Securing the Internet of Things

The sub-title for this should probably read: "Concerns and confessions of an ageing geek"

I love the Internet of Things (IoT) and the enabling and educational aspect that this brings. I'm a big advocate of hacking away at hardware and software to make it do things you need it to, perhaps in ways that the designer never intended. What concerns me is that a great many of devices are suddenly being given a direct connection to the Internet with little thought for security. Part of this blame lies with the manufacturers of the products for seeing an easy buck and selling rather than supporting consumers through product lifecycle. Part of the blame lies in years of naivety over how bad things are out there on the communication super highways.

Setting the scene

My primary setup at home until of late consisted of a stock DSL modem/router (Virgin Media Superhub) which was set to routing mode only with WiFi disabled. Behind that I have a Cisco/Linksys unit which actually provides the gateway and firewalling as well as my wireless connection (due to the fac tthe aerials in the unit are considerably better than the superhub).
This is configured to: log activity and email me with daily logs; Disallow universal plug and play port opening; Provide DMZ for my development Raspberry Pi which itself runs around three separate web services for me; Wifi is secured using WPA2/AES and locked to band G radio only for my own equipment to connect.

My Pi was configured to run fail2ban to protect against SSH brute force attacks and has the latest versions of security patches applied to the 'Raspian' Debian install. The apache configuration is locked down and I take precaution to monitor activity on my system. The system has a rootkit detection utility on it and clamAV operating.
I do not run any gcc compilation platforms on my pi and have no ancilliary accounts created.

Suspicious activity

Despite the basic precautions, despite the standard paranoid network administrator settings, despite my best efforts at looking after my little pi, I identified SSH sessions firing up and connecting under the root account to north Africa. This is rather unusual for me given that I've
a>Not been to North Africa
b>Not configured the root account to use SSH.

I took steps to kill the SSH session process and lock out the connection using iptables on my pi but the connection appeared to maintain.
Was this really an active session? Checking my process listing I could see no adverse activity; I could see no activity that wasn't out of the ordinary for my unit - no additional services, no other connections out from the unit except for the SSH session for root and my own SSH session.
What the double-deuce was going on?

I could only assume that there was an insecurity in a package I was operating and somehow this was used to leverage into my system. Given that I had a million things to sort aside from this small inconvenient issue, I yanked the power on the unit and I've stored it for now until I can try some more detailed forensics on the unit.
My concern grows that my Cisco unit is woefully inadequate and that primary packages I utilise on the unit are not as secure as the developers would hope.

I reasonably guess that there is an insecurity in one of these services:

  • SSH
  • Apache2
  • PHP 5.4
  • Squid3 (which was turned on for an authenticated proxy for a friend for a time)
If I were to hazard a guess it would have been a combination insecurity with the SSH and Squid3 systems - probably exploting a loophole in Squid and then gaining access to the SSH daemon.
Obviously this relates to my Raspian build - which doesn't run the latest patches as the primary Debian installtion build (this is worth bearing in mind for whichever distribution you are potentially using on your IoT device).

Disclosure reasons

Why am I admitting to this information publically? Why not just keep the fact to myself and rebuild the machine to continue development work?
Why am I highlighting something that might have been my paranoia?
Why am I detailing my hazy information?
We learn nothing from secrecy - how can we possibly discover vulnerabilities and secure our systems if we do not share knowledge, patch the machines and create strong firewall rules to guard against such incidents?

It is imperative that we disclose information in a proactive way amongst the community of hackers and makers so we can learn where vulnerabilities lie and patch the leaks. Software is complex, networks are vast and complex. We can't ever hope to be completely secure unless we disconnect from everything - computer networks as well as the mains power grid (seeing as you can push network traffic down the power grid nowadays and sniff data back from it down the street).

My main point is that if I am a paranoid administrator who is prepared to undertake steps to protect myself with devices behind firewall systems - what hope to standard consumers have in protecting themselves when they start connecting their latest IoT equipment directly to the Internet?

Is it all doom and gloom in my opinion? No, not necessarily - we all need to be more focused on security as consumers and as producers of hardware and software. We need to take more of an active responsibility to secure and administer systems that are under our control.

Next steps for me

One of the key areas I think I will focus on is segregating my delivery LAN from my internal network using a much more granular firewalling system. I need to ensure that any information that lives on my network to be delivered to the world is separated into services and nodes - each one running proper MD5 checks on the filesystem and delivering immediate "I've changed" communication to my phone (via email most likely).

Obviously for the password used on that system, I'll burn that one - and I'll modify the default "insecure" ones that related to simple services I had running on my test platform. These were used only for my own home testing (not client work) - it's important to grade your passwords and complexity based on the level of service (and segregate them from online accounts!).

I'd also like to reduce my overhead of rebuilding systems by having an automated imaging and deployment system running so I can single-command re-install units as necessary or deploy my software and data. It would be much easier to provide an interface for me to do this than have to search around for the images of software and start copying data down again from across my network manually. I will most likely try and implement some hubot system on the internal and the external grid of my network.

Until next time - stay safe out there and ...

Happy hacking!

Next Item.. The Long Dark Quiet

Previous Item.. ServerGrid Door Entry Integration with Paxton Net2 and HipChat