G+_Jason Perry, posted April 3, 2016:
What's your opinion? I am slowly developing my "smart home," but with security being what it is and everything being pushed to the cloud, I am not sure how smart a home should really be. In my opinion video is one of the first things to disconnect from the internet. There are too many people out there looking for exploits with video cameras. Is this a bit of paranoia? Yes. I am fairly confident there is no one out there trying to see what my video camera is looking at besides me and my wife; that being said, there is nothing stopping my camera from being grouped in with all the other cameras that an exploit might work for. I love the thought of being able to feed my dog, turn on the lights, adjust the thermostat, and water my garden from anywhere in the world, but should I? It's funny how becoming comfortable with something we are willing to accept, like a smart light bulb, opens the door for accepting something we weren't willing to even consider in the past, say a door lock. If you give yourself access to something from outside your house you have to assume there is someone out there smart enough, or at least persistent enough, to get access for themselves. Where does your comfort zone end?
G+_610GARAGE, posted April 3, 2016:
I think you have a misconception that a lot of people have. Just because no one will attack you personally doesn't mean a bot won't hit your IP address at random and get in. I personally think that the "smart home" idea is neat, but an extreme security risk. Anything that has to talk to a server outside of your home may be breached at any time. I work for an HVAC company. I was helping out in the field installing networked thermostats. The owners of the building (it was a commercial building) wanted to connect the thermostats to the internet. We were a bit worried about security, as the owners of the building have had internet-connected thermostats before and they constantly got hacked (probably default login and all of that stuff). So I was talking to the company who made the thermostat. They said to use port forwarding to each thermostat (one of three suggestions). I asked them what about security, and the guy I was talking to said that it was only a thermostat, so it wouldn't be a big deal if there was a breach. ?!?!?! I didn't say this to him, but I later thought, "what would happen if someone hacked the thermostats and turned them all off over Christmas break?" How much damage would all of those frozen pipes cost? Basically, the companies who make this stuff don't care about security. I do have networked security cameras running, but I have to VPN into my network to see them. The only way I would use any "smart home" devices is through a VPN.
G+_Keith Mallett, posted April 3, 2016:
All of the consumer home automation products out there pride themselves on being accessible via the internet. Anything you put on the net should be considered public and vulnerable. Keep your controls internal and create an encrypted tunnel into your home to access that control to be safe. My comfort level ends at access to my network. That's why I'm constantly testing UTM products and network security principles to see what gives me the best combination of access and control. I think if you're building an automation solution from scratch (which I think is best) then start with creating a strong access point. You can view your IP cameras from inside your network once you create that tunnel in. I think wifi cameras are cool but very VERY insecure, the same way other wifi devices can be hacked. IPv6 link-local addressing may be an option too; I'm going to be working on that next. Good luck! - I luv automation and "hacking" hardware, I mean the changing-the-way-the-device-works type of hack, not the penetration type.
G+_Mr covert, posted April 3, 2016:
Put all the smart devices on their own network with a whitelist firewall.
G+_Eddie Foy, posted April 3, 2016:
I have old school home automation. My HA internet connection is a single point (web server on an odd port). No devices reach out on their own. Keeping the devices blocked and accessing them through a VPN would be the way I would go. I see very little reason for any device to talk to the cloud on its own. Sure it's 'cool', but is it necessary? (disclaimer: I loathe the 'cloud'. It's just someone else's computer I have zero access to with my data, but other unknown people do, without me knowing someone accessed it in any way)
G+_Rud Dog, posted April 3, 2016:
My home IoT project has come to a halt until my search finds hardware and/or software allowing me to see all that goes on within the confines of my LAN. Blind-eye example: most scanners for a LAN search only check the entered IP class, for example 192.168.1.0-192.168.1.255. If there is someone on your network running under 192.168.4.1 it won't be seen. This is just one aspect of what I am looking for; there are others, such as monitoring incoming and outgoing traffic without the complexity of Wireshark. So far my search has generated more questions than answers. If you can at a glance see what traffic is doing, both incoming and outgoing, and devices, especially new ones, pop up with an alert, you are more likely to act.
G+_Eddie Foy, posted April 3, 2016:
Rud Dog Nmap has no probs with a 192.168.0.0/16. Most IP scanners I've seen do CIDR, just default to a /24. Wireshark (or the like) without a SPAN port is only gonna get you your packets, wifi packets, and broadcast packets; only somewhat helpful. It will show new IPs in the ARP and DHCP packets. Switches have locked out the snooping/sniffing for the most part. For IoT threats, it's not a new IP on your network, it's a compromised device with a 'friendly' IP already.
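As an added example that is not part of this thread, the following Python sketch shows the kind of at-a-glance check Rud Dog is asking for, covering both the stranger anywhere in the /16 and Eddie Foy's "friendly IP, already compromised" case; the device inventory, the egress baseline and the flow records are all constructed for the example.

```python
# Added example (not from the thread): a minimal LAN watch over constructed
# flow records that alerts on an unknown MAC appearing anywhere in the /16 and
# on a known device talking to a host/port outside its egress baseline.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/16")      # watch the whole /16, not one /24
# Constructed inventory: MAC -> name of each device we expect on the LAN.
INVENTORY = {
    "aa:bb:cc:00:00:01": "thermostat",
    "aa:bb:cc:00:00:02": "ip-camera",
}

# Constructed egress baseline: name -> the (dst_ip, dst_port) pairs it may use.
BASELINE = {
    "thermostat": {("192.168.1.10", 8080)},   # talks only to the HA controller
    "ip-camera": {("192.168.1.10", 554)},     # RTSP to the controller only
}

def parse_flow(line):
    """Parse a constructed 'src_mac src_ip dst_ip dst_port' record."""
    mac, src, dst, port = line.split()
    return mac.lower(), src, dst, int(port)

def audit(lines, inventory=INVENTORY, baseline=BASELINE):
    """Return one alert string per unknown device and per off-baseline flow."""
    alerts, seen_unknown = [], set()
    for line in lines:
        mac, src, dst, port = parse_flow(line)
        name = inventory.get(mac)
        if name is None:                      # stranger on the LAN: alert once
            if mac not in seen_unknown:
                seen_unknown.add(mac)
                alerts.append(f"NEW DEVICE {mac} at {src}")
        elif (dst, port) not in baseline.get(name, set()):
            # Known device off its baseline; external destinations matter most.
            scope = "LAN" if ip_address(dst) in LAN else "EXTERNAL"
            alerts.append(f"OFF-BASELINE {name} ({src}) -> {dst}:{port} [{scope}]")
    return alerts
# Constructed flow records, as a router or SPAN-port sniffer might export them.
SAMPLE_FLOWS = [
    "aa:bb:cc:00:00:01 192.168.1.20 192.168.1.10 8080",  # thermostat, normal
    "aa:bb:cc:00:00:02 192.168.1.21 192.168.1.10 554",   # camera, normal
    "aa:bb:cc:00:00:02 192.168.1.21 198.51.100.7 6667",  # camera, new external host
    "de:ad:be:ef:00:01 192.168.4.1 192.168.1.1 53",      # unknown MAC outside the /24
    "de:ad:be:ef:00:01 192.168.4.1 192.168.1.1 53",      # same stranger, no repeat
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_FLOWS)))
```

Feeding it real records would mean exporting flows from the router or from a SPAN-port capture, which is the visibility gap Eddie Foy describes.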
G+_Rud Dog, posted April 3, 2016:
Eddie Foy with each question the knowledge hole fills. Thank you Eddie, off to test 192.168.0.0 on my scanner. Oh, and the point you make is very interesting concerning "friendly IPs". That is indeed more difficult to discover and scary at the same time.
G+_Eddie Foy, posted April 3, 2016:
Rud Dog The 192.168.0.0 wasn't the part to latch onto, the /16 is. Investigate the CIDR notation. And glad I gave you more questions. The IoT (as I latched on to from a local BSides: the Internet of Threats) is using the IoT device, since it's already 'friendly'. It's hard for a Ukrainian hacker to put a RasPi on your local LAN. (just ponder the number of routers and NASes that are running the 'virus/malware/hacker-free Linux'; Linux runs 95% of all bots on the botnets)
G+_Rud Dog, posted April 3, 2016:
Eddie Foy it went without saying; when I used the scanner I entered 192.168.0.0/16 and it ran. As for the rest of what you said, sounds like an invite to come to my home and network would be needed, along with me learning Russian, of which neither has a chance of happening. And finally, sounds like Linux is the way to go based on your last comment, correct?
G+_Ben Reese, posted April 4, 2016:
I like the idea of having one secure point of access to everything from the outside. There's no reason a light bulb would need to talk to their server other than maybe a periodic check for software updates (over SSL with pinned certificates, preferably). Even then, if I have a personal server at home I'd prefer the lightbulb check that server instead, and my server can take care of fetching the updates from the manufacturer servers.
G+_Rud Dog, posted April 4, 2016:
Ben Reese recently created a private/public key pair and have successfully placed the public key on my Linux box for logging in via this method. Why don't more manufacturers (they might, I am new to this) allow you to place your public key on their site for this type of security? In fact in any case where you want this type of security. As mentioned in other posts, I am in the middle of the learning curve for public and private key use. But it sounds like something IoT and home automation should incorporate, but not really sure.
G+_Ben Reese, posted April 4, 2016:
I agree. If company A sells a light bulb, they should have the public key for that light and the light should have their public key. But security is almost always an afterthought. I really want to get into the smart home stuff, but at this point I still don't trust the security. The best options I've seen so far are the ones that use other wireless connections like Z-Wave or Bluetooth, but even then I want encryption to be used. Ring is probably the only camera I'd trust at this point just because it has drawn a lot of attention and is already being attacked. Even then, I'd like an alternative. The last thing I thought of was a Raspberry Pi mounted inside the house with a USB borescope (e.g. http://www.amazon.com/dp/B00JERRES6) poking through to the outside. I don't want the Pi outside because someone could steal it and get access to my network. I don't want a full USB camera outside because someone could cut the wire and have USB access to my Pi (paranoid much?). But at the same time I want that Pi to be able to unlock the door. All pipe dreams at this time and just the thoughts going through my head on the subject.
G+_Eddie Foy, posted April 4, 2016:
A light bulb has ZERO need to talk to the 'cloud'. None of these devices should. A single central controller, be it a PC, RasPi, Echo, etc., should be the gateway. Home automation has been 'all the rage' for decades now, but the rage has never caught on. Now with 'cloud' it's back in the forefront. Z-Wave can be attacked from the next apartment. Was at the last Derbycon and saw that talk/demo (all the talks are available online). BT LE is a fuster-cluck. It might be encrypted. But seems the BT team doesn't learn from its mistakes of the past with new versions. Long and short, home automation isn't ready for prime time and cloud-enabled HA isn't ready for Saturday morning cartoons. :)
G+_Rud Dog, posted April 4, 2016:
Ben Reese when I saw the borescope you showed I said hallelujah. Been working on a scrap piece of wood (2 x 4) seeing if I could cut a hole in it to mount a tiny camera; this way, from the outside all you would see is a small hole. Then with several of these under the front of the house, under eaves, could pretty much cover the entire front area. The modified 2 x 4 of course would replace the 2 x 4 currently across the front of the house. But the scope solves a lot of problems; now to read up on the suggested scope. Will continue to work on refining the type of system until I run across a solution for the security issue.
G+_Dale Burrell, posted April 4, 2016:
Look up "triple router Y-configuration" if you want your network safe.
G+_Ben Reese, posted April 5, 2016:
Dale Burrell that's really just a bubblegum fix for the real issue. Having a separate network for IoT gear helps protect your important gear, but it doesn't protect the IoT gear from each other.
G+_Jason Perry (author), posted April 7, 2016:
Or you from the outside. If something is going to get into your 'IoT network', sure, the rest of your network is segmented, but the IoT gear is now visible.