Friday, October 4, 2019

IOT Security is in a Frightful State

An IOT front porch light
If you read my previous post on Philips IOT (Internet of Things) light bulbs, you already know most manufacturers put little thought into IOT device security.

Traditional devices now come in IOT versions.  These include the obvious ones like security cameras, routers and thermostats, as well as the less obvious ones like TVs, baby monitors, light switches and bulbs, weather stations, and doorbells.  This is not to mention industrial control devices for water and power utilities.

Each of these is a vulnerability exposure that a malicious hacker can use to attack you.  If these devices get compromised, it can open you up to identity theft, or worse.

Examples of these vulnerabilities include the VPNFilter router worm.  This was a remote exploit affecting major brands of wifi routers from companies like Linksys, Netgear, D-Link and TP-Link.  The exploit allowed hackers to monitor your internet traffic for things like banking passwords.  It was sophisticated enough to survive a device restart, and could only be stopped by a manufacturer-supplied firmware update.

Many device manufacturers are slow to issue fixes for vulnerabilities, if they do at all.  TP-Link's series of "Kasa" wireless power switches shipped with weak encryption that was quickly broken.  Using a simple hack, someone could turn your lights, coffee maker, or refrigerator on/off if these were plugged in to the HS100.

The poor security of these devices can sometimes make them more useful to us.  A light switch that doesn't require a phone app to operate is more useful for a DIY home automation enthusiast.  The trick is to use devices in a safe manner where the device's built-in security (or lack thereof) is not relied upon.  I will list several ways to protect your home network from these devices while still enabling their use.
  1. Block the device from talking to the internet.  Using MAC-based firewall rules it is possible to block a device from reaching out to the larger internet.  Some devices nefariously "phone home," sending your data off to some overly-curious entity on the internet.  If the device is filtered, it can't do this.  Research iptables for more information on how to block device internet access.
  2. Put all IOT devices on their own VLAN.  A VLAN is like a virtual network inside your physical network.  Devices connecting to a VLAN cannot see or talk to other devices on your network unless you allow it.  It is possible to put IOT devices on a VLAN such that the device can only talk to or see one other host. 

    An example would be a weather station that can only communicate with a web server on your network where you view the weather data.  By restricting which hosts a device can talk to, you reduce your threat exposure.  Research VLANs and trunk networks for more information.
  3. Favor open-source, open-firmware devices.  Open source allows thousands of people to scrutinize the code running on a manufacturer's device.  This increases the odds of detecting vulnerabilities, and of getting them fixed in a timely manner.  The flip-side, security by obscurity, has been proven to be less secure.
  4. Research a company's CVE list before buying a product.  The CVE list shows the vulnerabilities identified in a manufacturer's products.  Lots of CVEs isn't necessarily bad as long as the manufacturer has quickly supplied security fixes.  Avoid manufacturers with lots of CVEs and very few fixes issued.  Research CVEs here.
  5. Finally, learning to use basic networking tools will help you find problems others haven't found.  An example is the program tcpdump, which I used in a previous post to find problems with an IOT device.  These tools are advanced, but can be learned if you're willing to put in the time.
This is not a complete list of ways to secure your network, by any means.  Taking these initial steps will help increase your protection against many of the most common IOT security exploits.
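
The MAC-based blocking from item 1, as an added example that is not from the original post: a shell script that prints (but does not apply) iptables rules dropping traffic from listed devices before it is forwarded to the internet. The interface name `eth0`, the MAC addresses and the labels are constructed assumptions.

```shell
#!/bin/sh
# Added example: print iptables rules that keep listed IoT devices off the
# internet. Rules are printed for review, not applied.
WAN_IF="${WAN_IF:-eth0}"   # assumption: router's internet-facing interface

# Succeed only if $1 is six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print a rule dropping traffic from MAC $1 that would be forwarded out
# the WAN interface; LAN-local traffic never matches. Fails on a bad MAC.
block_rule() {
    if ! is_mac "$1"; then
        echo "skipping invalid MAC: $1" >&2
        return 1
    fi
    mac_uc=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    printf 'iptables -I FORWARD -o %s -m mac --mac-source %s -j DROP\n' \
        "$WAN_IF" "$mac_uc"
}

# Read "MAC label" lines on stdin; skip blanks and # comments.
build_rules() {
    while read -r mac label; do
        case "$mac" in ''|'#'*) continue ;; esac
        rule=$(block_rule "$mac") || continue
        printf '# %s\n%s\n' "${label:-unlabelled}" "$rule"
    done
    return 0
}

# Constructed inventory (locally administered MACs, made-up labels).
build_rules <<'EOF'
# MAC               label
02:00:00:aa:bb:01   porch-light
02:00:00:aa:bb:02   weather-station
02:00:00:aa:bb      typo-entry
EOF
```

Run it on the Linux router that forwards the devices' traffic, and pipe the reviewed output to `sh` as root to apply it. A device that changes its MAC address slips past a MAC match, so this complements the VLAN isolation in item 2 rather than replacing it.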
