Re: [HOME_NETWORK_TF] Security concerns around Home Networking APIs

Matt,
I see your case now, I'll add it to the list.

Using pairing is indeed a possible solution, but I'm wondering if this  
security problem is more related to the shared nature of the device than  
to the Home Networking technology itself, and if this could/should be more  
a concern for the device manufacturer; for example STB/TV could use a  
master password to enable/disable this functionality, an OS could rely on  
normal Users permissions and so on.

/g

On Mon, 18 Apr 2011 15:46:46 +0200, Matt Hammond  
<matt.hammond@rd.bbc.co.uk> wrote:

> hi Guiseppe,
>
> Apologies - I did not properly explain the difference:
>
> I refer to a use case where, for example, the owner of the TV may wish  
> to prevent other members of the household from using websites to remote  
> control it unless he grants permission. In this circumstance, not only  
> might the user of the website need to grant the website permission, but  
> also a privileged user of the TV (or other device) may need to authorise  
> it too.
>
> With a pairing code approach, this can be achieved if only certain users  
> can access the pairing setup part of the user interface on the device to  
> be controlled.
>
>
> regards
>
>
> Matt
>
> On Mon, 18 Apr 2011 14:41:52 +0100, Giuseppe Pascale  
> <giuseppep@opera.com> wrote:
>
>> On Mon, 18 Apr 2011 14:16:28 +0200, Matt Hammond  
>> <matt.hammond@rd.bbc.co.uk> wrote:
>>
>>> Hi Giuseppe,
>>>
>>> Another class of security concern could be access by unauthorised  
>>> users (via their personal devices). For example, a family may wish to  
>>> prevent any website that the children view on their PCs or phones from  
>>> being able to query and/or control other devices on the home network  
>>> (such as the lounge TV) unless explicitly authorised to do so.
>>>
>> Agree, in my opinion this was listed under the first bullet of  
>> "Malicious attacks"
>> "An external server can control an HN device (e.g. send spam to your  
>> printer)"
>>
>> /g
>>> The pairing code mechanism you suggest is one possible way of  
>>> achieving this.
>>>
>>> regards
>>>
>>>
>>>
>>> Matt
>>>
>>>
>>> On Mon, 18 Apr 2011 13:06:34 +0100, Giuseppe Pascale  
>>> <giuseppep@opera.com> wrote:
>>>
>>>> Hi all,
>>>> we have discussed in several places (workshop, this mailing list,  
>>>> etc) how important it is to address privacy and security concerns  
>>>> around  Home Networking Technologies.
>>>>
>>>> In order to trigger some discussion, I started a new document about  
>>>> Security.
>>>> The idea behind this document is to collect all reasonable concerns  
>>>> and a list of possible solutions.
>>>> I don't think is in the scope for this TF to decide on one solution,  
>>>> but I think would be valuable if this group could come up with an  
>>>> analysis and a list of suggestion for a WG to work on.
>>>>
>>>> The document is as usual available on the wiki
>>>>   http://www.w3.org/2011/webtv/wiki/HNTF/Home_Network_TF_Discussions/Security
>>>>
>>>> I'm sure there are more things that can be written, so feel free to  
>>>> comment on it and propose extensions or corrections to it.
>>>>
>>>>
>>>> /g
>>>
>>>
>>
>>
>
>


-- 
Giuseppe Pascale
TV & Connected Devices
Opera Software - Sweden

Received on Monday, 18 April 2011 14:13:28 UTC