Thursday, July 30, 2015

Forget Internet of Things, You Already Have Spies In Your Home!

First things first, what the hell is the Internet of Things (IoT)?  Very simply, the IoT movement intends to connect a wide variety of electronics, embedded devices, and sensors to the Internet.  As a practical example, some makers of city street lights have Internet-enabled their bulbs.  On the surface, Internet lightbulbs appear as useful as Internet-connected refrigerators, but a distinct advantage is that these bulbs will alert a central office when replacement is necessary.  In a city with hundreds or thousands of street lights, a proactive message about an inoperable light eliminates significant effort driving around to check bulbs.

Other manufacturers are enabling medical devices like pulse oximeters with full TCP/IP stacks to monitor patient blood oxygen levels.  On the other hand, cardiac pacemakers have been wireless for some time.  Former Vice President Dick Cheney had the wireless feature on his pacemaker turned off due to security concerns.  Someday embedding IoT sensors in cereal boxes and other grocery items may eliminate self-checkouts altogether.  Push your cart out the door and your bank account is debited automatically.  A store clerk is only needed to weigh vegetables, or to help you find something - the grocery store of the future.

Once you get the hang of the IoT concept, it does not take a lot of imagination to understand how Internet-connected devices are beneficial.  What might take some imagination is how you can protect yourself in the age of IoT.  Throughout the development of IoT efforts, the security community and press have been quick to alert the public to the vulnerability du jour.  Attention focuses sharply where exploitation of vulnerabilities may lead to serious injury or death.  Public education around IoT security is important.  There is no argument that we need to continue educating, but there's a message being lost in the press background noise.  The message is that the spies are already among us!  Don't let the newness of IoT distract you.  Internet devices in your home and the homes of your friends or family have been monitoring you for some time.  To understand what I mean, let's take my home as an example.  Let's take a look at some of the Internet-connected devices I have in my home.

Apple Watches
Phones
Computers (OS X, Windows, Linux)
HP Printer
Tablets
Zigbee gateway (Solar System)
HP Smart Switches
AT&T U-Verse Access Point
Wireless-N Router
Wireless-N Bridge
NAS
Flatscreen TV w/Internet stack
Misc gear: Wifi Raspberry PIs, Wifi Pineapple, Wifi enabled drones, Cisco SIP phones, and more

Today your smartphone can spy on your home network, collect the data, and hide its activities by sending data back over private cellphone networks.  Your printer can be hijacked, malware installed, and made to perform reconnaissance of your home or office.  Other devices like telephones, copiers, and fax machines can be similarly exploited, as demonstrated years ago at the DEFCON security conference.  In my home, I reflashed my router firmware with OpenWRT, a Linux-like operating system.  With OpenWRT in place it's easy for me to sniff any traffic ingressing or egressing my home network to detect compromised computers.  But a hijacked device with malware installed, or a vendor with a complete disregard for your privacy, can do the same.  Whether or not these devices are spying on you is irrelevant.  The public should not have to rely upon the morals or good intentions of manufacturers to be secure in their homes or on their persons.  Our home networks should be battle hardened and withstand a single rogue vendor, bad smartphone app, or exploited device.  Security controls for our home and our person should exist so we can be "verifiably" secure.  Trust but verify is a basic tenet of security and is applied in business.  A challenge for the security community is to develop better protections for the home and people.

For security or IT gurus there are some actions you can take to strengthen your home security posture.  Firewalls with a single zone of trust and DMZ are not going to be enough, but there are some measures you can take.  Ideally every untrusted device should be on its own network segment and unable to see other network devices.  Of course, this makes it really tough to configure your network.  More practically, you can segment your network by device type.  For example, there is no reason your broadband provider needs direct access to devices on your home network.  Insert a router between your home network and your broadband provider's access point.  Your broadband provider will still see Internet traffic as it traverses the WAN, but the router blocks them from seeing your LAN traffic, like printing documents, copying files between computers, etc.  The same approach can be used to dedicate a wifi segment to your smartphones.  This allows smartphones to see other smartphones but not other types of devices on the home network.  This type of configuration provides a stronger security profile, but it's a lot of work to maintain, even if you know what you're doing.  It's hard to predict the future of security controls, but in the interim a router providing an easier way to manage many untrusted devices for home users would be helpful.  Segmenting helps to isolate untrusted devices from each other and reduces the surface area available for reconnaissance or attack.
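One way to check that a segmented router actually enforces the isolation described above, as an added example that is not code from the original post: the script reads zone and forwarding sections written in OpenWrt's firewall configuration syntax and reports any untrusted segment that can reach something other than the WAN.  The sample configuration and the zone names lan, phones, printer and wan are constructed for illustration.

```python
import re

# Constructed sample in OpenWrt UCI firewall syntax; zone names are assumptions.
SAMPLE = """
config zone
    option name 'lan'
config zone
    option name 'phones'
config zone
    option name 'printer'
config zone
    option name 'wan'
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'phones'
    option dest 'wan'
config forwarding
    option src 'printer'
    option dest 'lan'
"""

def parse_uci(text):
    """Return [(section_type, {option: value}), ...] from UCI text."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"config\s+(\w+)", line):
            sections.append((m.group(1), {}))
        elif (m := re.match(r"option\s+(\w+)\s+(\S+)", line)) and sections:
            sections[-1][1][m.group(1)] = m.group(2).strip("'\"")
    return sections

def audit(text, trusted=("lan",), uplink="wan"):
    """Flag forwardings that let an untrusted segment reach anything but the uplink."""
    sections = parse_uci(text)
    zones = {o["name"] for t, o in sections if t == "zone" and "name" in o}
    findings = []
    for o in (o for t, o in sections if t == "forwarding"):
        src, dest = o.get("src"), o.get("dest")
        if src not in zones or dest not in zones:
            findings.append(f"forwarding {src}->{dest} references an undefined zone")
        elif src not in trusted and dest != uplink:
            findings.append(f"untrusted zone '{src}' can reach '{dest}'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The audit only inspects forwarding sections; individual rule sections that open ports between zones would need their own check.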

The problem with segmentation, firewalling, and traditional IT controls for the home is that you have to roll your own solution.  In my case, even though I have the knowledge to strengthen my home network, I often avoid many improvements since it's too much maintenance effort to bother.  I spend enough time on the computer in my day job and I don't want extra IT homework at night unless the reward is great.  For the average home user, little if any combination of commercial gear and software exists that's helpful.  Security professionals have been beating the drum of virus scanners for years.  But virus scanners don't have the type of features necessary to protect home users today.  The best thing for home users to do is educate themselves on security so they can make the best decisions possible.  For those interested, I have a personal security page[2] you may find helpful.  Google also provided a great article[3] that compares how home users protect themselves vs. how security experts protect themselves.  Follow the experts column in the graphic!

The point I would like to leave you with is that the future is now.  The security concerns of IoT are not something strange and far off in the future for experts to consider if IoT gains favor with industry.  Internet enabled devices are already in our homes, in our cars, on our person, they are inside of us, and they are already pervasive.

[1] Clipart.com: open source White Hat Spy graphic
[2] Securitycurmudgeon.com: Personal Security
[3] Google.com: New research: Comparing how security experts and non-experts stay safe online
