The IoT revolution is here, and the bad news is that the companies that are here to make a quick buck, aren’t doing it with good security for your home, or business.
For example - a smart fish tank in a casino was the vector that those who would invade the casino’s network. I’d bet that all of their servers and workstations were running all sorts of end point security, antivirus software, maybe even some HIDS. But the computer that run their fish tank? Open as a rusty screen door with a broken latch.
IoT is everything that you own that is connected to the Internet that isn’t a, shall we say, proper computer.
I’ve got a Wink (recently acquired by i.am+) hub that runs five lighting fixtures in my house. The bulbs are GE Link bulbs and they run the Zigbee protocol. The probability that those bulbs are the weak spot in my home network is pretty low. Their range is limited and their computing power is limited and, most importantly, they don’t know how to talk to anything else other than the Wink hub.
The Wink hub, on the other hand, is probably one of the weakest parts of my home network. The good people at Wink have made a product that seems to be pretty solid. I’ve not been able to find anyone who wrote up a critique of the security of the hub that makes me particularly nervous. However, IoT devices have a nasty reputation for being insecure.
Take for example, one of the several stories that have made it out of strangers who have taken control of a baby monitor. From the SF Globe, Stranger hacks family’s baby monitor and talks to child at night. The first paragraph from the article:
A family living in Washington is speaking out about the horrors they experienced while operating a baby monitor inside their 3-year-old son’s bedroom. The couple Jay and Sarah were alarmed to discover that a stranger had hacked into their baby monitor and was spying on their toddler, sometimes speaking disturbing messages into the device, as CBS News describes.
The likely technical problem with the paragraph is, perhaps, a philosophical one. If I leave my front door completely open and leave the house, if someone comes in, does that constitute breaking and entering?
What happened with this baby monitor is probably the same thing. Whoever the creep on the other side of the camera was, probably utilized a IoT search engine like Shodan, ran a filter for models of cameras that he had the default admin password for, and found this one. In this case, the baby monitor may have had been designed with terrific security, but if the owner of the camera never bothered to change the default credentials - bingo bango, got a weird-o talking to your kid at night.
Again, I’ve not heard a single bad word about the Wink hubs, but it’s the most concerning part of my home network. Using my Netgear R7000 flashed with the Tomato by shibby firmware, I partitioned off that Wink hub from the rest of my network. And it was done easily with these three things:
- Setting up a dedicated wifi network for the Wink hub. I did this by changing the 2.4Ghz channel to be specifically for the hub, as it’s the only device that I own that requires to be on 2.4Ghz instead of 5Ghz. The firmware will let a person do virtual wireless networks, but I went this route since I don’t need anything else on 2.4Ghz.
- Setting up a dedicated gateway for that wireless network.
- Put that gateway and that wireless network on their own VLAN.
Previously, I had the hub on a older wireless base station, but it put out an extra wireless signal, and managing two access points seemed to be too much of a headache instead of consolidating into one. My next step is to investigate how to go about whitelisting the new VLAN for the hub so that it can only talk to it’s mothership with the people at Wink and nowhere else.