Solutions for Internet of Thieves 2

Posted by JD 02/11/2015 at 17:00

IoT is supposed to mean the Internet of Things – the idea that every device, from lamps, TVs, baby monitors and home security devices to washers, dryers, toasters, blenders, … thermostats, basically anything in the home that uses batteries, should be connected to the internet so we can monitor it from our smart phones and remote computers anywhere in the world.

The killer app? Wouldn’t it be nice to have a hot bath ready for you at 7pm, at exactly 106 degF, filled to exactly the level where your body brings it to the brim? Of course, you didn’t know you needed a bath to relax until about 4pm – while still at work.

Also, any vehicle, bicycle, kid, dog, cat, snake, or other pet you may have, would be located, tracked, available for messaging. Perhaps they have a webcam so you can see where the dog is?

Then there are all the services from vendors, restaurants, gas stations, and stores. Wouldn’t it be nice to see all the inventory in the corner store before you walk there for a visit? If you are up at 4am, has the daily paper already been delivered to the quickeeMart? Or what is the wait for a seat in the restaurant?

Nice Idea, Right?

But what happens if someone you didn’t intend gets access to your data and starts tracking you and your family? Yes, yes, we know you are boring and nobody would be interested. Actually, there are people who will watch other people doing nothing. Just look at reality TV? So now your life is reality TV and you don’t know it?

We all want the Jetsons’ house, where everything is clean, we can control everything from anywhere and it all just works without 100 hours of programming. On The Jetsons, I don’t remember any mention of security. Do you?

The Internet of Thieves

So, almost every company doing this appears to be giving ease of use priority over any real security. Besides using static keys and trusting broken SSL connections, they don’t include a way to easily update the firmware or software on these IoT devices. That means 90% of the devices will never be updated. That makes thieves happy.

Plus the companies making these devices really want a two-way trade with their customers. They want to gather information about how the device is really used, not how they think it is used. Cable TV companies have been doing this for decades. They’ve tracked every button pressed on the remote all this time. But that wasn’t enough, because people leave their cable box on 24/7 and it might be sitting on a channel that isn’t being watched. Plus our VCRs (remember those?) would change the channel and record for 30 or 60 or 120 minutes. Then the cable box would sit on that channel the rest of the day.

Have you heard about TVs with IR sensors? They claim to be adding the sensors to allow gesture control of the TV, but really it is to determine whether anyone is sitting in front of the TV … perhaps they’ll shut down parts of the box to save power if nobody is in the room? Sounds like a good thing, right?

Every different device has something similar. Yes, they want to make the device better for us, and I have no doubt that is the primary goal. They also want to gather as much other data as they can, to learn what other devices existing customers might buy so they can make some of those too. Sounds good, though not directly helpful to most of their customers. For example, the Roomba vacuums led to the Scooba mops. Very few Roomba buyers have gotten the Scooba. I don’t mind vacuuming, but I hate mopping. The Scooba was very interesting to me, but poor reviews, complaints about breakage and the $400 price have stopped me. Neither of these floor cleaners is internet connected today – but it wouldn’t be hard.

Stop the IoT (thieves) by forcing the use of a VPN to access those devices. Don’t trust the vendor’s security. This way you don’t have to patch 10 devices in your home; just the VPN needs to be constantly maintained. Most thieves won’t bother trying to hack a strong VPN – it is considered pointless. They will look for other attack vectors – like stealing your unlocked, unencrypted smartphone. ;)

Solution for Internet of Things?

VPN.

First, if the device will not work unless connected to the internet, don’t buy it. It should work perfectly with just a local network connection – on the LAN. The Plex Media Server is like that: it works without an internet connection; just some of the nice-to-have features don’t. A VPN won’t help with devices that must be internet connected to work.

Second, if the device requires a login to the vendor’s internet website to work, don’t buy it. That is the surest sign that a device is not just helping you, but also reporting back on what you do with it. My Roku requires this even when playing local media. That is crazy. The same applies to a Chromecast. The Plex Server wants me to have a Plex account online, but works fine without one too. There are also storage devices with this requirement. A VPN won’t help to secure a device that requires an internet website login to work either.

A few examples:

The Roku forcing an account makes no sense at all – sure, it should be optional to support payments for premium services, but every Roku has a deviceID and that ID is probably unique enough for a single-Roku home to get all the free services. Of course, with 2 or more Rokus or any premium subscriptions, it would be great to have a single account to tie these devices together.

The Plex online account provides external access to your media, but there are other ways to accomplish that without giving that company access to your server, the media on it, and stats about what you watch. Just use a VPN that you host from your home.

That is the generic solution for most of these devices. Instead of allowing company-controlled access to these devices, we need to take control of that access and force remote connections through a strong IPSec VPN. That should work for remote viewing/listening of media, controlling the bath tub, lamps, thermostat, checking the weather at the house,

Having a VPN to the house can be accomplished a few different ways. For 100% generic use, openvpn is the best choice, even if it isn’t the easiest to get working. The complexity of openvpn is due to the vast number of features it has. If you just want remote access but don’t need to stream video, there are much easier (perhaps 10x easier) solutions based on ssh. ssh is a tool that is fairly easy to set up and use from almost any platform. Most of the time it is used to forward a single port, not all ports like a VPN. I’ve written about ssh a few times here. A few articles:

ssh can be set up in a few minutes. There are clients for every OS out there. ssh includes sftp and scp – so access to all the files on your LAN is possible too. Nice? Setting up an ssh server for remote access is just about the first thing I do on a new Linux/Unix machine inside my home.
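As an added example (not from the original post), a small POSIX shell helper for the ssh-based approach described above: it refuses to tunnel to anything but a LAN address, prints the ssh port-forward command for one device, and prints an sshd_config fragment that limits what that login may forward to. The host name, user name and device address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the post's own code: reach a LAN-only IoT device
# (here a Plex server) through an ssh port forward to the home ssh server
# instead of through the vendor's cloud. Host, user and device address
# are constructed placeholders.

# Return 0 if $1 is an RFC 1918 private address. The device is supposed
# to be LAN-only, so a tunnel to any public address is refused.
is_lan_addr() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ssh command forwarding local port $1 to $2:$3 on the LAN via
# the home ssh server $4. -N opens no shell; ExitOnForwardFailure makes
# the client exit instead of sitting idle if the server refuses the forward.
iot_tunnel() {
    lport=$1; dev=$2; dport=$3; home=$4
    is_lan_addr "$dev" || { echo "refusing non-LAN target $dev" >&2; return 1; }
    echo "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 127.0.0.1:${lport}:${dev}:${dport} ${home}"
}

# Print an sshd_config fragment for the home server: keys only, no root,
# and forwards for this user allowed only to the one device (PermitOpen),
# so a stolen phone holding the key cannot reach the rest of the LAN.
sshd_fragment() {
    dev=$1; dport=$2; user=$3
    cat <<EOF
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
Match User ${user}
    AllowTcpForwarding yes
    PermitOpen ${dev}:${dport}
EOF
}

# Usage: after running the printed ssh command, the LAN Plex server is
# reachable from the remote machine at http://127.0.0.1:32400
iot_tunnel 32400 192.168.1.50 32400 jd@home.example.net
sshd_fragment 192.168.1.50 32400 jd
```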

Being Realistic

So, if I – Mr. Paranoid – can’t follow this advice, how can anyone else? I can’t answer that – besides saying that I barely use the Chromecast here and only use the Roku for watching premium content. My Plex server is not connected to a Plex online account and I don’t use any cloud services for anything I’m not willing to have on the front page of the New York Times.

Just assume that anything you put into the cloud can be accessed by bad people and that IoT devices will likely be attacked, compromised and used to attack other devices inside your home. Printers hacked, internet storage hacked – basically, just assume that anything on the internet can and will be compromised. Once it is out, you can’t get it back.

The Internet of Crappy Things.

  1. JD 10/24/2015 at 17:55

    Security for Internet of Things devices:
    http://www.net-security.org/secworld.php?id=19017

  2. JD 11/12/2015 at 14:37