2

In the light of recent events around Mirai not being the only IoT botnet, but being joined by IoTroop / IoT_reaper (see here and here), I wondered what steps need to be taken to securely operate an IoT device. Obviously, just plugging the device into your public-IP internet connection is unwise. But I don't feel that this is the usual deployment scenario. My personal setup is a rather typical home user's: ISP -> cable modem -> wireless router, and all computers/devices behind this router. This means that there is some firewalling between any given device and the internet. As far as my experience from several companies and universities goes, there is a similar amount of firewalling if you plugged your IoT device into any of their in-house company network sockets.

So, the first part amounts to the question: What (network) attack vectors need to be considered?

In the above-mentioned setup I regarded the IoT device as not directly accessible from the internet. This does not seem to be true in the presence of a UPnP-enabled router. On several sites I found that deactivating UPnP increases your security. By my mediocre understanding of what UPnP does, this seems very logical, as I don't want insecure devices to poke holes into my firewall. But the same sites that suggest turning UPnP off never seem to mention what possible side-effects this might have. (I read that some software like Windows Live Messenger relies on UPnP?)

Without UPnP, and without manually redirecting any ports to my IoT device, it seems that my IoT device would need to make active connections. I can imagine two reasons to make such connections: connecting to an automatic firmware upgrade mechanism, and connecting to a manufacturer/third-party service that allows the device to be available from outside of my LAN (e.g. like the Ivideon service).

So, the second part of the question is: Do these active connections pose a threat? (Given that any accounts on such sites have decent passwords.) Does one need to be afraid of man-in-the-middle attacks on the FW-upgrade mechanism, or maliciously altered FW-images?

But what else am I missing?

[Of course, there are the two most basic suggestions one hears on a daily basis: change default passwords and apply firmware updates (if the manufacturer even cares to provide them).]

schroeder
    I have dozens of things, but none of them need port changes, that's weird. Any wifi connected thing can reach _out_ without restrictions to push data to the cloud, download new firmware, etc. I don't see why many "things" would need to be reached from outside, and that couldn't initiate a persistent connection w/o ports (like websockets) if such on-demand capabilities were needed. Usually, IoTs are owned by a compromised PC on the LAN that can sit around and run local scans looking for known vulns, not from across the world. – dandavis Oct 23 '17 at 11:33

2 Answers

0

UPnP can safely be disabled. If a service needs a port punched it’ll tell you.

In regards to MITM and altered firmwares: it’s a Wild West out there. Some manufacturers have secure signed images served on secure servers, some just flash whatever random binary they find over HTTP. You really won’t be MITM’d by your ISP, hopefully, so that’s not an issue; however, these unsigned and insecure firmware devices can be compromised from an adjacent compromised device. So if you’re already breached you may be in for an even bigger headache where your only real option is likely to bin the device. If the device is your fridge, I’m sorry.

The same principle applies to all outgoing connections as well, if there is some vulnerability in how the device handles the response data. If either the server is compromised or an adjacent device is compromised, then an insecure and vulnerable device could be hijacked.

What’s your best bet? Probably keeping them from accessing the wider internet. When that’s not possible, use client isolation so that hijacked devices can’t infect your other devices. Really, your best bet is to use as few IoT devices as possible, since you really have very little control over or access to the configuration.

Allison
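Allison's point about signed images, as an added example (not code from the answer or from any vendor): a device-side update check in Go that verifies an Ed25519-signed manifest with a key baked into the device, checks the downloaded image against the signed digest, and refuses downgrades. The manifest layout, the hypothetical vendor-side signing helper and the sample image are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Manifest is what the vendor signs: a version number and the SHA-256 of the
// image (assumed layout). The device trusts only the vendor public key it
// was built with, so swapping the download in transit cannot produce a valid one.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

func (m Manifest) bytes() []byte {
	b := make([]byte, 4, 36)
	binary.BigEndian.PutUint32(b, m.Version)
	return append(b, m.Digest[:]...)
}

// signManifest is the hypothetical vendor build step.
func signManifest(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.bytes())
}

// verifyUpdate is the device side: it rejects a forged or edited manifest, an
// image that does not hash to the signed digest, and any rollback to an older
// (still validly signed, but possibly vulnerable) release.
func verifyUpdate(pub ed25519.PublicKey, m Manifest, sig, image []byte, running uint32) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	if sha256.Sum256(image) != m.Digest {
		return fmt.Errorf("image digest does not match signed manifest")
	}
	if m.Version <= running {
		return fmt.Errorf("refusing downgrade: manifest v%d, running v%d", m.Version, running)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image") // constructed sample payload
	m, sig := signManifest(priv, 2, image)
	fmt.Println("genuine:", verifyUpdate(pub, m, sig, image, 1))
	image[0] ^= 1 // a single altered bit, as in-transit tampering would cause
	fmt.Println("tampered:", verifyUpdate(pub, m, sig, image, 1))
}
```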
0

What (network) attack vectors need to be considered?

All of them. Well, most of them, unless you happen to control the launch codes for nuclear missiles.

While, sitting behind a masquerading router with no port forwarding, external attackers can't connect directly to the IoT target, the IoT target may make frequent client connections out to the internet. Many devices are explicitly designed to behave like a server, but using polling or long-lasting client connections to a broker service, with the end result that they are no different from a server. There are even ways for it to communicate with the outside world without having to make a connection externally (e.g. DNS smuggling).

would need to make active connections

What is an "active" connection? I presume you mean a client connection.

never seem to mention what possible side-effects this might have

Because even when the role of the device is well defined (not the case in your question) the way it operates is not. The insecurity of IOT devices arises from multiple causes:

  • device not designed to operate securely
  • behaviour of device not documented
  • device deployed in a context other than that which it was designed for
  • users ignoring the documentation which is available when deploying the device

Do these [IOT device client] connections pose a threat?

Potentially yes. There are well known patterns for protecting against the third-party attacker model - but the reason people get excited about IoT devices is that so few of them implement these solutions, or fail to implement them correctly (e.g. requiring SSL, but not validating the certificate).

symcbean
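symcbean's points about outbound client connections and DNS smuggling, together with Allison's suggestion of client isolation, as an added example (not code from either answer): a small Go checker that applies an egress policy for an isolated IoT segment to flow log lines, flagging devices that reach the main LAN, contact hosts outside the vendor allowlist, or send DNS names shaped like smuggled data. The record format, subnets, allowlist and sample lines are all constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed policy for an isolated IoT segment (every address is made up):
// devices may reach only the vendor hosts and DNS, never the main LAN.
var (
	iotNet  = mustCIDR("192.168.50.0/24")
	lanNet  = mustCIDR("192.168.1.0/24")
	allowed = map[string]bool{"203.0.113.10": true, "203.0.113.20": true}
)

func mustCIDR(s string) *net.IPNet { _, n, _ := net.ParseCIDR(s); return n }

// checkFlow inspects one constructed flow record of the form
// "<ts> <src> -> <dst>:<port> <proto> [qname=<name>]" and returns an alert
// reason, or "" when the connection is within policy.
func checkFlow(line string) string {
	f := strings.Fields(line)
	if len(f) < 5 || f[2] != "->" {
		return "" // not a flow record we understand
	}
	host, port, err := net.SplitHostPort(f[3])
	if src := net.ParseIP(f[1]); err != nil || src == nil || !iotNet.Contains(src) {
		return "" // only IoT-segment sources are policed here
	}
	switch {
	case lanNet.Contains(net.ParseIP(host)):
		return f[1] + ": IoT device reaching the main LAN (client isolation breach)"
	case port == "53":
		// DNS itself is allowed, but long or deeply nested names are the usual shape of data smuggled out over DNS.
		for _, kv := range f[5:] {
			if q := strings.TrimPrefix(kv, "qname="); q != kv && (len(q) > 60 || strings.Count(q, ".") > 6) {
				return f[1] + ": suspicious DNS query " + q
			}
		}
		return ""
	case allowed[host]:
		return ""
	}
	return f[1] + ": outbound to non-allowlisted host " + host
}

func main() {
	fmt.Println(checkFlow("2017-10-23T11:33:00Z 192.168.50.21 -> 192.168.1.5:445 tcp"))
}
```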