Protecting Your Smart Home
The Internet of Things can make life more convenient – it can also make it more dangerous…
I recently invested in a couple of ‘smart’ WiFi plug sockets to allow me to turn various pieces of audio gear on and off from the comfort of my own phone. Needless to say, these were made in China, and the idea of connecting these things to my WiFi network gave me a few little shivers down my spine – these things can pose some sort of risk, as can all these Internet of Things (IoT) devices.
It is possible that these devices (and other such gadgets) have a little back door, and will phone home, giving all sorts of useful information about the home network and all devices attached to it, which can be used and abused by threat actors who can then take over some of the devices for their own purposes. Even if no back door has been built in, such devices use a relatively primitive operating system, which could easily be modified to allow them to act as digital spies, logging information sent to and from the computers and smartphones sharing the network with these smart sockets.
John Douglas, Technical Director of First Response, comments that security updates to such devices “are few and far between, and that IoT devices such as these present an easy target to attackers”.
How to secure IoT devices (one way)
However, a little thought, and a look through my router’s Web interface provided me with a few ideas to implement security. My router is a rebadged Arris VMDG505 / TG2492LG-VM (Virgin SuperHub 3) and there are several options available to stop the villains in their tracks. Most routers will have similar facilities, and it is worth exploring to see what is available.
Setting up the devices was a bit of a pain – the 2.4GHz and 5GHz WLANs on the router use the same SSID, and I had to rename the 2.4GHz one to force the phone and sockets onto the same network in order to start the setup process. I also had to send the WiFi password to the devices – possibly in the clear, rather than using a WPS setup. Not that great, really. I also had to set up an account with the maker to allow timer settings – with a strong, unique password, of course. But now for the security.
I had disabled external access to my router’s settings (and enabled its firewall). What I needed to do in addition was to block access from the outside to these new devices, and prevent them from talking to the outside world and providing information about the network.
The first job was to configure the DHCP (IP address allocation mechanism) so that the sockets always had the same IP address when they connect to the network – as determined by their MAC (hardware) addresses. I couldn’t do this without the MAC addresses (undocumented by the maker, but easily obtained from the list of connected devices obtainable from the router once this connection had been made). I could also have used Nmap – a great free network diagnostics tool. Having done that, I set the router to block all transmissions from those IP addresses to all destinations outside the LAN on all ports.
Next, I used the MAC filtering capability to disable all input to those devices from the Internet. However, this means that the timer functions from the smartphone app won’t work, since the signals to switch power on and off are sent from a central server, whose parameters are set up from the app.
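The three steps above (pin each socket to a fixed address via its MAC, drop everything it sends outside the LAN, and drop everything the Internet sends to it) amount to a small per-device policy. The following is an added example, not the router's firmware or anything from the socket maker: it models that policy in Python, emits the equivalent dnsmasq static leases and nftables forward rules for a Linux-based router, and goes one step beyond the post by allowing a device to reach a single named vendor host (the kind of exception a thermostat bridge that only "phones home" to its maker would need). The device names, MAC addresses, the 192.168.0.0/24 LAN and the 203.0.113.10 vendor address are all constructed placeholders.

```python
"""Per-device lockdown policy: DHCP reservation by MAC, then LAN-only
egress and no Internet ingress.  Added illustration; device names, MACs
and addresses below are constructed, not taken from any real product."""
import ipaddress
from dataclasses import dataclass, field

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed home LAN


@dataclass
class IoTDevice:
    name: str
    mac: str                   # hardware address read from the router's client list
    ip: str                    # address the DHCP server will always hand this MAC
    # Hosts outside the LAN this device may still reach; empty means LAN only.
    allowed_remote: set = field(default_factory=set)


# Constructed inventory: two smart plugs kept LAN-only, and a heating bridge
# allowed to reach exactly one vendor host (203.0.113.10 is a TEST-NET placeholder).
INVENTORY = [
    IoTDevice("smart-plug-1", "aa:bb:cc:00:00:01", "192.168.0.50"),
    IoTDevice("smart-plug-2", "aa:bb:cc:00:00:02", "192.168.0.51"),
    IoTDevice("heating-bridge", "aa:bb:cc:00:00:03", "192.168.0.60",
              allowed_remote={"203.0.113.10"}),
]


def dhcp_reservations(devices):
    """dnsmasq-style static leases (MAC -> fixed IP), so the address-based
    firewall rules below stay valid every time the device reconnects."""
    return [f"dhcp-host={d.mac},{d.ip},{d.name}" for d in devices]


def egress_allowed(device, dst_ip):
    """Outbound decision: LAN destinations are fine; anything beyond the LAN
    must be on the device's explicit allow list."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in LAN:
        return True
    return str(dst) in device.allowed_remote


def ingress_allowed(device, src_ip):
    """Inbound decision: only other LAN hosts may open connections to the
    device; nothing arriving from the Internet side is forwarded to it."""
    return ipaddress.ip_address(src_ip) in LAN


def nftables_rules(devices):
    """Equivalent forward-chain rules for a Linux router.  The per-device
    accept lines must precede that device's drop lines, as emitted here."""
    rules = []
    for d in devices:
        for remote in sorted(d.allowed_remote):
            rules.append(f"ip saddr {d.ip} ip daddr {remote} accept")
        rules.append(f"ip saddr {d.ip} ip daddr != {LAN} drop")   # no phoning home
        rules.append(f"ip daddr {d.ip} ip saddr != {LAN} drop")   # no Internet ingress
    return rules


def lookup(name):
    """Fetch a device from the inventory by name."""
    return next(d for d in INVENTORY if d.name == name)


if __name__ == "__main__":
    print("\n".join(dhcp_reservations(INVENTORY)))
    print("\n".join(nftables_rules(INVENTORY)))
    print("plug -> 8.8.8.8 allowed:", egress_allowed(lookup("smart-plug-1"), "8.8.8.8"))
```

The same decision functions are what you would expect the router's own rule set to implement: with the plug sockets LAN-only, the vendor's cloud timer cannot reach them, which is exactly the trade-off described above.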
Scanning the ports of these gadgets using nmap(1), I now find that the only port open from another device on the LAN is the IRC port (6688). The devices are now at least partially locked down, and though my network may not be 100 percent hack-proof, I feel I have taken some precautions which will at least discourage casual interest.
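A port scan like the one above is most useful when it is repeated and compared against what each locked-down device is supposed to expose. The following is an added example, not part of the original post: it parses nmap's grepable (`-oG`) output and reports any host whose open ports differ from an expected set. The scan text is constructed in that layout rather than captured from a real socket (the second host is deliberately given an extra open port so the check has something to flag), and the expected-ports table is a placeholder.

```python
"""Compare an nmap -oG scan against the ports each device should expose.
Added example; SAMPLE_SCAN is constructed in grepable layout, not real output."""
import re

# Constructed -oG output for two plug sockets.  Real output would come from
# something like:  nmap -oG - 192.168.0.50-51   (fields are tab separated).
SAMPLE_SCAN = """# Nmap 7.80 scan initiated (constructed sample)
Host: 192.168.0.50 ()\tStatus: Up
Host: 192.168.0.50 ()\tPorts: 6688/open/tcp////\tIgnored State: closed (999)
Host: 192.168.0.51 ()\tStatus: Up
Host: 192.168.0.51 ()\tPorts: 6688/open/tcp////, 23/open/tcp//telnet///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Placeholder baseline: after lockdown each socket should show only its control port.
EXPECTED_OPEN = {
    "192.168.0.50": {(6688, "tcp")},
    "192.168.0.51": {(6688, "tcp")},
}

# Each -oG port entry is port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {host: {(port, proto), ...}} for ports nmap reported as open."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for part in line.split("\t"):
            key, _, value = part.partition(": ")
            fields[key] = value
        host = fields["Host"].split()[0]           # drop the "(hostname)" suffix
        open_ports.setdefault(host, set())
        for port, state, proto in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":
                open_ports[host].add((int(port), proto))
    return open_ports


def audit(scan_text, expected):
    """Return {host: {"unexpected": ..., "missing": ...}} for hosts that deviate
    from the baseline; an empty dict means every device looks as intended."""
    findings = {}
    seen = parse_grepable(scan_text)
    for host, want in expected.items():
        got = seen.get(host, set())
        if got != want:
            findings[host] = {"unexpected": got - want, "missing": want - got}
    return findings


if __name__ == "__main__":
    for host, diff in audit(SAMPLE_SCAN, EXPECTED_OPEN).items():
        print(host, "unexpected:", sorted(diff["unexpected"]), "missing:", sorted(diff["missing"]))
```

Run it from a cron job against the reserved addresses and you get a simple drift check: a newly open port on a gadget, or the expected one vanishing, is worth a look before it becomes a problem.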
More smart gadgets
I have also installed a smart thermostat system which allows us to control our heating system remotely through the internet (the other week, I turned on my central heating from Dubai airport, meaning that we came back to a warm house, rather than a refrigerator!). The bridge is wired into my router, and can only ‘phone home’ to its maker. The wireless thermostats in the house communicate with the bridge via a completely different network, and are invisible to most network tools.
More recently, I acquired a smart TV – and this device is really smart. All kinds of streaming services, and a Web browser. I installed it using a wired Ethernet connection to the hub, so that any information regarding Netflix passwords or authentication can’t be picked up by a wireless packet sniffer, but there is still a possibility that it could be accessed from outside in such a way that could reprogram it to sniff around the home LAN and pick up useful information.
Accordingly, I used the same process as for the smart sockets above to tie an IP address to the TV’s MAC hardware, and then placed that IP address in the router’s DMZ (demilitarized zone), which should now protect the rest of the network from unwelcome attentions paid to the TV by the bad guys.
My home network now includes a few bits and pieces which are not strictly computers or IT devices, such as printers, and I feel that I am relatively secure with regard to them. I know what’s there, and I know what vulnerabilities might be associated with them. However, in an enterprise, there may be many such devices which have been added to the network, some of which have slipped in without the knowledge of the IT department.
Call First Response to help you conduct a security audit of your enterprise, highlight the points where you might be at risk, and assist you in blocking the entry points that might allow malware into your system, and/or prove to be the gateway out of which your confidential information flows.