Slashdot Mirror


Ask Slashdot: Could A 'Smart Firewall' Protect IoT Devices?

To protect our home networks from IoT cracking, Ceaus wants to see a smart firewall: It's a small box (the size of a Raspberry Pi) with two ethernet ports you put in front of your ISP router. This firewall is capable of detecting your IoT devices and blocking their access to the internet, only and exclusively allowing traffic for the associated mobile app (if there is one). All other outgoing IoT traffic is blocked... Once you've plugged in your new IoT toaster, you press the "Scan" button on the firewall and it does the rest for you.
This would also block "snooping" from outside your home network, and of course, keep your devices off botnets. The original submission asks "Does such a firewall exist? Is this a possible Kickstarter project?" So leave your best answers in the comments. Could a smart firewall protect IoT devices?
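The "press Scan and it does the rest" workflow the submission describes is a learning-mode firewall: watch what each device talks to during a scan window, treat that as the device's baseline, and afterwards allow only those flows, asking the owner about anything new. The following is an added example written for this page, not code from the submitter or any product. It works on a constructed flow log (one line per connection: timestamp, source MAC, destination IP, protocol, destination port), keys the baseline on the device's MAC address, and goes one step beyond the summary by treating destinations inside the LAN separately so that devices which also talk to phones and laptops on the local network are not cut off.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: int
    src_mac: str
    dst_ip: str
    proto: str
    dport: int


# Constructed flow log in a conntrack/netflow-like layout; not a capture from a real device.
# ts <= 200 is the "Scan" window; later lines are the device's behaviour afterwards.
SAMPLE_LOG = """\
100 aa:bb:cc:00:00:01 192.168.1.20 tcp 8009
101 aa:bb:cc:00:00:01 203.0.113.5 tcp 443
102 aa:bb:cc:00:00:01 203.0.113.5 tcp 443
103 aa:bb:cc:00:00:01 198.51.100.9 udp 123
104 aa:bb:cc:00:00:02 203.0.113.77 tcp 443
900 aa:bb:cc:00:00:01 203.0.113.5 tcp 443
901 aa:bb:cc:00:00:01 192.0.2.250 tcp 23
902 aa:bb:cc:00:00:02 203.0.113.77 tcp 443
903 aa:bb:cc:00:00:02 192.168.1.30 udp 5353
"""

# Address ranges that never leave the home network: RFC 1918, link-local, multicast, loopback.
# Listed explicitly because Python's ipaddress.is_private also covers the TEST-NET
# documentation ranges used in the constructed log above.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "224.0.0.0/4", "127.0.0.0/8",
)]


def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_flows(text: str) -> list:
    flows = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, mac, dst, proto, dport = raw.split()
        flows.append(Flow(int(ts), mac.lower(), dst, proto.lower(), int(dport)))
    return flows


def learn(flows, scan_until: int) -> dict:
    """Scan phase: record every (dst, proto, dport) each device used during the window."""
    baseline = defaultdict(set)
    for f in flows:
        if f.ts <= scan_until:
            baseline[f.src_mac].add((f.dst_ip, f.proto, f.dport))
    return baseline


def enforce(flows, baseline: dict, scan_until: int, allow_lan: bool = True) -> list:
    """Enforcement phase: verdict per post-scan flow.

    allow      - destination was seen during the scan window
    allow-lan  - new destination, but inside the LAN (phones, laptops, mDNS)
    ask        - new WAN destination: block and prompt the owner
    """
    verdicts = []
    for f in flows:
        if f.ts <= scan_until:
            continue
        known = (f.dst_ip, f.proto, f.dport) in baseline.get(f.src_mac, ())
        if known:
            verdicts.append((f, "allow"))
        elif allow_lan and is_lan(f.dst_ip):
            verdicts.append((f, "allow-lan"))
        else:
            verdicts.append((f, "ask"))
    return verdicts


def prompt(flow: Flow) -> str:
    """The question the box would have to put to the owner for an 'ask' verdict."""
    return (f"Device {flow.src_mac} wants to talk to {flow.dst_ip} "
            f"({flow.proto}/{flow.dport}). Allow Y/N?")


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    base = learn(flows, scan_until=200)
    for f, verdict in enforce(flows, base, scan_until=200):
        print(verdict, f.src_mac, f.dst_ip, f.proto, f.dport)
        if verdict == "ask":
            print("  " + prompt(f))
```

Two caveats a practitioner would attach to this. A device that is already compromised, or that phones home to a data broker, during the scan window gets that destination written into its baseline, so the scan proves nothing about the device, only that its later behaviour changed. And because the baseline is exact addresses, a service hosted behind a rotating pool of cloud addresses will keep generating prompts, which is the point TheRaven64 makes further down about AWS and Azure ranges.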

30 of 230 comments

  1. Ideally a manifest/profile from IoT makers... by mlts · · Score: 5, Informative

    Ideally, there should be a profile/manifest IoT makers have as standard with their devices. This shows what incoming/outgoing ports and hosts the IoT device communicates with. Everything else should be blocked as default from the router. This should be in some central registry or a standardized URL system, so a home firewall could, once it recognizes a certain IoT device, grab a profile and run with it.

    Of course, a lot of IoT makers would just put in that the device takes incoming/outgoing traffic from anything and everything, but hopefully there might be some makers who give a shit enough about security to put in limits of what their devices can and do not try communicating with.

    This way, a firewall, once it registers a device can automatically apply a profile and call it done. Of course, there are security issues, but this is a giant step forward, compared to letting the device have unfettered access in and out.

    1. Re:Ideally a manifest/profile from IoT makers... by MobyDisk · · Score: 5, Insightful

      I love that idea! It's like FDA labeling laws, but for electronics. It would be totally cheap for the manufacturer to do, and it would make it totally transparent as to which devices are total crap. And if they lie, they could be liable for it at LEAST under false advertising laws. Now that you say this -- why the heck haven't we done this before? It seems so simple and obvious.

      This device communicates on the following protocols:
      IP address | Protocol | Destination
      .
      .
      .

    2. Re:Ideally a manifest/profile from IoT makers... by mlts · · Score: 2

      If the maker puts in an IP address or DNS host, they are responsible for it, so it would be about the same risk as a company ninja-flashing an Android phone to double as a USB zapper. A manifest would make it at least known that the maker did vouch for the IP address.

      There are many issues with this manifest system, be it who validates signatures, how do the firewalls grab devices, how are manifests updated and how is a firewall admin presented with updates. However, this is far better than nothing, as, as of now, nothing is exactly what IoT security is.

    3. Re:Ideally a manifest/profile from IoT makers... by Bing+Tsher+E · · Score: 4, Insightful

      The IoT device is installed in a home, and writes the 'manifest' to the firewall device at installation. If it ever changes, the firewall would immediately know.

    4. Re:Ideally a manifest/profile from IoT makers... by grahamsz · · Score: 3, Interesting

      But how would that work for devices that aren't tied to a specific service? I have some neat little wifi devices that show up in Spotify and let me stream to various speakers around the house. If I cut them off from the internet then they simply don't work. I'd have to manually identify every IP that Spotify uses and there seem to be a lot of them. In the end I watched them, identified two Chinese IPs that they do reach out to and simply blocked those two. In theory that should stop them pulling in new firmware which seems like the most likely way they'd be infected. (However I haven't been able to determine if it uses a DNS lookup to find them and if so then that means someone hacking the Chinese manufacturer could easily route the DNS to another server).

      The other thing that's really missing here is that this isn't really limited to iot devices. I'm sure in a year or two they'll be as secure as a typical windows machine and then the exploits will swing back that direction. Consumers that care about keeping their devices safe will do so, and those that don't give a fuck will see a slight improvement as time goes by.

    5. Re:Ideally a manifest/profile from IoT makers... by grahamsz · · Score: 3, Insightful

      At which point the consumer would see "Hey, your lightswitch wants permission to send a whole bunch of traffic to a random server" and they'd approve the change like they always do.

    6. Re:Ideally a manifest/profile from IoT makers... by CountBrass · · Score: 3, Insightful

      So your solution to securing incredibly insecure IoT devices is to allow those incredibly insecure IoT devices privileged access to the security device that polices access to your network.

      This is why you don't let novices come up with security solutions.

      --
      Bad analogies are like waxing a monkey with a rainbow.
    7. Re:Ideally a manifest/profile from IoT makers... by cheetah_spottycat · · Score: 3, Insightful

      This is called UPnP, and is exactly the problem why so many devices are reachable through the internet while their owners don't suspect a thing.

    8. Re:Ideally a manifest/profile from IoT makers... by hAckz0r · · Score: 2

      Many baby monitors and security cams automagically punch a hole through your home router using Plug-n-Play, which is a very bad idea for home security. On the surface this doesn't sound much different than what you propose, only I think your profile idea likely was meant to place additional restrictions on how that hole is to be managed. Once the router opens a hole for a device almost anything can flow through that hole unless the router does deep packet inspection, and any SSL used to make that connection safe would likely prevent that. IP and port numbers are what the router can easily manage.

      I would think the profile idea would be a sound one, if it created a restricted vpn between known devices. But then that requires user intervention to configure what is allowed to connect to it. Without that information it should be a default deny policy to that port/ip. What I think we need is a simple API used to make associations between user IoT devices that are permitted to talk, and let the routers work out the details of how they communicate. Make it very simple for the non security aware user, to just point and click on registered devices that they own and assign a profile of permissions for non-owned devices to connect to. Let the routers having that API work out the cryptographic key exchanges with all devices on the IoT network.

    9. Re:Ideally a manifest/profile from IoT makers... by MobyDisk · · Score: 2

      I do not understand the questions. I will try to answer.

      But how would that work for devices that aren't tied to a specific service?

      Any labeling system has standard lingo. When labeling food for example, vitamin content is listed as a % of the estimated daily value required for an average adult. Protein however is listed in grams. Terms such as "Yellow #5" are standardized. The same would happen when labeling your speakers. When a device is listening, we would need to have a term for "I listen on all IPv4 addresses" and "I listen on the local IP multicast address." If you've ever written socket code, there are already standards for these. We would need other standard terminology for payloads.

      When you open the box, you would see a little piece of paper that says "This wifi speaker system communicates on the following protocols:"
      IP4ANY | RTCP+TCP/UDP | 554 - 556 | LAN realtime streaming service for receiving audio; PCM audio data, device name, model number
      *.spotify.com | HTTPS+TCP | 443 | Internet streaming service for receiving audio; PCM audio data, device name, model number
      *.manufacturer.com | HTTPS+TCP | 443 | Firmware update service; sends model number, firmware version, device name, last update date

      Hopefully it would not say:
      *.centralmonitoringservice.cn | HTTP+TCP | 80 | Remote video monitoring and tunneling service; sends video, wifi password, user name, email address, device name

      And the OP was saying this information is also coded into the device, in some standard machine-readable way.

      If I cut them off from the internet then they simply don't work. I'd have to manually identify every IP that spotify uses and there seem to be a lot of them

      This is where I am confused. Why would you need to do that?

      My interpretation of what mlts proposed is kinda like what UPnP does. Today, UPnP already has a way for a device to request that the firewall open a port. I don't think it is super broadly used because security wasn't really considered when UPnP was designed. It is part of why some people just universally turn off UPnP on their routers. But my knowledge may be totally out of date. I didn't interpret mlts to be saying that all outgoing communication was turned off by default, and that the owner of the firewall would need to manually whitelist sites. That would be secure, and you could certainly do that today, but that won't be convenient for the end-user. One could certainly make a "friendlier" firewall that made this a bit easier, kinda like how personal firewall software works. "Hey, device WIFI_CAMERA_1234 wants to talk to nsa.trustme.cn. Allow Y/N?" :-)
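The machine-readable manifest mlts proposes and the paper label MobyDisk sketches are the same data: one line per permitted destination, transport, port range and purpose. What a firewall would do with it is parse it, apply a default-deny egress policy for that device and flag manifests that vouch for "anything and everything". The following is an added example for this page, not code from either commenter or from any vendor; the manifest text is constructed in the column layout sketched above, the MAC address and the 192.0.2.10 address are made up, and the rule rendering uses nftables syntax keyed on the device's MAC. Hostname entries like `*.spotify.com` cannot be matched by a packet filter directly, so the example points them at a named address set that a DNS resolver on the gateway is assumed to fill from the answers it hands the device (dnsmasq's ipset/nftset options do this on OpenWrt); that keeps the DNS-hijack concern grahamsz raises visible rather than hidden.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample manifests in the layout "destination | protocol | ports | description".
# Not real vendor data.
SPEAKER_MANIFEST = """\
IP4ANY             | RTCP+TCP/UDP | 554 - 556 | LAN realtime streaming service
*.spotify.com      | HTTPS+TCP    | 443       | Internet streaming service
*.manufacturer.com | HTTPS+TCP    | 443       | Firmware update service
192.0.2.10         | MQTT+TCP     | 8883      | Telemetry (constructed pinned address)
"""

# The "takes traffic from anything and everything" manifest a lazy maker would ship.
LAZY_MANIFEST = "IP4ANY | TCP/UDP | 1 - 65535 | Everything\n"


@dataclass(frozen=True)
class Rule:
    dest: str        # "any", an IP/CIDR string, or a hostname pattern such as *.spotify.com
    protos: tuple    # ("tcp",), ("udp",) or ("tcp", "udp")
    port_lo: int
    port_hi: int
    note: str

    @property
    def kind(self) -> str:
        """open: no destination pin; pinned: IP/CIDR; named: hostname, so it depends on DNS."""
        if self.dest == "any":
            return "open"
        try:
            ipaddress.ip_network(self.dest, strict=False)
            return "pinned"
        except ValueError:
            return "named"


def parse_manifest(text: str) -> list:
    """Parse the four-column manifest; reject anything the firewall could not enforce."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        cols = [c.strip() for c in raw.split("|")]
        if len(cols) != 4:
            raise ValueError(f"line {lineno}: expected 4 columns, got {len(cols)}")
        dest, proto, ports, note = cols
        dest = "any" if dest.upper() == "IP4ANY" else dest.lower()
        # "HTTPS+TCP" -> the transport is the part after '+'; "TCP/UDP" -> both transports
        transport = proto.split("+")[-1].lower()
        protos = tuple(sorted(transport.split("/")))
        if any(p not in ("tcp", "udp") for p in protos):
            raise ValueError(f"line {lineno}: unsupported transport {proto!r}")
        m = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", ports)
        if not m:
            raise ValueError(f"line {lineno}: bad port spec {ports!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"line {lineno}: port range {lo}-{hi} is invalid")
        rules.append(Rule(dest, protos, lo, hi, note))
    return rules


def vouches_for_everything(rules) -> bool:
    """True when some entry allows any destination on every port: the manifest says nothing."""
    return any(r.kind == "open" and (r.port_lo, r.port_hi) == (1, 65535) for r in rules)


def set_name(pattern: str) -> str:
    """nftables set holding the addresses the resolver has seen for this hostname pattern."""
    return "dns_" + re.sub(r"[^a-z0-9]+", "_", pattern.lower()).strip("_")


def to_nft_rules(mac: str, rules) -> list:
    """Render per-device egress rules (nft syntax, one string each) ending in a default drop."""
    out = []
    for r in rules:
        if r.kind == "pinned":
            daddr = f"ip daddr {r.dest} "
        elif r.kind == "named":
            daddr = f"ip daddr @{set_name(r.dest)} "   # filled from DNS answers by the resolver
        else:
            daddr = ""                                  # open entry: destination unrestricted
        ports = str(r.port_lo) if r.port_lo == r.port_hi else f"{r.port_lo}-{r.port_hi}"
        for proto in r.protos:
            out.append(f'ether saddr {mac} {daddr}{proto} dport {ports} accept comment "{r.note}"')
    out.append(f"ether saddr {mac} drop")   # everything the manifest did not list
    return out


if __name__ == "__main__":
    for text in (SPEAKER_MANIFEST, LAZY_MANIFEST):
        rules = parse_manifest(text)
        print("manifest vouches for everything:", vouches_for_everything(rules))
        for line in to_nft_rules("00:11:22:33:44:55", rules):
            print("  " + line)
```

The `kind` classification is the useful part for the firewall admin: a "pinned" entry is something the maker has vouched for, a "named" entry is only as trustworthy as the DNS answers the device receives, and an "open" entry with a full port range is a manifest that tells you nothing and should be shown to the owner as such rather than silently applied.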

  2. some rules by drinkypoo · · Score: 5, Insightful

    All you really need is... some rules.

    If you have an openwrt, dd-wrt or similar router, you can definitely block whatever traffic you want without new hardware.

    You can whitelist devices by IP or MAC and not permit anything else to generate egress traffic, which won't protect against devices smart enough to spoof your IP and MAC sending data but which will defeat the casual attacks.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:some rules by grahamsz · · Score: 5, Insightful

      I've corralled mine into a dhcp space, but it might be safer just to set up a whole separate wifi network for them, would make it easier to monitor.

      Still it's trickier for things like the chromecast or airplay-type devices, because they both interact with phones and laptops on the local network and need to connect directly to streaming sources on the internet.

    2. Re:some rules by vawarayer · · Score: 2

      If you have an openwrt, dd-wrt or similar router, you can definitely block whatever traffic you want without new hardware.

      No need even for some specific open-source firmware. Just any home router / NAT / firewall can do that. Don't need smart devices, just smart people to configure it properly...

    3. Re:some rules by Giant+Electronic+Bra · · Score: 4, Interesting

      ALL you need are some CONVENTIONS. Every firewall that isn't utterly worthless already blocks ALL outgoing traffic. IoT devices should, by convention, expose their API on a specific and otherwise not typical port. This port can simply always be blocked, ALWAYS ALWAYS blocked on the firewall. Now, when you need to have some specific access from somewhere, then the firewall could act as an authenticating proxy, removing the need for IoT vendors to actually grok security (which is literally a hopeless hope, they never will). Assuming your wireless network is adequately secured, so that nothing gets on it that you don't want there, you should be pretty set. Further conventions could relegate all IoT devices to a separate specific VLAN, etc. The key point is, all the devices need to do is adhere to some VERY simple conventions that even half-assed software vendors can adhere to.

      Won't stop all problems, but it would make a damned good start.

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    4. Re:some rules by fyngyrz · · Score: 3, Interesting

      set up a whole separate wifi network for them, would make it easier to monitor.

      That's the actual answer. Get them their own SLOW connection, their own firewall/router, and let them talk to anyone they want. Keep them the hell away from your in-house goodness. And FFS, secure your actual wifi network. Also, put the channels at opposite ends of the band (or in different bands, better yet.)

      --
      I've fallen off your lawn, and I can't get up.
    5. Re:some rules by silas_moeckel · · Score: 2

      I have no problems getting all my IoT devices to work just fine when they have in general no internet access. In my case it's a separate VLAN with firewall rules.

      The problem is the cloud push to do very little onsite and send a lot of data into the cloud while accepting C&C from it. Look around and there are plenty of devices that work locally.

      --
      No sir I dont like it.
    6. Re:some rules by TapeCutter · · Score: 2

      Don't need smart devices, just smart people to configure it properly

      Smart devices are easier to make than smart people.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    7. Re:some rules by aaarrrgggh · · Score: 2

      Novel idea here... 3!!! SSIDs: general purpose devices, untrusted devices, and DMZ devices. Easy enough with DD-WRT or UBNT gear. The practical challenge is getting the broadcast traffic mirrored to the general purpose VLAN, but there are tools for that as well.

    8. Re: some rules by TheRaven64 · · Score: 2

      Okay, so IoT vendor X is using AWS and Azure for their server-side hosting. Where do you get the list of all valid AWS and Azure IPs to whitelist? How do you keep it up to date? Does your cheap router have enough space in its tables to match against those (large, non-contiguous) ranges without imposing a performance penalty?

      --
      I am TheRaven on Soylent News
  3. How is this different from any firewall by Paul+Carver · · Score: 5, Insightful

    I'm pretty sure that this "smart firewall" is more commonly known as a "firewall". Any firewall that can't block traffic can't legitimately be called a firewall at all.

    1. Re:How is this different from any firewall by johnjones · · Score: 2

      Exactly, it's just a firewall with IDS...

      scary...

  4. mssp by jbmartin6 · · Score: 3, Insightful

    Sounds like you want to spin up a managed security provider for home users, to manage their gateways. It's been tried before, but not enough people want to pay for it. Much easier and more economical to just get large ISPs to do it. All we need is the right leverage. As Bruce Schneier observed, it is in part a problem because the device manufacturers and the home users really don't have a strong motivation (yet) to do anything.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  5. Why yes! There is. It's called by RightwingNutjob · · Score: 3, Insightful

    not plugging your fucking toaster into the internet so it can tweet out whenever your toast is done.

  6. The answer is no, this is pointless by caseih · · Score: 3, Interesting

    Something about these recent DDoS attacks originating from IoT has always bothered me. And I think it's that many of these vulnerable IoT devices are already behind firewalls from the open internet. I'd wager that most people's thermostats, smart lights, sprinkler systems, etc. are all attached to their local WiFi, not the open Internet. So the question is, how were these devices compromised? I've not read anything on the internet that explains this, other than lists of default usernames and passwords. So I'm left with the conclusion that most IoT devices are hacked probably by malware on the local LAN from existing desktop computers. And the compromise occurs over services that are purposely exposed to the LAN, like a web interface. Of course compromised IoT devices then seek out and attack other IoT devices.

    But the point I'm getting at is that a firewall just isn't going to stop this from happening, since the exploited services are open to incoming connections (from the LAN) by design. Obviously a device on the open internet is stupid and needs to be firewalled. But on your LAN a custom little smart firewall is not going to do squat.

    Only when vendors take security seriously and stop using default passwords and actively try to stamp out security flaws in the software itself such as buffer overruns, cross-site scripting flaws, or database injection, will IoT devices cease to be vulnerable. But I have my doubts these devices will ever be secured.

    1. Re:The answer is no, this is pointless by Wizarth · · Score: 3, Informative

      I understand there is also some silliness involving UPnP in some devices, so you can connect to the device "from your phone", as in, from the wider Internet. This probably includes the initial connection brokered through a central service, but much of the bulk data via direct connection.

  7. There may be a problem here... by Eezy+Bordone · · Score: 3, Insightful

    Wait a minute. You want someone to make a device that will identify random IoT devices when we can't even get current home/soho router/firewall device makers to update THEIR firmware?

    --

    -EB

    Do you ever walk alone like a drifter in the dark?

  8. Re: Plenty of examples to go by by vocatan · · Score: 2

    Steve Gibson had suggested a configuration of three routers to isolate IoT devices. https://www.grc.com/sn/sn-545.... Again, it depends on how much you want to put "common consumers" through. I'd submit that unless it's ridiculously easy, the vast majority of consumers would simply scoff and claim it wasn't worth the trouble. (And those are the folks who probably were the main constituents of the recent botnets)

  9. Yes. With a single acronym change. by tlambert · · Score: 2

    Yes. With a single acronym change.

    IoT "Internet of Things" --> IoT "Intranet of Things"

    Connect them to a local Intranet server, instead of trying to connect them to a server in China, or at Google, or to everyone in the world, and they are no longer a problem.

  10. Re:VPN only by skids · · Score: 2

    In the minds of the vendors, it is "necessary" because a) their software only barely works at ship-time and is still under active development for the first few years of product support, so the more of it that is server side, the better and b) their business model involves selling them below actual cost and making up the difference by selling to big-data consumers.

  11. Re: Plenty of examples to go by by TheRaven64 · · Score: 2

    The problem is that most IoT devices rely on a centralised server for their operation, so your (b) will prevent them from working. Their smartphone app talks to the vendor's server and won't work without it. You need to allow it to talk to the vendor's server, but not to anything else.

    That's also why the example in TFA won't work: you can't do this sort of filtering based on IP, because a lot of the vendors use multiple servers or even cloud hosting for the server component, so you'll end up having to allow access to, for example, the entire AWS address range, if you don't want the device to stop working randomly.

    --
    I am TheRaven on Soylent News