In the later part of 2016, there was an event that captured the attention of the public. The internet of things had it’s major debut as a tool by those with bad intent. It had been seen as a serious problem by security professionals long before. Now the threat was real. Automation should still require attention. The IoT world is not something that should be left to default, unabated to run as is. Unlike traditional user interface devices that would be turned off after use, the IoT runs while we sleep. This is one of many reasons why the IoT should be scrutinized.
In the posts to follow, I’ll be covering home automation and monitoring using the raspberry pi, arduino, and xbee. The purpose of which is to identify and reduce waste. The hidden challenge will be the reliability and integrity. This will be the focus of this post. I’ll be covering methods to reduce issues should a fault occur.
While researching, I came across several brands that offer completed kits. The home automation devices they offered are a great low cost option, versus creating devices from scratch. It became clear that security is a concern if I were to use a shrink wrapped product. However, the problem with marketed products is the obfuscation. The mystery is underneath the shiny plastic cover or missing from the manual included in the box. It’s understandable from the businesses point of view. That is proprietary knowledge and intellectual property. Still, if the device enters my home, I must know how it operates and be aware of any risks it poses to it.
Here is a guideline of precautions to take with some logic behind them
- Do not connect it to the network
- Ensure physical security
- Create a system recovery image
- Provide redundancy with hardware
- Backup data with 3-2-1 methodology
- Remove privileged access
- Use 2FA and strong passwords
- Athenticate over secure channels
- Segment the network if connections are required
- Standby or power off resources during time of non-use
- Use a firewall
- Promptly patch systems when updates are released
- Run virus and malware scanning processes
- Log activity and replicate it
- Continue to learn
The simplest method is to not connect to the internet. However, even out of band devices will come in contact at some point through a third party. Wireless devices have an additional challenge. Unlike wires that offer some type of physical security, the radio waves can not be contained. I equate it to having a data jack floating in space that anyone can attach to. Is the data encrypted? Is it discernible? Why leave that to chance? Garage door keyless entry has been hacked. Just like my data jack analogy, now it’s a door handle flouting in space.
The three traditional methods have been firewall, patching, and virus protection. This is fine for simple desktops. For systems and services these three methods are just not enough. In addition to them you should have a way to operate if a system is downed for any number of reasons. System recovery and data recovery are key to stable operation. System recovery involves either image recovery of the running operating system or transferring operation to parallel hardware. Data recovery is a simple matter of backups. The 3-2-1 method is a resilient model to follow. Having the data available is key. Make 3 copies, use 2 types of media, and keep 1 off site.
Another commonly overlooked method is privileged access. Most desktops operate with a user that has full privileged access to the operating system resources. Processes run by the user also have this same level of access. As you can see, if a user happens to have a process run while active, that process has unfettered authority to do anything on the system. Limit user privilege and you limit the processes that run while that user is active.
Systems are more likely to have some facet of authentication security built in. This means they most likey have default credentials. Change them, Really! Do not keep any of it the same. Some Firmware has been documented to have embedded credentials in it. These back doors are damning. For that reason, enable 2FA if possible. If your device has a web based login, use encryption. Usernames and passwords entered on standard http or ftp can be captured and easily seen.
One more item is network segmentation. Place your services in networks that serve a specific function. VLans provide one method of this by placing desktops in one network, servers in another, devices in another, etc. It is useful to identify the purpose of your network, services, and users. This is unique to you. Using the defaults for every situation is a risk not worth taking.
For systems and services not in use after hours, how about power save and standby. This not only ensures no access, but also saves energy. Why does a file server need to be available at 3am if no one is around? If services can be turned off or processes stopped when no use is expected, this decreases the chance of misuse.
Nothing is going to cover it 100 percent. Something is going to occur that may not be motivated with malice. Log system activity. If an insident does happen, you’ll have a record of it. These logs are targets as well. Due to the threat of being found out, a bad actor could attempt to cover thier tracks by purging the logs. Replicate the logs in realtime. Send that information to a place far removed. If your system is reduced to a pile of ruble, the record of it will still be available.
Lastly and most importantly, continue to learn as new techniques arise. Complacency is a killer. If that comfortably dumb feeling of thinking you’re covered settles in, shake it out. The landscape hasn’t settled, neither should you.
Demystifying IoT should be a priority. IoT devices are like any ordinary computer with network access. Once you recognize that potential, you’ll have a better understanding and can make the decisions needed to ensure security and reliability.