iot security
  • iot security

    Not sure where the best place to put this is, but will start here.

    I have largely avoided connecting devices to network servers for cloud support. The devices I do have, aside from mobile phones and select PCs, do not routinely connect to any server outside my LAN, but it's probably inevitable that I will want to in the future. Aside from changing default login settings and using a strong password, are there any other steps that would help?

    For instance, how are people accessing the Amazon Echo? (I realize HST is working on a special interface, but I'm referring to the standard product.)

    What about a WiFi thermostat, like Nest or ecobee that needs to communicate with a cloud server so that HS can retrieve data and control it.

    Would it help to use a separate network for these kinds of connections?
    Mike
    HS3 Pro Edition 3.0.0.548

    HW: Stargate | NX8e | CAV6.6 | Squeezebox | PCS | WGL 800RF, Rain8Net+ | RFXCOM | QSE100D | Vantage Pro | Green-Eye | X10: XTB-232, -IIR | Edgeport/8 | Way2Call | Ecobee3

  • #2
    Originally posted by Uncle Michael:
    Would it help to use a separate network for these kinds of connections?
    This is exactly what I do. I've kept an older 802.11g WAP NAT'ed into my real home subnet. All of the internet-connected devices (Apple TV, Chromecast, Blu-rays, smart TV, treadmill, work PC, guests, etc.) use this "G" WAP. My firewall allows full internet access and only allows certain IP/port access to my real home subnet. Additionally, from the "G" WAP I've run Cat6 to a network switch located at the main TV center for use by the Apple TV and Chromecast. This dramatically reduced buffering and other WiFi-related performance degradation.



    • #3
      Originally posted by lveatch:
      This is exactly what I do. I've kept an older 802.11g WAP NAT'ed into my real home subnet. All of the internet-connected devices (Apple TV, Chromecast, Blu-rays, smart TV, treadmill, work PC, guests, etc.) use this "G" WAP. My firewall allows full internet access and only allows certain IP/port access to my real home subnet. Additionally, from the "G" WAP I've run Cat6 to a network switch located at the main TV center for use by the Apple TV and Chromecast. This dramatically reduced buffering and other WiFi-related performance degradation.
      This is something I am considering, but I have no idea how to do this.

      Or even how to search for what it's called.
      HS3 Pro on Windows 8 64bit
      53 Z-wave nodes(46 devices, 7 remotes), 15 DS10a's, 10 ms16a's, 9 Oregon Sensors, W800, RFXCOMtrx433, Way2Call, 3 HSTouch Clients, 2xRussound CAS44, Global Cache GC100-12,10 Rollertrol blinds(+ zwave) ,3 Squeezebox Radios and 1 Squeezebox Boom,DMX Arduino via ethernet,Rain8Net,3x Echo Dot's


      Check out my electronics blog here:
      https://www.facebook.com/RaptorsIrrationalInventions



      • #4
        Basically, what he is doing, in a basic form, is taking a separate wireless router and connecting its WAN port to his network. This creates a separate network that essentially cannot talk to his main one. If you need to communicate with things on your main network in your "separate" network, you would just open the ports in the firewall settings on the second router.

        Personally, IoT security doesn't concern me in this sense; there are a bunch of different ways to get into someone's network even without a cloud-connected device. This is just the downside of the internet in general: where there is a will, there is a way. What concerns me more is the data collection that these devices do. Unfortunately, you can't get away from it easily, and cloud-based services are not the only data collection happening. If you use a search engine, all that data is collected. Hell, there could be data collection happening on this very site in the background.

        Reality is this... if you use the internet at all, no matter how much you protect yourself, you can only minimize the risk of an attack, which I think, as home users, is pretty low as it is. Most will try to attack bigger fish.

        What I don't think is easily minimized is the data that is being collected with every device that connects to a network and every keystroke on your computer. We are being monitored in one way or the other, and just have to accept that, or pull the plug.



        • #5
          Originally posted by Raptor:
          This is something I am considering, but I have no idea how to do this.
          My router has provision for a 'guest' WiFi network. Although I agree that the risk of intrusion through an IoT device is small (for now) and social engineering is a much more likely route, it seems prudent to use the capability to isolate devices from my LAN that don't need to connect to it. I was mostly wondering if using it would introduce other vulnerabilities that might make it less secure than I assumed it would be.
          Mike
          HS3 Pro Edition 3.0.0.548

          HW: Stargate | NX8e | CAV6.6 | Squeezebox | PCS | WGL 800RF, Rain8Net+ | RFXCOM | QSE100D | Vantage Pro | Green-Eye | X10: XTB-232, -IIR | Edgeport/8 | Way2Call | Ecobee3



          • #6
            Really, I think the biggest concern is always the reliance. If the cloud service goes down, or the company that supplies the cloud service goes belly up... how will it affect you?

            SmartThings is a perfect example of this... they are slowly changing the reliance on the cloud, but from what I am reading, people are still having issues with their automation when the cloud goes down.

            I agree, protect yourself as much as you reasonably can with the understanding of the balance between convenience vs security.



            • #7
              If you haven't seen it yet, here is a link with some info:

              http://techcrunch.com/2015/10/24/why...#.tvh4qll:13rF



              • #8
                Originally posted by Raptor:
                This is something I am considering, but I have no idea how to do this.

                Or even how to search for what it's called.
                Basically, I configured this WAP to use a static IP to the internet; however, the "internet" in this case is my primary home network.

                Let's assume my primary home network is 192.168.0.1-255. I set the "G" WAP to use a static IP, say 192.168.0.200, and the gateway of the internet router/modem, 192.168.0.1.

                This "G" WAP has DHCP enabled for IPs 192.168.2.100-140.

                Each device I connect to this "G" WAP gets an IP in the 192.168.2.100-140 range and can connect to the internet via the router gateway IP 192.168.0.1.

                My home network sees all "G" network traffic going through 192.168.0.200.

                This isn't my router, but see section 11.5, "Create Static Routes": http://www.tp-link.com/res/down/doc/...28UN_V1_UG.pdf
                Be careful not to make your home network accessible from the internet.



                • #9
                  Originally posted by waynehead99:
                  Personally, IoT security doesn't concern me in this sense; there are a bunch of different ways to get into someone's network even without a cloud-connected device.
                  While I generally agree with you on IoT security not being a big threat at this very moment, at what point do you become concerned? After you detect a compromise and have lost confidential data?

                  I've worked hard to protect my home network from the internet. My firewall logs show that in 2015 alone, my home network has been attacked 41,000+ times (18K from China). The numbers would be higher if I did not actively block repeat offenders on my firewall.

                  It is trivial for an IoT device to establish an outgoing internet connection which sets up a reverse tunnel allowing full access to your entire home network.



                  • #10
                    Agreed, do what you can to protect yourself at home. I guess what I was trying to say is that I think there are bigger concerns with data collection that you won't be able to avoid these days unless you just don't get on the Internet. Plus, how do you protect yourself from the other end of the cloud? I would be more concerned with company X getting hacked with your data, vs. my Echo getting hacked.



                    • #11
                      This very topic with a solution was covered in the latest Security Now podcast on the Twit network.



                      • #12
                        Originally posted by lveatch:
                        Basically, I configured this WAP to use a static IP to the internet; however, the "internet" in this case is my primary home network.

                        Let's assume my primary home network is 192.168.0.1-255. I set the "G" WAP to use a static IP, say 192.168.0.200, and the gateway of the internet router/modem, 192.168.0.1.

                        This "G" WAP has DHCP enabled for IPs 192.168.2.100-140.

                        Each device I connect to this "G" WAP gets an IP in the 192.168.2.100-140 range and can connect to the internet via the router gateway IP 192.168.0.1.

                        My home network sees all "G" network traffic going through 192.168.0.200.

                        This isn't my router, but see section 11.5, "Create Static Routes": http://www.tp-link.com/res/down/doc/...28UN_V1_UG.pdf
                        Be careful not to make your home network accessible from the internet.
                        This configuration, while putting your G network on a different NATed subnet, does not block the G network devices from seeing your home network fully with most consumer routers.

                        I prefer a dedicated subnet, and my regular subnet, hanging off a proper firewall. Then I can define what traffic can traverse to where.

                        If doing it with purely wireless routers, I would layer them the other way around from what you describe, so that from my inner home network I could connect through to the less safe IoT one, and finally out to the internet.



                        • #13
                          Originally posted by sbwright:
                          This very topic with a solution was covered in the latest Security Now podcast on the Twit network.
                          Care to share a bit more? Is there a link?
                          Mike
                          HS3 Pro Edition 3.0.0.548

                          HW: Stargate | NX8e | CAV6.6 | Squeezebox | PCS | WGL 800RF, Rain8Net+ | RFXCOM | QSE100D | Vantage Pro | Green-Eye | X10: XTB-232, -IIR | Edgeport/8 | Way2Call | Ecobee3



                          • #14
                            Originally posted by Automated:
                            This configuration, while putting your G network on a different NATed subnet, does not block the G network devices from seeing your home network fully with most consumer routers.

                            I prefer a dedicated subnet, and my regular subnet, hanging off a proper firewall. Then I can define what traffic can traverse to where.

                            If doing it with purely wireless routers, I would layer them the other way around from what you describe, so that from my inner home network I could connect through to the less safe IoT one, and finally out to the internet.
                            I guess a more proper way to do this would be to find a layer 3 switch on eBay that you could VLAN things out with?



                            • #15
                              Originally posted by Automated:
                              This configuration, while putting your G network on a different NATed subnet, does not block the G network devices from seeing your home network fully with most consumer routers.

                              I prefer a dedicated subnet, and my regular subnet, hanging off a proper firewall. Then I can define what traffic can traverse to where.

                              If doing it with purely wireless routers, I would layer them the other way around from what you describe, so that from my inner home network I could connect through to the less safe IoT one, and finally out to the internet.
                              I did not mention that I have a firewall appliance which blocks the G subnet from communicating with my primary network. Furthermore, the firewall appliance (ZyXel USG20) has multiple LAN ports allowing appropriate network isolation.

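The two topologies argued over in this thread, modelled as an added example (this is not code from any of the posts above): the second-router setup of post #8, where the "G" network sits double-NATed behind a consumer router whose WAN port is on the main LAN, and the dedicated firewall with explicit rules that post #12 prefers and post #15 describes. Each policy function classifies the first packet of a connection, which is what a stateful firewall decides on. The subnets and gateway follow post #8; the HS3 server at 192.168.0.10, the Ecobee at 192.168.2.105, the vendor cloud at 203.0.113.10 and the test flows are assumptions constructed for this example.

```python
"""Model of the two IoT-isolation setups discussed in the thread.

Constructed example, not code from the forum posts. Addresses in the
192.168.0.0/24 and 192.168.2.0/24 ranges follow post #8; the HS3 server,
the Ecobee, the vendor cloud (203.0.113.10, a documentation address) and
the external host 198.51.100.7 (also a documentation address) are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")          # primary home network (post #8)
IOT = ip_network("192.168.2.0/24")          # the "G" network behind the second router
GATEWAY = ip_address("192.168.0.1")         # internet router/modem (post #8)
HS3_SERVER = ip_address("192.168.0.10")     # assumed: HomeSeer box on the main LAN
ECOBEE = ip_address("192.168.2.105")        # assumed: thermostat on the IoT side
ECOBEE_CLOUD = ip_address("203.0.113.10")   # assumed: the vendor's cloud endpoint


@dataclass(frozen=True)
class Flow:
    """First packet of a new connection: source, destination, protocol, port."""
    src: str
    dst: str
    proto: str
    dport: int


def consumer_nat_router(flow: Flow) -> str:
    """Post #8 topology: a consumer router with its WAN port on the main LAN.

    Such a router forwards anything from its LAN side out of its WAN side and
    relies on NAT to discard unsolicited inbound connections. Nothing tells it
    that the "WAN" it is plugged into is a private network it should not reach.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in IOT:
        return "accept"      # 192.168.2.x -> 192.168.0.x is just "outbound" to this router
    if dst in IOT:
        return "drop"        # unsolicited inbound hits NAT with no port forward defined
    return "accept"          # traffic that never crosses this router is not its concern


def isolating_firewall(flow: Flow) -> str:
    """Post #12/#15 topology: both subnets hang off a firewall with explicit rules.

    Stateful semantics are assumed: replies to an accepted connection are let
    through by an established/related rule that this model does not spell out.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in LAN and src not in IOT:
        return "drop"        # no unsolicited inbound from the internet to either subnet
    if src in IOT:
        if dst == GATEWAY:   # IoT devices may only resolve names via the gateway
            return "accept" if (flow.proto, flow.dport) == ("udp", 53) else "drop"
        if dst in LAN:
            return "drop"    # the rule that post #12 says a consumer router lacks
        if src == ECOBEE:    # per-device egress allowlist where the vendor endpoint is known
            return "accept" if dst == ECOBEE_CLOUD and (flow.proto, flow.dport) == ("tcp", 443) else "drop"
        return "accept"      # other IoT devices: unrestricted egress (post #9's reverse-tunnel case)
    return "accept"          # the main LAN may initiate anywhere, including toward IoT devices


# Constructed flows, one per case the thread argues about.
FLOWS = {
    "iot_to_hs3_web":      Flow("192.168.2.110", "192.168.0.10", "tcp", 80),
    "iot_to_gateway_dns":  Flow("192.168.2.110", "192.168.0.1", "udp", 53),
    "hs3_to_ecobee":       Flow("192.168.0.10", "192.168.2.105", "tcp", 80),
    "ecobee_to_cloud":     Flow("192.168.2.105", "203.0.113.10", "tcp", 443),
    "ecobee_to_elsewhere": Flow("192.168.2.105", "198.51.100.7", "tcp", 4444),
    "internet_to_iot":     Flow("198.51.100.7", "192.168.2.105", "tcp", 22),
}


def evaluate(policy, flows=FLOWS) -> dict:
    """Return {flow name: verdict} for every constructed flow under one policy."""
    return {name: policy(flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for policy in (consumer_nat_router, isolating_firewall):
        print(policy.__name__)
        for name, verdict in evaluate(policy).items():
            print(f"  {name:22} {verdict}")
```

Running it prints both decision tables. The consumer-router column shows post #12's point: NAT stops unsolicited connections into the G network (so HS3 cannot reach the Ecobee without a port forward, which is what post #4 means by opening ports on the second router), but a G device opening a connection to 192.168.0.10:80 is ordinary outbound traffic to that router and is forwarded. Layering the routers the other way round, as post #12 suggests, moves the NAT boundary so the main LAN is on the inside, but it is the explicit drop rule for IoT-to-LAN traffic that does the isolating, and post #9's reverse-tunnel case is only addressed by the per-device egress allowlist, which a firewall can enforce where the vendor endpoint is known.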
