IOT: Conveniently Dangerous

The internet is a fantastic tool…arguably one of mankind’s most amazing technology ever created (as of this writing anyway). It has a variety of uses; some use the internet to watch funny cat videos, others make their living off of it. And, in the last couple of decades, it’s become so incredible versatile and available, that billions of people have access to it both on and off earth (well, at least low earth orbit for now). However, with that many people having access to such a wonderful utility, that also opens the doors to “bad actors” who exploit security vulnerabilities and other methods to either gain access to a secure network, inject malware or a virus, or worse yet, encrypt large directories and ransom those sensitive files for a premium. That being said, there are many precautions one can take in order to minimize the risk of said bad actors infecting your network (whether they be bots or actual “hackers”). 

From an enterprise point of view, cybersecurity is a very complex issue with hundreds of variables that would take many, many pages to go into. That’s…not really the focus of this article. Small scale cybersecurity practices that can be done easily within your own home is what I’m here to talk about. IOT, or “Internet of Things” has become a phenomenon across consumer electronics worldwide, due to their ease of use and assumption that “everyone” has access to the internet in their home, and is broadcasting 802.11a/b/n/ac/ax as one of their main sources of connectivity. However, what most fail to realize is that these low cost (or sometimes, free) devices come at a great cost and risk that is not only not advertised, but specifically absent from product descriptions, warnings or other documentation that should be very accessible to the consumer. More and more I see devices that are “opt-out” rather than “opt-in” meaning features get added by default and you have to know to opt-out if it’s something you’d rather not participate in. Large companies like Amazon, Google, Facebook, etc. literally depend on the average consumer not knowing about such an “opt-out” feature. Instead, they depend on someone literally turning the device on, saying “ALEXA” and calling it a day. And, while this isn’t a slant against your average consumer, it’s just unrealistic to say that the average Joe would break out Wireshark and start sniffing packets to find out exactly how many of their devices “call home”.  

So, this brings us to two major issues. First, the issue is cybersecurity. How many external connections do you have going out to the web, constantly phoning home? And, what if one of those companies gets hacked to the point where they gain root access to your home or sends a bug to all associated hardware connecting back to “home base”? While the only easy solution may be “don’t use the internet”, there are much less extreme but still effective ways to minimize said risk. But, before we go into that, let’s talk for a second about the second issue: data privacy. I’m definitely not the first one to say it, but we/you/us are the product. It’s one of the main reasons most services or IOT devices you use today are either free or very low cost. The amount of revenue generated from targeted ads, controversial clickbait (whether factual or completely fictional) is in the trillions of dollars. Yes, trillions with a T. It’s astonishing how large social media, search, and consumer electronics companies are so unregulated in today’s day and age. Mark my words, that won’t last forever.

Anyhow, I’d like to focus on what you DO have some control on, and that’s cybersecurity. 

Source: https://www.ckd3.com/blog/2018/10/15/home-network-segmentation-a-must-in-the-iot-era

Here is a typical home network that many consumers have in their homes. Typically, all that separates you from the dangers of the web is your firewall/router in most cases. Beneath that router lives all of your devices. Cameras, lightbulbs, doorbells, thermostats, robot vacuums…heck, even refrigerators can be IOT devices these days. Everything being connected is “convenient” to the home user, making every day life that much easier. However, this leaves your home network very vulnerable to attackers. Keep in mind that with all devices on one network, if an attacker got in through what was thought of as a “safe” pathway, your entire network could be exposed.  Now, that’s not to say that IOT devices don’t have their place on your home network. And, if you think this is all paranoia, keep in mind that devices that are prevalent in people’s home are a perfect target for hackers, especially because of the number of customers that would be affected. 

So, you might be wondering after all of this…” What the heck am I supposed to do? Throw away all of my IOT devices?”

No. Not necessarily.

One basic concept we’ll very briefly touch on is called “Network Segmentation”. Essentially what you’re doing is taking one WAN connection coming in from your ISP, and “segmenting” it to handle traffic differently, but typically not with other segments. While there are other options for segmenting, one of the most popular options are called Virtual Local Area Networks, or VLANs. Let’s take a very simple example to explain further.

In the above diagram, we had multiple types of devices. Desktop Computers for example, are customizable devices with displays and only flow traffic based on what the user installs, browses to, or allows (typically, depending on what operating system and other software is being used at the time). Also, this may be the main way to access more sensitive equipment such as data servers, network equipment, security, and so on. In a “Zero-Trust” scenario, that computer may not even be able to access such devices, but that’s not the focus for today. The assumption is, you want to access some of those devices remotely, while also not exposing the rest of your network to it. A simple solution to this would be to set up two major VLANs: Admin and “Non-Admin” (or whatever you want to call it…” Bob’s Fun IOT Network” would work too). Then, assign devices like the server equipment, security, network, etc. into the “Admin” network, and everything else on Bob’s Fun IOT Network. Since VLANs are traditionally setup to not talk to each other (unless specifically set up to with rules), they’re already, by definition, isolated. You can go further with your rule set and define what traffic each network is allowed to talk to. Maybe the IOT devices can only talk to the internet and nothing on your home network, especially if they’re voice activated. The solution becomes more and more complex, depending on how you want to architect it, but the overall concept is simple. And, with cheap routers such as PFSense, Unifi Security Gateways, etc., it’s not difficult to set up VLANs and firewall rules. There’s 1000s of guides published to the web for popular gateways and routers on how to do this. And, there’s many more mitigations that can go into place to better protect your home and your data, but this is a good start…. assuming you don’t still lease your modem/router from your ISP. If you’re still doing that, stop. That’s step 1. And if you follow at least the idea behind this advice, you’re already ahead of 95% of all users on the internet. 

Previous Post

Oh, How I miss the LAN Party

Next Post

Is NASA still around?

Related Posts
Total
0
Share