Secure Digital Life #70
Recorded on June 26, 2018 at G-Unit Studios in Rhode Island!
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
Fear and Loathing at the SOHO border and the IoT
- Today's show is about devices phoning home and the risk that presents to you.
- So, since a lot of traffic is based in TCP, most soho equipment uses a simple approach to inbound traffic which is to say, it's blocked with the exception of packets which have their ack bits set.
- To review, when you try to connect with a tcp based daemon, there is a three way handshake which consists of an initial syn packet(out), a syn ack(in), and ack. So, if you go to a website, that is an outbound syn and then all the http material has acks set which allows the soho firewall to simply accept these "session" packets.
- But, the interweb (sic) has become a lot more complicated and scripts etc. can all run locally so that means that something on the inside can create a threat even though you have a firewall on the outside preventing bad stuff from autonomously entering you private network.
- An example of this would be very evident in the case of EternalBlue/Double Pulsar type stuff. If you don't recall, EternalBlue is an NSA tool that was stolen and released in 2017. It exploits SMB to compromise a machine which can allow it to execute code. Double Pulsar is a backdoor trojan that is often bundled with EternalBlue to create a way to install software remotely on a machine behind a firewall since the compromised machine essentially "requests" the malware from inside.
- Granted, a lot of trojans rely on the lack of firewalling to allow bad actors to scan the interweb (sic) for listening daemons but as more and more soho equipment is factory defaulted to ack only (also called "established") type inbound traffic, it becomes more important to use egress compromise where the malware phones home and requests its additional components.
- That leads to all sorts of thoughts about IoT. So, if you put a misterRingee doorbell on your domicle, and it has a vulnerability on port 666/tcp, your soho firewall will likely block someone trying to find that device and as such, it's not that vulnerable but, if there is a vulnerability there are several scenarios where it could be exploited:
1) The device contains malware from day 0. So, in this case, the doorbell when it goes live, just immediately detonates and infects your whole network. So, if that was EternalBlue and you use SMB on all your devices, it could take over the whole house.
2) The device phones a legitmate home (mrRingee corporate located somewhere in the heart of Los Angeles, CA) and is infected from there (meaning the home office is a bad actor or has been compromised somehow).
3) The device phones home regularly and someone tricks it. Suppose, actor x pretends to be mrRingee Ltd but is really something else, they could compromise the doorbell.
4) You download something (phishing) and while your Windows 10 box is not vulnerable, the doorbell is and the thing you downloaded finds the doorbell.
5) You don't safeguard your wifi and a bad actor in a white van accesses your local network from the street and embeds malware on the doorbell which then heartbeats the internet looking for the bad actors server and makes a connection.
and on and on.
So, what to do. That's a tricky problem unless you want to build a soc at your domicile and do 24 7 monitoring.
1) You should enable logging on your border soho device so you can see traffic and maybe get a feel for what is in your network.
2) It really wouldn't be a bad idea to use some standard best practice and map out your local network so that you know what all devices are on the network and what they are. It's really a good idea to use ip reservations (based on macs) and mac filtering to assign ip addresses to known things (like doorbells or plumbuses, dvrs, nas, etc.)
3) You might want to schedule some time to review those devices and see what they are doing, check the manufacturer's site for firmware updates, fixes, etc. Or even just warnings.
4) You may want to egress filter those devices to either monitor their activity or block them altogether (but then they may not work).
5) It is possible to use proxy server devices to filter your outbound traffic and prevent (and/or) specifically allow certain devices to communicate. This can also control what they access and log what they do.
Don't get too excited about the censorship parts of these but you can use them to manage outbound connections and flag strange things. DansGuardian is mostly free.
6) Use IDS
- This is a tool which monitors network activity in your network and can certainly alert you to behavior that will make your life problematic. The setup of Snort type devices is a bit of a challenge but it's pretty fun and you can use an older machine (so long as it has a couple of nics) to act as a proxy/ids filter. You can also just mirror(spanning) to the ids machine (one nic) using either a smart switch or a simple device like a hub.
7) Know before you install
- Before you buy mrRingee, google for "exploits of mrRingee" and read up on it. Likely, someone has already suffered and shared. If you start seeing a common theme of (well, we installed mrRingee and everything was great, but then pictures of naked party balloons started appearing in place of our family photos on the nas) you may want to either test the thing in a safe place or maybe skip it altogether.
- Bottom line: As you add IoT devices, you are going to add a lot of network traffic that is not necessarily understood. The very thing that makes IoT convenient, also makes it scary and dangerous because "the less you know".
- I don't think we are going to stop using IoT, so you may need to come to terms with starting to act like a SOC in your own environs and learning what your network traffic smells like. If you spend a little bit of time, you can start to understand the baseline and once that happens, you can start to see anomalous behavior. So far, there aren't many soho level products like LogRythm which do this kind of thing for you but, if your traffic is low, you understand what is there, and you have a plan, you can likely start to fathom anomalous behavior.
- I certainly think a phone activated foot massager could be amusing but how much risk is associated with that and how much overhead does it have. Is it really worth it to be able to see if your eggs are still in the frig from across the world? Well, maybe but you should take some precautions.