[Cryptography] FBI: Don't trust IoT devices

Henry Baker hbaker1 at pipeline.com
Tue Dec 10 13:57:30 EST 2019


FYI --

https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/tech-tuesday-internet-of-things-iot

FBI Portland  Beth Anne Steele  (503) 460-8099

December 3, 2019

Tech Tuesday: Internet of Things (IoT)

Welcome to the Oregon FBI's Tech Tuesday segment. Today: Building a
digital defense in your Internet of Things.

Last week we talked about smart TVs--and how that built-in Internet
connection can allow manufacturers, streaming services, and even
hackers an open door into your home.

This week, we are looking at the larger Internet of Things
(IoT). Basically, this means everything else in your home that
connects to the world wide web. If you look at the holiday wish lists
that your kids, spouse, and parents conveniently dropped on you last
week at Thanksgiving—most everything on there probably makes the cut.

Digital assistants, smart watches, fitness trackers, home security
devices, thermostats, refrigerators, and even light bulbs are all on
the list. Add to that all of the fun stuff: remote-controlled robots;
games and gaming systems; interactive dolls; and talking stuffed
animals … well, the list seems endless.

What these all have in common is that they send and receive data. But
do you know how that data is collected? And where it is going?

Another concern is that hackers can use that innocent device to do a
virtual drive-by of your digital life. Unsecured devices can allow
hackers a path into your router, giving the bad guy access to
everything else on your home network that you thought was secure. Are
private pictures and passwords safely stored on your computer? Don't
be so sure.

Here's what you can do to build that digital defense:

* Change the device's factory settings from the default password. A
  simple Internet search should tell you how--and if you can't find
  the information, consider moving on to another product.

* Passwords should be as long as possible and unique for IoT
  devices.

* Many connected devices are supported by mobile apps on your
  phone. These apps could be running in the background and using
  default permissions that you never realized you approved. Know
  what kind of personal information those apps are collecting and
  say "no" to privilege requests that don't make sense.

* Secure your network. Your fridge and your laptop should not be on
  the same network. Keep your most private, sensitive data on a
  separate system from your other IoT devices.

* Make sure all your devices are updated regularly. If automatic
  updates are available for software, hardware, and operating
  systems, turn them on.

As always, if you have been victimized by a cyber fraud, be sure to
report it to the FBI's Internet Crime Complaint Center at ic3.gov or
call your local FBI office.

-----

"Secure your network. Your fridge and your laptop should not
be on *the same network*. Keep your most private, sensitive
data on a separate system from your other IoT devices."

OK, I agree.

So how do I actually do this?  What does "the same network"
mean?

1.  The same LAN?  OK, does this mean setting up another
LAN subnetwork with a different set of IP addresses?  I'm
pretty sophisticated about IP networking, but this is going
to be a stretch for me; what % of the U.S. population knows
enough about IP networking to achieve this goal?  0.1%?

2.  What if I don't trust the router from my ISP?  Do I
need to buy another router?  Do I set up multiple VPNs
*in my own home*??

3.  I have multiple IoT devices from different vendors.  Do I
want them to see one another and possibly cooperate and
share information about me?  Do I need to set up a
separate VPN for *each IoT device*??  Even if I'm
willing to do this, how do I do it?

So consider a high-tech wizard's home with multiple IoT
devices:

* one or more iPhones
* one or more Android phones
* one or more Windows laptops
* one or more Mac laptops
* Alexa
* Echo
* Nest thermostat
* Ring doorbell
* August smart lock
* one or more Android TV devices (Netflix/Prime/etc.)
* Samsung smart refrigerator
* Kodi server
* router from untrustworthy ISP (e.g.,
AT&T/Verizon/Comcast/Charter/Cox/...)

So OpenWrt routers are relatively inexpensive and
relatively trustworthy, and support all manner of
VPNs.  Can a handful of these devices help me to
achieve the FBI's recommendations?

To a first approximation, just consider isolating
each device in such a way that it can't "see" any
other device, but it can still talk to the internet.
How best to do this -- even if the device runs
tcpdump/Wireshark/Snort/Kismet/Aircrack?

What configuration would I need to actually achieve
what the FBI recommends?
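An added example, not part of this post or the FBI release, of the kind of OpenWrt configuration that gets to the "first approximation" above: a separate Wi-Fi network for IoT devices whose firewall zone can forward only to the WAN, with AP isolation so the devices cannot see one another. It uses OpenWrt 21.02+ config syntax; the interface name, subnet, SSID and key are assumed placeholders, and wired IoT devices would need their own VLAN and zone in the same pattern.

```uci
# /etc/config/network  ("iot" and 192.168.3.0/24 are assumed, not from the post)
config interface 'iot'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'

# /etc/config/wireless  (second SSID on radio0; SSID and key are placeholders)
config wifi-iface 'iot_ap'
    option device 'radio0'
    option mode 'ap'
    option network 'iot'
    option ssid 'home-iot'
    option encryption 'psk2'
    option key 'REPLACE-WITH-LONG-PASSPHRASE'
    option isolate '1'      # AP isolation: clients on this SSID cannot reach each other at layer 2

# /etc/config/dhcp  (hand out addresses on the iot interface only)
config dhcp 'iot'
    option interface 'iot'
    option start '100'
    option limit '150'

# /etc/config/firewall
config zone
    option name 'iot'
    list network 'iot'
    option input 'REJECT'     # devices may not talk to the router itself, except via the rules below
    option output 'ACCEPT'
    option forward 'REJECT'   # no forwarding between networks inside this zone

config forwarding             # the only forwarding out of iot: to the internet
    option src 'iot'
    option dest 'wan'
# Deliberately no forwarding from iot to lan, so devices cannot initiate connections to
# laptops and phones; add src 'lan' dest 'iot' only if lan must manage the devices.

config rule                   # let devices use the router's DNS resolver
    option name 'Allow-DNS-iot'
    option src 'iot'
    option dest_port '53'
    option proto 'tcp udp'
    option target 'ACCEPT'

config rule                   # and its DHCP server
    option name 'Allow-DHCP-iot'
    option src 'iot'
    option dest_port '67'
    option proto 'udp'
    option family 'ipv4'
    option target 'ACCEPT'
```

Apply with `/etc/init.d/network reload`, `wifi reload` and `/etc/init.d/firewall reload`. Because the lan zone keeps its default forwarding to wan only, a laptop on lan cannot reach the IoT subnet either unless the optional lan-to-iot forwarding is added.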
