Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

How Can You Tell if an IoT Device is Vulnerable to Attack?


  • Please log in to reply
5 replies to this topic

#1 Warthog-Fan

Warthog-Fan

  • Members
  • 289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Endicott, NY
  • Local time:11:57 AM

Posted 27 August 2017 - 01:37 PM

I was just looking through my Harbor Freight catalog and saw that they were selling a number of security cameras and systems. There have been a number of articles on this web site stating that many IoT devices like smart thermostats and security cameras are vulnerable to being exploited because of their software vulnerabilities.

 

How can you tell if a device that you have is vulnerable to being exploited? If there is a way to find out, is there really anything that the user can do to close holes in the devices and make them more secure?


Edited by hamluis, 27 August 2017 - 02:09 PM.
Moved from Web Browsing/Email to Gen Security - Hamluis.


BC AdBot (Login to Remove)

 


#2 traxsdata

traxsdata

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:10:57 AM

Posted 28 September 2017 - 11:07 PM

Depending on exactly what you are looking at, it is always good to change the password for any default accounts that are set out of the box.

 

You can also ensure that you are using the latest firmware for the device. Vendors will release firmware as issues or vulnerabilities are discovered with the device.

 

 

I also found a PC World that talks about how to scan for IoT vulnerabilities:

 

https://www.pcworld.com/article/3155466/internet-of-things/how-to-quickly-check-that-your-home-iot-devices-are-secure.html



#3 Warthog-Fan

Warthog-Fan
  • Topic Starter

  • Members
  • 289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Endicott, NY
  • Local time:11:57 AM

Posted 29 September 2017 - 08:59 AM

traxdata,

 

Thanks. I'll check out the article that you referred to above.



#4 r.a.d.

r.a.d.

  • Members
  • 421 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:08:57 AM

Posted 30 September 2017 - 01:04 PM

Reluctantly stepping in a moment since it's off your main topic question, but you mentioned HF/ security system. 
A family member has worked for the company some years in troubleshooting/customer service and a guy I know purchased a home security and camera wireless package with an American brand name similar to their Bunker Hill ones. He eventually returned it (with accompanying re-stocking fee) and paid about 35-40% more from a store here that worked flawlessly.
HF has great prices for stuff (tarps, rope, non-technical stuff) of which I've availed myself of many times, but if you're considering a more complicated product, my advice is to do some shopping beyond price attraction and learn to cry only once, instead of twice.
Just my humble 2¢ .

#5 undr1kr

undr1kr

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:57 AM

Posted 04 October 2017 - 05:37 PM

Short answer: if it's connected to a network, it's vulnerable. The steps you take to secure it determine HOW vulnerable it is. Not the popular answer, but it's the truth...

 

The first step in securing your home network devices is to take a look at the network edge. That is, the device(s) that sit between your home network and the rest of the world. In most home networks, this equates to your router/wireless access device.

 

All networked devices:

  • CHANGE DEFAULT PASSWORDS! The most common security flaw I see is people not changing default passwords. Anyone with Google and just a couple brain cells can gain full access to your device.
  • Password complexity. When you change these default passwords, don't use just numbers, or a lowercase word, or a word with a number or two after it. The way password attacks work, the more complex the password, the less likely someone will be able to crack it in a reasonable amount of time. Use a mix of uppercase, lowercase, symbols, and numbers. Also, try to stay away from "dictionary" words. I hate memorizing complicated passwords as much as the next guy, but it really does make a difference.
  • Stay on top of updates. I know, updates are annoying and seem to be a pain for no apparent reason. But they're there for good reason: when a manufacturer learns of a security flaw in their device, this is how they fix it. Updates are important.

Router:

  • Disable any open firewall ports you don't actively use. Unnecessary open ports are like building a 20 foot concrete wall around something and putting random gates in it no one will ever use. Maybe nobody will come through them, but why give them the chance?
  • Make sure settings that allow access from an external IP are turned off.
  • If your router supports remote protocols like telnet or SSH and you don't use them, turn them off.
  • Go through and disable other features you don't use. If you don't know if one of these features is in use, make changes slowly so if something stops working, you know what to enable again.

Access Point (if separate from router):

  • Ensure your encryption standard is set to WPA or preferably WPA2. If you're using WEP, you're extremely vulnerable. If your AP doesn't support WPA, it's time for a new AP.
  • Disable WPS. There are a number of attacks that exploit WPS vulnerabilities. Just type the password in if you're connecting a new device, it doesn't take THAT long.
  • Like the router, disable remote administration and telnet, SSH, etc.
  • The password complexity rule especially applies to Wi-Fi passwords. I'm here to tell you, it's not very difficult to capture a handshake and crack a weak Wi-Fi password. Then boom, full LAN access. Game over.

These steps are a good start to protecting all devices on your LAN. As far as IoT devices go, first assess the practicality of them. I know it's on a flashy, shiny display at the store, and it looks really cool, and it has an app, and you've heard about these "smart homes," but do you really need your toaster to be connected to the Internet? Come on... If you decide you absolutely can't live without it, then the same principles from above apply. Change from the default to a strong password. Disable unnecessary services. If your kung fu is a little stronger than most, fire up nmap and scan it. See if you can find any exploits. Also, assess the need to access the device from outside your home. I realize it's popular to be able to pull up your cameras from anywhere, but if you don't use this, turn it off. Any device that doesn't venture beyond the virtual walls of your LAN is going to have a much smaller chance of being poked at by nerds with sticks.

 

If all of this made your head spin, contract it out to someone who knows what they're doing. I promise the cost will be much less than if someone pops your box and steals your social. By the way, nobody thinks it will happen to them.

 

Happy cybering! 


Edited by undr1kr, 04 October 2017 - 05:39 PM.


#6 Warthog-Fan

Warthog-Fan
  • Topic Starter

  • Members
  • 289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Endicott, NY
  • Local time:11:57 AM

Posted 04 October 2017 - 08:42 PM

undr1kr,

 

Great information. I will be looking into these things tomorrow. Not sure what some of the things you said actually mean, but I can probably fight  my way  through it. I've done some of these things already, like changing router network name and password. but I'm sure that there is more that can be done.

 

As far as things being connected to the internet that don't necessarily need to be, I was in the checkout line at Wal-Mart a couple of months ago, and the lady in line ahead of me had a crock pot that had a Wi-Fi interface built into it.


Edited by Warthog-Fan, 04 October 2017 - 08:44 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users