Ask Slashdot: Could A 'Smart Firewall' Protect IoT Devices?

To protect our home networks from IoT cracking, Ceaus wants to see a smart firewall: It's a small box (the size of a Raspberry Pi) with two ethernet ports you put in front of your ISP router. This firewall is capable of detecting your IoT devices and blocking their access to the internet, only and exclusively allowing traffic for the associated mobile app (if there is one). All other outgoing IoT traffic is blocked... Once you've plugged in your new IoT toaster, you press the "Scan" button on the firewall and it does the rest for you.
This would also block "snooping" from outside your home network, and of course, keep your devices off botnets. The original submission asks "Does such a firewall exist? Is this a possible Kickstarter project?" So leave your best answers in the comments. Could a smart firewall protect IoT devices?

Ideally a manifest/profile from IoT makers...

[mlts]

Ideally, there should be a profile/manifest IoT makers have as standard with their devices. This shows what incoming/outgoing ports and hosts the IoT device communicates with. Everything else should be blocked as default from the router. This should be in some central registry or a standardized URL system, so a home firewall could, once it recognizes a certain IoT device, grab a profile and run with it.

Of course, a lot of IoT makers would just put in that the device takes incoming/outgoing traffic from anything and everything, but hopefully there might be come makers who give a shit enough about security to put in limits of what their devices can and do not try communicating with.

This way, a firewall, once it registers a device can automatically apply a profile and call it done. Of course, there are security issues, but this is a giant step forward, compared to letting the device have unfettered access in and out.

Re:Ideally a manifest/profile from IoT makers...

[MobyDisk]

I love that idea! It's like FDA labeling laws, but for electronics. It would be totally cheap for the manufacturer to do, and it would make it totally transparent as to which devices are total crap. And if they lie, they could be liable for it at LEAST under false advertising laws. Now that you say this -- why the heck haven't we done this before? It seems so simple and obvious.

This device communicates on the following protocols:
IP address | Protocol | Destination
.
.
.

Re:Ideally a manifest/profile from IoT makers...

[mlts]

If the maker puts in an IP address or DNS host, they are responsible for it, so it would be about the same risk as a company ninja-flashing an Android phone to double as a USB zapper. A manifest would make it at least known that the maker did vouch for the IP address.

There are many issues with this manifest system, be it who validates signatures, how do the firewalls grab devices, how are manifests updated and how is a firewall admin presented with updates. However, this is far better than nothing, as as of now, nothing is exactly what IoT security is.

Re:Ideally a manifest/profile from IoT makers...

[ArmoredDragon]

This wouldn't work. As soon as malware infiltrates the device, it could make the manifest say whatever it wants.

Re:Ideally a manifest/profile from IoT makers...

[Bing+Tsher+E]

The IoT device is installed in a home, and writes the 'manifest' to the firewall device at installation. If it ever changes, the firewall would immediately know.

Re:Ideally a manifest/profile from IoT makers...

[ITRambo]

Excellent point. I wish this would take off. I hate the current IoT ease of hacking.

Re:Ideally a manifest/profile from IoT makers...

[grahamsz]

But how would that work for devices that aren't tied to a specific service? I have some neat little wifi devices that show up in spotify and let me stream to various speakers around the house. If i cut them off from the internet then they simply don't work. I'd have to manually identify every IP that spotify uses and there seem to be a lot of them. In the end I watched them, identified two chinese IPs that they do reach out to and simply blocked those two. In theory that should stop them pulling in new firmware which seems like the most likely way they'd be infected. (However I haven't been able to determine if it uses an DNS lookup to find them and if so then that means someone hacking the chinese manufacturer could easily route the dns to another server).

The other thing that's really missing here is that this isn't really limited to iot devices. I'm sure in a year or two they'll be as secure as a typical windows machine and then the exploits will swing back that direction. Consumers that care about keeping their devices safe will do so, and those that don't give a fuck will see a slight improvement as time goes by.

Re:Ideally a manifest/profile from IoT makers...

[grahamsz]

At which point the consumer would see "Hey, your lightswitch wants permission to send a whole bunch of traffic to a random server" and they'd approve the change like they always do.

Re:Ideally a manifest/profile from IoT makers...

[Gavagai80]

Is there really a need to allow the manifest to be updated? It's not as if IoT device makers are in the habit of giving customers free software updates that enable new features, you're supposed to throw it out and buy the next device for that.

Re:Ideally a manifest/profile from IoT makers...

[vux984]

Actually, It could be like antivirus or an adblocker where you subscribe to a service of your choice to provide you your device profiles from a database of devices... seeded by manufacturers, by volunteers, etc, etc... and not just IoT -- i think a system like this could work for mobile phone permissions and even desktop application firewalls.

Re:Ideally a manifest/profile from IoT makers...

[NotAPK]

This will mitigate scenarios where the device has an open Telnet port for "factory testing" that is not turned off once it goes out in the field.

However, a lot of exploits are in the semi-custom protocols these IoT makers are hacking up themselves. Those vulnerabilities are not mitigated by firewall protection in any way.

Re:Ideally a manifest/profile from IoT makers...

[CountBrass]

So your solution to securing incredibly insecure IoT devices is to allow those incredibly insecure IoT devices privileged access to the security device that polices access to your network.

This is why you don't let novices come up with security solutions.

Re:Ideally a manifest/profile from IoT makers...

[cheetah_spottycat]

This is called UPNP, and is exactly the problem why so many devices are reachable through the internet while their owners don't suspect a thing.

Re:Ideally a manifest/profile from IoT makers...

[mlts]

Then the device gets compromised, tells the firewall to do allow everything as the manifest, and the fun begins. It might be that the device presents a signed (and a CA system is a solved problem similar to signed executables) manifest, allowing the device access, but if the signature chain isn't valid, it would be ignored.

Of course, this causes the issue of who controls the CA chain to rear its ugly head, because who becomes the root CA now has the keys to the kingdom that all the IoT makers must defer to. However, it can be argued that this is better than nothing.

Re:Ideally a manifest/profile from IoT makers...

[AmiMoJo]

As long as Spotify configured its DNS servers correctly it shouldn't be a problem for the firewall to identify all the IP addresses that the devices need to communicate with.

Ideally some kind of identity information for each domain would be included in the manifest, so that the firewall can automatically check that it hasn't changed before allowing access. 5, 10 and 15 years down the line a lot of these domains that provide firmware updates or control services will be long gone so there must be a way to revoke access automatically when that happens.

Re:Ideally a manifest/profile from IoT makers...

[AmiMoJo]

Just don't allow it to ever be changed. There is no good reason why it ever would need to change - if the manufacturer can't manage their domains properly, it's not up to us to support that.

Think of it like car safety. In many jurisdictions the car will not allow you to drive it if certain safety features are not working, mandated by law. Some of the features are to protect other people, pedestrians in particular.

Re: Ideally a manifest/profile from IoT makers...

[NotAPK]

But won't do anything for protocol issues.

A lot of the IoT devices use port 80 and run some kind of HTTP client or server protocol. *Nothing* you do at the router is going to protect you from anything related to these kinds of crap-fest devices.

Re:Ideally a manifest/profile from IoT makers...

[Bob+the+Super+Hamste]

Those vulnerabilities are not mitigated by firewall protection in any way.

How? It isn't like manufactures of these dumb little devices are implementing things at ore below layer 4 of the OSI model so why wouldn't a standard firewall be able to block their crap. At worst it would be some custom protocol running on some random port using TCP. If they did go and create their own custom layer 3 or 4 protocol it would likely be blocked anyway as what networking device would understand bullshit protocol 862 from ChinaTrashCo. If you are referring to running some BS over HTTP that these shitty devices typically do you could always limit the source and destination of their traffic which is what one should be doing anyway. That would stop a lot of the issues with these devices if all of a sudden they couldn't send data off to any random server or get command from random servers. If you want more protection you can always drop something like snort in IPS mode in between and either wait from someone to create some custom rules or figure it out your self and write some rules your self.

Re:Ideally a manifest/profile from IoT makers...

[NotAPK]

Sorry, I meant you can block the functionality completely, but once you want to make use of those features you'll need to allow firewall access and by that point a lot of the vulnerabilities rest with the protocol.

Re:Ideally a manifest/profile from IoT makers...

[Ceaus]

Excellent idea. A manifest file would make it much more manageable. Bonus points for this one.

Re:Ideally a manifest/profile from IoT makers...

[hAckz0r]

Many baby monitors and security cams automagically punch a hole through your home router using Plug-n-play, which is a very bad idea for home security. On the surface thsi doesn't sound much different than what you propose, only I think your profile idea likely was meant to place additional restrictions on how that hole is to be managed. Once the router opens a hole for a device almost anything can flow through that hole unless the router does deep packet inspection, and any SSL used to make that connection safe would likely prevent that. IP and port numbers is what the router can easily manage.

I would think the profile idea would be a sound one, if it created a restricted vpn between known devices. But then that requires user intervention to configure what is allowed to connect to it. Without that information it should be a default deny policy to that port/ip. What I think we need is a simple API used to make associations between user IoT devices that are permitted to talk, and let the routers work out the details of how they communicate. Make it very simple for the non security aware user, to just point and click on registered devices that they own and assign a profile of permissions for non-owned devices to connect to. Let the routers having that API work out the cryptographic key exchanges with all devices on the IoT network.

Re:Ideally a manifest/profile from IoT makers...

[Bob+the+Super+Hamste]

Unless you have a terrible firewall device one would still be able to limit the inbound and out bound connections of IoT devices so that they are only allowed to connect to approved service providers. It isn't like I expect an IoT thermostat to be contacting some random porn site but I would expect it to interact with what ever cloud service allows my phone to remotely set the house temp with an app. Yes there may be issues from their crappy protocol but one can dramatically limit the problems by only allowing the device to talk to approved servers. This dramatically lowers the attack surface

Then again I haven't used the stock consumer firmware on a home router in years so I don't know what the current state of that is as I just drop OpenWRT on them and properly configure things. I know I can port forward inbound traffic from a specific host or set of hosts from the outside to a specific host inside but the say any outside host not in the approved list gets blocked. Same thing with traffic on the outbound side, I can filter at the firewall based off of source and destination IP and port. Some hosts on my network can only send one type of traffic out, others can send everything. For example my time server is allowed to send and receive traffic on UDP 123 but it receives nothing else from the internet and can't even send anything else out to the internet, yet my main desktop can send out anything and receive back only on established connections, while my NAS is cutoff from the outside world.

Re:Ideally a manifest/profile from IoT makers...

[unixisc]

Just as Ethernet devices have MAC addresses which are mapped to IP addresses, can't the same thing be done for IOT? Have a 256-bit ID of sorts which can be mapped to the IP address that it's assigned at any given time by the DHCP server. This ID can have different bits preassigned to define the type of device (fridge, car, garage door, et al), manufacturer, other interesting spec details, if any, and a serial number.

That way, whenever my phone needs to access it, it calls my home network and asks it to poll the ID of the garage door. The DHCP server performs an inverse lookup of that ID, returns the IP address to my phone, and enables it to contact the garage door directly.

Re:Ideally a manifest/profile from IoT makers...

[MobyDisk]

I do not understand the questions. I will try to answer.

But how would that work for devices that aren't tied to a specific service?

Any labeling system has standard lingo. When labeling food for example, vitamin content is listed as a % of the estimated daily value required for an average adult. Protein however is listed in grams. Terms such as "Yellow #5" are standardized. The same would happen when labeling your speakers. When a device is listening, we would need to have a term for "I listen on all IPV4 addresses" and "I listen on the local IP multicast address." If you've ever written socket code, there are already standards for these. We would need other standard terminology for payloads.

When you open the box, you would see a little piece of paper that says "This wifi speaker system communicates on the following protocols:"
IP4ANY | RTCP+TCP/UDP | 554 - 556 | LAN realtime streaming service for receiving audio; PCM audio data, device name, model number
*.spotify.com | HTTPS+TCP | 443 | Internet streaming service for receiving audio; PCM audio data, device name, model number
*.manufacturer.com | HTTPS+TCP | 443 | Firmware update service; sends model number, firmware version, device name, last update date

Hopefully it would not say:
*.centralmonitoringservice.cn | HTTP+TCP | 80 | Remote video monitoring and tunneling service; sends video, wifi password, user name, email address, device name

And the OP was saying this information is also coded into the device, in some standard machine-readable way.

If i cut them off from the internet then they simply don't work. I'd have to manually identify every IP that spotify uses and there seem to be a lot of them

This is where I am confused. Why would you need to do that?

My interpretation of what mlts proposed is kinda like what UPnP does. Today, UPnP already has a way for a device to request that the firewall open a port. I don't think it is super broadly used because security wasn't really considered when UPnP was designed. It is part of why some people just universally turn off UPnP on their routers. But my knowledge may be totally out of date. I didn't interpret mlts to be saying that all outgoing communication was turned off by default, and that the owner of the firewall would need to manually whitelist sites. That would be secure, and you could certainly do that today, but that won't be convenient for the end-user. One could certainly make a "friendlier" firewall that made this a bit easier, kinda like how personal firewall software works. "Hey, device WIFI_CAMERA_1234 wants to talk to nsa.trustme.cn. Allow Y/N?" :-)

Re:Ideally a manifest/profile from IoT makers...

[Gavagai80]

It may not be elegant, but is there any reason they coudn't have proxied the new weather underground data through the original server?

Re:Ideally a manifest/profile from IoT makers...

[lsatenstein]

With the proliferation of IOT devices, it is time to consider a separate Internet. Let these devices talk to their cellphone provider and your cellphone app, but keep it separate (for security reasons) from the Universal internet that we will be losing, as Trump gets the network neutrality concept squashed.

Trump is not for the working stiff, but to stiff the working. He is for BIG business. Fxxx the small entrepreneur.
I believe that the IOT device proliferation will eventually cause havoc with internet security.
I believe that the IOT device proliferation will eventually cause havoc with internet security.
I believe that the IOT device proliferation will eventually cause havoc with internet security.
I believe that the IOT device proliferation will eventually cause havoc with internet security.

got my message? Remove the word eventually from the above sentence.

some rules

[drinkypoo]

All you really need is... some rules.

If you have an openwrt, dd-wrt or similar router, you can definitely block whatever traffic you want without new hardware.

You can whitelist devices by IP or MAC and not permit anything else to generate egress traffic, which won't prevent against devices smart enough to spoof your IP and MAC sending data but which will defeat the casual attacks.

Re:some rules

[grahamsz]

I've corralled mine into a dhcp space, but it might be safer just to set up a whole separate wifi network for them, would make it easier to monitor.

Still it's trickier for things like the chromecast or airplay-type devices, because they both interact with phones and laptops on the local network and need to connect directly to streaming sources on the internet.

Re:some rules

[vawarayer]

If you have an openwrt, dd-wrt or similar router, you can definitely block whatever traffic you want without new hardware.

Not even need some specific open-sourced firmware. Just any home router / NAT / firewall can do that. Don't need smart devices, just smart people to configure it properly...

Re:some rules

[Giant+Electronic+Bra]

ALL you need are some CONVENTIONS. Every firewall that isn't utterly worthless already blocks ALL outgoing traffic. IoT devices should, by convention, expose their API on a specific and otherwise not typical port. This port can simply always be blocked, ALWAYS ALWAYS blocked on the firewall. Now, when you need to have some specific access from somewhere, then the firewall could act as an authenticating proxy, removing the need for IoT vendors to actually grok security (which is literally a hopeless hope, they never will). Assuming your wireless network is adequately secured, so that nothing gets on it that you don't want there, you should be pretty set. Further conventions could relegate all IoT devices to a separate specific VLAN, etc. The key point is, all the devices need to do is adhere to some VERY simple conventions that even half-assed software vendors can adhere to.

Won't stop all problems, but it would make a damned good start.

Re:some rules

[fyngyrz]

set up a whole separate wifi network for them, would make it easier to monitor.

That's the actual answer. Get them their own SLOW connection, their own firewall/router, and let them talk to anyone they want. Keep them the hell away from your in-house goodness. And FFS, secure your actual wifi network. Also, put the channels at opposite ends of the band (or in different bands, better yet.)

Re:some rules

[rjune]

Rules - that is the key. I have a DVD player that is networked so we can access Netflix. The question is, what access does this device need? When we want to watch something, we request access through the device, so it needs to tell Netflix what to stream, and it needs access to receive our movie. I think the hardest part of setting up a firewall is going to be figuring that out. The DVD player is old, but it can access at least a half-dozen services. The same information would be needed for every service that one uses. A raspberry pi sounds ideal - I have a Netgear router that works fine, so I don't want to load new software. Has anyone written rules to protect IoT devices?

Re:some rules

[WhiteKnight07]

Not even need some specific open-sourced firmware. Just any home router / NAT / firewall can do that. Don't need smart devices, just smart people to configure it properly...

Hi. Welcome to the internet. You must be new here.

Re:some rules

[silas_moeckel]

I have no problems getting all my IoT devices to work just fine when they have in general no internet access. In my case it's a seperate vlan with firewall rules.

The problem is the cloud push to do very little onsite and send a lot of data into the clod while accepting C&C from it. Look around and plenty of devices that work locally.

Re:some rules

[TheRealMindChild]

This is bullshit and I will tell you why. Most of this crap communicates over port 80. Block port 80 and you block it all. Keep it open and it is just as exploitable as it ever was. You would need something that could inspect the contents of the traffic. However, if it can inspect the contents of the traffic, you have already failed. All communications should be done over an encrypted connection.

Re:some rules

[TapeCutter]

Don't need smart devices, just smart people to configure it properly

Smart devices are easier to make than smart people.

Re: some rules

[TheRealMindChild]

"Lol". So your consumer grade router will work on a whitelist only basis, and intelligently whitelist wherever you would be connecting from when connecting to your IoT crap, while filtering malicious devices from the same location? Please.

Re:some rules

[aaarrrgggh]

Novel idea here... 3!!! SSIDs: general purpose devices, untrusted devices, and DMZ devices. Easy enough with DD-WRT or UBNT gear. The practical challenge is getting the broadcast traffic mirrored to the general purpose VLAN, but there are tools for that as well.

Re:some rules

[aaarrrgggh]

With DPI, you can make a firewall rule to allow media services applications. You can do it on a $50 EdgeRouter-X painlessly.

Re:some rules

[CrashNBrn]

Something like this Dual Band Wi-Fi Range Extender, Repeater, Wall Plug w/ Ethernet Port.

Then run the IOT on the child network.

Re: some rules

[JaredOfEuropa]

And most importantly: set rules for which device can go where on 80. Your desktop can have it all, whereas your IP camera is allowed access only to the IP address of the remote access service. Sure, a compromised device could spoof its IP or MAC address and still get out, but... it will have to be infected in the first place. And a well configured firewall will make that much harder.

Re:some rules

[JaredOfEuropa]

It's not about the rules, but about setting them up. You can, but can your grandma? That's the lithmus test of the proposed device. You need a device that can figure out the rules by itself, or that makes it dead easy for people to configure it.

As someone suggested in an earlier post: have IoT devices carry a manifest (both printed on the box and in software) of the addresses / ports it needs to access. If we'd have a protocol for this, it could ask the router for that access automatically and prompt the user to visit the router and review / accept the requested access. That's something that grandma would be able to do...

Re:some rules

[msauve]

"Block port 80 and you block it all. Keep it open and it is just as exploitable as it ever was."

You have a really, really crappy firewall if it can only block ports without considering the specific IP(s) the traffic is from/to.

Re: some rules

[TheRaven64]

Okay, so IoT vendor X is using AWS and Azure for their server-side hosting. Where do you get the list of all valid AWS and Azure IPs to whitelist? How do you keep it up to date? Does your cheap router have enough space in its tables to match against those (large, non-contriguous) ranges without imposing a performance penalty?

Re:some rules

[Giant+Electronic+Bra]

Yeah, that's true of course. The problem is most devices envisage remote operation, and for many it CAN make sense. Quite a lot of them also expect to be able to push data up into the cloud for whatever reasons. Many also perform remote updates. It would of course be perfectly reasonable to allow devices to designate a single external point of contact which they can initiate, and obviously your firewall/LAN setup can easily deal with that. That will still leave some potential vectors for attack, but they would require considerably more effort, not something a botnet that spreads automatically would be able to muster.

Re:some rules

[Gr8Apes]

Smart devices are easier to make than smart people.

Apparently not, the devices are as dumb as the people making them.

Re:some rules

[Gr8Apes]

The problem is that 99% of IoT devices do NOT need cloud access to function. The manufacturers would like you to use their (soon to be) charged for services, because that's more revenue for them. Overall, that's a really bad idea. I have tons of IoT devices. None are able to connect outside the LAN and they work just fine.

Re:some rules

[thegarbz]

You're very quickly falling into a trap of making assumptions about the devices and the applications.

Every firewall that isn't utterly worthless already blocks ALL outgoing traffic.

So every firewall on every home network then.

IoT devices should, by convention, expose their API on a specific and otherwise not typical port.

The same could be said about a computer. IoT devices like computers are equally multi-purpose. You expose the API on a port. Great now you have an open port. That port requires two-way communication for configuration, now you have an entry point. In that entry point you just need a bit of poor input checking with some remote code execution vulnerability and now you have yourself an exploit, a device, and an open port to the internet dropping you right back to where we all were in the first place.

You say it won't stop all problems? I'm more thinking it won't stop any.

The big downsides to consumer based IoT (as opposed to stuff that does something more useful than turning on your lights or adjusting your thermostat) is the lack of a local context. All these devices are managed from the cloud presumably by some infallible God, and you wouldn't want to cut off these devices from their God who straight out of the box asks you to punch holes in your firewall.

What is really needed is to get away from a default of always on, always open, always talking to the cloud devices. IoT devices should be like home routers are to a large extent now. They come with saner defaults than the past and with more restrictive settings out of the box, but they do work. But in a world where vendors are hard coding backdoors in their APIs for convenience you're SOL doing anything about it at a firewall other than bricking a device by cutting it off from the internet.

Re:some rules

[Giant+Electronic+Bra]

That's an overgeneralization. It also doesn't take into account that there are a LOT of possibilities that are short of 'you can just access the whole internet'. Any Firewall can restrict outgoing traffic to specific destinations. It can restrict incoming connections equally. It can force a login through a proxy, which can thwart any backdoor. More sophisticated devices can recognize malicious behavior and put a stop to it. There's plenty that can be done.

Re:some rules

[Ceaus]

And who is going to write the rules? Jack? Jill? The manufacturer of the wifi router? The whole idea is to off load this away from the end consumer.

Re:some rules

[silas_moeckel]

Sure lots of things want to connect to the internet, take my garage door interface. They sell their own services to let you via the cloud open/close the door and get alerts if it's left open etc etc. It has a local API, it connects to my IoT vlan and can not get out the door. Yet that means it never gets any possible firmware updates (would have to check if there is a way to upgrade via the api/local interface) but for a wired device on an isolated vlan at worst it's a way to get into that vlan via RF or able to open the garage door (and set off the alarm). The local API gives me all they would sell me and a lot more.

Re:some rules

[Bob+the+Super+Hamste]

Why coulnd't I have a set of rules that says:
Allow established connections
Shitty_IoT_Device1 is allowed to send data on port 80 only to Shitty_IoT_Manufacturer1
Shitty_IoT_Manufacturer1 is allowed contact Shitty_IoT_Device1 on port WhatEverListeningPort
Shitty_IoT_Device2 is allowed to send data on port 80 only to Shitty_IoT_Manufacturer1
Shitty_IoT_Manufacturer1 is allowed contact Shitty_IoT_Device2 on port WhatEverListeningPort
Shitty_IoT_Device3 is allowed to send data on port 80 only to Shitty_IoT_Manufacturer2
Shitty_IoT_Manufacturer2 is allowed contact Shitty_IoT_Device3 on port WhatEverListeningPort
My_usefule_Devices are allowed to send data on port 80 and 443 to anywhere
...
Block everything not allowed

Seems like a rule set like this would work fine and isn't all that different from how I treat wireless mobile devices on my home network. They are all limited in what they can access and are separated from the wired network.

Re:some rules

[silas_moeckel]

Hells most of them should not be on wifi, zwave etc etc is plenty fast and a better network. A dimmer needs a IP stack like a whole in the head. If you need that much speed it better be running artnet or similar not https connections to the cloud. The vast majority of this stuff has data use measured in bytes per day maybe KB if it's gathering power usage data.

Re:some rules

[thegarbz]

Recognition of malicious behavior is probably the key. But restricting source and destination of traffic from a device that is to be controlled from anywhere and spits data into a magical cloud is a non-starter.

Well okay most devices use some authentication that means you're not literally controlling the device form anywhere, but you will be using something from the cloud and back to the cloud. Which magically spun up instance from a dynamically assigned resource from some datacenter in some place in the world is going to talk to your device today? Anyone's guess.

Re:some rules

[Gr8Apes]

To drive them from custom controlling apps requires some kind of access. Now most of mine are ZWave connected through a hub, but that hub is connected to a locally run app, not the cloud.

Re:some rules

[silas_moeckel]

I've got a bit less zwave and a lot of homebrew but same difference. Used vera as the local hub and went to openhab but same sorts of things lots of local control.

Re:some rules

[Giant+Electronic+Bra]

Often the question if there's some sort of client for the local API or not. Obviously if its just a web service, which most are, then its probably not hard to create one, but most people just want plug-n-play. So I'd say the firewall that limits traffic to only the IP of the cloud service, both ways, makes sense. You may need to tweak it now and then as the provider changes IPs perhaps, but it should generally work.

Re:some rules

[silas_moeckel]

Or just dont buy junk that only works via the mother ship.

Firewalls

[gregraven]

We have the Cujo appliance, which seems to catch bad network traffic, and Fing has a Kickstarter/Indiegogo hardware project in the works to go with the Fing software.

A strong firewall

[fred911]

https://en.wikipedia.org/wiki/...

How is this different from any firewall

[Paul+Carver]

I'm pretty sure that this "smart firewall" is more commonly known as a "firewall". Any firewall that can't block traffic can't legitimately be called a firewall at all.

Re:How is this different from any firewall

[johnjones]

exactly its just a firewall with IDS...

scary...

Re:How is this different from any firewall

[AHuxley]

It all works well until the user lets the internet see a device and a device see the internet so it will finally work on their phone or on another computer.
That ramp up of packets out is hard to stop if its left wide open for CCTV been recorded on an internal network but it then becomes part of a swarm flooding an ip in another nation.
Users with click on anything in a GUI to finally get something networked but then feel safe they have hardware securing their network.
AV is really the better step. Try all the common pw/usernames on all local network devices and report issues to the user.

Re: How is this different from any firewall

[gravewax]

still nothing new. Firewalls that have builtin app/protocol/stateful inspection smarts are a dime a dozen and have been around.... well for at least as long as I have been professionally playing with/configuring firewalls (17 years). The same goes for devices, hell my home router even detects connected device MAC's and names so you can select them for rules.

Re: How is this different from any firewall

[skids]

The dime-a-dozen solutions are not up to this task. It would require a subscription to an actively maintained (by the manufacturer or a third party security shop) set of behavioral profiles and updates for when the cloud/app vendors switch things around unannounced. What we're talking about here is the ability to differentiate between typical behavior and aberrant behavior. Such exists in the professional NGFW space, mostly. Note that IoT devices generally do not take direct inbound connections through uPnP ports (there are advocates in the industry, but you know... herding cats), they establish persistent/polling outbound connections to cloud services. So you need to know what two-hundred cloud IP addresses each device should be allowed to connect to both now, and next Tuesday, and figure that out by sniffing the device's traffic, bot for the current firmware version, and future ones, and for products that do not exist yet.

A home product would be possible, but would need to be auto-updated frequently with policies made by a lot of paid professionals. A few of the NGFW vendors have started to size down towards the home-office market, e.g. the PA-200 series. Decidedly not open source, however. pfSense is not quite there yet feature-wise.

Now, if previous posters suggested. all IoT devices adhered to a standard to make this easier, it would not need as much support, but I'm not holding my breath for that... there are so many standards to choose from and its too easy to roll your own.

Re: How is this different from any firewall

[grahamsz]

Plus at that point wouldn't a good heuristic firewall be nearly as helpful. Something that could say "yo, this sprinkler controller is trying to send out lots more data than it normally does" would probably work almost as well but not need the ongoing configuration.

Re: How is this different from any firewall

[skids]

To some extent that might work, until the IoT vendor updates the firmware or cloud service to legitimately send more traffic than it normally used to.

Re:Does anyone else think...

[Great+Big+Bird]

No, I think people of all ethnic persuasions could have this issue. Bravo for bringing race into it, do you have any particular list of people you want to express outrage for on their behalf? Because no, they can't speak for themselves. This white devil here forgot to check his privilege on the way in, I am so sorry about that.

mssp

[jbmartin6]

Sounds like you want to spin up a managed security provider for home users, to manage their gateways. It's been tried before, but not enough people want to pay for it. Much easier and more economical to just get large ISPs to do it. All we need is the right leverage. As Bruce Schneier observed, it is in part a problem because the device manufacturers and the home users really don't have a strong motivation (yet) to do anything.

Re:mssp

[nnull]

Most home owners don't care. They want to plugin their device and use it. They don't worry about security or even care about it most of the time because they don't understand it at all. When you make your device to restrictive, they complain.

Re:mssp

[AmiMoJo]

If we create a standard via RfC for it, and routers start to implement it, then in a few years it will become prevalent like WPS and UPnP did. You don't need 100% coverage for it to be useful. Manufacturers can sell it as a feature, "IoT Security(TM)" or whatever.

ISPs will soon upgrade the free routers that they gave to their customers if it prevents their networks becoming massive botnets and cuts down on support costs.

Social problem, not technical

[Areyoukiddingme]

As is so frequently the case, you're trying to solve a social problem with a purely technical solution. Would such a device work? Of course. Would many of the dozens of existing router products work, if properly configured? Yes. Does any of this matter? No. People don't care what devices on their network are doing as long as they appear to mostly be doing what they want. If they're doing other things, people are completely oblivious, and get petulant if you point out their ignorance.

The only market-driven solution is for Apple to make an IoT router and instruct all their fanboys to buy it for $400. ($600 for the gigabit capable one.)

The only real solution is the same as for every other tragedy of the commons. But that requires a competent legislature interested in doing its job, rather than a rabble of moronic sycophants of industry only competent at being elected.

Re:Social problem, not technical

[Ceaus]

Yes, I've seen this argument before. And it's a strong argument to that. And I don't really know how to approach this. I like the idea of a manifest file i.c.w. an RFC. Perhaps this will work in getting it into the field without bothering grandma.

Re:Social problem, not technical

[JesseMcDonald]

The only real solution is the same as for every other tragedy of the commons.

You mean privatize the commons? That's a good idea, except in this case it would be redundant. There is no commons. Every part of the Internet infrastructure is already privately owned. People just don't see it as worthwhile to set strict rules on how their respective portions of the infrastructure are used, which suggests that such rules would not be economical to implement or enforce, i.e. implementing them would be a net loss for society.

Why yes! There is. It's called

[RightwingNutjob]

not plugging your fucking toaster into the internet so it cat tweet out whenever your toast is done.

Re:Why yes! There is. It's called

[Anubis+IV]

not plugging your fucking toaster into the internet so it cat tweet out whenever your toast is done.

I don't know whether you're talking about a toaster that tweets cat pictures or a toaster that tweets to cats when the toast is done, but either way I agree that it's a step too far (though I don't see the relevance to the topic at hand).

Back on topic, everyone knows you should use IFTTT to connect your toaster to the IoT, that way you can log your toasting activity to a Google Spreadsheet, active your Nest thermostat, initiate your coffee brewing, and share your #toastselfie across 72 social networking sites simultaneously. As you're no doubt aware, enabling people to do so is a vital service to the community, because it allows rampant narcissists to self-identify so that the rest of us can cull those relationships.

I think this would be a major challenge

[eth1]

One of the things I do for a living is write firewall policy. We use Palo Alto gear, which seems to be some of the best available at automatically identifying what stuff is.

Even with a company like that behind the gear spending a lot of time and money keeping things up to date, it doesn't know about every little thing it sees.

Another challenge is that this device would need to be able to do SSL forward proxy for everything, or all it will know is there's an ssl connection to somewhere (although you can use information in the server cert to make further guesses). That means somehow getting a signing cert onto the device that all of the IoT things trust. Good luck.

Re:I think this would be a major challenge

[AHuxley]

"CIA Chief: We’ll Spy on You Through Your Dishwasher"
https://www.wired.com/2012/03/...
and the UK having its Investigatory Powers Act 2016https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016 with equipment interference.
With so many mil and gov groups now interested in the IoT what can any firewall be ready for?
Be able to look for alterations, strange pushed updates not from the user, developer?
Re 'That means somehow getting a signing cert onto the device that all of the IoT things trust." would be good for GUI clicked update requests.

Smart part is auto-config

[SuperKendall]

Yes it's just a firewall.

The smart part would be it only acts as a firewall for IoT devices (welbcams, toasters, receivers) - basically anything with embedded networking in the user would not think to monitor. And it would know what app traffic to allow to connect to the device externally...

Someone like you or me can easily just configure a firewall to do whatever. But such a device would be great to be able to point non-technical (or even technical but uninteresting in networking) friends and family at.

I don't know how you could have anyone non-technical be able to easily add this to an existing network though...

VPN only

[manu0601]

Such a device could turn IoT device connectivity into an on-demand VPN only setup.

Of course, having to fire a VPN client before interacting with the IoT device would be a hassle, but perhaps that could be made automatic. Another problem is that some IoT devices are useless if not connected to the cloud.

Re:VPN only

Luddite here: why should it be necessary to access "the cloud" to set a thermostat or change channels on a TV? That's the kind of thing that normally should only be accessible locally either manually or with an app communicating locally (same local network), and the only "cloud" access should use well-defined ports and protocols, with encryption (ideally, VPNs), to specific servers for backup of setting and remote overrides. Even then, there should be some way of confirming the changes before they happen, and of blocking access by the local devices without having to spelunk through router settings looking for the most cryptic device name possible on some IP address. And they should be able to work normally (except for remote access) when disconnected. IOW, there has to be an ability for manual or local-app management without cloud access. In fact, the DEFAULT should be local access only.

Yes, I know, connected toasters and similar gadgets won't do that. For many if not most of them, one must ask why it id connected at all? You still have to drop in the bread (I guess you *could* drop it in the night before so it would be nice and stale by the time the toaster activated the next morning) and so something with it after (haven't seen any self-buttering toasters yet).

I'm not too happy with my printer calling home periodically for updates, either. Still hunting for the "off" switch so it would have to go through a local managing computer for verification and security checking.

In the recent kerfuffle where people got their Google lives shut down for scalping Pixel phones, did any of them have their Nest thermostats bricked too?

Re:VPN only

[skids]

In the minds of the vendors, it is "necessary" because a) their software only barely works at ship-time and is still under active development for the first few years of product support, so the more of it that is server side, the better and b) their business model involves selling the below actual cost and making up the difference by selling to big-data consumers.

Re:VPN only

[silas_moeckel]

Not to sure on that selling under cost. A single nest costs more than the vera and the 4 zwave thermostats I needed. And a Vera works fine with no internet access.

Really though a smart local controller and dumb devices is a good model. I dont want to replace ever dimmer in my house every few years thats something that should last decades. On the other hand the controller needs security updates new features etc etc. That also gives you a very defined exposure point the be hardened. While the M&M security model is imperfect you have to plan for devices lasting decades they will need something else to do most of the security heavy lifting.

Re: Does anyone else think...

Mexico's gonna pay for it

Re:Does anyone else think...

[Patent+Lover]

Good lord. I hope the diamonds in your ass don't hurt on the way out. http://www.hulu.com/watch/3170...

Or you could just build it in.

[hackwrench]

I don't have an "ISP router". I have a customer owned cable modem hooked up to a customer owned router. The desired functionality could be built into either device and both devices could be in the same device, but I find it more effective for diagnostic and replacing for them to be separate.

Re:some rules - but you have to know how!

[chromaexcursion]

Absolutely correct!
There are several ways to use existing router features to do this. A few steps, a few minutes work.
Sadly, most are too ignorant to implement them.

Basically, how to get the unwashed massed to learn to implement them.

this will never work

[w3bd4wg]

How many devices and pieces of software use multiple servers, cloud hosting (aws, etc), different ports, push json to where ever the hell. This will never work unless the firewall is built to auth to the services itself or some higher level inspection...which means a bigger cpu. Also, inspection of https or any TLS traffic is something still hard/different to do. You gonna install a root cert on your smart TV.

Endian UTM

[thechemic]

I'd recommend Endian Firewall. It could accomplish this quite easily, and its simple to setup.

Re:Answer

[hey!]

No

Or just as accurately: yes.

The answer is no, this is pointless

[caseih]

Something about these recent DDoS attacks originating from IoT has always bothered me. And I think it's that many of these vulnerable IoT devices are already behind firewalls from the open internet. I'd wager that most people's thermostats, smart lights, sprinkerly systems, etc are all attached to their local WiFi, not the open Internet. So the question is, how were these devices compromised? I've not read anything on the internet that explains this, other then lists of default usernames and passwords. So I'm left with the conclusion that most IoT devices are hacked probably by malware on the local LAN from existing desktop computers. And the compromise occurs over services that are purposely exposed to the LAN, like a web interface. Of course compromised IoT devices then seek out and attack other IoT devices.

But the point I'm getting at is that a firewall just isn't going to stop this from happening, since the exploited services are open to incoming connections (from the LAN) by design. Obviously a device on the open internet is stupid and needs to be firewalled. But on your LAN a custom little smart firewall is not going to do squat.

The only vendors take security seriously and stop using default passwords and actively try to stamp out security flaws in the software itself such as buffer overruns, cross-site scripting flaws, or database injection, will IoT devices cease to become vulnerable. But I have my doubts these devices will ever be secured.

Re:The answer is no, this is pointless

[Wizarth]

I understand there is also some sillyness involving UPNP in some devices, so you can connect to the device "from your phone", as in, from the wider Internet. This probably includes the initial connection brokered through a central service, but much of the bulk data via direct connection.

Re:The answer is no, this is pointless

[caseih]

Okay that makes a lot of sense. I hadn't thought about the implications of things like UDP NAT traversal (and apparently neither did any of the companies involved in compromised IoT devices). It makes sense that devices that use unencrypted traffic, after using a third party to establish the connection, are vulnerable to third parties messing with those packets and executing an exploit.

This makes the answer to the Ask Slashdot question even more of a solid NO! A smart firewall just isn't going to help us here as it would prevent the device from being accessed at all, which defeats the purpose of the network-capable aspect of it. So clearly besides the other things I mentioned, connection encryption is very important. Also these companies have to take the security of their central servers very seriously as well. Compromise a company's central control system and you've now compromised millions of devices in one swoop.

Re:The answer is no, this is pointless

[Orgasmatron]

Yup, this. Virtually all commercially available IOT crap is spyware. It opens a port on your firewall with UPNP, then phones home to the device's owner (aka not you). The device's owner also gives you an app for your phone that snoops on you and connects to their device that you've installed in your home.

Building a botnet can be as easy as port-scanning the UPNP-assignable ranges of a few popular home routers on a few big ISPs and exploiting any vulnerable devices that respond.

Oh, and if you already have a botnet, the port scan SYNs will come from everywhere, and probably be spread over many hours or days, which makes it impossible to block. I was going to say it is hard to detect too, but detecting attacks is easy - if the power is on and the network is connected, it is under attack.

Re:The answer is no, this is pointless

[complete+loony]

Many IOT devices have some kind of incoming data stream from the internet so that you can control them from your phone. This might be is via some company run cloud service, with questionable security.

For example,

it's a device that infringes my copyright, gives you root access in response to trivial credentials, has access control that depends entirely on nobody ever looking at the packets, is sufficiently poorly implemented that you can crash both it and the bulbs, has a cloud access protocol that has no security whatsoever and also acts as an easy mechanism for people to circumvent your network security

Re:The answer is no, this is pointless

[aaarrrgggh]

Most consumer firewalls are effectively just stateful firewalls: they trust the local network explicitly, and trust any connections they make to the outside are legitimate, and trust any outside connections back as necessary.

Re:The answer is no, this is pointless

[grahamsz]

Virtually all of mine is zwave. It connects through a bridge to the internet and so while you could compromise the bridge you'd never really compromise the device. The light switch lacks wifi, lacks any concept of an IP address and I struggle to see any viable exploit against that.

The idea of buying a mismatch of nonstandard wifi bulbs from different suppliers just sounds like a nightmare.

Re:The answer is no, this is pointless

[jabuzz]

I have upnp turned off on every router that I can. It is basically the biggest heap of junk there has ever been.

Re:The answer is no, this is pointless

[b0bby]

As others have pointed out, when they say "IoT devices" they usually turn out to mean "embedded Linux box", and any articles where I've seen details they really seem to come down to the cheap linux-based-activex-clients-only security camera DVRs which usually have you open port 9000 or something to get external access. Many of these things, in addition to other vulnerabilities, have a hard coded root password.

Re:The answer is no, this is pointless

[Lodragandraoidh]

There are several problems that seem insurmountable:

1. While you could block the internet from directly interacting with these devices - by definition something would need to interact with the widget - either directly or as a proxy - unless you are okay without remote access.

2. If you have a machine on your network that interacts with the device, and also interacts with the internet (say for web browsing - http protocol) - then a bug in your machine could be a conduit for further access to the IoT device.

The only way to be absolutely sure a device is secure is to not have it connected to the network -

Too much think about and too much to deal with

[dugancent]

I have exactly four items that connect to the internet, my laptop, roku, wii and iPhone. I'm not connecting my lightbulbs, outlets, fridge, thermostat or any other ridiculous crap.

For this to really work

[taustin]

the manufacturers would have to provide, in some form, what their devices are supposed to be able to connect to, so that the firewall can block it from connecting to everything else.

In other words, manufacturers would have to admit how extensively their devices spy on you, and phone home with it, and open themselves up to easy consumer monitoring of what their devices send back.

I'm not holding my breath.

Re:For this to really work

[rectalfeeding]

the manufacturers would have to provide, in some form, what their devices are supposed to be able to connect to, so that the firewall can block it from connecting to everything else.

Not really true. This is the sort of malware signature/whitelist-pattern database that can be easily generated and maintained in a distributed fashion, along with full web of trust weighted tuning. You simply start by sniffing a device for a day of 'normal operation' and assume that is all it needs to do. Early adopters (beta testers of the whitelist version) will suffer problems with corner cases, but then that can be iterated and factored in. At some point if it is popular and accomplishes the goal and makes enough people happy, manufacturers will start to cooperate out of self interested convenience (note how openwrt seems to be used by many manufacturers).

Of course that comes around to- all this 'smart' firewall BuSiness is just basically a small enhancement to the existing general solution of an FOSS firewall that can thus fairly easily be modified to accomplish this theorized rule improvement. Go forth and build and test and the fittest will survive. Play a big game of capture the flag with bitcoins and I'll sign up for the ruleset that has succeeded in defending a $1M pile of bitcoins for more than a year.

Re:For this to really work

[stooo]

>> This is the sort of malware signature/whitelist-pattern database that can be easily generated and maintained
No. If it was easy, it would already have been done.

Put them on a different service.

[0100010001010011]

My IoT switches are Z-wave. My thermostat is RS485. My individual temp feedback sensors are passive 433 MHz.

It's another layer of abstraction and less holes to plug than just letting everything have unfettered access to the outside world.

Re:Ultimate firewall

[TheRealMindChild]

If someone can access a device to which it can use port knocking, you already failed. Communication should only be done on the local network. If you wish to interface with it, set up a VPN tunnel to the local network

So an IOT to protect your IOT's....

[oddware]

Why would we want to actually learn something about the tools that we use, instead lets put another black box IOT thing that i don't know how to administer on the network, we can trust all of our security and personal data to a 3rd party, why wouldn't we? /s

There may be a probem here...

[Eezy+Bordone]

Wait a minute. You want someone to make a device that will identify random IoT devices when we can't even get current home/soho router/firewall device makers to update THEIR firmware?

Re: Plenty of examples to go by

[vocatan]

Steve Gibson had suggested a configuration of three routers to isolate IoT devices. https://www.grc.com/sn/sn-545.... Again, it depends on how much you want to put "common consumers" through. I'd submit that unless it's ridiculously easy, the vast majority of consumers would simply scoff and claim it wasn't worth the trouble. (And those are the folks who probably were the main constituents of the recent botnets)

Yes. With a single acronym change.

[tlambert]

Yes. With a single acronym change.

IoT "Internet of Things" --> IoT "Intranet of Things"

Connect them to a local Intranet server, instead of trying to connect them to a server in China, or at Google, or to everyone in the world, and they are no longer a problem.

True, and anomaly detection gets most of the way

[raymorris]

As Drinkypoo said, no need for new hardware, this is all about configuration. If you have a great many devices, configuration could be difficult, but there is a short cut. It's called "anomaly detection". The firewall learns what's normal, and when unusual traffic starts it takes one of three different actions, depending on the level of risk it estimated. Snort os open source software that can do this.

Along with anomaly detection covering 90%, you might also add some manual rules.

Re:Turn off UPNP

[grahamsz]

I think there are other exploits. Some of my cheap audio devices hit chinese IPs looking for firmware upgrades. If you could hack those IPs then you could deliver a malicious firmware while the network didn't see anything but a web request.

Re:LAN enabled device

[jenningsthecat]

...There are very few IoT devices that couldn't provide near 100% of their functionality without ever having to talk outside your local network.

Develop some IoT devices that can do that and that can gracefully handle it when it loses all communication (e.g., your thermostat should still work)...

Great idea, but who's going to do it? The makers of such gear are much more interested in the big bucks they can make from data mining than they are in the chump change they make by selling you an IoT widget. The only reason big companies make IoT gear is data collection; the customers' needs are incidental to that endeavour, and the customers' connection to servers in the cloud is the whole point of the exercise.

...and prepare yourself to take the market by storm. There are a lot of people out there looking for smart devices that don't work worse than their existing ones.

"There are a lot of technically savvy people out there looking for smart devices that don't work worse than their existing ones". FTFY. Unfortunately, there are WAY more non-tech users, (who keep default passwords on their network gear, don't use ad blockers and NoScript, and drop their drawers to Facebook), than there are technically knowledgeable users. And the non-tech users simply don't care, so I predict that someone using your idea won't be taking any markets by storm. It might be a decent niche market though.

Re: Plenty of examples to go by

[shitzu]

This does not need a special product. Any firewall will do, even a random consumer wifi router that has customizable firewall rules.
a) assign iot devices certain ip addresses
b) block all outgoing traffic from these

I have it done in a bit of more advanced way (VLANs), but thats not strictly necessary.

A Fire

[stooo]

>> Could A 'Smart Firewall' Protect IoT Devices?
No. A big fire would be more adequate.
IOT is BS.

Not the right audience

[flux]

You don't need to be worried about people who might think about hooking up a special router or even RPi to their network to deal with IoT devices, but rather with people that don't. And that's going to be pretty difficult to solve before all consumer routers come with decent default firewall rules or such additional functionality you're describing.

Re:Not the right audience

[Ceaus]

That's a strong argument. I don't have a real answer to that. I like the combination of a manifest file with an RFC. May this way it's possible to skip grandma and make the hop from industry to home network.

Already exists.

[CountBrass]

It's called a ... wait for it... a network firewall!

You would then whitelist the routes you want to allow.

And whatever you do, you would not let your IoT device update the firewall's ruleset!

Re:Already exists.

[Ceaus]

Right. And grandma, what does she need to do?

Re: Plenty of examples to go by

[TheRaven64]

The problem is that most IoT devices rely on a centralised server for their operation, so your (b) will prevent them from working. Their smartphone app talks to the vendor's server and won't work without it. You need to allow it to talk to the vendor's server, but not to anything else.

That's also why the example in TFA won't work: you can't do this sort of filtering based on IP, because a lot of the vendors use multiple servers or even cloud hosting for the server component, so you'll end up having to allow access to, for example, the entire AWS address range, if you don't want the device to stop working randomly.

Re: Plenty of examples to go by

[shitzu]

Yes, true. My iot things talk with my own OpenHAB installation and therefore I do not have that issue. But a generic out of the box behaviour on most of the iot stuff is to phone home as it simply cannot be connected by an app in your phone without forwarding ports etc (which is beyond a normal user's abilities).

TFA is a a question by a person who has no idea how ip networks and client/server/app communication works.

My only point was that we do not need a special IOT isolating appliance, this can all be done with standard firewalls built in most wifi or broadband routers.

Could A 'Smart Firewall' Protect IoT Devices?

[cheetah_spottycat]

Could A 'Smart Firewall' Protect IoT Devices? No. "Smart" firewalls are in fact the problem. Getting rid of them, and using regular non-smart firewalls that only allow incoming connections when you explicitly and manually configured them to do so can protect your IoT devices.

Why pay?

[sabbede]

pfSense with Snort will block access to CnC servers. Add in a DNS blackhole and you'll be in pretty good shape, for free.

It Could Work

[yithar7153]

I use a Raspberry Pi as a firewall between the ISP's router and my network. And I could only allow specific access for certain devices while denying the rest of the access. The downside is that even a RPi3 has limits on bandwidth, but eh, my speeds are crap anyways. 11.8 Mbps download, and 9.8 MBps upload.

sure

[Torvac]

hide a potentially broken/hackable device behind another potentially broken/misconfigured device. the internet of things is bullshit, just remove these items and never talk about them again.

Isn't the problem more to do with default username

[mrmaster]

Isn't the problem the default usernames and passwords not being changed instead of what ports they are listening on? I know I got an infected raspberry pi because I forgot to change the root password. The pi did need outside access so blocking the ports would have made the device useless to me. Stupid mistake I know but most people don't know. Look at consumer routers and their default usernames and passwords.

What About The Router Designers?

[Toad-san]

Couldn't a halfway decent modern router be designed to do something like this?

Naw .. never mind .. that's just crazy talk.

I've got the answer

[wjcofkc]

Let's replace the whole clusterfuck with a... FireCloud!

Re: Plenty of examples to go by

[Rick+Schumann]

The problem is that most IoT devices rely on a centralised server for their operation

..and once again, 'The Cloud' is proven to be a large part of the problem. Why not a service running on a computer on the local network instead? Honestly, how many people are going to have 'IoT' devices all through their homes and not have at least one general-purpose computer around, too?

Re: Plenty of examples to go by

[TheRaven64]

And how do you then set up the ability for that computer (and how many households have a computer that they leave on all of the time?) to be globally reachable from wherever network the users's smartphone happens to be on when they want to use the app?

Re: Plenty of examples to go by

[unrtst]

Yes, you'd have to leave it on all the time. Which for most people is impractical.

You mean just like all the IoT things themselves, and your modem and router and dvr boxes and your roku and echo etc etc etc.
A lot of connected home thingies have (optional?) central hubs which could serve the purpose of an always on computer for whatever purposes you needed that for.

The rest of the AC's rant isn't an argument at all. No desire to have an IoT thing is not a reason why others shouldn't use it. An always on computer is already solved though.

Re:"In front of"?

[Ceaus]

I don't know. "In front of" is more of an hook to suggest that whatever happens on the LAN, in the end it needs to pass through the "IoT FW". I'm sure there are many ore technical challenges to overcome.

Re:Trusted endpoints

[Ceaus]

So true.

Re: Plenty of examples to go by

[unixisc]

And how do you then set up the ability for that computer (and how many households have a computer that they leave on all of the time?) to be globally reachable from wherever network the users's smartphone happens to be on when they want to use the app?

My computer may not be on all the time, but my router is. Even now, even though I don't have any non-computational 'things', such as a coffee maker or internet microwave: just tablets, phones and laptops.

So if I set those devices to accept packets only from my phones/computers, I'd be set. I agree that it is tricky doing that if the things have dynamic, as opposed to static addresses, but aside from that, there is no reason for anyone else but me to have access to my stuff

Re:NO LUDDITE FIREWALLS! ONLY APPS!

[TylerJWhit]

Can someone please explain to me where these comments come from and what they mean? Are they simply just to piss everyone off? The overuse of the word apps, cows, and Luddites are simply obnoxious to me.

Re: Plenty of examples to go by

[tattood]

Tell us why you need an internet-connected refrigerator. Really.

How else can I can see if I need to get more milk when I'm at the store???

Re:NO LUDDITE FIREWALLS! ONLY APPS!

[war4peace]

Posted by bots.

CUJO Firewall available at Walmart

[alanjstr]

https://www.getcujo.com/

Walmart, BestBuy, Amazon carry this home Firewall.

Too bad their website has a bad SSL cert.