IoT security, was Krebs on Security booted off Akamai network
mel at beckman.org
Sun Oct 9 14:31:54 UTC 2016
I just bought a $20 Lacrosse remote RF temperature sensor hub for home, the GW-1000U. It does the usual IoT things: after you plug it in, it gets a DHCP address and phones home, then you register it using a smartphone on the same LAN, which I'm guessing finds the device via a broadcast and then configures the hub with my Lacrosse account info. All communication is thereafter through the cloud.
It set itself up quite conveniently and efficiently, and now will start charging me $12/year for alerts and texts. An acceptable business model.
Except the thing is a teaming mass of security vulnerabilities.
How much authentication went on in this process? None. I captured the thing's packets in my firewall's onboard sniffer from the get go. All data is exchanged as plaintext on port 80. The protocol is completely undocumented, but I've since discovered that at least one enterprising tinkerer has reverse engineered it so people can bypass the manufacturer's monetization model.
The device accepts TCP connections on 22, 80, and 443. Theoretically I can't see why it ever needs ongoing inbound connections, so this seems to be a security concession made by the maker. Also, it appears to support SSL, but uses plaintext. Why? Because it's easier to debug in the early deployments, I'll wager. But the thing has been out for years and they're still not using encryption, even though the device apparently has the ability.
As a knowledgable consumer (and security researcher) I'll overcome these shortcomings by putting this device on its own VLAN with extensive firewalling. Still, I can't be sure it won't be malicious, or get exploited through the cloud. And VLANs have their own security weaknesses, despite my using pricey enterprise hardware at home.
My point is that if an expert has to expend several hours of highly technical labor to "responsibly" use a $20 IoT sensor, and use enterprise-grade IT gear and methods to gain even a modicum of safety, then what hope do Ma and Pa Kettle have?
This is not a consumer education problem, unless we think consumers should also learn thermodynamics in order to drive, the Bernoulli principle in order to be airline passengers, and biochemistry to cook their own food. It's clearly a giant screw-up by manufacturers who could easily spread the cost of best-practice security measures across a large customer base.
That they don't shows lack of moral character, and nothing else.
> On Oct 9, 2016, at 7:03 AM, John R. Levine <johnl at iecc.com> wrote:
>> On Sun, 9 Oct 2016, Florian Weimer wrote:
>> If we want to make consumers to make informed decisions, they need to
>> learn how things work up to a certain level. And then current
>> technology already works.
> I think it's fair to say that security through consumer education has been a failure every time anyone has tried it. Why do you think this would be any different?
>> There is little interest in this, however. There's a comparable
>> business case for providing managed PCs to consumers, and I'm not sure
>> if any such companies are still left.
> There's at least two large ones: Microsoft and Apple. Try installing Windows 10 without letting Microsoft update and reconfigure the software any time they want, any way they want.
> Expecting consumers to evaluate the security behavior of their lightbulbs and their refrigerator is absurd. We need to figure out how to have the devices and routers configure themselves so the devices can do what they need to do without doing what we really don't want them to do.
> John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly
More information about the NANOG