Smart Home, Insecure Home.


At 7:00am EST on October 21, 2016, internet users began having connectivity problems reaching a large number of major internet properties, including Netflix, Twitter, Spotify and Amazon.com, as a key internet service provider was hit by a distributed denial of service (DDoS) attack facilitated by the Mirai botnet. The attack was unusual because not only was it the largest DDoS attack on record at that time (over 1.2 Tbps of traffic), but it was carried out by compromised network-connected cameras.

Smart devices like connected Crock Pots, washing machines, speakers, thermostats, and lighting controls have become ubiquitous in today’s home, but the convenience of connected devices often comes with unexpected costs. Devices are often manufactured and installed on the assumption that they will behave as intended, and security is frequently an afterthought.

If knowing that your connected devices can be used to take some of the largest internet sites offline isn’t enough to set off your Spidey Sense, there is also the story of a North American casino whose fish tank’s connected thermostat was compromised. From the fish tank, attackers were able to reach other devices on the network and eventually exfiltrate a database containing personal information on the casino’s high-stakes gamblers.

Why does this matter?

While keeping the internet a safe and productive place should alone be reason enough to care about securing your smart devices, it is critical for other reasons as well.

Having compromised devices on your network not only lets attackers peruse your archive of cat photos, it also puts all of your other personal information at risk. Long gone are the days of needing to worry about lifted checks; banking usernames and passwords have become far more valuable targets.

Sometimes you are even unlucky enough that the attackers are not interested in your data at all and instead use your high-speed internet connection as a springboard for other illicit activity.

So, what can I do?

Cybersecurity is a constant balance between imposed restrictions and accessibility of technology. There is no perfect approach to security, but there are some actions you can take to make your smart home more secure.

1. Update! Update! Update!

Sometimes Windows updates come at extremely inconvenient times, but keeping your devices up to date is by far the most effective way to reduce security threats. Many recent security incidents, like Equifax’s data breach, could have been prevented by applying security updates promptly, since updates close many of the known entry points used by malicious actors.

Just like your smart phone or laptop, the software on your smart devices should be updated regularly. While a lot of the devices used in the Mirai botnet now have patches available, many of them have yet to be patched and continue to be exploited by newer variants of the malware.

2. Segregate IoT devices from your primary network

A lot of newer home-networking equipment (and enterprise-grade equipment) allows you to create multiple subnetworks (VLANs). By placing the devices on a secondary VLAN, their traffic must be routed, and can therefore be forced through the firewall, before it reaches the user devices on your primary network.

On many consumer-grade wireless routers this can be accomplished by creating a second “guest” wireless network and assigning a different subnet to it.

Note: If you have devices that rely on mDNS (e.g. Apple TV) or IGMP (e.g. Sonos), this may not work without some additional setup and may require network equipment that can do mDNS reflection and IGMP proxying, since neither protocol crosses subnet boundaries on its own.

3. Firewall settings

It should go without saying that inbound traffic to your local network should be blocked; however, there are other firewall rules you should consider putting in place:

  1. Disable UPnP support on your router/firewall; it is a well-known attack vector because it lets devices open inbound ports on their own.
  2. Create a drop rule for traffic coming from your devices’ subnetwork to both your primary network and the internet.
  3. Since the previous rule essentially cuts your devices off from the world, you now need to create an allow rule for each specific device, permitting it to communicate with the internet on only the ports it needs to function properly.
  4. Block access to external DNS for your smart devices (this should be covered by the rules above, but I want to explicitly call out this important rule).

While these firewall rules alone don’t address all the attack vectors for connected devices, they are part of a broader security strategy that includes the network segregation we already covered and DNS filtering.
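The four rules above, expressed as an ordered first-match policy and evaluated against a few sample flows. This is an added example, not code from the original post; the addresses, the thermostat device and its single allowed port (443) are constructed for illustration, and rule names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for this example: primary LAN, IoT VLAN and the local resolver.
PRIMARY_LAN = ipaddress.ip_network("192.168.1.0/24")
IOT_VLAN = ipaddress.ip_network("192.168.50.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
LOCAL_DNS = ipaddress.ip_network("192.168.50.1/32")     # router / Pi-hole on the IoT VLAN
THERMOSTAT = ipaddress.ip_network("192.168.50.20/32")   # hypothetical device

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "accept" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, src, dst, proto, dport) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in (None, proto)
                and self.dport in (None, dport))

# First-match policy. The per-device allows sit ABOVE the blanket drops; on a
# first-match firewall an allow placed below the drop would never be reached.
POLICY = [
    Rule("primary-to-iot", "accept", PRIMARY_LAN, IOT_VLAN),               # you controlling your devices
    Rule("iot-dns-local-only", "accept", IOT_VLAN, LOCAL_DNS, "udp", 53),  # the resolver that does the filtering
    Rule("thermostat-https-out", "accept", THERMOSTAT, ANY, "tcp", 443),   # rule 3: only the port it needs
    Rule("iot-drop-to-primary", "drop", IOT_VLAN, PRIMARY_LAN),            # rule 2
    Rule("iot-drop-external-dns", "drop", IOT_VLAN, ANY, "udp", 53),       # rule 4, called out explicitly
    Rule("iot-drop-internet", "drop", IOT_VLAN, ANY),                      # rule 2
]

def verdict(src: str, dst: str, proto: str, dport: int, policy=POLICY):
    """Return (action, rule_name) for the first rule matching this flow; deny by default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(s, d, proto, dport):
            return rule.action, rule.name
    return "drop", "default-deny"

if __name__ == "__main__":
    for flow in [("192.168.50.20", "192.168.50.1", "udp", 53),
                 ("192.168.50.20", "198.51.100.53", "udp", 53),
                 ("192.168.50.21", "203.0.113.10", "tcp", 443)]:
        print(flow, "->", verdict(*flow))
```

Adding a second device means adding its own narrow allow rule above the drops; nothing else in the policy changes.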

4. DNS Filtering

Many network-savvy users may be scratching their heads after reading the above firewall rules, realizing that we didn’t whitelist the specific IP addresses the devices are allowed to talk to. Since many of the services used by connected devices are hosted in the cloud, they often don’t have a fixed list of IP addresses needed for communication, so we have to take a different approach: DNS filtering.

DNS filtering lets us inspect the name resolution requests devices make and ensure they aren’t trying to connect to command and control (C2) servers like i.0wn.yourdevice.ru.

In its simplest form, you can implement DNS filtering with services like Cisco Umbrella (formerly OpenDNS) or Norton ConnectSafe, which replace your internet service provider’s DNS servers and provide a blacklist of known bad sites.

If you are a little more tech savvy you can also look at options like Pi-hole, which is a self-contained DNS blackhole server designed to run on a Raspberry Pi, or set up your own Bind9 DNS server and use RPZ lists to whitelist the names your devices’ VLAN is allowed to resolve (this is the approach I take; while more cumbersome to set up, it provides a higher level of security).
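A model of the whitelist-style RPZ approach described above: allowed names get a passthru trigger (exact and wildcard), and a bare wildcard catch-all rewrites everything else to NXDOMAIN. This is an added example, not the author’s zone file; the allowed domains are hypothetical, and the rendered zone is the text you would load as a response-policy zone in Bind9.

```python
from typing import Iterable

# RPZ actions are expressed as CNAME targets that BIND interprets specially.
PASSTHRU = "rpz-passthru."   # answer the query normally
NXDOMAIN = "."               # rewrite the response to NXDOMAIN

def _norm(name: str) -> str:
    return name.strip().rstrip(".").lower()

def rpz_action(qname: str, allowlist: Iterable[str]) -> str:
    """Model what the whitelist zone does with qname.

    Each allowed domain is published as an exact trigger plus a wildcard for
    its subdomains, and the trailing '*' catch-all hits anything else. A
    passthru trigger is always more specific than the catch-all, so the
    decision reduces to: is qname an allowed name, or underneath one?
    """
    q = _norm(qname)
    for allowed in map(_norm, allowlist):
        if q == allowed or q.endswith("." + allowed):
            return PASSTHRU
    return NXDOMAIN

def render_rpz_zone(allowlist: Iterable[str], serial: int = 1) -> str:
    """Emit zone text for the whitelist; the '*' catch-all must be last in spirit,
    but RPZ precedence (not file order) is what makes the passthru entries win."""
    lines = [
        "$TTL 300",
        f"@ SOA localhost. root.localhost. {serial} 3600 600 86400 300",
        "@ NS localhost.",
    ]
    for allowed in sorted(set(map(_norm, allowlist))):
        lines.append(f"{allowed} CNAME {PASSTHRU}")      # the domain itself
        lines.append(f"*.{allowed} CNAME {PASSTHRU}")    # anything beneath it
    lines.append(f"* CNAME {NXDOMAIN}")                  # everything else: NXDOMAIN
    return "\n".join(lines) + "\n"

# Hypothetical services the devices on the IoT VLAN are allowed to resolve.
ALLOWED = ["vendor.example", "time.example.net"]

if __name__ == "__main__":
    print(render_rpz_zone(ALLOWED))
    for name in ["api.vendor.example", "notvendor.example", "i.0wn.yourdevice.ru"]:
        print(name, "->", rpz_action(name, ALLOWED))
```

Because the catch-all covers every name, a device that reaches for a domain you never listed simply gets NXDOMAIN, which is also the event worth logging.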

5. Logging

Finally, as with any security strategy, logging is a key component, and unfortunately one of the toughest challenges to address with consumer-grade network equipment.

Some consumer devices today support sending their logs to a remote “syslog” server, which is a collection and storage point for logs from multiple sources. The logs can then be aggregated and analyzed with a variety of tools (I work for Microsoft so I use Azure Log Analytics, but software like Nagios can also be used).

If your device doesn’t support a mechanism to ship its logs elsewhere, it is highly recommended to review them regularly on the device itself and look for any abnormal activity.
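What “abnormal activity” looks like in the firewall’s drop logs once the rules from section 3 are in place: a device trying to reach an external resolver, probing telnet on the primary network, or fanning out to many destinations. This is an added example, not part of the original post; the log lines are constructed in a netfilter-style key=value format, which is an assumption about your router’s output, and the IOT-DROP prefix, addresses and thresholds are hypothetical.

```python
import re
from collections import defaultdict

# Constructed syslog lines in the netfilter LOG style (SRC=/DST=/PROTO=/DPT=).
# Adjust LINE_RE if your firewall emits a different format.
SAMPLE_LOGS = """\
Oct 21 07:00:01 gw kernel: IOT-DROP IN=vlan50 OUT=eth0 SRC=192.168.50.20 DST=198.51.100.53 PROTO=UDP SPT=4021 DPT=53
Oct 21 07:00:02 gw kernel: IOT-DROP IN=vlan50 OUT=vlan1 SRC=192.168.50.31 DST=192.168.1.10 PROTO=TCP SPT=51000 DPT=23
Oct 21 07:00:02 gw kernel: IOT-DROP IN=vlan50 OUT=vlan1 SRC=192.168.50.31 DST=192.168.1.11 PROTO=TCP SPT=51001 DPT=23
Oct 21 07:00:03 gw kernel: IOT-DROP IN=vlan50 OUT=vlan1 SRC=192.168.50.31 DST=192.168.1.12 PROTO=TCP SPT=51002 DPT=2323
Oct 21 07:00:04 gw kernel: IOT-DROP IN=vlan50 OUT=eth0 SRC=192.168.50.20 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=8883
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)")
LOCAL_DNS = "192.168.50.1"          # the only resolver the IoT VLAN is allowed to use

def parse_drops(text):
    """Yield (src, dst, proto, dport) for every logged drop from the IoT VLAN."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and "IOT-DROP" in line:
            yield m["src"], m["dst"], m["proto"].upper(), int(m["dpt"])

def summarize(text, fanout_threshold=3):
    """Per-device drop counts plus the findings a reviewer should look at first."""
    per_dev = defaultdict(lambda: {"drops": 0, "dsts": set(), "ext_dns": 0, "telnet": 0})
    for src, dst, proto, dpt in parse_drops(text):
        d = per_dev[src]
        d["drops"] += 1
        d["dsts"].add(dst)
        if dpt == 53 and dst != LOCAL_DNS:
            d["ext_dns"] += 1                 # bypassing the filtering resolver
        if proto == "TCP" and dpt in (23, 2323):
            d["telnet"] += 1                  # the ports Mirai-style worms spread over
    findings = []
    for src, d in sorted(per_dev.items()):
        if d["ext_dns"]:
            findings.append((src, "external DNS attempt"))
        if d["telnet"]:
            findings.append((src, "telnet probing"))
        if len(d["dsts"]) >= fanout_threshold:
            findings.append((src, "high destination fan-out"))
    summary = {s: {"drops": v["drops"], "destinations": len(v["dsts"])} for s, v in per_dev.items()}
    return summary, findings

if __name__ == "__main__":
    summary, findings = summarize(SAMPLE_LOGS)
    for src, counts in sorted(summary.items()):
        print(src, counts)
    for src, what in findings:
        print("REVIEW:", src, what)
```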

While the IoT industry has begun to recognize the need for security, there are many older devices still on the market. With a little bit of effort, everyone can help make the internet a safer place.