Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Could A 'Smart Firewall' Protect IoT Devices?

Posted by EditorDavid on from the home-network-of-things dept.

To protect our home networks from IoT cracking, Ceaus wants to see a smart firewall: It's a small box (the size of a Raspberry Pi) with two ethernet ports you put in front of your ISP router. This firewall is capable of detecting your IoT devices and blocking their access to the internet, only and exclusively allowing traffic for the associated mobile app (if there is one). All other outgoing IoT traffic is blocked... Once you've plugged in your new IoT toaster, you press the "Scan" button on the firewall and it does the rest for you.
This would also block "snooping" from outside your home network, and of course, keep your devices off botnets. The original submission asks "Does such a firewall exist? Is this a possible Kickstarter project?" So leave your best answers in the comments. Could a smart firewall protect IoT devices?

17 of 230 comments (clear)

  1. Ideally a manifest/profile from IoT makers... by mlts · · Score: 5, Informative

    Ideally, there should be a profile/manifest IoT makers have as standard with their devices. This shows what incoming/outgoing ports and hosts the IoT device communicates with. Everything else should be blocked as default from the router. This should be in some central registry or a standardized URL system, so a home firewall could, once it recognizes a certain IoT device, grab a profile and run with it.

    Of course, a lot of IoT makers would just put in that the device takes incoming/outgoing traffic from anything and everything, but hopefully there might be come makers who give a shit enough about security to put in limits of what their devices can and do not try communicating with.

    This way, a firewall, once it registers a device can automatically apply a profile and call it done. Of course, there are security issues, but this is a giant step forward, compared to letting the device have unfettered access in and out.

    1. Re:Ideally a manifest/profile from IoT makers... by MobyDisk · · Score: 5, Insightful

      I love that idea! It's like FDA labeling laws, but for electronics. It would be totally cheap for the manufacturer to do, and it would make it totally transparent as to which devices are total crap. And if they lie, they could be liable for it at LEAST under false advertising laws. Now that you say this -- why the heck haven't we done this before? It seems so simple and obvious.

      This device communicates on the following protocols:
      IP address | Protocol | Destination
      .
      .
      .

    2. Re:Ideally a manifest/profile from IoT makers... by Bing+Tsher+E · · Score: 4, Insightful

      The IoT device is installed in a home, and writes the 'manifest' to the firewall device at installation. If it ever changes, the firewall would immediately know.

    3. Re:Ideally a manifest/profile from IoT makers... by grahamsz · · Score: 3, Interesting

      But how would that work for devices that aren't tied to a specific service? I have some neat little wifi devices that show up in spotify and let me stream to various speakers around the house. If i cut them off from the internet then they simply don't work. I'd have to manually identify every IP that spotify uses and there seem to be a lot of them. In the end I watched them, identified two chinese IPs that they do reach out to and simply blocked those two. In theory that should stop them pulling in new firmware which seems like the most likely way they'd be infected. (However I haven't been able to determine if it uses an DNS lookup to find them and if so then that means someone hacking the chinese manufacturer could easily route the dns to another server).

      The other thing that's really missing here is that this isn't really limited to iot devices. I'm sure in a year or two they'll be as secure as a typical windows machine and then the exploits will swing back that direction. Consumers that care about keeping their devices safe will do so, and those that don't give a fuck will see a slight improvement as time goes by.

    4. Re:Ideally a manifest/profile from IoT makers... by grahamsz · · Score: 3, Insightful

      At which point the consumer would see "Hey, your lightswitch wants permission to send a whole bunch of traffic to a random server" and they'd approve the change like they always do.

    5. Re:Ideally a manifest/profile from IoT makers... by CountBrass · · Score: 3, Insightful

      So your solution to securing incredibly insecure IoT devices is to allow those incredibly insecure IoT devices privileged access to the security device that polices access to your network.

      This is why you don't let novices come up with security solutions.

      --
      Bad analogies are like waxing a monkey with a rainbow.
    6. Re:Ideally a manifest/profile from IoT makers... by cheetah_spottycat · · Score: 3, Insightful

      This is called UPNP, and is exactly the problem why so many devices are reachable through the internet while their owners don't suspect a thing.

  2. some rules by drinkypoo · · Score: 5, Insightful

    All you really need is... some rules.

    If you have an openwrt, dd-wrt or similar router, you can definitely block whatever traffic you want without new hardware.

    You can whitelist devices by IP or MAC and not permit anything else to generate egress traffic, which won't prevent against devices smart enough to spoof your IP and MAC sending data but which will defeat the casual attacks.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:some rules by grahamsz · · Score: 5, Insightful

      I've corralled mine into a dhcp space, but it might be safer just to set up a whole separate wifi network for them, would make it easier to monitor.

      Still it's trickier for things like the chromecast or airplay-type devices, because they both interact with phones and laptops on the local network and need to connect directly to streaming sources on the internet.

    2. Re:some rules by Giant+Electronic+Bra · · Score: 4, Interesting

      ALL you need are some CONVENTIONS. Every firewall that isn't utterly worthless already blocks ALL outgoing traffic. IoT devices should, by convention, expose their API on a specific and otherwise not typical port. This port can simply always be blocked, ALWAYS ALWAYS blocked on the firewall. Now, when you need to have some specific access from somewhere, then the firewall could act as an authenticating proxy, removing the need for IoT vendors to actually grok security (which is literally a hopeless hope, they never will). Assuming your wireless network is adequately secured, so that nothing gets on it that you don't want there, you should be pretty set. Further conventions could relegate all IoT devices to a separate specific VLAN, etc. The key point is, all the devices need to do is adhere to some VERY simple conventions that even half-assed software vendors can adhere to.

      Won't stop all problems, but it would make a damned good start.

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    3. Re:some rules by fyngyrz · · Score: 3, Interesting

      set up a whole separate wifi network for them, would make it easier to monitor.

      That's the actual answer. Get them their own SLOW connection, their own firewall/router, and let them talk to anyone they want. Keep them the hell away from your in-house goodness. And FFS, secure your actual wifi network. Also, put the channels at opposite ends of the band (or in different bands, better yet.)

      --
      I've fallen off your lawn, and I can't get up.
  3. How is this different from any firewall by Paul+Carver · · Score: 5, Insightful

    I'm pretty sure that this "smart firewall" is more commonly known as a "firewall". Any firewall that can't block traffic can't legitimately be called a firewall at all.

  4. mssp by jbmartin6 · · Score: 3, Insightful

    Sounds like you want to spin up a managed security provider for home users, to manage their gateways. It's been tried before, but not enough people want to pay for it. Much easier and more economical to just get large ISPs to do it. All we need is the right leverage. As Bruce Schneier observed, it is in part a problem because the device manufacturers and the home users really don't have a strong motivation (yet) to do anything.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  5. Why yes! There is. It's called by RightwingNutjob · · Score: 3, Insightful

    not plugging your fucking toaster into the internet so it cat tweet out whenever your toast is done.

  6. The answer is no, this is pointless by caseih · · Score: 3, Interesting

    Something about these recent DDoS attacks originating from IoT has always bothered me. And I think it's that many of these vulnerable IoT devices are already behind firewalls from the open internet. I'd wager that most people's thermostats, smart lights, sprinkerly systems, etc are all attached to their local WiFi, not the open Internet. So the question is, how were these devices compromised? I've not read anything on the internet that explains this, other then lists of default usernames and passwords. So I'm left with the conclusion that most IoT devices are hacked probably by malware on the local LAN from existing desktop computers. And the compromise occurs over services that are purposely exposed to the LAN, like a web interface. Of course compromised IoT devices then seek out and attack other IoT devices.

    But the point I'm getting at is that a firewall just isn't going to stop this from happening, since the exploited services are open to incoming connections (from the LAN) by design. Obviously a device on the open internet is stupid and needs to be firewalled. But on your LAN a custom little smart firewall is not going to do squat.

    The only vendors take security seriously and stop using default passwords and actively try to stamp out security flaws in the software itself such as buffer overruns, cross-site scripting flaws, or database injection, will IoT devices cease to become vulnerable. But I have my doubts these devices will ever be secured.

    1. Re:The answer is no, this is pointless by Wizarth · · Score: 3, Informative

      I understand there is also some sillyness involving UPNP in some devices, so you can connect to the device "from your phone", as in, from the wider Internet. This probably includes the initial connection brokered through a central service, but much of the bulk data via direct connection.

  7. There may be a probem here... by Eezy+Bordone · · Score: 3, Insightful

    Wait a minute. You want someone to make a device that will identify random IoT devices when we can't even get current home/soho router/firewall device makers to update THEIR firmware?

    --

    -EB

    Do you ever walk alone like a drifter in the dark?