Got a request for a topic

[G+_Mike Meyer]

Got a request for a topic. This weeks KH show talked about wifi scanners for security as well as plugging the Ring Video doorbell with no mention of the security implications of having it on my network.  Ok, they're a sponsor, so maybe not called for. But every time  I run into an IoE device like this, I always wonder how it will affect the security of my LAN. Do they do nothing but send out data? No problem there. Do they update their software from the cloud? Maybe not so good - what has the maker done to prevent an attacker from injecting their own software onto the device? That would give it access to everything on my LAN from the inside, requiring me to treat my LAN like the cloud. Not a good thing.

 

What truly worries me about most of the IoE devices I see advertised - or the tools for building them, like the ESP2866 - is that none of the people peddling them talks about security. This makes me think they're either not doing any, or worse, doing it as an afterthought. Maybe I'm paranoid because I watched what happened when the first generation of internet services did that. With that example, I'm flabbergasted that nobody but security mavens are talking about IoE device security - mostly saying "it's nonexistent".

 

I think knowing how to evaluate how an IoE device will impact the security of a LAN would be a good thing. I can tell when something does things wrong, and have partitioned my LAN for a couple of devices I want in the house anyway. But I'd like to know how to recognize when something does things right, so I'm not increasing the exposure of my systems by putting the device on my LAN.

[G+_Eddie Foy]

IoT, Internet of Threats.  I don't think you are paranoid.

Security in a consumer product is always and afterthought add-on. ( and its a lot harder to get right after the fact) Bean counters don't want to waste money on it.  That's why even exposed vulns on older models rarely get patched.

 

Signed firmware updates is a good starting point.

 

I'd watch what data its sending 'home' .

[G+_Mike Meyer]

How many IoE (Internet of Everything. IoT makes me think all the non-IoT devices on the internet must not be things.) devices that do firmware updates have signed updates? That would seem to be a bare minimum. But I found at least one that sent the firmware updates in the clear. I asked the manufacturer about it, and was told "security is sensitive, so we can't talk about it, but be assured we have good security". I sent them references to the talks/papers describing exactly how easily their devices were broken into, and never heard back from them.

 

Scanning for open ports, checking what gets sent back (and forth, after a DNS redirect....), looking to see if they have fallen into the security through obscurity trap - those can all tell me if that they did things wrong. I'm looking for how to recognize devices that do things right.

[G+_Eddie Foy]

Don't think you can tell if its done right, outside for the word of the company.

 

Open it, find a jtag/console port and explore.  Do a binwalk.

[G+_Mike Meyer]

Eddie Foy I don't think jtag/swd/etc. port is an issue. In fact, I'd consider not having one as a  security measure to be a sign that you've done things wrong. Security through obscurity doesn't work, so any security system that depends on keeping information that's on the deployed device out of attackers hands is already broken.

[G+_Eddie Foy]

I meant to utilize those ports.

extract the firmware, binwalk it.

[G+_Mike Meyer]

Eddie Foy Yeah, I got that. My point is that if your security system depends on attackers not having access to the code, it's broken.

 

Even if you cover the debug port hole by using a µ-controller that read protects flash, you're still hosed if someone breaks into your corporate network and steals the source, or if you fail to properly protect the firmware updates against MiTM attacks, or if - well you get the idea. Best to design the system so if the source somehow gets out, you don't wind up exposing all your customers networks.

[G+_Eddie Foy]

Read the code &  the schematic yourself..  Outside of that you will never know for sure.

[G+_Ben Reese]

I don't think you're being paranoid either - or if you are it's for good cause. I think there's 2 points to be made though...

1. Each device should ideally be on its own subnet/VLAN.

2. It's been said multiple times in TWiET that if you're expecting your perimeter firewall to protect you, you're doing it wrong.

 

I certainly have a hard time trusting these small network appliances - part of the reason I haven't gotten into any yet.

[G+_Mike Meyer]

Eddie Foy OH. No, DOH! You weren't describing an attack, you were describing a check on the system security. Unfortunately, the code is only part of a systems security - and not the most important one! For instance, you can use that to figure out that an update has to be signed, but that doesn't tell you anything about how they handle the signing key.