Most businesses invest considerable effort and resources in keeping their networks secure. Many home users also do their due diligence by installing home routers/firewalls. Yet many of these same businesses and home users, often without thinking about it, and sometimes without even knowing about it, leave gaping security holes in their networks that scream out “I am here, I am here, I am here” to potential intruders.
The source: the wide and broad adoption of Internet-of-Things (IoT) devices. These are often low-security or no-security devices that sit on the network, typically communicating with cloud-based services to manage and deliver the particular feature or service they provide. Examples are the new voice-activated home assistants, cloud-based security cameras, music receivers, temperature sensors, smart refrigerators, etc. In almost all of these cases the device cuts right through your firewall to an outside service, and allows that service – if the tech on the other end is so willing – to reach into your network and have free rein to probe for anything valuable.
If the cloud service is a large disaster recovery service like Datto, a remote identity service such as Microsoft Azure DS, or a site-to-site VPN going to Amazon Web Services (AWS), then you are probably fine. These services stand not only to have their reputations seriously tarnished by a story of an insider data breach, but also to lose billions in revenue. As such, they vet their staff thoroughly, with security checks and logging in place to prevent their employees from doing such harm. However, a support tech working at 3 AM in a third-world support center may not be as well vetted, and may be tempted to access your network to find something worth selling – like your client data or a home user’s identity (or in the future, maybe even plant some ransomware for a good payoff).
So how do you protect yourself against this? Luckily, there are already models in play to do just that, although the market is still moving towards adapting these for the IoT reality. Let’s look at what home users can do first, and then we’ll look at how businesses can respond.
For home users, there is already something out there that has the foundation for attacking this threat directly: the guest network. Many home wireless routers now offer a Guest wireless network in addition to your private wireless network. This is fortunate, as most (but not all) IoT devices work off a wireless signal. In these cases, you can just configure the Guest network and attach the IoT devices to it. However, for most modern interactive IoT devices to work correctly you need three things on your home wireless router/firewall: (1) a Guest network, (2) isolation of the Guest network from the private network, and (3) the ability of devices on the Guest network to communicate with one another. The problem with most home routers, as of this writing, is that the last two are often mutually exclusive – either the devices are isolated from each other as well as from the private network, or they can talk to each other but can also reach the private network. In the first case, devices like Amazon Alexa can’t access your wireless speakers or turn off your lights; in the second, you have the very situation we’re trying to protect against. However, some home routers, such as certain models from TP-Link, are starting to offer the combination we’re looking for – isolation of the guest network from the private network, while still allowing devices on the guest network to talk to each other. Expect others to follow suit. Even for those who offer this feature set, it is still more of a sideline or afterthought, and the implementations are often buggy or just broken. So be prepared to work through a few revisions of the firmware to get to a solid implementation. If this type of security is important to you now, you can also implement a business-type network, as described below.
Of course, protecting your home network is even more important if you use it to connect into a business via any tool such as VPN, Remote Desktop, GotoMyPC, LogmeIn, etc. In these cases, if the bad guys get inside your home network, they may also be able to get into your business network when you connect. Once inside the business, they can do the same damage as if they had accessed the business network directly, and likely using your access privileges to do so.
For businesses, the approach is very similar to what is often called a DMZ – a middle ground between the wild-west internet and the safe internal network. Often all communications between the internet and the internal network have to flow through these DMZ networks, which only allow specific communication types to get through. Setting up a zone for IoT devices is very similar, although the specific implementation can differ. If you already have a DMZ, putting IoT devices there is probably better than putting them on your internal network. However, setting up a dedicated IoT network on a firewalled, isolated subnet is even better.
Naturally, doing this on a business network can be much more involved than on a home network. In a home network, the wireless router/firewall is typically the central hub of the entire network. In a business network, there are additional switches, wireless access points, routers and other network equipment that can reside behind the firewall. Hence, to isolate a network, you need to implement a separate Virtual Local Area Network, or VLAN, for all your IoT devices to reside on. Then, using firewall rules and access-control lists (ACLs) on the switches and other network equipment, allow just the communications that you want to occur. Remember, in a company using advanced cloud systems, the risks can be much higher – instead of just controlling the lights and music in the facility, these devices can potentially manipulate air conditioning, physical access security, and power control systems – all of which could be vulnerable to a hostile remote IoT tech.
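The home guest-network requirements above (isolated from the private network, devices still able to reach each other and their cloud services) and the business VLAN-plus-firewall-rules approach come down to the same zone policy. As an added example that is not from the article, here is that policy as an nftables ruleset for a Linux router; the interface names eth0/lan0/iot0, the VLAN numbering and the choice of permitted outbound ports are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the article): router carrying the private LAN on
# VLAN 10 and an IoT zone on VLAN 20. Assumed interface names:
#   eth0 = WAN uplink, lan0 = VLAN 10 (private), iot0 = VLAN 20 (IoT).
# Traffic between two IoT devices on the same VLAN (e.g. Alexa to a smart
# speaker) is switched, not routed, so it never reaches these rules; just make
# sure the access point's per-client "isolation" is OFF on the IoT SSID.

flush ruleset

define WAN = "eth0"
define LAN = "lan0"
define IOT = "iot0"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # The private LAN may manage the router; IoT devices only get
        # DHCP and DNS from it, nothing else.
        iifname $LAN accept
        iifname $IOT udp dport { 53, 67 } accept
        iifname $IOT tcp dport 53 accept
        iifname $WAN icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Private LAN may initiate to the IoT zone (phone app -> thermostat)
        # and to the internet; replies flow back via the conntrack rule above.
        iifname $LAN oifname { $IOT, $WAN } accept
        # IoT zone may reach its cloud service over HTTP/HTTPS/NTP only;
        # with policy drop it can never open a connection into the LAN.
        iifname $IOT oifname $WAN tcp dport { 80, 443 } accept
        iifname $IOT oifname $WAN udp dport 123 accept
        # Log whatever else the IoT zone attempts (feeds a UTM/SIEM).
        iifname $IOT log prefix "iot-denied: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Some devices need extra outbound ports (MQTT on 8883 is common); widen the IoT-to-WAN rule per device rather than opening the whole zone, and the "iot-denied:" log lines show exactly what was blocked and from which address.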
Companies can also go further by deploying Unified Threat Management (UTM) systems that look for unexpected communications and allow the security staff in an IT department to track down where the offending device is and implement proper security measures. This is even more important in larger organizations, where staff may innocently bring IoT devices into the workplace without authorization, yet still leave open gaps in the company’s protective layers.
As the Internet continues to fulfill its promise of fostering a highly integrated, responsive, and automated evolution in how we communicate and work, IoT devices are just the latest example of the security challenges that come with new and powerful capabilities. Equipment and software customized to deal specifically with these threats will also evolve to make managing them easier. While we wait for the response technology to catch up to the initial technology, it’s good to know there are ways to protect yourself now, while still taking advantage of all that the Internet-of-Things has to offer.