Security Risks of IoT?

1,936 Views | 17 Replies | Last: 2 yr ago by permabull
KingofHazor
I just bought some devices (freezer monitor and water monitors) that connect to my home network. As I was setting them up, it dawned on me that 1) they are manufactured in China and 2) they want/need my home network password.

By giving them access to my home network, am I creating a security risk? My paranoid side says that they could be monitoring everything I'm sending over my network and forwarding it to China, including passwords. Is there in fact a security risk? If so, is there any way that I can eliminate it and still use the devices?

By way of background, I'm using Xfinity internet and the modem they provide. I have no idea how to change any settings on it or if that's even possible.

TIA, folks!

ETA: In order to use these devices, I also have to have an app on my phone. I suppose that's an additional security risk, right?
TMoney2007
AG
Websites don't save your passwords into text documents and transmit them over the open internet... They're encrypted, as is most of the information that gets shuttled around the internet.

Secondly, China doesn't actually care about you. They don't really care about the average American nearly as much as some people would like for you to think. If they wanted demographic data, they would buy it from Facebook or some other American company that we allow to collect scarily personal data about us.

That said, there is some level of security risk. It has been revealed that IoT devices can sometimes have lax security like hard-coded passwords and unpatched firmware. There is a risk that this could be used if an elite hacker in North Korea, China or Russia decided that they wanted to access your home network and was willing to dedicate a bunch of time to do it... but that's not going to happen.

What is probably more likely is that some nefarious actor might decide to break some of the web based functionality on these devices or use them as nodes in a bot farm that attacks websites.

What most people who are concerned about this kind of security do is put all their IoT devices on a separate wifi network that is segregated from everything else. If you put in the model of your wifi router and "iot security" or something like that, you can probably find a tutorial to show you some tips.

I try to avoid things with cloud-based services attached to major features. For me this has less to do with security and more to do with the parent company losing interest and shutting down the servers and making the products I purchased less useful. Local control is where it's at.
KingofHazor
Quote:

Secondly, China doesn't actually care about you.
Thanks.

I fully agree with the quoted part, with the caveat that China does care about me and the hundreds of millions like me. I suppose, however, that if China were to do a mass attack on all of us millions (say, drain our bank accounts simultaneously), it might not accomplish much to be the only man left still standing. An attack like that would destroy our banks and investment firms, making my security rather pointless, perhaps.
TMoney2007
AG
Jabin said:

Quote:

Secondly, China doesn't actually care about you.
Thanks.

I fully agree with the quoted part, with the caveat that China does care about me and the hundreds of millions like me.
Whatever you say... Ask yourself why they would care about you. Then, ask yourself why the people telling you to be scared might benefit from you being scared.

I don't mean to belittle you, but if you think that a "mass attack" where they drain everyone's bank accounts is possible and that they would actually be interested in destroying the largest market for their products, you're completely delusional.

China is the big bad that was chosen to replace the USSR to keep you from questioning defense budgets.
KingofHazor
Whatever I said to get you all upset and condescending, I apologize.
Lathspell
AG
If a nation-state wanted to hack your network, there's not a damned thing you can do about it. The fact is they won't. You are at greater risk having the Bluetooth on your cell phone turned on. Any hacker with any ability can use that signal to get into your phone, and then probably your bank account, because they would have access to your cell phone for MFA.

Sleep well!
MGS
TMoney2007 said:

Secondly, China doesn't actually care about you.
Well, they did steal the records of all government employees for some reason.

Additionally, you don't necessarily need to worry about the Chinese government, but there are also Chinese-based criminal organizations that would love to steal your money.
kb2001
AG
The security risks you're contemplating are not the right ones.

There are two overall types of risk with IoT devices. First, the security risk, not in malice from the manufacturer, but from poorly implemented devices that cannot be patched. An insecure IoT device can be an attack vector to get in to your network. This is low risk, because the potential payoff for infiltrating your home network is not worth the effort it takes to do it. There isn't much to gain, so why bother?

The other risk is data privacy; this risk lies largely with the company that provides the service for you. They'll collect whatever data they can in the name of "improving the product experience" and sell it to advertisers. They may collect this initially with the sole intention of seeing how people use their product and trying to sell you more products, or improve the existing one, but it's very likely that at some point down the line they will end up selling the information to a third-party advertiser.

If you want to be overly cautious, you can set up an isolated WiFi network just for your IoT devices.
UmustBKidding
I run all my IoT devices in a separate VLAN. There are plenty of examples of black hats using IoT devices to move horizontally within a network. And it does not matter if the device is from China; bad programming practice is widespread, and you are best keeping devices that you cannot control, evaluate, update and secure off of the network where your daily life lives. In reality, as someone who deals with security issues daily, I have a separate VLAN for machine and network administration and have a dedicated machine/VLAN on which I deal with banks, payments and credit cards.
But my biggest fear is my data in the hands of idiots. Places like medical labs that want to make a copy of my driver's license any time I walk in. My answer is I did not bring it with me. I have multiple government-issued IDs, but no one gets to copy them.
KingofHazor
Thanks. Is there an easy way for a lay person to set up a VLAN?
KingofHazor
Quote:

This is low risk, because the potential payoff for infiltrating your home network is not worth the effort it takes to do it. There isn't much to gain, so why bother?
Methinks you are assuming way too much and perhaps simply wrong.

Of course there may be significant payoff to infiltrate individuals' home networks. What if I am a billionaire (I'm not). Even short of being a billionaire, the ability of a black hat to electronically steal a million here and a couple of million there is not anything to sneeze at. Before you know it, you'd be talking about real money.
UmustBKidding
I am not familiar with what router Xfinity is pushing these days. I suspect the best you may be able to do is to put your IoT devices on the guest WiFi if the device supports it. I run pfSense as my router and Ubiquiti access points/switches, but there are lots of options. The UniFi Dream Router is also a popular choice, not nearly as capable as running pfSense but likely with fewer barriers to use. Lots of YouTube on this stuff, but the stuff from Lawrence Systems covers pf & Ubiquiti options along with others.
kb2001
AG
Jabin said:

Quote:

This is low risk, because the potential payoff for infiltrating your home network is not worth the effort it takes to do it. There isn't much to gain, so why bother?
Methinks you are assuming way too much and perhaps simply wrong.

Of course there may be significant payoff to infiltrate individuals' home networks. What if I am a billionaire (I'm not). Even short of being a billionaire, the ability of a black hat to electronically steal a million here and a couple of million there is not anything to sneeze at. Before you know it, you'd be talking about real money.
You're missing the point. The target won't be a single person, the target will be the company that provides the service to lots of people. Blackhats that break into networks typically don't steal, they blackmail.

Having worked in this industry for 20 years, including designing and implementing a security posture for HIPAA and PCI environments, I am confident in my assessment.

Do as you wish.
gumby579
AG
Jabin said:

Thanks. Is there an easy way for a lay person to set up a VLAN?


It's going to be easier to set up a pi-hole on something, instead of a VLAN, at least IMO. I have an IoT VLAN that uses a pi-hole, sort of just a backup to ensure those packets go to the sinkhole, and not external.
KingofHazor
gumby579 said:

Jabin said:

Thanks. Is there an easy way for a lay person to set up a VLAN?


It's going to be easier to set up a pi-hole on something, instead of a VLAN, at least IMO. I have an IoT VLAN that uses a pi-hole, sort of just a backup to ensure those packets go to the sinkhole, and not external.
Can you dumb that down to 5th grade level, or if you were explaining it to your mom?
UmustBKidding
His devices are not going to work if packets go to a null device. He is not trying to block packets to or from China, only that the devices cannot gather packets from his other devices or send them to his devices. Horizontal movement is what needs to be blocked.
gumby579
AG
UmustBKidding said:

His devices are not going to work if packets go to a null device. He is not trying to block packets to or from China, only that the devices cannot gather packets from his other devices or send them to his devices. Horizontal movement is what needs to be blocked.


Good point. VLAN with the right rules is the way to go.
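The "VLAN with the right rules" idea from this and UmustBKidding's earlier posts, modelled as an added example (not code from any poster): a small Python first-match policy evaluator for an IoT segment that may reach the internet and a pi-hole resolver but nothing else on the home network. The addresses, segment names and the pi-hole at 192.168.1.53 are constructed assumptions; a real firewall such as pfSense would carry the same rules in its own UI.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (an assumption for this example, not from the thread).
# Entries are checked in order, so the /32 pi-hole entry wins over its /24.
SEGMENTS = {
    "resolver": ipaddress.ip_network("192.168.1.53/32"),  # pi-hole on the LAN
    "lan":      ipaddress.ip_network("192.168.1.0/24"),   # laptops, phones
    "admin":    ipaddress.ip_network("192.168.10.0/24"),  # network administration
    "iot":      ipaddress.ip_network("192.168.20.0/24"),  # freezer/water monitors
}

def segment_of(addr: str) -> str:
    """Map an address to its segment; anything outside the plan is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

# (source segment, destination segment or "*", destination port or None, action).
# First match wins; a flow that matches nothing falls through to the default deny.
RULES = [
    ("iot",   "resolver", 53,   "allow"),  # DNS only via the pi-hole, so devices keep working
    ("iot",   "internet", None, "allow"),  # vendor cloud check-ins
    ("iot",   "lan",      None, "deny"),   # no lateral movement into the LAN
    ("iot",   "admin",    None, "deny"),   # nor into the administration segment
    ("lan",   "resolver", 53,   "allow"),
    ("lan",   "iot",      None, "allow"),  # phone app may reach a monitor locally
    ("lan",   "internet", None, "allow"),
    ("admin", "*",        None, "allow"),  # administration hosts may reach everything
]

def decide(flow: Flow) -> str:
    # Return 'allow' or 'deny' for a flow under RULES (default deny).
    src, dst = segment_of(flow.src), segment_of(flow.dst)
    for rule_src, rule_dst, rule_port, action in RULES:
        if rule_src == src and rule_dst in ("*", dst) and rule_port in (None, flow.dport):
            return action
    return "deny"

if __name__ == "__main__":
    probe = Flow("192.168.20.7", "192.168.1.20", 445)  # monitor -> laptop file share
    print(probe, "->", decide(probe))
```

The explicit deny lines are redundant with the default deny but document the intent, which is what you want to see when reviewing the rule set later.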
permabull
AG
A lot of routers allow you to set up a guest network; I put my IoT devices on that network so it's less likely they gain access to my main devices if they were compromised.