Slashdot Mirror


IoT Security Flaw Leaves 496 Million Devices Vulnerable At Businesses, Report Says (crn.com)

Nearly a half-billion Internet of Things devices are vulnerable to cyberattacks at businesses worldwide because of a 10-year-old security flaw, according to a new report from a security software vendor. From a report: The report was published Friday by Armis, a provider of Internet of Things security software for enterprises that focuses on detecting threats in IoT devices at workplaces. The Palo Alto, Calif.-based company has previously made security disclosures, including the BlueBorne malware attack that impacted 5 billion IoT devices.

6 of 108 comments

  1. This is why I don't trust IoT by Anonymous Coward · · Score: 5, Interesting

    I work in the microcontroller industry and somehow became the security 'expert' for my group. I don't trust IoT for many reasons, the biggest being that not many people have a clue about how to do security right, and those that do cost an arm and a leg, and most manufacturers producing IoT devices can't afford them.

    With various upgrades to my house (mostly solar), I've had to accept some IoT devices. So I've segmented my wireless network. There's an open wifi (secured by a passkey, I still consider this open), and there's a second wifi that needs 802.1X authentication. The IoT devices go to the open wifi, which is on its own subnet and vlan, and only has access through the firewall with QoS tuned down to 1 Mbps. The second wifi has its own vlan, and is routed to the internal wired network. But if I find that's been compromised it's easy to shut it down. I have yet to come upon a consumer IoT device that can work with WPA2-Enterprise & 802.1X, but my sample size is small.

    Of course most people don't run Linux firewalls with 3 Ethernet cards, and level 2 managed switches at home. Prosumer tip: watch the switch manufacturers' End-of-Life notices and pick up the switches at fire sale prices as everyone tries to dump their supply; don't buy off of eBay or refurbished, you never know what's on there.

  2. Re:Buy a new firewall by aaarrrgggh · · Score: 3, Interesting

    What exactly is this magical firewall you speak of? Most are simply stateful and port blocking, which means internally started communication is fine. When the device phones home (in whatever innocuous way, even with a hard-coded NTP request), they have full access. You can’t proxy the https traffic, so you really don’t have any of the easy means of control. You can try a few other tricks, but it gets to diminishing returns quickly.

  3. Re: The attack: DNS rebinding by Miamicanes · · Score: 4, Interesting

    If you REALLY want to be a rebel & be safe(r), pick a network between 172.16.x.x and 172.31.x.x

    99.994% of people have *no* idea that range of private IP addresses exists. Everyone knows about 192.168.x.x, and almost everyone knows about 10.x.x.x, but I have yet to meet anyone who uses 172.16.x.x-172.31.x.x for their home network.
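A resolver-side check for the rebinding attack named in this comment's title, added here as an example and not taken from the thread (it applies the same idea as dnsmasq's --stop-dns-rebind option): drop DNS answers that map a hostname outside your own zones to a local address, and treat 172.16.0.0/12 exactly like the better-known ranges. The zone names and addresses used in the test are constructed.

```python
import ipaddress

# Local ranges a public hostname should never resolve to. 172.16.0.0/12 is
# included deliberately: a filter that only knows 10/8 and 192.168/16 would
# wave rebinding answers straight into a 172.16.x.x LAN.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" net
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

def is_local_address(addr: str) -> bool:
    """True if addr lies in a local range; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:172.16.0.1 must not slip past the IPv4 ranges
    return any(ip in net for net in LOCAL_NETWORKS)

def in_trusted_zone(qname: str, trusted_zones) -> bool:
    """True if qname is inside a zone whose names are allowed to carry local addresses."""
    name = qname.rstrip(".").lower()
    for zone in trusted_zones:
        zone = zone.rstrip(".").lower()
        if name == zone or name.endswith("." + zone):
            return True
    return False

def filter_answers(qname: str, answers, trusted_zones=()):
    """Split a DNS response into (kept, dropped).

    Answers that point a name outside the trusted zones at a local address are dropped."""
    if in_trusted_zone(qname, trusted_zones):
        return list(answers), []
    kept, dropped = [], []
    for addr in answers:
        (dropped if is_local_address(addr) else kept).append(addr)
    return kept, dropped
```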

  4. Automatic expiration by Anonymous Coward · · Score: 5, Interesting

    All IOT devices should automatically cease functioning after 1 year without a firmware update. It should be the default dead man's switch to assume they are security compromised unless someone is actively maintaining them. Routers could be set up so protocol identities are incremented every year and anything with an out-of-date protocol could be restricted in what it can do on the network.

  5. Re:Just desserts by JaredOfEuropa · · Score: 5, Interesting

    IoT should stand for Intranet of Things. A separate intranet for IoT, with no access to the Internet and very limited access to the LAN (to connect to an IoT hub for instance, or a smart phone). And do not buy devices that “require” internet in order to function.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...

  6. Re:Just desserts by locofungus · · Score: 4, Interesting

    One of the most frustrating things about these IOT things is that they won't work properly unless they have an internet connection and are registered.

    I don't actually own any IOT things but a Kindle - AFAICT you cannot have a 'collection' until it can talk to the internet.

    Kindle Fire: connect to a private network with no (non-proxy) internet connectivity and it will refuse to automatically use the connection - even if there are no other connections available.

    I'd guess things like Nest are the same. The crazy thing is that I do have a way onto my internal network from outside - a VPN - I don't need each and every device trying to find its own way to punch holes through my firewall. I shouldn't have to have firewall rules to catch outgoing traffic and send it to an internal server so devices work. I shouldn't have to have special DNS zones to redirect traffic.

    These devices even try to use their own hardcoded DNS servers and bypass the ones supplied by DHCP/radvd, so more firewall rules are needed to send that traffic to the only reachable DNS servers.

    --
    God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
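An added example, not from any commenter, that turns the policy sketched across comments 1, 5 and 6 into a flow-record audit: the IoT VLAN may reach the internet (comment 1), may touch only the IoT hub on the LAN (comment 5), and may only send DNS to the router's DHCP-supplied resolver, so devices with hardcoded DNS servers show up as findings (comment 6). The subnets, hub address and port, and the key=value flow format are all constructed assumptions.

```python
import ipaddress
import re

# Constructed addressing (assumptions for this example, not from the thread).
IOT_NET = ipaddress.ip_network("172.16.50.0/24")    # IoT VLAN
LAN_NET = ipaddress.ip_network("172.16.10.0/24")    # trusted wired LAN
RESOLVER = ipaddress.ip_address("172.16.50.1")      # router's DNS forwarder handed out by DHCP
HUB_ALLOW = {(ipaddress.ip_address("172.16.10.5"), "tcp", 8883)}  # IoT hub, MQTT over TLS
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow-record format: one flow per line as key=value fields.
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def classify(flow: str) -> str:
    """Return 'allow' or a finding label for one flow record."""
    m = FLOW_RE.search(flow)
    if not m:
        return "unparsed"
    src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
    proto, dport = m[3].lower(), int(m[4])
    if src not in IOT_NET:
        return "not-iot"  # policy covers only flows originating on the IoT VLAN
    if dport == 53:
        # Comment 6: a device using a hardcoded resolver bypasses the DHCP-supplied one.
        return "allow" if dst == RESOLVER else "dns-bypass"
    if dst in IOT_NET:
        return "allow"  # device-to-device traffic inside the IoT VLAN
    if dst in LAN_NET and (dst, proto, dport) in HUB_ALLOW:
        return "allow"  # comment 5: the hub is the only LAN endpoint IoT may reach
    if any(dst in net for net in RFC1918):
        return "lan-access"  # anything else internal is lateral movement
    return "allow"  # internet, rate-limited by the firewall's QoS (comment 1)

def audit(flows):
    """Group every non-allowed flow under its finding label."""
    findings = {}
    for flow in flows:
        verdict = classify(flow)
        if verdict != "allow":
            findings.setdefault(verdict, []).append(flow)
    return findings

SAMPLE_FLOWS = [  # constructed records
    "src=172.16.50.21 dst=172.16.50.1 proto=udp dport=53",
    "src=172.16.50.21 dst=8.8.8.8 proto=udp dport=53",
    "src=172.16.50.22 dst=172.16.10.5 proto=tcp dport=8883",
    "src=172.16.50.22 dst=172.16.10.7 proto=tcp dport=445",
    "src=172.16.50.23 dst=203.0.113.40 proto=tcp dport=443",
]
```

Running `audit(SAMPLE_FLOWS)` on the constructed records reports one dns-bypass flow and one lan-access flow; feeding it real firewall or NetFlow exports only needs the regex adapted to their field names.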