Most people connect IoT (Internet of Things) devices to their wireless or wired network without worrying too much about security implications – after all, if the device is behind a firewall it must be reasonably safe, right?
IoT devices often have "Smart" in their name for some reason, such as Smart TVs, Smart Thermostats, Smart Lights, and even Smart Toasters. Some will try to discover what's around them automatically and helpfully offer streaming services to whichever compatible device is in your vicinity. Despite their names, most of the devices aren't very smart defensively and are often designed with little regard to security. I've seen my share of poor decision making as it relates to balancing the trade-offs between functionality and security – in the professional world and in my own home.
Understanding IoT Devices and How Security Works
Consumers understandably expect devices to securely integrate with the Internet of Things ecosystem. These devices typically offer features that range from pure convenience to "critical to human life." Some of these items could be fridges, TVs, picture frames, thermostats, light bulbs, gaming and entertainment systems, VOIP phones, solar monitoring systems, utility monitoring systems, security/alarm systems, building control systems, and even medical equipment. In most cases the devices don't even meet the most basic endpoint security best practices: running a firewall, removing or at least changing default accounts or sample features, running with reduced privileges, reducing the number of services, yadda yadda. Not quite excusable but not grossly incompetent or negligent either.
In some cases, however, the devices almost seem to go out of their way to reduce security and expose your personal data or authentication credentials (aka the "dog and pony show demo" or perhaps "Minimally Viable Product"). This is often because organizations make 11th-hour decisions to not address security issues (that slipped through the cracks during testing) so that the product can make its ship date. I’ve led software development programs in my past life so I am sympathetic to walking the features/security tightrope. However, there are some vulnerabilities that have no excuse for not being addressed prior to release due to the risk of exposure they place on end-users and consumers. This is where things went awry for me.
Connecting Smart Devices at Home...Be Aware of Threats!
Most people connect smart devices to the same network all of their other devices are on out of convenience or necessity. In my house, assuming I am willing to grant access to a device at all, I segregate smart / IoT devices as much as possible to limit the scope or attack surface of my network. I also lock down and monitor what is going into and out of that network a bit more than your average user, and in some cases your average SMB (depressingly). In the case of my fridge, I allowed it to have monitored access to the Internet. Because we don't have other products from the same manufacturer, we could not use its home integration features to link up with a phone and TV. As a result, I configured the fridge to connect to a WiFi network dedicated to these devices (I am not your average consumer and our home network is somewhat…complex). I configured our ZIP code for the weather app, and I granted access to our shared family Google calendar. We also copied a few photos of the kids and pets to the fridge's photo screensaver from a memory card. It was a wonderful conversation piece during family gatherings.
My son loved the ability to check the weather every morning before school, and the whole family used the Google Calendar feature to keep tabs on who needed to be where, when they had to be there, when they had to leave, and for how long they'd be there. It was the closest our family came to "being on the same page" we could ever manage. But alas, it was not to be.
One morning I was having difficulty with a VOIP call on my business network segment that is completely isolated from all the other devices, but still dependent on the same Internet connection. I logged into my networking gear and saw that the IoT network was using all upload bandwidth and a good portion of the download bandwidth. This just so happened to be a few weeks after a popular hacking convention where some issues with WiFi-enabled fridges were discovered and disclosed, and a little bell went off in my head.
I blocked the MAC address of the fridge in the router and then hurriedly made my way to the fridge and disabled its WiFi interface. I also logged into Google's admin console and revoked the device's auth token and then disabled the account it was using for calendar access. It remains in this state today and no new IoT devices have been added since. In fact several "cheap-o" devices had Internet privileges revoked as precautionary measures after more IoT devices made headlines.
Addressing the Threat of Smart Devices
I did not attempt to investigate too deeply, but whether compromised or simply poorly designed, my fridge should never be using all my outbound bandwidth. My initial thought was that the device was being used to relay spam with the Google Calendar account. It could have been sending all the pictures we put onto the fridge to some remote server. Or it could have been scanning our network and reporting back what it found: any other devices to compromise and use as jump points or containing valuable data?
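The symptom above, a single device on the IoT segment saturating the upload link, is something a monitoring job can flag automatically; the following Python script is an added example and not part of the original post. It assumes the router exposes a cumulative per-device upload byte counter sampled once a minute; the uplink speed, thresholds, MAC addresses and counter values are all constructed for illustration.

```python
"""Flag IoT-segment devices that sustain a large share of the uplink."""
from collections import defaultdict

UPLINK_BPS = 10_000_000   # assumed upload capacity: 10 Mbit/s
SHARE_LIMIT = 0.5         # assumed alert level: 50% of the uplink
SUSTAINED = 3             # assumed: that many consecutive samples
INTERVAL_S = 60           # counters are sampled once a minute

QUIET = "02:00:00:00:00:01"   # constructed MAC: a low-traffic device
NOISY = "02:00:00:00:00:02"   # constructed MAC: the misbehaving device

# Constructed samples: (minute, mac, cumulative bytes sent towards the WAN).
SAMPLES = [
    (0, QUIET, 1_000_000), (0, NOISY, 5_000_000),
    (1, QUIET, 1_200_000), (1, NOISY, 65_000_000),
    (2, QUIET, 1_400_000), (2, NOISY, 125_000_000),
    (3, QUIET, 90_000),    (3, NOISY, 185_000_000),   # QUIET rebooted
    (4, QUIET, 300_000),   (4, NOISY, 245_000_000),
]


def upload_rates(samples, interval_s=INTERVAL_S):
    """Convert cumulative byte counters into per-interval rates in bit/s."""
    last, rates = {}, defaultdict(list)
    for minute, mac, tx_bytes in sorted(samples):
        if mac in last:
            delta = tx_bytes - last[mac]
            if delta < 0:          # counter reset: count from zero again
                delta = tx_bytes
            rates[mac].append((minute, delta * 8 / interval_s))
        last[mac] = tx_bytes
    return rates


def flag_heavy_uploaders(samples, uplink_bps=UPLINK_BPS,
                         share=SHARE_LIMIT, sustained=SUSTAINED):
    """Return {mac: minute} for devices over the limit `sustained` times in a row."""
    flagged = {}
    for mac, series in upload_rates(samples).items():
        run = 0
        for minute, bps in series:
            run = run + 1 if bps >= share * uplink_bps else 0
            if run >= sustained:
                flagged[mac] = minute
                break
    return flagged


if __name__ == "__main__":
    for mac, minute in flag_heavy_uploaders(SAMPLES).items():
        print(f"ALERT {mac}: sustained upload above limit by minute {minute}")
```

Requiring several consecutive samples keeps a one-off burst such as a firmware download or photo sync from raising an alert, and the reset handling keeps a device reboot from producing a bogus negative rate.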
Luckily it was just a fridge with some entertainment features on a boring and fruitless network, but if an attacker could use a compromised device to shut down my refrigeration that would be an expensive problem. If the attacker was able to control my lighting, that might just be an annoying problem. If the attacker compromised a thermostat, that could be an even more expensive problem, or even a dangerous problem. If the attacker gained access to a VOIP phone that could lead to identity theft. An alarm system: physical access. Still not as scary as a medical device attached to or implanted inside your body…
So my advice? Unless you really "need" it, keep it disconnected. If you really need to control your TV from your fridge… well the answer is you don't really need to control your TV from your fridge. ;-)
If you don't want to be called a Luddite by college-age relatives, consider a WiFi router that lets you set up multiple separate WiFi networks and use one for your laptop and personal devices, one for less trusted IoT devices, and, if you have the option, one for guest access!
Here are some interesting related articles. Enjoy!
- https://www.pentestpartners.com/blog/hacking-defcon-23s-iot-village-samsung-fridge/
- http://www.makeuseof.com/tag/samsung-smart-fridge-pwned/
- http://fortune.com/2015/08/24/samsungs-smart-fridge-hacked/
- http://www.theregister.co.uk/2015/08/24/smart_fridge_security_fubar/
- http://9to5google.com/2016/03/02/u8-smartwatch-spyware/
- http://www.computerworld.com/article/2981527/cybercrime-hacking/researchers-hack-a-pacemaker-kill-a-man-nequin.html