Re: Security issues with "smart devices" like outlets, toasters, and so forth

trj · ‎2017-01-04

Hello,

I understand that a common hack attack is to remotely gain access to a simple "smart device" in the home like a smart outlet, then use a standard brute force guessing attack to become the admin on the router.

I'd like to add smart outlets to my home. Is there a product or a procedure to safely use them?

Thanks in advance.

Best,

-Terry Jones

StephenB · ‎2017-01-04

One simple tip is to set up the guest network in your router (making sure network isolation is set). Connecting devices to the guest network allows them to connect to the cloud services they use, but they can't access other devices on your network.

That's not enough though - it limits the data leakage from your home, but devices can still be hacked to launch denial-of-service attacks on others, and of course there's a risk that any sensor data they might have can be read by a bad guy.

The usual rules about promply applying security updates, and immediately changing default credentials on the devices certainly apply.

There are some other tips here: http://www.networkworld.com/article/3085607/internet-of-things/8-tips-to-secure-those-iot-devices.ht...

michaelkenward · ‎2017-01-05

@StephenB wrote:
The usual rules about promply applying security updates, and immediately changing default credentials on the devices certainly apply.

That is sound advice.A bit of further explanation may show why.

The fuss that might have led to your concern came about because one hardware maker shipped devices that had simple usernames and passwords "hard wired" into them, leaving the user no chance of making this simple precautionary move. (Netgear has similarly trivial security on shipped devices, but you can change the password if not the username.)

The maker had to recall everything and change its security strategy.

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V

StephenB · ‎2017-01-05

I've heard that some IoT devices have been hacked within 3 minutes of installation (in an IoT security presentation). So the "immediately" phrase above was very intentional.

If you want to be very cautious you could block internet services in the router before you connect them to the WiFi network with all internet services blocked. Then change the credentials, and re-enable services.

Also, if they don't use cloud services you could block their internet access in the router.

michaelkenward · ‎2017-01-05

@StephenB wrote:
I've heard that some IoT devices have been hacked within 3 minutes of installation (in an IoT security presentation). So the "immediately" phrase above was very intentional.

Indeed, do it before you put the device on line.

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V

michaelkenward · ‎2017-01-06

An industry wide problem:

US Federal Trade Commission sues D-Link for having terrible security

Is it good or bad news that the US government is getting involved?

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V

StephenB · ‎2017-01-06

@michaelkenward wrote:

Is it good or bad news that the US government is getting involved?

That might depend on what you expect the technology policies of the new administration to be

Personally I think regulation on IoT security is inevitable. I'm not keen on lawsuits - given the lifetime of the devices in many cases there won't be anyone to sue. And lawsuits are after the fact - proactive security measures are what is really needed.