
IoT - security and privacy "how-to"

  • 13-11-2016 1:32pm
    #1
    Closed Accounts Posts: 3,362 ✭✭✭


    Hello,

    Now that the IoT got its own home here, I was wondering how do you balance or compromise the security & privacy versus comfort & laziness of the system.

    Can we compile a "FAQ" / "how-to" in setting up, securing and best procedures for our protection, please!?

    Thanks

    PS:
    Weekend lecture HERE .
    Thanks


Comments

  • Registered Users Posts: 3,739 ✭✭✭BigEejit


    I recently changed broadband provider here in the UK, from BT to Vodafone. The old setup had a separate VDSL modem and router; I used my own router, which was far better in just about every way. I also had a Sophos UTM box between the modem and my router. Vodafone gave me an all-in-one box and I have been using it on its own for a couple of days, partly because when you change provider they do funky stuff with the phone line to maximise speed while keeping power down and partly because I wanted to see what the box on its own could do.

    From an IoT security standpoint it is utter siht. I cannot turn off the internet to an individual IP, if I turn off UPnP we can't connect new devices over wifi, so I turn on UPnP and within minutes my Hikvision IP cameras have opened half a dozen ports each. I have a few Pi Zeros I am playing around with and I don't trust that they will be safe either.

    I will be reintroducing my UTM box and using my own router from this evening, but how many ordinary users will just use their box and end up with every single thing on their network pwned because they automagically opened ports on their own left right and center?
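
Added example (not part of the thread or of any poster's setup): one way to check what UPnP has opened on a router is to compare its port-mapping table against a short list of mappings you approved yourself. The sample table is constructed and laid out like the listing printed by miniupnpc's `upnpc -l` (the layout is an assumption); the host addresses, device names and allowlist are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a router's UPnP port-mapping table, laid out like the
# listing printed by miniupnpc's `upnpc -l` (layout assumed, values invented).
SAMPLE = """\
 0 TCP  8000->192.168.1.64:8000  'cam-front' '' 0
 1 TCP   554->192.168.1.64:554   'cam-front' '' 0
 2 TCP  8001->192.168.1.65:8000  'cam-back' '' 0
 3 UDP 51820->192.168.1.10:51820 'vpn' '' 3600
 4 TCP  2222->10.0.0.7:22        'unknown' '' 0
"""

ROW = re.compile(r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->([\d.]+):(\d+)\s+'([^']*)'\s+'[^']*'\s+(\d+)\s*$")

def parse_mappings(text):
    """Return one dict per mapping row; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, ext, host, port, desc, lease = m.groups()
            rows.append({"proto": proto, "ext_port": int(ext), "host": host,
                         "int_port": int(port), "desc": desc, "lease": int(lease)})
    return rows

def audit(rows, approved, lan="192.168.1.0/24"):
    """Flag mappings the owner did not approve, with the reason for each."""
    net = ipaddress.ip_network(lan)
    findings = []
    for r in rows:
        reasons = []
        if (r["proto"], r["ext_port"], r["host"]) not in approved:
            reasons.append("not approved")
        if ipaddress.ip_address(r["host"]) not in net:
            reasons.append("target outside LAN")
        if r["lease"] == 0:  # lease 0 is treated here as never expiring (assumption)
            reasons.append("no lease expiry")
        if reasons:
            findings.append((r, reasons))
    return findings

def ports_per_host(findings):
    """Count flagged mappings per internal host (noisy devices stand out)."""
    return Counter(r["host"] for r, _ in findings)

if __name__ == "__main__":
    approved = {("UDP", 51820, "192.168.1.10")}  # hypothetical owner allowlist
    for r, why in audit(parse_mappings(SAMPLE), approved):
        print(f'{r["proto"]} {r["ext_port"]} -> {r["host"]}:{r["int_port"]} ({r["desc"]}): {", ".join(why)}')
```
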


  • Closed Accounts Posts: 4,620 ✭✭✭Roen


    I'm building as much of it as I can myself.

    Presence via encrypted MQTT to my own broker.

    Automation rules will be set up via my own instance of HA.

    Internally everything is over my own network here. Externally I port forward the bare minimum. And that's just from select IPs (work).

    All the source code for everything I've used so far is available to go through.

    Running DDWRT on the router and that's locked down as well as it can be. Only port 22 open and set to accept login from my ssh key only.

    So at that stage you'd need physical access to my kit. And if you have physical access to nearly anything all bets are off to be honest.


  • Registered Users Posts: 3,739 ✭✭✭BigEejit


    But your setup Roen and what I have probably amount to 0.01% of all users who have IoT kit like IP cameras, weather stations etc. Almost everyone else just wants simplicity and are completely unaware that their cameras are part of a botnet. I'd go so far as to say if you sat them down and explained that their camera was used along with a million others to knock faecebook/twatter offline they just would not give a siht.


  • Registered Users Posts: 8,740 ✭✭✭degsie


    It's up to the manufacturers to enforce security as most users are sheeple and as mentioned already would not give one IoTa about netbots or any other attack vectors.


  • Closed Accounts Posts: 4,620 ✭✭✭Roen


    True for you BigEejit,

    A lot of the blame lies at the feet of the people that fail to keep their kit updated, but a fair portion lies at the feet of the manufacturers.

    A lot of cameras and IoT devices simply don't have upgrades available. Smart TVs, cheap cameras, fridges etc still running on the same firmware that they shipped with a few years back.

    That's one hell of a botnet for you waiting in the wings!


  • Registered Users Posts: 1,711 ✭✭✭Gryzor


    This is something I've thought about a few times and always plan on getting around to looking into, as I have a few devices exposed on the internet.

    Hikvision cameras - have firewalls turned on, but no idea if they are any good
    Satellite box - exposed on a custom port to allow remote setup of recordings etc.
    Netatmo stat - not sure how exposed this is?

    Have a D1000 eircom router with firewall on medium I think, but probably not up to much either.

    Without having to get into complicated networking setups, what can the average joe do to minimise exposure?


  • Registered Users Posts: 8,740 ✭✭✭degsie


    Gryzor wrote: »
    Have a D1000 eircom router with firewall on medium I think, but probably not up to much either.

    You may have bigger issues...
    http://www.boards.ie/vbulletin/showthread.php?t=2057673378


  • Moderators, Society & Culture Moderators Posts: 24,401 Mod ✭✭✭✭robindch


    At the moment, my heating, sound, lighting and media are on a private house network with internet provided by a Virgin Media Horizon box. Everything's working fine from my mobile when I'm at home. There's no bridging or port-forwarding or anything from inside to outside or outside to inside, so all the house network elements are inaccessible if I'm not at home.

    I was recommended a FortiGate 30E firewall appliance, so the order went in last week and it should be arriving today and it'll be sitting between the Horizon box and the house network to provide VPN-level access to authorized devices from outside home. If it's set up correctly (and a friend will be doing that for me :)) then this means that when the VPN app on the phone is running and logged-in, that my phone and anything else will believe that it's on the home network, even when it's not at home.

    The FortiGate website is here and the 30E data sheet is here.


  • Closed Accounts Posts: 4,620 ✭✭✭Roen


    Here's a handy tutorial for using Tor to hide your Home Assistant install.
    I have no doubt it can be used for other services too.

    https://home-assistant.io/cookbook/tor_configuration/

    Also useful for buying Uzis and uranium no doubt.

