Internet of Things: making your network unsecure

Story: Internet of Things Blows Away CES, and it May Be Hunting for YOU Next
Total Replies: 13
jimbauwens

Jan 13, 2015
9:47 AM EDT
Many devices (smart plugs, etc.) that are currently on the market are extremely insecure. My brother has bought some stuff and after a short while reverse engineering these (Linux-based) devices, I found that many contain easily exploitable flaws that allow you to take full control of the device. The biggest problem is that all of this is possible over HTTP plus there is no XSRF protection - meaning that any website that simply iterates over the most common IP addresses within your internal network can easily get full control over these devices.

The problem is that manufacturers mostly just take old existing router hardware and slap some extra hardware onto the GPIO pins. The software however is still from the last decade and naturally full of holes.

So if you are thinking about buying some smart plugs, be aware that they can crush your network security :)
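The missing cross-site request check described in the post above, as an added example that is neither code from the post nor from any device firmware; the device hosts, port and the `/relay` endpoint are assumptions.

```python
# Added example: a minimal Origin/Referer check that a device's HTTP control
# endpoint could apply so that a state-changing request only succeeds when it
# was issued from the device's own pages, not from an arbitrary site the
# browser happened to load while sitting on the home network.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def origin_allowed(headers, device_hosts):
    """Return True only if the request came from the device's own origin.

    headers: mapping of HTTP header names to values (case-insensitive .get).
    device_hosts: set of host[:port] values under which the device serves its
    UI (constructed for this example).
    Browsers always send Origin on cross-site POST/PUT/DELETE and send Referer
    for same-site navigations, so a request carrying neither is refused rather
    than assumed to be friendly.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return urlsplit(origin).netloc in device_hosts
    referer = headers.get("Referer")
    if referer is not None:
        return urlsplit(referer).netloc in device_hosts
    return False

class PlugHandler(BaseHTTPRequestHandler):
    # Hypothetical smart-plug control endpoint; the host values are assumptions.
    DEVICE_HOSTS = {"192.168.1.50", "192.168.1.50:8080"}

    def do_POST(self):
        # Without the check, any page open in a browser on the LAN could POST
        # to /relay and toggle the plug; with it, cross-site requests get 403.
        if not origin_allowed(self.headers, self.DEVICE_HOSTS):
            self.send_error(403, "cross-site request refused")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"relay toggled\n")

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), PlugHandler).serve_forever()
```

The header check is a defence-in-depth measure; a per-session anti-XSRF token is the stronger primary control, and because the traffic is plain HTTP an on-path attacker could still forge the headers.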
seatex

Jan 13, 2015
11:12 AM EDT
Ah yes. That's why it's being called "the internet of things" without even a mention or nod to security.
rnturn

Jan 13, 2015
11:27 AM EDT
Introducing IoT devices into an environment seems like the following situation: You've got your network secured, the servers hardened, the firewall is keeping out the bad guys. Then someone has the brilliant idea of running a phone line to everyone's desk and giving them a modem. And if you think that's a bad idea then you must be some kind of Luddite.
flufferbeer

Jan 13, 2015
3:56 PM EDT
@seatex,

Seems to me that not only have IoT device manufacturers ignored security, but they also are obliterating PRIVACY! All that juicy information on real-time actions that these Internet-enabled devices gather up on consumer usage is CERTAINLY handed down on a silver platter straight to the Google-like Marketing depts of our planet. And they're doing so BY DEFAULT! (We tinfoil "head platters" would say that all this info also inevitably gets stored and data-mined by the NSA ;)

2c
gus3

Jan 13, 2015
7:48 PM EDT
But let someone release a Morris-worm type attack on the IoT, and there will be nine kinds of h311 to pay.
seatex

Jan 14, 2015
12:10 AM EDT
@flufferbeer

Yes, I agree completely. I don't even bother trying to preach about the privacy thing anymore though. Most people just don't care about the long term implications right now. If I have a client interested in privacy concerns, I am happy to discuss. But, if they don't care - well, they'll be calling me back later on, probably after they no longer have anything left to hide.

I just tell people, "If your PC, server, or device is connected to the internet, nothing on it can be considered secure - even if you employ encryption, firewalls, etc. And neither can anything stored on a cloud server, obviously for the same reasons."

There are things like firewalls, encryption and so forth designed to help protect, but they are simply countermeasures.
penguinist

Jan 14, 2015
12:34 AM EDT
> There are things like firewalls, encryption and so forth designed to help protect, but they are simply countermeasures.

I respectfully disagree. It is still possible to construct systems that are verifiably secure. Open source is a prerequisite, followed by a good measure of intelligent system configuration.
jdixon

Jan 14, 2015
3:34 AM EDT
> It is still possible to construct systems that are verifiably secure.

Sure. A computer which is never turned on and is securely locked away from human contact, for instance. :)
seatex

Jan 14, 2015
11:22 AM EDT
> I respectfully disagree. It is still possible to construct systems that are verifiably secure. Open source is a prerequisite, followed by a good measure of intelligent system configuration.

Can you define "verifiably secure" for me? My experience has been that most systems are only secured against those threats known at the time they are designed. And even then, there are usually holes later discovered in the system (unknown at the time of design). SSL would be one example, for instance.
BernardSwiss

Jan 14, 2015
10:06 PM EDT
Cyberattack Results In Physical Damage To German Steel Mill's Blast Furnace - - https://www.techdirt.com/articles/20150109/09291629651/cyber...

Maybe we should focus on properly securing existing network-connected infrastructure, before extending it into every nook and cranny, under the auspices of ordinary consumers who have no clue what the issues are, let alone how to deal with them?
flufferbeer

Jan 14, 2015
10:55 PM EDT
@BernardSwiss

>> Maybe we should focus on properly securing existing network-connected infrastructure, before extending it into every nook and cranny, under the auspices of ordinary consumers who have no clue what the issues are, let alone how to deal with them?

I agree, and I think just spreading the whole lot of IoT devices out to unwary con$umer$ is just incredibly IdioTic! Seems that recent IoT counteropinions are in line with this. https://twitter.com/symantec/status/555157347371585536/photo... and http://www.cnn.com/2015/01/12/opinion/yang-ces-gadgets/?link...

2more c's
seatex

Jan 15, 2015
12:31 AM EDT
Interesting story along this topic...

BMW sounds alarm over tech companies seeking connected car data

http://www.ft.com/cms/s/0/685fe610-9ba6-11e4-950f-00144feabd...

jimbauwens

Jan 15, 2015
9:02 AM EDT
The idea of IoT is broken, it's insecure to the core. Giving all those devices an internet connection will never be a good solution.

I wonder, is it possible with some Linux router to easily put every IoT device in its own subnetwork? Then use some NAT to link it to your home network. Basically, create a DMZ or whatever it's called and put every device in its own subnet, just that the DMZ is still protected by a NAT with firewall from the internet. The devices can't talk to each other, the devices can't access the home network. But the home network can access the devices.

Ah well, but that would just get crazily complex.
jdixon

Jan 15, 2015
4:58 PM EDT
> I wonder, is it possible with some Linux router to easily put every IoT device in its own subnetwork?

Sure. And you can set up routing so that it's only accessible from within your network. Then set up OpenVPN so you can access your network from outside. All readily doable with open source tools.
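The per-device subnet layout proposed two posts up, with the "only reachable from within your network" routing jdixon describes, as an added example that is not code from either poster; it generates an nftables ruleset, and the interface names and prefixes are assumptions.

```python
# Added example (not from the thread): emit an nftables ruleset for the layout
# proposed above: each IoT device on its own interface and subnet, the home LAN
# may open connections to the devices, the devices may reach the internet via
# NAT but may not reach the home LAN or each other. Interface names and
# prefixes are assumptions; apply the output with `nft -f`.
import ipaddress

HOME_IF, HOME_NET = "lan0", "192.168.1.0/24"            # assumed home LAN
WAN_IF = "wan0"                                          # assumed uplink
IOT = {"iot0": "10.10.0.0/30", "iot1": "10.10.0.4/30"}   # one /30 per device

def iot_ruleset(home_if=HOME_IF, home_net=HOME_NET, wan_if=WAN_IF, iot=IOT):
    """Return the ruleset as a list of lines. Isolation relies on each device
    having its own interface or VLAN: the forward chain only sees traffic that
    must cross the router, so two devices on one L2 segment could talk directly."""
    for net in (home_net, *iot.values()):
        ipaddress.ip_network(net)            # fail early on a malformed prefix
    iot_set = "{ " + ", ".join(sorted(iot)) + " }"
    return [
        "table inet iotfw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        # replies to connections the rules below permitted are allowed back
        "    ct state established,related accept",
        f"    iifname {home_if} oifname {iot_set} accept",    # home -> device
        f"    iifname {iot_set} oifname {wan_if} accept",     # device -> internet
        # device -> home and device -> device match nothing and hit the drop policy
        "  }",
        "}",
        "table ip iotnat {",
        "  chain postrouting {",
        "    type nat hook postrouting priority 100;",
        f"    oifname {wan_if} masquerade",
        "  }",
        "}",
    ]

def forward_allowed(src_if, dst_if, established=False,
                    home_if=HOME_IF, wan_if=WAN_IF, iot=IOT):
    """Policy matrix the ruleset encodes, checkable without a kernel."""
    if established:
        return True
    if src_if == home_if and dst_if in iot:
        return True
    return src_if in iot and dst_if == wan_if
```

Remote access from outside then goes through a VPN endpoint on the router into the home LAN, as jdixon suggests, rather than through any port-forward to a device.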
