17
Jan 18

Some Basic Rules for Securing Your IoT Stuff

Most readers here have likely heard or read various prognostications about the impending doom from the proliferation of poorly-secured “Internet of Things” or IoT devices. Loosely defined as any gadget or gizmo that connects to the Internet but which most consumers probably wouldn’t begin to know how to secure, IoT encompasses everything from security cameras, routers and digital video recorders to printers, wearable devices and “smart” lightbulbs.

Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked IoT devices had many experts warning of a dire outlook for Internet security. But the future of IoT doesn’t have to be so bleak. Here’s a primer on minimizing the chances that your IoT things become a security liability for you or for the Internet at large.

-Rule #1: Avoid connecting your devices directly to the Internet — either without a firewall or in front it, by poking holes in your firewall so you can access them remotely. Putting your devices in front of your firewall is generally a bad idea because many IoT products were simply not designed with security in mind and making these things accessible over the public Internet could invite attackers into your network. If you have a router, chances are it also comes with a built-in firewall. Keep your IoT devices behind the firewall as best you can.

-Rule #2: If you can, change the thing’s default credentials to a complex password that only you will know and can remember. And if you do happen to forget the password, it’s not the end of the world: Most devices have a recessed reset switch that can be used to restore to the thing to its factory-default settings (and credentials). Here’s some advice on picking better ones.

I say “if you can,” at the beginning of Rule #2 because very often IoT devices — particularly security cameras and DVRs — are so poorly designed from a security perspective that even changing the default password to the thing’s built-in Web interface does nothing to prevent the things from being reachable and vulnerable once connected to the Internet.

Also, many of these devices are found to have hidden, undocumented “backdoor” accounts that attackers can use to remotely control the devices. That’s why Rule #1 is so important.

-Rule #3: Update the firmware. Hardware vendors sometimes make available security updates for the software that powers their consumer devices (known as “firmware). It’s a good idea to visit the vendor’s Web site and check for any firmware updates before putting your IoT things to use, and to check back periodically for any new updates.

-Rule #4: Check the defaults, and make sure features you may not want or need like UPnP (Universal Plug and Play — which can easily poke holes in your firewall without you knowing it) — are disabled.

Want to know if something has poked a hole in your router’s firewall? Censys has a decent scanner that may give you clues about any cracks in your firewall. Browse to whatismyipaddress.com, then cut and paste the resulting address into the text box at Censys.io, select “IPv4 hosts” from the drop-down menu, and hit “search.”

If that sounds too complicated (or if your ISP’s addresses are on Censys’s blacklist) check out Steve Gibson‘s Shield’s Up page, which features a point-and-click tool that can give you information about which network doorways or “ports” may be open or exposed on your network. A quick Internet search on exposed port number(s) can often yield useful results indicating which of your devices may have poked a hole.

If you run antivirus software on your computer, consider upgrading to a “network security” or “Internet security” version of these products, which ship with more full-featured software firewalls that can make it easier to block traffic going into and out of specific ports.

Alternatively, Glasswire is a useful tool that offers a full-featured firewall as well as the ability to tell which of your applications and devices are using the most bandwidth on your network. Glasswire recently came in handy to help me determine which application was using gigabytes worth of bandwidth each day (it turned out to be a version of Amazon Music’s software client that had a glitchy updater).

-Rule #5: Avoid IoT devices that advertise Peer-to-Peer (P2P) capabilities built-in. P2P IoT devices are notoriously difficult to secure, and research has repeatedly shown that they can be reachable even through a firewall remotely over the Internet because they’re configured to continuously find ways to connect to a global, shared network so that people can access them remotely. For examples of this, see previous stories here, including This is Why People Fear the Internet of Things, and Researchers Find Fresh Fodder for IoT Attack Cannons.

-Rule #6: Consider the cost. Bear in mind that when it comes to IoT devices, cheaper usually is not better. There is no direct correlation between price and security, but history has shown the devices that tend to be toward the lower end of the price ranges for their class tend to have the most vulnerabilities and backdoors, with the least amount of vendor upkeep or support.

In the wake of last month’s guilty pleas by several individuals who created Mirai — one of the biggest IoT malware threats ever — the U.S. Justice Department released a series of tips on securing IoT devices.

One final note: I realize that the people who probably need to be reading these tips the most likely won’t ever know they need to care enough to act on them. But at least by taking proactive steps, you can reduce the likelihood that your IoT things will contribute to the global IoT security problem.

Tags: , , , , , , , , ,

60 comments

  1. If whats my ip address only furnishes an IPV6 address (Your IPv6 Address Is:) does that make the censys.io site unusable?

  2. Do you have recommendations for a Glassware-like tool for Mac and Linux? Is there something that I can install into PFSense or other router software that will provide similar features?

  3. Brian, I’m becoming a huge fan – after years of scouring the net I’ve finally found your blog & someone who’s able to explain InfoSec and “things” to us Gen X parents of Gen Z & Alpha Gen kids born with “gadgets & gizmos” in their hands & attached to their ears 😉 Thank you, thank you, thank you for being such an excellent resource for us. God Bless!

  4. One of the best password generation algorithms I’ve come across yet is Diceware. See https://en.wikipedia.org/wiki/Diceware

    Many implementations are out there, including one that contains spreadsheets in Microsoft Office Excel and LibreOffice Calc formats. See http://happycattech.com/security-apps/spreadsheet-diceware-passphrase-generation

  5. The way to secure your IoT stuff is to not own any IoT stuff.

    • Meh. Put them on an isolated subnet without a default gateway defined. Voila, no internet access.

      It makes a lot of IoT devices lose their damn mind though. On the other hand, the ones that don’t work, you really don’t want.

      • Kind of hard for devices whose purpose is to access the Internet, like streaming of Netflix and Amazon.

        • If you insist on having devices from Amazon and Google that need to talk to the Internet to work, then you probably have little to no concern over your personal privacy to the degree that you could live your life in a house with glass walls and not care if someone saw you doing stuff that the rest of us keep behind closed doors and opaque walls.

    • Well said! Keep your house private.

    • I’ll second that!

  6. Some of the IoT devices I’ve bought recently (Sonoff, Reolink) are starting to go towards the “pipe everything to the Amazon cloud server” model. Great if you want to access/control your device from anywhere. Terrible from a security standpoint. (Luckily Sonoff devices can be flashed with open-source firmware. Hoping someone cracks Reolink!)

  7. Aside from everything else (which you should do) if your wireless router has a “guest network” – putting all of these devices and segmenting them as an additional measure would help.

    At least that’s what I’ve done.

    • Brian Fiori (AKA The Dean)

      That might protect your home network, but I believe these devices can still be used in DDOS attacks.

  8. I don’t know if it adds any real protection, but I use two firewalls. I have one that separates the IOT devices from the Internet and a second that walls off that LAN from an inner LAN with computing devices.

    • Doubling up on firewalls doesn’t necessarily add additional protection, but what you’re describing (network segmentation) does add a layer of security to your environment.

      The important thing to consider when layering like this is to ensure that your devices that contain sensitive data (for most people, this is their desktop PC with pictures of their family, tax return documents, etc.) are completely unable to communicate with your IoT devices. Most IoT devices are configured via some kind of smartphone app which you can use to connect it to your “IOT” segment.

      I am accomplishing the same thing you are with a single firewall, but mine is a repurposed PC with multiple interfaces and BSD on it. Each interface is a separate network segment: WAN (internet), IOT (IoT gadgets), and LAN (desktop PC’s). IOT and LAN have explicit firewall rules that deny traffic traversal between them, so even if an IOT device gets compromised the only thing it’s going to affect is upload bandwidth as it’s used in a DDOS attack or something. Not perfect, but way beyond what most people do.

      • This is the strategy I’m planning, but the challenge still is how to connect mobile devices and control everything via a segmented wireless network. If the wireless AP supports it, then an IoT-only SSID on a separate VLAN could work, but one would have to switch between SSIDs with their mobile devices if they need to instead connect to the main WLAN SSID. Probably a small convenience cost for reduced security risks.

  9. It looks like you can’t deep link to that Shields Up page. You have to go to the homepage and find the correct link in order to get to the right page. Going direct gives some sort of warning page about how they’ve disabled your browser’s reload button.

  10. Chromecast and Google Home use mDNS to communicate with your phone for setup and or control. So if you are going to put them on a separate subnet, you need rules to so the LAN can see the subnet, but only mDNS can come across the subnet to LAN. You might also want the IOT devices to access the WAN so they can get firmware updates.

    Over all it is a mess and there is no easy to secure the devices.

  11. good morning Mr Krebs – yet another fascinating and most helpful article. The link to Shield’s Up didn’t show a point-and-click tool but it said it had temporarily disabled my browser’s reload function – this is the page https://www.grc.com/x/ne.dll?rh1dkyd2
    (Should I run this on all my browsers – IE11, Edge and Chrome?)

    I did some digging and found this page that seems to be what I need, and it’s given a clean bill of health. Phew!

    https://www.grc.com/shieldsup

  12. Rule #7 – RTFM before even turning on the damned thing. btw RTFM means the whole manual, not just the first 2 pages.

    Rule #8 – disable every functionality which you don’t need

    Rule #9 – check for avaliability of alternative firmware, even if you don’t plan installing it. if there is such, that means that many people have been poking around this device, and may have already discovered the more obvious holes in the process (and the vendor fixed them)

  13. this is good to see you and check the following

  14. You’re missing one critical factor. If your device calls home for firmware updates or to store your latest cat vidoes in the ‘cloud’ its possible the producer of the device will get hacked and hand your device over to a botnet.

    Given the number of subscribers to these ‘management’ and their low budget dont trust a brand or price point in your loungeroom or bedroom unless they know what a threat model is and can provide you details.

    Just ask what apple and google are spending for the privledge of being in your lounge room and are belkin, netgear or kung chi wa spending the same.

  15. For those on Mac OS looking for a Glasswire-like utility you might consider Little Snitch

    https://www.obdev.at/products/littlesnitch/index.html

  16. The Shields Up page is a dynamic link, so the link you provided doesn’t work for other people.

    Instead they should go to Gibson Research site’s main page, then click Shields Up.

    https://www.grc.com/

  17. Rule #4: …Looking up IP address details through “Censys.io” And if it’s a static-non-changing-address, running it through blacklist lookups.

  18. A *big* part of the solution to IoT device security involves device manufacturers stepping up their efforts to make Security part of the design process — which most do not. Medical device manufacturers are beginning to move in this direction in response to recent FDA guidance (a.k.a. “requirements”) Re Security. And at least one software vendor — Nova Leah (http://www.novaleah.com) — is directly addressing Security Risk Assessment and continuous vulnerability monitoring for medical devices and potentially other embedded technology. Security for these things is not easily done as a “bolt-on” solution; it needs to be baked into IoT and other devices at the start of the development process.

  19. | -Rule #5: Avoid IoT devices that advertise Peer-to-Peer (P2P) capabilities

    Specific to this caution: I recently replaced an old laser printer (“old”: utilized a parallel port) with a new printer sporting a USB port and an ethernet port (RJ45 connector) as well as wireless networking. Under the heading of “wireless networking”, an “ad hoc” option is available as well as connecting through a router’s wireless capability. The “ad hoc” option appears to be another term for Peer-to-Peer (P2P) that you advise avoiding.

    In this instance, I found installing the printer’s wireless drivers disabled functionality in some applications including both legacy and current apps. Removing the printer’s wireless drivers restored these apps’ full functionality.

    Further to your caution: this printer’s menu appears to offer the option of disabling all wireless functionality, which I’ve done. “Appears”: dunno whether this can be defeated.

    Generalized suggestion: consider what benefit (if any) a wireless connection offers before enabling it.

  20. We literally just covered this in our TC2027 course with Prof. Ken Bauer. Thanks for helping us wrap up…

  21. Another option for home automation is use alternate communications standards. I decided to use zwave based devices that are supposed to live off on their own separate protocol and have just one device, the controller connect to the network.

    Both having to go through a single point to get to the devices seems and having them all not on the WiFi network seems like a good idea to me.

    I’ve been testing out the Samsung SmartThings Hub to control their zwave connected devices and it seems OK so far. It also is able to control zigbee protocol devices.

    I’m sure that someone here will correct me if I’ve made separation of protocols a panacea, and I welcome any correction.

  22. Both Censys and ShieldsUP!! are showing my Epic Privacy Browser opens port 80 for HTTP. In Firefox, all common ports are Stealth Status. My understanding is limited, but Stealth sounds better than open. Any thoughts on what is going on?

  23. Many of the items you mention are desirable to have but most users cannot do. Even if they did, there could still be other vulnerabilities lurking.

    The best way is to create a separate VLAN for IoT devices. Even home routers support VLANs nowadays. This ensures even if something does go wrong, none of your other devices are affected.

    • I VLAN’d my network as well, but it was for two reasons. When I did it I had minimal IOT to what I have now. However, the real reason was I got hit by one hell of a dox attack on one of my gaming systems. Now, I had to split it up about a year back because some of the IOTs don’t take nicely to you kicking certain VPNs through the LAN. Without getting too technical on the setup, it operates as 3 different LANs. 2 WIFI with one of those VPN’d . The IOTs normally all run on the other.

  24. It’s not like people “don’t know they should care”. People using IoT devices (my mom) *have no idea of what you’re talking about*.
    My mom doesn’t need to know how to secure her washing machine, because it has a CE mark on it, and because in case of failure somebody will be liable for it. Same thing should apply to IoT and IT in general. Bruce Schneier has been saying it for ages but the fact that nobody followed his advice doesn’t mean it’s not the right thing to do.
    Technology should be secure by design, full stop.
    Asking consumers to adopt security measures is giving an excuse to manufacturers and legislators for not getting their act together.

    • While I agree that hardware makers need to drastically step up their game and more pressure needs to be applied to these companies do so, not doing anything in the meantime to minimize the negative impact of these devices is not really a great option either.

  25. What are the implications for self-driving cars? Everything I hear suggests we won’t simply get self-driving cars. We’ll get all-seeing-all-knowing tracking machines serving ads and in constant communication with the BigBot.

    Any ideas on what we’ll face trying to use those things without being sitting (but mobile) ducks for every criminal out there?

  26. Ricardo Quintas

    Hi Brian,
    Do you have any tips on how to choose “safe” IOT gear ?
    I’m planning to buy some security webcams for my apartment and I don’t know where to start.

    When it comes to security, what would you recommend as the bare minimum for these type of equipments (or any other IOT) ?

    Do you recommend any site ?

    Cheers.

  27. I would be great if SOHO firewalls supported botnet filtering. That would go a long way in improving network security overall.

  28. IoT is flaming out spectacularly. Along with cryptcurrencies and VR, this is going to be a huge bonfire!

  29. One more item: avoid Internet providers that use IPv6. It makes rule 1 dramatically harder, and sometimes impossible to follow.

    Some consumer-grade routers support IPv6 – but only as a plain router that forwards everything; some, but not all, also include firewall features for IPv6.

  30. Open source like Arduino devices makes it less likely that backdoors exist because the code can be reviewed by experts. This is somewhat true of Raspberry Pi and Teensy, which unfortunately have closed source hardware but have open source software. On Linux devices, you can switch to a non-standard port and use a strong password for remote access, or disable remote access entirely.