Secure your IoT Devices this Holiday Season

New IoT devices are being developed everyday, and with them, new ways for hackers to enter your home. Let’s lock down our IoT network…

Photo by Zan on Unsplash

New IoT devices are being developed every day, and with them, new ways for hackers to enter your home. This is partly because companies want to start selling their IoT devices with little care for security. Many of these companies don’t actually care about security; they just want to sell you something. Many consumers don’t care, or don’t know, about the security risks, so there’s no real business risk in doing this. Luckily, the FBI’s warning about IoT devices can help us show others that it’s a real risk.

Warning

I do want to note that this only works as well as the resources you have on your network. If all you have is a cable modem from your ISP and nothing more, this will be a bit more difficult. Also, no one can guarantee you 100% security; however, this is vastly more secure. This will be conceptual, not actual configs.

Segmentation

Now, before you go and plug that new IoT device into your network, you need to set up a separate network for these devices. Log in to your router, or cable modem, and set up a separate Wi-Fi network. You want to separate these devices from your network to prevent pivoting. If possible, set up a Guest Network, as many routers add additional isolation to prevent a compromised IoT device from accessing other devices on your network. For my network, I’m going to set up a separate network of 10.5.0.0/16. I picked /16 because that’s just how I segment all of my networks.

Connect

Now that we’ve created a separate network for our IoT devices, and locked it down, we can connect all of our IoT devices to this network. This won’t necessarily stop an attacker from hacking the device; that greatly depends on the type of attack. If the attacker compromises your account, then either you have a weak password with no 2FA, or the company was compromised. What this will do is prevent an attacker from pivoting to your network. You can’t prevent the attacker from gaining access to your IoT device without some pretty nifty firewall rules… and even then, for optimal security, you’d need a HIPS on the IoT device.

Secure your Account

There are many recent articles about people having their IoT devices compromised; many of these could have been avoided with proper password hygiene. When creating your account, ensure that you create a secure password with uppercase, lowercase, numbers, and special characters. Unfortunately, some services won’t allow you to do this… in which case I would recommend returning that device and staying away from that company, as they DON’T know how to set up proper security. You should also ensure that the password you’re using isn’t being used anywhere else, as hackers can use password spraying techniques to compromise accounts.

Additional Security

These next couple of points are only possible if you have something more advanced than a cable modem from your ISP… and you know how to configure these options. As there are SO many different ways to perform these tasks, I’m going to keep to the concepts; you will need to apply them to your network.

Further Segmentation

I also tag the IoT network with a VLAN of 5, but this is only possible with more advanced networking hardware. I don’t want other devices trying to hand out IP addresses, especially if they’re hacked, so let’s enable DHCP Guard (Unifi) too, aka DHCP Snooping (Cisco).

Firewall

Alright, we have our network created; however, our router will freely route traffic between these networks… we don’t want that. Most IoT devices work perfectly fine without ever touching your desktop(s) and laptop(s). We should make firewall rules that don’t allow “NEW” connections with a source of IoT and a destination of any other network except the core infrastructure (i.e. DNS). We still want to allow established connections so that IoT devices can respond to requests from your phone.

At my home there’s only one device that’s allowed to send DNS, and that’s my DNS server; all other DNS traffic is dropped. Traffic from other networks can freely flow into the IoT network, essentially creating a DMZ. I would say you could just throw these IoT devices into a DMZ; however, some routers (cable modems from ISPs) will put a public IP on the device depending on your settings…

Rate Limit

I like to limit the bandwidth of the devices on my network, unless they are being used by the family and need faster connections. All new devices on my network get 1Mbps, and the only way to get more is for me to switch the profile of their device. All IoT devices on my network get 1Mbps. That connection works just fine for streaming music to the Google Home. This is so that if a device gets compromised and used for a DDoS attack, the impact on my network is minimal. Unifi has this built in; Cisco can do this with srr-queue on an interface.

Restrictions++

You might think you’ve completed all the restrictions; however, some of you have resources that can add additional security. My home firewall performs DPI (Deep Packet Inspection), allowing it to determine the type of traffic it sees. We can use this to lock down the type of traffic our IoT devices can send. You will need to play around with these settings to find the bare minimum traffic needed for your IoT devices.

Additional Firewall Rules

As stated, the only way to get additional security is to add additional firewall rules. I’m going to assume you can’t install a HIPS, so let’s set up some additional rules. These WILL need to be maintained, as IPs and subnets change. You should create firewall rules that restrict the outgoing IPs of your IoT network to only an approved list of subnets (default deny). To do this well, you should have logging set up for your firewall, test your IoT devices, and look up the subnet of each IP address your IoT devices need access to.
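The rule ordering from the Firewall section (allow established, DNS only via the resolver, no NEW connections from IoT into other internal networks, IoT reachable from trusted hosts) plus the egress allowlist with logging from this section, written out as a small policy evaluator. This is an added example, not configuration from the post; only 10.5.0.0/16 comes from the post, while the trusted LAN, the resolver address and the vendor subnet are assumed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# 10.5.0.0/16 is the post's IoT network. The trusted LAN, resolver address and
# vendor subnet below are assumptions made for this example only.
IOT_NET = ipaddress.ip_network("10.5.0.0/16")
TRUSTED_NET = ipaddress.ip_network("10.1.0.0/16")      # assumed trusted LAN
DNS_SERVER = ipaddress.ip_address("10.0.0.53")         # assumed internal resolver
RFC1918 = ipaddress.ip_network("10.0.0.0/8")           # everything "internal" here
EGRESS_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]  # assumed vendor cloud

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    state: str   # "NEW" or "ESTABLISHED", as a stateful firewall tracks it

drop_log = []   # (reason, src, dst, dport): review this when tuning the allowlist

def evaluate(pkt):
    """Walk the rules top to bottom; first match wins, default deny for IoT."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # 1. Replies to connections already accepted, so the IoT device can answer your phone.
    if pkt.state == "ESTABLISHED":
        return "ACCEPT"
    # 2. Only the resolver may send DNS out; every other host must ask the resolver.
    if pkt.dport == 53 and src != DNS_SERVER and dst != DNS_SERVER:
        drop_log.append(("dns-bypass", pkt.src, pkt.dst, pkt.dport))
        return "DROP"
    # 3. Trusted hosts may initiate into the IoT network (IoT behaves like a DMZ).
    if src in TRUSTED_NET and dst in IOT_NET:
        return "ACCEPT"
    if src in IOT_NET:
        # 4. The resolver and its own network are reachable; no other internal network is.
        if dst == DNS_SERVER or dst in IOT_NET:
            return "ACCEPT"
        if dst in RFC1918:
            drop_log.append(("lateral", pkt.src, pkt.dst, pkt.dport))
            return "DROP"
        # 5. Egress only to approved vendor subnets; anything else is logged and dropped.
        if any(dst in net for net in EGRESS_ALLOWLIST):
            return "ACCEPT"
        drop_log.append(("egress", pkt.src, pkt.dst, pkt.dport))
        return "DROP"
    return "ACCEPT"   # trusted-to-internet policy is outside the scope of this post

def egress_review():
    """Destinations IoT devices tried but were denied: look up each one's owning
    subnet before deciding whether it belongs in EGRESS_ALLOWLIST."""
    return sorted({dst for reason, _, dst, _ in drop_log if reason == "egress"})
```

Run your IoT devices through their normal tasks, then work from egress_review() rather than from individual IPs, since vendor addresses move within their subnets.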

My IoT Security

I can’t stress this enough: you need to ensure least privilege on your network. IoT devices on my network are limited to 1Mbps, as they only need to perform minimal tasks, and this works fine for music. All devices, including IoT, must go to my DNS server, which utilizes ad blocking and blacklisted malicious domain name lists. They are not allowed to initiate communications with my internal trusted network; they can only respond to established connections. All IoT devices exist on a separate network, and this works fine for broadcasting to my TV, playing music, and listening to the news.