, you should NOT put it anywhere on any network. Yes, there are ways you could improve the user interface to a router, but as I said, there is no money in building this for the 1% of home users who are technical enough to make use of it.
 
tldr: a router that uses your phone or some API as a 2nd factor to add devices to your network, and during this time, permissions are requested/granted.
I can think of a lot of cool ways to expand this basic idea. Does this help security, is this a good idea, what flaws exist?
In principle, yes it is a good idea.

What flaws exist:

1) How do you handle all the existing devices which don't understand this new process?
2) Why would any router manufacturer develop the software to do this when it would cost them money and 99.9..9% of users would not understand it or use it?
3) Would the additional software and processing fit within the limited power and storage of a typical router or would it force a price increase, thus reducing the target market even more?
4) Device manufacturers would just request "all privileges", regardless of what they need, just in case something new occurs.
5) Device manufacturers would not want to block internet access as they would not get the telemetry, or be able to force adverts on to your device.
6) How do you get software updates to a device that is not allowed to access the internet? (Yes, you could download it to a PC and import from there, but how many users would?)

I am sure there are more reasons.