IoT Paranoia

'Smart' home devices used as weapons in a website attack - the Trojan horse threat from IoT is very real.

It's not paranoia if someone really is out to get you... Set up an SSH server and expose port 22 outside of your router and firewall. Monitor the number of attempts to crack into it and note the countries where they originate. I think you'll find the results alarming. There is too much computing power available to too many idle hands. Once you open it up, your home intranet can be accessed from anywhere in the world.
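To see what the experiment above produces in practice, here is an added example (not code from the original page) that summarises OpenSSH authentication failures per source address from log lines in the `auth.log` format. The log lines are constructed samples, the addresses are from the documentation ranges, and the threshold of three failures is an arbitrary assumption; mapping addresses to countries would need a GeoIP database, which is left out.

```python
"""Summarise SSH brute-force attempts from auth.log lines (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH's auth.log layout; not a real capture.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 gw sshd[2231]: Failed password for root from 198.51.100.23 port 51822 ssh2
Mar  3 02:14:09 gw sshd[2231]: Failed password for root from 198.51.100.23 port 51822 ssh2
Mar  3 02:14:12 gw sshd[2240]: Failed password for invalid user admin from 198.51.100.23 port 51830 ssh2
Mar  3 02:14:15 gw sshd[2244]: Invalid user pi from 203.0.113.77 port 40210
Mar  3 02:14:16 gw sshd[2244]: Failed password for invalid user pi from 203.0.113.77 port 40210 ssh2
Mar  3 02:15:01 gw sshd[2250]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:constructedfingerprint
"""

# "invalid user" is optional: sshd omits it when the account exists.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def summarize_ssh_auth(log_text: str, threshold: int = 3) -> dict:
    """Count failed logins per source IP and flag sources at or above the threshold.

    Successful logins are listed too, so an unexpected 'Accepted' from a
    source that was also guessing passwords stands out immediately.
    """
    failed_by_ip: Counter = Counter()
    users_by_ip: dict = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m["ip"]] += 1
            users_by_ip[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))
    suspects = sorted(ip for ip, n in failed_by_ip.items() if n >= threshold)
    return {
        "failed_by_ip": dict(failed_by_ip),
        "users_by_ip": {ip: sorted(users) for ip, users in users_by_ip.items()},
        "suspects": suspects,
        "accepted": accepted,
    }


if __name__ == "__main__":
    report = summarize_ssh_auth(SAMPLE_AUTH_LOG)
    for ip in report["suspects"]:
        print(f"{ip}: {report['failed_by_ip'][ip]} failures, tried {report['users_by_ip'][ip]}")
    for ip, user, method in report["accepted"]:
        print(f"accepted {user} from {ip} via {method}")
```

On a real host, feed the function the contents of `/var/log/auth.log` (or `journalctl -u ssh` output) and watch the per-IP counts climb; the same counts are what tools such as fail2ban key their bans on, and the usual mitigation is to disable password authentication entirely so the guesses cannot succeed.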

More reason to be scared - in addition to calling into AWS, where TP Link hosts its servers, TP Link smart switches configured to deny remote access still continued making calls to servers all over the world. Turning off remote access generally prevents only you from reaching them remotely; they still call out to their home servers so that TP Link can still reach and control them. This is true for most manufacturers.

Internet of Things (IoT) devices often provide very little, if any, protection from the wilds of the internet. While some may use passwords (Custom MPP devices protect firmware access with a password), they can still be vulnerable. Worse than that, they may not support SSL, so your password and/or security system passcode are often transmitted in the clear without encryption. Anyone sniffing the data streams will be able to discover both, and the risk of being monitored increases with the value of whatever you are protecting. Many free wifi services are also unencrypted, so whatever you do is there for anyone to see.

A second concern is the origin of the devices. Often developers put "back doors" in their products. While these devices should make only outgoing connections to their cloud service, a malicious developer could use that open path as a gateway into your network. Once there, they could monitor your network for user ids, passwords, account numbers, etc., to access your accounts or steal your identity. Consider the consequences if your IoT vendor were located in a country that became hostile to your own.

IoT connected devices can be hijacked to serve as bridges into your network which can then open your network completely: https://arstechnica.com/information-technology/2018/11/mass-router-hack-exposes-millions-of-devices-to-potent-nsa-exploit/

Open source has risks too: https://it.slashdot.org/story/18/12/01/2217231/nodejs-event-stream-hack-reveals-open-source-developer-infrastructure-exploit

Most IoT devices collect your email account, external IP address, GPS location (yes, your home address!), SSID and password, etc. At best you end up on an email spam list; at worst, on a dark net name/address list with your usual times away from home, when you are on vacation, etc.

A third risk is in the cloud service itself. There is the concern of internal or external theft of your information - which would include your system access codes or other privacy information (for example, if or what times you are at home or away, your habits and preferences, etc).

Newer, cheaper IoT devices are being hosted on cloud servers that run in countries that lack the strong privacy protection laws enjoyed in North America and Europe. Your personal data may not remain your own if you use those devices through the manufacturer's cloud. State operators may compel the cloud/device owners to enable access to your home.

And remember - Amazon (et al) want your IoT business to make money, not to help you. They don't care that you're out of milk, they just want to make sure your fridge orders through them. Don't expect them to care much about your personal data or security unless they're forced to by the law. If you're not paying for the product, you ARE the product.

The solution is to build an INTRAnet of things and to deny your devices access to the broader internet. MPP applications use the Android OS to wrap IoT devices in a security blanket, layering on encryption and secure access. These apps work as a hub running on an open platform using industry-standard, tested security protocols. Your IoT information is only available to you, even when accessing it from outside of your network. There are no central "cloud" MPP servers with an account for you (unlike most IoT vendors). The only cloud account you need is your personal Google account, and you're the only one that will have that. And even then, the data kept in your account is only enough information for your MPP server to communicate with your MPP clients. Google does not know the MPP protocol.

Safe practices for setting up an IoT device

  1. Use a disposable email account with unique password when setting up the app.
  2. If possible segregate the IoT devices to a separate subnet & wifi network. Unfortunately there's not much you can do about sharing the SSID, password, and your GPS address.
  3. Disable remote access in the setup (this is not a guarantee).
  4. Disable internet access for the IoT devices in your router.
  5. Use a hub/server like AutomationManager or the DscServer to isolate the IoT devices from the internet and the rest of your accounts.
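Steps 2 and 4 are a firewall policy: the IoT subnet may answer the hub, but may not initiate anything towards the LAN or the internet. The following is an added example, not configuration from the page or from any product named on it. It shows such a policy as an nftables ruleset and a small Python function that makes the same decision offline so the policy can be checked before it is loaded. The interface names (`lan0`, `iot0`, `wan0`) and the choice to let devices reach only the router's own DHCP and NTP ports are assumptions.

```python
"""IoT-isolation firewall policy with an offline decision mirror (added example)."""
from typing import Optional

# Assumed router interfaces (not from the page):
#   lan0 = trusted LAN where the hub/server lives
#   iot0 = the separate IoT subnet/wifi
#   wan0 = the internet uplink
IOT_NFT_RULESET = """\
table inet iot_isolation {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        # IoT devices may reach the router itself only for DHCP (67) and local NTP (123).
        iifname "iot0" udp dport { 67, 123 } accept
        iifname "iot0" drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # The hub on the LAN may initiate to the devices; the LAN keeps its internet.
        iifname "lan0" oifname "iot0" accept
        iifname "lan0" oifname "wan0" accept
        # No rule lets iot0 initiate towards lan0 or wan0, so the chain policy drops it.
    }
}
"""

ROUTER_SERVICES_FOR_IOT = {("udp", 67), ("udp", 123)}


def decide(iif: str, oif: Optional[str], proto: str, dport: int,
           established: bool = False) -> str:
    """Return 'accept' or 'drop' for a packet, mirroring IOT_NFT_RULESET.

    oif=None means the packet is addressed to the router itself (input chain);
    otherwise it is being forwarded between interfaces (forward chain).
    established=True models a reply inside a connection the other side opened.
    """
    if established:
        return "accept"
    if oif is None:  # input chain
        if iif == "iot0":
            return "accept" if (proto, dport) in ROUTER_SERVICES_FOR_IOT else "drop"
        return "accept"  # policy accept for the trusted side
    # forward chain: only the LAN may open connections, and only to iot0 or wan0
    if iif == "lan0" and oif in ("iot0", "wan0"):
        return "accept"
    return "drop"


if __name__ == "__main__":
    # The calls seen from the smart switches later on this page: NTP to the internet.
    print("IoT -> internet NTP:", decide("iot0", "wan0", "udp", 123))
    print("IoT -> router NTP:  ", decide("iot0", None, "udp", 123))
    print("hub -> IoT device:  ", decide("lan0", "iot0", "tcp", 80))
    print("device reply to hub:", decide("iot0", "lan0", "tcp", 80, established=True))
```

Load the ruleset with `nft -f` on the router; the `decide` function is only a model of it, useful for checking that a proposed exception (a camera that needs a cloud relay, say) really is the only hole before it is added to the live rules. If the router runs its own NTP server, the devices still get correct time without ever leaving the subnet.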

To break in, a malicious attacker will need access to your Google account, or your MPP server key, the client key, and the passcodes to your system. As long as you register your MPP clients while behind your firewall, these will not be available publicly. Client authority can be revoked at any time, and because the encryption keys are known only to the client and server apps, it is very, very difficult to break into the system.

You choose what information to share and what devices or services may talk to each other.

Read more as the rest of the industry starts to realize the threat from the Internet of Things (IoT):

Companies will stop supporting devices that are unprofitable, leaving you with useless devices if they depend on the cloud. Bulbs that last 20 years aren't much use if the company stops supporting them...

    • BestBuy giving up on the IoT business and leaving their customers hanging. One report says it's because the cost and risk of capturing customer usage data is growing too high: https://www.theverge.com/2019/9/6/20853671/best-buy-connect-insignia-smart-plug-wifi-freezer-mobile-app-shutdown-november-6 .
    • Osram is giving up on its Lightify line and is withdrawing support.
    • Belkin dropped Wemo Baby and their Wemo Cameras; those devices are now useless. The Wemo Link has been abandoned (no new bulbs can be linked). The Wemo Bridge never worked properly (it locks up every few days and must be power cycled), and it will not be fixed.
    • DLink has withdrawn IFTTT support, limiting IoT integration to their own devices.
    • Wink is transitioning to an expensive monthly service; if you don't sign up, your devices stop working.

HP's Internet of Things study

http://www.nbcnews.com/tech/innovation/can-internet-things-preserve-privacy-lawmakers-n304541

http://www.nbcnews.com/tech/gadgets/nest-thermostat-was-leaking-zip-codes-weather-stations-researchers-n501131

http://www.nbcnews.com/tech/security/man-hacks-monitor-screams-baby-girl-n91546

http://download.bitdefender.com/resources/files/News/CaseStudies/study/87/Bitdefender-2016-IoT-A4-en-EN-web.pdf

ZDNET: All your IoT devices are doomed

Here's a list of servers the TP Link devices tried to contact with remote access disabled and while blocked from the internet. I suspect it's an old list of NTP servers they copied/pasted from who knows where, but it's hard to be certain, and worrying if not. Or if those names/servers were ever compromised...

144.217.181.221 123 UNREPLIED Canada Beauharnois, Quebec CA OVH SAS (AS16276)

129.6.15.28 123 UNREPLIED NIST

202.112.10.60 123 UNREPLIED China Beijing, Beijing CN China Education and Research Network Center (AS4538)

202.112.1.34 123 UNREPLIED ntpa.nic.edu.cn China Beijing, Beijing CN China Education and Research Network Center (AS4538)

85.199.214.100 123 UNREPLIED DNS not found!

172.104.55.191 123 UNREPLIED ntp.sg.eria.one Singapore Singapore, Central Singapore Community Development Council SG

88.198.49.74 123 UNREPLIED batleth.sapienti-sat.org Germany Nuremberg, Bavaria DE Hetzner Online AG (AS24940)

78.36.11.161 123 UNREPLIED ppp78-36-11-161.pppoe.murmansk.dslavangard.ru Russia Kirovsk, Murmansk RU OJSC Rostelecom (AS8997)

163.172.225.159 123 UNREPLIED bb8.dousse.eu France FR ONLINE S.A.S. (AS12876)

92.53.241.11 123 UNREPLIED timekeeper.webwiz.net, GB

193.228.143.23 123 UNREPLIED ntp7.flashdance.cx, SE

129.6.15.29 123 UNREPLIED NIST

176.126.165.80 123 UNREPLIED ntp.hoster.kg Kyrgyzstan KG Hoster kg, Ltd. (AS59684)

118.140.184.99 123 UNREPLIED sr-99-184-140-118-on-nets.com Hong Kong Kowloon, Kowloon City HK Hutchison Global Communications (AS9304)

212.83.186.55 123 UNREPLIED ntp.fr.eria.one France FR ONLINE S.A.S. (AS12876)

129.215.160.240 123 UNREPLIED linnaeus.inf.ed.ac.uk United Kingdom Edinburgh, Scotland GB JISC Collections And Janet Limited (AS786)
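The list above is the kind of evidence that makes the case in the TP Link paragraph: a device with remote access disabled still tries to reach servers on four continents. As an added example (not code from the page), the function below parses lines in that same layout (destination IP, port, conntrack state, optional reverse-DNS name, optional geo/ASN text), checks each destination against an allow-list of ports a blocked device is expected to use, and reports what is left. The first four sample lines are copied from the list; the fifth is a constructed non-NTP line with a documentation address and a private-use ASN, and the assumption that port 123 is the only expected port is the example's own.

```python
"""Audit an IoT device's blocked egress attempts against an allow-list (added example)."""
import re
from collections import Counter

# First four lines copied from the list on the page; the last line is
# constructed (TEST-NET address, .invalid name, private-use ASN) to show
# what a non-NTP destination would look like in the report.
SAMPLE_EGRESS = """\
144.217.181.221 123 UNREPLIED Canada Beauharnois, Quebec CA OVH SAS (AS16276)
129.6.15.28 123 UNREPLIED NIST
85.199.214.100 123 UNREPLIED DNS not found!
202.112.1.34 123 UNREPLIED ntpa.nic.edu.cn China Beijing, Beijing CN China Education and Research Network Center (AS4538)
203.0.113.7 443 ASSURED example-telemetry.invalid (AS64500)
"""

# Assumed allow-list: a device that is blocked from the internet and has
# remote access disabled should need nothing beyond time synchronisation.
EXPECTED_PORTS = {123: "ntp"}

ASN_RE = re.compile(r"\(AS(\d+)\)")
# A DNS name: letters/digits/hyphens with at least one dot and a letter-only last label.
HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$", re.IGNORECASE)


def parse_egress_line(line: str):
    """Split one '<ip> <port> <state> [hostname] [geo/ASN text]' line into fields."""
    tokens = line.split()
    if len(tokens) < 3 or not tokens[1].isdigit():
        return None
    rest = tokens[3:]
    first = rest[0].rstrip(",") if rest else ""
    asn = ASN_RE.search(line)
    return {
        "ip": tokens[0],
        "port": int(tokens[1]),
        "state": tokens[2],  # UNREPLIED = the firewall let nothing come back
        "hostname": first if HOST_RE.match(first) else None,
        "asn": int(asn.group(1)) if asn else None,
        "dns_missing": "DNS not found" in line,
    }


def audit_egress(text: str, expected_ports=EXPECTED_PORTS) -> dict:
    """Classify every destination: unexpected port, unresolved name, ASN spread."""
    records = [r for r in map(parse_egress_line, text.splitlines()) if r]
    report = {
        "total": len(records),
        "blocked": sum(r["state"] == "UNREPLIED" for r in records),
        "unexpected_port": [f'{r["ip"]}:{r["port"]}' for r in records
                            if r["port"] not in expected_ports],
        "unresolved": [r["ip"] for r in records if r["dns_missing"]],
        "asn_counts": Counter(r["asn"] for r in records if r["asn"] is not None),
    }
    return report


if __name__ == "__main__":
    result = audit_egress(SAMPLE_EGRESS)
    print(f'{result["blocked"]}/{result["total"]} attempts got no reply (blocked)')
    print("destinations on unexpected ports:", result["unexpected_port"])
    print("destinations with no reverse DNS:", result["unresolved"])
    print("distinct ASNs contacted:", len(result["asn_counts"]))
```

A line that survives the audit on a port other than 123 is the one worth investigating; an `UNREPLIED` state on every line confirms that the router rule from the safe-practices list is doing its job, since the device's packets leave and nothing ever comes back.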