Securing the Internet of Things
Published: January 22nd 2015
The sub-title for this should probably read: "Concerns and confessions of an ageing geek"
I love the Internet of Things (IoT) and the enabling and educational aspect that this brings. I'm a big advocate of hacking away at hardware and software to make it do things you need it to, perhaps in ways that the designer never intended. What concerns me is that a great many devices are suddenly being given a direct connection to the Internet with little thought for security. Part of this blame lies with the manufacturers of the products, for seeing an easy buck and selling rather than supporting consumers through the product lifecycle. Part of the blame lies in years of naivety about how bad things are out there on the communication super highways.
Setting the scene
My primary setup at home until recently consisted of a stock DSL modem/router (Virgin Media Superhub) which was set to routing mode only with WiFi disabled. Behind that I have a Cisco/Linksys unit which actually provides the gateway and firewalling as well as my wireless connection (the aerials in the unit are considerably better than the Superhub's).
This is configured to:
- log activity and email me daily logs;
- disallow Universal Plug and Play (UPnP) port opening;
- provide a DMZ for my development Raspberry Pi, which itself runs around three separate web services for me;
- secure WiFi using WPA2/AES, locked to the G band (802.11g) radio only, for my own equipment to connect.
My Pi was configured to run fail2ban to protect against SSH brute-force attacks and has the latest security patches applied to the 'Raspbian' Debian install. The Apache configuration is locked down and I take precautions to monitor activity on my system. The system has a rootkit detection utility on it; I do not run any gcc compilation platform on my Pi and have no ancillary accounts created.
Despite the basic precautions, despite the standard paranoid network administrator settings, despite my best efforts at looking after my little Pi, I identified SSH sessions firing up and connecting under the root account to North Africa. This is rather unusual for me given that I have:
a) not been to North Africa;
b) not configured the root account to use SSH.
I took steps to kill the SSH session process and lock out the connection using iptables on my Pi, but the connection appeared to persist.
Was this really an active session? Checking my process listing I could see no adverse activity; I could see no activity that was out of the ordinary for my unit: no additional services, no other connections out from the unit except for the SSH session for root and my own SSH session.
What the double-deuce was going on?
I could only assume that there was an insecurity in a package I was operating and that somehow this was used to leverage into my system. Given that I had a million things to sort aside from this small inconvenience, I yanked the power on the unit and have stored it for now until I can try some more detailed forensics on it.
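The session described above, handled as a small runbook. This is an added example, not the author's script or setup: a POSIX shell script that first records the volatile state that is gone once the power is pulled (logged-in users, process table, socket table) and then evicts and blocks a peer. The point a practitioner will want from the blocking step: a DROP rule appended with `iptables -A` lands below any earlier `--ctstate ESTABLISHED,RELATED -j ACCEPT` rule, so the packets of an already-established session keep being accepted by that earlier rule; the DROP has to be inserted at the top of the chain, the conntrack entry removed, and the sshd child serving the peer killed. The evidence directory, the `IPT`/`CONNTRACK` overrides and the function names are assumptions; it needs root on a Linux host with iproute2 and iptables (conntrack-tools optional).

```shell
#!/bin/sh
# Added example (not the author's script): triage a suspicious inbound SSH
# session, then evict and block its source. Assumes Linux with iproute2 (ss),
# iptables and optionally conntrack-tools; must run as root to take effect.
# IPT, CONNTRACK and EVIDENCE are assumed names that can be overridden, e.g.
# IPT=echo CONNTRACK=echo for a dry run that only prints the firewall commands.
IPT=${IPT:-iptables}
CONNTRACK=${CONNTRACK:-conntrack}
EVIDENCE=${EVIDENCE:-/var/tmp/ssh-incident-$(date +%Y%m%dT%H%M%S)}

# Step 1: record volatile state BEFORE killing anything or pulling the power.
# Logged-in users, process table and socket table are exactly what a later
# disk-only forensic pass cannot recover. Prints the evidence directory.
capture_state() {
    mkdir -p "$EVIDENCE"
    who -a                           > "$EVIDENCE/who.txt"     2>&1 || true
    last -i -n 50                    > "$EVIDENCE/last.txt"    2>&1 || true
    ps -eo pid,ppid,user,lstart,args > "$EVIDENCE/ps.txt"      2>&1 || true
    ss -tnpa                         > "$EVIDENCE/sockets.txt" 2>&1 || true
    # Effective sshd setting; "permitrootlogin no" is what was expected here.
    sshd -T 2>/dev/null | grep -i permitrootlogin > "$EVIDENCE/sshd.txt" || true
    printf '%s\n' "$EVIDENCE"
}

# Step 2: established sessions to the local sshd as "peer-address pid" lines
# (pid is empty when not running as root, since ss -p cannot see it then).
# With a "state" filter ss drops the State column, so the peer is field 4.
ssh_peers() {
    command -v ss >/dev/null 2>&1 || return 0
    ss -tnp state established '( sport = :22 )' 2>/dev/null |
        awk 'NR > 1 {
                 peer = $4; sub(/:[0-9]+$/, "", peer)
                 pid = ""
                 if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
                 print peer, pid
             }'
}

# Step 3: block the peer and tear down the live session. The DROP rule is
# INSERTED at position 1: a rule appended with -A sits below any earlier
# "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" rule, so packets of
# an already-established session would still be accepted by that rule.
evict_peer() {
    peer=$1
    $IPT -I INPUT 1 -s "$peer" -j DROP
    # Remove the conntrack entry too, or a stateful rule set can keep
    # matching the flow as ESTABLISHED until the entry times out.
    if command -v "$CONNTRACK" >/dev/null 2>&1; then
        $CONNTRACK -D -s "$peer" >/dev/null 2>&1 || true
    fi
    # Finally kill the sshd child serving that peer (its shell dies with it).
    ssh_peers | awk -v p="$peer" '$1 == p && $2 != "" { print $2 }' |
        while read -r pid; do kill -9 "$pid" 2>/dev/null || true; done
}

# Usage (as root):  capture_state; evict_peer 203.0.113.9
```

Run `capture_state` first and copy the evidence directory off the box before doing anything else; once the peer is evicted, the unit can be imaged from a clean system rather than simply powered off.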
My concern grows that my Cisco unit is woefully inadequate and that primary packages I utilise on the unit are not as secure as the developers would hope.
I reasonably guess that there is an insecurity in one of these services:
- PHP 5.4
- Squid3 (which was turned on for an authenticated proxy for a friend for a time)
Obviously this relates to my Raspbian build, which doesn't run the latest patches in the way the primary Debian installation does (this is worth bearing in mind for whichever distribution you are using on your IoT device).
Why am I admitting this information publicly? Why not just keep the fact to myself and rebuild the machine to continue development work?
Why am I highlighting something that might have been my paranoia?
Why am I detailing my hazy information?
We learn nothing from secrecy - how can we possibly discover vulnerabilities and secure our systems if we do not share knowledge, patch the machines and create strong firewall rules to guard against such incidents?
It is imperative that we disclose information in a proactive way amongst the community of hackers and makers so we can learn where vulnerabilities lie and patch the leaks. Software is complex, networks are vast and complex. We can't ever hope to be completely secure unless we disconnect from everything - computer networks as well as the mains power grid (seeing as you can push network traffic down the power grid nowadays and sniff data back from it down the street).
My main point is this: if I, a paranoid administrator who is prepared to take steps to protect myself with devices behind firewall systems, can be caught out, what hope do standard consumers have of protecting themselves when they start connecting their latest IoT equipment directly to the Internet?
Is it all doom and gloom in my opinion? No, not necessarily - we all need to be more focused on security as consumers and as producers of hardware and software. We need to take more of an active responsibility to secure and administer systems that are under our control.
Next steps for me
One of the key areas I think I will focus on is segregating my delivery LAN from my internal network using a much more granular firewalling system. I need to ensure that any information that lives on my network to be delivered to the world is separated into services and nodes, each one running proper MD5 checks on the filesystem and delivering an immediate "I've changed" notification to my phone (via email most likely).
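One way to build the filesystem check described in the paragraph above, as an added example rather than the author's own tooling: a POSIX shell baseline-and-compare over a directory tree. It uses SHA-256 instead of MD5, because MD5 collisions are cheap to produce and a file-integrity check should not rely on a hash for which an attacker can make two different files match. The function names, the baseline path and the `mail`/`MAIL_TO` notification hook are assumptions. The baseline is only worth something if it lives somewhere the intruder cannot rewrite it (another host, or read-only media), since anyone with root on the node can regenerate it after modifying files.

```shell
#!/bin/sh
# Added example (not the author's tooling): file-integrity baseline for one
# node in the delivery LAN. Assumes GNU coreutils/findutils (sha256sum,
# sort -z, xargs -r). Keep the baseline off-box or read-only: a root-level
# intruder can simply re-run fim_baseline after planting files.

# Hash every regular file under a tree, sorted for stable, diffable output.
# Paths are relative to the tree root, so the baseline can be checked on a
# freshly deployed copy of the same content as well.
fim_snapshot() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# Write the baseline for a tree:  fim_baseline /srv/www /mnt/ro/www.sha256
fim_baseline() {
    fim_snapshot "$1" > "$2"
}

# Compare a tree against its baseline. Prints one line per difference
# ("ADDED path", "REMOVED path", "MODIFIED path") and returns 1 if there
# are any; returns 0 silently when the tree matches.
fim_check() {
    dir=$1; baseline=$2
    current=$(mktemp)
    fim_snapshot "$dir" > "$current"
    changes=$(
        # sha256sum lines are "hash  path"; strip the hash rather than taking
        # $2 so that paths containing spaces survive. FILENAME (not NR==FNR)
        # tells the two inputs apart even when the baseline file is empty.
        awk -v B="$baseline" '
            { h = $1; p = $0; sub(/^[^ ]+  /, "", p) }
            FILENAME == B { base[p] = h; next }
                          { cur[p] = h }
            END {
                for (p in cur)  if (!(p in base)) print "ADDED " p
                for (p in base) if (!(p in cur))  print "REMOVED " p
                for (p in base) if ((p in cur) && base[p] != cur[p]) print "MODIFIED " p
            }' "$baseline" "$current" | LC_ALL=C sort
    )
    rm -f "$current"
    if [ -z "$changes" ]; then
        return 0
    fi
    printf '%s\n' "$changes"
    return 1
}

# Run from cron; mails the report when MAIL_TO is set and a mail command
# exists (assumed notification path), and always prints it.
fim_alert() {
    if report=$(fim_check "$1" "$2"); then
        return 0
    fi
    if [ -n "${MAIL_TO:-}" ] && command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$report" | mail -s "[FIM] $(hostname): $1 changed" "$MAIL_TO"
    fi
    printf '%s\n' "$report"
    return 1
}
```

A cron entry such as `*/10 * * * * MAIL_TO=me@example.invalid /usr/local/sbin/fim.sh` (with the script sourcing the functions and calling `fim_alert /srv/www /mnt/ro/www.sha256`) gives the "I've changed" email the paragraph asks for; regenerate the baseline only as part of a deliberate deployment.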
Obviously I'll burn the password used on that system, and I'll change the default "insecure" ones that related to simple services I had running on my test platform. These were used only for my own home testing (not client work); it's important to grade your passwords and their complexity based on the level of service (and segregate them from online accounts!).
I'd also like to reduce my overhead of rebuilding systems by having an automated imaging and deployment system running so I can single-command re-install units as necessary or deploy my software and data. It would be much easier to provide an interface for me to do this than have to search around for the images of software and start copying data down again from across my network manually. I will most likely try and implement some hubot system on the internal and the external grid of my network.
Until next time - stay safe out there and ...