IOT and Security

Discussion in 'General Network Security' started by AntonK, Feb 7, 2019.

  1. AntonK

    AntonK Senior Member

    Joined:
    Apr 10, 2015
    Messages:
    215
    L&LD likes this.
  2. umarmung

    umarmung Senior Member

    Joined:
    Apr 21, 2018
    Messages:
    243
    One more reason to segment your network and treat IoT networks as highly untrustworthy. Shame most consumer routers and stock software provide little to no tools to help typical users.

    Btw, LIFX eventually fixed that problem: https://www.lifx.com/pages/privacy-security

    Oddly enough, this is also a slight advantage of bridge technologies rather than every single IoT device using WiFi directly, so increasing the threat surface with every new device.
     
    AntonK likes this.
  3. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,998
    Location:
    San Diego, CA
    I think one of the more scary things is not just the devices, but the Apps on smartphone - nobody has really taken a close look at the apps - a misbehaving app could compromise a lot of personal info stashed in the smartphone.

    If the device maker isn't doing security well on the device, it's reasonable to assume that they're equally bad at the apps.
     
    AntonK likes this.
  4. sbsnb

    sbsnb Regular Contributor

    Joined:
    Aug 9, 2017
    Messages:
    172
    I assume that whoever developed the underlying operating system is working to enable such data theft, especially when their business model is monetizing personal information. I can't see any rational way to assume otherwise since the lack of security is plainly obvious to any competent person in the field.

    Better to treat these devices as hostile.
     
    AntonK likes this.
  5. Butterfly Bones

    Butterfly Bones Very Senior Member

    Joined:
    Apr 10, 2017
    Messages:
    769
    Location:
    California central coast
    Amen, serious privacy / security issues just identified.
    https://techcrunch.com/2019/02/06/iphone-session-replay-screenshots/

    Who knows what else is doing this on Apple or Android operating systems, that no one knows, including directly from Google, Apple, Samsung, Huawei, etc., etc.
     
  6. FatherLandDescendant

    FatherLandDescendant Regular Contributor

    Joined:
    Apr 7, 2017
    Messages:
    117
    Location:
    Kentucky
    That's why you VLAN a secondary router just for IOT devices. I only use wireless for my IOT and phone, the rest of my network is hardwired.

    I've never trusted putting personal info into my phone. I do very little on the internet with my phone, solves those kinds of problems altogether.
     
  7. sbsnb

    sbsnb Regular Contributor

    Joined:
    Aug 9, 2017
    Messages:
    172
    That's why I'll never use an app for something that can be done in a browser. I do not need to give Walmart access to my phone just to check prices - I can do that on walmart.com thank you. You'd be surprised how few apps you "need" if you do things that way.
     
    FatherLandDescendant and L&LD like this.
  8. FatherLandDescendant

    FatherLandDescendant Regular Contributor

    Joined:
    Apr 7, 2017
    Messages:
    117
    Location:
    Kentucky
    Doubt I'd be surprised, that's the way I do it myself ;)

    I have an app on my phone for reading the plugin I have in my truck's OBD2 port, Flipboard (gives me something to read when I'm waiting out somewhere), a TomTom app (so I can do hands free calls when using my GPS), Alexa and Eufy apps (IOT), and a weather radar app (so I can check storms when I'm fishing), and that's it.
     
  9. System Error Message

    System Error Message Part of the Furniture

    Joined:
    Oct 14, 2014
    Messages:
    4,078
    I've been in this position in a job before, they fired me and refused to listen to me in regards to design, they were storing passwords in the clear in the database and wanted to make a multi services multi currency gateway, money/finance related.

    The fault isn't in IoT but the idiots who design them, I'd say the same about D-Link too.
     
  10. FatherLandDescendant

    FatherLandDescendant Regular Contributor

    Joined:
    Apr 7, 2017
    Messages:
    117
    Location:
    Kentucky
    It's all about the data they can harvest, they don't care about the users' security...
     
    L&LD likes this.
  11. sbsnb

    sbsnb Regular Contributor

    Joined:
    Aug 9, 2017
    Messages:
    172
    I worked for a company that produced software to track employee attendance via proximity cards. I discovered that they left the user/pass to the database in the clear in the config files. When I reported it they told me it was no big deal because nobody was going to abuse it at a customer's site. So I wrote a little cron script that clocked me in and out of work at the appropriate times without me even having to be at work :) To make sure it didn't look scripted I chose a random time that was plus or minus 5 minutes from the target times.

    That taught me how seriously some businesses take security.
     
    Zonkd and L&LD like this.
  12. BenNoir

    BenNoir New Around Here

    Joined:
    Feb 25, 2019
    Messages:
    1
    My home security cameras are hardwired and isolated on a LAN which provides no access to the Internet, and further only allows cameras to talk to the camera DVR (not to each other). Special firewall rules allow limited access from the general network to the camera DVR. Cameras are poorly protected and make excellent attack platforms for the rest of your network. Any setup where you can access your cameras through a cloud service means others can as well.

    Personal devices like phones should only be connected via a guest network. Don't give them rich access to your networks needlessly. We have separate Guest and General Purpose SSIDs. If you really really need to have a phone access other devices on your LAN, then it can connect to the GP LAN. Friends or family who normally just need Internet access should be directed to the Guest network.

    Home automation devices should also be confined to a subnet with no Internet reachability. Interaction between HA devices is generally a requirement. Interaction between the HA LAN and GP LAN should be as limited as possible.

    I also isolate multi-media devices (Roku, Apple TV, TV DVRs) onto dedicated LANs. These devices need access to the Internet, but should not be allowed to access non multi-media devices. This is an excellent LAN to watch network traffic and pi-hole obvious data mining traffic. Smart switches can be used to VLAN isolate device families together thus preventing one owned device from attacking all multi-media assets. I avoid attaching TV monitors, DVD players and other devices to the Internet just because they have an RJ45 plug or wireless capability. Today everybody wants to collect your usage data.
     
    isometimestinker, sbsnb and umarmung like this.
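
The segmentation policy described in the post above, written out as an added example (not code from any poster in this thread): a default-deny zone matrix in Python that audits connection records against it. The subnets, the DVR address and the sample flows are constructed assumptions, since the post names none.

```python
import ipaddress

# Constructed addressing plan (assumption: the post names no subnets).
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "camera": "10.0.10.0/24", "ha": "10.0.20.0/24", "media": "10.0.30.0/24",
    "guest": "10.0.40.0/24", "gp": "10.0.50.0/24",
}.items()}
DVR = ipaddress.ip_address("10.0.10.2")  # constructed DVR address

# Zone pairs (source, destination) for new connections that the policy
# permits. Everything else is denied, including HA <-> GP until a
# specific exception is added.
ALLOWED = {
    ("ha", "ha"),                                # HA devices interact
    ("media", "media"), ("media", "internet"),   # media needs the Internet
    ("guest", "internet"),                       # guests: Internet only
    ("gp", "gp"), ("gp", "internet"),
}

def zone_of(ip):
    """Map an address to its zone; anything off-plan counts as internet."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "internet")

def allowed(src, dst):
    """True if a new connection src -> dst fits the segmentation policy."""
    s, d = zone_of(src), zone_of(dst)
    if "camera" in (s, d):
        a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s == d:                        # inside the camera LAN:
            return DVR in (a, b)          # camera <-> DVR only, never peers
        return s == "gp" and b == DVR     # limited GP access to the DVR
    return (s, d) in ALLOWED

def audit(flow_lines):
    """Return the (src, dst) pairs from 'src dst' records that violate policy."""
    flows = [tuple(l.split()[:2]) for l in flow_lines if l.strip()]
    return [f for f in flows if not allowed(*f)]

# Constructed flow records, e.g. distilled from router connection logs.
SAMPLE = [
    "10.0.10.11 10.0.10.2",    "10.0.10.11 10.0.10.12",   # cam->DVR, cam->cam
    "10.0.10.11 203.0.113.5",  "10.0.50.7 10.0.10.2",     # cam->net, GP->DVR
    "10.0.20.4 198.51.100.9",  "10.0.30.8 198.51.100.9",  # HA->net, media->net
    "10.0.30.8 10.0.50.7",     "10.0.40.3 10.0.50.7",     # media->GP, guest->GP
]

if __name__ == "__main__":
    for src, dst in audit(SAMPLE):
        print(f"VIOLATION {zone_of(src)} -> {zone_of(dst)}: {src} -> {dst}")
```

Any flow this audit flags is either a firewall rule that is looser than intended or a device that has landed on the wrong LAN.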