• Dangers of Home "Smart" Devices

    #92844

    One of the current dangers out there with all of the “smart” devices in your home is that they can be taken over by hackers, usually very easily. The problem is, most of these “smart” devices have very poor security built in; that’s why it is easy for hackers to take control of them.

    http://www.pcworld.com/article/3118763/security/hackers-found-47-new-vulnerabilities-in-23-iot-devices-at-def-con.html

    http://ns.umich.edu/new/multimedia/videos/23748-hacking-into-homes-smart-home-security-flaws-found-in-popular-system

    Once that happens, your “smart” devices have become “bots”, part of a “botnet”, available to the hacker for launching attacks.

    The hacker then waits till someone pays him to launch a DoS (Denial of Service) attack against someone; he will then instruct his “botnet” to start sending traffic to the target of his attack. So much traffic will go to the target that it will overwhelm his network and shut him down.

    Thousands of different “smart” devices could be part of the “botnet”, so it will be next to impossible to determine where the attack is originating from.

    There is also the danger that a hacker could use your “smart” devices to spy on you, or install ransomware on them, making you pay to regain control of your device.

    Do you really need “smart” light bulbs, “smart” electrical outlets, a “smart” refrigerator, a “smart” door lock, or a “smart” thermostat? The only real benefit to having these “smart” devices is that you gain some convenience in your life. But at what cost?

    Group "L" (Linux Mint)
    with Windows 8.1 running in a VM
    4 users thanked author for this post.
    • #92903

      Some other negatives with “smart” home devices:

      * They complicate your life. In order to adjust your “smart” thermostat, you’ll need to connect it to your home network, run the app on your smart phone, and adjust it. Why not just walk over to the thermostat and adjust it?

      * Someone could pick your lock and walk right into your house, if they hack your “smart” door lock.

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
      2 users thanked author for this post.
    • #93088

      Why bother with the Internet of Things at all? There is no need for any of these ‘smart’ devices. It is just a marketing exercise to sell stuff to people who don’t need it. The IoT for homes is a solution to a problem that doesn’t exist. It may have some uses in large commercial premises to (for example) reduce energy consumption, but all the devices will have to be much more hack-proof than they appear to be at present. The IoT will probably cause more problems than it solves.

      4 users thanked author for this post.
    • #93242

      Some other negatives with “smart” home devices:

      * They complicate your life. In order to adjust your “smart” thermostat, you’ll need to connect it to your home network, run the app on your smart phone, and adjust it. Why not just walk over to the thermostat and adjust it?

      * Someone could pick your lock and walk right into your house, if they hack your “smart” door lock.

      The idea of “walking over and adjusting it” is nice…if you are home.

      The reason many people want a smart thermostat is because they aren’t home. So if they’re getting home an hour earlier than usual, they can turn it up. Or if it’s summer, and the temperature soars unexpectedly, they can turn on the AC so their pets don’t go into heat exhaustion mode. These are the kinds of reasons I have a (basic) smart thermostat. Mine isn’t the level of a Nest or an Ecobee, but it does let me do a few basic things remotely.

      Of course, I also have a business-level firewall at home, and am hoping to put devices like this on a VLAN to prevent them from talking with my regular network. But I know that’s not always feasible for the average user. What really needs to happen is that IoT vendors need to start with security as the baseline for their products.

      1). Not allowing a blank or default password; forcing a change the first time the system is set up through the actual setup process.
      2). Ensuring logins to the device use encrypted standards (these days, TLS 1.1/1.2) so that nothing is sent in clear text.
      3). Enforcing strong passwords (and then just providing the user with a note card in the box to write it down to store somewhere, and/or a way of recovery that isn’t insecure).
      4). Regular audits of code by either QA or a third-party contractor under NDA to ensure their devices can’t be hacked trivially.

      We are SysAdmins.
      We walk in the wiring closets no others will enter.
      We stand on the bridge, and no malware may pass.
      We engage in support, we do not retreat.
      We live for the LAN.
      We die for the LAN.

      2 users thanked author for this post.
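Points 1 and 3 of the list in the post above, sketched as a first-time setup flow. This is an added example, not part of the original post and not any vendor's code; the `Device` class, the default-password list and the length and character-class thresholds are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of factory defaults; a vendor's real list would be longer.
FACTORY_DEFAULTS = {"", "admin", "password", "1234", "12345", "default", "root"}
MIN_LENGTH = 12          # assumed policy value
PBKDF2_ROUNDS = 200_000  # assumed work factor


def password_problems(candidate, username="admin"):
    """Return the reasons a setup password is rejected (empty list = accepted)."""
    problems = []
    lowered = candidate.lower()
    if lowered in FACTORY_DEFAULTS or lowered == username.lower():
        problems.append("blank, factory default, or same as username")
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = [any(c.islower() for c in candidate),
               any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate),
               any(not c.isalnum() for c in candidate)]
    if sum(classes) < 3:
        problems.append("fewer than 3 character classes")
    return problems


class Device:
    """Hypothetical device: no remote login exists until setup has succeeded."""

    def __init__(self):
        self.salt = self.pw_hash = None  # ships with no usable credential

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def complete_setup(self, new_password):
        problems = password_problems(new_password)
        if not problems:  # only an accepted password ends setup mode
            self.salt = os.urandom(16)
            self.pw_hash = self._derive(new_password)
        return problems

    def login(self, password):
        if self.pw_hash is None:  # still in setup mode: nothing to log in to
            return False
        return hmac.compare_digest(self._derive(password), self.pw_hash)
```

The device stores only a salted PBKDF2 hash, and a rejected setup attempt leaves it in setup mode rather than falling back to a default credential.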
      • #93253

        LoneWolf:

        You make some good points.

        As you said, they MUST do better with security on these devices. But from what I’ve read, the rush to get them to market works against taking the time to make sure that they have good security features.

        Jim

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
        3 users thanked author for this post.
    • #111364

      A new article on zdnet.com today, discussing passwords and security on IoT.

      No wonder there has been an endemic of cyberattackers hijacking Internet of Things (IoT) devices when default passwords are this poor and users aren’t bothering to change them — or worse, don’t have the option to.

       
      With the increase of botnets such as Hajime and Mirai, and malware like BrickerBot, now is not the time for complacency or default passwords!

       
      Good reading from zdnet.com on IoT security, in addition to today’s link above:

      Hajime:
      http://www.zdnet.com/article/a-mysterious-botnet-has-hijacked-thousands-of-devices/ (April 26, 2017)
      BrickerBot:
      http://www.zdnet.com/article/homeland-security-warns-of-brickerbot-malware-that-destroys-unsecured-internet-connected-devices/ (April 19, 2017)
      Mirai:
      http://www.zdnet.com/article/mirai-botnet-attack-hits-thousands-of-home-routers-throwing-users-offline/ (November 29, 2016)

      • #112743

        With the increase of botnets such as Hajime and Mirai, and malware like BrickerBot, now is not the time for complacency or default passwords!

        Kirsty, it’s so bad with these devices that I would say that “now is not the time for IoT devices.”

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
        3 users thanked author for this post.
        • #112765

          Best advice yet!!!

          Unfortunately, I believe the ‘convenience’ will slowly addict the users and there they go. I am not a ‘tin-foiler’ but not building doors is more effective than locking them.

          I am becoming a true believer in that which is connected, can be hacked. Maybe not by the local tech fan or prankster, but there is always someone better financed, with an ulterior motive, to make it worth their while. Why give them a new tool?

          I never gave network access to my smart TV for that reason. It can access the net only, but has never been given access to the network group or any PC or device.

          1 user thanked author for this post.
        • #112801

          @MrJimPhelps
          I came across something that pricked up the ol’ ears… It will be interesting to see its impact (launched Feb. 20, 2017):

           
          KasperskyOS (11-11)
          https://eugene.kaspersky.com/2017/02/20/qa-on-11-11/

          “We’ve officially launched a secure operating system for network devices, industrial control systems, and the IoT.

          What matters most for Linux, Windows, macOS and the like is compatibility and universality. The developers do their utmost to popularize their solutions by oversimplifying app development and toolsets. But when it comes to our target audiences (hardware developers, SCADA systems, IoT, etc.), this approach is a no-go: What matters most here is security.”

           
          Might be worth adding to your reading list?

          • #112815

            The danger with IoT has always been that these devices connected directly to your network (router), but they had little to no security. This enabled hackers to get onto your network with ease.

            What has been needed has been a secure gateway for these devices to connect through. If the CloudFlare or Kaspersky systems do what they say they do, then this should secure you from all but the most highly-skilled hackers.

            I’m guessing that you’ll need a separate computer for the Kaspersky or CloudFlare OS, and that the IoT devices will then connect through that computer.

            Even with all that, I still don’t want to have an “online” house. My home is my refuge, my place to disconnect and to be with my family. Sorry, no internet house for me.

            Group "L" (Linux Mint)
            with Windows 8.1 running in a VM
            3 users thanked author for this post.
        • #112803

          Cloudflare Orbit is now available for IoT manufacturers to deploy security – it will be interesting to see how long until protection like this becomes commonplace, if not demanded by customers:

           
          I*oT protection by Cloudflare
          https://www.cloudflare.com/orbit/

          Technology is changing — shifting towards a world where low cost, connected chips power products used by billions of people around the world. Everything from jet turbines and oil rigs, to cars, cameras, and clothing are coming online. And while these tiny chips unlock incredible potential, they are a liability if not secure.

          When PC vulnerabilities are discovered, software vendors issue a patch, which end users are required to download and install. These patches keep PC software up-to-date and secure. IoT devices also require patches, but the PC security model can’t scale to 22 billion devices; IoT manufacturers often haven’t built over-the-air (OTA) update mechanisms and are terrified that updates will brick a user’s device. In the meantime, consumers never think about having to upgrade their internet-connected “toaster.”

          Cloudflare Orbit solves this problem at the network level by creating a secure and authenticated connection between an IoT device and its origin server. Orbit takes the Internet out of IoT: Behind Orbit, devices are I*oT.

          Orbit allows device manufacturers to instantly deploy “virtual patches” and block vulnerabilities across all devices on the network simultaneously. This keeps malicious requests from reaching devices, buys time for IoT manufacturers to carefully QA their updates, and keeps devices from leaking data or launching DDoS attacks…

           
          Read the rest here

          1 user thanked author for this post.
    • #116072

      The Looming Threat of Health Care IoT Devices
      May 15, 2017 | By Michael Ash

       
      Are Health Care IoT Devices Secure?
      …a complete inventory of all IoT devices must become part of an overarching security risk assessment. You cannot manage or control what you don’t know exists. Only an assessment can yield this kind of information, with details on each device.

      As more IoT devices enter the hospital, they need be systematically cataloged and incorporated into the broader security-focused inventory. As part of the risk assessment, consider conducting penetration tests of IoT devices — the results of which can serve as proof points for gaining support for security measures.

      For practical purposes, there is no holding back the flood of IoT devices, both authorized and otherwise. The best security strategy is to get out front of this wave with practices and governance designed to secure what is already in place as well as what’s coming.

       
      Read the full article, and access podcast series on IoT Security on securityintelligence.com

      • #116181

        In hospitals, there are two kinds of IoT devices: those purchased by the hospital for patient care, and those increasingly brought into the workplace as convenience devices. Both types are often linked directly to the hospital’s Wi-Fi, which is often part of a flat network topology connecting all the hospital’s digital devices. It is entirely possible for cybercriminals to gain access to that network via the less secure convenience devices.

        The “looming threat” is that the hospital allows people to bring their own devices and connect them to the corporate wifi. If they do that, they are vulnerable to attack — no question — and it will be difficult to defend against these attacks.

        They could very easily stop this “threat” by not allowing ANY devices to get onto the network in any way, unless they are first checked by the IT dept and then whitelisted. With the sensitive information that hospitals deal with on a daily basis, they cannot afford to allow these vulnerabilities into their network.

        Another way would be to implement a system like Cisco ISE, which, when set up correctly, totally locks down everything on the network, allowing only legitimate devices to have access. But Cisco ISE is very expensive.

        As the author stated, if you must allow non-verified devices onto the network, you could set up a totally separate network, unconnected to the hospital’s working network, to allow people to get onto the internet with their iPhone or personal laptop. But that’s a lot of money to be spending just to appease employees who are demanding to be able to use their own personal devices on the company network.

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
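The inventory and whitelisting idea discussed in the two posts above, as a small audit that compares devices holding a DHCP lease with an IT-approved list. This is an added example, not from the original posts or the quoted article; the inventory, the lease lines (laid out like a dnsmasq lease file: expiry, MAC, IP, hostname, client-id) and the function name are constructed for illustration.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample: devices checked and approved by IT (MAC -> description).
APPROVED = {
    "00:11:22:33:44:55": "infusion pump, ward 3",
    "00:11:22:33:44:66": "nurse station PC",
    "00:11:22:33:44:77": "patient monitor, ward 3",
}

# Constructed sample lease file.
LEASES = """\
1495600000 00:11:22:33:44:55 10.0.3.21 pump-w3 *
1495600100 00:11:22:33:44:66 10.0.3.40 ns-pc-1 01:00:11:22:33:44:66
1495600200 AA:BB:CC:DD:EE:01 10.0.3.77 smart-speaker *
garbled line
"""


def audit_leases(leases_text, approved):
    """Compare devices seen on the network with the approved inventory.

    Returns (unapproved, unseen, unparsable):
      unapproved - (mac, ip, hostname) holding a lease but not in the inventory
      unseen     - inventory MACs with no current lease
      unparsable - lines that are not valid lease records
    """
    approved_macs = {mac.lower() for mac in approved}
    seen, unapproved, unparsable = set(), [], []
    for line in leases_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 4 or not MAC_RE.match(fields[1].lower()):
            unparsable.append(line)  # keep for review instead of dropping silently
            continue
        mac, ip, host = fields[1].lower(), fields[2], fields[3]
        seen.add(mac)
        if mac not in approved_macs:
            unapproved.append((mac, ip, host))
    return unapproved, sorted(approved_macs - seen), unparsable
```

A MAC address can be changed by the device's owner, so a report like this supports the inventory but does not authenticate devices; that is the job of port-level access control of the kind the post mentions.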
    • #117838

      EU chipmakers propose IoT cybersecurity baseline ahead of new regulations

      Liam Tung (CSO Online) | 23 May, 2017

       
      European semiconductor makers have agreed on a proposal to standardize Internet of Things (IoT) cybersecurity.

      Infineon, Qualcomm-owned NXP, STMicroelectronics, and the EU Agency for Network and Information Security (ENISA) have released a joint proposal to introduce baseline cybersecurity for connected things.

      The semiconductor makers agreed that a European scheme for IoT security certification and labelling should be evaluated by the European Commission (EC).

      The EC should also encourage the development of “mandatory staged requirements” for IoT security and privacy through new European legislation, the organizations said in a position paper aimed at policy makers as Europe prepares to introduce new IoT cybersecurity laws.

      The paper outlines support for the proposed “Trusted IoT” cybersecurity labelling system, akin to Europe’s CE labeling for products sold in the EU. It also supports the introduction of minimum security requirements and standardized security processes and services.

      They also want an incentive system to reward IoT device makers that improve cybersecurity and a framework to correct the “market failure” in IoT cybersecurity and privacy reflected by the unwillingness of suppliers and buyers to pay extra for security.

       
      Read the full article here
