How do you secure home networks from IoT and other smart devices?

Continuing the discussion from Will 5G Push Fibre Aside?:

Having just added a Solar PV System to the house we now have one more smart Wifi connected device.

Alarmingly it has both a broadcast SSID with WEP security (i.e. next to useless), and has also connected with an IP address to our home WPA2-secured network, as that is how the iPhone app needs it configured.

What is the best way to take advantage of these devices without compromising the home network?

And is there also a solution for those of us who do not understand that if you have Foxtel you most likely have broadband and a router?

5 Likes

I can never leave a straight line.

Ans: "OK Google, secure my network." All done :laughing:

3 Likes

Typically, we are already into the complex mathematics of the geometry of straight lines and how to divide. :thinking:

For the more challenged amongst us is connecting a second router to the Ethernet port of the ISP provided router, and creating a separate network one answer? It still needs some smarts to ensure the traffic is separated between two networks.

Alternately many routers allow you to create a guest network. You could use that for all the extra devices.

Of course neither is perfect as having separated the two networks moving content dynamically between the two may not be possible? After all you are trying to stop that from happening?

Do you simply consider your home network for ever more a public network and revert to using a VPN for the majority of your personal use?

There is no paranoia under this hat :billed_cap:.
Hopefully not another marketing specialist either.

P.s. might - “OK Google, Secure our Network!” be a more effective request?

1 Like

An edge router will allow you to create (IIRC) four or five separate networks from one broadband connection. Don’t ask me how. :grin:

1 Like

This entirely depends on your router's capabilities. You can configure two networks with two IP ranges and separate the IoT from other devices.

You can isolate devices on your wireless network so that they cannot communicate with each other (if they only need internet).

Some routers have firewall functionality and you can block IoT devices communicating with your phones using access control lists.

You must:

  • Change the router's default password
  • Keep the firmware up to date.

Then try shutting down services that you don’t use on your router.

1 Like
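The post above describes the split as a matter of router features: two IP ranges, client isolation, and ACLs that keep IoT devices away from the phones. The following is an added example, not code from the thread or from any router vendor: it models that policy in a few lines so the intent can be checked against sample flows, and renders the equivalent nftables ruleset for a Linux-based router. The subnets (192.168.1.0/24 for the LAN, 192.168.20.0/24 for IoT), the interface names and the gateway address are assumptions chosen for the example.

```python
"""Added example, not from the thread: a small policy model of the
LAN/IoT split described above, plus the nftables ruleset that enforces it
on a Linux-based router. Subnets, interface names and the gateway address
are assumptions chosen for the example."""
import ipaddress

# Assumed addressing: the main LAN and the IoT devices on separate interfaces.
ZONES = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}
IFACES = {"lan": "br-lan", "iot": "br-iot"}          # assumed interface names
IOT_GATEWAY = ipaddress.ip_address("192.168.20.1")   # router's address on the IoT side
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The only services the IoT segment may reach on the router itself: DNS and DHCP.
GATEWAY_SERVICES = {("udp", 53), ("tcp", 53), ("udp", 67)}


def zone_of(ip):
    ip = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "other-private" if any(ip in n for n in RFC1918) else "wan"


def allowed(src, dst, proto, dport, established=False):
    """First-match policy for one packet seen by the router.
    established=True models a packet belonging to a connection that was
    already permitted (what 'ct state established,related' matches)."""
    if established:
        return True
    s, d = zone_of(src), zone_of(dst)
    if s == "iot":
        if ipaddress.ip_address(dst) == IOT_GATEWAY and (proto, dport) in GATEWAY_SERVICES:
            return True
        return d == "wan"   # cloud backends yes; LAN, router admin UI, other private ranges no
    if s == "lan":
        return True         # the LAN may initiate to IoT (the phone app) and to the internet
    return False            # nothing initiated from outside is accepted


def nft_ruleset():
    """Render the same policy as an nftables script (load with `nft -f`)."""
    lan, iot = IFACES["lan"], IFACES["iot"]
    return "\n".join([
        "table inet iot_split {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    iifname {lan} accept",
        f"    iifname {iot} ip daddr {{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }} drop",
        f"    iifname {iot} accept",
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iifname lo accept",
        f"    iifname {lan} accept",
        f"    iifname {iot} udp dport {{ 53, 67 }} accept",
        f"    iifname {iot} tcp dport 53 accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(nft_ruleset())
```

Two caveats a practitioner would want. The input chain as written drops everything unsolicited on the router itself, including from the WAN side, so add rules if the router must be reachable there. And devices on the same IoT segment talk to each other through the access point or switch without ever crossing the router, so isolating IoT devices from one another is the access point's client-isolation setting, not a firewall rule.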

That’s good feedback. Especially if you are comfortable going into the router configuration software. There is some knowledge required to do so. One of our routers allows a guest network to be enabled with a minimum of effort.

Another, simpler, router requires you to configure the IP ranges, set a mask and open selected ports to do so! Not so simple for many!

That is partly the reasoning for asking about the options.
It is made harder or easier by how your ISP treats you and whether the ISP supplies a decent router. I know many who have a standard Telstra broadband router of whatever vintage that carries the default Telstra configuration. I used to have one that, when supplied, used a WPA encryption key related directly to the SSID. Many users do not have any knowledge of the risks or how to access and change these settings.

Our latest iiNet router's standard configuration is a little better; however any built-in security, in my example adding a PV solar power inverter, disappears the moment we attach other devices we have no control over. These necessary devices can communicate with their big brothers and, like smart TVs, also auto-download and install software without our knowledge or explicit permission.

Is it subsequently acceptable for devices to behave this way?
Should all such software/firmware be subject to third party audit and certification before it is released?
Should all broadband users need a license and pass a test before they are connected?
Should all ISPs meet an agreed configuration and security standard for the devices they supply, including remote configuration?

Our solar PV inverter has a two-line info display, is effectively headless, and requires an externally connected device to access its performance. Why does it also need to access big brother?
And to whom does big brother facilitate access?

True, many of the concerns are no different to having a Google ID and Gmail account, except the power of a headless smart device on the inside of a home network is infinitely greater in what it can discover.

1 Like

Put them on a separate network. Use three routers, one being the gateway and the other two being your ‘main’ network and your ‘IoT’ network. Start at page 21 of the following podcast transcript:

(If you go up a level at that website, you will find all the shows with downloadable audio, show notes and transcripts.)

There are further iterations of the ‘three dumb routers’ concept; the following article and its comments appear to be well considered additions.

The suggestion of a Ubiquiti EdgeRouter X router is also valid, as from my understanding (coming from the above-mentioned podcast) they do not permit any interchange between their ports. They are discussed in the following episode.

Unfortunately many or most routers do not have this capability.

We are in a period of immense change in the computing world. IoT devices can cost pennies to manufacture, and there are plenty of companies willing and able to go into business without worrying about end user security.

I expect that a few years from now things will have settled down, there will be some basic security standards either imposed on the industry or by the industry for devices, and we will all live happily ever after.

It isn’t just IoT devices such as a baby monitor that uploads video to the web which is available to any who can guess your user name. Unpatched security holes in routers, or in server software, are enabling massive breaches and botnets.

We are only relatively new to the idea of IT security, and even newer to the idea of securing everything on the Internet! Microsoft has finally (almost) figured out how to do it right in Windows; Apple and Google are probably in the same range of proficiency, but Google’s partners vary from ‘regular updates’ to ‘what’s an update?’.

It is likely that at some point in the future there will be a ‘stamp of security’ that you can trust for an Internet-connected device. Probably operated by manufacturers who are sick of the low quality stuff that’s poisoning the Internet, it will require functions such as regular automatic updates, limitations on Internet access depending on the device’s purpose, and similar kinds of security. Unfortunately, we are not yet there - and when you are designing one of these devices security is not an add-on, it is a fundamental feature. It is incredibly easy for bugs to slip past, even if you do use third party auditing, so as matters stand you can assume that every Internet-connected device you own has at least some bugs.

There is one other advancement that may make the Internet secure. I cannot remember the terminology, but it is the concept of an ‘error-free’ programming language/tool that does not provide for the easy mistakes that might be made in a million or more lines of code. I suspect it is a while away.

3 Likes

Brazil has had a rash of attacks against both modems and routers that use the fact that many people don’t change the default login credentials on their modems/routers. The attack uses drive-by visits to a compromised or malicious website, or malicious ads, to use cross-site request attacks to get access to the router DNS settings. AVAST have said that in the last 2 months they have blocked over 4 million of these attacks. They have also reported they have found at least 180,000 routers with hijacked DNS settings.

To read a bit more about the issue and what steps a user can take to help protect against this type of attack see:

3 Likes
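The attack described in the post above works because the victim's browser, visiting a malicious page, can be made to send a request to the router's LAN address that the router cannot tell apart from one submitted on its own admin page. The following is an added example, not code from the thread or from any vendor's firmware: a toy admin endpoint that changes the upstream DNS server, first in the shape such an attack abuses, then hardened with an exact origin check and a per-session CSRF token, with the drive-by simulated against both. The router address, the form fields and the sample resolver addresses are assumptions.

```python
"""Added example, not from the thread or from any vendor's firmware: a toy
router admin endpoint that changes the upstream DNS server, first as the
kind of handler the drive-by attack abuses, then hardened with an origin
check and a per-session CSRF token. Host, parameter names and sample
addresses are assumptions."""
import base64
import hmac
import secrets
from urllib.parse import urlsplit

ROUTER_HOST = "192.168.1.1"            # assumed LAN address of the admin UI


def basic_auth(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


class Router:
    def __init__(self, user, pw):
        self.expected_auth = basic_auth(user, pw)
        self.dns = ROUTER_HOST                   # upstream resolver: the router itself
        self.csrf_token = secrets.token_hex(16)  # embedded in the real admin page only

    def _authenticated(self, req):
        given = req["headers"].get("Authorization", "")
        return hmac.compare_digest(given, self.expected_auth)

    def set_dns_vulnerable(self, req):
        """Accepts any authenticated POST, no matter which page sent it."""
        if not self._authenticated(req):
            return 401
        self.dns = req["form"]["dns"]
        return 200

    def set_dns_hardened(self, req):
        """Same change, but only when the request comes from the router's own page."""
        if not self._authenticated(req):
            return 401
        # Browsers set Origin (or at least Referer) themselves; a malicious page
        # cannot forge it. Compare the host exactly, never by string prefix.
        source = req["headers"].get("Origin") or req["headers"].get("Referer") or ""
        if urlsplit(source).hostname != ROUTER_HOST:
            return 403
        if not hmac.compare_digest(req["form"].get("csrf", ""), self.csrf_token):
            return 403
        self.dns = req["form"]["dns"]
        return 200


def drive_by(router, handler, user="admin", pw="admin"):
    """What a malicious page does: the victim's browser posts to the LAN
    address with credentials the page guessed (a default pair) or ones the
    browser already holds for the admin UI."""
    req = {
        "headers": {"Origin": "http://malicious.example", "Authorization": basic_auth(user, pw)},
        "form": {"dns": "198.51.100.66"},   # constructed attacker-controlled resolver
    }
    return handler(req)


def legitimate_change(router, handler, new_dns):
    """The same change made from the router's own admin page."""
    req = {
        "headers": {"Origin": f"http://{ROUTER_HOST}", "Authorization": router.expected_auth},
        "form": {"dns": new_dns, "csrf": router.csrf_token},
    }
    return handler(req)


def demo():
    weak = Router("admin", "admin")                 # default credentials never changed
    vuln_status = drive_by(weak, weak.set_dns_vulnerable)
    hijacked_to = weak.dns
    fixed = Router("admin", "admin")
    hard_status = drive_by(fixed, fixed.set_dns_hardened)
    ok_status = legitimate_change(fixed, fixed.set_dns_hardened, "203.0.113.53")
    return vuln_status, hijacked_to, hard_status, fixed.dns, ok_status


if __name__ == "__main__":
    print(demo())   # (200, '198.51.100.66', 403, '203.0.113.53', 200)
```

The origin and token checks only stop the victim's browser being used as a relay. An attacker who can reach the admin UI directly, from the LAN or through an admin port exposed to the WAN, and who knows the default credentials still logs in as normal, which is why changing the password remains the first step regardless of firmware fixes.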

Most of this is beyond the control of the customer.

A secure router (device in general) does not have “default login credentials” at all - hence making that particular problem largely go away.

The biggest problem for the customer is abandonware. It sticks in the craw to have to throw out an otherwise “working” router just because it has been abandoned by its manufacturer and may well be vulnerable to some newly discovered attacks.

Some CSRF attacks can be avoided within the browser (or mail client or whatever is the relevant software), which has the advantage that it can be updated long after the router has become abandonware. A secure router is not vulnerable to basic CSRF attacks anyway.

Would like to know how many hijacked routers there are in Australia.

I operate a honeypot. I see a mass of attacks that are very obviously designed to exploit a known vulnerability in some device. I use that then to harden lower-profile devices, if needed.

2 Likes
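The post above mentions watching a honeypot for attacks aimed at known device weaknesses. The following is an added example, not the poster's honeypot, logs or code: a detector run over constructed HTTP honeypot log lines that flags login attempts using default router credentials (the admin/admin style pairs discussed in this thread) and sources that cycle through several credential pairs. The log line format, the credential list and every address are made up for the example.

```python
"""Added example, not the honeypot or logs of anyone in the thread: a
detector run over constructed HTTP honeypot log lines that flags login
attempts using default router credentials and sources cycling through
many credential pairs. The log format and every address are made up."""
import base64
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample lines: timestamp, source IP, method, path, Authorization header, body.
SAMPLE_LOG = """\
2019-04-12T03:14:07Z 203.0.113.9 GET /login.cgi auth="Basic YWRtaW46YWRtaW4=" body=""
2019-04-12T03:14:08Z 203.0.113.9 GET /login.cgi auth="Basic YWRtaW46cGFzc3dvcmQ=" body=""
2019-04-12T03:14:09Z 203.0.113.9 GET /login.cgi auth="Basic cm9vdDpyb290" body=""
2019-04-12T03:14:10Z 203.0.113.9 GET /login.cgi auth="Basic YWRtaW46MTIzNA==" body=""
2019-04-12T03:20:41Z 198.51.100.23 POST /login auth="" body="username=admin&password=admin"
2019-04-12T03:22:02Z 198.51.100.77 GET / auth="" body=""
2019-04-12T03:25:13Z 192.0.2.200 POST /login auth="" body="username=ops&password=Tr0ub4dor%263"
"""

# Assumed list of factory defaults worth alerting on.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "root"),
                 ("admin", "1234"), ("admin", "")}
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) auth="([^"]*)" body="([^"]*)"$')


def credentials_in(auth_header, body):
    """Return the (user, password) pair a request presented, or None."""
    if auth_header.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth_header[6:], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None                   # junk in the header is not a credential
        user, _, pw = decoded.partition(":")
        return (user, pw)
    form = parse_qs(body, keep_blank_values=True)
    if "username" in form and "password" in form:
        return (form["username"][0], form["password"][0])
    return None


def analyse(log_text, spray_threshold=3):
    """Per source: distinct credential pairs tried, default-credential hits, verdict."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # malformed line; skip rather than crash
        _ts, src, _method, _path, auth, body = m.groups()
        creds = credentials_in(auth, body)
        if creds is not None:
            tried[src].add(creds)
    findings = {}
    for src, pairs in tried.items():
        defaults = sorted(p for p in pairs if p in DEFAULT_CREDS)
        if defaults or len(pairs) >= spray_threshold:
            findings[src] = {
                "attempts": len(pairs),
                "default_creds": defaults,
                "spraying": len(pairs) >= spray_threshold,
            }
    return findings


if __name__ == "__main__":
    for src, finding in analyse(SAMPLE_LOG).items():
        print(src, finding)
```

A source that only presents one non-default pair (the last sample line) is deliberately left out of the findings, since a single failed login from an operator is not evidence of anything; the sources that show up are the ones worth feeding into a block list or into the hardening of the lower-profile devices the post mentions.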

To access the admin settings of a router most do have a login and password. Most are simple default ones, e.g. admin and admin, or password and admin, or something equally simple. This is what is being targeted: the malware searches for a router then tries the simple defaults to see if access is possible. Sadly a lot of people don’t change these defaults, and even if they do they forget to reset them after a router or modem reset.

The abandonware nature of new tech is sadly well entrenched and I don’t see any answers that will quickly turn this around.

2 Likes

Yes, they do. I was just pointing out that the IT industry realised decades ago that that is a really bad idea - and largely stopped doing it. So why are new devices being sold today, engineered by people in the IT industry, still doing that?

Ergo: Any device that is still doing this is not a secure device.

2 Likes

Why still doing it? Because they are trying to make it easy for a user to initially get into the router or modem to change those settings and hopefully change the access details, which most don’t :frowning:

Marginally better than “admin/admin and away you go” is admin/admin but, while the password remains admin, the device will not route / will not communicate with the internet / will not do anything else / will only put up a form demanding that the password be changed.

Again though these things (bad design decisions) are not within the control of the customer.

3 Likes

I suspect many of the targets are not in the industry but home systems where the mum or dad doing the installation just accept all the defaults and hope for the best.

2 Likes

In my opinion getting security right is too hard for most customers and therefore security must be correct out-of-the-box. It needs to be a primary consideration for the designer, under the assumption that the customer will take all the defaults and just plug it in and expect it to work, but be secure.

Does the government care? Nope. They are going in the opposite direction, requiring insecurity to be baked in from Day 1. Unless it’s Huawei. LOL.

2 Likes

https://www.cyber.gov.au/news/routers-targeted

No numbers I could find, but I am sure there are many as Australian stuff has been in botnet activity in the recent past, so we know it is here.

This from 2017 about CSRF fixes in ASUS firmware updates:

https://www.pcworld.idg.com.au/article/619153/latest-firmware-updates-asus-routers-fix-csrf-security-flaws/

1 Like

A corollary of that is: don’t put gratuitous network connectivity in devices and don’t access the internet unless it is necessary. Looking at the post that started this discussion, solar PV systems should not access the internet. Period.

Routers I have seen recently have (presumably) randomly generated passwords stuck on the side. This is what I would expect of any router I bought, and I would still change the password as soon as I got it home and fired up and before connecting it to the Internet. I would probably also download any firmware updates using my old router, so it’s entirely Internet-ready.

That said, my current router has been on my desk for over ten years and is still receiving occasional firmware updates (automatically on reboot!). Given that, I’m almost certain to buy the same brand when I move onto the NBN and 802.11ac.

Unfortunately, for security to be ‘done right’ and ‘kept right’ costs the manufacturer money and needs the consumer to care. Manufacturers (other than the bottom-feeders) are gradually getting their houses in order, but I don’t think you can force a consumer to care enough to learn how to change their router’s settings until it’s too late.

And I won’t buy an Asus router.

2 Likes

Manufacturers need to step up by generating random login credentials, but for most the easy way is to have a standard image with everything set the same that they just dump onto the hardware. With the ASUS I was just noting how some have patched firmware against many of these attacks, but nothing is enough when users leave bog-standard login credentials, or none, on their hardware.

From many RSPs the change has been to generate the passwords and login names as part of the setup of the router for the user who has ordered the device as part of their access plan. But many manufacturers are still providing very simple and standard details.

3 Likes

Which opens up another long discussion about being able to access the basic data collected by the inverter. Being able to monitor performance in some detail is necessary in identifying potential problems with a system proactively.

However not all manufacturers provide suitable options that operate independent of the internet.

It is also useful in objectively assessing whether the system performs to specification.

Given the advanced technical design, delivery of any connected inverter that is not secure from local or internet-launched intrusions risks much more than just personal data, e.g. recourse by third parties to disrupt the inverter deliberately.

So yes, one solution is to never connect! That leaves a potentially difficult debate re fit for purpose.

1 Like