With absolutely no other news in the United States, let’s talk about securing your IoT devices
Hey all, as stated it’s been a couple of days without any news whatsoever in the United States (really boring over here, nothing to see,) so figured I’d harp on something that’s become a looming pit of dread in my stomach and that is IoT devices, and how pretty much any of them can be hacked or at least controlled without much difficulty.
When is the last time you updated your smart light bulb’s firmware? You know why we do this don’t you? Because your light bulb is running a little stripped down linux distro that accepts commands without much authentication from anything it can talk to.
A mini computer with access to the internet in my home? It’s more likely than you think.
For most IoT devices, your WiFi network is the only security and that password you chose is the only thing standing between your devices and some malware on your neighbor’s computer throwing a dictionary and launching an exploit tester against your network.
Several newer bulbs and Smart Life now have the option to auto-update firmware, but it needs to be enabled on each device in order for this to happen. Even updated, these devices tend to accept commands from anything locally and be pretty easy to manipulate into doing things that could become malicious.
By this point everyone should know a little about what a network is. You should have two. One for your IoT devices and one for things you don’t want being touched by your IoT devices. I’d suspect you also want two physical devices to run the networks. While network isolation and segmenting is cool and all, you hack the router forget about about that. Consumer grade routers are not the most difficult to hack.
When is the last time you updated your WiFi router’s firmware? You know why we do this right?
What I’ve seen in the past few weeks of malware dealing with (reported attacks went up 400% before some local election the US is doing,) makes me envision a scenario where you get ransomwared, try and recover but end up getting hacked repeatedly by your $9.95 smart bulb pushing an exploit pack on your system every time you plug into the internet.
I’ve got network isolation to prevent IoT devices from talking amongst themselves, I’ve got physically separated WiFi APs. VLANs. I still don’t trust that’s going to stop a devoted exploited light bulb with access to the internet and nothing but time on its hands. I fear the Great Bulb Hack is lumen.
So yeah…
Should I try and sell you something? Probably. I’d rather just warn you that the great Smartbulb Hack of 2020 hasn’t appeared yet and hopefully we can keep it from being a vector. Update your firmware. Update your firmware. Update your firmware.
Secure your cameras, put your Googles in the fridge when not in use, and be smart. Don’t end up locked out of your house while someone in Estonia accesses everything you’ve ever logged into from your computer.