[Was: TP-Link issues resolved (kind of)] Can I prevent my IOT devices, once compromised, to access my primary network ?
Philip Pedersen
ppederse at speakeasy.org
Wed May 20 16:49:39 EDT 2020
Steve Gibson went further using a Ubiquiti EdgeRouter and managed switches. See
https://www.grc.com/sn/files/ubiquiti_home_network.pdf
The reasons to segregate IOT devices are that they are notorious for having multiple security vulnerabilities, mostly won’t be patched without manual intervention even if patches are available, and have no protection against someone who can get physical access to them. McAfee did a nice job looking at the WiFi-enabled garage door opener from Chamberlain, as an example. See https://www.mcafee.com/blogs/other-blogs/mcafee-labs/we-be-jammin-bypassing-chamberlain-myq-garage-doors/
With a separate network for your IOT devices, it makes it harder to compromise stuff on your home network, but not impossible. It would take a hack that would use multiple vulnerabilities on different devices. Let’s say there’s an authentication bypass vulnerability in the Vera that allows someone to login to your Vera through the Vera cloud. An attacker could use this access to change the code in the Vera to then craft a special webpage that would compromise the Safari browser on your Xtension machine the next time you logged in to the Vera’s web interface. Safari would then download malware specified on the webpage to fully compromise your Xtension machine and, ultimately, your entire house network.
The above is a lot of work and takes a lot of time. I wouldn’t expect there to be a high probability that it would happen to any of us on this list unless one of us is targeted by a state actor with the resources to do it. However, since the one-step compromise of IOT devices is so much easier, i.e. less cost to do the hack and thus more probable, it makes sense to segregate them. Note that you also don’t know if the cheap IOT device isn’t phoning home to the manufacturer with your information.
The setup for a segregated network would include routing rules for each IOT device specifying what it could connect to on the Internet and to the internal network. In a lot of cases, the PC on the internal network makes the connection, so there’s no access from the IOT device to the internal network. That limits the probability of compromise since it requires an active step from the internal machine.
The setup for a segregated network configuration is complex and needs some ongoing maintenance as well. You really have to consider the probability and cost of compromise, i.e., the risks, versus the cost to you of adding and maintaining the security controls to mitigate the risks. I personally think segregating untrusted IOT devices on a separate network, limiting access from them to the Internet and to your internal networks, and only allowing known MAC addresses to connect to your networks goes a long way to protect your information and is probably more than sufficient for most non-commercial users. I also wouldn’t enable any WiFi devices that allow physical access to your house or garage.
Phil
Sent from my iPad
> On May 20, 2020, at 1:17 PM, Michel Angelo <michel_angelo at me.com> wrote:
>
> On 19 May 2020 at 22:54, James Sentman <james at sentman.com> wrote:
>
>> There are those among us (who shall remain nameless but some responded to this thread ;) who maintain 2 (or more!) separate subnets on the same physical medium. Some thinking it gives more security or something, but it’s all on the same wire so anyone can read it if they have hacked your machines. It will take about 3 minutes longer for them to hack you if that is your goal ;)
>
> This is, I believe, a new thread:
>
> Internet of things (« IOT ») devices are believed to contain enough hardware and software to become prime targets for hackers willing to use them with malicious intent, say to compromise my primary computer. Examples of hackable devices are smart bulbs connected to the internet. I have always heard the same recommendation: protect these IOT devices from access from the WAN and, as a protection against the situation where matters would go horribly wrong, deny them any unsolicited access to your primary resources. Network isolation is a recommended method to this end (see « three dumb routers » and follow-up advice by Steve Gibson of GRC <https://pcper.com/2016/08/steve-gibsons-three-router-solution-to-iot-insecurity/>). The original solution was with physically separated networks (separate wires); the next solution uses Virtual LANs where packets are tagged and the wires or wifi channels are the same.
>
> In the setup I described, I use a separate VLAN for IOT devices. So far, the sole IOT device I have which is connected (to the VLAN) is the Vera. Beyond the Vera, everything is Z-Wave+.
>
> My question is: assuming a hacker succeeds in gaining control of the Vera from the outside, directly or through the Z-Wave network, how is he going to pass through (or avoid) the pfSense firewall and gain access to my primary network?
>
> Is that configuration insecure? It seems to be, but I fail to see how. Thank you for any hint on this.
>
> —
> Michel Angelo
> <michel_angelo at me.com>
>
>
>
> _______________________________________________
> XTensionList mailing list
> XTensionList at machomeautomation.com
> http://mail.machomeautomation.com/mailman/listinfo/xtensionlist
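The policy Phil describes above (an IoT VLAN whose devices may only reach listed Internet endpoints, never initiate connections into the internal network, with replies allowed only for sessions the internal PC opened, plus a MAC allowlist) can be modelled as a small stateful rule set. The following is an added example written for this thread, not code from either poster or from pfSense; the addresses, MAC addresses and vendor endpoint are constructed placeholders. A real firewall such as pfSense keeps the equivalent state table for you; the point of the model is to show why a compromised hub on the IoT VLAN still cannot open a connection to the LAN, while the LAN-initiated session to the hub's web interface keeps working.

```python
"""Toy stateful policy for a segregated IoT VLAN (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing; substitute your own ranges.
LAN = ip_network("192.168.1.0/24")        # trusted internal network
IOT_VLAN = ip_network("192.168.20.0/24")  # untrusted IoT VLAN

# MAC allowlist: only these hardware addresses may send at all (constructed values).
KNOWN_MACS = {
    "aa:bb:cc:00:00:01",  # laptop on the LAN
    "aa:bb:cc:00:00:10",  # home-automation hub on the IoT VLAN
    "aa:bb:cc:00:00:11",  # smart bulb on the IoT VLAN
}

# Per-device egress allowlist: IoT source IP -> {(destination, port)} it may open.
# Anything not listed is dropped, so each device reaches only its own vendor cloud.
IOT_EGRESS = {
    "192.168.20.10": {("203.0.113.5", 443)},  # hub -> vendor cloud API over TLS only
    "192.168.20.11": set(),                   # bulb: no outbound access at all
}


@dataclass(frozen=True)
class Flow:
    """The first packet of a connection as the firewall sees it."""
    src_mac: str
    src: str
    sport: int
    dst: str
    dport: int


class SegmentedPolicy:
    """Decides each packet the way a stateful firewall between the VLANs would."""

    def __init__(self) -> None:
        # Sessions opened from the trusted side: (initiator, sport, responder, dport)
        self.established: set = set()

    def decide(self, f: Flow) -> str:
        # 1. Unknown hardware addresses never get onto either network.
        if f.src_mac not in KNOWN_MACS:
            return "drop: unknown MAC"
        src, dst = ip_address(f.src), ip_address(f.dst)

        # 2. Replies to a session the trusted side opened are allowed back (stateful).
        if (f.dst, f.dport, f.src, f.sport) in self.established:
            return "accept: reply to LAN-initiated session"

        # 3. The internal machine makes the connection; remember it for the reply.
        if src in LAN:
            self.established.add((f.src, f.sport, f.dst, f.dport))
            return "accept: LAN-initiated"

        # 4. IoT devices get no unsolicited access to the internal network...
        if src in IOT_VLAN:
            if dst in LAN:
                return "drop: IoT may not initiate to LAN"
            # 5. ...and only the listed Internet endpoints for each device.
            if (f.dst, f.dport) in IOT_EGRESS.get(f.src, set()):
                return "accept: listed vendor endpoint"
            return "drop: IoT egress not on allowlist"

        return "drop: default"


def demo() -> list:
    """Run constructed flows through the policy and return the decisions."""
    p = SegmentedPolicy()
    laptop, hub, bulb = "192.168.1.50", "192.168.20.10", "192.168.20.11"
    return [
        # Laptop opens the hub's web UI: allowed and remembered.
        p.decide(Flow("aa:bb:cc:00:00:01", laptop, 51000, hub, 443)),
        # Hub answers that session: allowed because the LAN initiated it.
        p.decide(Flow("aa:bb:cc:00:00:10", hub, 443, laptop, 51000)),
        # Compromised hub tries to open SSH to the laptop: dropped.
        p.decide(Flow("aa:bb:cc:00:00:10", hub, 40000, laptop, 22)),
        # Hub talks to its vendor cloud on 443: on its allowlist.
        p.decide(Flow("aa:bb:cc:00:00:10", hub, 40001, "203.0.113.5", 443)),
        # Bulb tries an arbitrary Internet host: not on its (empty) allowlist.
        p.decide(Flow("aa:bb:cc:00:00:11", bulb, 40002, "198.51.100.9", 80)),
        # Unknown device plugged into the IoT VLAN: rejected by the MAC allowlist.
        p.decide(Flow("de:ad:be:ef:00:00", "192.168.20.99", 40003, laptop, 80)),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The model deliberately keys the state table on the LAN side only: an IoT device can answer a session the PC opened, but nothing it initiates toward the LAN ever creates state. That is the property Phil relies on when he says compromise then requires "an active step from the internal machine", and it is also why the attack path he sketches goes through the browser on the LAN rather than through the firewall.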