IoT ecosystem security and the important role of closed networks such as HE

With the push for widespread proliferation of WiFi/IP based IoT devices, this will become more commonplace. This is another premise for non-WiFi IoT devices that run on closed networks such as Z-Wave, Zigbee, Lutron ClearConnect, etc. Devices residing on standard IP networks will likely become targets for these types of attacks. It is estimated that by the year 2020 some 50 billion IoT devices will be deployed worldwide. Today, the number of deployed IoT devices outnumbers the population of personal computers and mobile phones combined. With each networked IoT device having its own separate network stack, these collective devices present a formidable vulnerability.

As long as the Hubitat Elevation hub and associated hubs that sit on the IP network are secure, the closed home automation IoT network will be less likely to be a target. The HE platform, being a local, non-cloud based platform, will further help protect the HE ecosystem from these types of attacks. I don't think that most people are considering how vulnerable their IoT control platforms are to attacks, and I also think that the next "big" attack will target these types of devices. Keeping the HE hub (and ancillary hubs, i.e. Lutron, etc.) secure is critical to the health and security of our homes that use these types of integrated systems.

Overview

Internet of Things (IoT) devices, like smart thermostats, Alexa/Google Home/etc., smart TVs, and a host of other appliances and devices that do not require connections to a computer or mobile phone to operate but do connect directly to the Internet, are difficult to secure.

Three such devices – a Voice over IP phone, an Internet connected printer, and a device used for video transmission operations – were recently targeted for attack by a hacking group identified with Russian state-sponsored attacks. These attacks used the IoT devices as a "landing point" to attack additional targets on the company network, as breaking into the IoT devices was far easier than directly attacking more rigorously secured data systems.

What is the threat?

Microsoft has reported that in April its Threat Intelligence Center discovered a targeted attack against IoT devices: a VoIP phone, a printer and a video decoder. Specifics as to the make and model of these devices were not released to the public. The attack hit multiple locations, using the devices as soft access points into wider corporate networks. Two of the three devices still carried factory security settings; the software on the third hadn't been updated. Microsoft said hackers used the compromised IoT devices as an entry point into their targets' internal networks, where they then scanned for other vulnerable systems to expand this initial foothold.

Importance?

Attribution of the attack has been made to one of Russia's elite state-sponsored hacking groups, which is going after IoT devices as a way to breach corporate networks, from where they pivot to other, more high-value targets. Microsoft attributed the attacks to a group it calls Strontium, which is also commonly known as APT28 or Fancy Bear. This group was allegedly involved in the DNC hack of 2016 and, according to an indictment filed in 2018 by US officials, has been identified as Unit 26165 and Unit 74455 of the Russian military intelligence agency GRU.

I tend to think of the use of Z-Wave and Zigbee as an "air gap" to protect my home from the internet. The hub that controls them, if connected to the internet, must protect those networks.

I have done many presentations on the risks of IoT at my work and how to protect the corporate assets, and "isolation" is one of the most missed methods of security. For example, we have time clocks that are now connected. They have to connect to a "cloud" service. To secure those devices, a "red" network was created where traffic would be isolated, with firewall access only to the "cloud" services.


I agree... every "outside" connection opens a hole into the home automation world, potentially making it vulnerable. Local control and, as you say, an "air gap" between these cloud systems and IP networked devices provides a better shield to protect our homes. I try to stay within the HE prescribed devices on closed Zigbee, Z-Wave and Lutron ClearConnect networks as much as possible. While these WiFi and cloud based devices are sometimes cheaper, one must consider that every venture through these connections punches holes in the security infrastructure and makes it less secure.

Cybersecurity is similar to any other type of security in that the "bad guys" will use the easiest and most available methods to compromise a network. The bad guys will likely dedicate fewer resources to hacking Zigbee, Z-Wave and other closed networks in favor of the easier, more available IP network devices. They are low-hanging fruit.

What @ronv42 said is so true. Isolation is most commonly missed in security. With the growing amount of devices that are connected to the cloud, it's easy to use that single device to penetrate a local LAN, because almost nobody isolates the single devices of a LAN from each other. So you have your average Joe buying a washing machine with an app (handy things, big WAF), the thermostat with an app (also very handy), the baby monitor with an app, etc... And all those companies should make sure their devices are safe, right... Impossible, and you should not rely on it. So you should isolate those devices within your LAN to make sure that if one is compromised, the others are not to be found. But how to connect them to your HE then without risk? It's so easy if your device can push its data to your HE, right... I wouldn't do it. I would only allow the HE to pull/push something from/to those devices. With, of course, an SSL certificate to do it.
Too bad that is not possible all the time, so we have to deal with the next best thing. Also I have this rule which I live by for security: "Make sure your bike is better locked than the ones next to it". Because everyone tends to take the easiest route available, and as long as you're not it...
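To make the "red network" that @ronv42 describes and the "only the HE pulls/pushes" rule from the reply above concrete, here is an added example of an nftables forward policy. It is my own illustration, not code from anyone in this thread and not anything Hubitat ships. The interface names (vlan20, eth0), the hub address, and the vendor cloud prefix are assumptions; the cloud prefix uses a documentation range as a placeholder and you would substitute the vendor's real endpoints.

```shell
#!/bin/sh
# Added example, not from this thread or from Hubitat: an nftables forward policy for an
# isolated "red" IoT VLAN. Interface names, the hub address and the vendor cloud prefix
# are assumptions; 203.0.113.0/24 is the TEST-NET-3 documentation range used as a placeholder.
IOT_IF="${IOT_IF:-vlan20}"                     # assumed: VLAN holding app/cloud-connected devices
LAN_IF="${LAN_IF:-eth0}"                       # assumed: trusted LAN where the HE hub lives
HUB_IP="${HUB_IP:-192.168.1.10}"               # assumed: Hubitat Elevation hub address
CLOUD_ALLOW="${CLOUD_ALLOW:-203.0.113.0/24}"   # assumed: the one vendor cloud prefix to permit

# Emit the ruleset. Forwarding is default-deny; only the hub may open connections into the
# IoT VLAN, and IoT devices may only talk HTTPS to the allowed cloud prefix. Drops that the
# policy cares about are logged with a prefix so they can be reviewed later.
iot_ruleset() {
cat <<EOF
table inet iot_isolation {
  set cloud_allow {
    type ipv4_addr
    flags interval
    elements = { $CLOUD_ALLOW }
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Hub -> IoT device: allowed (the hub pulls from / pushes to the device).
    # Any other LAN host trying to reach the IoT VLAN falls through to the drop policy.
    iifname "$LAN_IF" oifname "$IOT_IF" ip saddr $HUB_IP accept
    # IoT VLAN -> LAN (including a device "pushing" to the hub): dropped and logged.
    # Replies to hub-initiated sessions already matched the established rule above.
    iifname "$IOT_IF" oifname "$LAN_IF" log prefix "IOT-DROP " drop
    # IoT device -> its vendor cloud over HTTPS only; everything else it tries is logged and dropped.
    iifname "$IOT_IF" ip daddr @cloud_allow tcp dport 443 accept
    iifname "$IOT_IF" log prefix "IOT-DROP " counter drop
  }
}
EOF
}

# Write the ruleset to a file for review. Returns non-zero if the file could not be written.
write_ruleset() {
  out="${1:-/tmp/iot_isolation.nft}"
  iot_ruleset > "$out"
}
```

Run `write_ruleset /tmp/iot_isolation.nft`, then `nft -c -f /tmp/iot_isolation.nft` to syntax-check it without loading, and only then `nft -f` it. The example only covers the forward hook: DNS and DHCP that the router itself serves to the IoT VLAN are input-chain rules and are left out, and a device that needs more than one cloud endpoint gets additional elements in the set rather than a wider rule.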


As important as a secure infrastructure is, monitoring said infrastructure is equally important. While in a business environment there can be persons dedicated to monitoring and mitigating issues, at home we lack those resources. Even with those dedicated resources, how many businesses have been breached?
Since I usually spend Sunday mornings updating all our NAS devices, a dozen or more virtual machines, the main router and a few desktops, I had plenty of brain time to think about all the log files I wasn't monitoring today. While I do somewhat regularly go through logs, it isn't anywhere near enough to catch anything before a break-in could cause damage. My router does track an amazing amount of data on all the inbound attacks and notifies me of issues, but there is just too little of me and too many of them.
I think I have a relatively safe network. I have some segmentation and what I think are sensible firewall rules, but I don't for a second believe I am secure. Even if I did have the notion that I was secure, without constant surveillance I could not prove it either way.
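Following up on the "too little of me and too many of them" point, here is an added example (mine, not the poster's) of boiling a router's firewall drop log down to the two lists that are actually worth a Sunday-morning look: WAN sources probing several ports, and any IoT-VLAN device that tried to open a connection into the trusted LAN. The log lines are constructed in the netfilter kernel-log style (`IN=... SRC=... DPT=...`) with made-up addresses; the interface names and the scan threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread: turn a router's firewall drop log into two short
# lists worth a human look. The log lines below are constructed in the netfilter
# "IN=... SRC=... DPT=..." style; interface names and the scan threshold are assumptions.
WAN_IF="${WAN_IF:-wan0}"     # assumed: Internet-facing interface
IOT_IF="${IOT_IF:-vlan20}"   # assumed: isolated IoT VLAN
LAN_IF="${LAN_IF:-eth0}"     # assumed: trusted LAN

# Constructed sample: one WAN source probing three ports, one touching a single port,
# and one IoT device trying to reach two hosts on the trusted LAN.
sample_log() {
cat <<'EOF'
Sep  8 03:12:01 gw kernel: WAN-DROP IN=wan0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP DPT=22
Sep  8 03:12:02 gw kernel: WAN-DROP IN=wan0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP DPT=23
Sep  8 03:12:03 gw kernel: WAN-DROP IN=wan0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP DPT=2323
Sep  8 03:15:44 gw kernel: WAN-DROP IN=wan0 OUT= SRC=198.51.100.23 DST=203.0.113.9 PROTO=TCP DPT=445
Sep  8 04:01:10 gw kernel: IOT-DROP IN=vlan20 OUT=eth0 SRC=192.168.20.15 DST=192.168.1.10 PROTO=TCP DPT=8080
Sep  8 04:01:11 gw kernel: IOT-DROP IN=vlan20 OUT=eth0 SRC=192.168.20.15 DST=192.168.1.10 PROTO=TCP DPT=22
Sep  8 04:01:12 gw kernel: IOT-DROP IN=vlan20 OUT=eth0 SRC=192.168.20.15 DST=192.168.1.20 PROTO=TCP DPT=445
EOF
}

# WAN sources that hit at least MIN distinct destination ports (default 3): the ones that
# look like scans rather than background noise. Usage: wan_scanners LOGFILE [MIN]
# Prints "src distinct_port_count", one per line, sorted.
wan_scanners() {
  awk -v tag="IN=$WAN_IF " -v min="${2:-3}" '
    index($0, tag) {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (!seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
  ' "$1" | sort
}

# IoT-VLAN devices that tried to open a connection into the trusted LAN. Under an isolation
# policy this should never happen, so every line printed here deserves a look.
# Usage: iot_lateral LOGFILE   Prints "src -> dst" once per distinct pair, in log order.
iot_lateral() {
  awk -v tag="IN=$IOT_IF OUT=$LAN_IF " '
    index($0, tag) {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DST=/) dst = substr($i, 5)
      }
      if (!seen[src, dst]++) print src, "->", dst
    }
  ' "$1"
}
```

Point both functions at whatever file your router's kernel log lands in (for example `/var/log/kern.log` or the output of `journalctl -k`) from a daily cron job and mail yourself the result: the WAN scanner list is mostly noise you can ignore, while a non-empty `iot_lateral` list is the one signal that says a device in the red network is no longer behaving like an appliance.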