Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Could A 'Smart Firewall' Protect IoT Devices?

Posted by EditorDavid on from the home-network-of-things dept.

To protect our home networks from IoT cracking, Ceaus wants to see a smart firewall: It's a small box (the size of a Raspberry Pi) with two ethernet ports you put in front of your ISP router. This firewall is capable of detecting your IoT devices and blocking their access to the internet, only and exclusively allowing traffic for the associated mobile app (if there is one). All other outgoing IoT traffic is blocked... Once you've plugged in your new IoT toaster, you press the "Scan" button on the firewall and it does the rest for you.
This would also block "snooping" from outside your home network, and of course, keep your devices off botnets. The original submission asks "Does such a firewall exist? Is this a possible Kickstarter project?" So leave your best answers in the comments. Could a smart firewall protect IoT devices?

4 of 230 comments (clear)

  1. Re:some rules by Giant+Electronic+Bra · · Score: 4, Interesting

    ALL you need are some CONVENTIONS. Every firewall that isn't utterly worthless already blocks ALL outgoing traffic. IoT devices should, by convention, expose their API on a specific and otherwise not typical port. This port can simply always be blocked, ALWAYS ALWAYS blocked on the firewall. Now, when you need to have some specific access from somewhere, then the firewall could act as an authenticating proxy, removing the need for IoT vendors to actually grok security (which is literally a hopeless hope, they never will). Assuming your wireless network is adequately secured, so that nothing gets on it that you don't want there, you should be pretty set. Further conventions could relegate all IoT devices to a separate specific VLAN, etc. The key point is, all the devices need to do is adhere to some VERY simple conventions that even half-assed software vendors can adhere to.

    Won't stop all problems, but it would make a damned good start.

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
  2. Re:some rules by fyngyrz · · Score: 3, Interesting

    set up a whole separate wifi network for them, would make it easier to monitor.

    That's the actual answer. Get them their own SLOW connection, their own firewall/router, and let them talk to anyone they want. Keep them the hell away from your in-house goodness. And FFS, secure your actual wifi network. Also, put the channels at opposite ends of the band (or in different bands, better yet.)

    --
    I've fallen off your lawn, and I can't get up.
  3. The answer is no, this is pointless by caseih · · Score: 3, Interesting

    Something about these recent DDoS attacks originating from IoT has always bothered me. And I think it's that many of these vulnerable IoT devices are already behind firewalls from the open internet. I'd wager that most people's thermostats, smart lights, sprinkerly systems, etc are all attached to their local WiFi, not the open Internet. So the question is, how were these devices compromised? I've not read anything on the internet that explains this, other then lists of default usernames and passwords. So I'm left with the conclusion that most IoT devices are hacked probably by malware on the local LAN from existing desktop computers. And the compromise occurs over services that are purposely exposed to the LAN, like a web interface. Of course compromised IoT devices then seek out and attack other IoT devices.

    But the point I'm getting at is that a firewall just isn't going to stop this from happening, since the exploited services are open to incoming connections (from the LAN) by design. Obviously a device on the open internet is stupid and needs to be firewalled. But on your LAN a custom little smart firewall is not going to do squat.

    The only vendors take security seriously and stop using default passwords and actively try to stamp out security flaws in the software itself such as buffer overruns, cross-site scripting flaws, or database injection, will IoT devices cease to become vulnerable. But I have my doubts these devices will ever be secured.

  4. Re:Ideally a manifest/profile from IoT makers... by grahamsz · · Score: 3, Interesting

    But how would that work for devices that aren't tied to a specific service? I have some neat little wifi devices that show up in spotify and let me stream to various speakers around the house. If i cut them off from the internet then they simply don't work. I'd have to manually identify every IP that spotify uses and there seem to be a lot of them. In the end I watched them, identified two chinese IPs that they do reach out to and simply blocked those two. In theory that should stop them pulling in new firmware which seems like the most likely way they'd be infected. (However I haven't been able to determine if it uses an DNS lookup to find them and if so then that means someone hacking the chinese manufacturer could easily route the dns to another server).

    The other thing that's really missing here is that this isn't really limited to iot devices. I'm sure in a year or two they'll be as secure as a typical windows machine and then the exploits will swing back that direction. Consumers that care about keeping their devices safe will do so, and those that don't give a fuck will see a slight improvement as time goes by.