Some worries about mobile appliances and the Internet of Things

Recently a friend of mine set up a new audio system and decided to go for one of the popular Sonos alternatives. Helping him set it up brought up a few interesting questions, some of which I'll try to elaborate on in this post.

This won't be a comprehensive discussion of the development of the Internet of Things (IoT); that would result in a book rather than a blog post, and several articles have been written about the subject already, including this PC World article that sums up a few elements quite succinctly:

Vint Cerf is known as a "father of the Internet," and like any good parent, he worries about his offspring -- most recently, the IoT.

"Sometimes I'm terrified by it," he said in a news briefing Monday at the Heidelberg Laureate Forum in Germany. "It's a combination of appliances and software, and I'm always nervous about software -- software has bugs."

And that makes a nice introduction to one of the elements of the issue. Software has bugs, and some (actually a lot) of them affect security. Dealing with this requires, at the outset, three things:

  1. Software vendors need to be alerted to vulnerabilities and fix them.
  2. Users need a way to update their systems that provides integrity control and authentication (digital signatures).
  3. Users actually have to upgrade their systems.
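
Point 2 is the part that is easy to get wrong, so here is an added example of what "integrity control and authentication" of an update looks like in code. It is not code from the post or from any vendor: the Ed25519 signature scheme, the manifest layout (version followed by the SHA-256 of the payload), the in-process vendor key and the sample payloads are all this example's own assumptions. The device-side check rejects three things the page's three points imply: a payload altered in transit, a package signed by someone other than the vendor, and a validly signed but older package being replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for what a device downloads:
// the new software, the version it claims to be, and the vendor's signature.
type UpdatePackage struct {
	Version   uint32
	Payload   []byte
	Signature []byte // Ed25519 signature over manifest(Version, Payload)
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against the pinned vendor key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed one")
)

// manifest builds the byte string that is actually signed:
// big-endian version || SHA-256(payload). Signing the version together with
// the digest binds them, so an old, validly signed image cannot be relabelled.
func manifest(version uint32, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	m := make([]byte, 4, 4+len(sum))
	binary.BigEndian.PutUint32(m, version)
	return append(m, sum[:]...)
}

// NewVendorKey stands in for the vendor's signing key pair (assumption: in a
// real deployment the private key stays in the vendor's build pipeline and
// only the public key is pinned in the device firmware).
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the vendor side: sign the manifest, ship payload plus signature.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, manifest(version, payload)),
	}
}

// VerifyUpdate is the device side, run before anything is written to flash:
// authentication (signed by the pinned vendor key), integrity (the payload
// still hashes to what was signed) and anti-rollback (version must increase).
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(vendorPub, manifest(pkg.Version, pkg.Payload), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	vendorPub, vendorPriv := NewVendorKey()
	const installed = 1

	// Genuine update from the vendor: accepted.
	good := SignUpdate(vendorPriv, 2, []byte("firmware image v2 (constructed)"))
	fmt.Println("genuine update:", VerifyUpdate(vendorPub, installed, good))

	// Payload modified in transit: the digest, and so the signature, no longer match.
	tampered := good
	tampered.Payload = append([]byte("x"), good.Payload...)
	fmt.Println("tampered payload:", VerifyUpdate(vendorPub, installed, tampered))

	// Signed with somebody else's key: authentication fails.
	_, otherPriv := NewVendorKey()
	forged := SignUpdate(otherPriv, 3, []byte("firmware image v3 (constructed)"))
	fmt.Println("forged signature:", VerifyUpdate(vendorPub, installed, forged))

	// A validly signed but old package: rejected, so a known-vulnerable version
	// cannot be pushed back onto the device.
	old := SignUpdate(vendorPriv, 1, []byte("firmware image v1 (constructed)"))
	fmt.Println("replayed old version:", VerifyUpdate(vendorPub, installed, old))
}
```

The check is deliberately ordered so that the signature is verified before the version field is trusted: anything in the package, the version included, is untrusted input until the signature over the manifest has been checked.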

As we have seen as recently as the Stagefright vulnerability affecting mobile phones, there are failures on several of these levels even for a popular operating system such as Android. These failures stem from multiple sources, one of which is that cellphone vendors don't ship the latest available version of the OS across all the phones they sell.

There are reasons for this, mainly that the software shipped is often heavily modified with proprietary code to support the specific features of a specific phone, and that newer OS versions might not run on older phones due to resource constraints. That leads to a situation where cellphone vendors, if they are doing their jobs right at least, need to support security fixes across several branches and backport them.

This backporting is actually very difficult to do, because it requires a large security department to identify whether a software bug is security related and which branches it affects, and then to modify the source code on each of those branches, which may have different logic, to fix the issue. As such, the choice of cellphone vendor needs to include a consideration of their ability to track security upgrades across their phones, and of properly defined support cycles for the phones involved. This is why other software products have End of Life statements for when security fixes are no longer issued for a specific version branch.

Of course, these fixes don't matter if users don't update their systems to receive them. For cellphones this is actually one of the better parts; you see a much broader uptake of updates compared to, e.g., regular computers. But the part where the cellphone vendors fix things is sadly lacking, in particular because of the need to backport to old kernel versions.

Let's move away from the technical for a little bit and go back to the Sonos system mentioned initially. Ultimately consumers want things to be easy, and they want everything to communicate directly, e.g. using the cellphone to control the music playing in the living room. That is perfectly natural, but the easy way to accommodate it is to allow direct access between all network nodes. As described in my earlier blog post Your Weakest Security Link? Your Children, or is it?, this isn't necessarily a good idea; in fact, it is likely a very bad idea.

I started out mentioning Sonos as that is what prompted me to write this article, in frustration after trying to set up this system on a segregated, completely isolated network, where it kept requiring Internet access for software updates even before it would play music over the digital S/PDIF cable. This was supposed to be one of the easier setups possible: connected to the TV and to a multimedia computer running Gentoo Linux for things like streaming Netflix and HBO. I would never allow a "smart" application to run unrestricted on other appliances, and I very much like to lock it down as much as possible, using it as, guess what - a sound system. However, the constant requests for updates before it can be used mean that you open up a channel for data leakage out of your home. For now that means opening up this access specifically in the firewall rules whenever an update is necessary to proceed, but of course an attacker could make use of this and simply submit data along with the update request, as a batch job rather than streaming live.

Devices have bugs, and devices outside of your control are a particular worry. Let's face it: reading through an application's requests for access to information when installing a new one results in very few apps being permitted on my own cellphone, so can you expect others to ensure proper security hygiene with their own devices? Even my own devices of this kind are considered non-secured and should not be permitted access to the regular network. This means setting up an isolated network where they only have access to the services they are explicitly granted permission to, and not to each other, so that they cannot spread malware among themselves or monitor use.

We solved this in the setup this blog post started out with by creating a new WiFi network for appliances that does not have Internet access. You might ask "Why not?" and happily plug your "smart" TV into the regular network, but history has shown that this is a bad idea:

Samsung's small print says that its Smart TV's voice recognition system will not only capture your private conversations, but also pass them onto third parties.

And it is not the only device with the capability of doing so. The only way around this is complete network segregation and a security boundary that doesn't allow traffic (neither upstream nor downstream) unless you explicitly want to grant it.

Expecting users to properly configure their networks is, however, a pipe dream, and here comes an important issue. The less users care about their privacy, whether it is allowing recording devices in the living room or cellphones that snap photos without their knowing it, the more you are at increased risk. There is absolutely no doubt that the choices of other users influence your own security. That further requires reduced privileges on any network your guests are permitted into, or a more careful examination of the information you share (or not) with them given their inability to safeguard it, reducing your trust in them.

I'm worried about the continued trend of a lack of privacy and security focus, in favour of a focus on rapid functionality development and the increased interconnectedness and complexity of systems, without the focus on security and privacy that would ensure the architecture is sustainable.

Stopping this blog post for now, to ensure the rant doesn't become too long (or maybe that is already too late), but leaving it with a quote from this ZDNet article:

The Internet of Things is a safety issue, and therefore a business risk;
When you merge the physical and the digital, it's not just about InfoSec any more. People's lives could be at risk.


Your Weakest Security Link? Your Children, or is it?

A while back I came across a fairly good article on the need for awareness regarding children and computers. However, I miss a few paragraphs (or even chapters) on the steps that are necessary (even without children).

None of this is, of course, the children's fault, but it does provide a good opportunity to discuss computer security hygiene, and with it the lack of knowledge and focus on security and privacy in current and new generations.

To start off, the article that inspired this post: Your Weakest Security Link? Your Children - WSJ

What do you do when the biggest threat to your cybersecurity lives under your own roof?

It’s a fact of life online: a network is only as strong as its weakest link. For many people, that weakest link is their children. They inadvertently download viruses. They work around security to visit sites their parents don’t want them to. They run up huge bills using their parents’ one-click ordering.

Segregated WiFi networks
My largest concern with the article is that it does not mention the need for a WiFi guest network. You should never, ever, allow external devices outside your control, or lower-security devices like tablets and smartphones, directly onto your LAN. These devices simply don't need it and should be in a separate security zone on the firewall. If you need access to local resources, use OpenVPN to set up a connection from the WiFi zone to the LAN zone, or for certain other elements open up specific ports/applications to pass through.

My usual setup involves flashing a router/access point with DD-WRT (a Linux-based firmware). This allows setting up guest networks / virtual wireless interfaces (although not all devices will allow anything but public / WEP encryption, i.e. no WPA on the virtual interfaces; as these are by definition low-security zones, this is however fine). The most important thing is that the guest network

  • is AP isolated, i.e. does not allow traffic between individual devices on the network
  • only allows traffic through NAT to the WAN (Internet), i.e. not to LAN devices
  • has QoS enabled so as not to interfere with your normal use

The guest network should further be restrictive in what traffic it allows. Normally your visitors only require HTTP(S), POP3S, IMAPS, SMTPS, SSH (people shouldn't use unencrypted transport channels for reading mail, so the non-secured alternatives are blocked), and maybe a few other protocols, so the firewall should be restrictive as a starting point.

A proper network setup removes the primary issues discussed with children's devices being connected to the network. It's no better to allow other unsecured devices onto it, so why not do it properly in the first place?

In fact, with today's growth of the Internet of Things, you will also want a dedicated device network that is internal (no AP isolation, but no traffic allowed to the LAN or WAN) for the TV's communication with speakers etc. I simply don't get people plugging this directly into the regular network. That only leads to situations such as Samsung's voice recording / surveillance of everything you say.
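
The zone model described in this section (guest WiFi with AP isolation and a restricted port list, a separate appliance network with no LAN or WAN access, and core services reachable only through the VPN) is easiest to reason about before it is turned into router rules, so here is an added example that encodes it as a default-deny policy table with a decision function. It is not the post's configuration and not DD-WRT's rule syntax: the zone names, the treatment of the appliance zone (intra-zone traffic allowed, per this section, with the first post's "open it only while an update runs" exception modelled as a toggle), the OpenVPN port 1194 and the sample port numbers are this example's own assumptions. It covers both posts' networks rather than only the guest network.

```go
package main

import "fmt"

// Zone is one security zone on the home firewall (names are this example's own).
type Zone string

const (
	LAN        Zone = "lan"        // your own trusted machines
	Guest      Zone = "guest-wifi" // visitors' phones and laptops, children's tablets
	Appliances Zone = "appliances" // TV, speakers and other "smart" devices
	VPN        Zone = "vpn"        // clients that have authenticated to the OpenVPN gateway
	Core       Zone = "core"       // VM hosts and other core services
	WAN        Zone = "wan"        // the Internet
)

// Flow is a new connection attempt: source zone, destination zone and
// destination port (protocol details are left out to keep the model small).
type Flow struct {
	Src, Dst Zone
	DstPort  uint16
}

// Policy is the default-deny rule set; anything not listed is dropped.
type Policy struct {
	GuestWANPorts   map[uint16]bool // encrypted protocols guests may use towards the Internet
	ApplianceGrants map[Flow]bool   // explicit, temporary exceptions for appliances
}

const openVPNPort = 1194 // OpenVPN's default port; the gateway is assumed to listen here

// DefaultPolicy mirrors the guest-network rules above: HTTP(S), IMAPS, POP3S,
// SMTPS and SSH only. The plaintext mail ports (110, 143, 25) are deliberately absent.
func DefaultPolicy() Policy {
	return Policy{
		GuestWANPorts:   map[uint16]bool{80: true, 443: true, 993: true, 995: true, 465: true, 22: true},
		ApplianceGrants: map[Flow]bool{},
	}
}

// GrantAppliance opens or closes one explicit exception, e.g. HTTPS to the
// WAN for the few minutes an appliance's software update is running.
func (p Policy) GrantAppliance(f Flow, open bool) {
	if open {
		p.ApplianceGrants[f] = true
	} else {
		delete(p.ApplianceGrants, f)
	}
}

// Allow decides whether a connection may be opened.
func (p Policy) Allow(f Flow) bool {
	switch f.Src {
	case Guest:
		switch f.Dst {
		case Guest:
			return false // AP isolation: no guest-to-guest traffic
		case VPN:
			return f.DstPort == openVPNPort // the only route from the guest zone towards the LAN
		case WAN:
			return p.GuestWANPorts[f.DstPort] // NAT to the Internet, restricted ports only
		}
		return false // never directly into LAN, appliances or core
	case Appliances:
		if f.Dst == Appliances {
			return true // TV and speakers may talk to each other
		}
		return p.ApplianceGrants[f] // no LAN, no WAN, unless explicitly granted
	case LAN:
		// Trusted machines may use the Internet, reach the VPN gateway and initiate
		// towards appliances; core services are only reachable through the VPN.
		return f.Dst == LAN || f.Dst == WAN || f.Dst == VPN || f.Dst == Appliances
	case VPN:
		return f.Dst == LAN || f.Dst == Core
	}
	return false // WAN-initiated and core-initiated flows: default deny
}

func main() {
	p := DefaultPolicy()
	show := func(label string, f Flow) {
		fmt.Printf("%-32s %s -> %s:%d  allowed=%v\n", label, f.Src, f.Dst, f.DstPort, p.Allow(f))
	}
	show("guest browsing", Flow{Guest, WAN, 443})
	show("guest plaintext IMAP", Flow{Guest, WAN, 143})
	show("guest to guest", Flow{Guest, Guest, 80})
	show("guest to LAN file share", Flow{Guest, LAN, 445})
	show("TV to speakers", Flow{Appliances, Appliances, 1400}) // port chosen for illustration
	show("speaker phoning home", Flow{Appliances, WAN, 443})
	show("LAN straight to VM host", Flow{LAN, Core, 22})
	show("VPN client to VM host", Flow{VPN, Core, 22})

	// The update exception: opened only while the appliance updates, then closed again.
	update := Flow{Appliances, WAN, 443}
	p.GrantAppliance(update, true)
	show("update window open", update)
	p.GrantAppliance(update, false)
	show("update window closed", update)
}
```

Each `case` in Allow corresponds to one chain or zone pair in a real firewall; writing the table out this way first makes it easy to check that nothing reaches a zone by an unintended path before committing the same rules to the router.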

Disk encryption
Disk encryption is necessary in order to avoid the circumvention of security schemes using known passwords, as mentioned in the article. I remember in the good old days when NTFS first arrived, and how easy it was to brute-force SAM files. Without disk encryption, separating profiles (e.g. in Windows 7) won't help you, as anyone can boot a live OS (Linux ftw) and get access to all files, including configuration files. But quite frankly, multi-user systems are difficult to secure; hardware today is cheap, and you shouldn't let your kids use your own hardware in the first place, but set up their own systems for them.

Seven proxies
Be restrictive in what kind of data you allow to flow through your network. Use proxies, proxies, and even more proxies; filter all network access appropriately through firewalls; and, more importantly, make frequent use of jump servers / gateways.

If you are worried about certain types of virus intrusion, also get a firewall device supporting intrusion detection/prevention systems and an appropriate license to keep it updated. If you are concerned about your children's Internet use, all web traffic should also be forced through a proxy (such as Squid) at the firewall level.

Separate the core devices of the network and don't allow traffic into them, even from the regular LAN, without going through a jump server / gateway, e.g. using OpenVPN. I actually use this myself: for instance, even though I connect my laptop to the regular WiFi network, I won't get access to my virtual machines without being logged into the VPN. Only certain specified services are exposed by default.

Cloud services
Cloud services are great, I mean, truly: with the number of devices we have today, how else can we keep data available for our own use? The one caveat: you really, truly, REALLY MUST run the cloud service yourself. ownCloud is a great application for this use, with multiple clients across operating systems and platforms. File storage, calendar, contact information and a good news reader. Not much more to ask for, and if there is, there is likely already an app for it.

Don't ever allow friends or family to use iCloud, Dropbox, Google Drive or whatnot. Of course, promote using these services to your enemies; you might want to get access to their data some day.