IOT As we know it today + rant

Posted by Ashley Van Steenacker on October 31, 2016


There are well over 6.4 billion connected devices out there today, with an expectation of 20.8 billion by 2020.[^1]

Well, that's great. And I can definitely understand why you would want to have a DVR or an HVAC system that's "smart". When you are leaving work you can record your favourite show or turn up the heating. It's great if you can do those things remotely. But are they really that secure?

The insecurities of Things (IOT)

The only thing you might notice as a normal "average" consumer might be an SSL error for a self-signed SSL certificate.

self-signed SSL error

But even big corporations use self-signed SSL certificates for internal use. So it's not really that big of a deal. But let's say we want to secure our home. OK, let's get some cameras and a DVR. Oh wait, it has a remote option. And ooh, look at that, it has password protection by default.
Yeah. About that.

It's probably Admin, Admin. Or User and Admin.

And there goes your password security.

Let's creep people out.

Let's start with a TV that turns itself on and off and changes channels on its own.

Dreambox remote control interface

Done!

OK, let's see how our wind turbine is doing.

An Xzeres wind turbine

And the list of insecure devices continues. The most notorious devices would be security cameras, baby cams, and industrial control systems such as SCADA and BACNET.

OK, they're on the internet. But they're not evil, right?

Not really. Not only is the front-end of these devices poorly secured, but the back-end as well. Most of these IOT devices use Linux. Why? It's free and it does everything that you need it to do. But some of these devices take the user input and process it directly in the shell as ROOT. Yes, as ROOT! Or even better, some even have SSH or telnet on by default using admin, admin as a login.

Hmm, Big DDOS network anyone?

© mdsec

An IoT botnet is partly behind Friday's massive DDOS attack -PCWorld

Yup, they used IOT devices in a DDOS attack. Oh well. Time to secure your network!

The Intranet of Things

  • Smart devices are cool. But keep them on the internal network ONLY.

  • Need to connect to them remotely? Use a (properly set up) VPN server instead, which then connects to your internal network.

  • Use a firewall.

  • Update the software and firmware on all your devices.

And if everyone follows these rules, the internet will be a much better and safer place.

Conclusion of the day

IOT is cool. But the people who use it need to be educated. And manufacturers need to inform people what's on by default.

[^1]: Statistics according to Gartner